ldap attribute resolution and release


Trenton D. Adams

Jul 10, 2018, 7:59:22 PM
to CAS Community
Good day,

I've been scouring the documentation but there doesn't seem to be much
about this. The properties page lists a bunch of properties related to
attribute resolution but when I configure those properties the
samlValidate still doesn't release those attributes.

This is what I put in my application configuration, but none of the
attributes get mapped. What am I missing?


# attribute resolution
cas.authn.attributeRepository.ldap[0].attributes.uid=uid
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.udcid=UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
#cas.authn.attributeRepository.ldap[0].attributes.affiliation=groupMembership

cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://ldap.example.com
cas.authn.attributeRepository.ldap[0].connectionStrategy=
cas.authn.attributeRepository.ldap[0].order=0
cas.authn.attributeRepository.ldap[0].useSsl=false
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].connectTimeout=5000
cas.authn.attributeRepository.ldap[0].baseDn=dc=example,dc=com
cas.authn.attributeRepository.ldap[0].userFilter=uid={user}
cas.authn.attributeRepository.ldap[0].subtreeSearch=false
cas.authn.attributeRepository.ldap[0].bindDn=cn=Manager,dc=example,dc=com
cas.authn.attributeRepository.ldap[0].bindCredential=bindpw
cas.authn.attributeRepository.ldap[0].trustCertificates=
cas.authn.attributeRepository.ldap[0].poolPassivator=NONE
cas.authn.attributeRepository.ldap[0].minPoolSize=3
cas.authn.attributeRepository.ldap[0].maxPoolSize=10
cas.authn.attributeRepository.ldap[0].failFast=true
cas.authn.attributeRepository.ldap[0].idleTime=500
cas.authn.attributeRepository.ldap[0].prunePeriod=600
cas.authn.attributeRepository.ldap[0].blockWaitTime=5000
cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Applications Unit - ITS
Athabasca University
(780) 675-6195

It is only when you are surrounded by a supportive team, that you can achieve
your best. Instead of tearing people down, try building them up!

--
This communication is intended for the use of the recipient to whom it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communications received in error, or subsequent reply, should be deleted or destroyed.
---

Ray Bon

Jul 10, 2018, 8:32:25 PM
to cas-...@apereo.org
Trenton,

You also have to configure your service to release the attributes, https://apereo.github.io/cas/5.2.x/integration/Attribute-Release-Policies.html.

There is a default attribute set, https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#default-bundle, if all services have a common requirement.

These log lines might help (we are on 5.2.2):
        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>
        <!-- DEBUG CAS will not authorize the release of ... given the service is denied access to all attributes -->
        <AsyncLogger name="org.apereo.cas.services.DenyAllAttributeReleasePolicy" level="debug"/>

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Trenton D. Adams

Jul 11, 2018, 1:48:45 PM
to cas-...@apereo.org, Ray Bon

Hi Ray,

I appreciate your help!

I added this to no avail...

cas.authn.attributeRepository.defaultAttributesToRelease=uid,UDC_IDENTIFIER

So, now I'm mapping attributes as per the docs, and I've enabled the default attributes to release, and still it's not working.  Either I'm missing something, or the documentation is missing something.  Ideas?


So my current properties are below.

# attribute resolution
cas.authn.attributeRepository.ldap[0].attributes.uid=uid
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.udcid=UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[0].attributes.cn=commonName

cas.authn.attributeRepository.defaultAttributesToRelease=uid,UDC_IDENTIFIER


#cas.authn.attributeRepository.ldap[0].attributes.affiliation=groupMembership

cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://ldap.example.com
cas.authn.attributeRepository.ldap[0].connectionStrategy=
cas.authn.attributeRepository.ldap[0].order=0
cas.authn.attributeRepository.ldap[0].useSsl=false
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].connectTimeout=5000
cas.authn.attributeRepository.ldap[0].baseDn=dc=example,dc=com
cas.authn.attributeRepository.ldap[0].userFilter=uid={user}
cas.authn.attributeRepository.ldap[0].subtreeSearch=false
cas.authn.attributeRepository.ldap[0].bindDn=cn=Manager,dc=example,dc=com
cas.authn.attributeRepository.ldap[0].bindCredential=

cas.authn.attributeRepository.ldap[0].trustCertificates=
cas.authn.attributeRepository.ldap[0].poolPassivator=NONE
cas.authn.attributeRepository.ldap[0].minPoolSize=3
cas.authn.attributeRepository.ldap[0].maxPoolSize=10
cas.authn.attributeRepository.ldap[0].failFast=true
cas.authn.attributeRepository.ldap[0].idleTime=500
cas.authn.attributeRepository.ldap[0].prunePeriod=600
cas.authn.attributeRepository.ldap[0].blockWaitTime=5000
cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1531269140.2758.28.camel%40uvic.ca.

Ray Bon

Jul 11, 2018, 2:18:18 PM
to cas-...@apereo.org, tre...@athabascau.ca
Trenton,

Perhaps it is on the ldap side of things. There is the CAS side of things in ldap config:
cas.authn.ldap[0].principalAttributeList=uvicEduPersonNetLinkContactUpdateTimestamp, \
                                         uvicEduPersonSpridenID
but ldap has to be configured to release those attributes.

What is in the logs?

Ray

Trenton D. Adams

Jul 11, 2018, 2:44:28 PM
to Ray Bon, cas-...@apereo.org

It appears to not find the attributes, but the attribute release appears to be properly configured as it even states in the logs that the attributes to release are "uid", and "udcid", which is correct. 

I have this in my authenticator configuration, that's correct, yes?

cas.authn.ldap[1].principalAttributeList=uid,udcid

I have mappings and default release policy for uid and udcid.  My questio

cas.authn.attributeRepository.ldap[0].attributes.uid=uid
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.udcid=UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[0].attributes.cn=commonName

cas.authn.attributeRepository.defaultAttributesToRelease=uid,udcid

Should the defaultAttributesToRelease contain udcid or the mapped version UDC_IDENTIFIER?

I even added the following to my json service registry to see if I could force attribute release...

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps|http)://.*",
  "name" : "generic",
  "id" : 10000001,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}

2018-07-11 12:39:33,822 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [trenta] accessing service [http://localhost/blah] defined by registered service [^(https|imaps|http)://.*]...>
2018-07-11 12:39:33,823 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [trenta]>
2018-07-11 12:39:33,823 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{}] for [trenta]>
2018-07-11 12:39:33,823 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process attributes for [trenta]>
2018-07-11 12:39:33,824 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of [{}] for [trenta]>
2018-07-11 12:39:33,824 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2018-07-11 12:39:33,824 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2018-07-11 12:39:33,824 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2018-07-11 12:39:33,824 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[uid, udcid]]>
2018-07-11 12:39:33,825 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2018-07-11 12:39:33,825 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
2018-07-11 12:39:33,825 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2018-07-11 12:39:33,825 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [trenta] accessing service [http://localhost/blah] defined by registered service [^(https|imaps|http)://.*]...>
2018-07-11 12:39:33,825 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{}]>

Ray Bon

Jul 11, 2018, 3:37:10 PM
to cas-...@apereo.org, tre...@athabascau.ca
The log line, Found principal attributes [{}] for [trenta], suggests that ldap is not configured to release the attributes.

Ray

Trenton D. Adams

Jul 11, 2018, 3:52:31 PM
to Ray Bon, cas-...@apereo.org

What do you mean by that?  Ldap itself, or the cas configuration for ldap?

Our ldap only hides things like the password field.

Ray Bon

Jul 11, 2018, 4:40:33 PM
to cas-...@apereo.org, tre...@athabascau.ca
My ldap knowledge is limited. Our setup has to be configured to release each attribute and this can vary per bind user.
You may be able to check some of this with something like ldapsearch.

Ray

Trenton D. Adams

Jul 11, 2018, 5:11:31 PM
to Ray Bon, cas-...@apereo.org

Yeah, ldapsearch reveals the attributes just fine, which is why I asked.  I know that it's not ldap, so there has to be some sort of thing I'm missing then, or a typo, or something.

I guess I'll dig into the CAS code.  Unfortunately it's not all loading properly with IntelliJ IDEA.

Ray Bon

Jul 11, 2018, 5:58:48 PM
to cas-...@apereo.org, tre...@athabascau.ca
Looking closer at our config, we are not using the properties, cas.authn.attributeRepository.ldap[0].xxx. Perhaps this is causing a conflict.
We specify the mapping in the service definition:

  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "principalAttributesRepository":
    {
      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration": 2,
      "timeUnit": "HOURS"
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": true,
    "excludeDefaultAttributes": false,
    "allowedAttributes":
    {
      "@class": "java.util.TreeMap",
      "uvicEduPersonSpridenID": "UDC_IDENTIFIER"
    }
  },

Ray

Trenton D. Adams

Jul 12, 2018, 1:20:36 PM
to Ray Bon, cas-...@apereo.org

Someone else suggested something similar off list, directly to me.

I have this...

cas.authn.attributeRepository.defaultAttributesToRelease=uid,udcid,UDC_IDENTIFIER

Resulting in this printed to the debug log, thereby proving that the system does have default attribute release configured for udcid...

<Default attributes for release are: [[uid, udcid, UDC_IDENTIFIER]]>

My ldapsearch reveals udcid in its response.

I added...

  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "udcid": "UDC_IDENTIFIER"
    }
  }

However, when I added that TreeMap mapping, I am now getting...

2018-07-12 10:42:03,626 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Could not find value for mapped attribute [UDC_IDENTIFIER] that is based off of [udcid] in the allowed attributes list. Ensure the original attribute [udcid] is retrieved and contains at least a single value. Attribute [UDC_IDENTIFIER] will and can not be released without the presence of a value.>

If I add the attributeReleasePolicy you gave, with the uvicEduPersonSpridenID replaced with udcid (our attribute in ldap), I get the same error above.

I disabled the cas.authn.attributeRepository.ldap[0].xxx properties and it's still trying to find the UDC_IDENTIFIER, so I think you are probably correct that I do not need those other properties.

This is my ldap configuration.  I am using chained authentication, so it's the second one.

cas.authn.ldap[1].type=DIRECT
cas.authn.ldap[1].ldapUrl=ldap://ldap.example.com
cas.authn.ldap[1].useSsl=false
cas.authn.ldap[1].subtreeSearch=false
cas.authn.ldap[1].baseDn=dc=example,dc=com
cas.authn.ldap[1].userFilter=uid={user}
cas.authn.ldap[1].dnFormat=uid=%s,ou=Staff,ou=People,dc=example,dc=com
cas.authn.ldap[1].principalAttributeId=uid
cas.authn.ldap[1].principalAttributeList=uid,udcid

What's clear to me at this point is that CAS needs more descriptive text on this, rather than just listing all the properties.  It should also print better diagnostic info, like "hey, you might not have set this property and you should have." sort of thing.

Is there a saml configuration for attribute release?

So, in summary I have tried...
  • in the json service definition: ReturnAllAttributeReleasePolicy, ReturnMappedAttributeReleasePolicy
  • in the configuration properties:
    • cas.authn.attributeRepository.*
    • cas.authn.ldap[1].principalAttributeList=uid,udcid in combination with ReturnMappedAttributeReleasePolicy
    • cas.authn.ldap[1].principalAttributeList=uid,udcid:UDC_IDENTIFIER as a direct mapping without a need to map elsewhere and in combination with ReturnAllAttributeReleasePolicy

Not a single one of these actually works so far.  It's all just very odd.  This is frustrating. :(
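A small log-triage script, added here as an example (it is not code from the thread or from CAS), that parses the AbstractRegisteredServiceAttributeReleasePolicy DEBUG lines and the ReturnMappedAttributeReleasePolicy WARN line quoted in this thread and reports at which stage the attributes were lost. The regexes assume the CAS 5.2.x message format shown in those excerpts; the sample input is those same log lines.

```python
import re

# Sample input: the DEBUG and WARN lines quoted in this thread (CAS 5.2.x format).
SAMPLE_LOG = """\
2018-07-11 12:39:33,823 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{}] for [trenta]>
2018-07-11 12:39:33,824 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of [{}] for [trenta]>
2018-07-11 12:39:33,824 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[uid, udcid]]>
2018-07-11 12:39:33,825 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{}]>
2018-07-12 10:42:03,626 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Could not find value for mapped attribute [UDC_IDENTIFIER] that is based off of [udcid] in the allowed attributes list. Ensure the original attribute [udcid] is retrieved and contains at least a single value. Attribute [UDC_IDENTIFIER] will and can not be released without the presence of a value.>
"""

LINE_RE = re.compile(r"^\S+ \S+ (\w+) \[([\w.]+)\] - <(.*)>$")
FOUND_RE = re.compile(r"Found principal attributes \[\{(.*?)\}\] for \[([^\]]+)\]")
DEFAULT_RE = re.compile(r"Default attributes for release are: \[\[(.*?)\]\]")
FINAL_RE = re.compile(r"Final collection of attributes allowed are: \[\{(.*?)\}\]")
MAPPED_RE = re.compile(r"Could not find value for mapped attribute \[(\w+)\] "
                       r"that is based off of \[(\w+)\]")


def parse_attr_map(body):
    """Parse the body of a Java Map toString, e.g. 'uid=[trenta], udcid=[42]'."""
    return {k: [v.strip() for v in vals.split(",") if v.strip()]
            for k, vals in re.findall(r"(\w+)=\[(.*?)\]", body)}


def triage(log_text):
    """Walk one attribute-release phase and report where the attributes were lost."""
    r = {"principal": None, "found": None, "defaults": [], "final": None, "findings": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(3)
        if (f := FOUND_RE.search(msg)):
            r["found"], r["principal"] = parse_attr_map(f.group(1)), f.group(2)
        elif (d := DEFAULT_RE.search(msg)):
            r["defaults"] = [a.strip() for a in d.group(1).split(",") if a.strip()]
        elif (fin := FINAL_RE.search(msg)):
            r["final"] = parse_attr_map(fin.group(1))
        elif (w := MAPPED_RE.search(msg)):
            r["findings"].append(f"mapped attribute [{w.group(1)}] cannot be released: "
                                 f"its source [{w.group(2)}] was resolved with no value")
    if r["found"] == {}:
        # An empty map here means the repository returned nothing, so the fault is
        # upstream of the service policy (LDAP/repository settings, principalAttributeList,
        # or a stale attribute cache), not in attributeReleasePolicy.
        r["findings"].append(f"zero attributes resolved for [{r['principal']}]; "
                             "look upstream of the release policy")
    missing = [a for a in r["defaults"] if r["found"] is not None and a not in r["found"]]
    if missing:
        r["findings"].append(f"defaultAttributesToRelease names {missing} but they were "
                             "never resolved; defaults only release attributes found")
    return r
```

Run `triage(SAMPLE_LOG)["findings"]` to see the three diagnoses for the quoted excerpt; feeding it a log where the "Found principal attributes" map is non-empty narrows the problem to the release policy instead.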

Trenton D. Adams

Jul 12, 2018, 3:21:38 PM
to Ray Bon, cas-...@apereo.org

I am seeing this, but as far as I can tell I should not be, as I've configured the attribute release policy and the attributes on the ldap authentication configuration.

<Found [0] attributes for principal [trenta] from the attribute repository.>


Ray Bon

Jul 12, 2018, 4:22:17 PM
to cas-...@apereo.org
Try removing, cas.authn.attributeRepository.*, properties.

Ray

Trenton D. Adams

Jul 12, 2018, 4:44:38 PM
to cas-...@apereo.org, Ray Bon

It's working now.

I finally figured out why I've been having soooo much trouble fiddling with it to get it to work.  CAS reloads the properties from /etc/cas when I save the files.  But it does not expire attribute caches, so even if I'm forced to re-authenticate the cached empty list of attributes is returned.

That's a serious pain, I've spent literally days trying to get this to work because I didn't know about the caching.  Once I started doing full CAS restarts (which takes a long time) I was able to get it working quite easily.

Now I'm off to see how to disable that.


Trenton D. Adams

Jul 12, 2018, 5:19:44 PM
to cas-...@apereo.org, Ray Bon

Thanks so much for your help on this guys.  At least it made clear that I wasn't really doing anything wrong. :D

