CAS-6.2 X509-Authentication and LDAP Attribute Resolution


Klaus-Dieter Krannich

May 13, 2021, 5:35:42 AM
to CAS Community
Hi all,

I'm trying to upgrade a CAS-6.1 installation to CAS-6.2. We are using X509-Authentication and retrieving additional attributes from an LDAP attribute repository. Principal resolution in X509-Authentication is configured as:
     principalType: SUBJECT
     principalDescriptor: $EMAILADDRESS

In CAS-6.1 this works as expected; in CAS-6.2 I get:
DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [[subjectDn=EMAILADDRESS=k...@b-tu.de, SERIALNUMBER=x, CN=x, O=x, L=x, ST=x, C=x,serialNumber=x]] using [X509CredentialsAuthenticationHandler]>
DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [X509CredentialsAuthenticationHandler] successfully authenticated [AbstractCredential()]>
TRACE [org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver] - <Attempting to resolve a principal via [X509SubjectPrincipalResolver]>
TRACE [org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver] - <Creating principal for [k...@b-tu.de]>
WARN [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher] - <No person records were fetched from attribute repositories for [{principal=[subjectDn=EMAILADDRESS=k...@b-tu.de, SERIALNUMBER=x, CN=x, O=x, L=x, ST=x, C=x,serialNumber=x], x509Rfc822Email=[k...@b-tu.de], issuerDn=[CN=x, OU=x, O=x, C=x], sigAlgOid=[x], issuerX500Principal=[CN=x,OU=x,C=x], subjectX500Principal= [1.2.840.113549.1.9.1=x,2.5.4.5=x,CN=x,O=x,L=x,ST=x,C=x], username=k...@b-tu.de, subjectDn=[EMAILADDRESS=k...@b-tu.de, SERIALNUMBER=x, CN=x, O=x, L=x, ST=x, C=x]}]>

It looks like a wrong principal is passed to the LDAP attribute resolver: the default X509 subjectDN principal, and not the configured email principal.
Am I missing a changed/new configuration option, or is this a bug?

Thank you for your comments.

Regards

Klaus-Dieter Krannich

Juan Manuel Díaz Nevado

Jun 22, 2021, 3:41:54 AM
to CAS Community, Klaus-Dieter Krannich
Hi, it's an old question, but I'm trying this in CAS 6.3 too.

I cannot change the principal, even when principalType was RFC822_EMAIL. As far as I know, principalDescriptor only changes $username, not $principal, and in order to make the LDAP attribute repository work I need to configure the searchFilter as <LDAPfield>={<x509cert_attribute>}, like this:

cas.authn.x509.principal.active-attribute-repository-ids=ldap_attrRepository
cas.authn.attribute-repository.ldap[0].searchFilter=mail={x509Rfc822Email}
cas.authn.attribute-repository.ldap[0].id=ldap_attrRepository


This works for me independently of principalType, because x509Rfc822Email is a field that the X509 auth method always tries to find, and my cert has it. I can retrieve more attributes from LDAP with this config, but when I try to only authenticate certs that have attributes in LDAP, I have not been able to. I tried with this config:

cas.authn.x509.principal.returnNull=true
cas.authn.x509.principal.principalResolutionFailureFatal=true

If you solved your problem, did you manage this kind of restriction?

Thanks :)
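The following is an added illustration, not code from CAS or from either poster: a simplified model of how a search filter like `mail={x509Rfc822Email}` is filled in from the attributes the X509 handler resolved (the attribute names come from the WARN line in the first post), and why a filter built from `{principal}`, which in that log holds the whole subjectDn, finds no LDAP record. The `{name}` substitution rule, the in-memory directory and the fatal-failure behaviour are assumptions made for the example.

```python
# Added example (not CAS's own code): simplified model of LDAP attribute
# repository filter substitution. The substitution rule, the fake directory
# and the fatal-failure behaviour are assumptions for illustration only.
import re
from typing import Optional

# Attribute map constructed from the WARN log line in the first post
# (values shortened; the "x" placeholders are kept as in the post).
RESOLVED_ATTRIBUTES = {
    "principal": "subjectDn=EMAILADDRESS=k...@b-tu.de, SERIALNUMBER=x, CN=x, O=x, L=x, ST=x, C=x",
    "username": "k...@b-tu.de",
    "x509Rfc822Email": "k...@b-tu.de",
    "subjectDn": "EMAILADDRESS=k...@b-tu.de, SERIALNUMBER=x, CN=x, O=x, L=x, ST=x, C=x",
}

# Constructed stand-in for the LDAP directory, keyed by mail address.
FAKE_DIRECTORY = {
    "k...@b-tu.de": {"mail": "k...@b-tu.de", "cn": "Example User", "affiliation": "staff"},
}

_PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_]+)\}")


def render_filter(template: str, attributes: dict) -> str:
    """Replace every {name} in the template with the resolved attribute value."""
    def substitute(match: "re.Match") -> str:
        name = match.group(1)
        if name not in attributes:
            raise KeyError(f"filter refers to unknown attribute {name!r}")
        return attributes[name]
    return _PLACEHOLDER.sub(substitute, template)


def fetch_person(search_filter: str, directory: dict) -> Optional[dict]:
    """Evaluate a single 'mail=<value>' equality filter against the directory."""
    key, _, value = search_filter.partition("=")
    if key != "mail":
        return None
    return directory.get(value)


def resolve(template: str, failure_fatal: bool) -> Optional[dict]:
    """Fetch attributes for the resolved principal. With failure_fatal=True an
    empty result is an error (the restriction the second post asks about);
    otherwise None is returned and authentication would continue without
    LDAP attributes, as in the WARN line above."""
    person = fetch_person(render_filter(template, RESOLVED_ATTRIBUTES), FAKE_DIRECTORY)
    if person is None and failure_fatal:
        raise LookupError("no person record fetched from attribute repository")
    return person
```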