CAS 5.1.0-RC3 LDAP - How to get all groups that a user is a member of?


Michael Prieß

Apr 28, 2017, 8:50:13 AM
to CAS Community
Hello,

my question is "How to get all groups that a user is a member of as an attribute?" I'm using CAS 5.1.0-RC3 + LDAP for authentication, and this is my LDAP configuration and my LDAP structure.

cas.properties

cas.authn.ldap[0].type=DIRECT
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].ldapUrl=ldap://ldap:389
cas.authn.ldap[0].baseDn=ou=users,dc=company,dc=com
cas.authn.ldap[0].enhanceWithEntryResolver=true
cas.authn.ldap[0].userFilter=cn={user}
cas.authn.ldap[0].dnFormat=cn=%s,ou=users,dc=company,dc=com
cas.authn.ldap[0].principalAttributeId=cn
cas.authn.ldap[0].principalAttributeList=sn,mail

Part of my ldap.ldif:
dn: cn=dev,ou=groups,dc=company,dc=com
cn: dev
member: cn=john,ou=users,dc=company,dc=com
objectclass: groupOfNames
objectclass: top

dn: cn=john,ou=users,dc=company,dc=com
cn: john
objectclass: inetOrgPerson
objectclass: top
mail: john...@example.com
sn: John Doe

If I use the user john, IMHO only attributes which are under "cn=john,ou=users,dc=company,dc=com" are exposed as attributes, like mail and sn for example. Right?

Possible Solutions:
1. Solve the problem with CAS: Is it possible to retrieve the LDAP attribute groupOfNames with an additional query and attach it to my service token like the attributes sn, email?
2. Solve the problem with LDAP: I have to add the attribute groupOfNames to the user john and have to duplicate attributes. See http://www.openldap.org/doc/admin24/overlays.html

Thanks,
Michael

Menno en Erla Avegaart

May 5, 2017, 2:12:47 AM
to CAS Community
I'm using:

cas.authn.ldap[0].type=DIRECT
cas.authn.ldap[0].ldapUrl=...
cas.authn.ldap[0].baseDn=ou=users,dc=company,dc=com
cas.authn.ldap[0].userFilter=(&(uid={user})(objectclass=inetOrgPerson))
cas.authn.ldap[0].subtreeSearch=false
cas.authn.ldap[0].dnFormat=uid=%s,ou=users,dc=company,dc=com
cas.authn.ldap[0].passwordPolicy.enabled=true
cas.authn.ldap[0].keystore=classpath:/keystore.jks
cas.authn.ldap[0].keystorePassword=...
cas.authn.ldap[0].keystoreType=JKS
cas.authn.ldap[0].enhanceWithEntryResolver=false
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributeList=sn,title,mail,telephoneNumber,mobile,manager
cas.authn.ldap[0].validateOnCheckout=false
cas.authn.ldap[0].validatePeriodically=false
cas.authn.ldap[0].validator.type=NONE

cas.authn.attributeRepository.merger=merge

cas.authn.attributeRepository.ldap[0].ldapUrl=...
cas.authn.attributeRepository.ldap[0].connectionStrategy=
cas.authn.attributeRepository.ldap[0].baseDn=ou=groups,dc=company,dc=com
cas.authn.attributeRepository.ldap[0].userFilter=(&(member=uid={user},ou=users,dc=company,dc=com)(objectclass=groupOfNames))
cas.authn.attributeRepository.ldap[0].subtreeSearch=false
cas.authn.attributeRepository.ldap[0].attributes.cn=roles
cas.authn.attributeRepository.ldap[0].bindDn=...
cas.authn.attributeRepository.ldap[0].bindCredential=...
cas.authn.attributeRepository.ldap[0].keystore=classpath:/keystore.jks
cas.authn.attributeRepository.ldap[0].keystorePassword=...
cas.authn.attributeRepository.ldap[0].keystoreType=JKS
cas.authn.attributeRepository.ldap[0].validateOnCheckout=false
cas.authn.attributeRepository.ldap[0].validatePeriodically=false
cas.authn.attributeRepository.ldap[0].validator.type=NONE

However, for this to work, I had to patch persondir (see https://github.com/apereo/person-directory/issues/14).


On Friday, 28 April 2017 at 14:50:13 UTC+2, Michael Prieß wrote:
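To make the two-step approach from the reply concrete for the directory layout in the original question, here is an added Python example that is not part of the thread and not CAS or person-directory code. It models, against a constructed in-memory LDIF, what the two CAS queries return: the authentication handler reads only attributes stored on the user's own entry (sn, mail), while the attribute repository searches one level under ou=groups for (&(member=<user DN>)(objectclass=groupOfNames)) and maps each matching group's cn to "roles", which merger=merge then combines into one principal attribute map. Assumptions: the user DN is built from the cn-based dnFormat of the original post (so, unlike the reply's uid-based filter, the member filter must use cn={user},ou=users,...), the mail address is a placeholder because the one in the post is obfuscated, and subtreeSearch=false is modelled as a one-level search. The example also normalises DNs before comparing them, since LDAP treats DNs case-insensitively and a member value written as CN=John,... must still match.

```python
import re
from collections import defaultdict

# Constructed sample LDIF mirroring the layout in the question, plus a second
# group whose member value uses different casing. Mail address is a placeholder.
SAMPLE_LDIF = """\
dn: cn=dev,ou=groups,dc=company,dc=com
cn: dev
member: cn=john,ou=users,dc=company,dc=com
objectclass: groupOfNames
objectclass: top

dn: cn=ops,ou=groups,dc=company,dc=com
cn: ops
member: CN=John,OU=users,DC=company,DC=com
member: cn=jane,ou=users,dc=company,dc=com
objectclass: groupOfNames
objectclass: top

dn: cn=john,ou=users,dc=company,dc=com
cn: john
objectclass: inetOrgPerson
objectclass: top
mail: john@example.invalid
sn: John Doe
"""

USERS_BASE = "ou=users,dc=company,dc=com"    # cas.authn.ldap[0].baseDn
GROUPS_BASE = "ou=groups,dc=company,dc=com"  # attributeRepository.ldap[0].baseDn


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into
    {dn: {attribute_name_lowercased: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[name].append(value)
    return entries


def _split_rdns(dn):
    """Split a DN on unescaped commas."""
    return re.split(r"(?<!\\),", dn)


def norm_dn(dn):
    """Case-fold and trim each RDN so 'CN=John, OU=users' == 'cn=john,ou=users'."""
    return ",".join(part.strip().lower() for part in _split_rdns(dn))


def parent_of(dn):
    parts = _split_rdns(norm_dn(dn))
    return ",".join(parts[1:]) if len(parts) > 1 else ""


def one_level(entries, base_dn):
    """Entries directly beneath base_dn (the subtreeSearch=false case)."""
    base = norm_dn(base_dn)
    return {dn: a for dn, a in entries.items() if parent_of(dn) == base}


def user_dn(user):
    return f"cn={user},{USERS_BASE}"          # dnFormat=cn=%s,ou=users,...


def authn_attributes(entries, user, attr_list=("sn", "mail")):
    """Step 1: what principalAttributeList=sn,mail yields, i.e. only the
    attributes stored on the user's own entry; group membership is not here."""
    target = norm_dn(user_dn(user))
    entry = next((a for dn, a in entries.items() if norm_dn(dn) == target), None)
    if entry is None:
        return {}
    return {a: list(entry[a]) for a in attr_list if a in entry}


def group_roles(entries, user):
    """Step 2: the attribute-repository search from the reply, adapted to the
    cn-based DN: one level under ou=groups, filter
    (&(member=<user DN>)(objectclass=groupOfNames)), cn mapped to 'roles'."""
    target = norm_dn(user_dn(user))
    roles = []
    for attrs in one_level(entries, GROUPS_BASE).values():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofnames" not in classes:
            continue
        if any(norm_dn(m) == target for m in attrs.get("member", [])):
            roles.extend(attrs["cn"])
    return {"roles": sorted(roles)}


def merged_principal_attributes(entries, user):
    """merger=merge: union of both sources into a single attribute map."""
    merged = defaultdict(list)
    for source in (authn_attributes(entries, user), group_roles(entries, user)):
        for key, values in source.items():
            merged[key].extend(values)
    return dict(merged)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(merged_principal_attributes(directory, "john"))
```

Running it for john yields sn and mail from the user entry plus roles ["dev", "ops"] from the reverse group lookup; the second group is found only because member values are compared as normalised DNs, which is the same reason a literal string match on `member=...` in the repository filter must reproduce the exact DN format the directory stores.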