CAS 5: Changing the principal resolver in application.properties

[Erdal Gunyar]

Hello all,

I'm quite confused by the CAS 5 documentation :

https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-attributes

https://apereo.github.io/cas/development/installation/Configuration-Properties.html#principal-resolution

I'm reading that I can change the principal resolver only with the configuration properties.

For example, change the default LDAP resolver (for the LDAP authentication handler) by a JDBC resolver.

I've tested that but the default LDAP resolver stays and the SQL is not even queried.

The JDBC internal DAO must be built though because as soon as I put some JDBC attribute repo stuff on the config, the app needs for the hssqldb dependency on the launch.

The part of the documentation that makes me think it's possible is :

https://apereo.github.io/cas/development/installation/Configuration-Properties.html#principal-resolution

Principal Resolution
In the event that a separate resolver is put into place, control how the final principal should be constructed by default.

# cas.personDirectory.principalAttribute= # cas.personDirectory.returnNull=false

But I don't see how here... I'm puzzled.

Any help, even hint will be greatly appreciated :)

[Misagh Moayyed]

What you described earlier is all automated. You don’t need to define beans for DAOs in XML. 

In principal, you will need to put in the settings for authentication attributes based on LDAP and SQL. Then DAOs will be constructed for you automatically and merged together. If you find this recipe does not work, either share your settings or open up an issue please.

-- 
Misagh

--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/27c8c5a3-d37b-4d5f-ba45-4103d1b90ab9%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

[Erdal Gunyar]

Thanks for the response!

You guessed well! Initially, I wished to merge the (automaticaly created) DAOs only with application.properties. That would be great.

Sure, here is the code:

localhost-2.json

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https?://localhost.*",
  "name" : "localhost",
  "id" : 2,
  "description" : "Allows only localhost services",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}

application.properties

##
# CAS Server Context Configuration
#
server.name=URL
server.context-path=/cas
server.port=8433

cas.server.http.enabled=false
cas.ticket.st.timeToKillInSeconds=600

server.ssl.enabled=true
server.ssl.key-alias=cas
server.ssl.key-store=file:/somewhere/.keystore
server.ssl.key-store-password=secret
server.ssl.key-password=secret

server.tomcat.basedir=build/tomcat
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)
server.tomcat.accesslog.suffix=.log
server.tomcat.max-threads=5
server.tomcat.port-header=X-Forwarded-Port
server.tomcat.protocol-header=X-Forwarded-Proto
server.tomcat.protocol-header-https-value=https
server.tomcat.remote-ip-header=X-FORWARDED-FOR
server.tomcat.uri-encoding=UTF-8

spring.http.encoding.charset=UTF-8
spring.http.encoding.enabled=true
spring.http.encoding.force=true

##
# CAS Cloud Bus Configuration
#
spring.cloud.bus.enabled=false

endpoints.enabled=true
endpoints.sensitive=true
management.context-path=/status
endpoints.restart.enabled=false
endpoints.shutdown.enabled=false


##
# CAS Web Application Session Configuration
#
server.session.timeout=300
server.session.cookie.http-only=true
server.session.tracking-modes=COOKIE

##
# CAS Thymeleaf View Configuration
#
spring.thymeleaf.encoding=UTF-8
spring.thymeleaf.cache=false

##
# CAS Log4j Configuration
#
server.context-parameters.isLog4jAutoInitializationDisabled=true

##
# CAS AspectJ Configuration
#
spring.aop.auto=true
spring.aop.proxy-target-class=true

##
# CAS Authentication Credentials
#
cas.authn.accept.users=

##
# LDAP
#
cas.authn.ldap[0].ldapUrl=ldap://URL:PORT/
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=OU=Users,DC=Company,DC=Com
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=manager
cas.authn.ldap[0].bindCredential=secret
cas.authn.ldap[0].dnFormat=%s...@Company.Com
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].principalAttributeList=sAMAccountName,sn,co,givenName,displayName,mail,department,telephoneNumber,title
cas.authn.ldap[0].type=AD

cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=false
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000

##
# CAS Authentication Attributes
#
cas.personDirectory.principalAttribute=sAMAccountName
cas.personDirectory.returnNull=false

##
# JDBC attribute repository
#
cas.authn.attributeRepository.jdbc.singleRow=true
cas.authn.attributeRepository.jdbc.requireAllAttributes=false
cas.authn.attributeRepository.jdbc.caseCanonicalization=NONE
cas.authn.attributeRepository.jdbc.sql=SELECT u.login AS sAMAccountName, f.name AS name, f.`type` AS `type`, m.value AS value FROM user AS u\
     JOIN metadata AS m\
       ON u.id = m.user_id\
    JOIN field AS f\
        ON m.field_id = f.id\
    WHERE f.application_id = 1\
        AND user = sAMAccountName
cas.authn.attributeRepository.jdbc.username=sAMAccountName
cas.authn.attributeRepository.jdbc.healthQuery=SELECT 1 FROM INFORMATION_SCHEMA.SYSTEM_VARIABLES
cas.authn.attributeRepository.jdbc.isolateInternalQueries=false
cas.authn.attributeRepository.jdbc.url=jdbc:mysql://URL/DATABASE
cas.authn.attributeRepository.jdbc.failFast=false
cas.authn.attributeRepository.jdbc.isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.attributeRepository.jdbc.dialect=org.hibernate.dialect.HSQLDialect
cas.authn.attributeRepository.jdbc.leakThreshold=10
cas.authn.attributeRepository.jdbc.propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.attributeRepository.jdbc.batchSize=1
cas.authn.attributeRepository.jdbc.user=mysqlUser
cas.authn.attributeRepository.jdbc.ddlAuto=create-drop
cas.authn.attributeRepository.jdbc.password=secret
cas.authn.attributeRepository.jdbc.autocommit=false
cas.authn.attributeRepository.jdbc.driverClass=org.hsqldb.jdbcDriver
cas.authn.attributeRepository.jdbc.idleTimeout=5000
cas.authn.attributeRepository.jdbc.pool.suspension=false
cas.authn.attributeRepository.jdbc.pool.minSize=6
cas.authn.attributeRepository.jdbc.pool.maxSize=18
cas.authn.attributeRepository.jdbc.pool.maxIdleTime=1000
cas.authn.attributeRepository.jdbc.pool.maxWait=2000

As I said earlier, this works for the LDAP attributes but doesn't merge with the JDBC ones (no query sent).

I can open an issue, I don't know what's the best process.

Thanks.

Le mardi 18 octobre 2016 11:14:17 UTC+2, Misagh Moayyed a écrit :

What you described earlier is all automated. You don’t need to define beans for DAOs in XML. 

In principal, you will need to put in the settings for authentication attributes based on LDAP and SQL. Then DAOs will be constructed for you automatically and merged together. If you find this recipe does not work, either share your settings or open up an issue please.

-- 
Misagh

[Misagh Moayyed]

As I said earlier, this works for the LDAP attributes but doesn't merge with the JDBC ones (no query sent).

See this section: https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-attributes 

> If no other attribute source is defined and if attributes are not retrieved as part of primary authentication via LDAP….

You are doing that; which is that you are getting attributes from LDAP as part of authn. When you do, CAS disables external principal resolvers because it is taught that attributes come from ldap directly. If you wish to merge multiple sources, you need to disable that part and nuke out the attributes and define attribute repository sources for each source via the properties. That will activate merging.

I can open an issue, I don't know what's the best process.

https://github.com/apereo/cas/issues 

Might be worth introducing flexibility into the configuration to allow what you have defined. 

[Erdal Gunyar]

Thanks, I think I see better the logic; but I've just tried and if I comment the attribute part of the LDAP authentication it fails to authenticate:

2016-10-18 16:27:33,579 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for egunyar>
2016-10-18 16:27:33,607 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=egu...@COMPANY.LOCAL, ldapEntry=[dn=CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2016-10-18 16:27:33,611 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=egu...@COMPANY.LOCAL, ldapEntry=[dn=CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2016-10-18 16:27:33,612 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Account state not defined. Returning empty list of messages.>
2016-10-18 16:27:33,613 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response returned as result. Creating the final LDAP principal>
2016-10-18 16:27:33,614 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Creating LDAP principal for egunyar based on CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL>
2016-10-18 16:27:33,615 ERROR [org.apereo.cas.authentication.LdapAuthenticationHandler] - <The principal id attribute uid is not found. CAS cannot construct the final authenticated principal if it's unable to locate the attribute that is designated as the principal id. Attributes available are [[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]]>
2016-10-18 16:27:33,618 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating egunyar>
2016-10-18 16:27:33,618 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler exception details: uid attribute not found for egunyar>
2016-10-18 16:27:33,620 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [egunyar] of type [UsernamePasswordCredential], which suggests a configuration problem.>
2016-10-18 16:27:33,622 DEBUG [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(Authentication org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AuthenticationTransaction))] with thrown exception [org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes]>

The configuration being:

cas.authn.ldap[0].* ... 

# Except those which are commented:
# cas.authn.ldap[0].principalAttributeId=sAMAccountName
# cas.authn.ldap[0].principalAttributePassword=
# cas.authn.ldap[0].principalAttributeList=

cas.personDirectory.principalAttribute=sAMAccountName
cas.personDirectory.returnNull=false

cas.authn.attributeRepository.attributes.uid=sAMAccountName
cas.authn.attributeRepository.attributes.displayName=displayName
cas.authn.attributeRepository.attributes.cn=cn
cas.authn.attributeRepository.attributes.affiliation=department

cas.authn.attributeRepository.jdbc.* ...

Note that if I put back principalAttributeId, then the resolver will be the default LDAP stuff like the previous posts.

What could I be do wrong? :/

Maybe in the way I try to nuke the default LDAP resolver?

Erdal.

[Misagh Moayyed]

Turn this back on:

cas.authn.ldap[0].principalAttributeId=sAMAccountName

Or blank it out.

If that doesn't work, you are welcome to file an issue.

---

From: "Erdal Gunyar" <gun...@gmail.com>
To: "CAS Community" <cas-...@apereo.org>
Cc: "Misagh Moayyed" <mmoa...@unicon.net>
Sent: Tuesday, October 18, 2016 6:06:23 PM
Subject: Re: [cas-user] CAS 5: Changing the principal resolver in application.properties

--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6777bcc2-4218-4c51-8b04-44d26a39f1c7%40apereo.org.