Principal Resolution
In the event that a separate resolver is put into place, control how the final principal should be constructed by default.
# cas.personDirectory.principalAttribute= |
What you described earlier is all automated. You don’t need to define beans for DAOs in XML.
In principal, you will need to put in the settings for authentication attributes based on LDAP and SQL. Then DAOs will be constructed for you automatically and merged together. If you find this recipe does not work, either share your settings or open up an issue please.
--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/27c8c5a3-d37b-4d5f-ba45-4103d1b90ab9%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https?://localhost.*",
"name" : "localhost",
"id" : 2,
"description" : "Allows only localhost services",
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
}
}
##
# CAS Server Context Configuration
#
server.name=URL
server.context-path=/cas
server.port=8433
cas.server.http.enabled=false
cas.ticket.st.timeToKillInSeconds=600
server.ssl.enabled=true
server.ssl.key-alias=cas
server.ssl.key-store=file:/somewhere/.keystore
server.ssl.key-store-password=secret
server.ssl.key-password=secret
server.tomcat.basedir=build/tomcat
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)
server.tomcat.accesslog.suffix=.log
server.tomcat.max-threads=5
server.tomcat.port-header=X-Forwarded-Port
server.tomcat.protocol-header=X-Forwarded-Proto
server.tomcat.protocol-header-https-value=https
server.tomcat.remote-ip-header=X-FORWARDED-FOR
server.tomcat.uri-encoding=UTF-8
spring.http.encoding.charset=UTF-8
spring.http.encoding.enabled=true
spring.http.encoding.force=true
##
# CAS Cloud Bus Configuration
#
spring.cloud.bus.enabled=false
endpoints.enabled=true
endpoints.sensitive=true
management.context-path=/status
endpoints.restart.enabled=false
endpoints.shutdown.enabled=false
##
# CAS Web Application Session Configuration
#
server.session.timeout=300
server.session.cookie.http-only=true
server.session.tracking-modes=COOKIE
##
# CAS Thymeleaf View Configuration
#
spring.thymeleaf.encoding=UTF-8
spring.thymeleaf.cache=false
##
# CAS Log4j Configuration
#
server.context-parameters.isLog4jAutoInitializationDisabled=true
##
# CAS AspectJ Configuration
#
spring.aop.auto=true
spring.aop.proxy-target-class=true
##
# CAS Authentication Credentials
#
cas.authn.accept.users=
##
# LDAP
#
cas.authn.ldap[0].ldapUrl=ldap://URL:PORT/
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=OU=Users,DC=Company,DC=Com
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=manager
cas.authn.ldap[0].bindCredential=secret
cas.authn.ldap[0].dnFormat=%s...@Company.Com
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].principalAttributeList=sAMAccountName,sn,co,givenName,displayName,mail,department,telephoneNumber,title
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=false
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000
##
# CAS Authentication Attributes
#
cas.personDirectory.principalAttribute=sAMAccountName
cas.personDirectory.returnNull=false
##
# JDBC attribute repository
#
cas.authn.attributeRepository.jdbc.singleRow=true
cas.authn.attributeRepository.jdbc.requireAllAttributes=false
cas.authn.attributeRepository.jdbc.caseCanonicalization=NONE
cas.authn.attributeRepository.jdbc.sql=SELECT u.login AS sAMAccountName, f.name AS name, f.`type` AS `type`, m.value AS value FROM user AS u\
JOIN metadata AS m\
ON u.id = m.user_id\
JOIN field AS f\
ON m.field_id = f.id\
WHERE f.application_id = 1\
AND user = sAMAccountName
cas.authn.attributeRepository.jdbc.username=sAMAccountName
cas.authn.attributeRepository.jdbc.healthQuery=SELECT 1 FROM INFORMATION_SCHEMA.SYSTEM_VARIABLES
cas.authn.attributeRepository.jdbc.isolateInternalQueries=false
cas.authn.attributeRepository.jdbc.url=jdbc:mysql://URL/DATABASE
cas.authn.attributeRepository.jdbc.failFast=false
cas.authn.attributeRepository.jdbc.isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.attributeRepository.jdbc.dialect=org.hibernate.dialect.HSQLDialect
cas.authn.attributeRepository.jdbc.leakThreshold=10
cas.authn.attributeRepository.jdbc.propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.attributeRepository.jdbc.batchSize=1
cas.authn.attributeRepository.jdbc.user=mysqlUser
cas.authn.attributeRepository.jdbc.ddlAuto=create-drop
cas.authn.attributeRepository.jdbc.password=secret
cas.authn.attributeRepository.jdbc.autocommit=false
cas.authn.attributeRepository.jdbc.driverClass=org.hsqldb.jdbcDriver
cas.authn.attributeRepository.jdbc.idleTimeout=5000
cas.authn.attributeRepository.jdbc.pool.suspension=false
cas.authn.attributeRepository.jdbc.pool.minSize=6
cas.authn.attributeRepository.jdbc.pool.maxSize=18
cas.authn.attributeRepository.jdbc.pool.maxIdleTime=1000
cas.authn.attributeRepository.jdbc.pool.maxWait=2000
What you described earlier is all automated. You don’t need to define beans for DAOs in XML.
In principal, you will need to put in the settings for authentication attributes based on LDAP and SQL. Then DAOs will be constructed for you automatically and merged together. If you find this recipe does not work, either share your settings or open up an issue please.
--
Misagh
As I said earlier, this works for the LDAP attributes but doesn't merge with the JDBC ones (no query sent).
See this section: https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-attributes
> If no other attribute source is defined and if attributes are not retrieved as part of primary authentication via LDAP….
You are doing that; which is that you are getting attributes from LDAP as part of authn. When you do, CAS disables external principal resolvers because it is taught that attributes come from ldap directly. If you wish to merge multiple sources, you need to disable that part and nuke out the attributes and define attribute repository sources for each source via the properties. That will activate merging.
I can open an issue, I don't know what's the best process.
https://github.com/apereo/cas/issues
Might be worth introducing flexibility into the configuration to allow what you have defined.
2016-10-18 16:27:33,579 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for egunyar>
2016-10-18 16:27:33,607 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=egu...@COMPANY.LOCAL, ldapEntry=[dn=CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2016-10-18 16:27:33,611 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=egu...@COMPANY.LOCAL, ldapEntry=[dn=CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2016-10-18 16:27:33,612 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Account state not defined. Returning empty list of messages.>
2016-10-18 16:27:33,613 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response returned as result. Creating the final LDAP principal>
2016-10-18 16:27:33,614 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Creating LDAP principal for egunyar based on CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL>
2016-10-18 16:27:33,615 ERROR [org.apereo.cas.authentication.LdapAuthenticationHandler] - <The principal id attribute uid is not found. CAS cannot construct the final authenticated principal if it's unable to locate the attribute that is designated as the principal id. Attributes available are [[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]]>
2016-10-18 16:27:33,618 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating egunyar>
2016-10-18 16:27:33,618 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler exception details: uid attribute not found for egunyar>
2016-10-18 16:27:33,620 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [egunyar] of type [UsernamePasswordCredential], which suggests a configuration problem.>
2016-10-18 16:27:33,622 DEBUG [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(Authentication org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AuthenticationTransaction))] with thrown exception [org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes]>
cas.authn.ldap[0].* ...
# Except those which are commented:
# cas.authn.ldap[0].principalAttributeId=sAMAccountName
# cas.authn.ldap[0].principalAttributePassword=
# cas.authn.ldap[0].principalAttributeList=
cas.personDirectory.principalAttribute=sAMAccountName
cas.personDirectory.returnNull=false
cas.authn.attributeRepository.attributes.uid=sAMAccountName
cas.authn.attributeRepository.attributes.displayName=displayName
cas.authn.attributeRepository.attributes.cn=cn
cas.authn.attributeRepository.attributes.affiliation=department
cas.authn.attributeRepository.jdbc.* ...