CAS with LDAP: ObjectGUID retrieved with attribute repository different than with authentication handler

[Benjamin Bini]

Hello,

I need your help on a problem I have with my CAS environment.

Here is my CAS configuration:

# LDAP Authentication
#cas.authn.ldap[0].type=AD
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].ldapUrl=${ldap.url}
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].bindDn=${ldap.bindDn}
cas.authn.ldap[0].bindCredential=${ldap.bindCredential}
cas.authn.ldap[0].minPoolSize=2
cas.authn.ldap[0].maxPoolSize=5
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].baseDn=${ldap.baseDn}
cas.authn.ldap[0].searchFilter=${ldap.searchFilter}
cas.authn.ldap[0].dnFormat=${ldap.dnFormat}
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributeList=objectGUID:objectGUIDFromAuthHandler


# LDAP Attribute Repository
cas.authn.attributeRepository.ldap[0].attributes.uid=uid
cas.authn.attributeRepository.ldap[0].attributes.objectGUID=objectGUIDFromAttrRepo
cas.authn.attributeRepository.ldap[0].attributes.mail=email
cas.authn.attributeRepository.ldap[0].attributes.givenName=prenom
cas.authn.attributeRepository.ldap[0].attributes.sn=nom
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=username
cas.authn.attributeRepository.ldap[0].ldapUrl=${ldap.url}
cas.authn.attributeRepository.ldap[0].useSsl=false
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].baseDn=${ldap.baseDn}
cas.authn.attributeRepository.ldap[0].searchFilter=${ldap.searchFilter}
cas.authn.attributeRepository.ldap[0].bindDn=${ldap.bindDn}
cas.authn.attributeRepository.ldap[0].bindCredential=${ldap.bindCredential}

 

As a test, I get the "objectGUID" attribute from my ActiveDirectory twice, once from the authentication handler directly, once from the LDAP Attribute Repository. My goal is to get it only from the AttributeRepository (because I also have SPNEGO authentication activated).

The problem is that I do not get the same objectGUID in both cases! From the AuthenticatoinHandler I get a base64 encoded GUID. From the AttributeRepository I get a binary object corresponding to ANOTHER GUID when I encode it to base64. Strangely, other attributes are ok: if I get displayName or givenName from the AuthenticationHandler and the AttributeRepository, they are the same.

Is this a known issue? Is there a problem with my configuration? Can I do anything to solve this or provide any other information for someone to help me with this issue?

Thank you a lot for your help.

[Danny]

I found the same behavior...I asked several weeks ago if there was a way to force a repository attribute to be handled as binary and force base64 coding.

[Daniel Fisher]

On Mon, May 4, 2020 at 4:42 AM Benjamin Bini <benj...@bini.io> wrote:

Is this a known issue? Is there a problem with my configuration? Can I do anything to solve this or provide any other information for someone to help me with this issue?

If you add

cas.authn.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID

and

cas.authn.attributeRepository.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID

Do you get the string representation of the objectGUID and are they the same?

--Daniel Fisher

[Benjamin Bini]

The property for AttributeRepository does not exist.

For the authentication handler though it returns the GUID correctly.

[Jonathon Taylor]

Benjamin,

We are running into a similar issue with CAS 5.3.15.1.  In our case AD is a secondary attribute repository and we specifically need the objectGUID.  We are seeing the same behavior where the GUID is not being converted correctly.   We use a third-party vendor for CAS customizations/support (in our case Unicon) and they helped identify a bug whereby it appears the binaryAttributes property is not respected.

We are testing a patch to both the CAS person-directory configuration and the person-directory LDAP implementation that appears to fix the problem by implementing support for binary attributes.  I'm hoping there will be some pull requests for this soon.  I believe I can share what we have tested so far if it sounds like what you are seeing.

Jonathon

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/677ccd72-69b8-4a61-92d0-3fb020c63501%40apereo.org.

[Benjamin Bini]

Thank you a lot for your answer, I feel less lonely with my issue!

If you are allowed to share any code or patch I would gladly try to apply it to my instance to see if it fixes this.

Have a nice day,

Benjamin

To unsubscribe from this group and stop receiving emails from it, send an email to cas-...@apereo.org.

[Jonathon Taylor]

I think it's fine to share these and the pull requests are submitted.  You'll have to add both of these to your overlay in the appropriate /src/main/java directories:

https://github.com/apereo/person-directory/commit/15d34378e9303d6be7d099d910bc4e7a7837bd06#diff-544920f35ec4115f8fefcec687ea43c3

https://github.com/apereo/cas/pull/4850/commits/242eaac3d2e570fe4f4557310cc5af5fbe66e57a

For that second one our consultant also had me place a lombok.config file in the same path to address a build issue:

lombok.log.fieldName=LOGGER

lombok.log.fieldIsStatic=true

lombok.toString.doNotUseGetters=true

lombok.equalsAndHashCode.doNotUseGetters=true

lombok.addLombokGeneratedAnnotation = true

config.stopBubbling=true

Finally, in addition to adding org.apereo.cas.cas-server-support-person-directory to our dependencies, I had to add a bunch more in order to get our build to work.  We are still using maven / pom.xml

org.apereo.cas.cas-server-support-person-directory ${cas.version}

org.apereo.cas.cas-server-core-authentication-api ${cas.version}

org.apereo.cas.cas-server-core-util-api ${cas.version}

org.apereo.cas.cas-server-support-ldap-core ${cas.version}

com.github.ben-manes.caffeine.caffeine 2.8.2

org.ldaptive.ldaptive 1.2.4

org.slf4j.slf4j-api 1.7.25

org.apache.logging.log4j.log4j-core 2.7

org.apache.logging.log4j.log4j-slf4j-impl 2.7

org.projectlombok.lombok 1.18.0

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6dac267d-acd9-41a3-a52b-d0cf8da6bb99%40apereo.org.