Hello,
I am trying to set up a CAS 6.2.0 server and I have a problem with LDAP attribute release.
I am following this guide:
https://dacurry-tns.github.io/deploying-apereo-cas/
The LDAP connection is successful but it returns only the REMOTE_USER attribute.
Here is a part of my cas.properties:
# Handler name; this is the value that shows up as successfulAuthenticationHandlers in the logs
cas.authn.ldap[0].name=Active Directory
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].validatePeriod=300
cas.authn.ldap[0].poolPassivator=NONE
# Space-separated list of LDAPS URLs
cas.authn.ldap[0].ldapUrl=ldaps://ad1.domain.com ldaps://ad2.domain.com
cas.authn.ldap[0].baseDn=OU=users,DC=domain,DC=com
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
# AD bind: the entered username is turned into a UPN
cas.authn.ldap[0].dnFormat=%s@domain.com

Here is the service registry:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://castest.domain.com/secured-by-cas(\\z|/.*)",
  "name" : "Apache Secured By CAS",
  "id" : 1592052371,
  "description" : "CAS development Apache mod_auth_cas server with username/password protection",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}

And here is the mod_auth_cas configuration on castest.domain.com:
LoadModule auth_cas_module /etc/httpd/modules/mod_auth_cas.so

<Directory /var/www/html/secured-by-cas>
    <IfModule mod_auth_cas.c>
        AuthType CAS
        # Expose the authenticated username in a request header
        CASAuthNHeader On
    </IfModule>
    Require valid-user
</Directory>

<IfModule mod_auth_cas.c>
    CASLoginUrl https://cas.domain.com/cas/login
    # CAS 2.0/3.0 XML validation endpoint
    CASValidateUrl https://cas.domain.com/cas/serviceValidate
    # CASValidateUrl https://cas.domain.com/cas/samlValidate
    CASCookiePath /var/cache/httpd/mod_auth_cas/
    CASSSOEnabled On
    CASDebug On
    LogLevel debug
    # SAML validation disabled; matches the serviceValidate URL above
    CASValidateSAML Off
</IfModule>

These are the last lines of the logs:
2020-06-13 14:56:44,656 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Added ticket [ST-1-Q8ZYncR1PUKX0hlIszVJgOktT1E-cas] to registry.>
2020-06-13 14:56:44,656 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: hordo
WHAT: ST-1-Q8ZYncR1PUKX0hlIszVJgOktT1E-cas for https://castest.domain.com/secured-by-cas/index.php
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
APPLICATION: CAS
WHEN: Sat Jun 13 14:56:44 CEST 2020
CLIENT IP ADDRESS: *.*.*.*
SERVER IP ADDRESS: *.*.*.*
=============================================================
>
2020-06-13 14:56:44,687 DEBUG [org.apereo.cas.validation.AuthenticationPolicyAwareServiceTicketValidationAuthorizer] - <Evaluating service [AbstractWebApplicationService(id=https://castest.domain.com/secured-by-cas/index.php, originalUrl=https://castest.domain.com/secured-by-cas/index.php, artifactId=ST-1-Q8ZYncR1PUKX0hlIszVJgOktT1E-cas, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] to ensure required authentication handlers can satisfy assertion>
2020-06-13 14:56:44,689 DEBUG [org.apereo.cas.authentication.policy.AtLeastOneCredentialValidatedAuthenticationPolicy] - <Authentication policy is satisfied having found at least one authentication transactions>
2020-06-13 14:56:44,689 DEBUG [org.apereo.cas.authentication.DefaultRequestedAuthenticationContextValidator] - <No particular authentication context is required for this request>
2020-06-13 14:56:44,689 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <No service credentials specified, and/or the proxy handler [org.apereo.cas.ticket.proxy.support.Cas20ProxyHandler@454bde11] cannot handle credentials>
2020-06-13 14:56:44,689 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <Successfully validated service ticket [ST-1-Q8ZYncR1PUKX0hlIszVJgOktT1E-cas] for service [https://castest.domain.com/secured-by-cas/index.php]>
2020-06-13 14:56:44,699 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <View name 'scopedTarget.cas3ServiceSuccessView', model {assertion=ImmutableAssertion(primaryAuthentication=org.apereo.cas.authentication.DefaultAuthentication@f5b3778f, chainedAuthentications=[org.apereo.cas.authentication.DefaultAuthentication@f5b3778f], fromNewLogin=true, service=AbstractWebApplicationService(id=https://castest.domain.com/secured-by-cas/index.php, originalUrl=https://castest.domain.com/secured-by-cas/index.php, artifactId=null, principal=hordo, source=service, loggedOutAlready=false, format=XML, attributes={})), service=AbstractWebApplicationService(id=https://castest.domain.com/secured-by-cas/index.php, originalUrl=https://castest.domain.com/secured-by-cas/index.php, artifactId=ST-1-Q8ZYncR1PUKX0hlIszVJgOktT1E-cas, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={}), org.springframework.validation.BindingResult.assertion=org.springframework.validation.BeanPropertyBindingResult: 0 errors, org.springframework.validation.BindingResult.service=org.springframework.validation.BeanPropertyBindingResult: 0 errors}>
2020-06-13 14:56:44,699 DEBUG [org.apereo.cas.services.web.view.AbstractDelegatingCasView] - <Preparing the output model [[assertion, service, org.springframework.validation.BindingResult.assertion, org.springframework.validation.BindingResult.service]] to render view [Cas30ResponseView]>
2020-06-13 14:56:44,700 DEBUG [org.apereo.cas.services.web.view.AbstractCasView] - <Final collection of attributes for the response are [[credentialType, samlAuthenticationStatementAuthMethod, isFromNewLogin, mail, authenticationDate, sAMAccountName, authenticationMethod, successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed, cn, userPrincipalName]].>
2020-06-13 14:56:44,702 DEBUG [org.apereo.cas.authentication.support.AbstractProtocolAttributeEncoder] - <[11] encoded attributes are available for release to [Apache Secured By CAS]: [[credentialType, samlAuthenticationStatementAuthMethod, isFromNewLogin, mail, authenticationDate, sAMAccountName, authenticationMethod, successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed, cn, userPrincipalName]]>
2020-06-13 14:56:44,702 DEBUG [org.apereo.cas.services.web.view.AbstractCasView] - <Encoded attributes for the response are [{credentialType=[UsernamePasswordCredential], samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[true], mail=[hordopsn@domain.com], authenticationDate=[2020-06-13T12:56:39.405973Z], sAMAccountName=[hordo], authenticationMethod=[Active Directory], successfulAuthenticationHandlers=[Active Directory], longTermAuthenticationRequestTokenUsed=[false], cn=[Hordo PSN], userPrincipalName=[hordo@domain.com]}]>
2020-06-13 14:56:44,727 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.>
2020-06-13 14:56:44,729 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Completed 200 OK>
2020-06-13 14:56:44,729 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - <Chain processed normally>
2020-06-13 14:56:44,729 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <SecurityContextHolder now cleared, as request processing completed>
2020-06-13 14:56:59,174 DEBUG [org.apereo.cas.services.AbstractServicesManager] - <Adding registered service [^https://castest.domain.com/secured-by-cas(\z|/.*)] with name [Apache Secured By CAS] and internal identifier [1592052371]>
2020-06-13 14:56:59,174 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>

I see three odd things. The first one is the "No service credentials specified, and/or the proxy handler cannot handle credentials" line, and yet it validates the service ticket successfully on the next line.
The second one is the two-hour difference between the authenticationDate attribute and the real time.
The third one is the SecurityContext line; I really don't know how to solve this.
Also, I tried with SAML but it didn't change anything.
I hope someone can help me.
Thanks.
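When the CAS debug log says attributes were encoded for release but the client only sees a username, the next thing to inspect is the raw XML that the validate endpoint actually returns to the client. The following is an added example, not part of the original post and not mod_auth_cas or CAS code: a small parser for a CAS 3.0 serviceValidate response that lists the user and every released attribute, handles the authenticationFailure case, and converts the UTC authenticationDate (the trailing "Z") into a fixed UTC offset so it can be compared with the local-time "WHEN:" line of the audit record. The XML responses embedded below are constructed to mirror the attribute names and values in the log above; they are not captured server output. The URL-building helper assumes a standard serviceValidate endpoint of the form `/cas/serviceValidate?service=...&ticket=...`.

```python
"""Inspect a CAS 3.0 /serviceValidate response: user, attributes, timestamps.

Added example; the sample XML is constructed from the attribute names seen
in the CAS debug log and is not a real server response.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of a successful CAS 3.0 validation response
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>hordo</cas:user>
    <cas:attributes>
      <cas:authenticationDate>2020-06-13T12:56:39.405973Z</cas:authenticationDate>
      <cas:mail>hordopsn@domain.com</cas:mail>
      <cas:sAMAccountName>hordo</cas:sAMAccountName>
      <cas:cn>Hordo PSN</cas:cn>
      <cas:userPrincipalName>hordo@domain.com</cas:userPrincipalName>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a failed validation (ticket placeholder, not a real ticket id)
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket 'ST-PLACEHOLDER' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def build_validate_url(validate_base, service, ticket):
    """Build the GET URL a client sends to serviceValidate (hypothetical helper)."""
    return validate_base + "?" + urlencode({"service": service, "ticket": ticket})


def failure_code(xml_text):
    """Return the authenticationFailure code, or None when validation succeeded."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    return None if failure is None else failure.get("code")


def parse_service_validate(xml_text):
    """Return (user, {attribute_name: [values]}) from a successful response.

    Raises ValueError on an authenticationFailure element or malformed XML,
    so a caller never mistakes a failed validation for an empty attribute set.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"CAS validation failed: {failure.get('code')}: "
                         f"{(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response: no success or failure element")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:
            name = child.tag.split("}", 1)[-1]  # strip the cas namespace
            attrs.setdefault(name, []).append((child.text or "").strip())
    return user, attrs


def utc_to_offset(iso_utc, offset_hours):
    """Convert a CAS authenticationDate (UTC, 'Z' suffix) to a fixed UTC offset.

    The audit trail's "WHEN:" line is printed in the server's local zone, so
    comparing the two requires applying that zone's offset (CEST is UTC+2).
    """
    ts = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone(timedelta(hours=offset_hours)))


if __name__ == "__main__":
    print(build_validate_url("https://cas.domain.com/cas/serviceValidate",
                             "https://castest.domain.com/secured-by-cas/index.php",
                             "ST-PLACEHOLDER"))
    user, attrs = parse_service_validate(SAMPLE_SUCCESS)
    print("user:", user)
    for name, values in attrs.items():
        print(f"  {name} = {values}")
    print("failure code:", failure_code(SAMPLE_FAILURE))
    print("authenticationDate in UTC+2:",
          utc_to_offset(attrs["authenticationDate"][0], 2).isoformat())
```

Replacing the sample XML with the body of a real serviceValidate call (for example fetched with curl using the service URL and a fresh ticket) shows whether the `cas:attributes` block is present at all; if it is, the server side is releasing the attributes and the remaining question is how the Apache module maps them, and if it is not, the problem lies in CAS attribute release for that registered service.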