LDAP Principal resolution


Tom Poage

May 19, 2016, 4:45:35 PM5/19/16
to cas-...@apereo.org
Afternoon,

CAS 4.2.1

I'm having a little difficulty figuring out how to resolve a normalized principal from an LDAP directory. E.g. user enters 'Fred' as the username and I'd like to return the principal 'fred' from the uid attribute (as stored in the directory).

If I use the (largely default) config below, entering "FRED" returns "FRED" at serviceValidate (LDAP being case-insensitive, authentication does succeed). Code behind ldapAuthenticationHandler looks like it should populate attributes.

(Re: the JAAS line, we're layering in a legacy credential store. Bonus if we can query the directory to return a normalized name here, as well.)

Ideas on what I'm missing? Do I need to dive into the personDirectoryPrincipalResolver? Cf.

cas.principal.resolver.persondir.return.null
cas.principal.resolver.persondir.principal.attribute

Thanks!
Tom.

deployerContextConfig.xml:

<util:map id="authenticationHandlersResolvers">
  <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
  <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
  <entry key-ref="jaasAuthenticationHandler" value-ref="primaryPrincipalResolver" />
</util:map>
<util:list id="authenticationMetadataPopulators" />
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
      p:backingMap-ref="attrRepoBackingMap" />

<alias name="personDirectoryPrincipalResolver" alias="primaryPrincipalResolver" />

<util:map id="attrRepoBackingMap">
  <entry key="uid" value="uid" />
  ...

<bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid" c:authenticator-ref="authenticator">
  <property name="principalAttributeMap">
    <map>
      <entry key="displayName" value="simpleName" />
      <entry key="mail" value="email" />
      <entry key="memberOf" value="membership" />
    </map>
  </property>
</bean>

<ldaptive:bind-search-authenticator
    id="authenticator"
    ldapUrl="${ldap.url}"
    baseDn="${ldap.baseDn}"
    userFilter="${ldap.authn.searchFilter}"
    bindDn="${ldap.managerDn}"
    bindCredential="${ldap.managerPassword}"
    ...

ldap.properties:

ldap.url=...
ldap.baseDn=...
ldap.authn.searchFilter=(uid={user})
...

Tom Poage

May 19, 2016, 5:36:03 PM5/19/16
to cas-...@apereo.org
Could swear I tried this, but trying it again worked:

<util:map id="authenticationHandlersResolvers">
  <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
  <entry key-ref="ldapAuthenticationHandler" value="#{ null }" />
  <entry key-ref="jaasAuthenticationHandler" value-ref="primaryPrincipalResolver" />
</util:map>


Username: FrEd

serviceValidate:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>fred</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>
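To make the difference between the two handler-to-resolver mappings concrete, here is an added Python model of the chain; it is a constructed simplification, not CAS or ldaptive code. `DIRECTORY`, `bind_search` and the behaviour attributed to `person_directory_resolver` (principal id taken from the credential as typed when no `principal.attribute` is configured) are assumptions made for illustration.

```python
"""Constructed model (not CAS code) of the principal-resolution chain above:
the LDAP handler builds a principal from principalIdAttribute, and a chained
resolver may replace its id with the username exactly as typed."""
from dataclasses import dataclass, field

# Constructed directory entry, keyed by uid as stored. (uid={user}) matches
# case-insensitively, as LDAP does for caseIgnore attributes such as uid.
DIRECTORY = {
    "fred": {"uid": "fred", "displayName": "Fred Flintstone",
             "mail": "fred@example.org", "userPassword": "secret"},
}

@dataclass
class Principal:
    id: str
    attributes: dict = field(default_factory=dict)

def bind_search(user, password):
    """Emulates ldaptive bind-search: locate the entry, then bind as it."""
    entry = DIRECTORY.get(user.lower())
    if entry is None or entry["userPassword"] != password:
        return None
    return entry

def ldap_authentication_handler(user, password, principal_id_attribute="uid",
                                principal_attribute_map=None):
    """Like LdapAuthenticationHandler: id comes from the directory entry."""
    entry = bind_search(user, password)
    if entry is None:
        raise PermissionError("bind failed")
    attrs = {alias: entry[name]
             for name, alias in (principal_attribute_map or {}).items()
             if name in entry}
    return Principal(entry[principal_id_attribute], attrs)

def person_directory_resolver(credential_id, handler_principal):
    """Assumed behaviour of personDirectoryPrincipalResolver over the stub
    attribute repository with no principal.attribute set: the principal id
    is the credential id as typed, and the handler's principal is dropped."""
    return Principal(credential_id, {"uid": credential_id})

def resolve(user, password, resolver=None):
    """resolver=None corresponds to value="#{ null }" in the handler map."""
    principal = ldap_authentication_handler(
        user, password,
        principal_attribute_map={"displayName": "simpleName", "mail": "email"})
    return principal if resolver is None else resolver(user, principal)
```

With the resolver mapped to null, `resolve("FrEd", "secret")` yields the stored id `fred`, which is what downstream authorization and audit rules keyed on the canonical uid expect; with the person-directory resolver in the chain it yields `FrEd`.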