[CAS-5.2.2] JAAS LDAP Authentication Principal Attribute Resolve Issue


Soumya Tripathy

Feb 15, 2018, 9:29:54 AM
to CAS Community
Hi,
Recently we upgraded CAS from 5.1.0 to 5.2.2.
With CAS 5.1.0, when I was using JAAS with LDAP, it was returning the correct principal.
But now with CAS 5.2.0 I'm getting the principal as

Log In Successful

You, CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com have successfully logged into the Central Authentication Service 


(XXX are masked due to company internal policy)

Whereas earlier (with CAS-5.1.0) I was getting

Log In Successful

You, Soumya_Tripathy have successfully logged into the Central Authentication Service 


I compared the logs of both versions; here are the findings:


CAS-5.1.0 Logs


2018-02-15 19:28:04,673 DEBUG [org.apereo.cas.authentication.handler.support.JaasAuthenticationHandler] - <Attempting authentication for: [Soumya_Tripathy]>
[LdapLoginModule] authentication-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://ad.xxx.com/DC=ad,DC=XXX,DC=com
[LdapLoginModule] attempting to authenticate user: Soumya_Tripathy
[LdapLoginModule] searching for entry belonging to user: Soumya_Tripathy
[LdapLoginModule] found entry: CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com
[LdapLoginModule] authentication succeeded
[LdapLoginModule] added LdapPrincipal "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com" to Subject
[LdapLoginModule] added UserPrincipal "Soumya_Tripathy" to Subject
[LdapLoginModule] logged out Subject
2018-02-15 19:28:04,770 DEBUG [org.apereo.cas.authentication.AbstractAuthenticationManager] - <Authentication handler [JaasAuthenticationHandler] successfully authenticated [Soumya_Tripathy]>
2018-02-15 19:28:04,773 DEBUG [org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver] - <Attempting to resolve a principal...>
2018-02-15 19:28:04,775 DEBUG [org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver] - <Creating principal for [Soumya_Tripathy]>


CAS-5.2.2 Logs

2018-02-15 18:51:19,449 DEBUG [org.apereo.cas.authentication.handler.support.JaasAuthenticationHandler] - <Attempting authentication for: [soumya_tripathy]>
[LdapLoginModule] authentication-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://ad.xxx.com/DC=ad,DC=XXX,DC=com
[LdapLoginModule] attempting to authenticate user: soumya_tripathy
[LdapLoginModule] searching for entry belonging to user: soumya_tripathy
[LdapLoginModule] found entry: CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com
[LdapLoginModule] authentication succeeded
[LdapLoginModule] added LdapPrincipal "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com" to Subject
[LdapLoginModule] added UserPrincipal "soumya_tripathy" to Subject
[LdapLoginModule] logged out Subject
2018-02-15 18:51:19,523 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [JaasAuthenticationHandler] successfully authenticated [soumya_tripathy]>
2018-02-15 18:51:19,524 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Invoking principal resolver [org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver@6920d398[]]>
2018-02-15 18:51:19,525 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Resolved principal [CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>
2018-02-15 18:51:19,527 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Final principal constructed by the chain of resolvers is [CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>
2018-02-15 18:51:19,528 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver@1a6ac3e7[chain=[org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver@6920d398[]]]] resolved [CN=CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com] from [soumya_tripathy]>
2018-02-15 18:51:19,529 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is [CN=CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>




What I observe is that the earlier version (5.1.0) of CAS was delegating the request to PersonDirectoryPrincipalResolver, but now with version 5.2.2 it is delegating to PolicyBasedAuthenticationManager and ChainingPrincipalResolver.


HTTPSandIMAPS-10000001.json:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https|imaps)://.*",
  "name": "HTTPS and IMAPS",
  "id": 10000001,
  "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "proxyPolicy": {
    "@class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "evaluationOrder": 10000,
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode": "NONE",
    "encryptUsername": false
  },
  "logoutType": "BACK_CHANNEL",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "excludeDefaultAttributes": false
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requireAllAttributes": true,
    "caseInsensitive": false
  }
}


JAAS.conf:


LDAP {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap://xxx"
    authIdentity="{USERNAME}@xxxdomain"
    userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
    useSSL=false
    debug=true;
};



Is there any configuration I'm missing with respect to CAS 5.2.2?



Thanks

Soumya Ranjan Tripathy


Man H

Feb 15, 2018, 12:49:39 PM
to cas-...@apereo.org
What would your question be?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/96b08cf1-c3b4-4768-af75-df0dc5cbbec6%40apereo.org.


Soumya Tripathy

Feb 15, 2018, 11:47:44 PM
to CAS Community
I want CAS to resolve the principal as Soumya_Tripathy instead of CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com. How can I achieve this in CAS version 5.2.2 with JAAS LDAP?

Soumya Tripathy

Feb 16, 2018, 4:44:43 AM
to CAS Community
I looked into the source code of CasCoreAuthenticationPrincipalConfiguration.java and I'm getting attributeRepositories as empty.

@Autowired
@RefreshScope
@Bean
@ConditionalOnMissingBean(name = "personDirectoryPrincipalResolver")
public PrincipalResolver personDirectoryPrincipalResolver(@Qualifier("principalFactory") final PrincipalFactory principalFactory) {
    final PersonDirectoryPrincipalResolver bean = new PersonDirectoryPrincipalResolver();
    bean.setAttributeRepository(attributeRepository);
    bean.setPrincipalAttributeName(casProperties.getPersonDirectory().getPrincipalAttribute());
    bean.setReturnNullIfNoAttributes(casProperties.getPersonDirectory().isReturnNull());
    bean.setPrincipalFactory(principalFactory);
    final ChainingPrincipalResolver resolver = new ChainingPrincipalResolver();
    // The person-directory resolver only joins the chain when attribute repositories are configured.
    if (!attributeRepositories.isEmpty()) {
        LOGGER.debug("Attribute repository sources are defined and available for the principal resolution chain. "
            + "The principal resolver will use a combination of attributes collected from attribute repository sources "
            + "and whatever may be collected during the authentication phase where results are eventually merged.");
        resolver.setChain(CollectionUtils.wrapList(bean, new EchoingPrincipalResolver()));
    } else {
        // No repositories: the chain is just the echoing resolver, so the handler's principal is used as-is.
        LOGGER.debug("Attribute repository sources are not available for principal resolution so principal resolver will echo "
            + "back the principal resolved during authentication directly.");
        resolver.setChain(new EchoingPrincipalResolver());
    }
    return resolver;
}

So it is always going to EchoingPrincipalResolver, and then the principal is getting resolved to CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com.

Do I need to set any additional properties in my cas.properties so that it will include PersonDirectoryPrincipalResolver in the resolver chain when I'm using plain JAAS LDAP auth?
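The debug logs in the first post show that LdapLoginModule leaves two principals on the JAAS Subject, an LdapPrincipal holding the entry DN and a UserPrincipal holding the login name, and that in 5.2.2 the DN is what the echoing resolver chain hands back. The following is an added illustration, not CAS code and not code from the poster: it builds a Subject populated the way the log describes (with constructed sample values masked like the thread's) and contrasts taking whichever principal the Subject's principal set yields first with asking the Subject for its UserPrincipal by type. The assumption made here is only that a consumer choosing between the two principals must decide by type or by position; how CAS's JaasAuthenticationHandler itself makes that choice is not shown on this page.

```java
import com.sun.security.auth.LdapPrincipal;
import com.sun.security.auth.UserPrincipal;

import javax.naming.InvalidNameException;
import javax.security.auth.Subject;
import java.security.Principal;
import java.util.Set;

/**
 * Added illustration (not CAS or JDK project code): a JAAS Subject as
 * LdapLoginModule leaves it, carrying both an LdapPrincipal (the entry DN)
 * and a UserPrincipal (the login name), and two ways of picking "the"
 * principal name from it.
 */
public class JaasSubjectPrincipals {

    // Constructed sample values, masked the same way as the thread's logs.
    static final String LOGIN_NAME = "Soumya_Tripathy";
    static final String ENTRY_DN =
        "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com";

    /** Builds a Subject populated in the order the debug log reports: LdapPrincipal first, then UserPrincipal. */
    static Subject subjectAfterLdapLogin() throws InvalidNameException {
        Subject subject = new Subject();
        subject.getPrincipals().add(new LdapPrincipal(ENTRY_DN));
        subject.getPrincipals().add(new UserPrincipal(LOGIN_NAME));
        return subject;
    }

    /** Position-based choice: whatever the principal set iterates first. Here that is the DN. */
    static String firstPrincipalName(Subject subject) {
        for (Principal p : subject.getPrincipals()) {
            return p.getName();
        }
        return null;
    }

    /** Type-based choice: ask the Subject for UserPrincipal instances only. Here that is the login name. */
    static String userPrincipalName(Subject subject) {
        Set<UserPrincipal> users = subject.getPrincipals(UserPrincipal.class);
        return users.isEmpty() ? null : users.iterator().next().getName();
    }

    public static void main(String[] args) throws InvalidNameException {
        Subject subject = subjectAfterLdapLogin();
        System.out.println("principals on Subject: " + subject.getPrincipals().size());
        System.out.println("first in iteration   : " + firstPrincipalName(subject));
        System.out.println("UserPrincipal by type: " + userPrincipalName(subject));
    }
}
```

Running this with a JDK that exports com.sun.security.auth (the jdk.security.auth module) prints two principals, the DN for the position-based pick and Soumya_Tripathy for the type-based pick. When diagnosing which identifier a login handler ends up with, comparing these two selections against the "added ... to Subject" lines in the LdapLoginModule debug output is a quick way to see whether the DN or the login name is being propagated downstream.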