Attributes from LDAP Authentication Handler

217 views

Skip to first unread message

Nick Couchman

unread,

Jul 17, 2016, 9:57:29 PM7/17/16

to CAS Community

I'm having a really hard time figuring out the proper deployerContextConfiguration.xml settings to get LDAP attributes from the existing LDAP Authentication Handler rather than having to set up a separate LDAP Directory search for attributes. I've found several references to how to set it up, but they seem to assume some knowledge that I don't have. My current config is below, and, based on this config, all of the attributes show up with empty values because it's using the stub driver with the backing map, which has blank values. Can anyone tell me what I need to change to get LDAP attributes out of the ldapAuthenticationHandler and not have to set up a separate LDAP Directory connection for retrieving them?

Thanks - Nick

==Begin Config==

<util:map id="authenticationHandlersResolvers">
<entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
<entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
<entry key-ref="primaryAuthenticationHandler" value="#{null}" />
</util:map>

<util:list id="authenticationMetadataPopulators">
<ref bean="successfulHandlerMetaDataPopulator" />
<ref bean="rememberMeAuthenticationMetaDataPopulator" />
</util:list>

<util:map id="attrRepoBackingMap">
<entry key="displayName" value="" />
<entry key="mail" value="" />
<entry key="groupMembership" value="" />
<entry key="cn" value="" />
<entry key="givenName" value="" />
<entry key="sn" value="" />
<entry key="uid" value="" />
<entry key="uidNumber" value="" />
<entry key="gidNumber" value="" />
</util:map>

<util:list id="monitorsList">
<ref bean="memoryMonitor" />
<ref bean="sessionMonitor" />
</util:list>

Misagh Moayyed

unread,

Jul 18, 2016, 2:14:12 AM7/18/16

to CAS Community

Have you followed this doc?

https://apereo.github.io/cas/4.2.x/installation/LDAP-Authentication.html#configuration

Specially the part that says "If you do decide to let the authentication handler retrieve attributes instead of a separate principal resolver, you will need to….” Sounds like what you were asking.

--
Misagh

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2211f8aa-50ac-49d2-a42b-4cb37e323d3a%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Dmitriy Kopylenko

unread,

Jul 18, 2016, 6:06:47 AM7/18/16

to Nick Couchman, CAS Community

Use this:

<entry key-ref="ldapAuthenticationHandler" value-ref="#{null}" />

Cheers,

Nick Couchman

unread,

Jul 18, 2016, 10:07:31 AM7/18/16

to CAS Community

Wow, that's really, really embarrassing. Made that change and it works perfectly. Thanks for pointing out the obvious.

-Nick

Nick Couchman

unread,

Jul 18, 2016, 10:08:17 AM7/18/16

to CAS Community

Yep, with value= instead of value-ref=, it works great. Next time I'll read the documentation more thoroughly.

-Nick

z mortazavi

unread,

Feb 15, 2017, 4:16:45 AM2/15/17

to jasig-cas-user, cas-...@apereo.org, mmoa...@unicon.net

I setup jasig-cas-4.2.6 and I can login successful in cas-side but in my client I get login successful but phpCAS::getAttributes() no return my attribute such as mail and givenName

deployerConfigContext.xml is:

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:ldaptive="http://www.ldaptive.org/schema/spring-ext"
      
 xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans.xsd


       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd

       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
       http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
       http://www.ldaptive.org/schema/spring-ext http://www.ldaptive.org/schema/spring-ext.xsd">

    <bean id="ldapAuthenticationHandler"         class="org.jasig.cas.authentication.LdapAuthenticationHandler"

      c:authenticator-ref="authenticator"> 
    <property name="principalAttributeMap">
        <map>

<entry key="givenName" value="firstName"/>


     <entry key="mail" value="email"/>

        </map>
    </property> 
    </bean>
    
    
    
    
    <util:map id="authenticationHandlersResolvers">


        <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />

<entry key-ref="ldapAuthenticationHandler" value="#{null}" />



    </util:map>
    
    
    <util:list id="authenticationMetadataPopulators">
        <ref bean="successfulHandlerMetaDataPopulator" />
        <ref bean="rememberMeAuthenticationMetaDataPopulator" />
    </util:list>

    <alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
    <alias name="personDirectoryPrincipalResolver" alias="primaryPrincipalResolver" />

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
          p:backingMap-ref="attrRepoBackingMap" />

    <util:map id="attrRepoBackingMap">

<entry key="givenName" value="firstName"/>


    <entry key="mail" value="email"/>
   
      
        <entry>

            <key><value>memberOf</value></key>
            <list>
                <value>faculty</value>
                <value>staff</value>
                <value>org</value>
            </list>
        </entry>


    </util:map> 

    
    <alias name="serviceThemeResolver" alias="themeResolver" />

    <alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" />

    <alias name="defaultTicketRegistry" alias="ticketRegistry" />
    
    <alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
    <alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />

    <alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
    <alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />

    <bean id="auditTrailManager"
          class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
          p:entrySeparator="${cas.audit.singleline.separator:|}"
          p:useSingleLine="${cas.audit.singleline:false}"/>

    <alias name="neverThrottle" alias="authenticationThrottle" />

    <util:list id="monitorsList">
        <ref bean="memoryMonitor" />
        <ref bean="sessionMonitor" />
    </util:list>

    <alias name="defaultPrincipalFactory" alias="principalFactory" />
    <alias name="defaultAuthenticationTransactionManager" alias="authenticationTransactionManager" />
    <alias name="defaultPrincipalElectionStrategy" alias="principalElectionStrategy" />
    <alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" />

<bean id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
      p:registeredServices-ref="registeredServicesList" />
    


    <util:list id="registeredServicesList">
        <bean class="org.jasig.cas.services.RegexRegisteredService"
          p:id="1"
          p:name="sso"
          p:serviceId="^(https?|imaps?|http?)://.*"
          p:description="sso cas"
          p:evaluationOrder="0" >
  
   
 <property name="attributeReleasePolicy">
    <bean class="org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy">
        <property name="allowedAttributes">
    

                     
                <list>
                    <value>mail</value>
                    <value>givenName</value>
                    

                </list> 
    </property>
    </bean>
    
        </property>

        </bean>
  

    </util:list>    

    
            
        <ldaptive:ad-authenticator id="authenticator"
            
        ldapUrl="xxxx"
        baseDn="xxxxxx"
        userFilter="xx"
        bindDn="xxxxx"
        bindCredential="xxxxxxxx"
        connectTimeout="5000"
        useStartTLS="false"
        blockWaitTime="3000"
        maxPoolSize="10"
        allowMultipleDns="false"
        minPoolSize="1"
        validateOnCheckOut="false"
        validatePeriodically="true"
        validatePeriod="300"
        idleTime="600"
        prunePeriod="300"
        failFastInitialize="false"
        subtreeSearch="true"
        useSSL="false"

/>
        
</beans>

and my json file is:

....
    "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"   }
   "allowedAttributes" : [ "java.util.ArrayList", [ "mail", "givenName"] ]
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false
  },
...

and in client side i have:

phpCAS::client(CAS_VERSION_3_0,'xxx',443,'cas');

...

$attr = phpCAS::getAttributes();

but my response is (don't involve my attribute mail and givenName) :

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
AEF4 .|    |    |    |    |    |        <cas:authenticationSuccess>
AEF4 .|    |    |    |    |    |            <cas:user>xxx</cas:user>
AEF4 .|    |    |    |    |    |            
AEF4 .|    |    |    |    |    |                <cas:attributes>
AEF4 .|    |    |    |    |    |                          
AEF4 .|    |    |    |    |    |                            <cas:LdapAuthenticationHandler.dn>xxxxxxxxx</cas:LdapAuthenticationHandler.dn>
AEF4 .|    |    |    |    |    |                          
AEF4 .|    |    |    |    |    |                            <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
AEF4 .|    |    |    |    |    |                           
AEF4 .|    |    |    |    |    |                            <cas:isFromNewLogin>true</cas:isFromNewLogin>
AEF4 .|    |    |    |    |    |                             
AEF4 .|    |    |    |    |    |                            <cas:authenticationDate>2017-02-01T10:46:15.737+03:30</cas:authenticationDate>
AEF4 .|    |    |    |    |    |                        
AEF4 .|    |    |    |    |    |                
AEF4 .|    |    |    |    |    |                </cas:attributes>
AEF4 .|    |    |    |    |    |         
AEF4 .|    |    |    |    |    |        </cas:authenticationSuccess>
AEF4 .|    |    |    |    |    |    </cas:serviceResponse>

please help me.

thanks in advance.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.578c73a5.185532a6.184f0%40unicon.net.

Reply all

Reply to author

Forward

0 new messages