EchoingPrincipalResolver


Klaus-Dieter Krannich

Feb 23, 2018, 9:26:04 AM
to CAS Community
Hi,

I'm trying to implement authentication with uid+pass or mail+pass against ldap
in cas-5.2.2.
Basically it is
authn.ldap[0].userFilter=(|(uid={user})(mail={user})),
authn.ldap[0].principalAttribute=uid
authn.ldap[0].principalAttributeList: uid,  mail.
This works fine with uid+pass. If I try mail+pass, I get:

------
2018-02-23 14:18:53,539 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [LdapAuthenticationHandler] successfully authenticated [x...@yy.de]>

2018-02-23 14:18:53,541 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Invoking principal resolver [org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver@389a9ff6[returnNullIfNoAttributes=false,principalAttributeName=uid,principalNameTransformer=org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver$$Lambda$73/906424041@6f071d0c,principalFactory=org.apereo.cas.authentication.principal.DefaultPrincipalFactory@d]]>

2018-02-23 14:18:53,587 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Resolved principal [xx]>
2018-02-23 14:18:53,587 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Adding attributes [{REMOVED}] for the final principal>

2018-02-23 14:18:53,586 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Invoking principal resolver [org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver@15af06f[]]>
2018-02-23 14:18:53,587 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Resolved principal [x...@yy.de]>
2018-02-23 14:18:53,587 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Adding attributes [{REMOVED}] for the final principal>

2018-02-23 14:18:53,591 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver@28532753[chain=[org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver@389a9ff6[returnNullIfNoAttributes=false,principalAttributeName=uid,principalNameTransformer=org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver$$Lambda$73/906424041@6f071d0c,principalFactory=org.apereo.cas.authentication.principal.DefaultPrincipalFactory@d], org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver@15af06f[]]]] failed to resolve principal from [x...@yy.de]>

org.apereo.cas.authentication.PrincipalException: Resolved principals by the chain are not unique because principal resolvers have produced CAS principals with different identifiers which typically is the result of a configuration issue.
------

How can this configuration issue be fixed?

Thanks,

   K-D

Lucas Ferreira

Feb 23, 2018, 9:47:27 AM
to CAS Community
Which CAS version are you using? For CAS 5.2 the following config works for me:

cas.authn.ldap[0].userFilter=(|(uid={user})(mail={user}))
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributeList=uid,mail

Please check that the parameter names you are using are correct; for example, you wrote "principalAttribute" instead of "principalAttributeId".

Klaus-Dieter Krannich

Feb 24, 2018, 1:35:11 AM
to CAS Community
Hi,

Lucas, you are right, it works as expected if no additional principal resolver is configured. As soon as I add an attributeRepository via e.g. cas.authn.attributeRepository.ldap[0] properties, I get the error.
In cas-4.2.7 I have:
    <util:map id="authenticationHandlersResolvers">
        <entry key-ref="proxyAuthenticationHandler"   value-ref="proxyPrincipalResolver" />
        <entry key-ref="ldapAuthenticationHandler"    value="#{null}" />
        <entry key-ref="x509AuthenticationHandler"    value-ref="x509PrincipalResolver" />
    </util:map>
So my question is, how to configure this in cas-5.2?

Thanks,

   K-D
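
An added example, not part of the thread and not CAS code: a short Python script that pairs each "Invoking principal resolver" DEBUG line with the "Resolved principal" line that follows it and reports when the chain produced different identifiers, which is the condition behind the PrincipalException in the first post. The sample log is constructed by abbreviating the lines quoted there; the function names and the exact-string comparison of ids are this example's own choices.

```python
import re

# Constructed sample: the DEBUG lines from the first post with the resolver
# object dumps shortened. Principal values are kept as redacted in the post.
SAMPLE_LOG = """\
2018-02-23 14:18:53,541 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Invoking principal resolver [org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver@389a9ff6[returnNullIfNoAttributes=false,principalAttributeName=uid]]>
2018-02-23 14:18:53,587 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Resolved principal [xx]>
2018-02-23 14:18:53,587 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Adding attributes [{REMOVED}] for the final principal>
2018-02-23 14:18:53,586 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Invoking principal resolver [org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver@15af06f[]]>
2018-02-23 14:18:53,587 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Resolved principal [x...@yy.de]>
2018-02-23 14:18:53,587 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Adding attributes [{REMOVED}] for the final principal>
"""

# Capture the simple class name of the resolver and the id it resolved.
INVOKE = re.compile(r"<Invoking principal resolver \[(?:[\w$]+\.)*([\w$]+)@")
RESOLVED = re.compile(r"<Resolved principal \[(.*?)\]>")


def resolved_by_chain(log_text):
    """Pair each 'Invoking' line with the next 'Resolved principal' line."""
    pairs, current = [], None
    for line in log_text.splitlines():
        m = INVOKE.search(line)
        if m:
            current = m.group(1)
            continue
        m = RESOLVED.search(line)
        if m and current is not None:
            pairs.append((current, m.group(1).strip()))
            current = None  # a resolver that returned nothing leaves no pair
    return pairs


def conflicting_ids(pairs):
    """Return {principal id: [resolvers]} if the chain produced more than
    one distinct id (exact string comparison, this script's own rule)."""
    by_id = {}
    for resolver, principal_id in pairs:
        by_id.setdefault(principal_id, []).append(resolver)
    return by_id if len(by_id) > 1 else {}


if __name__ == "__main__":
    for pid, resolvers in conflicting_ids(resolved_by_chain(SAMPLE_LOG)).items():
        print(f"{pid!r} <- {', '.join(resolvers)}")
```

On the sample, the output shows PersonDirectoryPrincipalResolver returning the uid while EchoingPrincipalResolver returns the mail address the user typed.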