Attribute Resolution From Authentication Source

IainWorkman

Jan 10, 2019, 3:41:16 PM
to CAS Community
Hi All,

I am currently in the process of migrating from v5.0.x to v5.3.x and am having issues with obtaining attributes for services. The symptom I am seeing is that, even when I configure a service with the Attribute Release policy of Return All, I am seeing no attributes when I run through the test provided at /status/attrresolution.

I am using LDAP for authentication, and from the documentation I should also be able to use this in order to obtain attributes (see https://apereo.github.io/cas/5.3.x/integration/Attribute-Resolution.html):

Principal Resolution
Note that in most if not all cases, CAS authentication is able to retrieve and resolve attributes from the authentication source, which would eliminate the need for configuring a separate resolver specially if both the authentication and the attribute source are the same. Using separate resolvers should only be required when sources are different, or when there is a need to tackle more advanced attribute resolution use cases such as cascading, merging, etc. See this guide for more info.

The configuration block for the LDAP source is as follows:
cas.authn.ldap[0].principalAttributeList=memberOf, samaccountname, displayName, mail
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://dc.domain.com
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].baseDn=cn=users,dc=domain,dc=com
cas.authn.ldap[0].bindDn=cn=admin,ou=admin,dc=domain,dc=com
cas.authn.ldap[0].bindCredential=**************
cas.authn.ldap[0].searchFilter=(|(sAMAccountName={user})(mail={user}))
cas.authn.ldap[0].principalAttributeId=samaccountname
cas.authn.ldap[0].validator.baseDn=cn=users,dc=domain,dc=com

Under the previous version this was sufficient to ensure those attributes listed (memberOf, samaccountname, displayName, mail) would end up in the CAS response. They don't any more.

In some initial debugging I have found that in PolicyBasedAuthenticationManager::authenticateAndResolvePrincipal() the principal which is getting returned from the result (an instance of a SimplePrincipal) contains the attributes returned by the LdapAuthenticationHandler, but that these are then overwritten by the call to this.resolvePrincipal(handler, resolver, credential, principal) which happens a few lines later (with the resolver being of the type:
PersonDirectoryPrincipalResolver(attributeRepository=org.apereo.services.persondir.support.CachingPersonAttributeDaoImpl@41e5bc47, principalFactory=org.apereo.cas.authentication.principal.DefaultPrincipalFactory@1, returnNullIfNoAttributes=false, principalNameTransformer=org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver$$Lambda$167/1993482928@71e35b54, principalAttributeNames=null, useCurrentPrincipalId=false)
)
At this point I am stumped.

Thanks in advance for any help,
Iain
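The overwrite described in the post, as an added example that is not code from the original post or from CAS itself: a small Python model of the handler-then-resolver chain, run against a constructed LDAP entry, that reports which handler-supplied attributes are missing after the PersonDirectory step. It assumes, as a modelling simplification, that the manager keeps the handler's principal only when the resolver returns null; the property and attribute names are the ones from the configuration above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Attrs = Dict[str, List[str]]


@dataclass
class Principal:
    id: str
    attributes: Attrs = field(default_factory=dict)


# Constructed LDAP entry standing in for what dc.domain.com would return.
LDAP_ENTRY: Attrs = {
    "samaccountname": ["iworkman"],
    "memberOf": ["cn=staff,cn=users,dc=domain,dc=com"],
    "displayName": ["Iain Workman"],
    "mail": ["iworkman@domain.com"],
}
PRINCIPAL_ATTRIBUTE_ID = "samaccountname"                      # principalAttributeId
PRINCIPAL_ATTRIBUTE_LIST = ["memberOf", "samaccountname", "displayName", "mail"]


def ldap_handler_principal(entry: Attrs) -> Principal:
    """Model of LdapAuthenticationHandler: id from principalAttributeId,
    attributes from principalAttributeList."""
    attrs = {a: list(entry[a]) for a in PRINCIPAL_ATTRIBUTE_LIST if a in entry}
    return Principal(entry[PRINCIPAL_ATTRIBUTE_ID][0], attrs)


def person_directory_resolve(principal: Principal, repository: Dict[str, Attrs],
                             return_null_if_no_attributes: bool) -> Optional[Principal]:
    """Model of PersonDirectoryPrincipalResolver: the principal is rebuilt from
    the attribute repository alone; the handler's attributes are not merged in."""
    attrs = repository.get(principal.id, {})
    if not attrs and return_null_if_no_attributes:
        return None
    return Principal(principal.id, dict(attrs))


def authenticate_and_resolve(repository: Dict[str, Attrs],
                             return_null_if_no_attributes: bool) -> Principal:
    """Assumption of this model: a null from the resolver keeps the handler's
    principal, anything else replaces it (this is the overwrite seen in debugging)."""
    from_handler = ldap_handler_principal(LDAP_ENTRY)
    resolved = person_directory_resolve(from_handler, repository, return_null_if_no_attributes)
    return resolved if resolved is not None else from_handler


def lost_attributes(repository: Dict[str, Attrs], return_null_if_no_attributes: bool) -> List[str]:
    """Diagnostic: handler-supplied attribute names absent after resolution."""
    before = ldap_handler_principal(LDAP_ENTRY).attributes
    after = authenticate_and_resolve(repository, return_null_if_no_attributes).attributes
    return sorted(a for a in before if a not in after)
```

With no separate attribute repository configured (an empty dict here) and returnNullIfNoAttributes=false, every LDAP attribute is reported lost, matching the empty result at /status/attrresolution.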