CAS 7.0 attribute retrieval failure


Ray Bon

Jan 27, 2024, 12:26:10 AM
to CAS Developer
I am using org.apereo.cas:cas-server-support-ldap-core with the following config to retrieve attributes after the authentication step.

....
ldap[0]:
        attributes:
          description: description
        bind-credential: ${authn.ldap.bind-credential}
        base-dn: ${authn.ldap.base-dn-admin}
        bind-dn: ${authn.ldap.bind-dn}
        connect-timeout: PT3S
        id: administrators
        ldap-url: ${ldap-url}
        order: 2
        search-filter: uid={user}
...

This results in the below log output (at bottom of email) (more available upon request). Since the search is submitted with the service (_not_ serviceId), no attribute is returned. This behaviour is new since version 6.5

I have looked at the code in:

I would like to know where LdaptivePersonAttributeDao is being accessed in other parts of the cas code? That is, what populates the attributes and how it chooses the particular attribute:value to submit to the search request?

Thanks,

Ray


cas               | 2024-01-25 22:13:56,810 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'principal' with value '[rbon]' to query builder 'null'> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,811 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,811 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'credentialClass' with value '[UsernamePasswordCredential]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,811 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=UsernamePasswordCredential]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,811 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'credentialId' with value '[rbon]' to query builder '[org.ldaptive.FilterTemplate@-147358242::filter=uid={user}, parameters={user=UsernamePasswordCredential}]'> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,811 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,811 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'username' with value '[rbon]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,811 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,811 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'service' with value '[https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,811 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,811 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Generated query builder '[org.ldaptive.FilterTemplate@-621386179::filter=uid={user}, parameters={user=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient}]' from query Map {principal=[rbon], credentialClass=[UsernamePasswordCredential], credentialId=[rbon], username=[rbon], service=[https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]}.> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,812 TRACE [                                      org.ldap.SearchRequest] - <setting baseDn: ou=...> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,812 TRACE [                                      org.ldap.SearchRequest] - <setting filter: [org.ldaptive.FilterTemplate@-621386179::filter=uid={user}, parameters={user=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient}]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,812 TRACE [                                      org.ldap.SearchRequest] - <setting binaryAttributes: [objectGUID, objectSid]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,813 TRACE [                                      org.ldap.SearchRequest] - <setting returnAttributes: [eduPersonEntitlement, uid, mail, eduPersonAffiliation, givenName, eduPersonPrincipalName, sn, cn, memberOf]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,813 TRACE [                                      org.ldap.SearchRequest] - <setting searchScope: SUBTREE> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,813 TRACE [                                      org.ldap.SearchRequest] - <setting sizeLimit: 0> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:56,813 TRACE [                                      org.ldap.SearchRequest] - <setting timeLimit: PT0S> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,040 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'principal' with value '[rbon]' to query builder 'null'> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,040 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,040 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'credentialClass' with value '[UsernamePasswordCredential]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,040 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=UsernamePasswordCredential]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,040 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'credentialId' with value '[rbon]' to query builder '[org.ldaptive.FilterTemplate@-147358242::filter=uid={user}, parameters={user=UsernamePasswordCredential}]'> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,040 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,041 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'username' with value '[rbon]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,041 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,041 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'service' with value '[https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,041 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,041 DEBUG [     org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Generated query builder '[org.ldaptive.FilterTemplate@-621386179::filter=uid={user}, parameters={user=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient}]' from query Map {principal=[rbon], credentialClass=[UsernamePasswordCredential], credentialId=[rbon], username=[rbon], service=[https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]}.> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,041 TRACE [                                      org.ldap.SearchRequest] - <setting baseDn: ou=administrators,ou=...> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,041 TRACE [                                      org.ldap.SearchRequest] - <setting filter: [org.ldaptive.FilterTemplate@-621386179::filter=uid={user}, parameters={user=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient}]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,042 TRACE [                                      org.ldap.SearchRequest] - <setting binaryAttributes: [objectGUID, objectSid]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,042 TRACE [                                      org.ldap.SearchRequest] - <setting returnAttributes: [description]> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,042 TRACE [                                      org.ldap.SearchRequest] - <setting searchScope: SUBTREE> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,042 TRACE [                                      org.ldap.SearchRequest] - <setting sizeLimit: 0> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,042 TRACE [                                      org.ldap.SearchRequest] - <setting timeLimit: PT0S> [https-openssl-nio-8443-exec-9]
cas               | 2024-01-25 22:13:57,277 INFO  [              org.aper.cas.auth.DefaultAuthenticationManager] - <Authenticated principal [rbon] with attributes [{domain=[uvic.ca], username=[rbon]}] via credentials [[UsernamePasswordCredential(username=rbon, source=null, customFields={})]].> [https-openssl-nio-8443-exec-9]


Ray Bon

Jan 28, 2024, 9:54:08 AM
to CAS Developer, Ray Bon
To clarify the sentence about the service being submitted for ldap search.
What is happening:
What should happen:
uid=rbon

Ray

Misagh Moayyed

Jan 30, 2024, 11:56:15 AM
to CAS Developer
You can review PrincipalAttributeRepositoryFetcher.

Ray Bon

Jan 30, 2024, 11:49:10 PM
to CAS Developer, Misagh Moayyed
Ok, to close the loop on this (and perhaps open a new one), I can get the attributes if I use this config option:
cas.authn.attribute-repository.ldap[0].query-attributes.username=uid

NOTE: attributes are returned if no service is provided with the authentication attempt since username is the last attribute processed (discussed later).

To find the key, 'username', I used this logger (and the follow up for ldap):
<Logger name="org.apereo.services.persondir" level="debug" />
<Logger name="org.ldaptive" level="trace"/>
<Logger name="org.ldaptive.SearchRequest" level="trace" additivity="true" />

After perusing the code, indeed the resulting FilterTemplate has all entries (principal, credentialClass, credentialId, username, service), observed with this log line:
Generated query builder '[org.ldaptive.FilterTemplate@-621386179::filter=uid={user}, parameters={user=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient}]' from query Map {principal=[rbon], credentialClass=[UsernamePasswordCredential], credentialId=[rbon], username=[rbon], service=[https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]}.

However, the filter is only concerned with a single parameter, 'user', setting it to the entry being processed; i.e. last one wins, which is the value for service.

If, however the search filter is changed to:
search-filter: uid={username}

Then attributes are returned.

Two obvious ways forward are:
1. make cas.authn.attribute-repository.ldap[].query-attributes a required property (and provide at least some predefined options; such as principal, credentialId, username)
2. add the attribute used in the authentication stage to the list of query parameters (so the same search-filter can be used with authentication and attribute retrieval)

I am open to other suggestions.

Ray
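
The binding behaviour described in this message, and visible in the DEBUG lines of the first message, replayed as an added example. This is illustration code written for this thread, not CAS, person-directory or ldaptive code; the function names are assumptions, and the binding rule (every query-map entry is offered to the template, a bare `{user}` placeholder keeps the last value offered, a `{username}` placeholder binds only that entry, and a configured `query-attributes` mapping restricts and renames what is offered) is modelled on the posted log output rather than taken from the CAS sources. It also includes a small parser for the "Generated query builder" log line so the mismatch can be spotted in logs rather than by eye.

```python
"""Replay of the filter-parameter binding seen in the thread's DEBUG log,
plus a check over the 'Generated query builder' log line.

Added illustration for this thread, not CAS or ldaptive code.  Function
names and the constructed sample values are assumptions; the binding rule
is modelled on the log lines posted in the thread."""
import re

# RFC 4515 escaping for a filter assertion value, so that an unexpected
# value (here a service URL) can only be compared, never change the
# structure of the filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value):
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, query_map, query_attributes=None):
    """Return the search filter the modelled DAO would send.

    query_map        -- attributes CAS offers, in the order it offers them
                        (principal, credentialClass, credentialId, username,
                        service in the log above); values are plain strings here
    query_attributes -- the cas.authn.attribute-repository.ldap[].query-attributes
                        mapping; when set, only the mapped keys are offered,
                        each under its LDAP attribute name
    """
    if query_attributes:
        offered = [(ldap_name, query_map[key])
                   for key, ldap_name in query_attributes.items() if key in query_map]
    else:
        offered = list(query_map.items())

    params = {}
    for name, value in offered:
        if '{%s}' % name in template:      # '{username}' binds only that entry
            params[name] = value
        if '{user}' in template:           # bare '{user}': last offered value wins
            params['user'] = value

    def substitute(match):
        name = match.group(1)
        if name not in params:
            raise ValueError('unbound filter parameter {%s}' % name)
        return escape_filter_value(params[name])

    return re.sub(r'\{(\w+)\}', substitute, template)


# Parser for the DEBUG line CAS logs once the builder is complete.
_GENERATED = re.compile(
    r"Generated query builder '\[.*?parameters=\{(?P<pname>\w+)=(?P<bound>[^}]*)\}\]' "
    r"from query Map \{(?P<map>.*?)\}")


def check_generated_query_line(line):
    """Report which query-map entry the filter parameter actually took its
    value from.  Returns None if the line is not that log message."""
    m = _GENERATED.search(line)
    if not m:
        return None
    query_map = dict(re.findall(r'(\w+)=\[([^\]]*)\]', m.group('map')))
    bound = m.group('bound')
    return {
        'parameter': m.group('pname'),
        'bound_value': bound,
        'principal': query_map.get('principal'),
        'source_keys': [k for k, v in query_map.items() if v == bound],
        'matches_principal': bound == query_map.get('principal'),
    }


# Constructed sample input, taken from the values shown in the thread.
SERVICE = 'https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient'
QUERY_MAP = {
    'principal': 'rbon',
    'credentialClass': 'UsernamePasswordCredential',
    'credentialId': 'rbon',
    'username': 'rbon',
    'service': SERVICE,
}
SAMPLE_LOG_LINE = (
    "cas | 2024-01-25 22:13:56,811 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - "
    "<Generated query builder '[org.ldaptive.FilterTemplate@-621386179::filter=uid={user}, "
    "parameters={user=" + SERVICE + "}]' from query Map {principal=[rbon], "
    "credentialClass=[UsernamePasswordCredential], credentialId=[rbon], username=[rbon], "
    "service=[" + SERVICE + "]}.> [https-openssl-nio-8443-exec-9]")

if __name__ == '__main__':
    print('uid={user}, no mapping      ->', build_filter('uid={user}', QUERY_MAP))
    print('uid={username}, no mapping  ->', build_filter('uid={username}', QUERY_MAP))
    print('uid={user}, username=uid    ->', build_filter('uid={user}', QUERY_MAP, {'username': 'uid'}))
    print('log check                   ->', check_generated_query_line(SAMPLE_LOG_LINE))
```

Running it prints the three filters side by side: the bare `{user}` template ends up comparing `uid` against the service URL, while either `{username}` in the filter or the `query-attributes.username=uid` mapping yields `uid=rbon`. When reviewing CAS logs, a `source_keys` result that does not include `principal` or `username` is the quickest sign that the filter parameter was bound to the wrong query-map entry.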

Misagh Moayyed

Feb 1, 2024, 3:37:34 AM
to CAS Developer
2. add the attribute used in the authentication stage to the list of query parameters (so the same search-filter can be used with authentication and attribute retrieval)

This is the best option. You should be able to add this the same way "username" is added.
