Enabling LDAP Attribute Resolution breaks authentication


Raymond Drew Walker

Jan 18, 2017, 12:47:20 PM
to cas-...@apereo.org

In CAS 4.1...


I had LDAP authentication working with cas-mfa overlay, with the default attribute stub DAO. I wanted to enable LDAP based attribute mapping, as the cas-mfa overlay doesn’t seem to pull from the principal attributes gathered during authentication. This means cas-mfa “per attribute” settings don’t work as expected. So, when enabling the LdaptivePersonAttributeDao:


As per: https://apereo.github.io/cas/4.1.x/integration/Attribute-Resolution.html

(commons collections in pom, etc.)


<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdaptivePersonAttributeDao"
      p:connectionFactory-ref="searchPooledLdapConnectionFactory"
      p:baseDN="${ldap.authn.baseDn}"
      p:searchControls-ref="searchControls"
      p:searchFilter="uid={0}">
    <property name="resultAttributeMapping">
        <map>
            <!--
               | Key is LDAP attribute name, value is principal attribute name.
               -->
            <entry key="uid" value="uid" />
            <entry key="cn" value="cn" />
            <entry key="mail" value="mail" />
            <entry key="nauedumemberof" value="nauedumemberof" />
        </map>
    </property>
</bean>

<bean id="searchControls"
      class="javax.naming.directory.SearchControls"
      p:searchScope="2"
      p:countLimit="10" />


I get the following log/error (after successful password/user login, denied ticket and kicked back to login):


2017-01-18 10:18:12,209 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for rdw4>
2017-01-18 10:18:12,288 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [org.ldaptive.auth.AuthenticationResponse@1697294702::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, ldapEntry=[dn=naueduregid=XXXXXXXXX,ou=people,dc=nau,dc=edu[[uid[rdw4]], [mail[Ray.W...@nau.edu]], [nauedumemberof[(attributes removed for brevity)]], [cn[Raymond Drew Walker]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2017-01-18 10:18:12,290 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [cn[Raymond Drew Walker]]>
2017-01-18 10:18:12,290 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [mail[Ray.W...@nau.edu]]>
2017-01-18 10:18:12,290 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [nauedumemberof[(attributes removed for brevity)]]>
2017-01-18 10:18:12,293 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated rdw4>
2017-01-18 10:18:12,294 DEBUG [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - <Attempting to resolve a principal...>
2017-01-18 10:18:12,294 DEBUG [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - <Creating SimplePrincipal for [rdw4]>
2017-01-18 10:18:12,295 DEBUG [org.jasig.services.persondir.support.ldap.LdaptivePersonAttributeDao] - <Created seed map='{username=[rdw4]}' for uid='rdw4'>
2017-01-18 10:18:12,295 DEBUG [org.jasig.services.persondir.support.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'username' with value '[rdw4]' to query builder 'null'>
2017-01-18 10:18:12,295 DEBUG [org.jasig.services.persondir.support.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rdw4]>
2017-01-18 10:18:12,296 DEBUG [org.jasig.services.persondir.support.ldap.LdaptivePersonAttributeDao] - <Generated query builder '[org.ldaptive.SearchFilter@-2004784735::filter=uid={0}, parameters={0=rdw4}]' from query Map {username=[rdw4]}.>
2017-01-18 10:18:12,332 DEBUG [org.jasig.services.persondir.support.ldap.LdaptivePersonAttributeDao] - <Converted ldap DN entry [naueduregid=XXXXXXXXX,ou=people,dc=nau,dc=edu] to attribute map { (attributes removed for brevity) }>
2017-01-18 10:18:12,344 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - <Resolving argument [UsernamePasswordCredential] for audit>
2017-01-18 10:18:12,345 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: rdw4
WHAT: 'principal' cannot be null.
Check the correctness of @Audit annotation at the following audit point: execution(public abstract transient org.jasig.cas.authentication.Authentication org.jasig.cas.authentication.AuthenticationManager.authenticate(org.jasig.cas.authentication.Credential[]))
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Wed Jan 18 10:18:12 MST 2017
CLIENT IP ADDRESS: 134.114.112.199
SERVER IP ADDRESS: 134.114.213.249
=============================================================


Why is this happening?

— 

Raymond Walker
Software Systems Engineer StSp.
ITS Northern Arizona University
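The log above shows the pattern that makes this failure hard to spot in an audit trail: the LDAP handler reports success, the principal resolver then fails, and the audit record ends with TICKET_GRANTING_TICKET_NOT_CREATED, the same action a plain wrong-password attempt produces. The script below is an added example (not part of the original post or of CAS) that correlates the two signals so an operator can tell a post-authentication failure (attribute repository or principal resolution) from a credential failure. The sample log is constructed from the lines in the post, shortened, with a second, invented user `jdoe` added to show the credential-failure branch; the audit field layout assumed is the KEY: value form shown in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, abbreviated from the CAS 4.1 DEBUG/INFO output in the post.
# The second user (jdoe) is invented: a failure with no preceding handler success.
SAMPLE_LOG = """\
2017-01-18 10:18:12,209 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for rdw4>
2017-01-18 10:18:12,293 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated rdw4>
2017-01-18 10:18:12,294 DEBUG [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - <Attempting to resolve a principal...>
2017-01-18 10:18:12,345 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: rdw4
WHAT: 'principal' cannot be null.
Check the correctness of @Audit annotation at the following audit point: execution(...)
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Wed Jan 18 10:18:12 MST 2017
CLIENT IP ADDRESS: 134.114.112.199
SERVER IP ADDRESS: 134.114.213.249
=============================================================
2017-01-18 10:20:01,000 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for jdoe>
2017-01-18 10:20:01,050 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: jdoe
WHAT: Supplied credentials: [jdoe]
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
CLIENT IP ADDRESS: 198.51.100.7
=============================================================
"""

# Handler-level success line emitted by PolicyBasedAuthenticationManager.
AUTH_SUCCESS_RE = re.compile(
    r"INFO \[[^\]]*PolicyBasedAuthenticationManager\] - <(\w+) successfully authenticated (\S+)>"
)
# Start of an inspektr audit record; fields follow as "KEY: value" lines between two rules.
AUDIT_BEGIN_RE = re.compile(r"\[org\.jasig\.inspektr\.audit\.support\.\w+\] - <Audit trail record BEGIN")
FIELD_RE = re.compile(r"^([A-Z][A-Z ]*): (.*)$")


def _read_audit_record(lines: List[str], start: int) -> Tuple[Dict[str, str], int]:
    """Collect KEY: value fields up to the closing '=====' rule; return (fields, next index)."""
    fields: Dict[str, str] = {}
    rules_seen = 0
    i = start
    while i < len(lines):
        s = lines[i].strip()
        i += 1
        if s.startswith("====="):
            rules_seen += 1
            if rules_seen == 2:
                break
            continue
        m = FIELD_RE.match(s)
        if m:
            fields[m.group(1)] = m.group(2).strip()
        # Continuation lines (e.g. the "Check the correctness ..." text) are ignored.
    return fields, i


def classify_failures(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per TICKET_GRANTING_TICKET_NOT_CREATED audit record.

    A record preceded by a handler success for the same user (and no audit record
    in between) is classified as a post-authentication failure; otherwise it is
    treated as a credential failure.
    """
    pending_success: Dict[str, str] = {}  # user -> handler that reported success
    findings: List[Dict[str, str]] = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = AUTH_SUCCESS_RE.search(line)
        if m:
            pending_success[m.group(2)] = m.group(1)
            i += 1
            continue
        if AUDIT_BEGIN_RE.search(line):
            fields, i = _read_audit_record(lines, i + 1)
            user = fields.get("WHO", "?")
            handler = pending_success.pop(user, None)  # consumed by this audit record
            if fields.get("ACTION") == "TICKET_GRANTING_TICKET_NOT_CREATED":
                findings.append({
                    "user": user,
                    "cause": "post-authentication (principal resolution)" if handler else "credential failure",
                    "handler": handler or "",
                    "what": fields.get("WHAT", ""),
                    "client_ip": fields.get("CLIENT IP ADDRESS", ""),
                })
            continue
        i += 1
    return findings


if __name__ == "__main__":
    for f in classify_failures(SAMPLE_LOG):
        print(f"{f['user']:8} {f['cause']:42} {f['handler'] or '-':26} {f['what']}")
```

The distinguishing signal is purely positional: a handler success followed by a failed TGT audit for the same user means the credentials were accepted and the failure happened in principal resolution, which is where the attribute repository change in the post sits. Alerting on that combination separately from ordinary login failures keeps a misconfigured attribute DAO from being mistaken for a password-guessing burst, and vice versa.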


Michael Ivanov

Sep 18, 2018, 9:08:47 PM
to CAS Community
Hi Raymond,

Have you ever solved this? I just came across the same issue in CAS 4.1.7.

Thanks,
--Michael