CAS 6.2.x Surrogate Principle has no mapped attributes from LDAP


Marcel Fromkorth

Nov 26, 2020, 10:06:57 AM
to CAS Community

Hello,

I'm trying to configure the surrogate authentication support on top of LDAP authentication.
All this happens on CAS version 6.2.5.

The problem is that the surrogate user principal has no attributes, which should be mapped from LDAP. I want the surrogateUser principal to get its LDAP attributes. For the primary user it works fine.

I only get: "Surrogate access is denied. The principal does not have the required attributes [{attributes=[testAttribute]}]" -> these are defined in the service under "surrogateRequiredAttributes".

In the debug logs I could see this:

<Found surrogate principal [SimplePrincipal(id=testuser, attributes={})]>

Some logs earlier I can see that the LDAP user for the surrogate is found successfully and all needed attributes exist -> so I think that something with the principal resolution doesn't work.

Here is a snippet of my cas.properties:

cas.authn.surrogate.ldap.searchFilter=uid:caseExactMatch:={user}
cas.authn.surrogate.ldap.surrogateSearchFilter=uid:caseExactMatch:={surrogate}
cas.authn.surrogate.principal.attribute-resolution-enabled=true
cas.authn.surrogate.principal.principal-attribute=attributes

I switched the accessStrategy in my services to SurrogateRegisteredServiceAccessStrategy.

So... I don't know why the attributes of the surrogate user won't be mapped into the surrogate user principal. For the primary user it works fine (for the primary user I used cas.authn.ldap[0].principalAttributeList=attributes --> works fine).

But in the documentation, it seems that only the attribute "principal-attribute" exists for this type of setting.

Can someone help me here?

Greetings and thank you.



Ray Bon

Nov 26, 2020, 12:00:28 PM
to cas-...@apereo.org
Marcel,

principalAttributeList is for resolving attributes on authentication. If you want to retrieve attributes after the fact or perhaps from a different data source,

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Marcel Fromkorth

Nov 27, 2020, 3:17:51 AM
to CAS Community, Ray Bon
Hello,

Well, maybe you didn't get me right. I want to resolve the attributes on authentication over LDAP. This works fine for a normal authentication, but if I want to make a surrogate authentication like "surrogateUser+primaryUser", the primary user principal has all LDAP attributes and the surrogate user principal has none. So I want the surrogate user principal to also have the LDAP attributes of the surrogate user. So there is only one data source (LDAP for primary and surrogate user). For this I found: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#person-directory-principal-resolution but I tried a few things with these configuration options. No success so far.

So the LDAP attributes shouldn't get into the principal after the authentication. They should get there during authentication. I think that I need to configure the principal resolution right... but I don't know how. On the site I found this subtext: "Principal resolution and Person Directory settings for this feature are available here under the configuration key cas.authn.surrogate.principal." which redirects you to the link above.

Ray Bon

Nov 27, 2020, 11:18:11 AM
to cas-...@apereo.org
Marcel,

I have not implemented the surrogate feature so my understanding may be off, but I think what gets sent to the service is all about the surrogate. Since the surrogate is not authenticating, it has no access to authentication attributes.
Additional attributes can be extracted from LDAP (after authentication); these I hope would be for the surrogate ({user}, below). Imagine the scenario where the surrogates were in a different OU than the authenticating user.

I had intended to include this in my last email (sorry if it caused confusion):

cas.authn.attributeRepository.ldap[0].id=people
cas.authn.attributeRepository.ldap[0].order=1
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
cas.authn.attributeRepository.ldap[0].attributes.cn=cn
cas.authn.attributeRepository.ldap[0].attributes.sn=sn
cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://ldaplocal.uvic.ca:636
cas.authn.attributeRepository.ldap[0].connectTimeout=PT3S
cas.authn.attributeRepository.ldap[0].baseDn=ou=people,dc=uvic,dc=ca
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].searchFilter=uid={user}
cas.authn.attributeRepository.ldap[0].bindDn=cn=Auth Manager,ou=administrators,dc=uvic,dc=ca
cas.authn.attributeRepository.ldap[0].bindCredential=

Ray
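As an added example (not code from this thread or from the CAS project), here is a small Python check that reads a cas.properties fragment like the ones above and flags the kinds of mistakes that end in "The principal does not have the required attributes": malformed keys (such as a doubled dot), surrogate search filters that do not use the {user}/{surrogate} placeholders, and attributes a service requires that no attributeRepository mapping provides. The sample properties and the required-attribute list are constructed for the demonstration.

```python
import re

# Constructed cas.properties sample modelled on the thread, including the
# double-dot key typo and a service attribute with no repository mapping.
SAMPLE_PROPERTIES = """
cas.authn.surrogate.ldap.searchFilter=uid:caseExactMatch:={user}
cas.authn.surrogate.ldap.surrogateSearchFilter=uid:caseExactMatch:={surrogate}
cas.authn.attributeRepository.ldap[0].id=people
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
cas.authn.attributeRepository.ldap[0].attributes.cn=cn
cas.authn.attributeRepository.ldap[0]..bindDn=cn=Auth Manager,ou=administrators,dc=example,dc=org
cas.authn.attributeRepository.ldap[0].searchFilter=uid={user}
"""

# Attributes a service's surrogateRequiredAttributes demands (constructed list).
REQUIRED_ATTRIBUTES = ["testAttribute", "mail"]

# Matches "cas.authn.attributeRepository.ldap[N].attributes.<ldapAttr>" keys;
# the value of such a key is the principal attribute name CAS exposes.
ATTR_MAPPING_KEY = re.compile(r"cas\.authn\.attributeRepository\.ldap\[\d+\]\.attributes\.[^.]+")


def parse_properties(text):
    """Minimal key=value parser for a cas.properties fragment (no escape handling)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    return props


def find_problems(props, required):
    """Return human-readable findings; an empty list means nothing was flagged."""
    problems = []
    for key in props:
        if ".." in key or key.endswith("."):
            problems.append(f"malformed key: {key}")
    if "{user}" not in props.get("cas.authn.surrogate.ldap.searchFilter", ""):
        problems.append("surrogate searchFilter does not reference {user}")
    if "{surrogate}" not in props.get("cas.authn.surrogate.ldap.surrogateSearchFilter", ""):
        problems.append("surrogateSearchFilter does not reference {surrogate}")
    # Principal attributes the attribute repository actually exposes.
    mapped = {v for k, v in props.items() if ATTR_MAPPING_KEY.fullmatch(k)}
    for attr in required:
        if attr not in mapped:
            problems.append(f"required attribute '{attr}' is not mapped by any attributeRepository")
    return problems
```

Running find_problems(parse_properties(SAMPLE_PROPERTIES), REQUIRED_ATTRIBUTES) flags the doubled-dot bindDn key and the unmapped testAttribute, while mail passes.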

Marcel Fromkorth

Jan 5, 2021, 2:48:43 AM
to CAS Community, Ray Bon
Hi Ray,

I'm a little bit late with my feedback, but now the surrogate authentication works fine with the attributeRepository part from your last message.
Thank you very much!

Greetings and a happy new year :)