Attribute Repository issue!


SK Sahraoui

Feb 24, 2021, 12:33:53 PM
to CAS Community
Hi,

I have this issue where PrincipalAttributeRepositoryFetcher is using the wrong username when trying to fetch attributes.

I have CAS configured to authenticate users against Active Directory and I have configured attributes to be fetched from AD/ldap as a repository.

I have the cache disabled:
cas.authn.attribute-repository.expiration-time=0

Scenario:
The user is not authenticated at first and gets authenticated, attribute repository gets called and attributes fetched and populated, so far so good. 

Now, a second call is made to Active Directory with username=client_id (the client_id of the app making the request), and I get this warning:
2021-02-24 16:35:35,931 WARN [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher] - <No person records were fetched from attribute repositories for [{username=cyiXVXfM2gcgUD6d1kBfoa21HiUlt6vfDwdn}]>

Is this normal behavior?

This is my config:
cas.person-directory.attribute-resolution-enabled=true
cas.person-directory.active-attribute-repository-ids=ldapRepository
cas.person-directory.principal-attribute=sAMAccountName
cas.person-directory.return-null=false
cas.person-directory.principal-resolution-failure-fatal=true
cas.person-directory.use-existing-principal-id=false

cas.authn.attribute-repository.ldap[0].id=ldapRepository
cas.authn.attribute-repository.ldap[0].order=0
cas.authn.attribute-repository.ldap[0].ldap-url=ldaps://ldap-server
cas.authn.attribute-repository.ldap[0].base-dn=dc=domain,dc=net
cas.authn.attribute-repository.ldap[0].subtree-search=true
cas.authn.attribute-repository.ldap[0].search-filter=sAMAccountName={0}
cas.authn.attribute-repository.ldap[0].bind-dn=cn=XX,OU=ServiceAccounts,dc=XX,dc=XX
cas.authn.attribute-repository.ldap[0].bind-credential=XXXX

cas.authn.attribute-repository.ldap[0].attributes.cn=displayName
cas.authn.attribute-repository.ldap[0].attributes.description=displayNameAr
cas.authn.attribute-repository.ldap[0].attributes.givenName=firstName
cas.authn.attribute-repository.ldap[0].attributes.sn=lastName
cas.authn.attribute-repository.ldap[0].attributes.mail=email
cas.authn.attribute-repository.ldap[0].attributes.mobile=mobile

Tom O'Neill

Feb 24, 2021, 6:43:55 PM
to cas-...@apereo.org

I would recommend digging through your logs – I’m guessing that the value you’re seeing there (cyiXVXfM2gcgUD6d1kBfoa21HiUlt6vfDwdn) is being pulled as a principal attribute.

I had a similar problem where the application kept trying to use one of the password attributes that was being returned during the authentication process.

What I did was use the following settings to map the sAMAccountName to ‘uid’:

cas.authn.ldap[0].principal-attribute-list=sAMAccountName:uid
cas.authn.ldap[0].principal-attribute-id=sAMAccountName

And then I referenced ‘uid’ in my attribute search filters:

cas.authn.attribute-repository.ldap[0].search-filter=sAMAccountName={uid}
cas.authn.attribute-repository.ldap[1].search-filter=sAMAccountName={uid}
cas.authn.attribute-repository.ldap[2].search-filter=uid={uid}

This is with CAS 6.3.0.

Thanks,
Tom

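Tom's fix reduces to one rule: every placeholder in an attribute-repository search filter should name an attribute the principal already carries, rather than {0}, which is the raw username handed to the fetcher (the client_id in the original report). The lint below is an added example, not code from CAS or from either poster; it parses a constructed properties fragment (assumption: the property names are exactly those quoted in the thread) and flags filters that still use {0} or an unmapped name.

```python
import re

# Constructed sample mixing the poster's {0} filter with Tom's {uid} mapping (assumption:
# property names are as quoted in the thread; this lint is added here and is not CAS code).
CAS_PROPERTIES = """
cas.authn.ldap[0].principal-attribute-id=sAMAccountName
cas.authn.ldap[0].principal-attribute-list=sAMAccountName:uid,mail:email
cas.authn.attribute-repository.ldap[0].search-filter=sAMAccountName={uid}
cas.authn.attribute-repository.ldap[1].search-filter=uid={uid}
cas.authn.attribute-repository.ldap[2].search-filter=sAMAccountName={0}
cas.authn.attribute-repository.ldap[3].search-filter=mail={email}
cas.authn.attribute-repository.ldap[4].search-filter=cn={displayName}
"""
PLACEHOLDER = re.compile(r"\{([^}]*)\}")

def parse_properties(text):
    """Minimal key=value parser for a Java-style properties fragment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def mapped_principal_attributes(props):
    """Names the principal carries: the alias in `source:alias` entries of
    cas.authn.ldap[*].principal-attribute-list, or the source when there is no alias."""
    names = set()
    for key, value in props.items():
        if key.startswith("cas.authn.ldap[") and key.endswith("].principal-attribute-list"):
            for item in value.split(","):
                source, _, alias = item.strip().partition(":")
                names.add(alias or source)
    return names

def check_search_filters(props):
    """Map each attribute-repository search-filter key to a problem string, if any:
    {0} is the raw username passed to the fetcher; other placeholders must be mapped."""
    known = mapped_principal_attributes(props)
    problems = {}
    for key, value in props.items():
        if not (key.startswith("cas.authn.attribute-repository.") and key.endswith(".search-filter")):
            continue
        for name in PLACEHOLDER.findall(value):
            if name == "0":
                problems[key] = "uses {0}, the raw username passed to the fetcher"
            elif name not in known:
                problems[key] = "references {%s}, which no principal-attribute-list maps" % name
    return problems
```

Run against a real cas.properties, the two flagged keys are the ones worth rechecking after an OIDC or OAuth client triggers a second attribute fetch.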
