principal attributes from ldap in CAS 4.2


Mikko Tuumanen

Feb 5, 2016, 1:39:10 AM
to CAS Community
I've been trying to upgrade from 3.x to 4.2, but I don't understand how to set up user attributes from CAS.

In 3.x I had

<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">

in deployerConfigContext.xml and

<c:if test="${fn:length(assertion.chainedAuthentications) > 0}">
    <cas:attributes>
        <c:forEach var="auth" items="${assertion.chainedAuthentications}">
            <c:forEach var="attr" items="${auth.principal.attributes}">
                <c:forEach var="v" items="${attr.value}">
                    <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(v)}</cas:${fn:escapeXml(attr.key)}>
                </c:forEach>
            </c:forEach>
        </c:forEach>
    </cas:attributes>
</c:if>


in protocol/2.0/casServiceValidationSuccess.jsp

This worked perfectly with CAS 3.x.



And then the 4.2:

<bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid"
      c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <!-- key = LDAP attribute name, value = CAS attribute name -->
            <entry key="mail" value="email" />
            <entry key="givenName" value="givenname" />
            <entry key="sn" value="surname" />
            <entry key="telephoneNumber" value="telephone" />
        </map>
    </property>
</bean>



This part works. I can see from slapd and the CAS debug log that CAS really asks for and gets those attributes from LDAP.

I use a jsonServiceRegistryDao and in the config json file I have
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
  }

This works too.



And then the thing I didn't figure out:

In the default deployerConfigContext.xml, there is a:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
      p:backingMap-ref="attrRepoBackingMap" />


If I let that stay there, I get the attributes from the attrRepoBackingMap and not from ldap.
If I remove the attributeRepository bean completely, cas won't start:

Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.jasig.services.persondir.IPersonAttributeDao] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {@org.springframework.beans.factory.annotation.Qualifier(value=attributeRepository)}


If I try to use org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao as attributeRepository like I did with 3.x, cas won't start because
Caused by: java.lang.ClassNotFoundException: org.springframework.ldap.filter.Filter


I think I shouldn't need to use the LdapPersonAttributeDao because LdapAuthenticationHandler already picks up the attributes.

What am I missing here?
What should I use as an attributeRepository?

I even tried to alias the LdapAuthenticationHandler to be the attributeRepository but that didn't help either.

Misagh Moayyed

Feb 5, 2016, 5:38:35 AM
to CAS Community


Mikko Tuumanen

Feb 8, 2016, 4:34:55 AM
to jasig-cas-user, cas-...@apereo.org, mmoa...@unicon.net

Study http://jasig.github.io/cas/4.2.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler

 


<entry key-ref="primaryAuthenticationHandler" value-ref="#{null}" />

causes

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationHandlersResolvers': Cannot resolve reference to bean '#{null}' while setting bean property 'sourceMap' with key [<primaryAuthenticationHandler>]; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'null' is defined



Dmitriy Kopylenko

Feb 8, 2016, 7:47:17 AM
to Mikko Tuumanen, jasig-cas-user, cas-...@apereo.org, mmoa...@unicon.net
use value="#{null}" instead of value-ref

D.

Misagh Moayyed

Feb 8, 2016, 8:47:52 AM
to CAS Community
It is not value-ref. It's value.


David Lee

Mar 3, 2016, 12:11:16 AM
to CAS Community, jasig-c...@googlegroups.com, mmoa...@unicon.net
I'm struggling with the same problem..

<!-- See http://jasig.github.io/cas/development/installation/LDAP-Authentication.html -->
<bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler" p:principalIdAttribute="mail">
    <constructor-arg ref="authenticator" />
    <property name="principalAttributeMap">
        <map>
            <!--
               | This map provides a simple attribute resolution mechanism.
               | Keys are LDAP attribute names, values are CAS attribute names.
               | This facility can be used instead or in addition to PrincipalResolver
               | components.
               -->
            <entry key="member" value="memberOf" />
            <entry key="eduPersonAffiliation" value="affiliation" />
            <entry key="mail" value="mail" />
            <entry key="displayName" value="displayName" />
            <entry key="cn" value="cn" />
            <entry key="sn" value="sn" />
            <entry key="entryUUID" value="entryUUID" />
        </map>
    </property>
</bean>


Like above, I added additional entries I would like to retrieve from LDAP, and it works, but it looks like the attributes generated by SimplePrincipal were overwritten by the below:



<bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
      p:backingMap-ref="attrRepoBackingMap" />

<util:map id="attrRepoBackingMap">
    <entry key="uid" value="uid" />
    <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
    <entry key="groupMembership" value="groupMembership" />
    <entry key="mail" value="mail" />
    <entry key="cn" value="cn" />
    <entry key="sn" value="sn" />
    <entry>
        <key><value>memberOf</value></key>
        <list>
            <value>faculty</value>
            <value>staff</value>
            <value>org</value>
        </list>
    </entry>
</util:map>


So when I tried to get the attributes in the CAS client as below,


import java.util.Iterator;
import java.util.Map;
import org.jasig.cas.client.authentication.AttributePrincipal;

// Attributes released by CAS, as seen from the CAS client
AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
Map attributes = principal.getAttributes();
Iterator attributeNames = attributes.keySet().iterator();


It populates static entries defined in the backing map.


For your reference, I followed all the posts in this question thread and did as below,


<util:map id="authenticationHandlersResolvers">
    <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
    <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
    <entry key-ref="primaryAuthenticationHandler" value="#{null}" />
</util:map>


In cas.properties I set:

cas.principal.resolver.persondir.return.null=false


And added the below to the service JSON file
...

  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false,
    "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "mail", "sn" ] ]
  },

...

But it still retrieves the mapped static entries...

Could you please share how you could get the attributes in the map in 

<bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler" p:principalIdAttribute="mail">
    <constructor-arg ref="authenticator" />
    <property name="principalAttributeMap">
        <map>
            <!--
               | This map provides a simple attribute resolution mechanism.
               | Keys are LDAP attribute names, values are CAS attribute names.
               | This facility can be used instead or in addition to PrincipalResolver
               | components.
               -->
            <entry key="member" value="memberOf" />
            <entry key="eduPersonAffiliation" value="affiliation" />
            <entry key="mail" value="mail" />
            <entry key="displayName" value="displayName" />
            <entry key="cn" value="cn" />
            <entry key="sn" value="sn" />
            <entry key="entryUUID" value="entryUUID" />
        </map>
    </property>
</bean>


Thanks in advance.

Misagh Moayyed

Mar 3, 2016, 6:28:40 AM
to CAS Community
Your configuration is not clear on what you intend to do. By my reading, looks like the problem is you are getting static attributes rather than what’s defined in LDAP? If so, it’s because of this:

<entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />

What you’re saying there is, authenticate via ldap, then retrieve my attributes defined by the resolver (which are static because this resolver is connected to your static source). Your other handler right below it is never involved, because this one simply succeeds. 

So:

Turn this:
<entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
<entry key-ref="primaryAuthenticationHandler" value="#{null}" />

Into this:
<entry key-ref="ldapAuthenticationHandler" value="#{null}" />

Now, if you wish to get attributes from LDAP AND from a static config that is also possible. But not this way. 

Note that “principalAttributeMap” of your handler can be a list too. If you don’t have any special mappings, you can turn that map into a list. Easier to read.  
 
Misagh
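The pipeline Misagh describes above (authentication handler, then the optional principal resolver from authenticationHandlersResolvers, then the service's attribute release policy), as an added example that is not CAS code and not code from anyone in this thread: a small Python model that traces an attribute from the LDAP entry to what the client sees. It reuses David Lee's principalAttributeMap and attrRepoBackingMap, his ReturnAllowedAttributeReleasePolicy JSON and Mikko's ReturnAllAttributeReleasePolicy JSON. The LDAP entry is constructed, and collapsing single-valued attributes to a scalar is a modelling choice, not CAS behaviour the thread documents.

```python
"""Model of the CAS 4.2 attribute pipeline discussed in this thread.
Added example, not CAS code: handler -> (optional) resolver -> release policy."""
import json

# Constructed LDAP entry; every attribute is multi-valued, as LDAP returns it.
LDAP_ENTRY = {
    "cn": ["Jane Example"],
    "sn": ["Example"],
    "mail": ["jane@example.org"],
    "member": ["cn=faculty,ou=groups,dc=example,dc=org"],
    "eduPersonAffiliation": ["faculty"],
    "entryUUID": ["00000000-0000-4000-8000-000000000001"],
    "telephoneNumber": ["+1 555 0100"],  # deliberately absent from the map below
}

# principalAttributeMap from David Lee's handler: LDAP name -> CAS name.
PRINCIPAL_ATTRIBUTE_MAP = {
    "member": "memberOf", "eduPersonAffiliation": "affiliation", "mail": "mail",
    "displayName": "displayName", "cn": "cn", "sn": "sn", "entryUUID": "entryUUID",
}

# attrRepoBackingMap behind NamedStubPersonAttributeDao: static values only.
ATTR_REPO_BACKING_MAP = {
    "uid": "uid", "eduPersonAffiliation": "eduPersonAffiliation",
    "groupMembership": "groupMembership", "mail": "mail", "cn": "cn", "sn": "sn",
    "memberOf": ["faculty", "staff", "org"],
}

# Service definitions as CAS's Jackson serialisation writes them.
RETURN_ALLOWED_JSON = """{
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "mail", "sn" ] ]
  }
}"""
RETURN_ALL_JSON = """{
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
  }
}"""


def handler_principal(ldap_entry, attribute_map):
    """LdapAuthenticationHandler step: only mapped LDAP attributes are copied onto
    the principal, under their CAS names. Single values are collapsed to a scalar
    here for readability (a modelling choice, not documented CAS behaviour)."""
    attrs = {}
    for ldap_name, cas_name in attribute_map.items():
        values = ldap_entry.get(ldap_name)
        if values:
            attrs[cas_name] = values[0] if len(values) == 1 else list(values)
    return attrs


def static_resolver(handler_attrs):
    """personDirectoryPrincipalResolver wired to the stub DAO: it answers from the
    static backing map and ignores what the handler found."""
    return dict(ATTR_REPO_BACKING_MAP)


def resolve(handler_attrs, resolver):
    """authenticationHandlersResolvers entry: value="#{null}" keeps the handler's
    principal; a resolver reference replaces it with the resolver's answer."""
    return handler_attrs if resolver is None else resolver(handler_attrs)


def unwrap(value):
    """Jackson writes typed collections as ["java.util.ArrayList", [...]]."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and isinstance(value[1], list)):
        return value[1]
    return value


def release(principal_attrs, service_json):
    """Apply the service's attributeReleasePolicy to the resolved principal."""
    policy = json.loads(service_json)["attributeReleasePolicy"]
    cls = policy["@class"].rsplit(".", 1)[-1]
    if cls == "ReturnAllAttributeReleasePolicy":
        return dict(principal_attrs)
    if cls == "ReturnAllowedAttributeReleasePolicy":
        allowed = set(unwrap(policy.get("allowedAttributes", [])))
        return {k: v for k, v in principal_attrs.items() if k in allowed}
    raise ValueError("unsupported release policy: " + cls)


def client_attributes(resolver, service_json=RETURN_ALLOWED_JSON):
    """What the CAS client (AttributePrincipal.getAttributes()) ends up with."""
    principal = handler_principal(LDAP_ENTRY, PRINCIPAL_ATTRIBUTE_MAP)
    return release(resolve(principal, resolver), service_json)
```

Calling `client_attributes(static_resolver)` reproduces David's symptom (cn, mail and sn come back as the literal strings from the backing map), while `client_attributes(None)` is the wiring Misagh recommends and returns the LDAP values. Note also that `telephoneNumber` never reaches the principal because it is not in the map, and that ReturnAllAttributeReleasePolicy hands every mapped attribute to the service, so the map itself is the only thing limiting what a service with that policy receives.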

hyeongmok lee

Mar 4, 2016, 12:16:39 AM
to Misagh Moayyed, CAS Community
Thanks Misagh/Petr,

I followed Misagh's instruction and it works like a charm. It was very helpful!

Thanks again!

jack matton

Jan 6, 2017, 2:48:06 AM
to CAS Community
Hello. I have some trouble integrating OpenLDAP with 4.2. Can you show your detailed deployerConfigContext.xml?

z mortazavi

Feb 1, 2017, 6:40:30 AM
to CAS Community, mmoa...@unicon.net
Hi,

I set up jasig-cas-4.2.6 and I can log in successfully on the CAS side, but in my client the login succeeds while phpCAS::getAttributes() does not return my attributes such as mail and givenName.

deployerConfigContext.xml is:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:ldaptive="http://www.ldaptive.org/schema/spring-ext"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
       http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
       http://www.ldaptive.org/schema/spring-ext http://www.ldaptive.org/schema/spring-ext.xsd">

    <bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler"
          c:authenticator-ref="authenticator">
        <property name="principalAttributeMap">
            <map>
                <entry key="givenName" value="firstName"/>
                <entry key="mail" value="email"/>
            </map>
        </property>
    </bean>

    <util:map id="authenticationHandlersResolvers">
        <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
        <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
    </util:map>

    <util:list id="authenticationMetadataPopulators">
        <ref bean="successfulHandlerMetaDataPopulator" />
        <ref bean="rememberMeAuthenticationMetaDataPopulator" />
    </util:list>

    <alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
    <alias name="personDirectoryPrincipalResolver" alias="primaryPrincipalResolver" />

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
          p:backingMap-ref="attrRepoBackingMap" />

    <util:map id="attrRepoBackingMap">
        <entry key="givenName" value="firstName"/>
        <entry key="mail" value="email"/>
        <entry>
            <key><value>memberOf</value></key>
            <list>
                <value>faculty</value>
                <value>staff</value>
                <value>org</value>
            </list>
        </entry>
    </util:map>

    <alias name="serviceThemeResolver" alias="themeResolver" />
    <alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" />
    <alias name="defaultTicketRegistry" alias="ticketRegistry" />
    <alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
    <alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />
    <alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
    <alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />

    <bean id="auditTrailManager"
          class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
          p:entrySeparator="${cas.audit.singleline.separator:|}"
          p:useSingleLine="${cas.audit.singleline:false}"/>

    <alias name="neverThrottle" alias="authenticationThrottle" />

    <util:list id="monitorsList">
        <ref bean="memoryMonitor" />
        <ref bean="sessionMonitor" />
    </util:list>

    <alias name="defaultPrincipalFactory" alias="principalFactory" />
    <alias name="defaultAuthenticationTransactionManager" alias="authenticationTransactionManager" />
    <alias name="defaultPrincipalElectionStrategy" alias="principalElectionStrategy" />
    <alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" />

    <bean id="serviceRegistryDao"
          class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
          p:registeredServices-ref="registeredServicesList" />

    <util:list id="registeredServicesList">
        <bean class="org.jasig.cas.services.RegexRegisteredService"
              p:id="1"
              p:name="sso"
              p:serviceId="^(https?|imaps?|http?)://.*"
              p:description="sso cas"
              p:evaluationOrder="0" >
            <property name="attributeReleasePolicy">
                <bean class="org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy">
                    <property name="allowedAttributes">
                        <list>
                            <value>mail</value>
                            <value>givenName</value>
                        </list>
                    </property>
                </bean>
            </property>
        </bean>
    </util:list>

    <ldaptive:ad-authenticator id="authenticator"
        ldapUrl="xxxx"
        baseDn="xxxxxx"
        userFilter="xx"
        bindDn="xxxxx"
        bindCredential="xxxxxxxx"
        connectTimeout="5000"
        useStartTLS="false"
        blockWaitTime="3000"
        maxPoolSize="10"
        allowMultipleDns="false"
        minPoolSize="1"
        validateOnCheckOut="false"
        validatePeriodically="true"
        validatePeriod="300"
        idleTime="600"
        prunePeriod="300"
        failFastInitialize="false"
        subtreeSearch="true"
        useSSL="false"
    />
</beans>



Do I need to change the HTTPSandIMAPS-10000001.json file for ReturnAllowedAttributeReleasePolicy?
Any help?
Thanks in advance.
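A configuration check for the post above, as an added example that is not CAS code: the handler's principalAttributeMap renames mail to email and givenName to firstName (the map's values are the CAS-side names, as the comment in David Lee's configuration says), but the ReturnAllowedAttributeReleasePolicy lists the LDAP names mail and givenName, so the policy has nothing to release. The script parses a trimmed copy of that deployerConfigContext.xml with the standard library, reports allowed names that no LdapAuthenticationHandler produces, and also flags registered services whose serviceId pattern admits an unrelated host, since the released attributes go to every service the pattern matches. The probe URL and the fixed variant of the configuration are constructed here; the `#{null}` handler-to-resolver wiring from the post is assumed, so the handler's names are the ones the policy sees.

```python
"""Added example (not CAS code): cross-check a CAS 4.2 deployerConfigContext.xml
so that ReturnAllowedAttributeReleasePolicy names match what the LDAP handler
produces, and flag registered services whose serviceId matches any host."""
import re
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
P = "http://www.springframework.org/schema/p"
NS = {"b": BEANS}

# Trimmed copy of the configuration posted above (ldaptive authenticator omitted).
CONFIG_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:util="http://www.springframework.org/schema/util">
  <bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler"
        c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
      <map>
        <entry key="givenName" value="firstName"/>
        <entry key="mail" value="email"/>
      </map>
    </property>
  </bean>
  <util:list id="registeredServicesList">
    <bean class="org.jasig.cas.services.RegexRegisteredService"
          p:id="1" p:name="sso" p:serviceId="^(https?|imaps?|http?)://.*">
      <property name="attributeReleasePolicy">
        <bean class="org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy">
          <property name="allowedAttributes">
            <list>
              <value>mail</value>
              <value>givenName</value>
            </list>
          </property>
        </bean>
      </property>
    </bean>
  </util:list>
</beans>
"""

# Constructed variant: the policy names the CAS-side (mapped) attributes instead.
FIXED_XML = (CONFIG_XML.replace("<value>mail</value>", "<value>email</value>")
                       .replace("<value>givenName</value>", "<value>firstName</value>"))


def beans_of(root, class_suffix):
    """All <bean> elements (nested ones included) whose class ends with the suffix."""
    return [b for b in root.iter("{%s}bean" % BEANS)
            if b.get("class", "").endswith(class_suffix)]


def produced_names(root):
    """CAS-side attribute names a LdapAuthenticationHandler puts on the principal:
    the map *values* (keys are LDAP names), or the plain names if a list is used."""
    names = set()
    for bean in beans_of(root, ".LdapAuthenticationHandler"):
        for e in bean.findall("b:property[@name='principalAttributeMap']/b:map/b:entry", NS):
            names.add(e.get("value"))
        for v in bean.findall("b:property[@name='principalAttributeMap']/b:list/b:value", NS):
            names.add((v.text or "").strip())
    return names


def allowed_names(root):
    """Names listed by every ReturnAllowedAttributeReleasePolicy bean."""
    names = set()
    for bean in beans_of(root, ".ReturnAllowedAttributeReleasePolicy"):
        for v in bean.findall("b:property[@name='allowedAttributes']/b:list/b:value", NS):
            names.add((v.text or "").strip())
    return names


def unreleasable(xml_text):
    """Allowed names that no handler produces: they silently never reach the client."""
    root = ET.fromstring(xml_text)
    return sorted(allowed_names(root) - produced_names(root))


def catch_all_services(xml_text, probe="https://unrelated.example.test/cb"):
    """Names of RegexRegisteredService beans whose serviceId matches an arbitrary
    host (constructed probe URL); every such service receives the released attributes."""
    root = ET.fromstring(xml_text)
    hits = []
    for bean in beans_of(root, ".RegexRegisteredService"):
        pattern = bean.get("{%s}serviceId" % P, "")
        if pattern and re.match(pattern, probe):
            hits.append(bean.get("{%s}name" % P, bean.get("id", "?")))
    return hits
```

`unreleasable(CONFIG_XML)` returns `['givenName', 'mail']` for the posted configuration and an empty list for the fixed variant; `catch_all_services(CONFIG_XML)` returns `['sso']` because `^(https?|imaps?|http?)://.*` matches any http or https URL. The regex probe is a heuristic (Java and Python regex syntax differ at the edges), so treat a hit as a prompt to review the pattern rather than as proof.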




