CAS Management + LDAP roles


Julien Sabatier

Aug 18, 2020, 8:12:08 AM
to CAS Community
I'm trying to set up CAS 6.2.1 with CAS Management to manage services.

Currently I have a 6.2.1-SNAPSHOT CAS Management which starts up well.

On the first load, it redirects me to the CAS login page, where I enter my login/password.
Afterwards, I get the message: "authorizationFailure"

And in the log it appears that the user roles are empty:

WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - Unable to authorize access, since the authenticated profile [#CasProfile# | id: julien.sabatier | attributes: {credentialType=UsernamePasswordCredential, isFromNewLogin=true, authenticationDate=2020-08-18T08:07:35.737859Z, authenticationMethod=LdapAuthenticationHandler, successfulAuthenticationHandlers=LdapAuthenticationHandler, longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |] does not contain any required roles

I want to use LDAP to manage auth.
I have a role: cn=ADMINISTRATOR,ou=roles,dc=lepuyenvelay,dc=fr
And my user is a member of this groupOfMember.

Here is the management.properties file I have: https://pastebin.com/g6nZKhnm
And the cas.properties: https://pastebin.com/y4V86jLr

When compiling CAS Management, I added the following modules:

compile "org.apereo.cas:cas-server-support-jdbc-drivers:${casMgmtServerVersion}"
compile "org.apereo.cas:cas-server-support-jpa-service-registry:${casMgmtServerVersion}"
compile "org.apereo.cas:cas-server-support-ldap:${casMgmtServerVersion}"

Can anyone help me make it work?
Did I miss some dependencies?
Is my configuration wrong?

Daniel Fisher

Aug 18, 2020, 11:17:55 AM
to cas-...@apereo.org
On Tue, Aug 18, 2020 at 8:12 AM Julien Sabatier <sab...@gmail.com> wrote:
> I'm trying to set up CAS 6.2.1 with CAS Management to manage services.
>
> Currently I have a 6.2.1-SNAPSHOT CAS Management which starts up well.
>
> On the first load, it redirects me to the CAS login page, where I enter my login/password.
> Afterwards, I get the message: "authorizationFailure"
>
> And in the log it appears that the user roles are empty:
>
> WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - Unable to authorize access, since the authenticated profile [#CasProfile# | id: julien.sabatier | attributes: {credentialType=UsernamePasswordCredential, isFromNewLogin=true, authenticationDate=2020-08-18T08:07:35.737859Z, authenticationMethod=LdapAuthenticationHandler, successfulAuthenticationHandlers=LdapAuthenticationHandler, longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |] does not contain any required roles
>
> I want to use LDAP to manage auth.
> I have a role: cn=ADMINISTRATOR,ou=roles,dc=lepuyenvelay,dc=fr
> And my user is a member of this groupOfMember.

Can you put org.ldaptive in DEBUG to confirm the groupOfMember query is happening?

--Daniel Fisher

Julien Sabatier

Aug 19, 2020, 4:25:44 AM
to CAS Community, dfisher
I managed to make it work.

The problem appears to be in attribute release and mapping.

Adding:

cas.authn.attribute-repository.ldap[0].ldap-url=ldaps://ldap.lepuyenvelay.fr
cas.authn.attribute-repository.ldap[0].bind-dn=cn=admin,dc=lepuyenvelay,dc=fr
cas.authn.attribute-repository.ldap[0].bind-credential=secret
cas.authn.attribute-repository.ldap[0].attributes.memberOf=roles

in cas.properties and management.properties allows the roles to be populated with: "dc=lepuyenvelay, dc=fr, ou=roles, cn=ADMINISTRATOR"
For my service, I set attributeReleasePolicy to ReturnAllAttributeReleasePolicy.

So I set:

mgmt.adminRoles=dc=lepuyenvelay, dc=fr, ou=roles, cn=ADMINISTRATOR

in management.properties.

I don't understand why the mapped role is "dc=lepuyenvelay, dc=fr, ou=roles, cn=ADMINISTRATOR" when the memberOf value is "cn=ADMINISTRATOR, ou=roles, dc=lepuyenvelay, dc=fr"...

I think it's a bit chaotic and not exactly what I want, as roles are retrieved from CAS attributes and not from LDAP, but it does the job.
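An added diagnostic, not from the thread or from the CAS project, for the mismatch described above: it parses the configured mgmt.adminRoles value and the role value CAS actually released into RDNs and reports whether they are byte-identical, the same DN written differently, the same RDNs in a different order (the symptom in this thread), or different entries. The sample values are the ones quoted in the thread; the function names and the "only an exact string match grants access" assumption are mine, based on what worked for the poster.

```python
import re

# Sample values constructed from the thread: the group DN as stored in LDAP
# (memberOf) and the role string that CAS Management ended up comparing against.
LDAP_MEMBER_OF = "cn=ADMINISTRATOR,ou=roles,dc=lepuyenvelay,dc=fr"
RELEASED_ROLE = "dc=lepuyenvelay, dc=fr, ou=roles, cn=ADMINISTRATOR"


def parse_dn(dn):
    """Split a DN into lower-cased (attr, value) RDN pairs.
    Handles backslash-escaped commas and surrounding whitespace; multi-valued
    RDNs (a+b) are not supported (assumption: plain group DNs as in the thread)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def classify_role_match(configured, released):
    """How a configured admin role relates to a released role value:
    'exact'     - identical strings
    'same-dn'   - same RDNs in the same order; only case/whitespace differ
    'reordered' - same RDNs, different order (what the thread shows)
    'different' - different entries altogether"""
    if configured == released:
        return "exact"
    a, b = parse_dn(configured), parse_dn(released)
    if a == b:
        return "same-dn"
    if sorted(a) == sorted(b):
        return "reordered"
    return "different"


def check_admin_roles(configured_roles, released_roles):
    """Map each configured role to its classification against every released
    value. Assumption (matches the poster's experience): only 'exact' grants
    access, so mgmt.adminRoles must be copied from the released attribute
    value, not from the DN as it appears in LDAP."""
    return {
        conf: {rel: classify_role_match(conf, rel) for rel in released_roles}
        for conf in configured_roles
    }
```

Run `check_admin_roles([LDAP_MEMBER_OF], [RELEASED_ROLE])` to reproduce the thread's situation: the verdict is 'reordered', which explains the "does not contain any required roles" warning without any LDAP query having failed.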