CAS 6 Attribute release not working


Bryan Wooten

Jun 15, 2020, 4:00:08 PM
to cas-...@apereo.org
Hi all,
We are unable to get attributes to release (CAS 6 Master).
Java client 3.6.1

We have a json service registry entry:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://cas6test.go.utah.edu/.*",
  "name" : "cas6testGoUtahEdu",
  "id" : 2020052801,
  "description" : "bryan....@utah.edu",
  "logoutType" : "FRONT_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "firstName", "lastName", "displayName", "email", "homephone", "department", "ou", "cn", "telephoneNumber", "acadplan", "almail", "eduPersonAffiliation", "uid", "eduPersonPrincipalName", "ummail", "unid", "uudept", "uuemployee", "uustudent", "psrole" ] ]
  }
}

LDAP config in cas.properties:

# attr repo creds
cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://ldaptest.sys.utah.edu:9292
cas.authn.attributeRepository.ldap[0].baseDn=ou=people,o=utah.edu
cas.authn.attributeRepository.ldap[0].bindDn=uid=xxx,ou=System Accounts,o=utah.edu
cas.authn.attributeRepository.ldap[0].bindCredential=
cas.authn.attributeRepository.ldap[0].userFilter=unid={user}
# end attr repo creds

cas.authn.attributeRepository.ldap[0].attributes.uuMFA=uuMFA
cas.authn.attributeRepository.ldap[0].attributes.cn=cn
cas.authn.attributeRepository.ldap[0].attributes.givenName=firstName
cas.authn.attributeRepository.ldap[0].attributes.sn=lastName
etc


2020-06-15 13:11:30,732 DEBUG [org.apereo.cas.util.LdapUtils] - <Initializing ldap connection pool for [ldap://ldaptest.sys.utah.edu:9292] and bindDn [uid=pscas,ou=System Accounts,o=utah.edu]>
2020-06-15 13:11:30,876 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <LDAP attributes are fetched from [ldap://ldaptest.sys.utah.edu:9292] via filter [null]>
2020-06-15 13:11:30,877 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured result attribute mapping for [ldap://ldaptest.sys.utah.edu:9292] to be [{classnumber=classnumber, isonbr=isonbr, uuInst=uuInst, teachingAssistant=teachingAssistant, almail=almail, 

I am unclear about the filter being [null] in "LDAP attributes are fetched from [ldap://ldaptest.sys.utah.edu:9292] via filter [null]" when I have:

cas.authn.attributeRepository.ldap[0].userFilter=unid={user}

But if I add this line: 
cas.authn.ldap[0].principalAttributeList=unid,cn,psrole,mail,uuemployee,uustudent,uuaffiliate,uudept,almail,sn,givenName

I will get some but not all the attributes (they are all valid attrs for the test user, me)... But I want to release attributes on a per-JSON-file basis.

This is also set: cas.authn.authenticationAttributeRelease.enabled=true

Also strange is that if I add:
#cas.authn.attributeRepository.defaultAttributesToRelease=givenName,eduPersonAffiliation,cn,uuemployee,uustudent,mail,psrole,firstName,lastName

Then I stop getting any attributes.

Any help appreciated. This is driving me crazy.

-Bryan
University of Utah

Jason Everling

Jun 15, 2020, 5:08:59 PM
to cas-...@apereo.org
I didn't think CAS pulls attributes from LDAP based on the service definition? You have to add all attributes you expect to fetch from LDAP, so in your config

cas.authn.ldap[0].principalAttributeList=unid,cn,psrole,mail,uuemployee,uustudent,uuaffiliate,uudept,almail,sn,givenName 

Change it to

cas.authn.ldap[0].principalAttributeList=firstName,lastName,displayName,email,homephone,department,ou,cn,telephoneNumber,acadplan,almail,eduPersonAffiliation,uid,eduPersonPrincipalName,ummail,unid,uudept,uuemployee,uustudent,psrole


Bryan Wooten

Jun 15, 2020, 5:30:34 PM
to cas-...@apereo.org
Thanks for the hint.

So to clarify, cas.authn.ldap[0].principalAttributeList is the superset of attributes that may be released. The service registry json defines the attributes (subset) allowed to be released to the service?

-Bryan

Jason Everling

Jun 15, 2020, 5:46:11 PM
to cas-...@apereo.org
yes

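A simplified model of the two-stage narrowing confirmed in this thread: first CAS resolves only the attributes it is configured to fetch (renamed per the `attributes.<ldap>=<principal>` mapping), then the matched service's ReturnAllowed policy keeps only the names it lists. This is an added example, not CAS code or code from the thread; the LDAP entry values and the service URL are constructed, and the mapping and allowed list are trimmed from the post.

```python
"""Model of CAS attribute resolution followed by service release (added example).

Stage 1: the attribute repository fetches only configured LDAP attributes and
         renames them via `attributes.<ldap>=<principal>`.
Stage 2: ReturnAllowedAttributeReleasePolicy keeps only listed principal names.
A name the policy allows but stage 1 never resolved is silently dropped.
"""
import re

# Constructed LDAP entry for a test user; all values are made up.
LDAP_ENTRY = {
    "unid": "u0000000",
    "cn": "Test User",
    "givenName": "Test",
    "sn": "User",
    "mail": "test.user@example.edu",
    "uuemployee": "Y",
    "psrole": "staff",
}

# cas.authn.attributeRepository.ldap[0].attributes.<ldap>=<principal> from the post.
ATTRIBUTE_MAPPING = {"cn": "cn", "givenName": "firstName", "sn": "lastName"}

# Service registry entry from the post, reduced to the parts that matter here.
SERVICE = {
    "serviceId": r"^https://cas6test.go.utah.edu/.*",
    "allowedAttributes": ["firstName", "lastName", "email", "cn", "unid", "psrole"],
}


def resolve_principal(entry, fetched_attrs, mapping):
    """Stage 1: keep only fetched attributes, renamed via mapping (identity if unmapped)."""
    return {mapping.get(a, a): entry[a] for a in fetched_attrs if a in entry}


def release(principal, service, service_url):
    """Stage 2: ReturnAllowed keeps names present in both principal and policy."""
    if not re.match(service["serviceId"], service_url):
        return None  # no matching service: nothing is released
    return {k: v for k, v in principal.items() if k in service["allowedAttributes"]}


def released_for(fetched_attrs, url="https://cas6test.go.utah.edu/app"):
    """End-to-end: what the constructed service would receive for this fetch list."""
    principal = resolve_principal(LDAP_ENTRY, fetched_attrs, ATTRIBUTE_MAPPING)
    return release(principal, SERVICE, url)


if __name__ == "__main__":
    print(released_for(["cn", "givenName", "sn"]))  # policy names never fetched are absent
    # "mail" is fetched but the policy allows "email": without a mail->email mapping it is dropped
    print(released_for(["cn", "givenName", "sn", "unid", "psrole", "mail"]))
```

Widening the fetch list adds `unid` and `psrole` to the release, but `mail` still does not appear because the policy name (`email`) must match the resolved principal name.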