Cas Login using UPN or SamAccountName


Stephen Meier

Feb 2, 2016, 12:32:00 PM2/2/16
to cas-...@apereo.org

Good Morning all,


Does anyone use both or either the UPN or the SamaccountName for their users to login?


Stephen Meier

College of the Sequoias

Systems Administrator

559-737-6210


Andrew Morgan

Feb 2, 2016, 12:41:43 PM2/2/16
to Stephen Meier, cas-...@apereo.org
On Tue, 2 Feb 2016, Stephen Meier wrote:

> Good Morning all,
>
> Does anyone use both or either the UPN or the SamaccountName for their
> users to login?

Sure. We do something similar against our LDAP service. Search against
both attributes, like this:

<property name="filter" value="(|(uid=%u)(eduPersonPrincipalName=%u))" />

in your case:

<property name="filter" value="(|(samaccountname=%u)(userprincipalname=%u))" />


Always make sure that there will only be one match though. For example,
don't search for samaccountname on a global catalog server where more than
one domain may have the same samaccountname.

Andy

Stephen Meier

Feb 2, 2016, 9:10:28 PM2/2/16
to cas-...@apereo.org
Thank you so much for that information. I have added that to our test server and I am able to authenticate with both the samaccountname and the userprincipalname. However, I am only getting attributes when I login with the samaccountname. I tried adding the user principal name to the <map> portion of the attribute query, but nothing comes through. Would you be willing to share your deployerconfigcontext.xml section with me?
________________________________________
From: Andrew Morgan [mor...@orst.edu]
Sent: Tuesday, February 02, 2016 9:41 AM
To: Stephen Meier
Cc: cas-...@apereo.org
Subject: Re: [cas-user] Cas Login using UPN or SamAccountName

Andrew Morgan

Feb 2, 2016, 11:18:13 PM2/2/16
to Stephen Meier, cas-...@apereo.org
Ahh, I neglected to give you all the necessary changes...

You'll want both your credentialsToPrincipalResolvers and
authenticationHandlers updated. Here are the relevant chunks:

<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <!-- The Principal resolver forms the credentials -->
        <property name="credentialsToPrincipalResolver">
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        </property>
        <!-- The query made to find the Principal ID. "%u" will be replaced by the resolved Principal -->
        <property name="filter" value="(|(uid=%u)(eduPersonPrincipalName=%u))" />
        <!-- The attribute used to define the new Principal ID -->
        <property name="principalAttributeName" value="uid" />
        <property name="searchBase" value="ou=people,o=orst.edu" />
        <property name="contextSource" ref="contextSource" />
        <property name="attributeRepository">
          <ref bean="attributeRepository" />
        </property>
      </bean>
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:filter="(|(uid=%u)(eduPersonPrincipalName=%u))"
            p:searchBase="ou=people,o=orst.edu"
            p:scope="2"
            p:contextSource-ref="contextSource" />
    </list>
  </property>
</bean>

and then the attribute repository:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="requireAllQueryAttributes" value="false" />
  <property name="baseDN" value="ou=people,o=orst.edu" />
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="uid" />
    </map>
  </property>
  <property name="contextSource" ref="contextSource" />
  <property name="resultAttributeMapping">
    <map>
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="sn" value="lastname" />
      <entry key="givenname" value="firstname" />
      <entry key="cn" value="fullname" />
      <entry key="mail" value="email" />
      <entry key="osuuid" value="osuuid" />
      <entry key="osupidm" value="osupidm" />
      <entry key="osuid" value="osuid" />
    </map>
  </property>
</bean>

I hope this helps!

Andy
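As an added illustration (not code from the thread or from CAS itself), here is a small Python model of what the configuration above does: the OR filter with %u substituted, the "exactly one match" requirement Andy mentions, and the attribute lookup keyed by the canonical principal ID, which is why a UPN login still returns the same attributes as a sAMAccountName login. The directory entries and the search function are constructed stand-ins for a real LDAP server, and the substituted value is escaped as RFC 4515 requires so the typed username is always treated as a literal.

```python
import re
# Constructed sample directory standing in for the AD/LDAP server.
DIRECTORY = [
    {"samaccountname": "smeier", "userprincipalname": "smeier@campus.example",
     "mail": "smeier@campus.example", "sn": "Meier"},
    {"samaccountname": "jdoe", "userprincipalname": "jdoe@campus.example",
     "mail": "jdoe@campus.example", "sn": "Doe"},
]
# A global-catalog view adds a second domain whose user shares the sAMAccountName.
GLOBAL_CATALOG = DIRECTORY + [
    {"samaccountname": "jdoe", "userprincipalname": "jdoe@other.example",
     "mail": "jdoe@other.example", "sn": "Dough"},
]

def escape_filter_value(value):
    """RFC 4515 escaping so the substituted %u stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(username):
    """The thread's filter with %u substituted (escaped first)."""
    u = escape_filter_value(username)
    return "(|(samaccountname=%s)(userprincipalname=%s))" % (u, u)

_CLAUSE = re.compile(r"\(([A-Za-z0-9-]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(directory, ldap_filter):
    """Evaluate (attr=v) or (|(attr=v)(attr=v)...) with exact-match semantics."""
    body = ldap_filter[2:-1] if ldap_filter.startswith("(|") else ldap_filter
    clauses = _CLAUSE.findall(body)
    if not clauses or "".join("(%s=%s)" % c for c in clauses) != body:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    return [e for e in directory
            if any(e.get(a.lower()) == _unescape(v) for a, v in clauses)]

def resolve_principal(directory, username, principal_attribute="samaccountname"):
    """Principal ID = canonical attribute of the single entry matching either login form."""
    matches = search(directory, build_filter(username))
    if len(matches) != 1:
        raise ValueError("expected one entry for %r, found %d" % (username, len(matches)))
    return matches[0][principal_attribute]

def principal_attributes(directory, username):
    """Attribute lookup keyed by the canonical principal ID (UPN or sAM login alike)."""
    pid = resolve_principal(directory, username)
    entry, = search(directory, "(samaccountname=%s)" % escape_filter_value(pid))
    return {"sn": entry["sn"], "email": entry["mail"]}
```

Running resolve_principal against GLOBAL_CATALOG with "jdoe" raises, which is the duplicate-sAMAccountName case Andy warns about; a wildcard typed as the username matches nothing because it is escaped before substitution.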