What am I missing? Exclusive Authentication Source for a Service... bonus for Attribute Repository answer ;-)


Colin Ryan

Oct 28, 2020, 5:28:27 PM
to cas-...@apereo.org

Reposting essentially again as I just cannot make this go. My heartfelt apologies that I'm circling to the list again on this.

As before, I want to be able to specifically require an exclusive Authentication Resource per Service definition. I cannot seem to make this work.


CAS 6.2.3


LDAP Resource Definition

==============


cas.authn.ldap[0].name=LDAP
cas.authn.ldap[0].order=0
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldap-url=ldap://100.10.1.230:3131
cas.authn.ldap[0].bind-dn=cn=<xxxx>
cas.authn.ldap[0].search-filter=(&(uid={user})(inetuserstatus=active))
cas.authn.ldap[0].base-dn=o=isp
cas.authn.ldap[0].bind-credential=yyyy
cas.authn.ldap[0].principal-attribute-id=uid
cas.authn.ldap[0].principal-attribute=uid
cas.authn.ldap[0].principal-attribute-list=uid,sn,cn:commonName,givenName,inetUserStatus,dn
cas.authn.ldap[0].use-ssl=false
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=false
cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true


Radius:

=====

cas.authn.radius.name=Radius
cas.authn.radius.server.protocol=PAP
cas.authn.radius.server.retries=1
cas.authn.radius.client.authenticationPort=1645
cas.authn.radius.client.sharedSecret=zzzzzz
cas.authn.radius.client.inetAddress=100.10.1.184
cas.authn.radius.client.accountingPort=1646
cas.authn.radius.principal-attribute: username
cas.authn.radius.principal-attribute-id: username


Service Definition (Using HTTP Generic)

========================

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "evaluationOrder" : 99999,
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : [ "java.util.TreeSet", [ "Radius" ] ],
    "excludedAuthenticationHandlers" : [ "java.util.TreeSet", [ "LDAP" ] ]
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}


It just doesn't work. If I enter a credential set that fails in Radius it will still fall into LDAP and succeed.


Also, I'm trying to use the LDAP attribute repository to round out the attribute response from said Radius authentication. Again, debug logging of the various elements implies that it should work, but I'm not even seeing the LDAP query for the attributes. Maybe I'm missing the point on how it all works? For example, how do you define the attributes that link the PrincipalID, etc.?


2020-10-28 14:59:16,984 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <LDAP attributes are fetched from [ldap://100.10.1.230:3131] via filter [uid=zzzzz]>
2020-10-28 14:59:16,986 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured result attribute mapping for [ldap://100.10.1.230:3131] to be [{cn=commonName, dn=dn, inetUserStatus=inetUserStatus, uid=uid, mail=mail}]>
2020-10-28 14:59:16,990 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Setting binary attributes [[objectGUID, objectSid]]>
2020-10-28 14:59:16,990 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured subtree searching for [ldap://100.10.1.230:3131]>
2020-10-28 14:59:16,990 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Adding LDAP attribute source for [ldap://100.10.1.230:3131]>



Configurations

** Enabling ePerson stuff?

cas.person-directory.attribute-resolution-enabled: true
cas.personDirectory.activeAttributeRepositoryIds: LDAPAttr
cas.person-directory.return-null=false
cas.person-directory.principal-attribute=uid
cas.authn.attributeRepository.expirationTime=30
cas.authn.attributeRepository.expirationTimeUnit=seconds
cas.authn.attributeRepository.merger=MULTIVALUED

** Configuring the LDAP store (log output above seems to imply it's picking this up)

cas.authn.attribute-repository.ldap[0].id=LDAPAttr
cas.authn.attribute-repository.ldap[0].order=0
cas.authn.attribute-repository.ldap[0].attributes.uid=uid
cas.authn.attribute-repository.ldap[0].attributes.cn=commonName
cas.authn.attribute-repository.ldap[0].attributes.dn=dn
cas.authn.attribute-repository.ldap[0].attributes.mail=mail
cas.authn.attribute-repository.ldap[0].attributes.inetUserStatus=inetUserStatus
cas.authn.attribute-repository.ldap[0].ldapUrl=ldap://100.10.1.230:3131
cas.authn.attribute-repository.ldap[0].useSsl=false
cas.authn.attribute-repository.ldap[0].useStartTls=false
cas.authn.attribute-repository.ldap[0].baseDn=o=isp
cas.authn.attribute-repository.ldap[0].search-filter: uid={0}
cas.authn.attribute-repository.ldap[0].bindDn=cn=xxxx
cas.authn.attribute-repository.ldap[0].bindCredential=yyyy

cas.authn.attribute-repository.default-attributes-to-release: uid,dn,mail,commonName


Thoughts on either of these areas would be greatly appreciated.





Misagh Moayyed

Nov 6, 2020, 11:25:25 AM
to CAS Community
What I suspect you're missing is that you are running (as you report) CAS 6.2.3, and yet the "excludedAuthenticationHandlers" piece is only available in 6.3.x.

Compare:

With:

Big red box, top of the page. The table that contains the parameters should be the main delta.
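An added pre-flight check, not from this thread or the CAS project, that catches the two things discussed above: a service policy naming an authentication handler that no cas.authn.*.name property defines, and excludedAuthenticationHandlers used on a CAS version below 6.3 (the version boundary stated in the reply). The service JSON and property lines are constructed from the values in the question; the version cutoff is an assumption taken from the reply, not checked against CAS source.

```python
import json
import re

# Constructed sample built from the thread (not from a running CAS instance).
SERVICE_JSON = """{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(https|imaps)://.*",
  "name": "HTTPS and IMAPS",
  "id": 10000001,
  "authenticationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers": ["java.util.TreeSet", ["Radius"]],
    "excludedAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]]
  }
}"""
CAS_PROPERTIES = """
cas.authn.ldap[0].name=LDAP
cas.authn.radius.name=Radius
"""

def typed_collection(value):
    """Unwrap Jackson's ["java.util.TreeSet", [...]] wrapper into a plain set."""
    if isinstance(value, list) and len(value) == 2 and isinstance(value[0], str) \
            and value[0].startswith("java."):
        return set(value[1])
    return set(value or [])

def configured_handler_names(properties):
    """Collect every cas.authn.<handler>.name value ('=' or ':' separator)."""
    names = set()
    for line in properties.splitlines():
        m = re.match(r"\s*cas\.authn\.[\w\[\].-]+\.name\s*[=:]\s*(\S+)", line)
        if m:
            names.add(m.group(1))
    return names

def check_policy(service_json, properties, cas_version):
    """Return human-readable findings for the service's authenticationPolicy."""
    findings = []
    policy = json.loads(service_json).get("authenticationPolicy", {})
    required = typed_collection(policy.get("requiredAuthenticationHandlers"))
    excluded = typed_collection(policy.get("excludedAuthenticationHandlers"))
    known = configured_handler_names(properties)
    major_minor = tuple(int(p) for p in cas_version.split(".")[:2])
    # Assumption from the reply: excludedAuthenticationHandlers exists only from 6.3.
    if excluded and major_minor < (6, 3):
        findings.append(f"excludedAuthenticationHandlers ignored on CAS {cas_version}: needs 6.3+")
    for name in sorted((required | excluded) - known):
        findings.append(f"handler '{name}' not defined by any cas.authn.*.name property")
    return findings
```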