Bill,
In `cas.properties`, in your LDAP section, you want a property like this:
cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf
That says that the principal that is authenticated should get the above list of LDAP attributes. For the ones that have 2 items separated by a colon, that is just a rename from the LDAP attribute to the name that will be exposed via CAS.
In your service file for an individual service, you specify what attributes from the above list you want to release. The following sections from a service file are an example:
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"attributeFilter" : {
"@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
"patterns": {
"@class" : "java.util.HashMap",
"memberOf": "cn=administrators,ou=groups,dc=example,dc=org"
},
"excludeUnmappedAttributes": false,
"completeMatch": false,
"order": 0
},
"allowedAttributes" : [ "java.util.ArrayList",
[
"uid",
"memberOf",
"email",
"givenName",
"surname"
]
]
},
The "attributeReleasePolicy" is used to filer the "memberOf" attribute down to a specific value (because he attribute is multi-valued, and you usually only want to release only one or a few of the values to a service). The "allowedAttributes" section specifies what attributes from the principal will be released at all.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1473853490.82791165.1535742993465.JavaMail.zimbra%40lafayette.edu.