Ahh, I neglected to give you all the necessary changes...
You'll want both your credentialsToPrincipalResolvers and
authenticationHandlers updated. Here are the relevant chunks:
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <!-- The Principal resolver forms the credentials -->
        <property name="credentialsToPrincipalResolver">
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        </property>
        <!-- The query made to find the Principal ID. "%u" will be replaced by the resolved Principal -->
        <property name="filter" value="(|(uid=%u)(eduPersonPrincipalName=%u))" />
        <!-- The attribute used to define the new Principal ID -->
        <property name="principalAttributeName" value="uid" />
        <property name="searchBase" value="ou=people,o=orst.edu" />
        <property name="contextSource" ref="contextSource" />
        <property name="attributeRepository">
          <ref bean="attributeRepository" />
        </property>
      </bean>
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:filter="(|(uid=%u)(eduPersonPrincipalName=%u))"
            p:searchBase="ou=people,o=orst.edu"
            p:scope="2"
            p:contextSource-ref="contextSource" />
    </list>
  </property>
</bean>
and then the attribute repository:
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="requireAllQueryAttributes" value="false" />
  <property name="baseDN" value="ou=people,o=orst.edu" />
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="uid" />
    </map>
  </property>
  <property name="contextSource" ref="contextSource" />
  <property name="resultAttributeMapping">
    <map>
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="sn" value="lastname" />
      <entry key="givenname" value="firstname" />
      <entry key="cn" value="fullname" />
      <entry key="mail" value="email" />
      <entry key="osuuid" value="osuuid" />
      <entry key="osupidm" value="osupidm" />
      <entry key="osuid" value="osuid" />
    </map>
  </property>
</bean>
I hope this helps!
Andy
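An added example, not code from this thread or from CAS: a small Python model of the two-stage flow the configuration above sets up (resolve whatever the user typed to the uid through the OR filter, then fetch attributes by uid through the attribute repository), including the "only one match" check from Andy's earlier reply quoted below. The directory entries, the o=other.example domain and the function names are constructed for the demo; the real resolver talks to LDAP instead of a list.

```python
# Constructed sample entries standing in for the LDAP server (not real data).
# The third entry models a second domain on a global catalog reusing the same short name.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=people,o=orst.edu", "uid": "jdoe", "sn": "Doe", "givenname": "Jane",
     "cn": "Jane Doe", "mail": "jdoe@orst.edu", "eduPersonPrincipalName": "jdoe@orst.edu"},
    {"dn": "uid=bsmith,ou=people,o=orst.edu", "uid": "bsmith", "sn": "Smith", "givenname": "Bob",
     "cn": "Bob Smith", "mail": "bsmith@orst.edu", "eduPersonPrincipalName": "bsmith@orst.edu"},
    {"dn": "uid=jdoe,ou=people,o=other.example", "uid": "jdoe", "sn": "Doe", "givenname": "John",
     "cn": "John Doe", "mail": "jdoe@other.example", "eduPersonPrincipalName": "jdoe@other.example"},
]
SEARCH_BASE = "ou=people,o=orst.edu"
LOGIN_ATTRIBUTES = ("uid", "eduPersonPrincipalName")  # the (|(uid=%u)(eduPersonPrincipalName=%u)) filter
PRINCIPAL_ATTRIBUTE = "uid"                           # principalAttributeName
RESULT_ATTRIBUTE_MAPPING = {"uid": "uid", "sn": "lastname", "givenname": "firstname",
                            "cn": "fullname", "mail": "email"}  # resultAttributeMapping


def escape_filter_value(value):
    """RFC 4515 escaping, so a typed login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(login):
    """The filter string the resolver sends once %u is substituted with the escaped login."""
    value = escape_filter_value(login)
    return "(|" + "".join(f"({attr}={value})" for attr in LOGIN_ATTRIBUTES) + ")"


def search(login, search_base):
    """Model of the OR filter: entries under search_base whose uid or ePPN equals the login."""
    return [e for e in DIRECTORY if e["dn"].endswith(search_base)
            and any(e.get(a, "").casefold() == login.casefold() for a in LOGIN_ATTRIBUTES)]


def resolve_principal(login, search_base=SEARCH_BASE):
    """Stage 1 (CredentialsToLDAPAttributePrincipalResolver): typed login -> uid.
    Zero or several matches are rejected; that is the 'only one match' rule."""
    matches = search(login, search_base)
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} entries match {build_filter(login)} under '{search_base}'")
    return matches[0][PRINCIPAL_ATTRIBUTE]


def lookup_attributes(principal_id, search_base=SEARCH_BASE):
    """Stage 2 (LdapPersonAttributeDao): query by uid only (username -> uid) and rename the
    result per resultAttributeMapping. Works for either login form because stage 1 already
    normalised the login to the uid."""
    entries = [e for e in DIRECTORY if e["dn"].endswith(search_base) and e["uid"] == principal_id]
    if len(entries) != 1:
        raise LookupError(f"{len(entries)} entries for uid={principal_id}")
    return {new: entries[0][old] for old, new in RESULT_ATTRIBUTE_MAPPING.items() if old in entries[0]}
```

Passing an empty search base stands in for searching a whole global catalog, where the short name alone is ambiguous and the resolver refuses to pick one.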
On Wed, 3 Feb 2016, Stephen Meier wrote:
Thank you so much for that information. I have added that to our test server and I
am able to authenticate with both the samaccountname and the userprincipalname.
However, I am only getting attributes when I login with the samaccountname. I tried
adding the user principal name to the <map> portion of the attribute query, but
nothing comes through. Would you be willing to share your deployerconfigcontext.xml
section with me?
________________________________________
From: Andrew Morgan [[email protected]]
Sent: Tuesday, February 02, 2016 9:41 AM
To: Stephen Meier
Cc: [email protected]
Subject: Re: [cas-user] Cas Login using UPN or SamAccountName
On Tue, 2 Feb 2016, Stephen Meier wrote:
Good Morning all,
Does anyone use both or either the UPN or the SamaccountName for their
users to login?
Sure. We do something similar against our LDAP service. Search against
both attributes, like this:
<property name="filter" value="(|(uid=%u)(eduPersonPrincipalName=%u))" />
in your case:
<property name="filter" value="(|(samaccountname=%u)(userprincipalname=%u))" />
Always make sure that there will only be one match though. For example,
don't search for samaccountname on a global catalog server where more than
one domain may have the same samaccountname.
Andy
--
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.