I'm trying to configure surrogate authentication on a CAS 5.3.4 using
LDAP as the backend for both normal and surrogate authentication. While
I've managed to get it to work (it's possible to log on as another
user), I'm having problems with the attribute resolution.

Here is the configuration for the main authentication:

cas.authn.ldap[0].name: LDAP
cas.authn.ldap[0].type: ANONYMOUS
cas.authn.ldap[0].poolPassivator: NONE
cas.authn.ldap[0].ldapUrl: ldaps://ldap.agrocampus-ouest.fr
cas.authn.ldap[0].connectionStrategy: ROUND_ROBIN
cas.authn.ldap[0].baseDn: ou=people,dc=agrocampus-ouest,dc=fr
cas.authn.ldap[0].subtreeSearch: false
cas.authn.ldap[0].validator.type: SEARCH
cas.authn.ldap[0].validator.baseDn: dc=agrocampus-ouest,dc=fr
cas.authn.ldap[0].validator.searchFilter: (ou=people)
cas.authn.ldap[0].validator.scope: ONELEVEL
cas.authn.ldap[0].searchFilter: (|(uid={user})(mail={user})(eduPersonPrincipalName={user}))

The configuration for the surrogates is:

cas.authn.surrogate.ldap.name: LDAP Surrogates
cas.authn.surrogate.ldap.baseDn: ou=people,dc=agrocampus-ouest,dc=fr
cas.authn.surrogate.ldap.poolPassivator: NONE
cas.authn.surrogate.ldap.ldapUrl: ldaps://ldap.agrocampus-ouest.fr
cas.authn.surrogate.ldap.connectionStrategy: ROUND_ROBIN
cas.authn.surrogate.ldap.validator.type: SEARCH
cas.authn.surrogate.ldap.validator.baseDn: dc=agrocampus-ouest,dc=fr
cas.authn.surrogate.ldap.validator.searchFilter: (ou=people)
cas.authn.surrogate.ldap.validator.scope: ONELEVEL
cas.authn.surrogate.ldap.memberAttributeName: uid
cas.authn.surrogate.ldap.memberAttributeValueRegex: .*
cas.authn.surrogate.ldap.surrogateSearchFilter: (&(uid={user})(memberOf=cn=dsi,ou=groups,dc=agrocampus-ouest,dc=fr))

Finally, I have the following configuration for the attribute repository:

cas.personDirectory.principalAttribute: uid
cas.authn.attributeRepository.ldap[0].ldapUrl: ldaps://ldap.agrocampus-ouest.fr
cas.authn.attributeRepository.ldap[0].poolPassivator: NONE
cas.authn.attributeRepository.ldap[0].connectionStrategy: ROUND_ROBIN
cas.authn.attributeRepository.ldap[0].searchFilter: (|(uid={0})(mail={0})(eduPersonPrincipalName={0}))
cas.authn.attributeRepository.ldap[0].validator.type: SEARCH
cas.authn.attributeRepository.ldap[0].validator.baseDn: dc=agrocampus-ouest,dc=fr
cas.authn.attributeRepository.ldap[0].validator.searchFilter: (ou=people)
cas.authn.attributeRepository.ldap[0].validator.scope: ONELEVEL
cas.authn.attributeRepository.ldap[0].baseDn: ou=people,dc=agrocampus-ouest,dc=fr
cas.authn.attributeRepository.ldap[0].subtreeSearch: false
cas.authn.attributeRepository.ldap[0].attributes.memberOf: memberOf
# More attributes here

This configuration works well when authenticating users normally.
However, when using surrogate authentication, the CAS server adds
attributes from both the primary and surrogate principals, resulting in
a principal with two UIDs, two givenNames, etc., for example:

2018-10-29 17:34:41,797 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Determined primary authentication principal to be [SimplePrincipal(id=ldurande, attributes={uid=[ebenoit, ldurande], **snip***

Does anyone have an idea of what the problem might be?

Thanks in advance.
LiOnel.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/377c734e-2985-4a92-89d3-f535aafc6519%40apereo.org.
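Added illustration, not part of the original post and not CAS code: a small model of how two principal attribute maps can be combined, which combination rule reproduces the symptom in the log line above (uid=[ebenoit, ldurande]), and a check a reviewer can run over such DEBUG lines to flag a surrogate session whose principal carries attributes, in particular memberOf values, that belong to the impersonating account rather than the impersonated one. The strategy names, sample users, group DNs and the completed log line are constructed for the example; they are not CAS property values or real directory data.

```python
import re
from typing import Dict, List, Tuple

Attrs = Dict[str, List[str]]

# Constructed sample attribute sets modelled on the post's scenario:
# "ebenoit" is the primary (impersonating) user, "ldurande" the surrogate.
PRIMARY: Attrs = {
    "uid": ["ebenoit"],
    "givenName": ["Eric"],
    "memberOf": ["cn=dsi,ou=groups,dc=example,dc=org"],
}
SURROGATE: Attrs = {
    "uid": ["ldurande"],
    "givenName": ["Lionel"],
    "memberOf": ["cn=staff,ou=groups,dc=example,dc=org"],
}

STRATEGIES = ("replace", "add", "multivalued")


def merge(base: Attrs, incoming: Attrs, strategy: str) -> Attrs:
    """Combine two attribute maps. Strategy names are this example's own:
    'replace'     -> incoming values win for every key it carries
    'add'         -> base values win; incoming only fills missing keys
    'multivalued' -> values are unioned per key, base values first"""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    out: Attrs = {k: list(v) for k, v in base.items()}
    for key, values in incoming.items():
        if strategy == "replace" or key not in out:
            out[key] = list(values)
        elif strategy == "multivalued":
            out[key].extend(v for v in values if v not in out[key])
        # 'add' keeps the existing values untouched
    return out


def multi_valued(attrs: Attrs, single_valued=("uid", "givenName")) -> List[str]:
    """Names of attributes that should hold one value but hold several."""
    return [a for a in single_valued if len(attrs.get(a, [])) > 1]


def foreign_groups(principal: Attrs, expected: Attrs) -> List[str]:
    """memberOf values on the session principal that the impersonated
    account does not have itself, i.e. privilege inherited from the
    primary user's directory entry."""
    own = expected.get("memberOf", [])
    return [g for g in principal.get("memberOf", []) if g not in own]


# Constructed log line completing the snipped one from the post.
LOG_LINE = (
    "2018-10-29 17:34:41,797 DEBUG [org.apereo.cas.authentication."
    "DefaultAuthenticationResultBuilder] - <Determined primary "
    "authentication principal to be [SimplePrincipal(id=ldurande, "
    "attributes={uid=[ebenoit, ldurande], givenName=[Eric, Lionel]})]>"
)


def parse_principal(line: str) -> Tuple[str, Attrs]:
    """Extract principal id and attribute map from a SimplePrincipal dump."""
    m = re.search(r"SimplePrincipal\(id=([^,]+), attributes=\{(.*)\}\)", line)
    if not m:
        raise ValueError("no SimplePrincipal in line")
    pid, body = m.group(1), m.group(2)
    attrs: Attrs = {
        key: [v.strip() for v in vals.split(",") if v.strip()]
        for key, vals in re.findall(r"(\w+)=\[([^\]]*)\]", body)
    }
    return pid, attrs


def audit_line(line: str) -> List[str]:
    """Findings for one DEBUG line: identity attributes with several values,
    and a uid that does not agree with the principal id."""
    pid, attrs = parse_principal(line)
    findings = [f"{a} has {len(attrs[a])} values" for a in multi_valued(attrs)]
    if attrs.get("uid") and attrs["uid"] != [pid]:
        findings.append(f"uid {attrs['uid']} does not match principal id {pid}")
    return findings


if __name__ == "__main__":
    for s in STRATEGIES:
        print(s, merge(PRIMARY, SURROGATE, s))
    print(audit_line(LOG_LINE))
```

Only the union-style merge yields the two-valued uid seen in the post, and under that merge the surrogate session also carries the primary user's memberOf entries, which is the part that matters for any service doing group-based authorization on the released attributes. The checks above work from the DEBUG output alone, so they can be run against the CAS log when validating a surrogate configuration.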