So we found the issue was brought in by the Surrogate authentication
component. Once we removed that dependency, the issue was gone. We are going
to log an issue so hopefully it gets fixed soon.

On Tue, Jun 25, 2019 at 3:57 PM Geng, Kelly <ge...@miamioh.edu> wrote:

> I should add that we authenticate against OpenLDAP, but do get attributes
> from both OpenLDAP and AD. Here are the relevant cas.properties entries:
>
> ###############################################
> # Configure the primary authentication source.
>
> cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldaps://[our_ldap_host]
> cas.authn.ldap[0].connectionStrategy=DEFAULT
> cas.authn.ldap[0].useSsl=true
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].baseDn=ou=people,dc=muohio,dc=edu
> cas.authn.ldap[0].searchFilter=uid={user}
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].bindDn=uid=cassvc,ou=ldapids,dc=muohio,dc=edu
> cas.authn.ldap[0].bindCredential=[our_secret]
>
> ###############################################
> # Define the attribute used to give the principal ID of the
> # authenticated user.
> cas.personDirectory.principalAttribute=uid
> cas.personDirectory.returnNull=false
>
>
> ###############################################
> # Define the attributes to be resolved via the primary repository.
> # This should be OpenLDAP in our case.
>
> cas.authn.attributeRepository.ldap[0].attributes.muohioeduPrimaryAffiliation=affiliation
>
> cas.authn.attributeRepository.ldap[0].attributes.muohioeduPrimaryAffiliationCode=affiliationcode
>
> cas.authn.attributeRepository.ldap[0].attributes.muohioeduBannerPersonId=UDC_IDENTIFIER
> cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
>
> cas.authn.attributeRepository.ldap[0].attributes.eduPersonAffiliation=eduPersonAffiliation
> ...
>
>
> ###############################################
> # Configure the primary attribute repository. Most of our attributes
> # come from OpenLDAP.
>
> cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://ldap.miamioh.edu
> cas.authn.attributeRepository.ldap[0].connectionStrategy=DEFAULT
> cas.authn.attributeRepository.ldap[0].order=0
> cas.authn.attributeRepository.ldap[0].useSsl=true
> cas.authn.attributeRepository.ldap[0].useStartTls=false
> cas.authn.attributeRepository.ldap[0].connectTimeout=5000
> cas.authn.attributeRepository.ldap[0].baseDn=ou=people,dc=muohio,dc=edu
> cas.authn.attributeRepository.ldap[0].searchFilter=uid={user}
> cas.authn.attributeRepository.ldap[0].subtreeSearch=true
>
> cas.authn.attributeRepository.ldap[0].bindDn=uid=cassvc,ou=ldapids,dc=muohio,dc=edu
> cas.authn.attributeRepository.ldap[0].bindCredential=[secret]
>
> ###############################################
> # Define the attributes to be resolved via the secondary repository.
> # This should be Active Directory in our case.
> cas.authn.attributeRepository.ldap[1].attributes.memberOf=groupMembership
> cas.authn.attributeRepository.ldap[1].attributes.memberOf=memberOf
>
> ###############################################
> # Configure the secondary attribute repository. This is AD in our
> # environment and is primarily going to be used for group membership.
>
> cas.authn.attributeRepository.ldap[1].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> cas.authn.attributeRepository.ldap[1].ldapUrl=ldaps://storm.miamioh.edu
> cas.authn.attributeRepository.ldap[1].connectionStrategy=DEFAULT
> cas.authn.attributeRepository.ldap[1].order=1
> cas.authn.attributeRepository.ldap[1].useSsl=true
> cas.authn.attributeRepository.ldap[1].useStartTls=false
> cas.authn.attributeRepository.ldap[1].connectTimeout=5000
>
> cas.authn.attributeRepository.ldap[1].baseDn=ou=people,dc=it,dc=muohio,dc=edu
> cas.authn.attributeRepository.ldap[1].searchFilter=cn={user}
> cas.authn.attributeRepository.ldap[1].subtreeSearch=true
> cas.authn.attributeRepository.ldap[1].bindDn=CN=CASSvc2,OU=Service Accounts,OU=MUUser,DC=it,DC=muohio,DC=edu
> cas.authn.attributeRepository.ldap[1].bindCredential=secret
>
> On Tue, Jun 25, 2019 at 3:13 PM Geng, Kelly <ge...@miamioh.edu> wrote:
>
>> Hi All,
>>
>> We are upgrading CAS from 5.3.7 to 6.0.4. One issue we are seeing is that
>> CAS is returning duplicated attribute values if a service (non-SAML service)
>> specifies SAML 1.1 as the server protocol version. In looking at the CAS
>> log, we found the same duplicated attribute values are being recorded (see
>> below). We verified that in CAS 5.3.7 we are not seeing the duplicated
>> values in the CAS log. I wonder whether anyone else sees the same thing and why
>> they are being duplicated. This breaks our applications that didn't turn
>> "enable_saml" false and at the same time use some of the attributes,
>> expecting them to be a string, but now an array is returned.
>>
>>
>> 2019-06-25 15:00:28,628 INFO
>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
>> <{"who":"gengx","what":"[result=Service Access
>> Granted,service=https://web.test/terms-of-service/,principal=SimplePrincipal(id=gengx,
>> attributes={telephoneNumber=[campus: +1 513 529 2002, campus: +1 513 529
>> 2002], mail=[ge...@miamioh.edu, ge...@miamioh.edu],
>> eduPersonAffiliation=[staff, staff], displayName=[Ms. Kelly Geng, Ms. Kelly Geng],
>> muohioeduAffiliationCode=[sta, frs, sta, frs],
>> muohioeduPrimaryAffiliation=[staff, staff],
>> ...}),requiredAttributes={}]","action":"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED","application":"CAS","when":"Tue
>> Jun 25 15:00:28 EDT
>> 2019","clientIpAddress":"10.28.129.164","serverIpAddress":"127.0.0.1"}>
>>
>>
>> Thanks for your help!
>>
>>
>> --
>> Kelly
>> Application Developer
>> Miami University
>>
>
>
> --
> Kelly
>


-- 
Kelly
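
The duplication described in this thread (each attribute value appearing twice in the Slf4jLoggingAuditTrailManager line, breaking consumers that expect a single string) can be spotted from the audit log itself. The following is an added example, not code from the thread or from CAS: it parses a constructed audit line shaped like the one quoted above, flags attributes whose values repeat, and shows an order-preserving, de-duplicating merge of two attribute repositories (the page's OpenLDAP-then-AD setup) for comparison; the merge function is an illustration, not CAS's own merging strategy.

```python
import re
from collections import Counter

# Constructed sample, modelled on the audit line in the thread (values shortened,
# e-mail address replaced by a placeholder).
SAMPLE_AUDIT_LINE = (
    '2019-06-25 15:00:28,628 INFO '
    '[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - '
    '<{"who":"gengx","what":"[result=Service Access Granted,'
    'service=https://web.test/terms-of-service/,principal=SimplePrincipal(id=gengx, '
    'attributes={eduPersonAffiliation=[staff, staff], '
    'displayName=[Ms. Kelly Geng, Ms. Kelly Geng], '
    'muohioeduAffiliationCode=[sta, frs, sta, frs], '
    'mail=[kelly@example.edu]}),requiredAttributes={}]",'
    '"action":"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED","application":"CAS"}>'
)

# The attributes map sits between "attributes={" and the "})" that closes SimplePrincipal.
ATTR_BLOCK_RE = re.compile(r"attributes=\{(.*?)\}\)")
# Each entry has the form name=[v1, v2, ...]; values in the thread contain no commas.
ATTR_PAIR_RE = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_attributes(line):
    """Return {attribute: [values]} from one CAS audit log line (empty if none)."""
    block = ATTR_BLOCK_RE.search(line)
    if not block:
        return {}
    return {name: [v.strip() for v in raw.split(",")]
            for name, raw in ATTR_PAIR_RE.findall(block.group(1))}


def duplicated_values(attrs):
    """Return {attribute: [values that occur more than once]} in first-seen order."""
    report = {}
    for name, values in attrs.items():
        repeated = [v for v, n in Counter(values).items() if n > 1]
        if repeated:
            report[name] = repeated
    return report


def merge_repositories(*repos):
    """Merge attribute maps from several repositories (first one wins on order),
    keeping each distinct value once so single-valued attributes stay single-valued."""
    merged = {}
    for repo in repos:
        for name, values in repo.items():
            bucket = merged.setdefault(name, [])
            bucket.extend(v for v in values if v not in bucket)
    return merged
```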

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CANDcCJ%3DdsAswa93QfF%3Dsm%3DtPGxYuzg8CGtwFowdPZ_HBQBhfVg%40mail.gmail.com.