Hello,

well, maybe you didn't get me right. I want to resolve the attributes on 
authentication over LDAP. This works fine for a normal authentication, but 
if I want to make a surrogate authentication like 
"surrogateUser+primaryUser", the primary user principal has all LDAP 
attributes and the surrogate user principal has none. So I want the 
surrogate user principal to also have the LDAP attributes from the surrogate 
user. So there is only one data source (LDAP for primary and surrogate 
user). For this I found: 
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#person-directory-principal-resolution

but I tried around with these configuration options. No success so 
far.

So the LDAP attributes shouldn't get into the principal after the 
authentication. They should get in during authentication. I think that I need to 
configure the principal resolution right, but I don't know how. On the site 
I found this subtext: "Principal resolution and Person Directory settings 
for this feature are available here 
<https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#person-directory-principal-resolution>
under the configuration key cas.authn.surrogate.principal." which redirects 
you to the link above.



Ray Bon wrote on Thursday, 26 November 2020 at 18:00:28 UTC+1:

> Marcel,
>
> principalAttributeList is for resolving attributes on authentication. If 
> you want to retrieve attributes after the fact or perhaps from a different 
> data source,
>
> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#authentication-attributes
>
> Ray
>
> On Thu, 2020-11-26 at 07:06 -0800, Marcel Fromkorth wrote:
>
> Hello,
>
> I'm trying to configure the surrogate authentication support over ldap 
> authentication.
> All this happens on CAS Version 6.2.5.
>
> The problem is that the surrogate user principal has no attributes, which 
> should be mapped from LDAP. I want the surrogateUser principal to 
> get its LDAP attributes. For the primary user it works fine.
>
> I only got: *Surrogate access is denied. The principal does not have the 
> required attributes [{attributes=[testAttribute]}] *-> which are defined 
> in the service at "surrogateRequiredAttributes".
>
> In the debug logs I could see this:
>
> *<Found surrogate principal [SimplePrincipal(id=testuser, attributes={})]>*
>
> Some logs earlier I can see that the LDAP user for the surrogate is found 
> successfully and all needed attributes exist. So I think that something 
> with the principal resolution doesn't work.
>
> Here is a snippet of my cas.properties:
>
> cas.authn.surrogate.ldap.searchFilter=uid:caseExactMatch:={user}
> cas.authn.surrogate.ldap.surrogateSearchFilter=uid:caseExactMatch:={surrogate}
> cas.authn.surrogate.principal.attribute-resolution-enabled=true
> cas.authn.surrogate.principal.principal-attribute=attributes
>
> I switched the accessStrategy in my services to 
> *SurrogateRegisteredServiceAccessStrategy*.
>
> So I don't know why the attributes of the surrogate user won't be mapped 
> into the surrogate user principal. For the primary user it works fine (for 
> the primary user I used *cas.authn.ldap[0].principalAttributeList*=attributes 
> --> works fine).
>
> But in the documentation, it seems that there only exists the attribute 
> "*principal-attribute*" for this type of setting.
>
> Can someone help me here?
>
> Greetings and thank you.
>
>
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>
