My guess would be that allowedAttributes must also be configured as:

<property name="allowedAttributes">
    <list>
        <value>attr1</value>
        <value>attr2</value>
    </list>
</property>

unless something is smart enough to recognize comma as a separator (maybe
there is? I usually just list them explicitly).


On Thu, Mar 17, 2011 at 1:32 PM, Marvin Addison <[email protected]> wrote:

> I believe the problem is here:
>
>     <bean class="org.jasig.cas.services.RegisteredServiceImpl">
>         <property name="id" value="0" />
>         <property name="name" value="HTTP" />
>         <property name="description" value="Only Allows HTTP Urls" />
>         <property name="serviceId" value="http://**" />
>         <property name="allowedAttributes" value="uid,cn,isMemberOf" />
>     </bean>
>
> You need to either remove allowedAttributes attribute, or list all
> attributes by the name you've given them in the principal,
> "username,Name,isMemberOf".  All RegisteredServiceImpl entries should
> be configured similarly.
>
> M
>
> On Thu, Mar 17, 2011 at 1:26 PM, Cyril GUILLERMINET
> <[email protected]> wrote:
> > Hi,
> >
> > I am running CAS 3.4.6 with OpenDS and user authentication is working as
> expected.
> >
> > However, I am not able to get LDAP attributes, could you please help me
> to find what I am doing wrong. Here is my configuration:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <beans xmlns="http://www.springframework.org/schema/beans"
> >        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >        xmlns:p="http://www.springframework.org/schema/p"
> >        xmlns:sec="http://www.springframework.org/schema/security"
> >        xsi:schemaLocation="http://www.springframework.org/schema/beans
> >                            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
> >                            http://www.springframework.org/schema/security
> >                            http://www.springframework.org/schema/security/spring-security-3.0.xsd">
> >
> >     <bean id="authenticationManager"
> >           class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> >         <property name="credentialsToPrincipalResolvers">
> >             <list>
> >                 <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
> >                     <property name="credentialsToPrincipalResolver">
> >                         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> >                     </property>
> >                     <property name="filter" value="(uid=%u)" />
> >                     <property name="principalAttributeName" value="uid" />
> >                     <property name="searchBase" value="ou=people,dc=tinesys,dc=fr" />
> >                     <property name="contextSource" ref="contextSource" />
> >                     <property name="attributeRepository">
> >                         <ref bean="attributeRepository" />
> >                     </property>
> >                 </bean>
> >                 <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> >             </list>
> >         </property>
> >         <property name="authenticationHandlers">
> >             <list>
> >                 <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> >                       p:httpClient-ref="httpClient" />
> >                 <!--
> >                 <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
> >                 -->
> >                 <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> >                     <property name="filter" value="uid=%u" />
> >                     <property name="searchBase" value="ou=people,dc=tinesys,dc=fr" />
> >                     <property name="contextSource" ref="contextSource" />
> >                 </bean>
> >             </list>
> >         </property>
> >     </bean>
> >
> >     <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
> >         <property name="pooled" value="false"/>
> >         <property name="urls">
> >             <list>
> >                 <value>ldaps://myhost:1636/</value>
> >             </list>
> >         </property>
> >         <property name="userDn" value="cn=Directory Manager"/> <!-- eg uid=LdapUser,dc=yourdomain,dc=edu -->
> >         <property name="password" value="my secret password"/>
> >         <property name="baseEnvironmentProperties">
> >             <map>
> >                 <entry>
> >                     <key><value>java.naming.security.authentication</value></key>
> >                     <value>simple</value>
> >                 </entry>
> >                 <entry>
> >                     <key><value>com.sun.jndi.ldap.connect.timeout</value></key>
> >                     <value>2000</value>
> >                 </entry>
> >                 <entry>
> >                     <key><value>com.sun.jndi.ldap.read.timeout</value></key>
> >                     <value>2000</value>
> >                 </entry>
> >             </map>
> >         </property>
> >     </bean>
> >
> >     <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />-->
> >
> >     <sec:user-service id="userDetailsService">
> >         <sec:user name="battags" password="notused" authorities="ROLE_ADMIN" />
> >     </sec:user-service>
> >
> >     <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
> >         <property name="contextSource" ref="contextSource" />
> >         <property name="baseDN" value="ou=people,dc=tinesys,dc=fr" />
> >         <property name="requireAllQueryAttributes" value="true" />
> >         <!--
> >             Attribute mapping between principal (key) and LDAP (value) names
> >             used to perform the LDAP search.  By default, multiple search criteria
> >             are ANDed together.  Set the queryType property to change to OR.
> >         -->
> >         <property name="queryAttributeMapping">
> >             <map>
> >                 <entry key="username" value="uid" />
> >             </map>
> >         </property>
> >         <property name="resultAttributeMapping">
> >             <map>
> >                 <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
> >                 <entry key="cn" value="Name"/>
> >                 <entry key="uid" value="username"/>
> >                 <entry key="isMemberOf" value="isMemberOf" />
> >             </map>
> >         </property>
> >     </bean>
> >
> >     <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
> >         <property name="registeredServices">
> >             <list>
> >                 <bean class="org.jasig.cas.services.RegisteredServiceImpl">
> >                     <property name="id" value="0" />
> >                     <property name="name" value="HTTP" />
> >                     <property name="description" value="Only Allows HTTP Urls" />
> >                     <property name="serviceId" value="http://**" />
> >                     <property name="allowedAttributes" value="uid,cn,isMemberOf" />
> >                 </bean>
> >
> >                 <bean class="org.jasig.cas.services.RegisteredServiceImpl">
> >                     <property name="id" value="1" />
> >                     <property name="name" value="HTTPS" />
> >                     <property name="description" value="Only Allows HTTPS Urls" />
> >                     <property name="serviceId" value="https://**" />
> >                 </bean>
> >
> >                 <bean class="org.jasig.cas.services.RegisteredServiceImpl">
> >                     <property name="id" value="2" />
> >                     <property name="name" value="IMAPS" />
> >                     <property name="description" value="Only Allows IMAPS Urls" />
> >                     <property name="serviceId" value="imaps://**" />
> >                 </bean>
> >
> >                 <bean class="org.jasig.cas.services.RegisteredServiceImpl">
> >                     <property name="id" value="3" />
> >                     <property name="name" value="IMAP" />
> >                     <property name="description" value="Only Allows IMAP Urls" />
> >                     <property name="serviceId" value="imap://**" />
> >                 </bean>
> >             </list>
> >         </property>
> >     </bean>
> >
> >     <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
> > </beans>
> >
> > Here are some logs:
> > 2011-03-17 12:54:04,949 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> AuthenticationHandler:
> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
> authenticated the user which provided the following credentials: [username:
> someone]
> > 2011-03-17 12:54:04,949 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - Attempting to resolve a principal...
> > 2011-03-17 12:54:04,949 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - Attempting to resolve a principal...
> > 2011-03-17 12:54:04,949 DEBUG
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
> - Attempting to resolve a principal...
> > 2011-03-17 12:54:04,949 DEBUG
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
> - Attempting to resolve a principal...
> > 2011-03-17 12:54:04,949 DEBUG
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
> - Creating SimplePrincipal for [someone]
> > 2011-03-17 12:54:04,949 DEBUG
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
> - Creating SimplePrincipal for [someone]
> > 2011-03-17 12:54:04,951 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - Resolved someone. Trying LDAP resolve now...
> > 2011-03-17 12:54:04,951 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - Resolved someone. Trying LDAP resolve now...
> > 2011-03-17 12:54:04,951 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - LDAP search with filter "(uid=someone)"
> > 2011-03-17 12:54:04,951 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - LDAP search with filter "(uid=someone)"
> > 2011-03-17 12:54:04,951 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - returning searchcontrols: scope=2; search base=ou=people,dc=xxxxx,dc=xxxx;
> attributes=[uid]; timeout=1000
> > 2011-03-17 12:54:04,951 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - returning searchcontrols: scope=2; search base=ou=people,dc=xxxxx,dc=xxxx;
> attributes=[uid]; timeout=1000
> > 2011-03-17 12:54:04,997 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - Resolved someone to someone
> > 2011-03-17 12:54:04,997 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - Resolved someone to someone
> > 2011-03-17 12:54:04,997 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - Creating SimplePrincipal for [someone]
> > 2011-03-17 12:54:04,997 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - Creating SimplePrincipal for [someone]
> > 2011-03-17 12:54:04,998 DEBUG
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Created
> seed map='{username=[someone]}' for uid='someone'
> > 2011-03-17 12:54:04,998 DEBUG
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Created
> seed map='{username=[someone]}' for uid='someone'
> > 2011-03-17 12:54:04,998 DEBUG
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Adding
> attribute 'uid' with value '[someone]' to query builder 'null'
> > 2011-03-17 12:54:04,998 DEBUG
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Adding
> attribute 'uid' with value '[someone]' to query builder 'null'
> > 2011-03-17 12:54:05,001 DEBUG
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
> Generated query builder '(uid=cguillerminet)' from query Map
> {username=[cguillerminet]}.
> > 2011-03-17 12:54:05,001 DEBUG
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
> Generated query builder '(uid=cguillerminet)' from query Map
> {username=[cguillerminet]}.
> > 2011-03-17 12:54:05,064 INFO
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit
> trail record BEGIN
> > =============================================================
> > WHO: [username: someone]
> > WHAT: supplied credentials: [username: someone]
> > ACTION: AUTHENTICATION_SUCCESS
> > APPLICATION: CAS
> > WHEN: Thu Mar 17 12:54:05 EDT 2011
> > CLIENT IP ADDRESS: xxx.xx.xx.xx
> > SERVER IP ADDRESS: xxx.xx.xx.xx
> > =============================================================
> >
> >
> > 2011-03-17 12:54:05,070 INFO
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit
> trail record BEGIN
> > =============================================================
> > WHO: [username: someone]
> > WHAT: TGT-1-gxBJlnF2jeUWpnwel20dUcq0DBOMJ51cRlxKGBRgRctlM4k5gE-cas
> > ACTION: TICKET_GRANTING_TICKET_CREATED
> > APPLICATION: CAS
> > WHEN: Thu Mar 17 12:54:05 EDT 2011
> > CLIENT IP ADDRESS: xxx.xx.xx.xx
> > SERVER IP ADDRESS: xxx.xx.xx.xx
> > =============================================================
> >
> >
> > 2011-03-17 12:54:05,071 INFO
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit
> trail record BEGIN
> > =============================================================
> > WHO: audit:unknown
> > WHAT: TGT-1-WdrIcWoeCRAOXdievaMQze0ItGXgdUY9te0DobCFhcV2dfN7Bs-cas
> > ACTION: TICKET_GRANTING_TICKET_DESTROYED
> > APPLICATION: CAS
> > WHEN: Thu Mar 17 12:54:05 EDT 2011
> > CLIENT IP ADDRESS: xxx.xx.xx.xx
> > SERVER IP ADDRESS: xxx.xx.xx.xx
> > =============================================================
> >
> >
> > 2011-03-17 12:54:05,073 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket
> [ST-1-7sFZLYHxwnNne1wzshAj-cas] for service [http://172.22.95.75/] for
> user [cguillerminet]
> > 2011-03-17 12:54:05,074 INFO
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit
> trail record BEGIN
> > =============================================================
> > WHO: someone
> > WHAT: ST-1-7sFZLYHxwnNne1wzshAj-cas for http://xxx.xx.xx.xx/
> > ACTION: SERVICE_TICKET_CREATED
> > APPLICATION: CAS
> > WHEN: Thu Mar 17 12:54:05 EDT 2011
> > CLIENT IP ADDRESS: xxx.xx.xx.xx
> > SERVER IP ADDRESS: xxx.xx.xx.xx
> > =============================================================
> >
> >
> > 2011-03-17 12:54:05,125 DEBUG
> [org.jasig.cas.authentication.principal.SamlService] - Attempted to extract
> Request from HttpServletRequest.  Results:
> > 2011-03-17 12:54:05,125 DEBUG
> [org.jasig.cas.authentication.principal.SamlService] - Attempted to extract
> Request from HttpServletRequest.  Results:
> > 2011-03-17 12:54:05,125 DEBUG [org.jasig.cas.authentication.principal.SamlService] - Request Body: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" MinorVersion="1" RequestID="_192.168.16.51.1024506224022" IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>ST-1-7sFZLYHxwnNne1wzshAj-cas</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>
> > 2011-03-17 12:54:05,125 DEBUG [org.jasig.cas.authentication.principal.SamlService] - Request Body: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" MinorVersion="1" RequestID="_192.168.16.51.1024506224022" IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>ST-1-7sFZLYHxwnNne1wzshAj-cas</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>
> > 2011-03-17 12:54:05,125 DEBUG
> [org.jasig.cas.authentication.principal.SamlService] - Extracted ArtifactId:
> ST-1-7sFZLYHxwnNne1wzshAj-cas
> > 2011-03-17 12:54:05,125 DEBUG
> [org.jasig.cas.authentication.principal.SamlService] - Extracted ArtifactId:
> ST-1-7sFZLYHxwnNne1wzshAj-cas
> > 2011-03-17 12:54:05,125 DEBUG
> [org.jasig.cas.authentication.principal.SamlService] - Extracted Request Id:
> _192.168.16.51.1024506224022
> > 2011-03-17 12:54:05,125 DEBUG
> [org.jasig.cas.authentication.principal.SamlService] - Extracted Request Id:
> _192.168.16.51.1024506224022
> > 2011-03-17 12:54:05,129 INFO
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit
> trail record BEGIN
> > =============================================================
> > WHO: audit:unknown
> > WHAT: ST-1-7sFZLYHxwnNne1wzshAj-cas
> > ACTION: SERVICE_TICKET_VALIDATED
> > APPLICATION: CAS
> > WHEN: Thu Mar 17 12:54:05 EDT 2011
> > CLIENT IP ADDRESS: xxx.xx.xx.xx
> > SERVER IP ADDRESS: xx.xx.xx.xx
> > =============================================================
> >
> > Regards.
> >
> > --
> > You are currently subscribed to [email protected] as:
> [email protected]
> > To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
> >
>

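Two things in this thread are worth checking mechanically before a CAS restart: Marvin's point that allowedAttributes has to name attributes as the principal carries them (the values of resultAttributeMapping, i.e. username, Name, isMemberOf, not the LDAP names uid, cn), and the open question above about whether a comma-separated value is split into a list. The following is an added example, not CAS code and not anything posted in the thread: a small Python lint over a Spring beans file. The XML inside it is constructed from the thread's configuration and trimmed to the relevant beans. Two things are assumptions, not facts taken from the thread: that CAS 3.4 releases an attribute only on an exact string match between allowedAttributes and the principal's attribute map, and that a service with no allowedAttributes releases nothing; verify both against your CAS version.

```python
"""Lint a CAS 3.x Spring beans file for allowedAttributes mismatches.

Added example, not CAS code. Assumptions (verify against your CAS version):
a service's allowedAttributes is matched by exact string against the
principal's attribute map, whose keys are the *values* of the attribute
repository's resultAttributeMapping; an absent allowedAttributes releases
nothing.
"""
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}
LDAP_DAO = "org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao"
REGISTERED_SERVICE = "org.jasig.cas.services.RegisteredServiceImpl"

# Constructed sample, trimmed from the configuration in the thread: service 0
# carries the reported misconfiguration, service 1 the corrected <list> form.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="resultAttributeMapping">
      <map>
        <entry key="cn" value="Name"/>
        <entry key="uid" value="username"/>
        <entry key="isMemberOf" value="isMemberOf"/>
      </map>
    </property>
  </bean>
  <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
      <list>
        <bean class="org.jasig.cas.services.RegisteredServiceImpl">
          <property name="id" value="0"/>
          <property name="name" value="HTTP"/>
          <property name="serviceId" value="http://**"/>
          <property name="allowedAttributes" value="uid,cn,isMemberOf"/>
        </bean>
        <bean class="org.jasig.cas.services.RegisteredServiceImpl">
          <property name="id" value="1"/>
          <property name="name" value="HTTPS"/>
          <property name="serviceId" value="https://**"/>
          <property name="allowedAttributes">
            <list><value>username</value><value>Name</value><value>isMemberOf</value></list>
          </property>
        </bean>
      </list>
    </property>
  </bean>
</beans>
"""


def principal_attribute_names(root):
    """Names the principal carries after the LDAP lookup: resultAttributeMapping values."""
    names = set()
    for dao in root.iterfind(".//b:bean[@class='%s']" % LDAP_DAO, NS):
        for prop in dao.iterfind("b:property[@name='resultAttributeMapping']", NS):
            for entry in prop.iterfind(".//b:entry", NS):
                names.add(entry.get("value"))
    return names


def allowed_attributes(service):
    """Return (names, given_as_list) for one RegisteredServiceImpl bean.

    given_as_list is False for value="a,b,c". Whether Spring turns that string
    into a List<String> is the open question in the thread, so the lint flags
    the form instead of assuming either behaviour.
    """
    prop = service.find("b:property[@name='allowedAttributes']", NS)
    if prop is None:
        return [], True  # nothing listed: nothing released (assumed, see docstring)
    raw = prop.get("value")
    if raw is not None:
        return [n.strip() for n in raw.split(",") if n.strip()], False
    return [v.text.strip() for v in prop.iterfind(".//b:value", NS) if v.text], True


def lint(xml_text):
    """Return findings as strings; an empty list means every service is consistent."""
    root = ET.fromstring(xml_text)
    principal = principal_attribute_names(root)
    findings = []
    for svc in root.iterfind(".//b:bean[@class='%s']" % REGISTERED_SERVICE, NS):
        props = {p.get("name"): p.get("value") for p in svc.iterfind("b:property", NS)}
        label = "service %s (%s)" % (props.get("id"), props.get("name"))
        names, given_as_list = allowed_attributes(svc)
        if names and not given_as_list:
            findings.append("%s: allowedAttributes is a comma string; write it as "
                            "<list><value>...</value></list>" % label)
        for n in names:
            if n not in principal:
                findings.append("%s: '%s' is not a principal attribute; principal has %s"
                                % (label, n, sorted(principal)))
    return findings


def fixed_allowed_attributes(names):
    """Render the <list> form for the given principal attribute names."""
    values = "".join("<value>%s</value>" % n for n in names)
    return '<property name="allowedAttributes"><list>%s</list></property>' % values


if __name__ == "__main__":
    for finding in lint(SAMPLE_XML):
        print(finding)
    print(fixed_allowed_attributes(["username", "Name", "isMemberOf"]))
```

Run against the sample, the lint reports service 0 three times (comma form, uid, cn) and service 1 not at all. Note why the symptom in the thread is "no attributes" rather than the wrong attributes: allowedAttributes is a per-service allow-list, so a name that matches nothing on the principal fails closed. That is the right default for attribute release, and it is also why a silent misconfiguration here looks exactly like a working but empty release.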