SOLVED sorta

So the original problem was caused by me using Active Directory's Global 
Catalog to get around the PartialResultException that AD is known to throw.  
For those of you not deep into the intricacies of AD: if you connect to LDAP 
using port 3268 instead of 389 you get the Global Catalog.  The Global Catalog is nice 
since it has information from all of the AD domains, including sub-domains.  The 
thing is, not all attributes are synced to the Global Catalog.  There is a way 
of telling AD which attributes to sync; the link below has information on that. 
  So I had AD sync my extended attributes to the Global Catalog and all is happy.


http://technet.microsoft.com/en-us/library/cc758130%28WS.10%29.aspx



Begin forwarded message:

> From: Jeffrey Simpson <[email protected]>
> Date: September 7, 2011 3:28:18 PM EDT
> To: "[email protected]" <[email protected]>
> Subject: LDAP Attributes and Extended Schema
>
> Using LDAP I have been able to log in, query attributes and send the 
> attributes back to the client if the attributes are the standard LDAP 
> attributes.  We are using MS Active Directory as our LDAP server and we have 
> extended the Person Object Schema.  I have not been able to query the 
> added attributes.  So no problem with cn and userPrincipalName, but no go with 
> our added attribute SecurityQuestion.   I have checked the log and the 
> problem is not in sending them out; the SecurityQuestion is not put in the 
> User's Attribute map.
> I have written a Java class and can get these attributes no problem.  Any 
> ideas?  Below is my deployerConfigContext.xml
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- NOTE(review): the stray ";" after several quoted URL values in this file
>      (the xmlns declarations, schemaLocation, the context-source url and the
>      serviceId) is not valid attribute syntax and looks like a mail-client
>      artifact; confirm the deployed file does not contain it. -->
> <beans xmlns="http://www.springframework.org/schema/beans";
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>       xmlns:tx="http://www.springframework.org/schema/tx";
>       xmlns:p="http://www.springframework.org/schema/p";
>       xmlns:sec="http://www.springframework.org/schema/security";
>       xsi:schemaLocation="http://www.springframework.org/schema/beans 
> http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
>       http://www.springframework.org/schema/security 
> http://www.springframework.org/schema/security/spring-security-3.0.xsd";>
>       <!-- Authentication manager: each map entry pairs an authentication
>            handler (key) with the resolver (value) that turns the credentials
>            it accepted into a principal. -->
>       <bean id="authenticationManager"
>               
> class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">
>                       <constructor-arg index="0">
>                       <map>
>                       <entry key-ref="Staff-LdapAuthHandler" 
> value-ref="Staff-LdapCredentialtoPrincipalResolver" />
>                       <entry key-ref="HTTPAuthHandler" 
> value-ref="HTTPCredentialtoPrincipalResolver" />
>                       </map>
>                       </constructor-arg>
>       </bean>
>
>       <!-- Handler/resolver pair for proxy-callback style HTTP credentials;
>            uses the "httpClient" bean defined elsewhere. -->
>       <bean id="HTTPCredentialtoPrincipalResolver"
>               
> class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"
>  />
>
>       <bean  id="HTTPAuthHandler" 
> class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>               p:httpClient-ref="httpClient" />
>       <!-- Staff login by LDAP bind. "filter" is the bind-name template (the
>            domain part is redacted in this post). Spring's boolean editor reads
>            "yes" as true, so ignorePartialResultException suppresses the
>            referral exception AD raises when a non-GC port is searched; it does
>            not make un-replicated attributes appear (see the url note below). -->
>       <bean id="Staff-LdapAuthHandler"
>               
> class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler" >
>                                       <property name="filter" 
> value="%[email protected]" />
>                                       <property name="contextSource" 
> ref="contextSource" />
>                                       <property 
> name="ignorePartialResultException" value="yes" />
>       </bean>
>       <!-- Shared LDAP connection used by the bind handler, the principal
>            resolver and the attribute repository. -->
>       <bean id="contextSource"
>       class="org.springframework.ldap.core.support.LdapContextSource">
>               <property name="pooled" value="false"/>
>               <!-- Port 3268 is the Global Catalog: only attributes marked for
>                    GC replication are returned, so a custom attribute such as
>                    securityQuestion must be added to the partial attribute set.
>                    The scheme is plain ldap:// and the authentication below is
>                    "simple", so the bind DN and password cross the network in
>                    cleartext unless the link is protected some other way;
>                    prefer ldaps:// (GC over TLS is conventionally port 3269). -->
>               <property name="url" 
> value="ldap://dc1.yfuusa.local:3268/DC=YFUUSA,DC=Local"; />
>             <!--    
> <value>ldap://dc2.yfuusa.local:389/DC=YFUUSA,DC=Local</value>  -->
>                 <!-- Place JNDI environment properties here. -->
>                 <property name="baseEnvironmentProperties">
>                   <map>
>                     <!-- Three seconds is an eternity to users. -->
>                     <entry key="com.sun.jndi.ldap.connect.timeout" 
> value="3000" />
>                     <entry key="com.sun.jndi.ldap.read.timeout" value="3000" 
> />
>
>                     <!-- Explained at 
> http://download.oracle.com/javase/1.3/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION
>  -->
>                     <entry key="java.naming.security.authentication" 
> value="simple" />
>                   </map>
>                 </property>
>               <!-- Service-account bind credentials stored in cleartext in this
>                    file (values redacted in the post). Treat the file as a
>                    secret: restrict its permissions, keep it out of version
>                    control or externalize the password, and give the account
>                    read-only rights scoped to the attributes resolved below. -->
>               <property name="userDn" 
> value="CN=HIDEME,CN=Users,DC=YFUUSA,DC=Local" />
>               <property name="password" value="SECRET" />
>
>       </bean>
>
>    <!-- Resolves the authenticated username to a principal by LDAP search.
>         "scope" 2 is presumably SearchControls.SUBTREE_SCOPE and the empty
>         searchBase means the search starts at the DN in the context-source
>         url; confirm both. filter and principalAttributeName both use
>         sAMAccountName, matching the queryAttributeMapping of
>         attributeRepository. -->
>    <bean id="Staff-LdapCredentialtoPrincipalResolver"
>      
> class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>      <property name="credentialsToPrincipalResolver">
>      <bean
>        
> class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"
>  />
>
>      </property>
>      <property name="filter" value="(sAMAccountName=%u)" />
>
>      <property name="principalAttributeName" value="sAMAccountName" />
>      <property name="scope" value="2" />
>
>      <property name="searchBase" value="" />
>      <property name="contextSource" ref="contextSource" />
>
>      <property name="attributeRepository">
>      <ref bean="attributeRepository" />
>      </property>
>
>    </bean>
>
>
>    <!-- In-memory account with ROLE_ADMIN and a hard-coded password; the
>         value "notused" suggests a placeholder. Confirm it is needed (it is
>         presumably what the services-management pages authenticate against)
>         and is not deployed as-is. -->
>    <sec:user-service id="userDetailsService">
>        <sec:user name="hideme" password="notused" authorities="ROLE_ADMIN" />
>    </sec:user-service>
>
>  <!-- Attribute source for the principal. In resultAttributeMapping the key is
>       the LDAP attribute and the value is the name exposed to CAS (cn is
>       exposed as "Name", memberOf as "group"); the allowedAttributes list of
>       the registered service below refers to these exposed names.
>       requireAllQueryAttributes="false" lets the search run even when a query
>       attribute is absent. -->
>  <bean id="attributeRepository"
>  class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>  <property name="contextSource" ref="contextSource" />
>  <property name="baseDN" value="" />
>  <property name="requireAllQueryAttributes" value="false" />
>
>  <property name="queryAttributeMapping">
>    <map>
>      <entry key="username" value="sAMAccountName" />
>    </map>
>  </property>
>
>  <property name="resultAttributeMapping">
>    <map>
>    <entry key="cn" value="Name"/>
>     <entry key="userPrincipalName" value="userPrincipalName"  />
>     <entry key="memberOf" value="group"  />
>     <entry key="distinguishedName" value="distinguishedName"  />
>     <entry key="securityQuestion" value="securityQuestion"  />
>    </map>
>  </property>
> </bean>
>       <!-- Single registered service. The description says "Only Allows HTTPS
>            Urls" but serviceId starts with http://, so a service ticket sent to
>            this callback travels unencrypted; chekov:10000 looks like a dev
>            host, but the description and the scheme should agree.
>            anonymousAccess="true" presumably hands the service an opaque
>            identifier rather than the real username; confirm that is intended
>            alongside releasing the attributes listed here. -->
>       <bean
>               id="serviceRegistryDao"
>        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
>            <property name="registeredServices">
>                <list>
>                    <bean class="org.jasig.cas.services.RegisteredServiceImpl">
>                        <property name="id" value="0" />
>                        <property name="name" value="LocalMy.YFU" />
>                        <property name="description" value="Only Allows HTTPS 
> Urls" />
>                        <property name="serviceId" 
> value="http://chekov:10000/cgi-bin/WebObjects/WOYFUJava.woa/wa/TemporaryDirectAction/casLogin";
>  />
>                        <property name="allowedAttributes">
>                              <list>
>                                                       <value>group</value>
>                                                       <value>Name</value>
>                                                       
> <value>userPrincipalName</value>
>                                                       
> <value>distinguishedName</value>
>                                                       <!-- NOTE(review): pfoId has no
>                                                            entry in resultAttributeMapping
>                                                            above, so it is never populated
>                                                            unless mapped elsewhere. -->
>                                                       <value>pfoId</value>
>                                                       
> <value>securityQuestion</value>
>                                                 </list>
>                                               </property>
>                                               <property 
> name="anonymousAccess" value="true"/>
>                    </bean>
>                </list>
>            </property>
>        </bean>
>
>    <!-- Audit trail written to the SLF4J log. -->
>    <bean id="auditTrailManager" 
> class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
> </beans>
>
>




Jeffrey Simpson
Senior Software Engineer
Telephone: 240.235.2144
Fax: 240.235.2174
[email protected]

Youth For Understanding (YFU) prepares young people for their responsibilities 
and opportunities in a changing, interdependent world.

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
