Hello,
I configured CAS 4 with my Active Directory servers and authentication works 
great. However, I am not able to transmit attributes from AD to cas clients 
(phpCAS 1.3.3). Basically, I would like to get group membership. I read many 
threads but I'm getting confused between CAS3 and CAS4 configuration and I'm 
pretty new to CAS4.

You can find my deployerConfigContext.xml and cas.properties attached for the 
server configuration. You can also find my very basic test file for phpCAS.

Do you have complete sample configuration files with AD and attributes release? 
(even if it's not group membership, I can still customize)

Thanks for your help,
Michael

Michaël Todorovic
IT Security Engineer, Systems Team
S&P Capital IQ / Real-Time Solutions





Attachment: cas.properties
Description: cas.properties (note: the listing that follows is the Spring bean file deployerConfigContext.xml, not the properties file; the archive label is misleading)

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Licensed to Jasig under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
    Jasig licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:

      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
-->
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.  
| The beans declared in this file are instantiated at context initialization time by the Spring 
| ContextLoaderListener declared in web.xml.  It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default authentication handler with
| one implementing your approach for authenticating usernames and passwords.
+
-->
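<beans
    xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:c="http://www.springframework.org/schema/c"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                        http://www.springframework.org/schema/tx
                        http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.2.xsd
                        http://www.springframework.org/schema/util
                        http://www.springframework.org/schema/util/spring-util.xsd
                        http://www.springframework.org/schema/context
                        http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <context:component-scan base-package="org.jasig.cas" />

    <!--
      Authentication manager: one LDAP handler (binds to AD as the user) whose
      successful credential is turned into a Principal by principalResolver.
      AnyAuthenticationPolicy accepts the login if any handler succeeds; with a
      single handler that simply means "the LDAP bind must succeed".
    -->
    <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
        <constructor-arg>
            <map>
                <entry key-ref="ldapAuthenticationHandler" value-ref="principalResolver"/>
            </map>
        </constructor-arg>
        <property name="authenticationPolicy">
            <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy"/>
        </property>
    </bean>

    <!--
      Builds the Principal that CAS releases to services. Attributes come from
      attributeRepository (an LDAP search keyed on the username the user typed);
      the principal id is the value of the sAMAccountName attribute from that
      search. If that search returns nothing, the principal has no attributes,
      which is the symptom described in the email.
      NOTE(review): when a handler is mapped to a resolver, the resolver's principal
      is the one placed in the Authentication, so the attributes collected by
      ldapAuthenticationHandler's principalAttributeMap may not survive. If those
      are the ones you want, map the handler to a null resolver instead
      (<entry key-ref="ldapAuthenticationHandler"><null/></entry>). Confirm this
      against the CAS 4.0.x release in use.
    -->
    <bean id="principalResolver"
          class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
          p:principalAttributeName="sAMAccountName"
          p:attributeRepository-ref="attributeRepository" />

<!--	<bean id="ldapMapper"
          class="org.jasig.cas.adaptors.ldap.services.DefaultLdapServiceMapper"/>-->

    <!-- In-memory registry filled from registeredServicesList below. Fine for a
         test deployment; entries are lost on restart and cannot be managed at
         runtime. -->
    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
          p:registeredServices-ref="registeredServicesList"/>

    <!-- NOTE(review): no bean in this file references searchRequest; it is kept
         only because nothing else depends on its absence either. -->
    <bean id="searchRequest"
          class="org.ldaptive.SearchRequest"
          p:baseDn="${ldap.baseDn}"
          p:searchFilter="sAMAccountName={0}" />

    <!--
      Attribute repository queried by principalResolver.
      Changes relative to the posted configuration:
        * connectionFactory now points at searchPooledLdapConnectionFactory, whose
          connections are initialised with a bind as ldap.managerDn (see
          searchConnectionConfig). The bind pool used before has no connection
          initializer, so the attribute search ran without any bind; Active
          Directory rejects anonymous searches by default, which leaves the
          principal without attributes.
        * searchScope is 2 (SUBTREE). The previous value 0 is OBJECT scope, which
          only examines the baseDn entry itself and can never match a user stored
          below it; dnResolver already searches the subtree. If all users sit
          directly under baseDn, 1 (ONELEVEL) is the narrower choice.
        * returningAttributes names exactly the mapped attributes, so the directory
          is not asked for more than CAS will use.
      Placeholder caveat: this DAO substitutes the username for "{0}", while
      dnResolver's ${ldap.authn.searchFilter} typically uses the ldaptive "{user}"
      form, so the two filters cannot simply share one property.
    -->
    <bean id="attributeRepository"
          class="org.jasig.cas.persondir.LdapPersonAttributeDao"
          p:connectionFactory-ref="searchPooledLdapConnectionFactory"
          p:baseDN="${ldap.baseDn}"
          p:searchFilter="sAMAccountName={0}">
        <property name="searchControls">
            <!-- countLimit 1: sAMAccountName is unique within a domain, so a second
                 hit would be an error, not extra data. timeLimit is in milliseconds. -->
            <bean class="javax.naming.directory.SearchControls"
                  p:timeLimit="1000"
                  p:countLimit="1"
                  p:searchScope="2"
                  p:returningAttributes="member,mail,displayName,memberOf,sAMAccountName" />
        </property>
        <property name="resultAttributeMapping">
            <!-- key = LDAP attribute name, value = name under which CAS releases it.
                 memberOf carries the DNs of the user's groups (the membership asked
                 for in the email). "member" is populated on group objects rather
                 than user entries, so it is normally empty here. -->
            <map>
                <entry key="member" value="member" />
                <entry key="mail" value="mail" />
                <entry key="displayName" value="displayName" />
                <entry key="memberOf" value="memberOf" />
                <entry key="sAMAccountName" value="sAMAccountName" />
            </map>
        </property>
    </bean>

    <!--
      Service registry. In CAS 4.0.x a registered service releases no attributes
      unless they are listed in allowedAttributes (the default is an empty list);
      this is the most likely reason phpCAS receives none. The list below releases
      the attributes mapped in attributeRepository.
      NOTE(review): the serviceId pattern still matches every http, https, imap and
      imaps URL. Any site that can send a user to this CAS server can then obtain a
      ticket and these attributes for that user, and plain http carries the ticket
      in clear text. Before production, restrict the pattern to the real client
      hostnames (for example ^https://app\.example\.com/.*) and drop the http and
      imap alternatives unless they are actually needed.
      phpCAS must also call a validation endpoint that returns <cas:attributes>
      (serviceValidate with attributes in this CAS version, or SAML 1.1
      validation); confirm in the phpCAS client configuration.
    -->
    <util:list id="registeredServicesList">
        <bean class="org.jasig.cas.services.RegexRegisteredService"
              p:id="0"
              p:name="HTTP and IMAP"
              p:description="Allows HTTP(S) and IMAP(S) protocols"
              p:serviceId="^(https?|imaps?)://.*"
              p:evaluationOrder="10000001">
            <property name="allowedAttributes">
                <list>
                    <value>sAMAccountName</value>
                    <value>displayName</value>
                    <value>mail</value>
                    <value>memberOf</value>
                </list>
            </property>
        </bean>
    </util:list>

    <!-- Audit trail goes to the SLF4J log; make sure that log is retained and
         protected like any other authentication log. -->
    <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager"/>

    <!-- Health endpoint: aggregates the monitors listed below. -->
    <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList"/>

    <util:list id="monitorsList">
        <!-- Warn when free heap drops below 10 percent. -->
        <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10"/>
        <!-- Warn on unusual ticket counts in the registry (possible abuse or leak). -->
        <bean class="org.jasig.cas.monitor.SessionMonitor" p:ticketRegistry-ref="ticketRegistry"
              p:serviceTicketCountWarnThreshold="5000" p:sessionCountWarnThreshold="100000"/>
    </util:list>

<!-- START DEV LDAP Config -->

    <!--
      Authenticates by binding to AD as the user (see authenticator/authHandler) and
      reads the attributes listed in principalAttributeMap from the authenticated
      entry. principalIdAttribute is the entry attribute that becomes the
      principal id when this handler's principal is used (see the note on
      principalResolver).
    -->
    <bean id="ldapAuthenticationHandler"
          class="org.jasig.cas.authentication.LdapAuthenticationHandler"
          p:principalIdAttribute="sAMAccountName"
          p:passwordPolicyConfiguration-ref="passwordPolicy"
          c:authenticator-ref="authenticator">
        <property name="principalAttributeMap">
            <map>
                <entry key="member" value="member" />
                <entry key="sAMAccountName" value="sAMAccountName" />
                <entry key="displayName" value="displayName" />
                <entry key="memberOf" value="memberOf" />
            </map>
        </property>
    </bean>

    <!-- Password expiry warning behaviour; all values come from cas.properties. -->
    <bean id="passwordPolicy" class="org.jasig.cas.authentication.support.LdapPasswordPolicyConfiguration"
          p:alwaysDisplayPasswordExpirationWarning="${password.policy.warnAll}"
          p:passwordWarningNumberOfDays="${password.policy.warningDays}"
          p:passwordPolicyUrl="${password.policy.url}"
          p:accountStateHandler-ref="accountStateHandler" />

    <!-- Maps account-state errors from the directory to CAS login messages. This
         component is suitable for most cases but can be replaced for special cases. -->
    <bean id="accountStateHandler" class="org.jasig.cas.authentication.support.DefaultAccountStateHandler" />

    <!--
      ldaptive Authenticator: dnResolver finds the user's DN over the manager
      connection, then authHandler binds as that DN with the submitted password.
      NOTE(review): PasswordPolicyAuthenticationResponseHandler (and the
      PasswordPolicyControl on authHandler) implement the draft-behera LDAP
      password policy, which Active Directory does not speak; AD reports expired,
      locked and disabled accounts through bind error data instead. ldaptive ships
      an ActiveDirectoryAuthenticationResponseHandler for that case; verify it is
      present in the ldaptive version on the classpath before swapping it in.
    -->
    <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
          c:resolver-ref="dnResolver"
          c:handler-ref="authHandler">
        <property name="authenticationResponseHandlers">
            <util:list>
                <bean class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler" />
            </util:list>
        </property>
    </bean>

    <!-- allowMultipleDns=false: a filter that matches two entries is treated as a
         failure rather than silently picking one. The filter comes from
         cas.properties and must contain the ldaptive user placeholder. -->
    <bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
          p:baseDn="${ldap.baseDn}"
          p:allowMultipleDns="false"
          p:subtreeSearch="true"
          p:connectionFactory-ref="searchPooledLdapConnectionFactory"
          p:userFilter="${ldap.authn.searchFilter}" />

    <!-- Search pool: connections are bound as the manager account (see
         bindConnectionInitializer) and are used for DN and attribute lookups. -->
    <bean id="searchPooledLdapConnectionFactory"
          class="org.ldaptive.pool.PooledConnectionFactory"
          p:connectionPool-ref="searchConnectionPool" />

    <bean id="searchConnectionPool" parent="abstractConnectionPool"
          p:connectionFactory-ref="searchConnectionFactory" />

    <bean id="searchConnectionFactory"
          class="org.ldaptive.DefaultConnectionFactory"
          p:connectionConfig-ref="searchConnectionConfig" />

    <bean id="searchConnectionConfig" parent="abstractConnectionConfig"
          p:connectionInitializer-ref="bindConnectionInitializer" />

    <!--
      Manager account used only for searches. Use a read-only, least-privilege
      account. Its DN and password live in cas.properties: keep that file readable
      only by the CAS service user and out of mailing lists and repositories.
    -->
    <bean id="bindConnectionInitializer"
          class="org.ldaptive.BindConnectionInitializer"
          p:bindDn="${ldap.managerDn}">
        <property name="bindCredential">
            <bean class="org.ldaptive.Credential"
                  c:password="${ldap.managerPassword}" />
        </property>
    </bean>

    <!-- Shared pool settings for both pools (sizes, validation and pruning come
         from cas.properties). -->
    <bean id="abstractConnectionPool" abstract="true"
          class="org.ldaptive.pool.BlockingConnectionPool"
          init-method="initialize"
          p:poolConfig-ref="ldapPoolConfig"
          p:blockWaitTime="${ldap.pool.blockWaitTime}"
          p:validator-ref="searchValidator"
          p:pruneStrategy-ref="pruneStrategy" />

    <!--
      Shared connection settings. authHandler performs a simple bind, so the user's
      password crosses the network in clear text unless ldap.useSSL or
      ldap.useStartTLS is true in cas.properties (AD accepts LDAPS on 636 and
      StartTLS on 389); verify that one of them is enabled. The space-separated
      URL list is handed to the provider as a whole.
    -->
    <bean id="abstractConnectionConfig" abstract="true"
          class="org.ldaptive.ConnectionConfig"
          p:connectTimeout="${ldap.connectTimeout}"
          p:responseTimeout="${ldap.responseTimeout}"
          p:useStartTLS="${ldap.useStartTLS}"
          p:useSSL="${ldap.useSSL}"
          p:ldapUrl="${ldap.url.EMEA} ${ldap.url.NA} ${ldap.url.APAC}"
          p:sslConfig-ref="sslConfig" />

    <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
          p:minPoolSize="${ldap.pool.minSize}"
          p:maxPoolSize="${ldap.pool.maxSize}"
          p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
          p:validatePeriodically="${ldap.pool.validatePeriodically}"
          p:validatePeriod="${ldap.pool.validatePeriod}" />

    <!--
      NOTE(review): only a keyStore is configured here, which supplies a client
      certificate and private key. Validation of the domain controllers' server
      certificates falls back to the JVM default trust store; if the DCs use an
      internal CA, import it there or set the trustStore properties of
      KeyStoreCredentialConfig. Do not disable chain or hostname verification to
      work around a trust failure.
    -->
    <bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
        <property name="credentialConfig">
            <bean class="org.ldaptive.ssl.KeyStoreCredentialConfig"
                  p:keyStore="${ldap.ssl.keyStore}"
                  p:keyStoreType="JKS"
                  p:keyStorePassword="${ldap.ssl.keyStorePassword}" />
        </property>
    </bean>

    <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
          p:prunePeriod="${ldap.pool.prunePeriod}"
          p:idleTime="${ldap.pool.idleTime}" />

    <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />

    <!-- Binds as the resolved user DN with the submitted password. See the note on
         authenticator about PasswordPolicyControl and Active Directory. -->
    <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
          p:connectionFactory-ref="bindPooledLdapConnectionFactory">
        <property name="authenticationControls">
            <util:list>
                <bean class="org.ldaptive.control.PasswordPolicyControl" />
            </util:list>
        </property>
    </bean>

    <!-- Bind pool: used only by authHandler. -->
    <bean id="bindPooledLdapConnectionFactory"
          class="org.ldaptive.pool.PooledConnectionFactory"
          p:connectionPool-ref="bindConnectionPool" />

    <bean id="bindConnectionPool" parent="abstractConnectionPool"
          p:connectionFactory-ref="bindConnectionFactory" />

    <bean id="bindConnectionFactory"
          class="org.ldaptive.DefaultConnectionFactory"
          p:connectionConfig-ref="bindConnectionConfig" />

    <!-- No connection initializer on purpose: connections in this pool are bound
         with the user's own DN and password by authHandler, so it must not be
         used for searches that need the manager bind. -->
    <bean id="bindConnectionConfig" parent="abstractConnectionConfig" />

<!-- END DEV LDAP Config -->
</beans>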

<<attachment: testCAS.php>>
