Hi David,

If you use LDAP authentication, I think that declaring the bean id="attributeRepository" with the class org.jasig.services.persondir.support.StubPersonAttributeDao is not the solution.

Try with the class org.jasig.cas.persondir.LdapPersonAttributeDao, as below:

    <bean id="attributeRepository"
          class="org.jasig.cas.persondir.LdapPersonAttributeDao"
          p:baseDN="ou=people,dc=yourcompany,dc=fr"
          p:searchFilter="uid={0}"
          p:searchControls-ref="searchControls"
          p:connectionFactory-ref="searchPooledLdapConnectionFactory"
          p:resultAttributeMapping-ref="resultAttributeMap"
          />

    <util:map id="resultAttributeMap">
      <entry key="uid" value="user" />
      <entry key="mail" value="email" />
      <entry key="cn" value="displayName" />
      <entry key="eduPersonPrincipalName" value="eduPersonPrincipalName" />
    </util:map>

    <bean id="searchControls"
          class="javax.naming.directory.SearchControls"
          p:searchScope="2"
          />



On 2014-09-02 20:51, David A. Kovacic wrote:
Adding a logger for the PolicyBasedAuthenticationManager does show
the principals being populated.  Thanks for the information :-)

 I tried dropping back to just a stub attributeRepository bean:

     <bean id="attributeRepository"
           class="org.jasig.services.persondir.support.StubPersonAttributeDao"
           p:backingMap-ref="attrRepoBackingMap" />

     <util:map id="attrRepoBackingMap">
         <entry key="uid" value="user" />
         <entry key="mail" value="email" />
         <entry key="cn" value="displayName" />
         <entry key="eduPersonPrincipalName" value="eduPersonPrincipalName" />
     </util:map>

 and what I see in the logs is that, rather than containing values
mapped to the names, the mapping variables are mapping and returning
the attribute names instead:

 2014-09-02 14:16:08,601 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found
principal attribute: [uid[rat9]]>
 2014-09-02 14:16:08,601 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found
principal attribute: [mail[regina.t...@case.edu]]>
 2014-09-02 14:16:08,602 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found
principal attribute: [cn[Register Test]]>
 2014-09-02 14:16:08,602 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found
principal attribute: [eduPersonPrincipalName[r...@demo.case.edu]]>
 2014-09-02 14:16:08,603 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<LdapAuthenticationHandler successfully authenticated rat9+password>
 2014-09-02 14:16:08,603 DEBUG
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver]
- <Attempting to resolve a principal...>
 2014-09-02 14:16:08,603 DEBUG
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver]
- <Creating SimplePrincipal for [rat9]>
 2014-09-02 14:16:08,604 DEBUG
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@b88dbe
resolved rat9 from rat9+password>
 2014-09-02 14:16:08,605 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<Authenticated rat9 with credentials [rat9+password].>
 2014-09-02 14:16:08,605 DEBUG
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<Attribute map for rat9: {DISPLAYNAME=CN,
EDUPERSONPRINCIPALNAME=EDUPERSONPRINCIPALNAME, USER=UID, EMAIL=MAIL}>

 Unless there is some way to force the actual values into the stub
mapping, it looks like you MUST do the additional search.  It's not
as bad as it could be since I am reusing the authentication search
connection pool to grab the information, so instead of opening a
connection and doing a search, I am just doing the search.

 Dave

On 8/29/14 4:32 PM, Marvin Addison wrote:

In short, is there some way to dump the
principal after authentication, or some other way to tell if the
attributes have been properly stored.

PolicyBasedAuthenticationManager logs the resolved principal at
DEBUG:

logger.info("Authenticated {} with credentials {}.", principal, Arrays.asList(credentials));
logger.debug("Attribute map for {}: {}", principal.getId(), principal.getAttributes());

Turning up org.jasig.cas.authentication to DEBUG would print out the
information you need to definitively show whether the attributes you
expect are in the principal.

This is the definition of the "primaryPrincipalResolver" that seems to
finally be working:

<!--
| Resolves a principal from a credential using an attribute
| repository that is configured to resolve
| against a deployer-specific store (e.g. LDAP).
-->
<bean id="primaryPrincipalResolver"
      class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver">
    <property name="attributeRepository" ref="attributeRepository" />
</bean>

While I imagine that it does work, it's not efficient since you're
effectively doing attribute resolution twice. The handler can resolve
attributes on the same connection as that used for authentication;
with PersonDirectoryPrincipalResolver, you're opening a new connection
to do it again. The wrinkle is that you MUST define an
attributeRepository bean for use by other system components, but you
should probably use a StubPersonAttributeDao [1] bean that simply has
the attribute mapping.

M

[1] http://developer.jasig.org/projects/person-directory/1.1.1/apidocs/org/jasig/services/persondir/support/StubPersonAttributeDao.html
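An added example (not taken from any message in this thread) of the wiring Marvin describes: the LdapAuthenticationHandler maps LDAP attributes on the connection already used for authentication, it is registered in PolicyBasedAuthenticationManager with no second resolver, and attributeRepository stays a StubPersonAttributeDao that only lists attribute names for the other components. The bean ids ldapAuthHandler and authenticator, and the presence of the Spring p: and c: namespaces, are assumptions.

```xml
<!-- Added example, not from the thread. Assumed bean ids: ldapAuthHandler, authenticator. -->
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
  <constructor-arg>
    <map>
      <!-- A null resolver keeps the principal the handler built instead of
           running PersonDirectoryPrincipalResolver (and a second LDAP search). -->
      <entry key-ref="ldapAuthHandler" value="#{null}" />
    </map>
  </constructor-arg>
</bean>

<bean id="ldapAuthHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid"
      c:authenticator-ref="authenticator">
  <!-- LDAP attribute name -> CAS attribute name, read from the entry
       returned by the authentication search itself. -->
  <property name="principalAttributeMap">
    <map>
      <entry key="mail" value="email" />
      <entry key="cn" value="displayName" />
      <entry key="eduPersonPrincipalName" value="eduPersonPrincipalName" />
    </map>
  </property>
</bean>

<!-- Still required by other CAS components. A stub's backingMap holds literal
     values for every user, which is why a map of names shows up as
     {USER=UID, EMAIL=MAIL, ...} when it is used to resolve a principal. -->
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.StubPersonAttributeDao"
      p:backingMap-ref="attrRepoBackingMap" />

<util:map id="attrRepoBackingMap">
  <entry key="email" value="email" />
  <entry key="displayName" value="displayName" />
  <entry key="eduPersonPrincipalName" value="eduPersonPrincipalName" />
</util:map>
```

With org.jasig.cas.authentication at DEBUG, the "Attribute map for ..." line should then carry the LDAP values rather than the attribute names.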

--
You are currently subscribed to cas-user@lists.jasig.org as:
daniel.char...@unice.fr
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user


