Thanks Marvin for the response. <bean id="attributeRepository"
class="org.jasig.cas.persondir.LdapPersonAttributeDao" p:connectionFactory-ref="searchPooledLdapConnectionFactory" p:baseDN="${ldap.resolver.baseDn}" p:searchControls-ref="searchControls" p:searchFilter="uid={0}"> Believe I see the problem. The security context of this search is either anonymous or using a service credential; in either case it's not the security context of the authenticating user needed for the overlay. In other words it's not visible to you. I think I am not seeing this though. If I use the manager account that is used to search the directory or the credentials of the use who is logging in with ldapsearch, as long as I explicitly request the memberOf attribute it gets returned. You should be able to use the additionalAttributes property of LdapAuthenticationHandler to fetch attributes and add them to the principal at authentication time. In that case you're bound as the user, which should satisfy the overlay. Then you'll need to use a static PersonAttributeDao to simply define stub properties for the attributeRepository. The real values come from the principal. That's advanced configuration that is not documented anywhere, but most of the difficulty is with PersonDirectory components, not CAS ones per se. I have a StaticPersonAttributesDao component I can share with you if you get stuck, but it's pretty easy to implement PersonAttributesDao. Okay. I think I am beginning to understand. Are you saying that I should put all my attributes that I want returned here: <bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler" p:principalIdAttribute="uid" c:authenticator-ref="authenticator"> <property name="principalAttributeMap"> <map> <!-- | This map provides a simple attribute resolution mechanism. | Keys are LDAP attribute names, values are CAS attribute names. | Use this facility instead of a PrincipalResolver if LDAP is | the only attribute source. --> <entry key="ssoGUID" value="ssoGUID" /> <entry key="givenName" value="givenname" /> <entry key="sn" value="surname" /> <entry key="memberOf" value="memberOf" /> <entry key="uid" value="user" /> </map> </property> </bean> and also define a stub like this to use in place of <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao" p:backingMap-ref="attrRepoBackingMap" /> <util:map id="attrRepoBackingMap"> <entry key="uid" value="user" /> <entry key="ssoGUID" value="ssoGUID" /> <entry key="givenName" value="givenname" /> <entry key="sn" value="surname" /> <entry key="memberOf" value="memberOf" /> </util:map> </bean> When I did this I end up getting back just the values I specify in the stub, not the values of LDAP. It seems like I must be getting close but I my understanding is lacking. I appreciate you continuing to point me in the right direction. Thanks! Doug -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user