I haven't used CAS in a little while (and also don't currently have access to a CAS installation to check), but my recollection is that memberOf may be a special case, and not like other multi-valued attributes. Whether you can use it as shown may depend on what LDAP server you're using, and how you have it configured.
So, some questions: David, did you get this working with memberOf, or some other multi-valued attribute? What LDAP server are you using? Carl, have you tried some other multi-valued attribute? What behavior do you get with that? And what LDAP server are you using?

As I recall, we were able to get this working, basically, but we had to use some overlay with our LDAP server (OpenLDAP). We also had to use a different attribute name (than memberOf) -- but maybe we could've avoided that by configuring it differently. There's a thread from this list from a little while ago that might have some relevant information -- the subject line was "CAS 4.0 w/ OpenLDAP won't return memberOf attribute", and it included comments from Doug Campbell, Marvin Addison, and myself.

I'm not sure what to make of the fact that in your logs you see the memberOf attribute and value in the response. That seems to suggest that mod_auth_cas is getting it, where my comments I think have more to do with getting the CAS server to handle memberOf correctly in the first place. So maybe these things aren't relevant to your situation.

Milt Epstein
Programmer in Computational Genomics
Institute for Genomic Biology (IGB)
University of Illinois at Urbana-Champaign (UIUC)
mepst...@illinois.edu

On Sat, 11 Jul 2015, David Hawes wrote:

> On Fri, Jul 10, 2015 at 11:36 PM, Carl Waldbieser <cwaldbie...@gmail.com>
> wrote:
> >
> > Has anyone been able to use the `mod_auth_cas` `require cas-attribute`
> > directive to work with the `memberOf` or other multi-valued attribute?
>
> I can verify that it works with multi-valued attributes. As noted in
> the README, both the attribute name and value are case-sensitive.
>
> > I have been able to get it to work using a single-valued attribute like:
> >
> > require cas-attribute givenName:Carl
> > OR
> > require cas-attribute email:waldb...@lafayette.edu
> >
> > but if I try something like:
> >
> > require cas-attribute memberOf:cn=admins,ou=groups,o=lafayette
> >
> > I get an authorization error. Cranking the logs up to DEBUG shows the
> > attribute is in the CAS response, but mod_auth_cas still decides the
> > response doesn't match.
>
> Check that your require directive attribute and value match what is in
> the response exactly.
>
> I think for most use cases this should be case-insensitive.
>
> > I did notice the XML response in the log seems truncated. I wasn't sure if
> > this is because there is a limit to how much mod_auth_cas will write for a
> > given log entry.
> >
> > The README from my tarball says I am using MOD_AUTH_CAS 1.0.10.
>
> I tested with this version, so it should work.
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as:
> mepst...@illinois.edu
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
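The matching question the thread turns on (a multi-valued `memberOf` in the CAS response, and whether the `require cas-attribute` comparison is case-sensitive) can be checked outside Apache. The following is an added illustration, not code from mod_auth_cas or from anyone in the thread: it parses a CAS 3.0 `serviceResponse`, collects every repeated `cas:memberOf` element into one list, and evaluates a `name:value` directive the way David describes (exact, case-sensitive match on both name and value, success if any value matches). The `case_sensitive=False` option is a hypothetical relaxation added here so the two behaviours discussed can be compared side by side. The sample response is constructed; the group DN and `givenName:Carl` come from the directives quoted above, the user name and second group are made up.

```python
"""Parse a CAS 3.0 serviceResponse and evaluate a `require cas-attribute`
style check against it. Illustration for the thread above; this is not
mod_auth_cas's own matching code."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace the CAS protocol uses for its validation responses.
CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed sample response (not a real capture). The group DN and the
# givenName value are the ones quoted in the thread; the rest is made up.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>carl</cas:user>
    <cas:attributes>
      <cas:givenName>Carl</cas:givenName>
      <cas:memberOf>cn=admins,ou=groups,o=lafayette</cas:memberOf>
      <cas:memberOf>cn=staff,ou=groups,o=lafayette</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
"""


def parse_cas_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Return {attribute name: [values...]} from a successful validation.

    A multi-valued attribute such as memberOf is sent as one element per
    value, so every occurrence is appended to the same list. An
    authenticationFailure, or a success with no attributes, yields {}.
    """
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        return {}
    attrs: Dict[str, List[str]] = {}
    container = success.find(f"{{{CAS_NS}}}attributes")
    if container is None:
        return attrs
    for child in container:
        # ElementTree reports tags as "{namespace}local"; keep the local part.
        name = child.tag.split("}", 1)[-1]
        # Whitespace trimming is a choice made here, not a documented rule.
        attrs.setdefault(name, []).append((child.text or "").strip())
    return attrs


def require_cas_attribute(attrs: Dict[str, List[str]], directive: str,
                          case_sensitive: bool = True) -> bool:
    """Evaluate one `name:value` directive against the parsed attributes.

    Succeeds if any value of the named attribute equals the requested value.
    The default is the exact, case-sensitive comparison the thread says the
    README documents; case_sensitive=False is a hypothetical relaxation used
    only to show what the looser matching discussed in the thread accepts.
    """
    name, sep, wanted = directive.partition(":")
    if not sep or not name or not wanted:
        raise ValueError(f"directive must be name:value, got {directive!r}")
    if case_sensitive:
        return wanted in attrs.get(name, [])
    lowered = {k.lower(): [v.lower() for v in vs] for k, vs in attrs.items()}
    return wanted.lower() in lowered.get(name.lower(), [])


if __name__ == "__main__":
    parsed = parse_cas_attributes(SAMPLE_RESPONSE)
    for d in ("givenName:Carl",
              "memberOf:cn=admins,ou=groups,o=lafayette",
              "memberOf:CN=admins,OU=groups,O=lafayette"):
        strict = require_cas_attribute(parsed, d)
        relaxed = require_cas_attribute(parsed, d, case_sensitive=False)
        print(f"{d!r}: strict={strict} relaxed={relaxed}")
```

Running the script shows the two lower-case directives passing and the upper-cased `CN=admins,OU=groups,O=lafayette` failing under strict matching even though the same group is present in the response, which is the situation to rule out first when DEBUG logs show the attribute arriving but authorization is still refused.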