Misagh, I have the LDAP component using this example:
<bean id="ldapPersonAttributeDao" class="org.jasig.cas.persondir.LdapPersonAttributeDao" p:connectionFactory-ref="pooledLdapConnectionFactory" p:baseDN="${ldap.baseDn}" p:searchControls-ref="searchControls" p:searchFilter="mail={0}"> <property name="resultAttributeMapping"> <map> <!-- | Key is LDAP attribute name, value is principal attribute name. --> <entry key="member" value="member" /> <entry key="mail" value="mail" /> <entry key="displayName" value="displayName" /> </map> </property> </bean> I believe I need to add this as well: <bean class="org.jasig.cas.services.RegisteredServiceImpl"> <property name="id" value="0" /> <property name="name" value="HTTPS Services" /> <property name="description" value="YOUR HTTP Service" /> <property name="serviceId" value="https://**" /> <property name="allowedAttributes"> <list> <value>yourAttributeName</value> </list> </property> </bean> My question is, can I do this to release the same set of attributes for any service? This looks like it’s going to require me to set this up for every new service. Sincerely, Christopher Irwin From: Misagh Moayyed [mailto:mmoay...@unicon.net] Sent: Friday, August 14, 2015 1:50 PM To: cas-user@lists.jasig.org Subject: RE: [cas-user] Attribute Release You are not getting anything from CAS because you’re not allowing any attributes to be released. Your logs/config show you’re only resolving attributes. Your service registry needs to release them next. See: http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html From: Ray Bon [mailto:r...@uvic.ca] Sent: Friday, August 14, 2015 10:25 AM To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> Subject: Re:[cas-user] Attribute Release Chris, Clearly I did not look closely enough at the logs. In the log you have "Created seed map='{username=[cirwin]}' for uid='cirwin'" followed by "Generated query builder 'null' from query Map {username=[cirwin]}" In my log between these two lines I get "Adding attribute 'uid' with value '[rbon]' to query builder 'null'" followed by "Generated query builder '(uid=rbon)' from query Map {username=[rbon]}" In your configuration you have <util:map id="queryAttributeMap"> <entry key="user" value="uid" /> </util:map> Try changing the key in the configuration from 'user' to 'username'. Ray ________________________________ From: Chris Irwin <chris.ir...@sadasystems.com<mailto:chris.ir...@sadasystems.com>> Sent: August 14, 2015 05:02 To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> Subject: RE:[cas-user] Attribute Release Ray, In the log below you can see the results of the query. You can also see the attributes I have listed in the ldapAuthenticationHandler’s principalAttributeMap get returned in the “Found principal attribute” This is what I want to return back to the app but all I’m getting is the following: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>cirwin</cas:user> </cas:authenticationSuccess> </cas:serviceResponse> I thought I just needed to wire up so that the attributes resolved here are released: 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [sAMAccountName[CIrwin]] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [cn[Chris Irwin]] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [givenName[Chris]] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [sn[Irwin]] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [mail[chris.ir...@sadasystems.com]] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [displayName[Chris Irwin]] Is that different? Chris From: Ray Bon [mailto:r...@uvic.ca] Sent: Thursday, August 13, 2015 6:17 PM To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> Subject: Re:[cas-user] Attribute Release Check what attributes are being released from your LDAP server. The items in the LDAP response may be provided as part of the authenticated user info but not necessarily the released attributes. Ray ________________________________ From: Chris Irwin <chris.ir...@sadasystems.com<mailto:chris.ir...@sadasystems.com>> Sent: August 13, 2015 13:58 To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> Subject: [cas-user] Attribute Release I'm not sure what i'm missing here. I can see the attributes resolved but they are never released to the client: 2015-08-13 16:31:20,456 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP authentication for cirwin+password 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@110158567::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, ldapEntry=[dn=CN=Chris Irwin,OU=SADA,OU=Consultants,dc=root,dc=njcu[[mail[chris.ir...@sadasystems.com]], [uSNCreated[75502415]], [description[SADA Consultant]], [whenChanged[20150805152738.0Z]], [objectClass[top, person, organizationalPerson, user]], [primaryGroupID[513]], [givenName[Chris]], [objectGUID[??????D?a??[??]], [objectSid[ q??K9?l??>u??V ]], [instanceType[4]], [whenCreated[20150410141222.0Z]], [dSCorePropagationData[20150520202442.0Z, 20150410142342.0Z, 16010101000000.0Z]], [sn[Irwin]], [userAccountControl[66048]], [lastLogonTimestamp[130832620538887202]], [cn[Chris Irwin]], [sAMAccountName[CIrwin]], [sAMAccountType[805306368]], [userPrincipalName[cir...@njcu.edu]], [displayName[Chris Irwin]], [pwdLastSet[130731491217059125]], [name[Chris Irwin]], [objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=root,DC=njcu]], [distinguishedName[CN=Chris Irwin,OU=SADA,OU=Consultants,DC=root,DC=njcu]], [memberOf[CN=rdpadmins,CN=Users,DC=root,DC=njcu, CN=VPN,CN=Users,DC=root,DC=njcu, CN=Domain Admins,CN=Users,DC=root,DC=njcu]], [uSNChanged[90371268]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [sAMAccountName[CIrwin]] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [cn[Chris Irwin]] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [givenName[Chris]] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [sn[Irwin]] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [mail[chris.ir...@sadasystems.com]] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [displayName[Chris Irwin]] 2015-08-13 16:31:20,565 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler successfully authenticated cirwin+password 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - Attempting to resolve a principal... 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - Creating SimplePrincipal for [cirwin] 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao] - Created seed map='{username=[cirwin]}' for uid='cirwin' 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao] - Generated query builder 'null' from query Map {username=[cirwin]}. 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao] - No queryBuilder was generated for query {username=[cirwin]}, null will be returned 2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@e1fa433<mailto:org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@e1fa433> resolved cirwin from cirwin+password 2015-08-13 16:31:20,581 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Authenticated cirwin with credentials [cirwin+password]. 2015-08-13 16:31:20,581 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Attribute map for cirwin: {} 2015-08-13 16:31:20,581 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: supplied credentials: [cirwin+password] ACTION: AUTHENTICATION_SUCCESS APPLICATION: CAS WHEN: Thu Aug 13 16:31:20 EDT 2015 CLIENT IP ADDRESS: 208.104.112.159 SERVER IP ADDRESS: 10.0.2.73 ============================================================= I have included the deployerConfigContext.xml for reference: <?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to Jasig under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. Jasig licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at the following location: http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:util="http://www.springframework.org/schema/util" xmlns:sec="http://www.springframework.org/schema/security" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd<http://www.springframework.org/schema/beans%20http:/www.springframework.org/schema/beans/spring-beans-3.2.xsd%0b %20http:/www.springframework.org/schema/tx%20http:/www.springframework.org/schema/tx/spring-tx-3.2.xsd%0b %20http:/www.springframework.org/schema/security%20http:/www.springframework.org/schema/security/spring-security-3.2.xsd%0b %20http:/www.springframework.org/schema/util%20http:/www.springframework.org/schema/util/spring-util.xsd>"> <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager"> <constructor-arg> <map> <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" /> <!-- Old Value - <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" /> --> <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" /> </map> </constructor-arg> <property name="authenticationPolicy"> <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" /> </property> </bean> <!-- Required for proxy ticket mechanism. --> <bean id="proxyAuthenticationHandler" class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" /> <bean id="primaryAuthenticationHandler" class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler"> <property name="users"> <map> <entry key="casuser" value="Mellon"/> </map> </property> </bean> <!-- Required for proxy ticket mechanism --> <bean id="proxyPrincipalResolver" class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" /> <!-- | Resolves a principal from a credential using an attribute repository that is configured to resolve | against a deployer-specific store (e.g. LDAP). --> <bean id="primaryPrincipalResolver" class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" > <property name="attributeRepository" ref="attributeRepository" /> </bean> <!-- Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation may go against a database or LDAP server. The id should remain "attributeRepository" though. <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao" p:backingMap-ref="attrRepoBackingMap" /> <util:map id="attrRepoBackingMap"> <entry key="uid" value="uid" /> <entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> <entry key="groupMembership" value="groupMembership" /> </util:map> --> <bean id="attributeRepository" class="org.jasig.cas.persondir.LdapPersonAttributeDao" p:baseDN="${ldap.baseDn}" p:searchFilter="samAccountName={0}" p:searchControls-ref="searchControls" p:connectionFactory-ref="searchPooledLdapConnectionFactory" p:queryAttributeMapping-ref="queryAttributeMap" p:resultAttributeMapping-ref="resultAttributeMap" /> <util:map id="queryAttributeMap"> <entry key="user" value="uid" /> </util:map> <util:map id="resultAttributeMap"> <entry key="samAccountName" value="userName" /> <entry key="cn" value="Student ID" /> <entry key="givenName" value="First Name" /> <entry key="sn" value="Last Name" /> <entry key="mail" value="email" /> <entry key="displayName" value="displayName" /> </util:map> <bean id="searchControls" class="javax.naming.directory.SearchControls" p:searchScope="2" /> <!-- Sample, in-memory data store for the ServiceRegistry. A real implementation would probably want to replace this with the JPA-backed ServiceRegistry DAO The name of this bean should remain "serviceRegistryDao". +--> <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" p:registeredServices-ref="registeredServicesList" /> <util:list id="registeredServicesList"> <bean class="org.jasig.cas.services.RegexRegisteredService" p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and IMAP(S) protocols" p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001" /> <!-- Use the following definition instead of the above to further restrict access to services within your domain (including sub domains). Note that example.com must be replaced with the domain you wish to permit. This example also demonstrates the configuration of an attribute filter that only allows for attributes whose length is 3. --> <!-- <bean class="org.jasig.cas.services.RegexRegisteredService"> <property name="id" value="1" /> <property name="name" value="HTTP and IMAP on example.com" /> <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" /> <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" /> <property name="evaluationOrder" value="0" /> <property name="attributeFilter"> <bean class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter" c:regex="^\w{3}$" /> </property> </bean> --> </util:list> <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" /> <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" /> <util:list id="monitorsList"> <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" /> <!-- NOTE The following ticket registries support SessionMonitor: * DefaultTicketRegistry * JpaTicketRegistry Remove this monitor if you use an unsupported registry. --> <bean class="org.jasig.cas.monitor.SessionMonitor" p:ticketRegistry-ref="ticketRegistry" p:serviceTicketCountWarnThreshold="5000" p:sessionCountWarnThreshold="100000" /> </util:list> <!-- INSERT CONNECTION CONFIGURATIONS HERE --> <bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler" p:principalIdAttribute="samAccountName" c:authenticator-ref="authenticator"> <property name="principalAttributeMap"> <map> <!-- | This map provides a simple attribute resolution mechanism. | Keys are LDAP attribute names, values are CAS attribute names. | Use this facility instead of a PrincipalResolver if LDAP is | the only attribute source. --> <entry key="samAccountName" value="userName" /> <entry key="cn" value="Student ID" /> <entry key="givenName" value="First Name" /> <entry key="sn" value="Last Name" /> <entry key="mail" value="email" /> <entry key="displayName" value="displayName" /> </map> </property> </bean> <bean id="authenticator" class="org.ldaptive.auth.Authenticator" c:resolver-ref="dnResolver" c:handler-ref="authHandler" /> <bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver" p:baseDn="${ldap.baseDn}" p:subtreeSearch="true" p:allowMultipleDns="false" p:connectionFactory-ref="searchPooledLdapConnectionFactory" p:userFilter="${ldap.authn.searchFilter}" /> <bean id="searchPooledLdapConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="searchConnectionPool" /> <bean id="searchConnectionPool" parent="abstractConnectionPool" p:connectionFactory-ref="searchConnectionFactory" /> <bean id="searchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="searchConnectionConfig" /> <bean id="searchConnectionConfig" parent="abstractConnectionConfig" p:connectionInitializer-ref="bindConnectionInitializer" /> <bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer" p:bindDn="cass...@root.njcu<mailto:cass...@root.njcu>"> <property name="bindCredential"> <bean class="org.ldaptive.Credential" c:password="${ldap.authn.managerPassword}" /> </property> </bean> <bean id="abstractConnectionPool" abstract="true" class="org.ldaptive.pool.BlockingConnectionPool" init-method="initialize" p:poolConfig-ref="ldapPoolConfig" p:blockWaitTime="${ldap.pool.blockWaitTime}" p:validator-ref="searchValidator" p:pruneStrategy-ref="pruneStrategy" /> <bean id="abstractConnectionConfig" abstract="true" class="org.ldaptive.ConnectionConfig" p:ldapUrl="${ldap.url}" p:connectTimeout="${ldap.connectTimeout}" p:useStartTLS="${ldap.useStartTLS}" p:sslConfig-ref="sslConfig" /> <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig" p:minPoolSize="${ldap.pool.minSize}" p:maxPoolSize="${ldap.pool.maxSize}" p:validateOnCheckOut="${ldap.pool.validateOnCheckout}" p:validatePeriodically="${ldap.pool.validatePeriodically}" p:validatePeriod="${ldap.pool.validatePeriod}" /> <bean id="sslConfig" class="org.ldaptive.ssl.SslConfig"> <property name="credentialConfig"> <bean class="org.ldaptive.ssl.X509CredentialConfig" p:trustCertificates="${ldap.trustedCert}" /> </property> </bean> <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy" p:prunePeriod="${ldap.pool.prunePeriod}" p:idleTime="${ldap.pool.idleTime}" /> <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" /> <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler" p:connectionFactory-ref="bindPooledLdapConnectionFactory" /> <bean id="bindPooledLdapConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="bindConnectionPool" /> <bean id="bindConnectionPool" parent="abstractConnectionPool" p:connectionFactory-ref="bindConnectionFactory" /> <bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindConnectionConfig" /> <bean id="bindConnectionConfig" parent="abstractConnectionConfig" /> <!-- Cirwin - Add Attribute release bean <context:component-scan base-package="org.jasig.cas" /> <context:annotation-config /> --> </beans> Chris -- You are currently subscribed to cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: r...@uvic.ca<mailto:r...@uvic.ca> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: chris.ir...@sadasystems.com<mailto:chris.ir...@sadasystems.com> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: r...@uvic.ca<mailto:r...@uvic.ca> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: mmoay...@unicon.net<mailto:mmoay...@unicon.net> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: chris.ir...@sadasystems.com<mailto:chris.ir...@sadasystems.com> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user