Chris,
I had to check the box for 'Ignore Attribute Management via this Tool​' for the
service in Service Manager. You will also need to make sure the attributes are
listed under Attributes.
Ray
________________________________
From: Chris Irwin <chris.ir...@sadasystems.com>
Sent: August 24, 2015 06:05
To: cas-user@lists.jasig.org
Subject: [cas-user] Attribute Release
I'm having some issues wiring up my attribute release. Any suggestions or a
working deployerConfigContext.xml would be appreciated. My log looks like this:
2015-08-20 14:19:36,040 DEBUG
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed cookie
with name [CASPRIVACY]
2015-08-20 14:19:36,040 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve
ticket
[TGT-1-03rvcFwo7UUd6wCKFMV3993ZTcdIax5sbcp6GIGBeyVOcsPecC-cas01.example.org]
2015-08-20 14:19:36,040 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket
[TGT-1-03rvcFwo7UUd6wCKFMV3993ZTcdIax5sbcp6GIGBeyVOcsPecC-cas01.example.org]
found in registry.
2015-08-20 14:19:36,040 DEBUG
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Added cookie with
name [CASTGC] and value
[TGT-1-03rvcFwo7UUd6wCKFMV3993ZTcdIax5sbcp6GIGBeyVOcsPecC-cas01.example.org]
2015-08-20 14:19:36,056 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor]
- Extractor did not generate service.
2015-08-20 14:19:39,198 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor]
- Extractor did not generate service.
2015-08-20 14:19:39,198 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor]
- Extractor did not generate service.
2015-08-20 14:19:47,588 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP
authentication for 2233445+password
2015-08-20 14:19:47,604 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response:
[org.ldaptive.auth.AuthenticationResponse@57434383::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
ldapEntry=[dn=CN=2233445,OU=PeopleSoft_UGrads,DC=students,dc=root,dc=njcu[[legacyExchangeDN[/o=First
Organization/ou=Exchange Administrative Group
(FYDIBOHF23SPDLT)/cn=Recipients/cn=2233445557]], [mail[asa...@njcu.edu]],
[proxyAddresses[SMTP:asa...@njcu.edu, smtp:asa...@live.njcu.edu,
smtp:asa...@exchange.njcu.edu]], [uSNCreated[110424013]],
[whenChanged[20150810172625.0Z]], [objectClass[top, person,
organizationalPerson, user]], [primaryGroupID[513]], [givenName[Apple]],
[objectGUID[BbC~1?uF??!%??]], [extensionAttribute15[GALEnabled]],
[instanceType[0]], [objectSid[�� �� ~d�S?0n?.�?^?M� ]],
[whenCreated[20150810155326.0Z]], [msExchHideFromAddressLists[TRUE]],
[sn[Sauce]], [userAccountControl[66048]],
[lastLogonTimestamp[130837011635597383]], [mailNickname[ASauce]],
[msExchRecipientTypeDetails[128]], [cn[2233445]],
[msExchRecipientDisplayType[6]], [sAMAccountName[2233445]],
[targetAddress[SMTP:asa...@live.njcu.edu]], [sAMAccountType[805306368]],
[userPrincipalName[asa...@njcu.edu]], [showInAddressBook[CN=All Mail
Users(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First
Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=root,DC=njcu, CN=All
Recipients(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First
Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=root,DC=njcu]], [displayName[Apple
Sauce]], [pwdLastSet[130836956066416514]], [name[2233445]],
[msExchPoliciesExcluded[{26491cfc-9e50-4857-861b-0cb8df22b5d7}]],
[msExchUMDtmfMap[emailAddress:272823, lastNameFirstName:2233445,
firstNameLastName:2233445]],
[objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=root,DC=njcu]],
[distinguishedName[CN=2233445,OU=PeopleSoft_UGrads,DC=students,DC=root,DC=njcu]],
[internetEncoding[1310720]], [msExchVersion[44220983382016]],
[uSNChanged[110427141]]], responseControls=null, messageId=-1],
accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]
2015-08-20 14:19:47,604 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [sAMAccountName[2233445]]
2015-08-20 14:19:47,604 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [cn[2233445]]
2015-08-20 14:19:47,604 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [givenName[Apple]]
2015-08-20 14:19:47,604 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [sn[Sauce]]
2015-08-20 14:19:47,604 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [mail[asa...@njcu.edu]]
2015-08-20 14:19:47,604 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [displayName[Apple Sauce]]
2015-08-20 14:19:47,604 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
LdapAuthenticationHandler successfully authenticated 2233445+password
2015-08-20 14:19:47,604 DEBUG
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] -
Attempting to resolve a principal...
2015-08-20 14:19:47,604 DEBUG
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] -
Creating SimplePrincipal for [2233445]
2015-08-20 14:19:47,604 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao]
- Created seed map='{username=[2233445]}' for uid='2233445'
2015-08-20 14:19:47,619 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao]
- Adding attribute 'uid' with value '[2233445]' to query builder 'null'
2015-08-20 14:19:47,619 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao]
- Constructed LDAP search query [samAccountName=2233445]
2015-08-20 14:19:47,619 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao]
- Generated query builder
'[org.ldaptive.SearchFilter@1067769952::filter=samAccountName={0},
parameters={0=2233445}]' from query Map {username=[2233445]}.
2015-08-20 14:19:47,619 DEBUG
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@7fa6d9e0
resolved 2233445 from 2233445+password
2015-08-20 14:19:47,619 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Authenticated
2233445 with credentials [2233445+password].
2015-08-20 14:19:47,619 DEBUG
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Attribute map
for 2233445: {}
2015-08-20 14:19:47,619 INFO
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail
record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [2233445+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Aug 20 14:19:47 EDT 2015
CLIENT IP ADDRESS: 10.0.2.57
SERVER IP ADDRESS: 10.0.2.73
=============================================================
You can see the attributes resolve but noting in the attribute Map. My config
is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to Jasig under one or more contributor license
agreements. See the NOTICE file distributed with this work
for additional information regarding copyright ownership.
Jasig licenses this file to you under the Apache License,
Version 2.0 (the "License"); you may not use this file
except in compliance with the License. You may obtain a
copy of the License at the following location:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:p="http://www.springframework.org/schema/p";
xmlns:c="http://www.springframework.org/schema/c";
xmlns:tx="http://www.springframework.org/schema/tx";
xmlns:util="http://www.springframework.org/schema/util";
xmlns:sec="http://www.springframework.org/schema/security";
xmlns:context="http://www.springframework.org/schema/context";
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd";>
<bean id="authenticationManager"
class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
<constructor-arg>
<map>
<entry key-ref="proxyAuthenticationHandler"
value-ref="proxyPrincipalResolver" />
<entry key-ref="ldapAuthenticationHandler"
value-ref="primaryPrincipalResolver" />
</map>
</constructor-arg>
<property name="authenticationPolicy">
<bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy"
/>
</property>
</bean>
<!-- Required for proxy ticket mechanism. -->
<bean id="proxyAuthenticationHandler"
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<bean id="primaryAuthenticationHandler"
class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
<property name="users">
<map>
<entry key="casuser" value="Mellon"/>
</map>
</property>
</bean>
<!-- Required for proxy ticket mechanism -->
<bean id="proxyPrincipalResolver"
class="org.jasig.cas.authentication.principal.BasicPrincipalResolver"
/>
<!--
| Resolves a principal from a credential using an attribute repository
that is configured to resolve
| against a deployer-specific store (e.g. LDAP).
-->
<bean id="primaryPrincipalResolver"
class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
>
<property name="attributeRepository" ref="attributeRepository" />
</bean>
<!--
Bean that defines the attributes that a service may return. This example
uses the Stub/Mock version. A real implementation
may go against a database or LDAP server. The id should remain
"attributeRepository" though.
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.StubPersonAttributeDao"
p:backingMap-ref="attrRepoBackingMap" />
<util:map id="attrRepoBackingMap">
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</util:map>
-->
<bean id="attributeRepository"
class="org.jasig.cas.persondir.LdapPersonAttributeDao"
p:baseDN="${ldap.baseDn}"
p:searchFilter="samAccountName={0}"
p:searchControls-ref="searchControls"
p:connectionFactory-ref="searchPooledLdapConnectionFactory"
p:queryAttributeMapping-ref="queryAttributeMap"
p:resultAttributeMapping-ref="resultAttributeMap"
/>
<util:map id="queryAttributeMap">
<entry key="username" value="uid" />
</util:map>
<util:map id="resultAttributeMap">
<entry key="samAccountName" value="userName" />
<entry key="cn" value="Student ID" />
<entry key="givenName" value="First Name" />
<entry key="sn" value="Last Name" />
<entry key="mail" value="email" />
<entry key="displayName" value="displayName" />
</util:map>
<!--
Sample, in-memory data store for the ServiceRegistry. A real implementation
would probably want to replace this with the JPA-backed ServiceRegistry DAO
The name of this bean should remain "serviceRegistryDao".
-->
<bean id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
p:registeredServices-ref="registeredServicesList" />
<!--
<bean id="serviceRegistryDao"
class="org.jasig.cas.adaptors.ldap.services.LdapServiceRegistryDao"
p:connectionFactory-ref="searchPooledLdapConnectionFactory"
p:searchRequest-ref="searchRequest"
p:ldapServiceMapper-ref="ldapMapper" />
<bean id="ldapMapper"
class="org.jasig.cas.adaptors.ldap.services.DefaultLdapServiceMapper"/>
-->
<util:list id="registeredServicesList">
<bean class="org.jasig.cas.services.RegexRegisteredService"
p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and
IMAP(S) protocols"
p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001"
/>
<!--
Use the following definition instead of the above to further restrict
access
to services within your domain (including sub domains).
Note that example.com must be replaced with the domain you wish to
permit.
This example also demonstrates the configuration of an attribute filter
that only allows for attributes whose length is 3.
-->
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="0" />
<property name="name" value="AwardSpring" />
<property name="description" value="Your HTTP Service" />
<property name="serviceId" value="https://njcu.awardspring.com/SignIn/CASAuth";
/>
<property name="ignoreAttributes" value="True" />
<property name="allowedAttributes">
<list>
<value>samAccountName</value>
<value>cn</value>
<value>givenName</value>
<value>sn</value>
<value>mail</value>
<value>displayName</value>
</list>
</property>
</bean>
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="1" />
<property name="name" value="EAB" />
<property name="description" value="Your HTTP Service" />
<property name="serviceId" value="https://sscimpl.advisory.com/gsrc/SSO/njcu";
/>
<property name="ignoreAttributes" value="True" />
<property name="allowedAttributes">
<list>
<value>samAccountName</value>
<value>cn</value>
<value>givenName</value>
<value>sn</value>
<value>mail</value>
<value>displayName</value>
</list>
</property>
</bean>
<!--
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="1" />
<property name="name" value="All Websites" />
<property name="description" value="Allows HTTP(S) sites" />
<property name="serviceId" value="^(https?)://.*" />
<property name="evaluationOrder" value="0" />
<property name="attributeFilter">
<bean
class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter"
c:regex="^\w{3}$" />
</property>
</bean>
-->
</util:list>
<bean id="auditTrailManager"
class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
<bean id="healthCheckMonitor"
class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList"
/>
<util:list id="monitorsList">
<bean class="org.jasig.cas.monitor.MemoryMonitor"
p:freeMemoryWarnThreshold="10" />
<!--
NOTE
The following ticket registries support SessionMonitor:
* DefaultTicketRegistry
* JpaTicketRegistry
Remove this monitor if you use an unsupported registry.
-->
<bean class="org.jasig.cas.monitor.SessionMonitor"
p:ticketRegistry-ref="ticketRegistry"
p:serviceTicketCountWarnThreshold="5000"
p:sessionCountWarnThreshold="100000" />
</util:list>
<!-- Cirwin - Add Attribute release bean
<context:component-scan base-package="org.jasig.cas" />
<context:annotation-config />
-->
<bean id="ldapPersonAttributeDao"
class="org.jasig.cas.persondir.LdapPersonAttributeDao"
p:connectionFactory-ref="searchPooledLdapConnectionFactory"
p:baseDN="${ldap.baseDn}"
p:searchControls-ref="searchControls"
p:searchFilter="samAccountName={0}">
<property name="resultAttributeMapping">
<map>
<entry key="samAccountName" value="userName" />
<entry key="cn" value="Student ID" />
<entry key="givenName" value="First Name" />
<entry key="sn" value="Last Name" />
<entry key="mail" value="email" />
<entry key="displayName" value="displayName" />
<entry key="employeeID" value="employeeID" />
</map>
</property>
</bean>
<bean id="searchControls" class="javax.naming.directory.SearchControls"
p:searchScope="2"
p:countLimit="10" />
<!-- INSERT CONNECTION CONFIGURATIONS HERE -->
<bean id="ldapAuthenticationHandler"
class="org.jasig.cas.authentication.LdapAuthenticationHandler"
p:principalIdAttribute="samAccountName"
c:authenticator-ref="authenticator">
<property name="principalAttributeMap">
<map>
<!--
| This map provides a simple attribute resolution mechanism.
| Keys are LDAP attribute names, values are CAS attribute names.
| Use this facility instead of a PrincipalResolver if LDAP is
| the only attribute source.
-->
<entry key="samAccountName" value="userName" />
<entry key="cn" value="Student ID" />
<entry key="givenName" value="First Name" />
<entry key="sn" value="Last Name" />
<entry key="mail" value="email" />
<entry key="displayName" value="displayName" />
<entry key="employeeID" value="employeeID" />
</map>
</property>
</bean>
<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
c:resolver-ref="dnResolver"
c:handler-ref="authHandler" />
<bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
p:baseDn="${ldap.baseDn}"
p:subtreeSearch="true"
p:allowMultipleDns="false"
p:connectionFactory-ref="searchPooledLdapConnectionFactory"
p:userFilter="${ldap.authn.searchFilter}" />
<bean id="searchPooledLdapConnectionFactory"
class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="searchConnectionPool" />
<bean id="searchConnectionPool" parent="abstractConnectionPool"
p:connectionFactory-ref="searchConnectionFactory" />
<bean id="searchConnectionFactory"
class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="searchConnectionConfig" />
<bean id="searchConnectionConfig" parent="abstractConnectionConfig"
p:connectionInitializer-ref="bindConnectionInitializer" />
<bean id="bindConnectionInitializer"
class="org.ldaptive.BindConnectionInitializer"
p:bindDn="cass...@root.njcu">
<property name="bindCredential">
<bean class="org.ldaptive.Credential"
c:password="${ldap.authn.managerPassword}" />
</property>
</bean>
<bean id="abstractConnectionPool" abstract="true"
class="org.ldaptive.pool.BlockingConnectionPool"
init-method="initialize"
p:poolConfig-ref="ldapPoolConfig"
p:blockWaitTime="${ldap.pool.blockWaitTime}"
p:validator-ref="searchValidator"
p:pruneStrategy-ref="pruneStrategy" />
<bean id="abstractConnectionConfig" abstract="true"
class="org.ldaptive.ConnectionConfig"
p:ldapUrl="${ldap.url}"
p:connectTimeout="${ldap.connectTimeout}"
p:useStartTLS="${ldap.useStartTLS}"
p:sslConfig-ref="sslConfig" />
<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
p:minPoolSize="${ldap.pool.minSize}"
p:maxPoolSize="${ldap.pool.maxSize}"
p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
p:validatePeriodically="${ldap.pool.validatePeriodically}"
p:validatePeriod="${ldap.pool.validatePeriod}" />
<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
<property name="credentialConfig">
<bean class="org.ldaptive.ssl.X509CredentialConfig"
p:trustCertificates="${ldap.trustedCert}" />
</property>
</bean>
<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
p:prunePeriod="${ldap.pool.prunePeriod}"
p:idleTime="${ldap.pool.idleTime}" />
<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
p:connectionFactory-ref="bindPooledLdapConnectionFactory" />
<bean id="bindPooledLdapConnectionFactory"
class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="bindConnectionPool" />
<bean id="bindConnectionPool" parent="abstractConnectionPool"
p:connectionFactory-ref="bindConnectionFactory" />
<bean id="bindConnectionFactory"
class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="bindConnectionConfig" />
<bean id="bindConnectionConfig" parent="abstractConnectionConfig" />
</beans>
Chris
--
You are currently subscribed to cas-user@lists.jasig.org as: r...@uvic.ca
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-user@lists.jasig.org as:
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
