Re: [cas-user] mod_auth_cas - /samlValidate - require cas-attribute - memberOf
On Sun, Jul 12, 2015 at 05:09:21PM -0500, Milt Epstein wrote:

> As I recall, we were able to get this working, basically, but we had to use some overlay with our LDAP server (OpenLDAP). We also had to use a different attribute name (than memberOf) -- but maybe we could've avoided that by configuring it differently.

Yes, openldap doesn't support the memberOf attribute unless you load the memberof overlay. We have that working, we didn't have to use a different attribute name. The one catch is that it is considered an operational attribute, so you either need to request it specifically or request all operational attributes, it's not returned otherwise.

> I'm not sure what to make of the fact that in your logs you see the memberOf attribute and value in the response. That seems to suggest that mod_auth_cas is getting it, where my comments I think have more to do with getting the CAS server to handle memberOf correctly in the first place. So maybe these things aren't relevant to your situation.

I was playing with mod_auth_cas last year sometime and I know I had authorization using memberOf working. I don't have the specific config I used though. It's on my shortlist to get that deployed in production, but probably not soon enough to help the OP out, sorry :(.

-- 
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | hen...@cpp.edu
California State Polytechnic University | Pomona CA 91768

-- 
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] mod_auth_cas - /samlValidate - require cas-attribute - memberOf
I haven't used CAS in a little while (and also don't currently have access to a CAS installation to check), but my recollection is that memberOf may be a special case, and not like other multi-valued attributes. Whether you can use it as shown may depend on what LDAP server you're using, and how you have it configured.

So, some questions:

David, did you get this working with memberOf, or some other multi-valued attribute? What LDAP server are you using?

Carl, have you tried some other multi-valued attribute? What behavior do you get with that? And what LDAP server are you using?

As I recall, we were able to get this working, basically, but we had to use some overlay with our LDAP server (OpenLDAP). We also had to use a different attribute name (than memberOf) -- but maybe we could've avoided that by configuring it differently.

There's a thread from this list from a little while ago that might have some relevant information -- the subject line was "CAS 4.0 w/ OpenLDAP won't return memberOf attribute", and it included comments from Doug Campbell, Marvin Addison, and myself.

I'm not sure what to make of the fact that in your logs you see the memberOf attribute and value in the response. That seems to suggest that mod_auth_cas is getting it, where my comments I think have more to do with getting the CAS server to handle memberOf correctly in the first place. So maybe these things aren't relevant to your situation.

Milt Epstein
Programmer in Computational Genomics
Institute for Genomic Biology (IGB)
University of Illinois at Urbana-Champaign (UIUC)
mepst...@illinois.edu

On Sat, 11 Jul 2015, David Hawes wrote:

> On Fri, Jul 10, 2015 at 11:36 PM, Carl Waldbieser cwaldbie...@gmail.com wrote:
>
>> Has anyone been able to use the `mod_auth_cas` `require cas-attribute` directive to work with the `memberOf` or other multi-valued attribute?
>
> I can verify that it works with multi-valued attributes. As noted in the README, both the attribute name and value are case-sensitive.
>
>> I have been able to get it to work using a single-valued attribute like:
>>
>>     require cas-attribute givenName:Carl
>>
>> OR
>>
>>     require cas-attribute email:waldb...@lafayette.edu
>>
>> but if I try something like:
>>
>>     require cas-attribute memberOf:cn=admins,ou=groups,o=lafayette
>>
>> I get an authorization error. Cranking the logs up to DEBUG shows the attribute is in the CAS response, but mod_auth_cas still decides the response doesn't match.
>
> Check that your require directive attribute and value match what is in the response exactly. I think for most use cases this should be case-insensitive.
>
>> I did notice the XML response in the log seems truncated. I wasn't sure if this is because there is a limit to how much mod_auth_cas will write for a given log entry.
>>
>> The README from my tarball says I am using MOD_AUTH_CAS 1.0.10.
>
> I tested with this version, so it should work.
Re: [cas-user] mod_auth_cas - /samlValidate - require cas-attribute - memberOf
On Fri, Jul 10, 2015 at 11:36 PM, Carl Waldbieser cwaldbie...@gmail.com wrote:

> Has anyone been able to use the `mod_auth_cas` `require cas-attribute` directive to work with the `memberOf` or other multi-valued attribute?

I can verify that it works with multi-valued attributes. As noted in the README, both the attribute name and value are case-sensitive.

> I have been able to get it to work using a single-valued attribute like:
>
>     require cas-attribute givenName:Carl
>
> OR
>
>     require cas-attribute email:waldb...@lafayette.edu
>
> but if I try something like:
>
>     require cas-attribute memberOf:cn=admins,ou=groups,o=lafayette
>
> I get an authorization error. Cranking the logs up to DEBUG shows the attribute is in the CAS response, but mod_auth_cas still decides the response doesn't match.

Check that your require directive attribute and value match what is in the response exactly. I think for most use cases this should be case-insensitive.

> I did notice the XML response in the log seems truncated. I wasn't sure if this is because there is a limit to how much mod_auth_cas will write for a given log entry.
>
> The README from my tarball says I am using MOD_AUTH_CAS 1.0.10.

I tested with this version, so it should work.
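The matching rule David describes (exact, case-sensitive attribute name and value, with any one value of a multi-valued attribute sufficing) modelled as an added example in Python; this is not mod_auth_cas's own C code. The SAML response below is constructed, the cn=staff group is made up, and the element layout assumes the SAML 1.1 assertion namespace that /samlValidate responses use.

```python
"""Added example (not mod_auth_cas code): evaluate a
`require cas-attribute name:value` rule against the attributes in a
CAS /samlValidate response with exact, case-sensitive comparison."""
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 assertion namespace

# Constructed sample: a trimmed SAML 1.1 response carrying a multi-valued memberOf.
SAMPLE_RESPONSE = f"""<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol">
 <Assertion xmlns="{SAML1}">
  <AttributeStatement>
   <Attribute AttributeName="givenName"><AttributeValue>Carl</AttributeValue></Attribute>
   <Attribute AttributeName="memberOf">
    <AttributeValue>cn=admins,ou=groups,o=lafayette</AttributeValue>
    <AttributeValue>cn=staff,ou=groups,o=lafayette</AttributeValue>
   </Attribute>
  </AttributeStatement>
 </Assertion>
</Response></Body></Envelope>"""


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML1}}}Attribute"):
        name = attr.get("AttributeName")
        values = [v.text or "" for v in attr.findall(f"{{{SAML1}}}AttributeValue")]
        attrs.setdefault(name, []).extend(values)
    return attrs


def require_cas_attribute(rule, attrs):
    """Evaluate one `require cas-attribute name:value` rule.

    The rule is split at the first ':' (so values containing ':' survive),
    and both name and value are compared byte-for-byte, as the README
    states.  A multi-valued attribute matches if any of its values equals
    the required value; case or whitespace differences do not match."""
    name, sep, value = rule.partition(":")
    if not sep:
        raise ValueError("rule must have the form name:value")
    return value in attrs.get(name, [])
```

A rule written as `memberOf:CN=admins,OU=groups,O=lafayette` fails against this response even though the group is present, which is the kind of mismatch the DEBUG log lets you spot.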
[cas-user] mod_auth_cas - /samlValidate - require cas-attribute - memberOf
Has anyone been able to use the `mod_auth_cas` `require cas-attribute` directive to work with the `memberOf` or other multi-valued attribute?

I have been able to get it to work using a single-valued attribute like:

    require cas-attribute givenName:Carl

OR

    require cas-attribute email:waldb...@lafayette.edu

but if I try something like:

    require cas-attribute memberOf:cn=admins,ou=groups,o=lafayette

I get an authorization error. Cranking the logs up to DEBUG shows the attribute is in the CAS response, but mod_auth_cas still decides the response doesn't match.

I did notice the XML response in the log seems truncated. I wasn't sure if this is because there is a limit to how much mod_auth_cas will write for a given log entry.

The README from my tarball says I am using MOD_AUTH_CAS 1.0.10.

Thanks,
Carl Waldbieser