I've got some problems with CAS in conjunction with LDAP now. I want to implement an SSO solution for multiple applications. Authentication works great so far. We want to authorize the users on the basis of their roles, which are configured in LDAP. The problem is that CAS does not deliver the user roles.
I am now so far that I know that the deployerConfigContext.xml needs to be configured. I have also found various tutorials, but most work with either the wrong version of CAS or do not do what I want.
Our users lie in cn=admin,cn=users,dc=manager,dc=local, groups reside in cn=admins,ou=groups,dc=manager,dc=local. The CAS version is 3.5.2.
I have tried inserting something like this:
    <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
            <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
            </map>
        </property>
        <property name="query" value="(uid={0})" />
        <property name="contextSource" ref="contextSource" />
        <property name="ldapAttributesToPortalAttributes">
            <map>
                <entry key="cn" value="Name" />
                <entry key="home" value="homeDirectory" />
            </map>
        </property>
    </bean>
CAS told me that it doesn't like the properties query, contextSource and ldapAttributesToPortalAttributes. I wanted to fetch the "simple" attribute homeDirectory.
Can any of you give me tips on how to configure that wicked XML file? If you wish, I can also provide the complete XML file.
UPDATE
After some fiddling, I tried configuring an attributeRepository as on this site: https://wiki.jasig.org/display/CASUM/Attributes in the chapter "Populate Principal's attributes with LDAP repository". The result is that CAS doesn't start but instead gives me the message
Bean property 'ldapAttributesToPortalAttributes' is not writable or has an invalid setter method.
My attributeRepository looks like this:
    <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="ldapAttributesToPortalAttributes">
            <map>
                <entry key="cn" value="Name" />
                <entry key="home" value="homeDirectory" />
            </map>
        </property>
    </bean>
I have the following bean:
    <bean id="attributeRepository"
          class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="baseDN" value="ou=groups,dc=manager,dc=local"/>
        <property name="contextSource" ref="contextSource" />
        <property name="requireAllQueryAttributes" value="true"/>
        <property name="queryAttributeMapping">
            <map>
                <entry key="username" value="sAMAccountName" />
            </map>
        </property>
        <property name="resultAttributeMapping">
            <map>
                <entry key="displayName" value="cn" />
            </map>
        </property>
    </bean>
where you are mapping the displayName attribute to cn. A few lines below in your deployerConfigContext.xml you will find allowedAttributes; if it doesn't exist you can add it. Using this you will load that information into the session.
    <bean
        id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegexRegisteredService">
                    <property name="id" value="0" />
                    <property name="name" value="HTTP and IMAP" />
                    <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
                    <property name="serviceId" value="^(https?|imaps?)://.*" />
                    <property name="evaluationOrder" value="10000001" />
                    <property name="allowedAttributes">
                        <list>
                            <value>cn</value>
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>
In order to return those values from CAS, modify casServiceValidationSuccess.jsp (located at WEB-INF/view/jsp/protocol/2.0):
    <cas:attributes>
        <c:forEach var="auth" items="${assertion.chainedAuthentications}">
            <c:forEach var="attr" items="${auth.principal.attributes}">
                <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
            </c:forEach>
        </c:forEach>
    </cas:attributes>
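The other half of this setup is the application that validates the service ticket and makes its authorization decision on the released attributes. The following is an added example, not code from the question, the answer or the CAS project: a small Python consumer of the CAS 2.0 serviceValidate response as the modified JSP above would produce it. The response text is constructed for the example; the `groupMembership` attribute and the `[admins, users]` rendering are assumptions (a multi-valued principal attribute printed with `${attr.value}` would come out as the Java List's string form, so the parser accepts both repeated elements and that bracketed form). The role check fails closed when the attribute is absent.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed sample of a /serviceValidate success response with attributes
# emitted by the casServiceValidationSuccess.jsp loop (not captured from a real CAS).
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:displayName>John Doe</cas:displayName>
      <cas:homeDirectory>/home/jdoe</cas:homeDirectory>
      <cas:groupMembership>[admins, users]</cas:groupMembership>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
"""

# Constructed sample of a failure response (e.g. ticket already consumed or expired).
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>
"""


def _split_values(text):
    """Normalise one element's text into a list of values.

    Assumption: a multi-valued attribute rendered with ${attr.value} in the JSP
    appears as the Java List's string form, e.g. "[admins, users]"; split that
    back into its members. A plain single value becomes a one-element list.
    """
    text = (text or "").strip()
    if text.startswith("[") and text.endswith("]"):
        return [v.strip() for v in text[1:-1].split(",") if v.strip()]
    return [text] if text else []


def parse_validation_response(xml_text):
    """Return (user, attributes) on success, or None when CAS reports a failure.

    attributes maps attribute name -> list of values, so a repeated element and a
    bracketed list both end up as lists and callers never compare against a raw
    string. For input from a network peer, parse with defusedxml in production.
    """
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        return None  # <cas:authenticationFailure> or an unexpected document
    user_el = success.find(f"{{{CAS_NS}}}user")
    if user_el is None or not (user_el.text or "").strip():
        return None  # a success element without a user is not a usable assertion

    attrs = {}
    attr_block = success.find(f"{{{CAS_NS}}}attributes")
    if attr_block is not None:
        for el in attr_block:
            # Strip the namespace from the tag: "{ns}groupMembership" -> "groupMembership"
            name = el.tag.split("}", 1)[1] if "}" in el.tag else el.tag
            attrs.setdefault(name, []).extend(_split_values(el.text))
    return user_el.text.strip(), attrs


def has_role(attributes, role, attribute_name="groupMembership"):
    """Authorization check on the released group attribute.

    Exact-match membership only; a missing attribute yields an empty list and
    therefore False, so an incomplete attribute release never grants access.
    """
    return role in attributes.get(attribute_name, [])


if __name__ == "__main__":
    result = parse_validation_response(SAMPLE_RESPONSE)
    user, attrs = result
    print(user, attrs)
    print("admin:", has_role(attrs, "admins"), "root:", has_role(attrs, "root"))
    print("failure parsed as:", parse_validation_response(FAILURE_RESPONSE))
```

The application should only ever call `has_role` on attributes obtained from a ticket it validated itself against the CAS server over HTTPS; the attribute element names are whatever keys the JSP loop emits, so the name used in `has_role` must match the key chosen in `resultAttributeMapping` and listed under `allowedAttributes`.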