
Get LDAP user attributes from CAS


I've got some problems with CAS in conjunction with LDAP now. I want to implement an SSO solution for multiple applications. Authentication works great so far. We want to authorize the users on the basis of their roles, which are configured in LDAP. The problem is that CAS does not deliver the user roles.

I have got as far as knowing that deployerConfigContext.xml needs to be configured. I have also found various tutorials, but most either work with the wrong version of CAS or do not do what I want.

Our users reside in cn=admin,cn=users,dc=manager,dc=local, groups in cn=admins,ou=groups,dc=manager,dc=local. The CAS version is 3.5.2.

I have tried inserting something like this:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
        <map>
            <entry key="uid" value="uid" />
            <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
            <entry key="groupMembership" value="groupMembership" />
        </map>
    </property>
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <entry key="cn" value="Name" />
            <entry key="home" value="homeDirectory" />
        </map>
    </property>
</bean>

CAS told me that it doesn't like the properties query, contextSource and ldapAttributesToPortalAttributes. I wanted to fetch the "simple" attribute homeDirectory.

Can any of you give me tips on how to configure that wicked XML file? If you wish, I can also provide the complete XML file.

UPDATE

After some fiddling, I tried configuring an attributeRepository as on this site: https://wiki.jasig.org/display/CASUM/Attributes in the chapter "Populate Principal's attributes with LDAP repository". The result is that CAS doesn't start but instead gives me the message

Bean property 'ldapAttributesToPortalAttributes' is not writable or has an invalid setter method.

My attributeRepository looks like this:

<bean id="attributeRepository"  class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <entry key="cn" value="Name" />
            <entry key="home" value="homeDirectory" />
        </map>
    </property>
</bean>

Solution

  • I have the following bean

    <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="baseDN" value="ou=groups,dc=manager,dc=local"/>
        <property name="contextSource" ref="contextSource" />
        <property name="requireAllQueryAttributes" value="true"/>
        <property name="queryAttributeMapping">
            <map>
                <entry key="username" value="sAMAccountName" />
            </map>
        </property>
        <property name="resultAttributeMapping">
            <map>
                <entry key="displayName" value="cn" />
            </map>
        </property>
    </bean>
    

    Here you are mapping the displayName attribute to cn. A few lines below in your deployerConfigContext.xml you will find allowedAttributes; if it doesn't exist you can add it. Using this you will load that information into the session.

    <bean
        id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegexRegisteredService">
                    <property name="id" value="0" />
                    <property name="name" value="HTTP and IMAP" />
                    <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
                    <property name="serviceId" value="^(https?|imaps?)://.*" />
                    <property name="evaluationOrder" value="10000001" />
                    <property name="allowedAttributes">
                        <list>
                            <value>cn</value>
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>
    

    In order to return those values from CAS, modify casServiceValidationSuccess.jsp (located at WEB-INF/view/jsp/protocol/2.0):

    <cas:attributes>
        <c:forEach var="auth" items="${assertion.chainedAuthentications}">
            <c:forEach var="attr" items="${auth.principal.attributes}">
                <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
            </c:forEach>
        </c:forEach>
    </cas:attributes>
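The answer above ends on the server side: once the JSP is patched, the attributes travel inside the `<cas:attributes>` element of the CAS 2.0 `/serviceValidate` response, and each application still has to parse that response and map the released attributes to roles. The following is an added example, not code from the original post or from the CAS project, showing a small client-side parser for that response. The XML samples are constructed to look like what the patched JSP emits. Two assumptions are labelled in the code: a multi-valued LDAP attribute (such as a user's group memberships) rendered through `${attr.value}` appears as Java's `List.toString()` form `[a, b]`, and the attribute is named `memberOf`; both depend on your directory and your `resultAttributeMapping`. Note also that the `serviceId` regex in the answer, `^(https?|imaps?)://.*`, releases `cn` to every HTTP(S) service that can obtain a ticket; in production, register each application's URL pattern separately and list only the attributes it needs.

```python
"""Parse a CAS 2.0 /serviceValidate response and derive roles from it.

Added example, not part of the original post. The XML below is constructed to
mirror what the patched casServiceValidationSuccess.jsp would emit.
"""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}

# Constructed sample: a successful validation with two released attributes.
# The memberOf value is what a Java List renders as through ${attr.value}
# (assumption: List.toString() form "[a, b]").
SAMPLE_SUCCESS = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:cn>John Doe</cas:cn>
      <cas:memberOf>[cn=admins,ou=groups,dc=manager,dc=local, cn=users,ou=groups,dc=manager,dc=local]</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the failure shape CAS returns for a bad or replayed ticket.
SAMPLE_FAILURE = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


class CasValidationError(Exception):
    """Raised when the response carries cas:authenticationFailure or no success."""


def _split_java_list(value: str) -> list:
    """Turn "[a, b]" (assumed List.toString() rendering) into ["a", "b"].

    Splitting on ", " is safe for LDAP DNs because RFC 4514 DNs carry no space
    after the separating comma. A plain scalar comes back as a one-element list.
    """
    if value.startswith("[") and value.endswith("]"):
        inner = value[1:-1]
        return [v for v in inner.split(", ") if v] if inner else []
    return [value]


def parse_service_validate(xml_text: str) -> dict:
    """Return {"user": str, "attributes": {name: [values...]}} or raise."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise CasValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise CasValidationError("no cas:authenticationSuccess element")
    user = success.findtext("cas:user", default="", namespaces=NS).strip()
    if not user:
        raise CasValidationError("cas:user missing or empty")
    attributes = {}
    container = success.find("cas:attributes", NS)
    if container is not None:
        for child in container:
            name = child.tag.split("}", 1)[-1]  # strip the namespace URI
            attributes.setdefault(name, []).extend(
                _split_java_list((child.text or "").strip()))
    return {"user": user, "attributes": attributes}


def failure_code(xml_text: str):
    """Return the cas:authenticationFailure code, or None if validation succeeded."""
    try:
        parse_service_validate(xml_text)
    except CasValidationError as exc:
        return str(exc).split(":", 1)[0]
    return None


def has_group(assertion: dict, group_dn: str, attribute: str = "memberOf") -> bool:
    """Authorize on group DN membership; attribute name is an assumption."""
    return group_dn in assertion["attributes"].get(attribute, [])


if __name__ == "__main__":
    assertion = parse_service_validate(SAMPLE_SUCCESS)
    print(assertion["user"], assertion["attributes"])
    print("admin:", has_group(assertion, "cn=admins,ou=groups,dc=manager,dc=local"))
    print("failure code:", failure_code(SAMPLE_FAILURE))
```

Compare DNs exactly as released rather than by substring: a check like `"cn=admins" in value` would also match `cn=admins-readonly`, and the group DN is the authorization boundary here.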