Trouble getting user from LDAP
Scott Battaglia
scott.battaglia at gmail.com
Mon Dec 10 11:55:11 EST 2007
You should be able to use sAMAccountName if you want.
-Scott
On Dec 10, 2007 10:20 AM, Jonathan Hayward http://JonathansCorner.com <
christos.jonathan.hayward at gmail.com> wrote:
> We are having trouble getting CAS to get the usernames from LDAP; in our
> LDAP server, the "uid" field is not populated ("sAMAccountName" does its
> work).
>
> Do any problems jump out, or any "usual suspects" for trouble getting
> usernames from LDAP?
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> | deployerConfigContext.xml centralizes into one file some of
> the declarative configuration that
> | all CAS deployers will need to modify.
> |
> | This file declares some of the Spring-managed JavaBeans that
> make up a CAS deployment.
> | The beans declared in this file are instantiated at context
> initialization time by the Spring
> | ContextLoaderListener declared in web.xml. It finds this
> file because this
> | file is among those declared in the context parameter
> "contextConfigLocation".
> |
> | By far the most common change you will need to make in this
> file is to change the last bean
> | declaration to replace the default
> SimpleTestUsernamePasswordAuthenticationHandler with
> | one implementing your approach for authenticating usernames
> and passwords.
> +-->
> <beans xmlns="http://www.springframework.org/schema/beans"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:p="http://www.springframework.org/schema/p"
> xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
> <!--
> | This bean declares our AuthenticationManager.
> The CentralAuthenticationService service bean
> | declared in applicationContext.xml picks up this
> AuthenticationManager by reference to its id,
> | "authenticationManager". Most deployers will be
> able to use the default AuthenticationManager
> | implementation and so do not need to change the
> class of this bean. We include the whole
> | AuthenticationManager here in the
> userConfigContext.xml so that you can see the things you will
> | need to change in context.
> +-->
>
> <bean id="contextSource" class="
> org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> <property name="urls">
> <list>
>
> <value>ldap://[DELETED]:389/OU=Accounts,OU=[DELETED],OU=[DELETED],DC=[DELETED],DC=[DELETED],DC=[DELETED]</value>
> </list>
> </property>
> <property name="userName" value="[DELETED]"/>
> <property name="password" value="[DELETED]"/>
> <property name="baseEnvironmentProperties">
> <map>
> <entry>
> <key>
> <value>java.naming.security.authentication</value>
> </key>
> <value>simple</value>
> </entry>
> </map>
> </property>
> </bean>
> <bean id="authenticationManager"
> class="
> org.jasig.cas.authentication.AuthenticationManagerImpl">
> <!--
> | This is the List of
> CredentialToPrincipalResolvers that identify what Principal is trying to
> authenticate.
> | The AuthenticationManagerImpl
> considers them in order, finding a CredentialToPrincipalResolver which
> | supports the presented credentials.
> |
> | AuthenticationManagerImpl uses these
> resolvers for two purposes. First, it uses them to identify the Principal
> | attempting to authenticate to CAS
> /login . In the default configuration, it is the
> DefaultCredentialsToPrincipalResolver
> | that fills this role. If you are
> using some other kind of credentials than UsernamePasswordCredentials, you
> will need to replace
> |
> DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver
> that supports the credentials you are
> | using.
> |
> | Second, AuthenticationManagerImpl
> uses these resolvers to identify a service requesting a proxy granting
> ticket.
> | In the default configuration, it is
> the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
>
> | You will need to change this list if
> you are identifying services by something more or other than their callback
> URL.
> +-->
> <property name="credentialsToPrincipalResolvers">
> <list>
> <!--
> |
> UsernamePasswordCredentialsToPrincipalResolver supports the
> UsernamePasswordCredentials that we use for /login
> | by default
> and produces SimplePrincipal instances conveying the username from the
> credentials.
> |
> | If you've
> changed your LoginFormAction to use credentials other than
> UsernamePasswordCredentials then you will also
> | need to
> change this bean declaration (or add additional declarations) to declare a
> CredentialsToPrincipalResolver that supports the
> | Credentials
> you are using.
> +-->
> <bean
> class="
> org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"
> >
> <property
> name="attributeRepository">
>
> <ref bean="attributeRepository" />
> </property>
> </bean>
> <!--
> |
> HttpBasedServiceCredentialsToPrincipalResolver supports
> HttpBasedCredentials. It supports the CAS 2.0 approach of
> |
> authenticating services by SSL callback, extracting the callback URL from
> the Credentials and representing it as a
> |
> SimpleService identified by that callback URL.
> |
> | If you are
> representing services by something more or other than an HTTPS URL whereat
> they are able to
> | receive a
> proxy callback, you will need to change this bean declaration (or add
> additional declarations).
> +-->
> <bean
> class="
> org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"
> />
> </list>
> </property>
> <!--
> | Whereas
> CredentialsToPrincipalResolvers identify who it is some Credentials might
> authenticate,
> | AuthenticationHandlers actually
> authenticate credentials. Here we declare the AuthenticationHandlers that
> | authenticate the Principals that the
> CredentialsToPrincipalResolvers identified. CAS will try these handlers in
> turn
> | until it finds one that both
> supports the Credentials presented and succeeds in authenticating.
> +-->
> <property name="authenticationHandlers">
> <list>
> <!--
> | This is the
> authentication handler that authenticates services by means of callback via
> SSL, thereby validating
> | a server
> side SSL certificate.
> +-->
> <bean class="
> org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler
> "
>
> p:httpClient-ref="httpClient" />
> <!--
> | This is the
> authentication handler declaration that every CAS deployer will need to
> change before deploying CAS
> | into
> production. The default SimpleTestUsernamePasswordAuthenticationHandler
> authenticates UsernamePasswordCredentials
> | where the
> username equals the password. You will need to replace this with an
> AuthenticationHandler that implements your
> | local
> authentication strategy. You might accomplish this by coding a new such
> handler and declaring
> |
> edu.someschool.its.cas.MySpecialHandler here, or you might use one of the
> handlers provided in the adaptors modules.
> +-->
> <!--
> <bean
> class="
> org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"
> />
> -->
>
> <bean class="
> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> <property
> name="filter" value="sAMAccountName=%u" />
> <property
> name="searchBase" value="DC=[DELETED],DC=[DELETED],DC=[DELETED]" />
> <property
> name="contextSource" ref="contextSource" />
> <property
> name="ignorePartialResultException" value="yes" />
> </bean>
> </list>
> </property>
> </bean>
>
> <!--
> This bean defines the security roles for the Services
> Management application. Simple deployments can use the in-memory version.
> More robust deployments will want to use another option, such
> as the Jdbc version.
>
> The name of this should remain "userDetailsService" in order
> for Acegi to find it.
>
> To use this, you should add an entry similar to the following
> between the two value tags:
> battags=notused,ROLE_ADMIN
>
> where battags is the username you want to grant access to.
> You can put one entry per line.
> -->
> <bean id="userDetailsService" class="
> org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
> <property name="userMap">
> <value>
> </value>
> </property>
> </bean>
>
> <!--
> Bean that defines the attributes that a service may return.
> This example uses the Stub/Mock version. A real implementation
> may go against a database or LDAP server. The id should
> remain "attributeRepository" though.
> -->
> <bean id="attributeRepository"
> class="
> org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
> <property name="baseDN"
>
> value="OU=[DELETED],OU=[DELETED],OU=[DELETED],DC=[DELETED],DC=[DELETED],DC=[DELETED]"
> />
> <property name="principalAttributeName"
> value="sAMAccountName" />
>
> <!-- This query is used to find the entry for
> populating attributes. {0} will be replaced by the new Principal ID
> extracted from the ldap-->
> <property name="query"
> value="(sAMAccountName={0})" />
> <property name="contextSource" ref="contextSource"
> />
>
> </bean>
>
> <!--
> Sample, in-memory data store for the ServiceRegistry. A real
> implementation
> would probably want to replace this with the JPA-backed
> ServiceRegistry DAO
> The name of this bean should remain "serviceRegistryDao".
> -->
> <bean
> id="serviceRegistryDao"
> class="
> org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> </beans>
> --
> ++ Jonathan Hayward, jonathan.hayward at pobox.com
> ** To see an award-winning website with stories, essays, artwork,
> ** games, and a four-dimensional maze, why not visit my home page?
> ** All of this is waiting for you at http://JonathansCorner.com
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20071210/b57f8b3b/attachment.html
More information about the cas
mailing list