Hello all,
I'm using "apereo CAS Overlay 5.1.1" and CAS Service Management Overlay 5.1.1.
I encounter a similar issue:
step 1) login success.
step 2) Access failed (because: No principal attributes are found to satisfy defined attribute requirements ??)
My *.json* config:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder" : 10000,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "attributeReleasePolicy" : {
      "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
      "allowedAttributes" : [ "java.util.ArrayList", [ "sAMAccountName", "displayName", "cn" ] ]
    },
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "sAMAccountName" : [ "java.util.HashSet", [ "mylogin_ad" ] ],
      "displayName" : [ "java.util.HashSet", [ "NAME Julien" ] ]
    }
  }
}
My attribute config in *management.properties*:
cas.authn.attributeRepository.attributes.uid=sAMAccountName={user}
cas.authn.attributeRepository.attributes.mail=mail
cas.authn.attributeRepository.attributes.displayName=displayName
cas.authn.attributeRepository.attributes.cn=commonName
My *log*:
=============================================================
WHO: mylogin_ad
WHAT: Supplied credentials: [mylogin_ad]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Jun 29 09:40:22 CEST 2017
CLIENT IP ADDRESS: ip_client
SERVER IP ADDRESS: ip_serveur
=============================================================
2017-06-29 09:40:22,748 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationTransactionManager] -
<Successful authentication; Collecting authentication result
[org.apereo.cas.authentication.DefaultAuthentication@915180a0]>
2017-06-29 09:40:22,760 DEBUG [org.apereo.cas.web.support.WebUtils] -
<Evaluating request to determine if warning cookie should be generated>
2017-06-29 09:40:22,770 DEBUG [org.apereo.cas.web.support.WebUtils] -
<Evaluating request to determine if warning cookie should be generated>
2017-06-29 09:40:22,777 DEBUG [org.apereo.cas.web.support.WebUtils] -
<Evaluating request to determine if warning cookie should be generated>
2017-06-29 09:40:22,785 DEBUG [org.apereo.cas.web.support.WebUtils] -
<Evaluating request to determine if warning cookie should be generated>
2017-06-29 09:40:22,785 DEBUG [org.apereo.cas.web.support.WebUtils] -
<Evaluating request to determine if warning cookie should be generated>
2017-06-29 09:40:22,792 DEBUG [org.apereo.cas.web.support.WebUtils] -
<Evaluating request to determine if warning cookie should be generated>
2017-06-29 09:40:22,803 DEBUG [org.apereo.cas.web.support.WebUtils] -
<Evaluating request to determine if warning cookie should be generated>
2017-06-29 09:40:22,810 DEBUG [org.apereo.cas.web.support.WebUtils] -
<Evaluating request to determine if warning cookie should be generated>
2017-06-29 09:40:22,817 DEBUG [org.apereo.cas.web.support.WebUtils] -
<Evaluating request to determine if warning cookie should be generated>
2017-06-29 09:40:22,823 DEBUG [org.apereo.cas.web.support.WebUtils] -
<Evaluating request to determine if warning cookie should be generated>
2017-06-29 09:40:22,824 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
<Collecting authentication history based on [1] authentication events>
2017-06-29 09:40:22,825 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
<Evaluating authentication principal [mylogin_ad] for inclusion in result>
2017-06-29 09:40:22,825 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
<Collected principal attributes [{memberOf=[CN=Liste Utilisateurs
XXXX,OU=Groupes de distribution,OU=Groupes,DC=domaine,DC=com,DC=fr],
LdapAuthenticationHandler.mylogin_ad=CN=NAME
Julien,OU=D.S.I.,OU=ADMINISTRATIFS,DC=domaine,DC=com,DC=fr,
[email protected], sAMAccountName=mylogin_ad, displayName=NAME
Julien}] for inclusion in this result for principal [mylogin_ad]>
2017-06-29 09:40:22,827 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
<Collected single authentication attribute [authenticationMethod] ->
[LdapAuthenticationHandler]>
2017-06-29 09:40:22,827 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
<Collected single authentication attribute
[successfulAuthenticationHandlers] -> [[LdapAuthenticationHandler]]>
2017-06-29 09:40:22,827 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
<Finalized authentication attributes
[{authenticationMethod=LdapAuthenticationHandler,
successfulAuthenticationHandlers=[LdapAuthenticationHandler]}] for
inclusion in this authentication result>
2017-06-29 09:40:22,828 DEBUG
[org.apereo.cas.authentication.DefaultPrincipalElectionStrategy] -
<Nominated [mylogin_ad] as the primary principal>
2017-06-29 09:40:22,829 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
<Determined primary authentication principal to be [mylogin_ad]>
2017-06-29 09:40:22,829 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
<Collected authentication attributes for this result are
[{authenticationMethod=LdapAuthenticationHandler,
successfulAuthenticationHandlers=[LdapAuthenticationHandler]}]>
2017-06-29 09:40:22,829 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
<Authentication result commenced at
[2017-06-29T09:40:22.829+02:00[Europe/Paris]]>
2017-06-29 09:40:22,829 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
<Building an authentication result for authentication
[org.apereo.cas.authentication.DefaultAuthentication@cc139fa0] and service
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@18c92e83[id=https://servername.domain.com.fr:8443/cas-management/manage.html,originalUrl=https://servername.domain.com.fr:8443/cas-management/manage.html,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]]>
2017-06-29 09:40:22,830 DEBUG
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -
<Creating new transaction with name
[org.apereo.cas.DefaultCentralAuthenticationService.createTicketGrantingTicket]:
PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2017-06-29 09:40:22,830 DEBUG
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -
<Creating new transaction with name
[org.apereo.cas.DefaultCentralAuthenticationService.createTicketGrantingTicket]:
PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2017-06-29 09:40:22,837 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Locating principal attributes for [mylogin_ad]>
2017-06-29 09:40:22,838 DEBUG
[org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository]
- <[DefaultPrincipalAttributesRepository] will return the collection of
attributes directly associated with the principal object which are
[{displayName=NAME Julien, LdapAuthenticationHandler.mylogin_ad=CN=NAME
Julien,OU=D.S.I.,OU=ADMINISTRATIFS,DC=domaine,DC=com,DC=fr,
[email protected], memberOf=[CN=Liste Utilisateurs
APPLIS,OU=Groupes de distribution,OU=Groupes,DC=domaine,DC=com,DC=fr],
sAMAccountName=mylogin_ad}]>
2017-06-29 09:40:22,838 DEBUG
[org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository]
- <Found [5] cached attributes for principal [mylogin_ad] that are
[{displayName=NAME Julien, LdapAuthenticationHandler.mylogin_ad=CN=NAME
Julien,OU=D.S.I.,OU=ADMINISTRATIFS,DC=domaine,DC=com,DC=fr,
[email protected], memberOf=[CN=Liste Utilisateurs
APPLIS,OU=Groupes de distribution,OU=Groupes,DC=domaine,DC=com,DC=fr],
sAMAccountName=mylogin_ad}]>
2017-06-29 09:40:22,838 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Found principal attributes [{displayName=NAME Julien,
LdapAuthenticationHandler.mylogin_ad=CN=NAME
Julien,OU=D.S.I.,OU=ADMINISTRATIFS,DC=domaine,DC=com,DC=fr,
[email protected], memberOf=[CN=Liste Utilisateurs
APPLIS,OU=Groupes de distribution,OU=Groupes,DC=domaine,DC=com,DC=fr],
sAMAccountName=mylogin_ad}] for [mylogin_ad]>
2017-06-29 09:40:22,838 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Calling attribute policy [ReturnAllowedAttributeReleasePolicy] to process
attributes for [mylogin_ad]>
2017-06-29 09:40:22,840 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of
[{}] for [mylogin_ad]>
2017-06-29 09:40:22,841 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attempting to merge policy attributes and default attributes>
2017-06-29 09:40:22,841 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Checking default attribute policy attributes>
2017-06-29 09:40:22,841 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Located application context. Retrieving default attributes for release, if
any>
2017-06-29 09:40:22,841 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes for release are: [[]]>
2017-06-29 09:40:22,842 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes found to be released are [{}]>
2017-06-29 09:40:22,842 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding default attributes first to the released set of attributes>
2017-06-29 09:40:22,842 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding policy attributes to the released set of attributes>
2017-06-29 09:40:22,843 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Final collection of attributes allowed are: [{}]>
2017-06-29 09:40:22,843 DEBUG
[org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <No
principal attributes are found to satisfy defined attribute requirements>
2017-06-29 09:40:22,843 DEBUG
[org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Access
is denied. There are not enough attributes available to satisfy
requirements>
2017-06-29 09:40:22,843 WARN
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot
grant access to service
[https://servername.domain.com.fr:8443/cas-management/manage.html] because
it is not authorized for use by [mylogin_ad].>
2017-06-29 09:40:22,846 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: mylogin_ad
WHAT: L'application pour laquelle vous avez tenté de vous authentifier
n'est pas autorisée à utiliser CAS.
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Jun 29 09:40:22 CEST 2017
CLIENT IP ADDRESS: ip_client
SERVER IP ADDRESS: ip_serveur
=============================================================
Can anyone help me, please? Thanks.
On Monday 21 November 2016 at 10:34:28 UTC+1, Ludovic Senecaux wrote:
>
> Hi,
>
> I would like to configure the new mgmt webapp (v5) authorization through
> LDAP like in CAS v4.2.x.
> I have an LDAP group (groupOfNames) with many members (member attribute).
> In CAS 4.x, this was possible through ldaptive:AuthorizationGenerator.
> In CAS 5.x, I didn't find any doc to configure authz through LDAP groups.
>
> Thanks in advance
>
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ad02685-caac-44c1-b501-033676f9fa87%40apereo.org.
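The DEBUG log above shows the order CAS 5.1 evaluates a service in: the attribute release policy first decides which principal attributes are released ("allows release of [{}]"), and only then does the access strategy check its requiredAttributes against that released set ("No principal attributes are found to satisfy defined attribute requirements"). The following is an added example, not CAS or poster code, that models that chain in Python; its reading that the nested `attributeReleasePolicy` (placed inside `accessStrategy` in the posted JSON rather than at the top level) is ignored and the default empty allow-list applied is an assumption consistent with the log, and the principal attributes and the `hoist_release_policy` helper are constructed for the illustration.

```python
"""Model of the CAS 5.1 evaluation chain: release policy first, then the
access strategy's requiredAttributes against the released set.
Added example, not CAS code; POSTED mirrors the posted service JSON."""
import copy

# Principal attributes as they appear in the poster's log (constructed copy).
PRINCIPAL = {"sAMAccountName": ["mylogin_ad"], "displayName": ["NAME Julien"],
             "memberOf": ["CN=Liste Utilisateurs APPLIS,OU=Groupes,DC=domaine"]}

POSTED = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^(https|imaps)://.*",
    "accessStrategy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "attributeReleasePolicy": {   # nested here instead of at top level (assumed ignored)
            "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
            "allowedAttributes": ["java.util.ArrayList", ["sAMAccountName", "displayName", "cn"]]},
        "requiredAttributes": {
            "@class": "java.util.HashMap",
            "sAMAccountName": ["java.util.HashSet", ["mylogin_ad"]],
            "displayName": ["java.util.HashSet", ["NAME Julien"]]}}}

def released_attributes(service, principal):
    """ReturnAllowedAttributeReleasePolicy: release only allow-listed names.
    With no top-level policy the default empty allow-list releases nothing,
    matching the log line 'allows release of [{}]'."""
    policy = service.get("attributeReleasePolicy", {})
    allowed = policy.get("allowedAttributes", [None, []])[1]
    return {k: v for k, v in principal.items() if k in allowed}

def access_granted(service, released):
    """DefaultRegisteredServiceAccessStrategy: every required attribute must be
    released with at least one of its required values."""
    strategy = service["accessStrategy"]
    required = {k: set(v[1]) for k, v in
                strategy.get("requiredAttributes", {}).items() if k != "@class"}
    if required and not released:
        return False  # 'No principal attributes are found to satisfy ...'
    return all(set(released.get(k, [])) & vals for k, vals in required.items())

def evaluate(service, principal=PRINCIPAL):
    return access_granted(service, released_attributes(service, principal))

def hoist_release_policy(service):
    """Constructed helper: copy the service with attributeReleasePolicy moved
    to the top level, where RegexRegisteredService expects it."""
    fixed = copy.deepcopy(service)
    policy = fixed["accessStrategy"].pop("attributeReleasePolicy", None)
    if policy is not None:
        fixed["attributeReleasePolicy"] = policy
    return fixed
```

`evaluate(POSTED)` reproduces the denial in the log, while `evaluate(hoist_release_policy(POSTED))` grants access because sAMAccountName and displayName are now released before the required-attribute check runs.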