Greetings all,

I'm having a heck of a time getting X509 with LDAP integration and LDAP 
attribute resolution working on CAS 6.0.  The core issue is that I have to 
use the certificate UPN for initial authentication and for determining the 
user's DN from LDAP.  Then I have to use that DN to look up other 
attributes.  My hands are tied on how the LDAP schema is set up.

Using this configuration:

cas.authn.x509.name=X509_AUTHENTICATION
cas.authn.x509.order=0
cas.authn.x509.principalType=SUBJECT_ALT_NAME
cas.authn.x509.checkKeyUsage=true
cas.authn.x509.requireKeyUsage=true

cas.authn.attributeRepository.ldap[0].order=0
cas.authn.attributeRepository.ldap[0].name=AD_SERVERS
cas.authn.attributeRepository.ldap[0].ldapUrl=${ldapUrl}
cas.authn.attributeRepository.ldap[0].bindDn=${bindDn}
cas.authn.attributeRepository.ldap[0].bindCredential=${bindCredential}
cas.authn.attributeRepository.ldap[0].baseDn=${baseDn}
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].searchFilter=(&(sAMAccountType=805306368)(userPrincipalName={0}))
cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.attributeRepository.ldap[0].attributes.distinguishedName=distinguishedName
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.mail=mail

CAS gets the UPN off the certificate, creates a Principal ID, and 
returns distinguishedName, displayName, and mail.  But I need other 
attributes with a searchFilter using the distinguishedName.  I tried adding 
a 2nd cas.authn.attributeRepository entry but can't figure out how to use 
the distinguishedName from the first one.  So then I thought I might be 
able to use LDAP integration to use the UPN to get the DN and then use that 
in the attributeRepository block, and it's turned out to be even worse.  Just 
for authentication I've got:

cas.authn.x509.name=X509_AUTHENTICATION
cas.authn.x509.order=0
cas.authn.x509.principalType=SUBJECT_ALT_NAME
cas.authn.x509.principalDescriptor=$username
cas.authn.x509.checkKeyUsage=true
cas.authn.x509.requireKeyUsage=true

cas.authn.x509.ldap.name=X509_LDAP_INTEGRATION
cas.authn.x509.ldap.ldapUrl=${ldapUrl}
cas.authn.x509.ldap.bindDn=${bindDn}
cas.authn.x509.ldap.bindCredential=${bindCredential}
cas.authn.x509.ldap.baseDn=${baseDn}
cas.authn.x509.ldap.keystore=${keyStore}
cas.authn.x509.ldap.keystorePassword=${keyPasswd}
cas.authn.x509.ldap.useSsl=true
cas.authn.x509.ldap.useStartTls=false
cas.authn.x509.ldap.subtreeSearch=true
cas.authn.x509.ldap.searchFilter=(&(sAMAccountType=805306368)(userPrincipalName={0}))
cas.authn.x509.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.x509.ldap.allowMultipleDns=false
cas.authn.x509.ldap.allowMultipleEntries=false
cas.authn.x509.ldap.followReferrals=false

The logs show: 
<Creating principal for [merrittc@site]>
<Created seed map='{username=[merrittc@site]}' for uid='merrittc@site'>

Then it throws a NullPointerException:

ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[X509SubjectAlternativeNameUPNPrincipalResolver(super=AbstractX509PrincipalResolver(super=PersonDirectoryPrincipalResolver(attributeRepository=org.apereo.services.persondir.support.CachingPersonAttributeDaoImpl@25109608, principalFactory=org.apereo.cas.authentication.principal.DefaultPrincipalFactory@1, returnNullIfNoAttributes=false, principalNameTransformer=org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver$$Lambda$706/0x0000000840841840@be5226f, principalAttributeNames=username, useCurrentPrincipalId=false), alternatePrincipalAttribute=null))] failed to resolve principal from [AbstractCredential()]>

Followed by:
2019-05-20 12:30:47,903 WARN 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Principal resolution handled by [$Proxy160] produced a null principal. 
This is likely due to misconfiguration or missing attributes; CAS will 
attempt to use the principal produced by the authentication handler, if 
any.>
2019-05-20 12:30:47,903 WARN 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Principal resolution for authentication by [X509_AUTHENTICATION] produced 
a null principal.>
2019-05-20 12:30:47,903 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final 
principal resolved for this authentication event is [null]>

and then AUTHENTICATION FAILED

Any ideas?  This is driving me up the wall.

Thanks
r/Chad
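The two steps the configuration above depends on, as an added example that is not from the original post and not CAS code: pulling the UPN out of the certificate's subjectAltName otherName (which is what principalType=SUBJECT_ALT_NAME relies on) and substituting it for {0} in the searchFilter with RFC 4515 escaping. Standard-library Python only; the SAN bytes are constructed inline rather than read from a real certificate, and all function names here are my own.

```python
"""Added example: extract the UPN otherName from a DER SubjectAltName value
and place it safely into an LDAP search filter.  Standard library only; the
SAN bytes are constructed below, not read from a real certificate."""

# Microsoft User Principal Name otherName OID (szOID_NT_PRINCIPAL_NAME).
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return bytes(out)


def _decode_oid(body):
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def _read_tlv(buf, pos):
    """Read one DER TLV (single-byte tags only); return (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_san(upn, dns_names=()):
    """Construct a DER SubjectAltName: optional UPN otherName plus dNSNames."""
    names = []
    if upn is not None:
        # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        other = _der_tlv(0x06, _encode_oid(UPN_OID)) + \
            _der_tlv(0xA0, _der_tlv(0x0C, upn.encode("utf-8")))
        names.append(_der_tlv(0xA0, other))  # [0] IMPLICIT OtherName
    for d in dns_names:
        names.append(_der_tlv(0x82, d.encode("ascii")))  # [2] dNSName
    return _der_tlv(0x30, b"".join(names))


def extract_upn(san_der):
    """Return the UPN otherName from a SAN value, or None if there is none."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        return None
    pos = 0
    while pos < len(body):
        t, b, pos = _read_tlv(body, pos)
        if t != 0xA0:
            continue  # not an otherName GeneralName
        ot, oid_body, p = _read_tlv(b, 0)
        if ot != 0x06 or _decode_oid(oid_body) != UPN_OID:
            continue  # some other otherName type
        _, value, _ = _read_tlv(b, p)  # [0] EXPLICIT wrapper
        st, sbody, _ = _read_tlv(value, 0)
        if st == 0x0C:  # UTF8String
            return sbody.decode("utf-8")
    return None


def escape_filter_value(value):
    """RFC 4515 escaping for a value inserted into an LDAP filter assertion."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_search_filter(template, principal):
    """Substitute the resolved principal for {0} in a CAS-style searchFilter."""
    return template.replace("{0}", escape_filter_value(principal))


if __name__ == "__main__":
    san = build_san("merrittc@site", dns_names=("host.example",))
    upn = extract_upn(san)
    print(upn)
    print(build_search_filter(
        "(&(sAMAccountType=805306368)(userPrincipalName={0}))", upn))
```

extract_upn returns None when the certificate carries no UPN otherName, which is the situation a null principal in the log should make you check first. The escaping step is there because the value substituted into (userPrincipalName={0}) originates in the certificate: a trusted issuer vouches for it, but building the filter without escaping is still the weak default.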

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/10091f6f-d896-4780-a49e-a4ac42d773b7%40apereo.org.
