What I suspect you're missing is that you are running (as you report) CAS 6.2.3, and yet the "excludedAuthenticationHandlers" piece is only available in 6.3.x
Compare: https://apereo.github.io/cas/6.2.x/services/Configuring-Service-AuthN-Policy.html
With: https://apereo.github.io/cas/development/services/Configuring-Service-AuthN-Policy.html

Big red box, top of the page. The table that contains the parameters should be the main delta.

On Thursday, October 29, 2020 at 1:28:27 AM UTC+4 C Ryan wrote:
> Reposting essentially again as I just cannot make this go. My heartfelt apologies that I'm circling to the list again on this.
>
> As before. I want to be able to specifically require an exclusive Authentication Resource per Service definition. I cannot seem to make this work.
>
> CAS 6.2.3
>
> LDAP Resource Definition
> ==============
>
> cas.authn.ldap[0].name=LDAP
> cas.authn.ldap[0].order=0
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldap-url=ldap://100.10.1.230:3131
> cas.authn.ldap[0].bind-dn=cn=<xxxx>
> cas.authn.ldap[0].search-filter=(&(uid={user})(inetuserstatus=active))
> cas.authn.ldap[0].base-dn=o=isp
> cas.authn.ldap[0].bind-credential=yyyy
> cas.authn.ldap[0].principal-attribute-id=uid
> cas.authn.ldap[0].principal-attribute=uid
> cas.authn.ldap[0].principal-attribute-list=uid,sn,cn:commonName,givenName,inetUserStatus,dn
> cas.authn.ldap[0].use-ssl=false
> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=false
> cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
>
> Radius:
> =====
>
> cas.authn.radius.name=Radius
> cas.authn.radius.server.protocol=PAP
> cas.authn.radius.server.retries=1
> cas.authn.radius.client.authenticationPort=1645
> cas.authn.radius.client.sharedSecret=zzzzzz
> cas.authn.radius.client.inetAddress=100.10.1.184
> cas.authn.radius.client.accountingPort=1646
> cas.authn.radius.principal-attribute: username
> cas.authn.radius.principal-attribute-id: username
>
> Service Definition (Using HTTP Generic)
> ========================
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(https|imaps)://.*",
>   "name" : "HTTPS and IMAPS",
>   "id" : 10000001,
>   "evaluationOrder": 99999,
>   "authenticationPolicy": {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
>     "requiredAuthenticationHandlers": ["java.util.TreeSet", ["Radius"]],
>     "excludedAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]]
>   },
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   }
> }
>
> It just doesn't work. If I enter a credential set that fails in Radius it will still fall into LDAP and succeed.
>
> Also I'm trying to use LDAP attribute repository to round out the attribute response from said Radius authentication. Again debug logging of the various elements implies that it should work but I'm not even seeing the LDAP query for the attributes. Maybe I'm missing the point on how it all works? For example how do you define the attributes that link the PrincipalID etc etc.
>
> 2020-10-28 14:59:16,984 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <LDAP attributes are fetched from [ldap://100.10.1.230:3131] via filter [uid=zzzzz]>
> 2020-10-28 14:59:16,986 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured result attribute mapping for [ldap://100.10.1.230:3131] to be [{cn=commonName, dn=dn, inetUserStatus=inetUserStatus, uid=uid, mail=mail}]>
> 2020-10-28 14:59:16,990 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Setting binary attributes [[objectGUID, objectSid]]>
> 2020-10-28 14:59:16,990 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured subtree searching for [ldap://100.10.1.230:3131]>
> 2020-10-28 14:59:16,990 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Adding LDAP attribute source for [ldap://100.10.1.230:3131]>
>
> Configurations
>
> ** Enabling ePerson stuff?
>
> cas.person-directory.attribute-resolution-enabled: true
> cas.personDirectory.activeAttributeRepositoryIds: LDAPAttr
> cas.person-directory.return-null=false
> cas.person-directory.principal-attribute=uid
>
> cas.authn.attributeRepository.expirationTime=30
> cas.authn.attributeRepository.expirationTimeUnit=seconds
> cas.authn.attributeRepository.merger=MULTIVALUED
>
> ** Configuring the LDAP store (log output above seems to imply it's picking this up)
>
> cas.authn.attribute-repository.ldap[0].id=LDAPAttr
> cas.authn.attribute-repository.ldap[0].order=0
> cas.authn.attribute-repository.ldap[0].attributes.uid=uid
> cas.authn.attribute-repository.ldap[0].attributes.cn=commonName
> cas.authn.attribute-repository.ldap[0].attributes.dn=dn
> cas.authn.attribute-repository.ldap[0].attributes.mail=mail
> cas.authn.attribute-repository.ldap[0].attributes.inetUserStatus=inetUserStatus
> cas.authn.attribute-repository.ldap[0].ldapUrl=ldap://100.10.1.230:3131
> cas.authn.attribute-repository.ldap[0].useSsl=false
> cas.authn.attribute-repository.ldap[0].useStartTls=false
> cas.authn.attribute-repository.ldap[0].baseDn=o=isp
> cas.authn.attribute-repository.ldap[0].search-filter: uid={0}
> cas.authn.attribute-repository.ldap[0].bindDn=cn=xxxx
> cas.authn.attribute-repository.ldap[0].bindCredential=yyyy
>
> cas.authn.attribute-repository.default-attributes-to-release: uid,dn,mail,commonName
>
> Thoughts on either of these areas would be greatly appreciated.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c99f2149-ec79-47a4-9dbf-2a58e44487ben%40apereo.org.
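As an added check (not code from this thread or from the CAS project): a small Python linter that reads a service definition and a cas.properties fragment, unwraps the Jackson-style ["java.util.TreeSet", [...]] collections, verifies that every handler the policy names is actually declared by a cas.authn.*.name property, and flags policy fields the target CAS version does not support. The version gate (requiredAuthenticationHandlers documented for 6.2.x, excludedAuthenticationHandlers only from 6.3.x) is taken from the reply above and is an assumption of this script; the property lines and service JSON below are constructed samples with the same shape and redacted values as the post.

```python
"""Lint a CAS JSON service definition against the CAS version it will run on."""
import json
import re

# Assumption taken from the reply in this thread: 'excludedAuthenticationHandlers'
# first appears in the 6.3.x authentication-policy docs, while
# 'requiredAuthenticationHandlers' is already documented for 6.2.x.
POLICY_FIELD_MIN_VERSION = {
    "requiredAuthenticationHandlers": (6, 2),
    "excludedAuthenticationHandlers": (6, 3),
}

# Constructed sample: the handler-name lines from a cas.properties file.
SAMPLE_PROPERTIES = """\
cas.authn.ldap[0].name=LDAP
cas.authn.ldap[0].order=0
cas.authn.radius.name=Radius
cas.authn.radius.server.protocol=PAP
"""

# Constructed sample service definition, same shape as the one in the post.
SAMPLE_SERVICE = """\
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "evaluationOrder": 99999,
  "authenticationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers": ["java.util.TreeSet", ["Radius"]],
    "excludedAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]]
  }
}
"""


def parse_version(text):
    """'6.2.3' -> (6, 2); only major.minor matter for the feature gate."""
    m = re.match(r"^(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised CAS version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def handler_names(properties_text):
    """Collect every cas.authn.*.name value: the names a policy may reference."""
    names = set()
    for line in properties_text.splitlines():
        m = re.match(r"^\s*cas\.authn\.[^=:]*\.name\s*[=:]\s*(\S+)\s*$", line)
        if m:
            names.add(m.group(1))
    return names


def unwrap_typed_collection(value):
    """Jackson default typing: ["java.util.TreeSet", ["A", "B"]] -> ["A", "B"].
    A bare list of strings is accepted too; anything else is malformed."""
    if (isinstance(value, list) and len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith("java.util.") and isinstance(value[1], list)):
        return list(value[1])
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return list(value)
    raise ValueError(f"malformed handler collection: {value!r}")


def lint_service(service_json, properties_text, cas_version):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    version = parse_version(cas_version)
    known = handler_names(properties_text)
    policy = json.loads(service_json).get("authenticationPolicy") or {}
    for field, min_version in POLICY_FIELD_MIN_VERSION.items():
        if field not in policy:
            continue
        if version < min_version:
            findings.append(f"{field} is not available on CAS {cas_version} "
                            f"(needs {min_version[0]}.{min_version[1]}.x or later)")
        for name in unwrap_typed_collection(policy[field]):
            if name not in known:
                findings.append(f"{field} references handler {name!r}, "
                                f"which no cas.authn.*.name property declares")
    required = set(unwrap_typed_collection(policy.get("requiredAuthenticationHandlers", [])))
    excluded = set(unwrap_typed_collection(policy.get("excludedAuthenticationHandlers", [])))
    for name in sorted(required & excluded):
        findings.append(f"handler {name!r} is both required and excluded")
    return findings


if __name__ == "__main__":
    for finding in lint_service(SAMPLE_SERVICE, SAMPLE_PROPERTIES, "6.2.3"):
        print("WARN:", finding)
```

Run against the constructed sample with "6.2.3" the only finding is the excludedAuthenticationHandlers version gate; with "6.3.0" the list is empty. The handler-name check is the part worth keeping beyond this thread: the strings inside the TreeSet wrapper have to match the `name` property of a configured handler exactly, and a typo there fails silently rather than loudly.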
