Hello, well, maybe you didn't get me right. I want to resolve the attributes on authentication over LDAP. This works fine for a normal authentication, but if I want to make a surrogate authentication like "surrogateUser+primaryUser", the primary user principal has all LDAP attributes and the surrogate user principal has none. So I want the surrogate user principal to also have the LDAP attributes from the surrogate user. So there is only one data source (LDAP for primary and surrogate user). For this I found: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#person-directory-principal-resolution and I tried something around with these configuration options. No success so far.

So the LDAP attributes shouldn't get into the principal after the authentication. They should be there during authentication. I think that I need to configure the principal resolution right... but I don't know how. On the site I found this subtext: "Principal resolution and Person Directory settings for this feature are available here <https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#person-directory-principal-resolution> under the configuration key cas.authn.surrogate.principal." which redirects you to the link above.

Ray Bon wrote on Thursday, 26 November 2020 at 18:00:28 UTC+1:

> Marcel,
>
> principalAttributeList is for resolving attributes on authentication. If you want to retrieve attributes after the fact or perhaps from a different data source,
>
> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#authentication-attributes
>
> Ray
>
> On Thu, 2020-11-26 at 07:06 -0800, Marcel Fromkorth wrote:
> >
> > Hello,
> >
> > I'm trying to configure the surrogate authentication support over LDAP authentication. All this happens on CAS version 6.2.5.
> >
> > The problem is that the surrogate user principal has no attributes, which should be mapped from LDAP. I want the surrogateUser principal to get his LDAP attributes. For the primary user it works fine.
> >
> > I only got: "Surrogate access is denied. The principal does not have the required attributes [{attributes=[testAttribute]}]" -> which are defined in the service at "surrogateRequiredAttributes".
> >
> > In the debug logs I could see this:
> >
> > <Found surrogate principal [SimplePrincipal(id=testuser, attributes={})]>
> >
> > Some logs earlier I can see that the LDAP user for surrogate is found successfully and all needed attributes exist. -> So I think that something with the principal resolution doesn't work.
> >
> > Here a snippet of my cas.properties:
> >
> > cas.authn.surrogate.ldap.searchFilter=uid:caseExactMatch:={user}
> > cas.authn.surrogate.ldap.surrogateSearchFilter=uid:caseExactMatch:={surrogate}
> > cas.authn.surrogate.principal.attribute-resolution-enabled=true
> > cas.authn.surrogate.principal.principal-attribute=attributes
> >
> > I switched the accessStrategy in my services to SurrogateRegisteredServiceAccessStrategy.
> >
> > So... I don't know why the attributes of the surrogate user won't get mapped into the surrogate user principal. For the primary user it works fine (for the primary user I used cas.authn.ldap[0].principalAttributeList=attributes --> works fine).
> >
> > But in the documentation, it seems that there only exists the attribute "principal-attribute" for this type of setting.
> >
> > Can someone help me here?
> >
> > Greetings and thank you.
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
