2

Using CAS 5.3.x and SPNEGO (Kerberos) authentication, how do I get more user attributes than just the SAMAccountName?

When I only use "standard" LDAP authentication handler, I can just put this configuration:

cas.authn.ldap[0].principalAttributeList=sAMAccountName,displayName,givenName,mail

But after a SPNEGO authentication I don't get those additional attributes.

Do you know a way to do it?

Benjamin Bini

1 Answer

3

The ability to fetch attributes from external data stores has been present in CAS since the days of 3.x. This functionality was and, to this day, is provided by an Apereo project called Person Directory which is a Java framework for resolving persons and attributes from a variety of underlying sources. It consists of a collection of components that retrieve, cache, resolve, aggregate and merge person attributes from JDBC, LDAP and more. CAS attempts to take advantage of this framework through a concept called PrincipalResolver whose goal is to construct a final identifiable authenticated principal for CAS which carries a number of attributes inside it fetched from attribute repository sources. This meant that, for instance, one could authenticate with SPNEGO in one query and then turn around and ask LDAP, a relational database and a Groovy script to fetch attributes for the resolved principal and combine all results into a final collection.

Note that in most cases like in the case of direct LDAP authentication, and starting around CAS 4.x, the authentication engine has been enhanced to be able to retrieve and resolve attributes from the authentication source, which would eliminate the need for configuring a separate attribute repository/resolver especially if both the authentication and the attribute source are the same. Using separate resolvers and sources should only be required when sources are different, or when there is a need to tackle more advanced attribute resolution use cases such as cascading, merging, etc.

To configure CAS to use an external LDAP for attribute repositories, use:

cas.authn.attribute-repository.ldap[0].attributes.uid=uid
cas.authn.attribute-repository.ldap[0].attributes.displayName=displayName
cas.authn.attribute-repository.ldap[0].attributes.cn=commonName
cas.authn.attribute-repository.ldap[0].attributes.memberOf=memberOf

cas.authn.attribute-repository.ldap[0].ldapUrl=ldap://...
cas.authn.attribute-repository.ldap[0].useSsl=false
cas.authn.attribute-repository.ldap[0].useStartTls=false
cas.authn.attribute-repository.ldap[0].baseDn=dc=example,dc=edu
cas.authn.attribute-repository.ldap[0].searchFilter=uid={0}
cas.authn.attribute-repository.ldap[0].bindDn=...
cas.authn.attribute-repository.ldap[0].bindCredential=...
Misagh Moayyed
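A constructed walkthrough of how the repository definition above is applied to a SPNEGO-authenticated user, as an added example and not CAS or Person Directory code: it parses the attributes.* and searchFilter settings from the answer, strips the Kerberos realm from the principal (in CAS 5.x the cas.authn.spnego.principalWithDomainName setting controls whether the realm is kept), builds the LDAP filter with RFC 4515 escaping of the substituted id, and renames the returned attributes the way the key=value mapping does (key is the LDAP attribute fetched, value is the name CAS exposes it under). The property parser, the in-memory directory entry and the principal ids are all made up for the example.

```python
"""Simulate applying a CAS ldap[0] attribute repository to a SPNEGO principal.

Constructed example: the parser, the fake directory and the ids below are
not CAS or Person Directory code; they only mirror the configured semantics.
"""

# Constructed copy of the relevant settings from the answer (connection
# details such as ldapUrl/bindDn are omitted because nothing is contacted).
CAS_PROPERTIES = """
cas.authn.attribute-repository.ldap[0].attributes.uid=uid
cas.authn.attribute-repository.ldap[0].attributes.displayName=displayName
cas.authn.attribute-repository.ldap[0].attributes.cn=commonName
cas.authn.attribute-repository.ldap[0].attributes.memberOf=memberOf
cas.authn.attribute-repository.ldap[0].baseDn=dc=example,dc=edu
cas.authn.attribute-repository.ldap[0].searchFilter=uid={0}
"""

PREFIX = "cas.authn.attribute-repository.ldap[0]."


def parse_repository(text):
    """Return {'attributes': {ldap_name: cas_name}, 'searchFilter': ..., 'baseDn': ...}."""
    repo = {"attributes": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.startswith(PREFIX):
            continue
        # Split on the first '=' only: baseDn values contain '=' themselves.
        key, _, value = line[len(PREFIX):].partition("=")
        if key.startswith("attributes."):
            # Key: attribute fetched from LDAP. Value: name CAS releases it under.
            repo["attributes"][key[len("attributes."):]] = value
        else:
            repo[key] = value
    return repo


def principal_id_from_kerberos(kerberos_principal):
    """Kerberos hands CAS 'user@REALM'; the LDAP filter expects the bare id."""
    return kerberos_principal.split("@", 1)[0]


# RFC 4515 escapes for characters that would change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value before substituting it into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(search_filter, principal_id):
    """Substitute the authenticated id for {0}, escaped."""
    return search_filter.replace("{0}", escape_filter_value(principal_id))


# Constructed stand-in for the directory: entries keyed by the exact filter.
FAKE_DIRECTORY = {
    "uid=jdoe": {
        "uid": ["jdoe"],
        "cn": ["Jane Doe"],
        "displayName": ["Jane Doe"],
        "memberOf": ["cn=cas-users,ou=groups,dc=example,dc=edu"],
        "userPassword": ["{SSHA}placeholder"],  # never released: not in the mapping
    }
}


def resolve_attributes(repo, kerberos_principal, directory=FAKE_DIRECTORY):
    """Look the principal up and rename attributes per the repository mapping.

    Only attributes listed in the mapping reach the CAS principal; anything
    else in the entry stays in the directory.
    """
    uid = principal_id_from_kerberos(kerberos_principal)
    entry = directory.get(build_filter(repo["searchFilter"], uid))
    if entry is None:
        return {}
    return {
        cas_name: entry[ldap_name]
        for ldap_name, cas_name in repo["attributes"].items()
        if ldap_name in entry
    }


if __name__ == "__main__":
    repository = parse_repository(CAS_PROPERTIES)
    print(resolve_attributes(repository, "jdoe@EXAMPLE.EDU"))
```

Two things to check in a real deployment follow from this: the value side of each attributes.* line is the name services will see (so "cn" arrives as "commonName" here), and the id substituted into searchFilter is whatever the SPNEGO handler resolved, so the realm handling has to match what the directory stores in uid.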
  • You explained in two paragraphs something that is not clear at all in tens of CAS documentation pages. Thank you very much. We will try that and I'll come back here if we have any issue. – Benjamin Bini Apr 07 '20 at 14:39
  • 2
    You're quite welcome. Note that the CAS documentation is a "dictionary". One can't exactly learn a new language by simply memorizing the dictionary. Explanations and walkthroughs may be found here: https://fawnoos.com/blog or here: https://apereo.github.io/ In fact my answer above was copied verbatim from one of the Apereo/Fawnoos blog posts :) If you look around, you'll find more that might help with future questions as well. – Misagh Moayyed Apr 07 '20 at 14:51
  • 2
    Thank you. I knew about the apereo "blog" but not about fawnoos. Very good resource. The fragmented state of the information about CAS and the lack of full, complete documentation and tutorials make it quite difficult to improve your CAS skills without banging your head against the walls. For example, the big page listing all configuration properties can't really be considered a dictionary, as there are all the "words" (the different configuration properties) but not always the "definitions" (what the property does)! It's getting better compared to what it was before, but still. Anyway, thanks! – Benjamin Bini Apr 07 '20 at 16:00
  • 1
    I fully understand. If it may still help, the definitions of the properties ship with CAS automatically. If you look around the blog, you'll find posts on configuration metadata and a number of reasons why they are the way they are. That said, it goes without saying that major improvements are in order. Whether financially or technically, consider contributing to the project to improve the status of things. – Misagh Moayyed Apr 08 '20 at 20:13
  • I'd be happy to help. I am not up to date with CAS 6.x though. Do you have any resource to learn the main differences between CAS 5.x and 6.x? – Benjamin Bini Apr 09 '20 at 17:27
  • 1
    Architecturally, no difference. Mostly settings that are renamed or moved. Main difference is CAS 6 requires Java 11. I recommend you take a look at the apereo blog, and go through the release notes for each release candidate of v6. That should give you a pretty good idea. – Misagh Moayyed Apr 10 '20 at 08:02