Attributes

Attributes are controlled by the JA-SIG Person Directory project.

Populate Principal's attributes with LDAP repository

CredentialsToLDAPAttributePrincipalResolver lets you create and populate the principal with attributes extracted by JA-SIG Person Directory.

Person Directory can rely on different types of context source (Database, LDAP...).  We'll describe the LDAP way.

CredentialsToLDAPAttributePrincipalResolver first calls a credentialsToPrincipalResolver to initiate the Principal from the credentials: if username/password is used, UsernamePasswordCredentialsToPrincipalResolver is fine; if client certificates are used, you should define an x509CertificateCredentialsToPrincipal resolver. Depending on the class you use, the temporary Principal will be initiated with either the login or a certificate attribute as its ID.

This Principal's ID is then used to search a repository (here an LDAP server) for a corresponding entry: based on the filter property, an LDAP request is forged to find the entry corresponding to the principal's ID (i.e. the login or the certificate attribute).
The Principal ID is then replaced with the value of the principalAttributeName attribute extracted from the LDAP entry: usually the uid or cn LDAP attribute is used to create the new principal ID.

We now have a Principal corresponding to an LDAP entry, and we can populate it with attributes. These attributes can come from the same repository or from a different one; this repository is defined as the attributeRepository of the CredentialsToLDAPAttributePrincipalResolver.

The mapping between LDAP attributes and their names in the principal's attribute map is defined in the ldapAttributesToPortalAttributes property of the attributeRepository. This is where you define, for example, that the "Name" attribute of the principal must be set from the "cn" attribute of the LDAP entry.

Example CAS 3.3.3 deployerConfigContext.xml for LDAP

<bean id="authenticationManager"
  class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
    <bean
      class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
      <!-- The Principal resolver from the credentials -->
      <property name="credentialsToPrincipalResolver">
      <bean
        class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />

      </property>
      <!--
      The query made to find the Principal ID. 
      "%u" will be replaced by the resolved Principal
      -->
      <property name="filter" value="(uid=%u)" />

      <!-- The attribute used to define the new Principal ID -->

      <property name="principalAttributeName" value="uid" />

      <property name="searchBase"
      value="ou=people,o=company,c=fr" />
      <property name="contextSource" ref="contextSource" />

      <property name="attributeRepository">
      <ref bean="attribRepository" />
      </property>

    </bean>

    <!--
    .....
     the rest of the credentials to principal resolvers
    .....
    -->
    </list>
  </property>
</bean>

<!-- 
Define the contextSource and the attributeRepository.
NOTE:
org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource is deprecated as of CAS 3.3.3.
Use org.springframework.ldap.core.support.LdapContextSource instead.
-->
<bean id="contextSource"
  class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="urls">
    <list>
    <value>ldaps://ldap1/</value>
    <value>ldaps://ldap2/</value>
    </list>
  </property>
  <property name="userName" value="cn=manager,c=fr" />
  <property name="password" value="xxxxxxxxxxxxx" />
</bean>

<bean id="attribRepository"
  class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN"
    value="ou=people,o=company,c=fr" />
  <!-- This query is used to find the entry for populating attributes. {0} will be replaced by the new Principal ID extracted from the ldap-->
  <property name="query" value="(uid={0})" />

  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
    <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
    <entry key="cn" value="Name"/>
    <entry value="Telephone" key="telephoneNumber" />
    <entry value="Fax" key="facsimileTelephoneNumber" />
    </map>
  </property>
</bean>
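As an added example (not part of the original page, and not CAS or Person Directory code), the following Python models the resolution flow described above against a constructed in-memory directory, using the filter, principalAttributeName, searchBase, query and ldapAttributesToPortalAttributes values from the configuration above. The directory entries, the escape helper and the function names are this example's own assumptions. It shows two behaviours a deployer will want to verify against a real server: the final principal ID is taken from the directory entry rather than from what was typed, so the login's spelling is normalized to the stored uid, and the values substituted for %u and {0} are escaped per RFC 4515 so that a login containing filter metacharacters is matched literally instead of altering the shape of the search.

```python
import re

# Added example, not CAS or Person Directory code: a Python model of the
# CredentialsToLDAPAttributePrincipalResolver flow described on this page, run
# against a constructed in-memory directory instead of a real LDAP server.

# Constructed stand-in for the LDAP server: DN -> multi-valued attributes.
DIRECTORY = {
    "uid=jdupont,ou=people,o=company,c=fr": {
        "uid": ["jdupont"],
        "cn": ["Jean Dupont"],
        "telephoneNumber": ["+33 1 23 45 67 89"],
        "facsimileTelephoneNumber": ["+33 1 23 45 67 90"],
    },
    "uid=mmartin,ou=people,o=company,c=fr": {
        "uid": ["mmartin"],
        "cn": ["Marie Martin"],
        "telephoneNumber": ["+33 1 98 76 54 32"],
    },
}

# Settings taken from the deployerConfigContext.xml on this page.
RESOLVER = {
    "filter": "(uid=%u)",
    "principalAttributeName": "uid",
    "searchBase": "ou=people,o=company,c=fr",
}
ATTRIBUTE_REPOSITORY = {
    "baseDN": "ou=people,o=company,c=fr",
    "query": "(uid={0})",
    "ldapAttributesToPortalAttributes": {
        "cn": "Name",
        "telephoneNumber": "Telephone",
        "facsimileTelephoneNumber": "Fax",
    },
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so that
    '*', '(', ')', '\\' and NUL in a login are matched literally rather than
    interpreted as filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value, used by the in-memory search below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template, placeholder, value):
    """Substitute the placeholder ('%u' or '{0}' on this page) with the escaped value."""
    return template.replace(placeholder, escape_filter_value(value))


def ldap_search(search_base, ldap_filter):
    """Minimal stand-in for an LDAP search: supports a single equality filter
    '(attr=value)' under search_base. uid and cn use caseIgnoreMatch in the
    standard schema, so the comparison is case-insensitive."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, wanted = m.group(1), unescape_filter_value(m.group(2)).lower()
    return [
        (dn, entry)
        for dn, entry in DIRECTORY.items()
        if dn.endswith("," + search_base)
        and wanted in (v.lower() for v in entry.get(attr, []))
    ]


def resolve_principal(credentials):
    """Return {'id': ..., 'attributes': {...}}, or None if no principal resolves."""
    # 1. UsernamePasswordCredentialsToPrincipalResolver: the temporary ID is the login.
    temp_id = credentials["username"]
    # 2. Forge the filter from the 'filter' property and search under searchBase.
    hits = ldap_search(RESOLVER["searchBase"], build_filter(RESOLVER["filter"], "%u", temp_id))
    if len(hits) != 1:
        return None  # no entry, or an ambiguous one: no principal is produced
    entry = hits[0][1]
    # 3. The ID becomes the entry's principalAttributeName value (canonical spelling).
    values = entry.get(RESOLVER["principalAttributeName"])
    if not values:
        return None
    new_id = values[0]
    # 4. Populate attributes from the attributeRepository using its own query.
    repo_hits = ldap_search(
        ATTRIBUTE_REPOSITORY["baseDN"],
        build_filter(ATTRIBUTE_REPOSITORY["query"], "{0}", new_id),
    )
    attributes = {}
    if repo_hits:
        repo_entry = repo_hits[0][1]
        for ldap_name, portal_name in ATTRIBUTE_REPOSITORY["ldapAttributesToPortalAttributes"].items():
            if ldap_name in repo_entry:
                attributes[portal_name] = repo_entry[ldap_name][0]
    return {"id": new_id, "attributes": attributes}


if __name__ == "__main__":
    print(resolve_principal({"username": "JDupont", "password": "secret"}))
```

Running it resolves the login JDupont to the principal jdupont with Name, Telephone and Fax set; a login that matches no entry (or more than one) yields no principal, and an entry that lacks a mapped LDAP attribute simply leaves that principal attribute unset.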

Changes for CAS 3.3.4 and Later

CAS 3.3.4 and later use Person Directory 1.5.0, which has changed substantially from previous versions. This affects the LdapPersonAttributeDao bean definition. The above example is repeated below as a CAS 3.3.4 configuration.

CAS 3.3.4 LdapPersonAttributeDao Example

<bean id="attribRepository"
  class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="contextSource" ref="contextSource" />
  <property name="baseDN" value="ou=people,o=company,c=fr" />
  <property name="requireAllQueryAttributes" value="true" />

  <!--
  Attribute mapping between principal (key) and LDAP (value) names
  used to perform the LDAP search.  By default, multiple search criteria
  are ANDed together.  Set the queryType property to change to OR.
  -->
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="uid" /> 
    </map>
  </property>

  <property name="resultAttributeMapping">
    <map>
    <!-- Mapping between LDAP entry attributes (key) and the Principal's (value) -->
    <entry key="cn" value="Name"/>
    <entry value="Telephone" key="telephoneNumber" />
    <entry value="Fax" key="facsimileTelephoneNumber" />
    </map>
  </property>
</bean>
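As an added example (not part of the original page, and not Person Directory code), the following Python shows how a DAO configured like the CAS 3.3.4 bean above turns the principal's query attributes into one LDAP filter and maps the returned entry back to principal attribute names. The queryAttributeMapping and resultAttributeMapping values come from the bean above; the function names, the constructed seed and entry values, and the choice to return None when requireAllQueryAttributes cannot be satisfied are this example's own assumptions. It goes slightly beyond the single-criterion bean on the page by showing the AND/OR joining of several criteria that the bean's comment describes.

```python
# Added example, not Person Directory code: query construction and result
# mapping for a Person Directory 1.5 style LdapPersonAttributeDao, using the
# settings of the CAS 3.3.4 attribRepository bean on this page.

QUERY_ATTRIBUTE_MAPPING = {"username": "uid"}  # principal name -> LDAP name
RESULT_ATTRIBUTE_MAPPING = {                    # LDAP name -> principal name
    "cn": "Name",
    "telephoneNumber": "Telephone",
    "facsimileTelephoneNumber": "Fax",
}


def escape_filter_value(value):
    """RFC 4515 escaping so seed values are matched literally inside the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_query(seed, query_mapping=QUERY_ATTRIBUTE_MAPPING, query_type="AND",
                require_all=True):
    """Build the search filter from the seed (the principal's known attributes).

    - Only seed attributes present in query_mapping contribute a criterion.
    - With require_all (requireAllQueryAttributes=true) a seed missing any mapped
      attribute yields no query at all (None): the lookup is skipped rather than
      run with fewer constraints than were configured.
    - Several criteria are ANDed by default; query_type="OR" joins them with '|'.
    """
    criteria = []
    for principal_name, ldap_name in query_mapping.items():
        if principal_name not in seed:
            if require_all:
                return None
            continue
        criteria.append("(%s=%s)" % (ldap_name, escape_filter_value(seed[principal_name])))
    if not criteria:
        return None
    if len(criteria) == 1:
        return criteria[0]  # no need to wrap a single criterion
    return "(%s%s)" % ("&" if query_type == "AND" else "|", "".join(criteria))


def map_result(entry, result_mapping=RESULT_ATTRIBUTE_MAPPING):
    """Rename the LDAP entry's attributes to the principal's names. LDAP
    attributes that are not mapped are dropped; mapped attributes absent from
    the entry are simply not set on the principal."""
    return {
        principal_name: list(entry[ldap_name])
        for ldap_name, principal_name in result_mapping.items()
        if ldap_name in entry
    }


if __name__ == "__main__":
    # Constructed seed and entry, standing in for the principal and the LDAP result.
    print(build_query({"username": "jdupont"}))
    print(map_result({"cn": ["Jean Dupont"], "telephoneNumber": ["+33 1 23 45 67 89"], "mail": ["jd@company.fr"]}))
```

The seed is the set of attributes the principal already carries (here only username); with requireAllQueryAttributes set to true, as in the bean above, a seed that lacks any attribute named in queryAttributeMapping produces no search at all, which is the safer failure mode for a lookup meant to identify exactly one person.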