Get LDAP user attributes from CAS


Question

I've got some problems with CAS in conjunction with LDAP now. I want to implement an SSO solution for multiple applications. Authentication works great so far. We want to authorize the users on the basis of their roles, which are configured in LDAP. The problem is that CAS does not deliver the user roles.

I am now so far that I know that the deployerConfigContext.xml needs to be configured. I have also found various tutorials; most work with either the wrong version of CAS or do not do what I want.

Our users lie in cn=admin,cn=users,dc=manager,dc=local, groups reside in cn=admins,ou=groups,dc=manager,dc=local. The CAS version is 3.5.2.

I have tried inserting something like this:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
        <map>
            <entry key="uid" value="uid" />
            <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
            <entry key="groupMembership" value="groupMembership" />
        </map>
    </property>
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <entry key="cn" value="Name" />
            <entry key="home" value="homeDirectory" />
        </map>
    </property>
</bean>

CAS told me that it doesn't like the properties query, contextSource and ldapAttributesToPortalAttributes. I wanted to fetch the "simple" attribute homeDirectory.

Can anyone of you give me tips on how to configure that wicked xml file? If you wish, I can also provide the complete xml file.

Update

After some fiddling, I tried configuring an attributeRepository as on this site: https://wiki.jasig.org/display/CASUM/Attributes in the chapter "Populate Principal's attributes with LDAP repository". The result is that CAS doesn't start but instead gives me the message

Bean property 'ldapAttributesToPortalAttributes' is not writable or has an invalid setter method.

My attributeRepository looks like this:

<bean id="attributeRepository"  class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <entry key="cn" value="Name" />
            <entry key="home" value="homeDirectory" />
        </map>
    </property>
</bean>


Answer

I have the following bean:

<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=groups,dc=manager,dc=local"/>
    <property name="contextSource" ref="contextSource" />
    <property name="requireAllQueryAttributes" value="true"/>
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="sAMAccountName" />
        </map>
    </property>
    <property name="resultAttributeMapping">
        <map>
            <entry key="displayName" value="cn" />
        </map>
    </property>
</bean>

Here you are mapping the displayName attribute to cn. A few lines below in your deployerConfigContext.xml you will find allowedAttributes; if it doesn't exist you can add it. Using this you will load that information into the session.

<bean id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
        <list>
            <bean class="org.jasig.cas.services.RegexRegisteredService">
                <property name="id" value="0" />
                <property name="name" value="HTTP and IMAP" />
                <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
                <property name="serviceId" value="^(https?|imaps?)://.*" />
                <property name="evaluationOrder" value="10000001" />
                <property name="allowedAttributes">
                    <list>
                        <value>cn</value>
                    </list>
                </property>
            </bean>
        </list>
    </property>
</bean>

In order to return those values from CAS, modify casServiceValidationSuccess.jsp (located at WEB-INF/view/jsp/protocol/2.0):

<cas:attributes>
    <%-- one element per principal attribute; keys and values are XML-escaped --%>
    <c:forEach var="auth" items="${assertion.chainedAuthentications}">
        <c:forEach var="attr" items="${auth.principal.attributes}">
            <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
        </c:forEach>
    </c:forEach>
</cas:attributes>
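The JSP change above only covers the CAS side: a client application still has to read the `<cas:attributes>` block out of the `/serviceValidate` response before it can authorize on group membership. The following is an added example (not code from the question, the answer, or the CAS project) that parses a CAS 2.0 service response with the Python standard library, refuses `authenticationFailure` responses, and collects multi-valued attributes such as `memberOf` as lists. The two sample responses, the user `jdoe`, the ticket id and the group DNs are constructed for the example; `memberOf` is assumed to be the attribute name the LDAP DAO releases, since the page only maps `cn`.

```python
"""Parse a CAS 2.0 /serviceValidate response and extract released attributes.

Added example, not part of the original question or answer. It consumes the
<cas:attributes> block emitted by the modified casServiceValidationSuccess.jsp,
the way a client application would after CAS redirects back with a ticket.
"""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed sample: what the JSP would render for a user whose
# LdapPersonAttributeDao mapped cn -> displayName plus a multi-valued
# memberOf attribute (memberOf is an assumed attribute name).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:displayName>John &lt;Doe&gt;</cas:displayName>
      <cas:memberOf>cn=admins,ou=groups,dc=manager,dc=local</cas:memberOf>
      <cas:memberOf>cn=users,ou=groups,dc=manager,dc=local</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
"""

# Constructed sample of a rejected ticket; the ticket id is made up.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>
"""


class CasValidationError(Exception):
    """Raised when CAS reports a failure or the response is malformed."""


def _q(name):
    """Clark-notation tag for an element in the CAS namespace."""
    return "{%s}%s" % (CAS_NS, name)


def parse_service_response(xml_text):
    """Return (username, attributes) from a CAS 2.0 serviceValidate body.

    attributes maps each released attribute name to a list of values,
    because the JSP loop emits one element per value and LDAP attributes
    such as group membership are multi-valued. Raises CasValidationError
    on authenticationFailure or when <cas:user> is missing, so a caller
    cannot accidentally treat a failure as a logged-in user.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _q("serviceResponse"):
        raise CasValidationError("not a CAS serviceResponse document")

    failure = root.find(_q("authenticationFailure"))
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError("%s: %s" % (code, (failure.text or "").strip()))

    success = root.find(_q("authenticationSuccess"))
    if success is None:
        raise CasValidationError("neither success nor failure element present")

    user_el = success.find(_q("user"))
    if user_el is None or not (user_el.text or "").strip():
        raise CasValidationError("authenticationSuccess without cas:user")

    attrs = {}
    attr_block = success.find(_q("attributes"))
    if attr_block is not None:
        for el in attr_block:
            # Drop the namespace prefix to recover the key the JSP wrote.
            name = el.tag.split("}", 1)[1] if el.tag.startswith("{") else el.tag
            attrs.setdefault(name, []).append((el.text or "").strip())
    return user_el.text.strip(), attrs


def has_group(attrs, group_dn, attribute="memberOf"):
    """Authorization helper: True if group_dn is among the released values.

    DNs are compared case-insensitively after whitespace stripping; a full
    RFC 4514 normalization is out of scope for this example.
    """
    wanted = group_dn.strip().lower()
    return any(v.strip().lower() == wanted for v in attrs.get(attribute, []))


if __name__ == "__main__":
    user, attrs = parse_service_response(SAMPLE_SUCCESS)
    print(user, attrs)
    print(has_group(attrs, "cn=admins,ou=groups,dc=manager,dc=local"))
```

Two points worth keeping in mind when wiring this in: fetch the validation response only over TLS from the CAS server you configured, since the attributes are trusted as-is once parsed; and note that the JSP emits each attribute key as an XML element name, so a key that is not a valid XML name (for example one containing a space) yields a malformed document, which `ET.fromstring` rejects with a `ParseError` rather than silently dropping the attribute.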
