Now that the server has been configured to support attribute release, it must be configured to resolve (retrieve) the attributes to be released. Since the LDAP module has already been added to the server, all that is necessary to enable this is the definition of some additional properties.

Configure Active Directory attribute resolution

Add the following lines to etc/cas/config/cas.properties in the cas-overlay-template directory on the master build server (casdev-master) to enable CAS to resolve attributes from Active Directory:

cas.authn.attributeRepository.ldap[0].order:            0
cas.authn.attributeRepository.ldap[0].ldapUrl:          ldaps://zuul.newschool.edu
cas.authn.attributeRepository.ldap[0].validatePeriod:   270
cas.authn.attributeRepository.ldap[0].userFilter:       sAMAccountName={user}
cas.authn.attributeRepository.ldap[0].baseDn:           ou=TNSUsers,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[0].bindDn:           cn=ldap_ssotest,ou=Service,ou=Users,ou=Enterprise Support,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[0].bindCredential:   xxxxxxxxxxxx
cas.authn.attributeRepository.ldap[0].attributes.cn:    uid
cas.authn.attributeRepository.ldap[0].attributes.displayName:   displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName:     givenName
cas.authn.attributeRepository.ldap[0].attributes.mail:  mail
cas.authn.attributeRepository.ldap[0].attributes.sn:    sn
cas.authn.attributeRepository.ldap[0].attributes.tnsGoogleAppsRole:     role
cas.authn.attributeRepository.ldap[0].attributes.tnsIDNumber:   cn

The first seven properties should be self-explanatory (or see the descriptions in the previous sections). Note that while we did not need to use a bind account to authenticate users against Active Directory, we do need to use one to resolve attributes.

The .attributes. properties specify, for each attribute, its name in the directory, and the name it should be given when sending it to the client application (the mapped name). For example, in the set of attributes above, the Active Directory attributes cn, displayName, givenName, mail, sn, tnsGoogleAppsRole, and tnsIDNumber will be retrieved and may be sent to client applications. The attributes named cn, tnsGoogleAppsRole, and tnsIDNumber will be released with the mapped names uid, role, and cn respectively, while the other attributes’ names will not be changed.

Configure Luminis LDAP attribute resolution

Add the following lines to etc/cas/config/cas.properties to enable CAS to resolve attributes from Luminis LDAP:

cas.authn.attributeRepository.ldap[1].order:            1
cas.authn.attributeRepository.ldap[1].ldapUrl:          ldaps://janus.newschool.edu
cas.authn.attributeRepository.ldap[1].validatePeriod:   270
cas.authn.attributeRepository.ldap[1].userFilter:       uid={user}
cas.authn.attributeRepository.ldap[1].baseDn:           ou=People,o=cp
cas.authn.attributeRepository.ldap[1].bindDn:           uid=ldap_ssotest,ou=People,o=cp
cas.authn.attributeRepository.ldap[1].bindCredential:   xxxxxxxxxxxx
cas.authn.attributeRepository.ldap[1].attributes.cn:    cn
cas.authn.attributeRepository.ldap[1].attributes.displayName:   displayName
cas.authn.attributeRepository.ldap[1].attributes.givenName:     givenName
cas.authn.attributeRepository.ldap[1].attributes.mail:  mail
cas.authn.attributeRepository.ldap[1].attributes.sn:    sn
cas.authn.attributeRepository.ldap[1].attributes.udcid: UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[1].attributes.uid:   uid

As above, the first seven properties should be self-explanatory. The list of attributes to be released is similar to, but not the same as, the list for Active Directory, above.

One difference is that the two directories use different attributes for the same information. Luminis LDAP stores the username in the uid attribute and the student/employee ID number in the cn attribute. Active Directory on the other hand, stores the username in the cn attribute, and stores the student/employee ID number in a custom attribute called tnsIDNumber. To make things match up so the same data is in the same attribute from both directories (the reason for this will become apparent below), the Active Directory configuration above switches things around to match Luminis LDAP by mapping cn to uid and tnsIDNumber as cn.

Another difference is that Active Directory has an attribute called tnsGoogleAppsRole (released as role) that Luminis LDAP doesn’t have, and Luminis LDAP has an attribute called udcid (released as UDC_IDENTIFIER) that Active Directory doesn’t have.

Configure an attribute merging strategy

Although CAS will only authenticate a user against the first directory (according to the evaluation order) in which the user is found, it will attempt to retrieve attributes from all configured repositories and then merge them together. The merging strategy determines what happens when CAS discovers the same attribute (based on the mapped name) in multiple repositories. The options are:

REPLACE Overwrites the existing value (if any) with the new value. The attribute will contain the last value discovered.
ADD Retain the existing value (if any), and ignore any subsequent values discovered for the same attribute. The attribute will contain the first value discovered.
MERGE Combine all values into a single attribute, resulting in a comma-separated list of values.

In our case, we have a mix of users who are only in Active Directory, users who are only in Luminis LDAP, and users who are in both directories. Most of the time the duplicated attributes have the same value in both directories, but there are just enough exceptions to make MERGE a bad idea (applications that don’t expect to receive multi-valued attributes don’t handle them well). We have therefore (somewhat arbitrarily) decided that for users in both directories, the values of their attributes in Active Directory should “win,” and since Active Directory is the first repository, we want to use the ADD strategy. So, add the following line to etc/cas/config/cas.properties:

cas.authn.attributeRepository.merger:                   ADD

Had we instead decided that Luminis LDAP should “win,” REPLACE would be the correct strategy. Or, we could stick with the ADD strategy and change the evaluation order of the repositories.

References