External Mapping of LDAP attributes in CAS

One of the attractive features of CAS is its ability to pass LDAP attributes to a specified application via SAML. Our web developers are using this functionality more and more, creating demand for additional attributes to be mapped. This raised an issue: CAS must be rebuilt every time a new attribute is to be mapped. The solution was to externalize the resultAttributeMapping property to a configuration file, which can be done with Spring's util schema.

Add the schema to deployerConfigContext.xml:

xmlns:util="http://www.springframework.org/schema/util"

Append the following to schemaLocation:

http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd

The resultAttributeMapping property (in deployerConfigContext) will look like this:

<property name="resultAttributeMapping">
    <util:properties id="attr" location="file:/etc/cas/ldap.attributes" />
</property>

Because of how the file is referenced, the attributes file cannot contain any other property configuration. It is a plain Java properties file: one key=value entry per line, where the key is the LDAP attribute name and the value is the attribute name released to the application. Here is an example ldap.attributes file:

cn=cn
uid=ssoid
givenname=givenName
mail=email
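Spring's util:properties loads this file with java.util.Properties, which accepts `=`, `:` or whitespace as separators, treats `#`/`!` lines as comments and, importantly, lets a duplicate key silently overwrite an earlier one. The following checker (an added example, not part of the original post) parses a mapping file with those rules and reports duplicates and empty mappings before the file reaches CAS; the sample file it uses is constructed here.

```python
"""Check a CAS ldap.attributes mapping file before util:properties loads it."""
import re

# Constructed sample: the post's example plus a comment, a ':'-separated entry
# and a duplicate key that java.util.Properties would silently override.
SAMPLE = """\
# LDAP attribute -> attribute name released to the application
cn=cn
uid=ssoid
givenname=givenName
mail=email
mail : primaryEmail
"""

# key, optional separator (=, : or whitespace) and the rest of the line as value
_ENTRY = re.compile(r'^\s*([^=:\s]+)\s*(?:[=:\s]\s*(.*))?$')


def parse_properties(text):
    """Parse text with java.util.Properties line rules: comment lines,
    =/:/space separators and trailing-backslash continuation.
    Returns (mapping, problems).  Problems list duplicate keys and empty
    values instead of letting the last definition win unnoticed."""
    mapping, problems, pending = {}, [], ''
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.lstrip()   # continuation joins with leading space stripped
        pending = ''
        if not line or line[0] in '#!':
            continue
        # A single trailing backslash continues the entry on the next line
        # (a doubled backslash is a literal, so it is not treated as continuation).
        if line.endswith('\\') and not line.endswith('\\\\'):
            pending = line[:-1]
            continue
        m = _ENTRY.match(line)
        if not m:
            problems.append(f'line {lineno}: not a key=value entry: {raw!r}')
            continue
        key, value = m.group(1), (m.group(2) or '').strip()
        if not value:
            problems.append(f'line {lineno}: empty mapping for {key!r}')
        if key in mapping:
            problems.append(f'line {lineno}: duplicate key {key!r} '
                            f'(overrides {mapping[key]!r} with {value!r})')
        mapping[key] = value
    return mapping, problems


if __name__ == '__main__':
    attrs, issues = parse_properties(SAMPLE)
    print(attrs)
    for issue in issues:
        print('WARNING:', issue)
```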

2 thoughts on “External Mapping of LDAP attributes in CAS”

  1. Very nice – just what I was looking for.
    I wonder how hard it would be to reload the contents if the file changes? 🙂
    Thanks,
    chris
    BTW this line got truncated in the post:
    <util:properties id="attr" location="file:/etc/cas/ldap.attribtues

  2. Glad to hear it Chris!
    The util schema does support automatic property file reloading, but I don’t believe it does with the method described above. I believe you would have to write a custom bean to accomplish this.

    Unicon did implement something similar to this for their JSON-based service registry, although I can’t say whether this would work with the LDAP attributes externalization. The source can be found here: https://github.com/Unicon/springframework-addons/wiki/Resource-change-detecting-event-notifier

    For my own uses at least, I would tend to stay away from automatic reloading in a production environment.

    Thanks for the catch BTW, looks like I can’t spell attributes either 🙂
