Hi,
I haven't actually used AD in anger and don't have a system to test
against (other than the free ADAM, which I think is a bit different).
However, I don't think you can bind with "sAMAccountName={0},CN=Users"
as this doesn't actually match a DN (as AD sees it).
I've heard of two "alternative" pseudo-DN syntaxes supported by AD. One
is "[EMAIL PROTECTED]" and the other is "domain\username".
I think you can try binding with either of these using the existing
BindAuthenticator. If the user types in the entire name, you could have:
  <property name="userDnPatterns">
    <list>
      <value>{0}</value>
    </list>
  </property>
or if they only type in the username part, you could use something like
  <property name="userDnPatterns">
    <list>
      <value>[EMAIL PROTECTED]</value>
      <!-- and/or -->
      <value>domain\{0}</value>
    </list>
  </property>
The "\" in the domain version may need to be escaped, or you might be
able to use a "/".
Disclaimer: everything I wrote above could be wrong. But I'd be grateful
if you could try it out and let us know if it works.
cheers,
Luke.
Bram Bruneel wrote:
> Hi,
>
> ...
>
> I noticed that, when using MS Active Directory, setting the userDnPatterns
> property in the ldapAuthenticationProvider had no real effect in authenticating
> users. I could only authenticate against their CN and not the sAMAccountName,
> which is the real account name in Active Directory.
>
> ...
>
> And this is what did not work with MS Active Directory
>
> <bean id="bindAuthenticator"
>       class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
>   <constructor-arg>
>     <ref local="initialDirContextFactory"/>
>   </constructor-arg>
>   <property name="userDnPatterns">
>     <list>
>       <value>sAMAccountName={0},CN=Users</value>
>     </list>
>   </property>
> </bean>
>
>
--
Luke Taylor. Monkey Machine Ltd.
PGP Key ID: 0x57E9523C http://www.monkeymachine.ltd.uk
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
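
Added example, not part of the original messages and not Acegi code: it shows what the two pattern styles discussed in the thread expand to for a typed username, and how to keep that username from changing the shape of the bind principal. Assumptions: the {0} placeholder is expanded MessageFormat-style, EXAMPLE is a placeholder domain, and the class name, method name and allowlist are hypothetical.

```java
import java.text.MessageFormat;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added illustration; class and method names are hypothetical.
public class BindPrincipalDemo {
    // Constructed, conservative allowlist for a bare logon name (an assumption,
    // not an AD rule): letters, digits, dot, underscore, hyphen.
    private static final Pattern LOGON_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    // Expands one pattern (MessageFormat-style expansion is assumed here) after
    // making the typed username safe for that kind of pattern.
    static String principalFor(String pattern, String username) throws InvalidNameException {
        if (pattern.contains("=")) {
            // DN-style pattern: escape DN metacharacters (, = + < > # ; " \) in the value.
            String dn = MessageFormat.format(pattern, Rdn.escapeValue(username));
            // Parsing proves syntax only; the directory still has to hold an entry at that DN.
            new LdapName(dn);
            return dn;
        }
        // Logon-name pattern such as EXAMPLE\{0}: DN escaping does not apply,
        // so anything outside the allowlist is rejected instead.
        if (!LOGON_NAME.matcher(username).matches()) {
            throw new IllegalArgumentException("unexpected characters in username");
        }
        return MessageFormat.format(pattern, username);
    }

    public static void main(String[] args) throws Exception {
        String[] patterns = { "sAMAccountName={0},CN=Users", "EXAMPLE\\{0}" };
        String[] typed = { "jsmith", "smith, john" }; // constructed sample input
        for (String p : patterns) {
            for (String u : typed) {
                try {
                    System.out.println(p + " + [" + u + "] -> " + principalFor(p, u));
                } catch (IllegalArgumentException e) {
                    System.out.println(p + " + [" + u + "] -> rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

The backslash in the second pattern passes through MessageFormat unchanged; it is doubled above only because it sits inside a Java string literal.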