All,
Scenario: CAS with LDAPFastBind talking to MS-AD, talking to Google Apps,
currently with username.
In our environment, username != email name, so we're trying to map some
additional LDAP attribs to the principal, in order to pass the 'mail'
attribute to GoogleApps
Using this as a guide: http://www.ja-sig.org/wiki/display/CASUM/Attributes,
we configured the resolver below.
When this runs on cas login, it produces an error that seems to be related
to not being able to handle references.
<org.springframework.ldap.PartialResultException: Unprocessed Continuation
Reference(s); nested exception is javax.naming.PartialResultException:
Unprocessed Continuation Reference(s); remaining name 'dc=x,dc=y,dc=z'>
(a packet capture against plain ldap shows that the query on the whole
subtree with filter sAMAccountName=%u is working and has deferAlways set.
It returns one search result, and 3 search referrals to DomainDNSZone,
ForestDNSZones and a cn=Configuration
Can we avoid the referrals by setting deferAlways to no, if so, how to do it?
Another observation is that the request query only asks for the
sAMAccountName attribute, not the others mapped in the attribRepository
bean)
Reading through some postings, I tried adding to the credToPrincipal bean,
as well as to the contextSourceLdapAttrib bean this:
<property name="ignorePartialResultException" value="yes" />
neither of which support that property and thus cause app load errors.
What is the solution to this problem? Any suggestions are appreciated!
Thanks again,
Johan
Thunderbird School of Global Management
Glendale, AZ
www.thunderbird.edu
Config (site specific info removed):
<bean
    class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
    <!-- The Principal resolver from the credentials, i.e. get the username -->
    <property name="credentialsToPrincipalResolver">
        <bean
            class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
    </property>
    <!-- The query made to find the Principal ID. "%u" will be replaced by
         the resolved Principal -->
    <property name="filter" value="(sAMAccountName=%u)" />
    <!-- The attribute used to define the new Principal ID -->
    <property name="principalAttributeName" value="sAMAccountName" />
    <property name="searchBase" value="dc=x,dc=y,dc=z" />
    <property name="contextSource" ref="contextSourceLdapAttributes" />
    <!-- use the attrib repository defined below -->
    <property name="attributeRepository">
        <ref bean="attribRepository" />
    </property>
</bean>
<bean id="contextSourceLdapAttributes"
    class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="urls">
        <list>
            <value>ldap://dc1/</value>
            <value>ldap://dc2/</value>
            <value>ldap://dc3/</value>
        </list>
    </property>
    <property name="userName" value="cn=cas,ou=xxxx,dc=x,dc=y,dc=z" />
    <property name="password" value="ppppp" />
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key>
                    <value>java.naming.security.authentication</value>
                </key>
                <value>simple</value>
            </entry>
            <!--
                Set the LDAP connect and read timeout (in ms) for the Java LDAP class.
                See http://java.sun.com/products/jndi/tutorial/ldap/connect/create.html
            -->
            <entry>
                <key>
                    <value>com.sun.jndi.ldap.connect.timeout</value>
                </key>
                <value>2000</value>
            </entry>
            <entry>
                <key>
                    <value>com.sun.jndi.ldap.read.timeout</value>
                </key>
                <value>2000</value>
            </entry>
        </map>
    </property>
</bean>
<!-- the attribute repository bean for mapping LDAP attributes to Principal
     attributes -->
<bean id="attribRepository"
    class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN"
        value="dc=ad,dc=t-bird,dc=edu" />
    <!--
        This query is used to find the entry for populating attributes.
        {0} will be replaced by the new Principal ID extracted from the LDAP
    -->
    <property name="query" value="(sAMAccountName={0})" />
    <property name="contextSource" ref="contextSourceLdapAttributes" />
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <!-- Mapping between the LDAP entry's attributes (key) and the Principal's
                 attributes (value) -->
            <entry key="cn" value="Name" />
            <entry key="givenName" value="FirstName" />
            <entry key="sn" value="LastName" />
            <!-- key is the LDAP attribute, value is the Principal attribute;
                 the original had these two swapped, so "mail" was never requested -->
            <entry key="mail" value="EmailAddress" />
        </map>
    </property>
</bean>
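Referral chasing in JNDI is governed by the java.naming.referral environment property, which defaults to ignore and is what turns the continuation references AD returns for a domain-root subtree search into a PartialResultException. As an added example (not from the original post), this is the contextSourceLdapAttributes bean with that property set; host names, bind DN and password are placeholders carried over from the post.

```xml
<bean id="contextSourceLdapAttributes"
    class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <!-- plain ldap:// with a simple bind sends the service password in clear;
         prefer ldaps:// to the same hosts where the DCs offer it -->
    <property name="urls">
        <list>
            <value>ldap://dc1/</value>
            <value>ldap://dc2/</value>
            <value>ldap://dc3/</value>
        </list>
    </property>
    <!-- placeholder bind account: a dedicated, read-only service account -->
    <property name="userName" value="cn=cas,ou=xxxx,dc=x,dc=y,dc=z" />
    <property name="password" value="ppppp" />
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key><value>java.naming.security.authentication</value></key>
                <value>simple</value>
            </entry>
            <!-- Chase the referrals AD hands back for a subtree search at the
                 domain root (DomainDnsZones, ForestDnsZones, cn=Configuration)
                 instead of letting JNDI raise PartialResultException on them.
                 Valid values: follow, ignore (the JNDI default), throw. -->
            <entry>
                <key><value>java.naming.referral</value></key>
                <value>follow</value>
            </entry>
            <entry>
                <key><value>com.sun.jndi.ldap.connect.timeout</value></key>
                <value>2000</value>
            </entry>
            <entry>
                <key><value>com.sun.jndi.ldap.read.timeout</value></key>
                <value>2000</value>
            </entry>
        </map>
    </property>
</bean>
```

Following referrals means the CAS host must be able to resolve and reach the referred-to DCs, so the connect timeout above also bounds the extra round trips; an alternative that avoids the referrals altogether is to point urls at the Global Catalog port (ldap://dc1:3268/), which works as long as the mapped attributes are replicated to the GC.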