To follow up, I just discovered that if I set the searchBase =
"ou=Department,dc=x,dc=y,dc=z"
things work. That is to say, the ldap query result doesn't cause an
exception, gets the result, then asks for the attributes, and they are
returned.
(I've figured out how to turn off deref, but that makes no difference either
way)
Any idea why this now works?
I then noticed that the log file shows the following entries:
2009-03-06 11:16:53,365 WARN [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - <Converting value 0 of LDAP attribute 'givenName' from byte[] to String>
Does this mean it is not properly reading the returned attribute values from
ldap into the principal?
Apologies for this barrage of questions...
Johan
----- Original Message -----
From: "Johan Reinalda" <[email protected]>
To: <[email protected]>
Sent: Friday, March 06, 2009 10:53 AM
Subject: Credentials from LDAP To Principal &
All,
Scenario: CAS with LDAPFastBind talking to MS-AD, talking to Google Apps,
currently with username.
In our environment, username != email name, so we're trying to map some
additional LDAP attribs to the principal, in order to pass the 'mail'
attribute to GoogleApps
Using this as a guide:
http://www.ja-sig.org/wiki/display/CASUM/Attributes, we configured the
resolver below.
When this runs on cas login, it produces an error that seems to be related
to not being able to handle references.
<org.springframework.ldap.PartialResultException: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=x,dc=y,dc=z'>
(a packet capture against plain ldap shows that the query on the whole
subtree with filter sAMAccountName=%u is working and has deferAlways set.
It returns one search result, and 3 search referrals to DomainDNSZone,
ForestDNSZones and a cn=Configuration
Can we avoid the referrals by setting deferAlways to no, and if so, how do we do
it?
Another observation is that the request query only asks for the
sAMAccountName attribute, not the others mapped in the attribRepository
bean)
Reading through some postings, I tried adding to the credToPrincipal
bean, as well as to the contextSourceLdapAttrib bean this:
<property name="ignorePartialResultException" value="yes" />
neither of which support that property and thus cause app load errors.
What is the solution to this problem? Any suggestions are appreciated!
Thanks again,
Johan
Thunderbird School of Global Management
Glendale, AZ
www.thunderbird.edu
Config (site specific info removed):
<bean
class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
<!-- The Principal resolver from the credentials, i.e. get the
username -->
<property name="credentialsToPrincipalResolver">
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"
/>
</property>
<!-- The query made to find the Principal ID. "%u" will be replaced by
the resolved Principal -->
<property name="filter" value="(sAMAccountName=%u)" />
<!-- The attribute used to define the new Principal ID -->
<property name="principalAttributeName" value="sAMAccountName" />
<property name="searchBase" value="dc=x,dc=y,dc=z" />
<property name="contextSource" ref="contextSourceLdapAttributes" />
<!-- use the attrib repository defined below -->
<property name="attributeRepository">
<ref bean="attribRepository" />
</property>
</bean>
<bean id="contextSourceLdapAttributes"
class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
<property name="urls">
<list>
<value>ldap://dc1/</value>
<value>ldap://dc2/</value>
<value>ldap://dc3/</value>
</list>
</property>
<property name="userName" value="cn=cas,ou=xxxx,dc=x,dc=y,dc=z" />
<property name="password" value="ppppp" />
<property name="baseEnvironmentProperties">
<map>
<entry>
<key>
<value>java.naming.security.authentication</value>
</key>
<value>simple</value>
</entry>
<!--
Set the LDAP connect and read timeout(in ms) for the java ldap class
See http://java.sun.com/products/jndi/tutorial/ldap/connect/create.html
-->
<entry>
<key>
<value>com.sun.jndi.ldap.connect.timeout</value>
</key>
<value>2000</value>
</entry>
<entry>
<key>
<value>com.sun.jndi.ldap.read.timeout</value>
</key>
<value>2000</value>
</entry>
</map>
</property>
</bean>
<!-- the attribute repository bean for mapping LDAP attributes to
Principal attributes -->
<bean id="attribRepository"
class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
<property name="baseDN"
value="dc=ad,dc=t-bird,dc=edu" />
<!--
This query is used to find the entry for populating attributes.
{0} will be replaced by the new Principal ID extracted from the ldap
-->
<property name="query" value="(sAMAccountName={0})" />
<property name="contextSource" ref="contextSourceLdapAttributes" />
<property name="ldapAttributesToPortalAttributes">
<map>
<!-- Mapping between the LDAP entry's attributes (key) and the Principal's
(value) -->
<entry key="cn" value="Name"/>
<entry key="givenName" value="FirstName" />
<entry key="sn" value="LastName" />
<entry key="mail" value="EmailAddress" />
</map>
</property>
</bean>
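The behaviour described in this thread, as an added example that is not part of the original messages or of CAS/persondir code: a subtree search from the AD domain root returns the matching entry plus continuation references, and (as JNDI does with referrals set to throw) the unprocessed referrals surface as a PartialResultException unless the search base is narrowed or partial results are ignored; the attribute step then maps LDAP attributes to Principal attributes using the key=LDAP name, value=Principal name convention from the attribRepository comment and decodes byte values, which is what the givenName WARN above is about. The directory contents, referral URLs and user values are constructed, and whether givenName really came back as bytes from AD is an assumption.

```python
class PartialResultException(Exception):
    """Stands in for javax.naming.PartialResultException."""

DOMAIN_ROOT = "dc=x,dc=y,dc=z"

# Constructed directory: DN -> attributes. givenName is stored as bytes on
# purpose (assumption) to reproduce persondir's "byte[] to String" WARN.
DIRECTORY = {
    "cn=jdoe,ou=Department,dc=x,dc=y,dc=z": {
        "sAMAccountName": "jdoe", "cn": "John Doe", "givenName": b"John",
        "sn": "Doe", "mail": "john.doe@example.edu",
    },
}

# Constructed referrals an AD DC sends for a subtree search rooted at the
# domain naming context (the three the packet capture in the thread shows).
ROOT_REFERRALS = [
    "ldap://DomainDnsZones.x.y.z/DC=DomainDnsZones,DC=x,DC=y,DC=z",
    "ldap://ForestDnsZones.x.y.z/DC=ForestDnsZones,DC=x,DC=y,DC=z",
    "ldap://x.y.z/CN=Configuration,DC=x,DC=y,DC=z",
]

def search(base, username, ignore_partial_result=False):
    """Subtree search for (sAMAccountName=<username>) under base.

    Referrals are only produced when the base is the domain root; with
    ignore_partial_result=False they are reported as an exception, which is
    the JNDI default behaviour the thread runs into."""
    entries = {dn: attrs for dn, attrs in DIRECTORY.items()
               if dn.lower().endswith(base.lower())
               and attrs.get("sAMAccountName") == username}
    referrals = ROOT_REFERRALS if base.lower() == DOMAIN_ROOT else []
    if referrals and not ignore_partial_result:
        raise PartialResultException(
            f"Unprocessed Continuation Reference(s); remaining name '{base}'")
    return entries

def map_attributes(attrs, mapping, warn=print):
    """Copy LDAP attributes to Principal attributes (key=LDAP, value=Principal).
    Byte values are decoded, emitting the same WARN text persondir logs."""
    principal = {}
    for ldap_name, principal_name in mapping.items():
        value = attrs.get(ldap_name)
        if value is None:
            continue  # attribute absent on the entry: nothing to map
        if isinstance(value, bytes):
            warn(f"Converting value 0 of LDAP attribute '{ldap_name}' from byte[] to String")
            value = value.decode("utf-8")
        principal[principal_name] = value
    return principal

def resolve(base, username, mapping, ignore_partial_result=False, warn=print):
    """Search, take the single matching entry, and build the Principal attributes."""
    entries = search(base, username, ignore_partial_result)
    (attrs,) = entries.values()  # exactly one result is expected for a login
    return map_attributes(attrs, mapping, warn)
```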