I would like to clarify a couple of points here about configuring CAS for LDAP authentication. BindLdapAuthenticationHandler is for the use case where the DN cannot be constructed from the user name used for authentication, requiring instead a search operation to map the user name to a full DN that can then be used for a bind operation to verify the password. Most directories, including AD, are not configured to allow anonymous searches for any meaningful data, so a service credential is required.
FastBindLdapAuthenticationHandler, on the other hand, is for the case where the full DN is simply a full qualification of the user name, e.g. uid=marvin,ou=middleware,dc=vt,dc=edu, where marvin is the user name. No search is required here since you can construct the DN by string concatenation, and therefore a separate service credential is not required for this handler. Additionally, FastBindLdapAuthenticationHandler works with AD in some cases, depending on your OU structure and authentication needs. The unit test for that class can be configured against arbitrary LDAP environments, and we confirmed it works against our AD infrastructure here at Virginia Tech.

M
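The two flows described above, as an added example that is not part of the original post and not CAS's own code: "fast bind" builds the DN by concatenation and binds as the user directly, while "search then bind" first binds with a service credential, searches for the user's entry, and only then binds as the discovered DN. It runs against a constructed in-memory directory so it works offline; the `%u` placeholder, the service account `cn=cas-svc,ou=services,dc=vt,dc=edu`, the sample passwords and the `FakeDirectory` class are all assumptions made for the illustration. Because the fast-bind DN and the search filter are both assembled from the user-supplied name, the example also shows the RFC 4514 (DN) and RFC 4515 (filter) escaping a practitioner should make sure is applied at that point, and it rejects empty passwords, which many servers would otherwise treat as an anonymous bind; the post does not say how CAS itself handles either case.

```python
"""Added illustration of fast-bind vs. search-then-bind LDAP authentication.
Not CAS code: the directory, service account and users below are constructed."""
import re
from typing import Dict, List, Optional

# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_ESCAPE = {',': '\\,', '+': '\\+', '"': '\\"', '\\': '\\\\',
              '<': '\\<', '>': '\\>', ';': '\\;', '=': '\\='}
# RFC 4515: characters that must be hex-escaped inside a search filter value.
_FILTER_ESCAPE = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value before concatenating it into a DN."""
    out = ''.join(_DN_ESCAPE.get(ch, ch) for ch in value)
    if out.startswith(('#', ' ')):
        out = '\\' + out
    if out.endswith(' '):
        out = out[:-1] + '\\ '
    return out


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it in a filter assertion."""
    return ''.join(_FILTER_ESCAPE.get(ch, ch) for ch in value)


def build_dn(template: str, username: str) -> str:
    """Fast-bind style: qualify the user name into a DN by string concatenation."""
    return template.replace('%u', escape_dn_value(username))


def build_filter(template: str, username: str) -> str:
    """Search-bind style: build the equality filter used to locate the entry."""
    return template.replace('%u', escape_filter_value(username))


class FakeDirectory:
    """Constructed stand-in for an LDAP server: DN -> {'password', 'attrs'}."""

    def __init__(self, entries: Dict[str, dict]):
        self.entries = {dn.lower(): e for dn, e in entries.items()}

    def bind(self, dn: str, password: str) -> bool:
        # Empty password is refused explicitly; RFC 4513 lets a server treat an
        # unauthenticated bind as anonymous, which must never count as success.
        entry = self.entries.get(dn.lower())
        return bool(password) and entry is not None and entry['password'] == password

    def search(self, base: str, filt: str) -> List[str]:
        """Supports only a single '(attr=value)' equality filter, value unescaped."""
        m = re.fullmatch(r'\((\w+)=(.*)\)', filt)
        if m is None:
            return []
        attr, raw = m.group(1), m.group(2)
        value = re.sub(r'\\([0-9a-fA-F]{2})', lambda x: chr(int(x.group(1), 16)), raw)
        return [dn for dn, e in self.entries.items()
                if dn.endswith(',' + base.lower()) and e['attrs'].get(attr) == value]


def fast_bind(directory: FakeDirectory, dn_template: str,
              username: str, password: str) -> Optional[str]:
    """FastBind flow: no search, no service credential. Returns the bound DN."""
    dn = build_dn(dn_template, username)
    return dn if directory.bind(dn, password) else None


def search_then_bind(directory: FakeDirectory, service_dn: str, service_pw: str,
                     base: str, filter_template: str,
                     username: str, password: str) -> Optional[str]:
    """Bind flow: service bind, search for exactly one entry, then user bind."""
    if not directory.bind(service_dn, service_pw):
        raise RuntimeError('service credential rejected; cannot search')
    matches = directory.search(base, build_filter(filter_template, username))
    if len(matches) != 1:          # unknown or ambiguous user: never bind
        return None
    return matches[0] if directory.bind(matches[0], password) else None


# Constructed sample directory, templates and service credential.
DIRECTORY = FakeDirectory({
    'uid=marvin,ou=middleware,dc=vt,dc=edu': {'password': 'hitchhiker', 'attrs': {'uid': 'marvin'}},
    'cn=cas-svc,ou=services,dc=vt,dc=edu': {'password': 'svc-secret', 'attrs': {'cn': 'cas-svc'}},
})
DN_TEMPLATE = 'uid=%u,ou=middleware,dc=vt,dc=edu'
SEARCH_BASE = 'ou=middleware,dc=vt,dc=edu'
FILTER_TEMPLATE = '(uid=%u)'
SERVICE_DN = 'cn=cas-svc,ou=services,dc=vt,dc=edu'
SERVICE_PW = 'svc-secret'

if __name__ == '__main__':
    print('fast bind  :', fast_bind(DIRECTORY, DN_TEMPLATE, 'marvin', 'hitchhiker'))
    print('search bind:', search_then_bind(DIRECTORY, SERVICE_DN, SERVICE_PW,
                                           SEARCH_BASE, FILTER_TEMPLATE, 'marvin', 'hitchhiker'))
    print('escaped DN :', build_dn(DN_TEMPLATE, 'marvin,ou=admins'))
    print('escaped flt:', build_filter(FILTER_TEMPLATE, '*'))
```

The point to take from the two flows is the one the post makes: `search_then_bind` cannot run at all without a working service credential, whereas `fast_bind` needs only the template. The escaping helpers are where a deployment should look when user names may contain DN or filter metacharacters, since a name such as `marvin,ou=admins` must stay inside the `uid` value rather than turn into additional RDNs.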
