I have used LDP this morning and did a bind as administrator, which was
successful, and then did a search for a user with their full DN path and
found the user successfully in my AD. I have then tried the same
settings in CAS using the FastBind bean method, connecting in my context
with the administrator, and it still won't authenticate the user.
Settings are currently as follows:
        <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
          <property name="filter"
                    value="cn=%u,ou=Identities,dc=ExampleOrganization,dc=local" />
          <property name="contextSource" ref="contextSource" />
        </bean>
      </list>
    </property>
  </bean>

  <bean id="contextSource"
        class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="urls">
      <list>
        <value>ldap://198.168.0.1</value>
      </list>
    </property>
    <property name="userName" value="Administrator"/>
    <property name="password" value="apassword"/>
    <property name="baseEnvironmentProperties">
      <map>
        <entry>
          <key>
            <value>java.naming.security.authentication</value>
          </key>
          <value>simple</value>
        </entry>
      </map>
    </property>
  </bean>
Regards
Mike Jones
Identity Management Systems Administrator
IT Systems
University of Hull
Tel: 01482 465549
Email: [email protected]
-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: 26 May 2009 17:39
To: [email protected]
Subject: Re: [cas-user] Problem authenticating with CAS to Active Directory
I would like to clarify a couple of points here about configuring CAS
for LDAP authentication. BindLdapAuthenticationHandler is for the use
case where DN cannot be constructed from the user name used for
authentication, requiring instead a search operation to be performed
to map the user name to a full DN that can be used for a bind
operation to verify the password. Most directories, including AD, are
not configured to allow anonymous searches for any meaningful data, so
a service credential is required.
FastBindLdapAuthenticationHandler, on the other hand, is when the full
DN is simply a full qualification of the user name, e.g.
uid=marvin,ou=middleware,dc=vt,dc=edu, where marvin is the user name.
No search is required here since you can construct the DN by string
concatenation, and therefore a separate service credential is not
required for this handler. Additionally,
FastBindLdapAuthenticationHandler works with AD in some cases,
depending on your OU structure and authentication needs. The unit
test for that class can be configured against arbitrary LDAP
environments, and we confirmed it works against our AD infrastructure
here at Virginia Tech.
M
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
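Marvin's distinction between the two handlers, as an added Python model that is not CAS code and not from either message: a constructed in-memory directory stands in for AD, fast_bind_authenticate builds the DN from the filter template in Mike's configuration and binds as the user, and search_bind_authenticate resolves the DN by attribute search under a service credential first. The directory entries, attribute names, passwords and the RFC 4514 escaping helper are assumptions for the model.

```python
"""Model of CAS LDAP authentication: FastBind (DN by template) vs Bind (search, then bind)."""
from typing import Dict, Optional

# Constructed in-memory directory (not real data): DN -> password and attributes.
# The user's RDN is the CN, so "cn=%u" only works when %u is the CN, not the account name.
DIRECTORY: Dict[str, dict] = {
    "cn=Mike Jones,ou=Identities,dc=ExampleOrganization,dc=local": {
        "password": "user-secret", "sAMAccountName": "mjones"},
    "cn=Administrator,cn=Users,dc=ExampleOrganization,dc=local": {
        "password": "apassword", "sAMAccountName": "Administrator"},
}

TEMPLATE = "cn=%u,ou=Identities,dc=ExampleOrganization,dc=local"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514), so the
    user name cannot alter the DN structure built by string substitution."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldap_bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


def fast_bind_authenticate(filter_template: str, username: str, password: str) -> bool:
    """FastBindLdapAuthenticationHandler: no search, no service credential.
    The DN is the template with %u replaced by the (escaped) user name."""
    dn = filter_template.replace("%u", escape_rdn_value(username))
    return ldap_bind(dn, password)


def search_bind_authenticate(service_dn: Optional[str], service_pw: Optional[str],
                             attr: str, username: str, password: str) -> bool:
    """BindLdapAuthenticationHandler: bind with the service credential, search for
    exactly one entry whose attribute equals the user name, then bind as that DN."""
    # Modelled as in the thread: without a service credential the search yields nothing.
    if service_dn is None or not ldap_bind(service_dn, service_pw or ""):
        return False
    matches = [dn for dn, e in DIRECTORY.items() if e.get(attr) == username]
    if len(matches) != 1:
        return False  # zero or ambiguous matches never authenticate
    return ldap_bind(matches[0], password)
```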