FastBind is ignoring any credentials you set in the ContextSource, which means that the ones in the ContextSource are actually probably incorrect (or at least don't have the correct permissions to do stuff)

Cheers,
Scott

On Wed, Jun 17, 2009 at 8:41 AM, Winter, James <[email protected]> wrote:

> Scott,
>
> Do you use the FastBindLdapAuthenticationHandler or the
> BindLdapAuthenticationHandler? I can get the fastbind to work using
> %[email protected] <%[email protected]> but I couldn’t get the Bind to work using
> the same credentials that I have in the contextSource.
>
> *James Winter*
> 215.517.2588
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Tuesday, June 16, 2009 11:20 PM
> *To:* [email protected]
> *Subject:* Re: [cas-user] CAS and Active Directory
>
> You can use this simplified resolver:
>
> <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"
>       p:attributeRepository-ref="attributeRepository" />
>
> Example repository:
>
> <bean class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao"
>       p:baseDN="ou=users,dc=school,dc=ad,dc=school,dc=edu"
>       p:query="(sAMAccountName={0})"
>       p:contextSource-ref="contextSource">
>   <property name="ldapAttributesToPortalAttributes">
>     <map>
>       <entry key="givenName" value="givenName"/>
>       <entry key="mail" value="mail" />
>       <entry key="employeeID" value="employeeID" />
>       <entry key="displayName" value="displayName" />
>       <entry key="sn" value="sn" />
>     </map>
>   </property>
> </bean>
>
> On Tue, Jun 16, 2009 at 4:04 PM, Scott Battaglia <[email protected]> wrote:
>
> Just a note that you can simplify your configuration and apply the
> "attributeRepository" directly to the
> UsernamePasswordCredentialsToPrincipalResolver. You usually only use the
> CredentialsToLdapAttributePrincipalResolver to map the username provided to
> something else.
>
> That said I don't see anything crazy off the top of my head, but I'll
> double check my AD config at home.
>
> Cheers,
> Scott
>
> On Tue, Jun 16, 2009 at 3:59 PM, Winter, James <[email protected]> wrote:
>
> Inside of credentialsToPrincipalResolvers:
>
> <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>   <property name="credentialsToPrincipalResolver">
>     <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>   </property>
>   <property name="filter" value="(sAMAccountName=%u)" />
>   <property name="principalAttributeName" value="Name" />
>   <property name="searchBase" value="CN=Users,DC=school,DC=edu" />
>   <property name="contextSource" ref="contextSource" />
>   <property name="attributeRepository">
>     <ref bean="attributeRepository" />
>   </property>
> </bean>
>
> And the attributeRepository:
>
> <bean id="attributeRepository"
>       class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>   <property name="baseDN" value="cn=Users,dc=school,dc=edu" />
>   <property name="query" value="(samAccountName={0})" />
>   <property name="contextSource" ref="contextSource" />
>   <property name="ldapAttributesToPortalAttributes">
>     <map>
>       <entry key="samAccountName" value="Name" />
>       <entry value="mail" key="EmailAddress" />
>     </map>
>   </property>
> </bean>
>
> This is the contextSource:
>
> <bean id="contextSource"
>       class="org.springframework.ldap.core.support.LdapContextSource">
>   <property name="urls">
>     <list>
>       <value>ldap://server.school.edu</value>
>     </list>
>   </property>
>   <property name="userDn" value="{full DN for user}"/>
>   <property name="password" value="{password}"/>
>   <property name="baseEnvironmentProperties">
>     <map>
>       <entry>
>         <key>
>           <value>java.naming.security.authentication</value>
>         </key>
>         <value>simple</value>
>       </entry>
>     </map>
>   </property>
> </bean>
>
> *James Winter*
> 215.517.2588
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Tuesday, June 16, 2009 3:41 PM
> *To:* [email protected]
> *Subject:* Re: [cas-user] CAS and Active Directory
>
> Can you post your config minus the password and any other incriminating
> evidence? Also, does the binding user have permission to see the attributes
> you're trying to retrieve?
>
> Cheers,
> Scott
>
> On Tue, Jun 16, 2009 at 3:40 PM, Winter, James <[email protected]> wrote:
>
> I am using the same contextSource, yes.
>
> *James Winter*
> 215.517.2588
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Tuesday, June 16, 2009 3:37 PM
> *To:* [email protected]
> *Subject:* Re: [cas-user] CAS and Active Directory
>
> According to my quick google search, that usually means an error in the
> username provided to bind. Are you using the same LdapContextSource for the
> bind authentication handler AND the attribute stuff?
>
> Cheers,
> Scott
>
> On Tue, Jun 16, 2009 at 3:18 PM, James Winter <[email protected]> wrote:
>
> I always get this error:
>
> org.springframework.ldap.AuthenticationException: [LDAP: error code 49 -
> 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data
> 525
>
> But again, the authentication itself works correctly, just not any of the
> attributes. I think I just need an example deployerConfigContext to get me
> started. I cobbled together some examples, but I didn't get very far.
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
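
Added example (not part of the original thread, and not CAS or Spring LDAP code): a small triage helper that decodes the Active Directory sub-code in the "data" field of an LDAP error 49 such as the one quoted above, so a failed bind can be traced to the bind DN, the password or the account state. The function and variable names are hypothetical, and the second sample line is constructed.

```python
import re

# Active Directory sub-codes carried (in hex) in the "data" field of an
# LDAP error code 49 bind failure, with the first thing to check for each.
AD_BIND_SUBCODES = {
    "525": ("user not found", "check the bind DN / username"),
    "52e": ("invalid credentials", "account exists; check the password"),
    "530": ("logon not permitted at this time", "check logon-hours restrictions"),
    "531": ("logon not permitted from this workstation", "check workstation restrictions"),
    "532": ("password expired", "reset the account password"),
    "533": ("account disabled", "re-enable the account"),
    "701": ("account expired", "extend the account expiry date"),
    "773": ("user must reset password", "clear the must-change-password flag"),
    "775": ("account locked out", "unlock the account"),
}

_BIND_ERROR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<status>[0-9A-Fa-f]{8}): "
    r".*?comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)


def explain_bind_failure(message):
    """Return a dict describing an AD bind failure, or None if no match."""
    flat = " ".join(message.split())  # undo mail/log line wrapping
    m = _BIND_ERROR.search(flat)
    if m is None:
        return None
    data = m.group("data").lower()
    meaning, check = AD_BIND_SUBCODES.get(
        data, ("unknown sub-code", "look the code up as a Win32 error"))
    return {"ldap_code": int(m.group("code")), "comment": m.group("comment").strip(),
            "data": data, "meaning": meaning, "check": check}


# Error text as quoted in the thread (line-wrapped there as well).
THREAD_ERROR = ("org.springframework.ldap.AuthenticationException: [LDAP: error "
                "code 49 -\n80090308: LdapErr: DSID-0C090334, comment: "
                "AcceptSecurityContext error, data\n525")
# Constructed sample: same shape, wrong-password sub-code with a trailing field.
CONSTRUCTED_ERROR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                     "comment: AcceptSecurityContext error, data 52e, v1db1]")

if __name__ == "__main__":
    for line in (THREAD_ERROR, CONSTRUCTED_ERROR):
        print(explain_bind_failure(line))
```

For the error in this thread the helper reports "user not found", which points at the userDn configured on the contextSource rather than at the password.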
