> 1. For Active Directory, what if users are split into different OUs in a
> domain? For instance, staff in a "Staff" OU and students in a "Students"
> OU directly in the root of the domain. I tried leaving the baseDN for
> the attributeRepository as "dc=school,dc=edu" but that gets a
> continuation error. Is there a way to search multiple OUs?

The error above is a known issue, http://www.ja-sig.org/issues/browse/PERSONDIR-53. It _would_ be possible to search below the OU level if the PersonDirectory developers would simply apply the patch that Scott attached to that issue, but their lack of movement on the issue to date suggests it won't be fixed in the near future. Sorry.

The workaround is to create multiple attribute repository beans, each with the scope of the OU you wish to search. We do something similar where different authentication handlers produce different principals, requiring different LDAP queries for attributes. We handle that using two attribute repositories and it works well.

I recall, but don't have a reference, that others have posted to the list with a use case similar to yours and have solved the problem with multiple attribute repositories. You might try searching the archives for those if you would like some concrete configuration examples.

Good luck,
M
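
A sketch of the multiple-repository workaround described in the reply above, added here as an illustration; it is not configuration from the original post or from the CAS project. Assumptions: the Person Directory classes `LdapPersonAttributeDao` and `MergingPersonAttributeDaoImpl` are used to combine the per-OU lookups, property names follow the Person Directory 1.5 style (check them against the release you deploy), `contextSource` is an LDAP context source bean defined elsewhere, and the bean ids other than `attributeRepository`, the OU paths and the attribute names are hypothetical.

```xml
<!-- Added example, not from the original thread. -->

<!-- Shared settings for every per-OU lookup (abstract, never instantiated).
     contextSource is assumed to be defined elsewhere in the context. -->
<bean id="ouAttributeRepository" abstract="true"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="contextSource" ref="contextSource"/>
  <!-- Assumed mapping: CAS principal id is matched against sAMAccountName -->
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="sAMAccountName"/>
    </map>
  </property>
  <!-- Assumed attributes to release; adjust to your directory -->
  <property name="resultAttributeMapping">
    <map>
      <entry key="mail" value="mail"/>
      <entry key="memberOf" value="memberOf"/>
    </map>
  </property>
</bean>

<!-- One repository per OU, so no search starts at the domain root
     (dc=school,dc=edu), which is what produced the continuation error. -->
<bean id="staffAttributeRepository" parent="ouAttributeRepository">
  <property name="baseDN" value="ou=Staff,dc=school,dc=edu"/>
</bean>

<bean id="studentAttributeRepository" parent="ouAttributeRepository">
  <property name="baseDN" value="ou=Students,dc=school,dc=edu"/>
</bean>

<!-- The bean CAS looks up; it asks each per-OU repository in turn and
     merges whatever attributes come back for the principal. -->
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl">
  <property name="personAttributeDaos">
    <list>
      <ref bean="staffAttributeRepository"/>
      <ref bean="studentAttributeRepository"/>
    </list>
  </property>
</bean>
```

Keeping each `baseDN` at the OU level also limits the bind account's searches to the containers that actually hold login accounts.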
