Hello. I was curious about the pooled attributes. We've been using JAAS to Kerberos for our CAS server for years, but I was considering changing it to use LDAP against our Active Directory. So, I followed the directions on the following page on the wiki and got it working:

http://www.ja-sig.org/wiki/display/CASUM/LDAP

I saw in one of the examples where the pooled flag was set when specifying multiple ldap servers, but not set when only one server was specified. I copied the code below from the wiki page. I'm basically doing the same thing.

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="true"/>
    <property name="urls">
        <list>
            <value>ldaps://ldap.rutgers.edu/</value>
            <value>ldaps://ldap2.rutgers.edu/</value>
        </list>
    </property>
</bean>

One of the features we're looking for is the ability to failover to another ldap server. Is the pooled attribute you mentioned earlier (JNDI pooling) the same as the one above? Is that necessary to use multiple servers? I'm not looking to introduce any type of impersonation attacks, but would like the CAS server to be highly available. I'm not really a Java programmer and I'm just looking for some clarification here.

Thanks,
Pat

On Fri, Sep 18, 2009 at 11:41 AM, Marvin Addison <[email protected]> wrote:

> > I found that disabling the OpenLdap pool option on the
> > deployerconfigcontext solves the problem:
> >
> > ...
> > <bean id="OpenLdapContextSource"
> > class="org.springframework.ldap.core.support.LdapContextSource">
> > <property name="pooled" value="false"/>
> > ...
>
> You should _never_ use JNDI pooling, enabled by the pooled attribute,
> for authentication. That may cause the authenticated state of one
> connection to be inherited by a subsequent connection for a different
> user, thus allowing the former credentials to be used instead of the
> current ones. This would allow impersonation attacks.
>
> Formerly, when we wrote the custom AuthenticatedLdapContextSource
> subclass, we explicitly overwrote the pooled property value so this
> wasn't possible. Perhaps we need some big red letters somewhere in
> our documentation that indicates _not_ to do this with the Spring
> LdapContextSource class that we recommend using currently.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
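An added illustration, not part of Pat's message, Marvin's reply or the CAS wiki page: the same Spring LDAP bean once in the form the quoted reply warns against (pooled="true") and once in the form it recommends for an authenticating context source (pooled="false"), with the multi-server URL list kept in both. Bean ids and host names are placeholders. The comments state what pooled does in Spring LDAP (it sets the JDK property com.sun.jndi.ldap.connect.pool) and how the URL list reaches JNDI (joined into one space-separated provider URL that the JDK LDAP provider tries in order), so a server list for failover does not require pooling.

```xml
<!-- Added example, not from the thread or the CAS wiki. Bean ids and hosts are placeholders. -->

<!-- Form the quoted reply warns against for authentication: pooled="true" makes
     Spring LDAP set com.sun.jndi.ldap.connect.pool=true, so bound connections are
     kept and handed out again, and the reply describes how one user's authenticated
     state can then be reused for a later request. -->
<bean id="contextSourcePooled" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="true"/>
    <property name="urls">
        <list>
            <value>ldaps://ldap1.example.edu/</value>
            <value>ldaps://ldap2.example.edu/</value>
        </list>
    </property>
</bean>

<!-- Recommended form for a context source that binds as the end user: pooling off.
     The urls list is still passed to JNDI as one space-separated provider URL
     ("ldaps://ldap1.example.edu/ ldaps://ldap2.example.edu/"), which the JDK LDAP
     provider tries in order, so failover to the second server works without pooling. -->
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false"/>
    <property name="urls">
        <list>
            <value>ldaps://ldap1.example.edu/</value>
            <value>ldaps://ldap2.example.edu/</value>
        </list>
    </property>
</bean>
```

A quick check after deploying: bind as one test account through CAS, then as a second account, and confirm the second login fails when given the first account's password; if it succeeds, pooling (or some other form of connection reuse) is still in effect on the authenticating context source.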
