> Here was my misunderstanding: there is a need for a fully qualified identifier
> for the user who binds, not for the one we're searching.
This is only true if you are using the BindLdapAuthenticationHandler, but I see you're using FastBind. I see from the XML snippets you shared that you are defining manager bind credentials in the context, then using the FastBind handler, which does not need them. Let me outline the use cases for Bind and FastBind:

Use BindLdapAuthenticationHandler when you _cannot_ construct the full DN of a user from the username given in the CAS login screen. That is, you must perform a search based on some other attribute, e.g. mail, in order to determine the DN. This handler performs authentication for each user in three steps: admin bind, search, user bind.

FastBindLdapAuthenticationHandler is more efficient and preferable when you can construct the DN from the username in the login form, e.g. uid=%s,ou=People,dc=vt,dc=edu. The FastBindLdapAuthenticationHandler will immediately construct the user DN and use it with the password provided on the login form to perform an LDAP bind operation.

Hopefully this will clear up what you need to do for your environment.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
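The two flows described in the reply above, modelled as an added example that is not part of the original message and is not CAS code: a constructed in-memory directory stands in for the LDAP server, `fast_bind` builds the DN from the login name and binds once (the FastBind flow), and `bind_search_bind` does the three-step admin bind, search, user bind (the Bind flow). The entry names, manager DN, passwords and the `uid=%s,ou=People,dc=vt,dc=edu` template are assumptions for illustration. The example also carries a general caveat the message does not raise: a login name substituted into a DN template has to be escaped per RFC 4514, otherwise a name containing `,` or `=` produces a different DN than intended. That is a general property of DN construction, not a statement about what CAS's handler does.

```python
"""Model of the Bind and FastBind LDAP authentication flows.

Constructed example: the FakeDirectory below is a stand-in for a real LDAP
server so the code runs offline. Real deployments use an LDAP client library.
"""

from dataclasses import dataclass

# Characters that RFC 4514 section 2.4 requires to be escaped inside a DN value.
_DN_SPECIAL = {",", "+", '"', "\\", "<", ">", ";", "="}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value before embedding it in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class Entry:
    dn: str
    attrs: dict
    password: str


class FakeDirectory:
    """Minimal LDAP server stand-in: bind checks a DN's password, search does
    an equality match on one attribute under a base DN. DN matching is exact
    string comparison here; real servers normalise DNs before comparing."""

    def __init__(self, entries):
        self.entries = {e.dn: e for e in entries}
        self.log = []  # every operation performed, to count round trips

    def bind(self, dn: str, password: str) -> bool:
        self.log.append(("bind", dn))
        entry = self.entries.get(dn)
        return entry is not None and entry.password == password

    def search(self, base: str, attr: str, value: str) -> list:
        # With a real server the value must also be RFC 4515 filter-escaped.
        self.log.append(("search", base, f"({attr}={value})"))
        return [e.dn for e in self.entries.values()
                if e.dn.endswith(base) and e.attrs.get(attr) == value]


def fast_bind(directory, dn_template: str, username: str, password: str) -> bool:
    """FastBind flow: construct the user DN from the login name, bind once."""
    user_dn = dn_template % escape_dn_value(username)
    return directory.bind(user_dn, password)


def bind_search_bind(directory, manager_dn: str, manager_pw: str, base: str,
                     attr: str, username: str, password: str) -> bool:
    """Bind flow: admin bind, search for the user's DN, then bind as the user."""
    if not directory.bind(manager_dn, manager_pw):
        return False
    matches = directory.search(base, attr, username)
    if len(matches) != 1:  # unknown user or ambiguous match: fail closed
        return False
    return directory.bind(matches[0], password)


def run_scenarios() -> dict:
    """Exercise both flows against constructed entries and report outcomes."""
    people = "ou=People,dc=vt,dc=edu"
    manager_dn = "cn=manager,dc=vt,dc=edu"  # assumed manager account
    d = FakeDirectory([
        Entry(manager_dn, {}, "manager-secret"),
        Entry(f"uid=jdoe,{people}", {"uid": "jdoe", "mail": "jdoe@vt.edu"}, "hunter2"),
        # A uid containing a comma; its DN stores the RFC 4514 escaped form.
        Entry(f"uid=o\\,malley,{people}", {"uid": "o,malley", "mail": "omalley@vt.edu"}, "pw"),
    ])
    template = "uid=%s," + people
    r = {}

    d.log.clear()
    r["fast_ok"] = fast_bind(d, template, "jdoe", "hunter2")
    r["fast_ops"] = list(d.log)  # exactly one bind

    d.log.clear()
    r["bind_ok"] = bind_search_bind(d, manager_dn, "manager-secret", people,
                                    "mail", "jdoe@vt.edu", "hunter2")
    r["bind_ops"] = list(d.log)  # bind, search, bind

    r["bind_unknown"] = bind_search_bind(d, manager_dn, "manager-secret", people,
                                         "mail", "nobody@vt.edu", "hunter2")
    r["fast_bad_pw"] = fast_bind(d, template, "jdoe", "wrong")
    # Escaped substitution reaches the right entry; raw substitution does not.
    r["fast_comma"] = fast_bind(d, template, "o,malley", "pw")
    r["fast_comma_unescaped"] = d.bind(template % "o,malley", "pw")
    return r


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(k, v)
```

The operation log is the point of the comparison: a FastBind login is one round trip as the user, while a Bind login costs a manager bind and a search before the user bind, which is why the manager credentials are only needed for the latter.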
