Hi Marvin,
as we have many different DNs, for the time being I cannot use the
FastBindLdapAuthenticationHandler due to limitations on our system.
So that's why I have to use the BindLdap, for which I seem to get to the
point outlined in my last e-mail: an infinite sequence of (incrementally
numbered) "Granting service tickets" that lead to nowhere (on Explorer)
or to a "Redirect loop" error on Firefox.
Has this happened to anyone?
Thanks,
Giuseppe
Marvin Addison wrote:
Here was my misunderstanding: there is a need for a fully qualified identifier
for the user who binds, not for the one we're searching.
This is only true if you are using the BindLdapAuthenticationHandler,
but I see you're using FastBind. I see from the XML snippets you
shared that you are defining manager bind credentials in the context,
then using the FastBind handler which does not need them. Let me
outline the use cases for Bind and FastBind:
Use BindLdapAuthenticationHandler when you _cannot_ construct the full
DN of a user from the username given in the CAS login screen. That
is, you must perform a search based on some other attribute, e.g.
mail, in order to determine the DN. This handler performs
authentication for each user in three steps: admin bind, search, user
bind.
FastBindLdapAuthenticationHandler is more efficient and preferable
when you can construct the DN from the username in the login form,
e.g. uid=%s,ou=People,dc=vt,dc=edu. The
FastBindLdapAuthenticationHandler will immediately construct the user
DN and use it with the password provided on the login form to perform
an LDAP bind operation.
Hopefully this will clear up what you need to do for your environment.
M
--
Giuseppe Sollazzo
Systems Developer / Administrator
Computing Services
St. George's, University of London
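Added example, not part of the original thread and not CAS code: a Python sketch of the two strategies described above (template DN plus one bind, versus manager bind, search, user bind), showing why a single DN template fails when users sit under different branches. `FakeDirectory`, the helper names and all entries are constructed stand-ins for a real LDAP server.

```python
import re

class FakeDirectory:
    """In-memory stand-in for an LDAP server (constructed, not a real API)."""
    def __init__(self, entries):
        self.entries = entries      # DN -> (attributes, password)
        self.binds = 0              # bind operations performed so far

    def bind(self, dn, password):
        self.binds += 1
        entry = self.entries.get(dn)
        # An empty password must never count as a successful login.
        return bool(password) and entry is not None and entry[1] == password

    def search(self, attr, value):
        return [dn for dn, (attrs, _) in self.entries.items()
                if attrs.get(attr) == value]

def escape_dn_value(value):
    """Escape RFC 4514 special characters so input cannot reshape the DN."""
    out = re.sub(r'([,+"\\<>;=])', r'\\\1', value).replace("\x00", "\\00")
    if out[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def fast_bind(directory, dn_template, username, password):
    """FastBind style: build the DN from the template, then one user bind."""
    return directory.bind(dn_template % escape_dn_value(username), password)

def search_then_bind(directory, manager_dn, manager_pw, attr, username, password):
    """Bind style: manager bind, search for the user's DN, then user bind."""
    if not directory.bind(manager_dn, manager_pw):
        raise RuntimeError("manager bind failed")
    matches = directory.search(attr, username)
    if len(matches) != 1:           # unknown or ambiguous user: refuse
        return False
    return directory.bind(matches[0], password)

# Constructed sample data: users live under different branches.
MANAGER_DN, MANAGER_PW = "cn=manager,dc=example,dc=org", "manager-secret"
ENTRIES = {
    MANAGER_DN: ({}, MANAGER_PW),
    "uid=alice,ou=Staff,dc=example,dc=org": ({"uid": "alice"}, "alice-pw"),
    "uid=bob,ou=Students,dc=example,dc=org": ({"uid": "bob"}, "bob-pw"),
}
TEMPLATE = "uid=%s,ou=Staff,dc=example,dc=org"
```

With this data, `fast_bind` authenticates alice but not bob, whose entry is outside the template's branch, while `search_then_bind` finds bob at the cost of one extra bind and a search.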