Dear M and all,

I have solved this issue as below:

1) Turn on the property "ignorePartialResultException" of the bean
"org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" by adding a
configuration line:

<property name="ignorePartialResultException" value="true"/>

2) Update code of
"org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" of CAS (I use
version 3.5.5):
In the method "protected final boolean
authenticateUsernamePasswordInternal(final UsernamePasswordCredentials
credentials)":
Comment out the "return" statement in the code below.
        if (cns.size() > 1 && !this.allowMultipleAccounts) {
            // return false;
        }

Then compile and package "cas-server-support-ldap", and update
"cas-server-support-ldap-3.3.5.jar" in CAS.

I would like to inform you of a new option.

Best Regards,

Thach
On Wed, Dec 23, 2009 at 9:10 PM, Marvin Addison <[email protected]> wrote:

> > The exception is logged:
> > javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
> > remaining name 'DC=mydomain,DC=mycompany,DC=com'
>
> By default, the Sun JNDI provider sends the LDAPv3 ManageDsaIT control
> to AD, but this control is not supported since AD is not LDAPv3
> compliant.  The behavior of AD is to send a referral for the actual
> entry, which is not expected by the JNDI provider and it throws a
> PartialResultException when it sees the referral.  You have a few
> options to avoid this:
>
>  - Query the global catalog which apparently does not contain referrals
>  - Set the Context.REFERRAL property to follow to cause the JNDI
> provider to do client-side referral following (see
> http://java.sun.com/products/jndi/tutorial/ldap/referral/jndi.html for
> more info)
>  - Configure a number of authentication handlers, each pointing to a
> different search base above the root (apparently only the root
> contains referrals; we have no docs to support this, only experience)
>  - Set the ignorePartialResultException of the LDAP auth handler to
> true; see http://www.ja-sig.org/wiki/display/CASUM/LDAP for an example
>
> The last option is the easiest and usually sufficient, but it's
> important to note you _may_ miss results since the ordering of results
> before referrals is not guaranteed.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>

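An added example, not part of the original thread and not CAS or Spring LDAP code: a small Java simulation of the last option in Marvin's list, where a PartialResultException raised during result enumeration is ignored, followed by an exactly-one-match check on the DNs that were collected before a bind is attempted. The class name, method names and sample DNs are constructed for illustration, and the in-memory enumeration stands in for a real directory search.

```java
import java.util.*;
import javax.naming.*;

public class PartialResultDemo {
    /** Constructed stand-in for a directory search: yields the given DNs, then signals a referral. */
    static NamingEnumeration<String> searchWithReferral(List<String> dns) {
        Iterator<String> it = dns.iterator();
        return new NamingEnumeration<String>() {
            public boolean hasMore() throws NamingException {
                if (it.hasNext()) return true;
                throw new PartialResultException("Unprocessed Continuation Reference(s)");
            }
            public String next() { return it.next(); }
            public void close() {}
            public boolean hasMoreElements() { return it.hasNext(); }
            public String nextElement() { return it.next(); }
        };
    }

    /** Collects DNs; with ignorePartial=true a referral ends the loop instead of failing the search. */
    static List<String> collect(NamingEnumeration<String> results, boolean ignorePartial)
            throws NamingException {
        List<String> found = new ArrayList<>();
        try {
            while (results.hasMore()) found.add(results.next());
        } catch (PartialResultException e) {
            if (!ignorePartial) throw e; // default behaviour: the referral surfaces as an error
        } finally {
            results.close();
        }
        return found;
    }

    /** Returns the DN to bind as only when the filter matched exactly one entry. */
    static Optional<String> uniqueDn(List<String> dns) {
        return dns.size() == 1 ? Optional.of(dns.get(0)) : Optional.empty();
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample DNs, not taken from the thread.
        List<String> one = List.of("CN=jdoe,OU=Staff,DC=example,DC=org");
        List<String> two = List.of(one.get(0), "CN=jdoe,OU=Contractors,DC=example,DC=org");
        System.out.println(uniqueDn(collect(searchWithReferral(one), true)));
        System.out.println(uniqueDn(collect(searchWithReferral(two), true)));
        try { collect(searchWithReferral(one), false); }
        catch (PartialResultException e) { System.out.println("search failed: " + e.getMessage()); }
    }
}
```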