I have an Active Directory setup with the users in different top-level OUs
(Staff, Students, Faculty, Alumni, etc.). Staff is subdivided into
departments containing users. If I point the searchBase of the
org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver
bean to one of the OUs, I can authenticate any of the users in that OU (if I
point it to the Staff directory, I can authenticate anyone in a sub-unit of
Staff). However, if I point the searchBase to the domain I get a
"javax.naming.PartialResultException: Unprocessed Continuation Reference(s);"
error, which I have read about and which seems to be a common issue with Active
Directory.
So I thought I would try setting multiple
CredentialsToLDAPAttributePrincipalResolver beans, each pointing to a different
OU, since the container is a list and the description says:

    This is the List of CredentialToPrincipalResolvers that identify what
    Principal is trying to authenticate. The AuthenticationManagerImpl
    considers them in order, finding a CredentialToPrincipalResolver which
    supports the presented credentials.
But when I attempt to log in that way, I am getting a
"java.lang.NullPointerException" exception:
org.springframework.web.util.NestedServletException: Request processing failed;
nested exception is
org.springframework.webflow.engine.ActionExecutionException: Exception thrown
executing [AnnotatedAction@2f327c02 targetAction =
org.jasig.cas.web.flow.AuthenticationViaFormAction@173a0067, attributes =
map['method' -> 'submit']] in state 'submit' of flow 'login-webflow' -- action
execution attributes were 'map['method' -> 'submit']'; nested exception is
java.lang.NullPointerException
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:583)
org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:511)
javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:99)
org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
This error does not come up if I attempt to log in as a user in the OU that is
listed first, so it seems like some credential is getting "used up" when going
through the first CredentialsToLDAPAttributePrincipalResolver bean.
So, for example, if I have:
<property name="credentialsToPrincipalResolvers">
    <list>
        <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
            <!-- The Principal resolver from the credentials -->
            <property name="credentialsToPrincipalResolver">
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
            </property>
            <!-- The query made to find the Principal ID. "%u" will be replaced by the
                 resolved Principal -->
            <property name="filter" value="(sAMAccountname=%u)" />
            <!-- The attribute used to define the new Principal ID -->
            <property name="principalAttributeName" value="sAMAccountname" />
            <property name="searchBase" value="ou=Staff,dc=<domain>,dc=<ext>" />
            <property name="contextSource" ref="contextSource" />
            <property name="attributeRepository" ref="attributeRepository" />
        </bean>
        <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
            <!-- The Principal resolver from the credentials -->
            <property name="credentialsToPrincipalResolver">
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
            </property>
            <!-- The query made to find the Principal ID. "%u" will be replaced by the
                 resolved Principal -->
            <property name="filter" value="(sAMAccountname=%u)" />
            <!-- The attribute used to define the new Principal ID -->
            <property name="principalAttributeName" value="sAMAccountname" />
            <property name="searchBase" value="ou=Students,dc=<domain>,dc=<ext>" />
            <property name="contextSource" ref="contextSource" />
            <property name="attributeRepository" ref="attributeRepository" />
        </bean>
    </list>
</property>
I can log in as any user in the Staff OU, but get an error if I attempt to log
in as any user in the Students OU.
Is there any way to do what I am trying to do?
I'm currently using CAS server version 3.3.1.
Thanks,
Aaron
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
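Both resolver beans in the post accept the same UsernamePasswordCredentials, and the description quoted there says the manager uses the first resolver that supports the presented credentials, so a second per-OU resolver is never reached. The route that covers every OU is a single resolver whose searchBase is the domain root, combined with a context source that tells JNDI what to do with the continuation references Active Directory returns for a search at that level (JNDI's default java.naming.referral setting is "ignore", which is what produces the "Unprocessed Continuation Reference(s)" PartialResultException). The deployerConfigContext.xml fragment below is an added example written for this page, not configuration from the post or from the CAS project. It assumes the usual Spring LDAP org.springframework.ldap.core.support.LdapContextSource as the contextSource bean; the host dc1.example.edu, the domain example.edu, the service account cn=cas-ldap and the ${ldap.password} placeholder are hypothetical.

```xml
<!-- Added example, not from the original post. The entry that matters is
     java.naming.referral; everything else is the usual LdapContextSource setup. -->
<bean id="contextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false" />
    <!-- Hypothetical host. Use ldaps (or TLS) here: with referral following,
         JNDI re-binds with the same service-account credentials on every
         server a referral points at, so a clear-text bind would be repeated
         against hosts you did not configure yourself. -->
    <property name="urls">
        <list>
            <value>ldaps://dc1.example.edu:636/</value>
        </list>
    </property>
    <!-- Hypothetical read-only service account; keep it unprivileged for the
         same reason. ${ldap.password} is an assumed property placeholder. -->
    <property name="userDn"
              value="cn=cas-ldap,ou=Service Accounts,dc=example,dc=edu" />
    <property name="password" value="${ldap.password}" />
    <property name="baseEnvironmentProperties">
        <map>
            <entry key="java.naming.security.authentication" value="simple" />
            <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
            <!-- JNDI default is "ignore", which raises
                 javax.naming.PartialResultException: Unprocessed Continuation Reference(s)
                 as soon as a subtree search from dc=example,dc=edu hits the
                 referrals AD emits for its DNS and Configuration naming contexts.
                 "follow" chases them instead. -->
            <entry key="java.naming.referral" value="follow" />
        </map>
    </property>
</bean>

<!-- One resolver over the whole domain instead of one bean per OU. -->
<property name="credentialsToPrincipalResolvers">
    <list>
        <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
            <property name="credentialsToPrincipalResolver">
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
            </property>
            <property name="filter" value="(sAMAccountName=%u)" />
            <property name="principalAttributeName" value="sAMAccountName" />
            <!-- Domain root: Staff, Students, Faculty and Alumni all sit below it,
                 so the per-OU beans are no longer needed. -->
            <property name="searchBase" value="dc=example,dc=edu" />
            <property name="contextSource" ref="contextSource" />
            <property name="attributeRepository" ref="attributeRepository" />
        </bean>
    </list>
</property>
```

Two things to check before relying on this. First, a domain-root searchBase removes the implicit restriction the per-OU beans gave you: any account whose sAMAccountName matches, in any OU (service accounts, a holding OU for disabled or departed users, and so on), now resolves to a principal, so if OU placement was doing duty as an "allowed to use CAS" gate, that gate has to be re-created elsewhere, for example in the filter or in the authentication handler. Second, if following referrals is not acceptable in your environment, the alternative is to point the urls list at the Global Catalog (port 3268, or 3269 over TLS), which answers forest-wide searches without continuation references; the catch is that the GC only returns attributes in the partial attribute set, so a resolver or attribute repository that needs other attributes must stay on the regular port.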