> I am trying to get some attributes (mail address, full name) from the
> LDAP directory using the FastBindLdapAuthenticationHandler method.
> In our environment each user is allowed to read his own attributes (like
> cn or mail), so I have thought there is no need for a special bind user.

The attribute query happens on a separate connection, so even if you use the same LdapContextSource, there is a different authentication context. In fact it's likely anonymous, in which case I'd imagine the user attributes would not be visible.

We solve this problem at the directory level where we connect via SASL EXTERNAL using a certificate as a service credential that is authorized to read application-specific attributes. I can put you in touch with our (excellent) directory admin if you'd like more information.

M
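
The separate attribute connection described in the reply above, sketched with plain JNDI as an added example (not code from the original post or from CAS): the lookup binds with SASL EXTERNAL, so the TLS client certificate is the service credential and no bind DN or password is configured. The host, base DN, `uid` search attribute and the use of JSSE keystore system properties are assumptions, and the directory must map the certificate to an identity that is authorized to read `cn` and `mail`.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class ServiceAttributeLookup {
    // Assumed values for illustration; replace with your directory's.
    static final String LDAP_URL = "ldaps://ldap.example.org:636";
    static final String BASE_DN = "ou=people,dc=example,dc=org";

    // Environment for the attribute connection: no bind DN or password.
    // The TLS client certificate is the credential (SASL EXTERNAL).
    static Hashtable<String, String> serviceEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
        return env;
    }

    // Reads cn and mail for exactly one user over the service connection.
    static Attributes lookup(String uid) throws NamingException {
        DirContext ctx = new InitialDirContext(serviceEnv());
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn", "mail"});
            // {0} is substituted by JNDI with LDAP filter escaping applied.
            NamingEnumeration<SearchResult> hits =
                ctx.search(BASE_DN, "(uid={0})", new Object[] {uid}, sc);
            if (!hits.hasMore()) throw new NamingException("no entry for " + uid);
            Attributes attrs = hits.next().getAttributes();
            if (hits.hasMore()) throw new NamingException("ambiguous uid " + uid);
            return attrs;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Run with -Djavax.net.ssl.keyStore=<path> -Djavax.net.ssl.keyStorePassword=<secret>
        // so the default JSSE socket factory presents the service certificate.
        Attributes a = lookup(args[0]);
        System.out.println(a.get("cn") + " / " + a.get("mail"));
    }
}
```

Requesting only `cn` and `mail` keeps the service identity's effective read scope as narrow as the application needs, even if the directory ACL grants more.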
