Ahh, I understand. That is tragic. There is a bind user in our environment, which I can use for an LDAP search. That's less effort than using certificates - especially since I have no admin rights on our LDAP directory.

Or does this not work either? Using FastBind for the user auth - and a separate bind user for the search/getAttributes. If necessary I completely waive this FastBind method and use the bind user for everything.

Thanks,
Kevin

On 11.06.2011 14:00, Marvin Addison wrote:
>> I am trying to get some attributes (mail address, full name) from the
>> LDAP directory using the FastBindLdapAuthenticationHandler method.
>> In our environment each user is allowed to read his own attributes (like
>> cn or mail), so I have thought there is no need for a special bind user.
>
> The attribute query happens on a separate connection, so even if you use the
> same LdapContextSource, there is a different authentication context. In fact
> it's likely anonymous, in which case I'd imagine the user attributes would
> not be visible.
>
> We solve this problem at the directory level where we connect via SASL
> EXTERNAL using a certificate as a service credential that is authorized to
> read application-specific attributes. I can put you in touch with our
> (excellent) directory admin if you'd like more information.
>
> M
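The split Kevin proposes (FastBind for the user's own authentication, a separate bind user only for the attribute lookup) maps onto two distinct context sources in the CAS deployer configuration. The fragment below is an added example, not from this thread or from the CAS project's shipped configuration; it assumes a CAS 3.4-era `deployerConfigContext.xml` with Spring LDAP's `LdapContextSource` and the person-directory `LdapPersonAttributeDao`. The hostname, base DN, bind DN and password are constructed placeholders.

```xml
<!-- Context source used ONLY by FastBind: no userDn/password here.
     The handler binds as the end user's own DN with the password they typed,
     so this connection never holds a shared credential. -->
<bean id="fastBindContextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="pooled" value="false"/>
  <property name="urls">
    <list>
      <!-- placeholder host; use LDAPS so user passwords are not sent in clear -->
      <value>ldaps://ldap.example.org/</value>
    </list>
  </property>
  <property name="baseEnvironmentProperties">
    <map>
      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000"/>
      <entry key="com.sun.jndi.ldap.read.timeout" value="3000"/>
      <entry key="java.naming.security.authentication" value="simple"/>
    </map>
  </property>
</bean>

<!-- Authentication: bind directly as the user; %u is replaced by the login name -->
<bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
  <property name="filter" value="uid=%u,ou=people,dc=example,dc=org"/>
  <property name="contextSource" ref="fastBindContextSource"/>
</bean>

<!-- Second context source, used ONLY for attribute retrieval. This is the
     "bind user" from the thread: a service account whose directory ACL grants
     read access to just the attributes CAS releases (cn, mail). -->
<bean id="attributeContextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="pooled" value="true"/>
  <property name="urls">
    <list>
      <value>ldaps://ldap.example.org/</value>
    </list>
  </property>
  <!-- placeholder service account; keep its rights read-only and minimal -->
  <property name="userDn" value="cn=cas-attr-reader,ou=services,dc=example,dc=org"/>
  <property name="password" value="CHANGE-ME-bind-user-password"/>
  <property name="baseEnvironmentProperties">
    <map>
      <entry key="java.naming.security.authentication" value="simple"/>
    </map>
  </property>
</bean>

<!-- Attribute repository: searches with the service account, not the user -->
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="contextSource" ref="attributeContextSource"/>
  <property name="baseDN" value="ou=people,dc=example,dc=org"/>
  <property name="requireAllQueryAttributes" value="true"/>
  <!-- CAS passes the authenticated username; look the entry up by uid -->
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="uid"/>
    </map>
  </property>
  <!-- directory attribute -> name released to CAS services -->
  <property name="resultAttributeMapping">
    <map>
      <entry key="mail" value="email"/>
      <entry key="cn" value="displayName"/>
    </map>
  </property>
</bean>
```

Two points worth checking in a deployment built this way: the attribute lookup runs as the service account, so Marvin's observation still holds (the user's own read permission on their entry is irrelevant to it), which is exactly why the service account needs its own ACL for `cn` and `mail` and nothing broader; and because the bind user's password sits in plain text in `deployerConfigContext.xml`, file permissions on that configuration and a read-only, attribute-scoped directory ACL are what limit the damage if it leaks. Using a `p:` namespace shorthand instead of explicit `<property>` elements is equivalent if the `p` namespace is declared in the file.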
