I have just added a second LdapContextSource named contextSourceProxy.
The first LdapContextSource (without proxy user) is for the fast bind
authentication and the second LdapContextSource is for the
attributeRepository:
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource" ref="contextSourceProxy" />
    ....
</bean>

<bean id="contextSourceProxy"
      class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false"/>
    <property name="urls">
        <list>
            <value>ldap://192.168.2.3/</value>
        </list>
    </property>
    <property name="userDn" value="uid=proxyuser,ou=myou,dc=de" />
    <property name="password" value="..." />
    ...
</bean>
But it does not work:

09:52:23,860 DEBUG [...UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [kevin]
09:52:23,863 DEBUG [...CredentialsToLDAPAttributePrincipalResolver] - Resolved kevin. Trying LDAP resolve now...
09:52:23,863 DEBUG [...CredentialsToLDAPAttributePrincipalResolver] - LDAP search with filter "(uid=kevin)"
09:52:23,863 DEBUG [...CredentialsToLDAPAttributePrincipalResolver] - returning searchcontrols: scope=2; search base=ou=students,dc=uni-hildesheim,dc=de; attributes=[uid]; timeout=1000
09:52:23,878 DEBUG [...CredentialsToLDAPAttributePrincipalResolver] - LDAP search returned zero results.
09:52:23,878 INFO [...CredentialsToLDAPAttributePrincipalResolver] - Initial principal "kevin" was not found in LDAP, returning null
The proxy user is definitely allowed to search the tree. And there
definitely is a user with the DN
uid=kevin,ou=students,dc=uni-hildesheim,dc=de
Can anyone help?
Thanks,
Kevin
On 11.06.2011 14:42, Kevin Richter wrote:
> Ahh, I understand. That is tragic.
>
> There is a bind user in our environment, which I can use for an LDAP
> search. That's less effort than using certificates - especially since I
> have no admin rights on our LDAP directory.
>
> Or does this not work either? Using FastBind for the user auth - and a
> separate bind user for the search/getAttributes.
> If necessary I completely waive this FastBind method and use the bind
> user for everything.
>
>
> Thanks,
> Kevin
>
>
>
> On 11.06.2011 14:00, Marvin Addison wrote:
>>> I am trying to get some attributes (mail address, full name) from the
>>> LDAP directory using the FastBindLdapAuthenticationHandler method.
>>> In our environment each user is allowed to read his own attributes (like
>>> cn or mail), so I have thought there is no need for a special bind user.
>>
>> The attribute query happens on a separate connection, so even if you use the
>> same LdapContextSource, there is a different authentication context. In
>> fact it's likely anonymous, in which case I'd imagine the user attributes
>> would not be visible.
>>
>> We solve this problem at the directory level where we connect via SASL
>> EXTERNAL using a certificate as a service credential that is authorized to
>> read application-specific attributes. I can put you in touch with our
>> (excellent) directory admin if you'd like more information.
>>
>> M
>
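The thread turns on two facts: the attribute lookup in LdapPersonAttributeDao runs on its own connection, so it only carries whatever credentials its LdapContextSource has (anonymous otherwise), and a search that comes back with zero results is usually a base/DN mismatch rather than a permissions problem. The script below is an added example, not code from CAS, Spring LDAP or any poster in the thread. It parses a bean fragment shaped like the one above, resolves which context source attributeRepository uses, and cross-checks it against the "search base=" line from the CAS DEBUG log and the DN the user entry is expected to have. The sample XML and log line are constructed: the server address, DNs and the password value are placeholders, and the `base` property on contextSourceProxy is a deliberately inserted misconfiguration (the posted config elides its remaining properties) to show the relative-base trap, where Spring LDAP resolves every search base relative to the context source's `base` and so appends the suffix twice.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the config posted in the thread.  The
# server address, DNs and the password value are placeholders, and the "base"
# property on contextSourceProxy is an assumed misconfiguration, not something
# the posted config shows.
SAMPLE_BEANS = """<beans>
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource" ref="contextSourceProxy"/>
  </bean>
  <bean id="contextSource"
        class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="urls"><list><value>ldap://192.168.2.3/</value></list></property>
  </bean>
  <bean id="contextSourceProxy"
        class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false"/>
    <property name="urls"><list><value>ldap://192.168.2.3/</value></list></property>
    <property name="base" value="dc=uni-hildesheim,dc=de"/>
    <property name="userDn" value="uid=proxyuser,ou=myou,dc=de"/>
    <property name="password" value="changeme"/>
  </bean>
</beans>"""

# Constructed log line in the shape of the CAS DEBUG output quoted in the thread.
SAMPLE_LOG = ('DEBUG [CredentialsToLDAPAttributePrincipalResolver] - returning '
              'searchcontrols: scope=2; search base=ou=students,'
              'dc=uni-hildesheim,dc=de; attributes=[uid]; timeout=1000')


def parse_beans(xml_text):
    """Map bean id -> {'class': ..., 'props': {name: value}}.
    A <property ref="x"> is stored as the string 'ref:x'; a nested <list> of
    <value> elements becomes a Python list."""
    beans = {}
    for b in ET.fromstring(xml_text).iter('bean'):
        props = {}
        for p in b.findall('property'):
            if p.get('ref') is not None:
                props[p.get('name')] = 'ref:' + p.get('ref')
            elif p.get('value') is not None:
                props[p.get('name')] = p.get('value')
            else:
                props[p.get('name')] = [v.text for v in p.iter('value')]
        beans[b.get('id')] = {'class': b.get('class'), 'props': props}
    return beans


def norm_dn(dn):
    """Split a DN into lower-cased RDNs for suffix comparison.  Enough for the
    DNs in this thread; escaped commas inside RDN values are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(',')]


def dn_under(dn, base):
    """True if `dn` is `base` itself or an entry somewhere below it."""
    d, b = norm_dn(dn), norm_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def search_base_from_log(log_text):
    """Pull the search base out of a 'returning searchcontrols' log line."""
    m = re.search(r'search\s*base=([^;]+);', log_text)
    return m.group(1).strip() if m else None


def lint(beans_xml, log_text, expected_user_dn):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    beans = parse_beans(beans_xml)
    ref = beans['attributeRepository']['props'].get('contextSource', '')
    cs_id = ref[len('ref:'):] if ref.startswith('ref:') else None
    cs = beans.get(cs_id)
    if cs is None:
        return ['attributeRepository has no resolvable contextSource ref']
    props = cs['props']
    # 1. The attribute lookup is a separate connection from the fast bind, so it
    #    is anonymous unless the context source itself carries credentials.
    if not props.get('userDn') or not props.get('password'):
        findings.append(f'{cs_id}: no userDn/password, attribute search runs '
                        'anonymously (the fast-bind user session is not reused)')
    base = search_base_from_log(log_text)
    if base is None:
        findings.append('could not find "search base=" in the log')
        return findings
    # 2. Spring LDAP resolves search bases relative to the context source's
    #    `base`, so a search base that already ends with it gets doubled.
    ctx_base = props.get('base')
    if ctx_base and dn_under(base, ctx_base):
        findings.append(f'{cs_id}: base "{ctx_base}" is set, so search base '
                        f'"{base}" is resolved relative to it (suffix doubled)')
    # 3. The user entry has to lie under the search base at all.
    if not dn_under(expected_user_dn, base):
        findings.append(f'"{expected_user_dn}" is not under search base "{base}"')
    return findings


if __name__ == '__main__':
    for f in lint(SAMPLE_BEANS, SAMPLE_LOG,
                  'uid=kevin,ou=students,dc=uni-hildesheim,dc=de'):
        print('FINDING:', f)
```

Run against the constructed sample it reports only the doubled-suffix finding; point attributeRepository at a context source without userDn/password instead and it reports the anonymous-search case Marvin describes. The same three checks are what to do by hand with ldapsearch before touching CAS: bind as the proxy DN (not anonymously), search from exactly the base CAS logs, and confirm the entry's DN ends with that base.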