Before the userDN change and after upgrading to CAS 3.4.11, our users
would often see the error message "CAS is unavailable" if they entered a
bad password when attempting to log in to CAS. The corresponding log
entries contained an LDAP error code 49. When users logged in with the
correct password, no error was displayed or logged. The errors stopped
after I set the AD userDN in the form of "[email protected]".

The following improvement sounds like it might be involved:

https://issues.jasig.org/browse/CAS-987

It would really be a smoking gun if you upgraded from <=3.4.8 to 3.4.11. I think you'd also have to have a configuration problem for this to throw unhandled exceptions that would manifest as "CAS Unavailable," but I'd have to study your config carefully against the source to make a clear case for it. In any case I don't think use of sAMAccountName over DN has anything to do with it; it's just one of many AD-specific features.

I'd recommend you consider the FastBindAuthenticationHandler for both security and performance reasons. I'm fairly certain it would make the issue above moot, with some other benefits besides.

M
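
An added example, not part of the original thread or the CAS project: triage of LDAP errors in a log, separating result code 49 (a failed bind, such as a bad password) from other directory errors that could justify an "unavailable" message. It goes beyond the thread by decoding the Active Directory `data` sub-codes; the function names and sample log lines are constructed for illustration.

```python
import re

# Active Directory sub-codes carried in the "data NNN" field of an error 49 message.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# JNDI renders server errors as "[LDAP: error code N - <server text>]".
LDAP_ERR = re.compile(r"LDAP: error code (\d+)(?:[^\]]*?\bdata ([0-9a-fA-F]+))?")

def classify(line):
    """Return (category, detail) for one log line, or None if it has no LDAP error."""
    m = LDAP_ERR.search(line)
    if not m:
        return None
    code, sub = int(m.group(1)), (m.group(2) or "").lower()
    if code == 49:
        # A failed bind is an authentication outcome, not an outage.
        return ("auth_failure", AD_SUBCODES.get(sub, "unspecified bind failure"))
    return ("directory_error", f"LDAP result code {code}")

def summarize(lines):
    """Count occurrences of each (category, detail) pair across log lines."""
    counts = {}
    for line in lines:
        result = classify(line)
        if result:
            counts[result] = counts.get(result, 0) + 1
    return counts

# Constructed sample log lines (timestamps and layout are illustrative).
SAMPLE_LOG = [
    "10:02:11 ERROR javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]",
    "10:03:40 ERROR javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1]",
    "10:05:02 ERROR javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]",
    "10:06:15 INFO authentication succeeded for a constructed user",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(count, *key)
```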
