Thanks for the reply Marvin, it's appreciated.
> Setting p:ignorePartialResultException="false" on the context source
> used for the search operation should be sufficient. Post your
> BindLdapAuthenticationHandler bean config, logs at DEBUG, and stack
> trace if you continue to have trouble.
I'm not clear on this though... Don't I want ignorePartialResultException to be
true so I do ignore it?
My BindLdapAuthenticationHandler is below. I tried changing to 'false' but same
result.
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
p:filter="cn=%u"
p:searchBase="dc=our-server,dc=newpaltz,dc=edu"
p:contextSource-ref="contextSource"
p:ignorePartialResultException="true" />
I have my full deployerConfigContext.xml (with redactions for passwords and a
couple other things) at:
www.newpaltz.edu/castest/deployerConfigContext.xml
I've also placed debug logs at:
www.newpaltz.edu/castest/debuglog.txt
I don't understand what is happening in the log though. The first thing it says
is that it is performing an LDAP bind for my user's DN ("Performing LDAP bind
with credential: CN=chauvetp,OU=npuser,DC=active,DC=newpaltz,DC=edu"). Then it
says I'm successfully authenticated
"org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
authenticated the user which provided the following credentials: [username:
chauvetp]". Then later it says "AUTHENTICATION FAILED" and the error I've been
seeing all along (without DEBUG turned on):
=============================================================
WHO: [username: chauvetp]
WHAT: Unprocessed Continuation Reference(s); nested exception is
javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
remaining name 'dc=active,dc=newpaltz,dc=edu'
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Tue Jun 25 13:57:46 EDT 2013
CLIENT IP ADDRESS: 137.140.3.13
SERVER IP ADDRESS: 137.140.1.41
=============================================================
<blockquote>
> Is there a filter of some sort I can use? Something different I can do
> when searching?
Search the GC, as recommended earlier. It doesn't return referrals.
M
</blockquote>
Unfortunately the global catalog is not complete in the results it returns
(i.e. for example, there are some eduPerson schema details that are in AD but
not in the GC). It's complete in that it has all the users and is not returning
referrals but unless there is a way I can use one LDAP server for searching (to
find the DN) and another for binding as that user I don't think it will work
for us.
- Paul
----- Original Message -----
<blockquote>
> My goal, if possible is to ignore and not chase referrals if at all
> possible.
I must admit we don't provide very good referral handling. Typically you
want to discard referrals and not even include them in the result set.
Unfortunately that is not possible via JNDI environment parameters or
via Spring LDAP. The ignorePartialResultException flag simply causes the
PartialResultException to be swallowed when it occurs on reading the
_first_ referral result out of a NamingEnumeration; it's the behavior
that's closest to ignoring referrals altogether. But it's not the same.
You have to assume that referrals come _after_ meaningful results, which
is safe in practice but certainly not guaranteed by either Microsoft or
the LDAP protocol. Under that assumption dropping referrals is the same
as ignoring the exception, but it's worth noting the assumption because
it may not hold in all cases.
Setting p:ignorePartialResultException="false" on the context source
used for the search operation should be sufficient. Post your
BindLdapAuthenticationHandler bean config, logs at DEBUG, and stack
trace if you continue to have trouble.
> Is there a filter of some sort I can use? Something different I can do
> when searching?
Search the GC, as recommended earlier. It doesn't return referrals.
M
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
</blockquote>
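An added example, not code from this thread or from CAS: a plain JNDI sketch of the two ideas discussed above, finding the DN on one server and binding as that user on another, and swallowing the PartialResultException while keeping the entries read before it. The host names, ports, class and method names, and the service-account parameters are assumptions made for illustration.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
public class TwoStepLdapBind {
    // Hypothetical hosts; 3269 and 636 are the TLS ports for the global catalog and a DC.
    static final String SEARCH_URL = "ldaps://gc.example.edu:3269";
    static final String BIND_URL = "ldaps://dc.example.edu:636";
    static DirContext connect(String url, String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Collect matching DNs; a PartialResultException ends the read but keeps earlier entries.
    static List<String> findDns(DirContext ctx, String base, String user) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        List<String> dns = new ArrayList<>();
        // JNDI encodes the {0} argument per RFC 2254, so the username cannot alter the filter.
        NamingEnumeration<SearchResult> results = ctx.search(base, "(cn={0})", new Object[] {user}, sc);
        try {
            while (results.hasMore()) dns.add(results.next().getNameInNamespace());
        } catch (PartialResultException e) {
            // Continuation reference reached: any entry that would have followed it is lost.
        } finally {
            results.close();
        }
        return dns;
    }

    static boolean authenticate(String svcDn, String svcPw, String base, String user, String pw)
            throws NamingException {
        if (pw == null || pw.isEmpty()) return false; // empty password can succeed as an unauthenticated bind
        DirContext search = connect(SEARCH_URL, svcDn, svcPw);
        List<String> dns;
        try { dns = findDns(search, base, user); } finally { search.close(); }
        if (dns.size() != 1) return false; // no match, or an ambiguous one
        try {
            connect(BIND_URL, dns.get(0), pw).close(); // bind as the user on the second server
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }
}
```

Requiring exactly one DN matters here because an entry that would have come after the swallowed referral is silently dropped, so a short result list is not proof that the user does not exist.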