I recently updated my CAS 3.5.2 installation to CAS 4.0.0. I got it working
after working through some initial issues with the LdapAuthenticationHandler
not finding the users. I had to set subtreeSearch to "true" on
org.ldaptive.auth.PooledSearchDnResolver for my authenticator, in case somebody
else is having trouble and has their user tree structured similarly. In
order to minimize issues I may have with any future updates I would like to
make sure I'm using pieces in the way that they are intended. I have 2
questions that came up during the conversion.
1) I have 2 authentication handlers that are used concurrently, one which uses
a DB query and the other an LDAP query. I use the preAuthenticate method to
make sure the appropriate handler is used based on their username. In order to
make sure that they are using a common principal, I have an entry in my DB for
successfully authenticated AD accounts (mapped to their objectGuid from AD)
that I use to generate their userId. To support this, I overrode the
postAuthenticate method in my derived LdapAuthenticationHandler to change the
principal. Is this an appropriate use of the postAuthenticate method, or am I
twisting this extensibility point in a way it isn't intended?
    @Override
    protected final HandlerResult postAuthenticate(final Credential credential,
                                                   final HandlerResult result) {
        // The LDAP handler resolved the principal id from objectGuid (see
        // question 2); look up the local userId mapped to that GUID.
        String guid = result.getPrincipal().getId();
        int userId = this.dal.GetActiveDirectoryUser(guid, logger);
        if (userId <= 0) {
            // First successful login for this AD account: create the mapping row.
            userId = this.dal.InsertActiveDirectoryUser(guid, logger);
        }
        // Replace the principal with the DB-generated userId, keeping the LDAP
        // attributes and any warnings from the original result.
        return createHandlerResult(credential,
            new SimplePrincipal(Integer.toString(userId),
                result.getPrincipal().getAttributes()),
            result.getWarnings());
    }
2) I noticed objectGuid from Active Directory was being garbled after I
switched to using it for my principal instead of sAMAccountName (seemingly
related to UTF-8 encoding). I dug through the ldaptive code and it seems like
I need to set the objectGuid entry as binary. Apparently there is an
ObjectGuidHandler class which handles this already. To use it, I changed my
deployerConfigContext.xml as follows:
<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="dnResolver"
      c:handler-ref="authHandler"
      p:entryResolver-ref="entryResolver" />

<bean id="entryResolver" class="org.ldaptive.auth.SearchEntryResolver"
      p:searchEntryHandlers-ref="searchEntryHandler" />

<!-- Converts the 16-byte binary objectGuid attribute into its string form
     instead of letting it be read as UTF-8 text -->
<bean id="searchEntryHandler" class="org.ldaptive.ad.handler.ObjectGuidHandler" />
This appeared to fix the problem for me, and seems like the correct change.
Unfortunately I am brand new to ldaptive and couldn't find anything to confirm
I was doing things even remotely correctly. Does this seem like a reasonable
change, or is this problem better handled in a different way?
Thanks for any time spent towards answering my questions.
Bob Lapanja
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user