I think we ran across something like this when using direct ("fast")
bind (JAAS). A bump in ldaptive version to 1.0.2+ (I think) fixed it.

I think there was a similar issue with the BindLdapAuthenticationHandler that was fixed a little later: https://issues.jasig.org/browse/CAS-1429

Tom.

On 06/01/2015 02:01 AM, HURTEVENT VINCENT wrote:
> Hello,
>
> a power user warned me about a behavior he has on a CASsified web application
> when he retrieves the user login.
>
> Our CAS server does LDAP authentication through the
> BindLdapAuthenticationHandler.
> If the user types his login in the login form with an asterisk at the end,
> the authentication succeeds and the CASsified application retrieves this
> badly formed user's login.
>
> What I understand is that the CAS service user queries the LDAP server with
> the (uid=vincent.hurtevent*) filter, getting the user DN, but rather than using the
> uid it can get from the query, it reuses the login entered by the user as
> principal username and sends it to the web app.
>
> Is this a misconfiguration or a code problem? We use version 3.5.2.
>
> If I want to force the CAS server to use the user uid it could get from LDAP
> queries, do I have to complete the resultAttributeMapping property in the
> attributeRepository bean with <entry key="username" value="uid" />?
>
> Is there a way by configuration to prevent LDAP injection or LDAP/MySQL
> injection in the client web application?
>
>
> —
> Vincent Hurtevent
>

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
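An added example, not code from this thread or from CAS/ldaptive, showing the two defensive points the exchange raises: escape the filter assertion value (RFC 4515) so a trailing `*` cannot act as a wildcard, and take the principal id from the `uid` attribute of the matched entry rather than echoing the typed login. The in-memory directory, the toy filter evaluator and all function names are constructed for the illustration.

```python
import re
from typing import Optional

# Constructed sample directory (not real data): uid -> DN
DIRECTORY = {
    "vincent.hurtevent": "uid=vincent.hurtevent,ou=people,dc=example,dc=org",
    "alice.example": "uid=alice.example,ou=people,dc=example,dc=org",
}

# RFC 4515 escapes for characters that are special inside a filter assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape user input so it is matched literally and cannot change the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(login: str, escape: bool = True) -> str:
    """Build the (uid=...) lookup filter, with or without escaping the login."""
    return f"(uid={escape_filter_value(login) if escape else login})"

def _assertion_to_regex(assertion: str) -> str:
    """Toy model of server-side matching: bare '*' is a wildcard, \\XX is a literal."""
    out, i = [], 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and i + 2 < len(assertion):
            out.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)

def search(ldap_filter: str):
    """Simulated LDAP search over DIRECTORY; returns a list of (dn, attributes)."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    pattern = re.compile(_assertion_to_regex(m.group(1)))
    return [(dn, {"uid": uid}) for uid, dn in DIRECTORY.items() if pattern.fullmatch(uid)]

def principal_as_typed(login: str) -> Optional[str]:
    """Behaviour described in the thread: any match, and the typed login is echoed back."""
    return login if search(build_filter(login, escape=False)) else None

def resolve_principal(login: str, escape: bool = True) -> Optional[str]:
    """Hardened: exactly one match required, and the principal is the stored uid attribute."""
    entries = search(build_filter(login, escape))
    return entries[0][1]["uid"] if len(entries) == 1 else None
```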
