If you want to retrieve the attributes about the person in the CredentialsToPrincipalResolver (which I'm guessing is the second bind) you'll have to write something that can utilize the existing credentials (or modify the existing handler).
If you do make some modifications or a new handler, please create a JIRA issue and attach any available source code as we'll consider it for inclusion so that you and others don't have to maintain separate code.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Wed, Jul 30, 2008 at 8:36 AM, <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> New to the list. I've scanned the archives & not really seen this topic
> covered, but forgive me if it's old ground.
>
> I'm trying to set CAS up to hit an Active Directory server via LDAP.
>
> Started at the LDAP page in the manual (
> http://www.ja-sig.org/wiki/display/CASUM/LDAP) and figured the FastBind
> auth handler was exactly what I needed - instead of a role account, you hit
> the directory with the user's own credentials.
>
> And as far as it goes, that part works perfectly. But I see in my Wireshark
> logs that CAS is authenticating with the user's credentials, then UNbinding.
> Then trying to bind anonymously for the principal lookup. Unfortunately
> anonymous search is disallowed on this directory. As are (by policy) role
> accounts. End result: "your credentials aren't authentic."
>
> So... Is there a way to make the out-of-the-box pieces re-use the user's
> credentials for the second bind attempt? A way to make it all happen with
> the first bind? Am I muffing the configuration? Or will I need to roll my
> own solution?
>
>
> Many Thanks,
> Ann
>
> ------
> G. Ann Campbell
> Systems Engineer
> Shaw Industries
>
> **********************************************************
> Privileged and/or confidential information may be contained in this message.
> If you are not the addressee indicated in this message (or are not
> responsible for delivery of this message to that person), you may not copy
> or deliver this message to anyone. In such case, you should destroy this
> message and notify the sender by reply e-mail.
> If you or your employer do not consent to Internet e-mail for messages of
> this kind, please advise the sender.
> Shaw Industries does not provide or endorse any opinions, conclusions or
> other information in this message that do not relate to the official business
> of the company or its subsidiaries.
> **********************************************************
>
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
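As an added illustration of the approach Scott describes (bind as the user, then do the attribute lookup on that same bound connection rather than unbinding and re-binding anonymously), here is a hypothetical JNDI helper; it is not CAS code or anything from the ja-sig project, and the LDAP URL, search base, filter and attribute names it takes are assumptions supplied by the caller.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Hypothetical helper (not CAS code): authenticate by binding as the user,
 *  then resolve the principal's attributes over that already-bound context. */
public final class BindAndSearchLookup {

    /**
     * @param bindIdentity what the directory accepts for a simple bind, e.g. a DN or an AD UPN
     * @param username     value substituted into {0} of the filter, e.g. "(sAMAccountName={0})"
     * @return attributes of the first match, or null if the user authenticated but was not found
     */
    public static Attributes authenticateAndLookup(String ldapUrl, String bindIdentity, String password,
            String username, String searchBase, String filter, String[] wantedAttributes)
            throws NamingException {
        // RFC 4513: a simple bind with an empty password is an unauthenticated bind, which many
        // directories treat as anonymous. Reject it here so it can never look like a login success.
        if (password == null || password.isEmpty()) {
            throw new NamingException("empty password rejected before contacting the directory");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);             // use ldaps:// so the password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindIdentity);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            // The bind itself is the authentication step; a wrong password throws here.
            ctx = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(wantedAttributes);
            // Same bound connection: no unbind, no anonymous re-bind, no role account.
            // The filter argument form lets JNDI escape the username (no filter injection).
            NamingEnumeration<SearchResult> results =
                    ctx.search(searchBase, filter, new Object[] {username}, controls);
            return results.hasMore() ? results.next().getAttributes() : null;
        } finally {
            if (ctx != null) {
                ctx.close();  // release the user-bound connection once the lookup is done
            }
        }
    }
}
```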
