One of the things that held me up with Active Directory authentication was
getting the search criteria correctly understood. I understood
the Java but was ignorant of Microsoft's Active Directory. Be sure that you
use the sAMAccountName, which is the network user.



<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    </list>
  </property>

  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="contextSource" ref="contextSource" />
        <property name="filter" value="sAMAccountName=%u" />
        <property name="searchBase" value="OU=ts,OU=it,DC=dotp,DC=ncp,DC=net" />
        <property name="ignorePartialResultException" value="yes" />
        <property name="allowMultipleAccounts" value="yes" />
      </bean>
    </list>
  </property>
</bean>
David


On 8/14/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>
> Sandor,
>
> Be aware that even though the page Scott mentions says that you don't need
> bind credentials if you use the FastBind handler, that's only partly true.
>
> There are three connections in a full authentication (assuming you use
> FastBind; presumably four if you don't):
> 1) auth the user's credentials. This one is indeed made without needing a
> bind account.
> 2) look up the principal (as specified in the
> credentialsToPrincipalResolver)
> 3) look up the attributes (as specified in the attributeRepository) using
> the principal that was found in step 2.
>
> The second and third connections are made anonymously (does your AD allow
> anonymous search?) if you have not provided a bind account. I mention this
> because I banged my head against it for quite a while before figuring out
> what was going on.
>
>
> Ann
>
> ------
> G. Ann Campbell
> Systems Engineer
> Shaw Industries
>
>
>
>
> "Scott Battaglia" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 08/14/2008 07:31 AM
> Please respond to: Yale CAS mailing list <[email protected]>
> To: "Yale CAS mailing list" <[email protected]>
> Subject: Re: CAS LDAP Auth
>
> This should help:
> http://www.ja-sig.org/wiki/display/CASUM/LDAP
>
> (it also shows up as the 8th item in a Google search, which is kind of
> low...anyone here a SEO-type person? ;-))
>
>
> On Thu, Aug 14, 2008 at 5:21 AM, Sandor Nemeth <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I'm pretty new to CAS and I'm looking to gather some information
> about connecting CAS to an MS Active Directory server.
>
> I have googled for a couple of hours now, but I could not find any solution
> to my problem. How can I (if I can) configure an LDAP server in CAS? Or
> if I can't, where should I configure it?
>
> I found users in some mailing list archives, but there are links pointing
> to 404 pages. I suppose there was a solution to my problem, but I cannot go
> on as I'm not able to find the new location of these pages.
>
> Regards,
> Sandor Nemeth
>
> _______________________________________________
> Yale CAS mailing list
> [EMAIL PROTECTED] <[email protected]>
> http://tp.its.yale.edu/mailman/listinfo/cas
>
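David's handler refers to a bean named contextSource that his snippet does not show, and Ann's point is that without a bind account the principal lookup and attribute lookup (her connections 2 and 3) run anonymously. The following is an added configuration example, not from this thread or from the CAS project: the weak, account-less context source beside one that supplies a read-only service account. The host names, the service account DN and the ${ldap.bind.password} placeholder are assumptions (the placeholder needs a PropertyPlaceholderConfigurer in the same context); the property names are those of Spring LDAP's LdapContextSource as used by the CAS 3.x LDAP handlers.

```xml
<!-- Added example, not part of the original thread or of CAS itself.
     Weak form: no userDn/password, so Spring LDAP opens connections 2 and 3
     (principal lookup, attribute lookup) as an anonymous bind. Connection 1,
     the end user's own bind, still works, which is why FastBind appears
     to need no bind account; AD refuses anonymous search by default. -->
<bean id="contextSourceAnonymous"
      class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="url" value="ldap://ad.example.internal:389" />
</bean>

<!-- Corrected form: a dedicated, read-only service account (placeholder DN)
     performs the lookups, over LDAPS so neither its password nor the end
     user's password from connection 1 crosses the network in clear. -->
<bean id="contextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
  <!-- connection 1 binds as each end user, so the pool is left off -->
  <property name="pooled" value="false" />
  <property name="url" value="ldaps://ad.example.internal:636" />
  <property name="userDn"
            value="CN=cas-lookup,OU=Service Accounts,DC=example,DC=internal" />
  <!-- placeholder resolved from an external properties file, never checked in -->
  <property name="password" value="${ldap.bind.password}" />
  <property name="baseEnvironmentProperties">
    <map>
      <!-- fail fast on an unreachable or hung domain controller -->
      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
      <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
      <entry key="java.naming.security.authentication" value="simple" />
    </map>
  </property>
</bean>
```

The same contextSource bean can be referenced from the authentication handler, the credentialsToPrincipalResolver and the attributeRepository, so one service account covers all three connections Ann lists. The account only needs read access to the search base (David's OU=ts,OU=it,... subtree in the AD case); it should not be a member of any administrative group, and a quick way to confirm the anonymous-search question Ann raises is to run the same lookup with and without the userDn and compare the results.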