John,

The LDAP stuff will open a new Initial Context and bind with the user's credentials after they've found the user. Is that what you are seeing? Without seeing more of the configuration, it's hard to tell (do you have a test environment, one where you can strip out any information?)

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Mon, Oct 27, 2008 at 1:08 PM, John M Stewart <[EMAIL PROTECTED]> wrote:

> Greetings:
>
> A couple weeks ago I posted a question about problems we are having using
> CAS in an AD environment. Our system works fine most of the time but
> randomly fails with an AD error message that means bad credentials ('52e
> vece'). Once it fails the only way to get it working is to recycle CAS on
> tomcat6. Some folks responded with ideas but none panned out.
>
> I've since been able to turn on some debug on the client's production
> system and from looking at the logs, it appears that CAS fails when it
> starts using a user's credentials to connect to AD instead of the AD
> service account. So instead of seeing 'Principal:
> 'cn=svcacct,cn=Users,...' in the log we start to see 'cn=Doe, John
> N,cn=Users,...' in the log, which corresponds to the time that CAS errors
> out. So it would appear that the contextSource credentials being used to
> connect to AD is somehow being overwritten by a user's credentials? I
> haven't figured out the pattern of when it happens yet. I'm hoping someone
> else has seen this? Thanks so much for any ideas!
>
> John S.
>
> ps. I'm unable to include my spring context to the e-mail, our system is
> airgapped so it's not available.
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
