Github user necouchman commented on a diff in the pull request:
https://github.com/apache/incubator-guacamole-client/pull/202#discussion_r146444185
--- Diff:
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
---
@@ -111,6 +113,29 @@ public LDAPConnection bindAs(String userDN, String
password)
// Obtain appropriately-configured LDAPConnection instance
LDAPConnection ldapConnection = createLDAPConnection();
+ // Configure LDAP connection constraints
+ LDAPConstraints ldapConstraints = ldapConnection.getConstraints();
+ if (ldapConstraints == null)
+ ldapConstraints = new LDAPConstraints();
+
+ // Set whether or not we follow referrals
+
ldapConstraints.setReferralFollowing(confService.getFollowReferrals());
+
+ // If the referral auth method is set to bind, we set it using the
existing
+ // username and password.
+ String refAuthMethod = confService.getReferralAuthentication();
+ if (refAuthMethod != null && refAuthMethod.equals("bind"))
+ ldapConstraints.setReferralHandler(new
ReferralAuthHandler(userDN, password));
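Review bot: The ReferralAuthHandler at the end of this hunk is installed whenever the referral auth method is "bind", even if confService.getFollowReferrals() returned false, and it is built from the user's own DN and password. Consider setting the handler only inside an if (confService.getFollowReferrals()) block, and documenting next to the "bind" option that it re-uses the binding user's credentials for referral authentication, so it should be enabled only when the servers that referrals point to are trusted. As a smaller style point, the comparison can be written "bind".equals(refAuthMethod), which makes the separate null check unnecessary.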
--- End diff --
Okay, I configured it to just use the search credentials.
The one situation that I thought about here that you might want the ability
to configure separate referral credentials is where you know you have a
situation where your base LDAP tree points to another system, and the
credentials are different on the referred-to system than they are on the base
system. This is somewhat of a corner case, and I think it unlikely there are
just huge numbers of people running that, but it's worth keeping in mind for
future discussions. In that case, however, just having this parameter -
ldap-referral-auth - wouldn't be enough - you'd also want the ability to
configure a separate username and password for the referrals, so you'd end up
adding a couple more parameters.
---