LDAP fastbind + non-anonymous principal lookup - again

Michael Ströder michael at stroeder.com
Fri Aug 1 05:52:09 EDT 2008


ann.campbell at shawinc.com wrote:
> 
> If you have user-provided credentials that authenticate against a 
> directory, why _wouldn't_ you use them for principal lookup and 
> attribute retrieval?

Because there might be tight access control configured at the directory 
server which does not allow the end-user who logs in to search all user 
entries.

So searching for user entries should be done with a special service user 
account for CAS. This is also helpful when looking at the directory 
server's logs.

Ciao, Michael.
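
Added example (not part of the original message and not CAS code): a small in-memory model of the two lookup strategies discussed in this thread. The DNs, passwords, function names and the ACL rule (only the service account may search ou=people) are constructed assumptions.

```python
# Added illustration, not CAS code: an in-memory stand-in for a directory
# server. All DNs, passwords and the ACL are constructed assumptions.
PEOPLE = "ou=people,dc=example,dc=org"
SERVICE_DN = "cn=cas-service,ou=services,dc=example,dc=org"
ENTRIES = {
    f"uid=alice,{PEOPLE}": {"uid": "alice", "mail": "alice@example.org", "pw": "a-secret"},
    f"uid=bob,{PEOPLE}": {"uid": "bob", "mail": "bob@example.org", "pw": "b-secret"},
    SERVICE_DN: {"uid": "cas-service", "pw": "svc-secret"},
}


class Directory:
    def __init__(self):
        self.log = []  # (operation, bound DN, detail), like a server access log

    def bind(self, dn, pw):
        ok = dn in ENTRIES and ENTRIES[dn]["pw"] == pw
        self.log.append(("BIND", dn, "ok" if ok else "invalid credentials"))
        return ok

    def search(self, bound_dn, uid):
        # Assumed tight ACL: only the service account may search ou=people.
        allowed = bound_dn == SERVICE_DN
        hits = {dn: {k: v for k, v in e.items() if k != "pw"}
                for dn, e in ENTRIES.items()
                if allowed and dn.endswith(PEOPLE) and e["uid"] == uid}
        self.log.append(("SRCH", bound_dn, f"uid={uid} nentries={len(hits)}"))
        return hits


def fastbind_then_user_lookup(d, uid, pw):
    """Bind with a DN template, then look up the principal as that user."""
    dn = f"uid={uid},{PEOPLE}"
    if not d.bind(dn, pw):
        return None
    return d.search(dn, uid).get(dn, {})  # {} = authenticated, no attributes


def service_lookup_then_bind(d, uid, pw, svc_pw="svc-secret"):
    """Look up the principal as the service account, then verify the user."""
    if not d.bind(SERVICE_DN, svc_pw):
        return None
    hits = d.search(SERVICE_DN, uid)
    if len(hits) != 1:  # unknown or ambiguous principal: refuse
        return None
    dn, attrs = next(iter(hits.items()))
    return attrs if d.bind(dn, pw) else None
```

In the log of the model directory, every search that returns an entry carries the service account's DN, which is what makes the lookups easy to pick out.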


