LDAP fastbind + non-anonymous principal lookup
Andrew Ralph Feller, afelle1
afelle1 at lsu.edu
Wed Jul 30 08:54:35 EDT 2008
Ann,
If you cannot convince your company to create an account strictly for
authentication credentials from CAS, you will probably have to roll your own
solution for the moment. The only LDAP authentication handlers currently
available are FastBind and Bind, which work anonymously or use a configured
username / password.
Sorry =(
A-
On 7/30/08 7:36 AM, "ann.campbell at shawinc.com" <ann.campbell at shawinc.com>
wrote:
>
> Hi,
>
> New to the list. I've scanned the archives & not really seen this topic
> covered, but forgive me if it's old ground.
>
> I'm trying to set CAS up to hit an Active Directory server via LDAP.
>
> Started at the LDAP page in the manual
> (http://www.ja-sig.org/wiki/display/CASUM/LDAP) and figured the FastBind auth
> handler was exactly what I needed - instead of a role account, you hit the
> directory with the user's own credentials.
>
> And as far as it goes, that part works perfectly. But I see in my Wireshark
> logs that CAS is authenticating with the user's credentials, then UNbinding.
> Then trying to bind anonymously for the principal lookup. Unfortunately
> anonymous search is disallowed on this directory. As are (by policy) role
> accounts. End result: "your credentials aren't authentic."
>
> So... Is there a way to make the out-of-the-box pieces re-use the user's
> credentials for the second bind attempt? A way to make it all happen with the
> first bind? Am I muffing the configuration? Or will I need to roll my own
> solution?
>
>
> Many Thanks,
> Ann
>
> ------
> G. Ann Campbell
> Systems Engineer
> Shaw Industries
>
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
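The behaviour Ann describes (bind as the user, unbind, then bind anonymously for the principal lookup) fails wherever anonymous search is disabled. The remedy the thread points at is to keep the user's own authenticated session open and run the principal lookup inside it, never falling back to an anonymous or role-account bind. The class below is an added illustration of that pattern using plain JNDI; it is not code from this thread or from the CAS project, and the host name, search base, UPN suffix and attribute list are assumptions to be replaced with your directory's values. It also escapes the username per RFC 4515 before placing it in the search filter, and refuses empty passwords, since a simple bind with an empty password is treated as an unauthenticated bind by many servers.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Binds as the end user and resolves the principal inside that same bound session. */
public final class UserBoundLdapLookup {

    // Hypothetical settings: replace with your own directory's values.
    private static final String LDAP_URL    = "ldaps://ad.example.invalid:636"; // assumption: LDAPS
    private static final String SEARCH_BASE = "DC=example,DC=invalid";          // assumption
    private static final String UPN_SUFFIX  = "@example.invalid";               // assumption: AD UPN domain
    private static final String[] PRINCIPAL_ATTRS = { "sAMAccountName", "mail", "memberOf" };

    private UserBoundLdapLookup() {}

    /** Escapes filter metacharacters as required by RFC 4515 so the username cannot alter the filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Authenticates by a simple bind with the user's own credentials and, without unbinding,
     * searches for the user's entry through the same context. Returns the principal's
     * attributes, or null when the bind fails or the entry cannot be found.
     * The account therefore only needs the right to read its own entry; no anonymous
     * search and no role account are involved.
     */
    public static Attributes authenticateAndLookup(String username, String password) throws NamingException {
        // An empty password would turn the simple bind into an unauthenticated bind, so refuse it up front.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Assumption: the directory is AD and accepts a userPrincipalName as the bind name,
        // which avoids needing to resolve the user's DN before authenticating.
        env.put(Context.SECURITY_PRINCIPAL, username + UPN_SUFFIX);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx;
        try {
            ctx = new InitialDirContext(env); // the bind happens here, as the user
        } catch (javax.naming.AuthenticationException bad) {
            return null; // wrong credentials: report failure, do not retry anonymously
        }

        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(PRINCIPAL_ATTRS);
            controls.setCountLimit(1);
            String filter = "(sAMAccountName=" + escapeFilterValue(username) + ")";

            NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, filter, controls);
            if (!results.hasMore()) {
                return null; // authenticated but not resolvable: treat as failure rather than guessing
            }
            return results.next().getAttributes();
        } finally {
            ctx.close(); // single unbind, only after the lookup is complete
        }
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 2) {
            System.err.println("usage: UserBoundLdapLookup <username> <password>");
            return;
        }
        Attributes attrs = authenticateAndLookup(args[0], args[1]);
        System.out.println(attrs == null ? "authentication failed" : attrs.toString());
    }
}
```

To plug this into CAS you would call `authenticateAndLookup` from your own authentication handler and build the principal from the returned attributes; that wrapper depends on your CAS version's handler interface and is not shown here. Two points worth checking against your directory before relying on this: that users are permitted to read their own entry (the default in Active Directory, but not guaranteed elsewhere), and that the connection is LDAPS or StartTLS, since the user's password travels in the simple bind.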