I would like feedback on guidelines for LDAP configuration in Active Directory to be included in an AD example of CAS attribute release on the wiki, http://www.ja-sig.org/wiki/display/CASUM/Attributes. At least a couple of issues have arisen with regard to referral handling in AD, and I believe the attribute release page is a good place to discuss them. Our group has produced documentation, http://code.google.com/p/vt-middleware/wiki/vtldapAD, that discusses three strategies for AD referral handling. While there may be use cases for all three, I believe ignoring referrals is generally the best practice. I will restate here the configuration for that case:
- Set the Context.REFERRAL JNDI environment property to "throw"
- Ignore any ReferralExceptions thrown when referrals are encountered in the resulting NamingEnumeration

This configuration has the desirable property that the Sun JNDI provider orders all normal result entries before referrals, so one can be certain that all normal results are obtained by the time referrals appear. Note that the default "ignore" setting does not guarantee this desirable result ordering.

Although it is technically possible to follow referrals, there are practical obstacles in many cases. Two common problems:

- the user's credentials are not valid for the target of the referral
- the host of the target is unreachable (e.g. firewalling)

Are there any cases where referrals actually have meaningful or requisite data? For example, in an AD forest a root domain might contain basic info about a user while a subdomain might hold further details. If the root domain were queried for user data, it would presumably return referrals for records in the subdomain. If anyone has a setup like this that might be relevant for CAS attribute release, please speak up.

For the purposes of CAS it may make the most sense to provide a simple configuration to follow or ignore referrals in cases where they may arise, and do the environment setup and exception handling internally to shield users from the complexities and vagaries of referral handling. I favor this approach, but it would require API changes to be included in a future CAS release.

M
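The "throw and ignore" configuration described in the post, as an added JNDI example that is not code from the post, from CAS, or from vt-ldap. The server URL, bind DN, password, base DN and filter are caller-supplied placeholders; the method collects every normal entry and stops at the first referral instead of chasing it.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdSearchIgnoringReferrals {

    /** Search AD and return the entries delivered before the first referral (hypothetical helper). */
    public static List<SearchResult> search(String url, String bindDn, String bindPw,
                                            String baseDn, String filter, String[] attrs)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // e.g. "ldaps://dc.example.test:636" (placeholder)
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);   // service account, not the end user's credentials
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        // "throw": the Sun provider delivers all normal entries first, then raises a
        // ReferralException for the first referral. The default "ignore" does not give that ordering.
        env.put(Context.REFERRAL, "throw");

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(attrs);              // e.g. {"mail", "displayName"}

        List<SearchResult> results = new ArrayList<>();
        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> ne = ctx.search(baseDn, filter, sc);
            try {
                while (ne.hasMore()) {
                    results.add(ne.next());
                }
            } catch (ReferralException e) {
                // Everything useful is already in 'results'; the referral is deliberately not
                // followed, since the bind may be invalid there or the host unreachable.
            } finally {
                ne.close();
            }
        } finally {
            ctx.close();
        }
        return results;
    }
}
```

A caller that wants the "follow" strategy instead would set Context.REFERRAL to "follow" and drop the catch block; the rest of the method is unchanged.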
