Marvin Addison wrote:
>> I'm not
>> getting the attributes mapped in the resultAttributeMapping.
>
> I see you're searching at the directory root, which in AD generally
> contains _many_ referrals. This is a complicated situation for which
> most LDAP components do not have an optimal solution. The core
> problem is that there is no defined ordering by the Java JNDI provider
> of "real" results and referrals such that if your result set happens
> to have referrals before meaningful results, you will lose them all
> since the JNDI provider throws ReferralException on the _first_
> referral. A good technical reference for your options is
> http://code.google.com/p/vt-middleware/wiki/vtldapAD, even if it's not
> specific to spring-ldap, person-directory, or CAS.
>
> Based on my experience with AD issues in CAS, the best option would be
> to set the JNDI environment property java.naming.referral to "throw",
> http://java.sun.com/products/jndi/tutorial/ldap/referral/jndi.html,
> which will force ordering of normal results _before_ referrals and
> throw com.sun.jndi.ldap.LdapReferralException on the first referral
> encountered. Sadly, none of the LDAP components in CAS supports this
> usage. Your best bet, then, at present is to attempt to formulate a
> query or queries that will search at higher levels of the directory
> where referrals are unlikely.

Another option might be to query the global catalog (LDAP on port 3268,
LDAPS on port 3269) which contains a subset of attributes of all forest
user entries. If an attribute is not therein and you have influence on
the AD schema configuration you can add it there. Use a decent LDAP
client to browse the GC and see whether it fits your needs.

Ciao, Michael.
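
The java.naming.referral "throw" approach from the quoted message, written directly against JNDI as an added example (not code from CAS, spring-ldap, person-directory or either poster). The host name, base DN, environment variable names and attribute list are hypothetical; the search value is passed as a filter argument so JNDI escapes it.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class AdReferralSearch {
    // Hypothetical host and base DN; replace with your own directory's values.
    static final String URL = "ldaps://dc1.example.org:636"; // global catalog over LDAPS: port 3269
    static final String BASE_DN = "dc=example,dc=org";       // directory root, as in the thread

    static List<Attributes> search(String bindDn, String password, String user, String... attrs)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "throw"); // the java.naming.referral property

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(attrs);

        List<Attributes> entries = new ArrayList<>();
        InitialDirContext ctx = new InitialDirContext(env);
        try {
            // {0} is filled from the argument array, which escapes LDAP filter metacharacters.
            NamingEnumeration<SearchResult> results =
                    ctx.search(BASE_DN, "(sAMAccountName={0})", new Object[] {user}, sc);
            try {
                while (results.hasMore()) {
                    entries.add(results.next().getAttributes());
                }
            } catch (ReferralException e) {
                // Entries collected so far are kept; the referral is logged, not followed.
                System.err.println("Ignoring referral: " + e.getReferralInfo());
            }
        } finally {
            ctx.close();
        }
        return entries;
    }

    public static void main(String[] args) throws NamingException {
        // Bind DN and password come from the environment (variable names are hypothetical).
        List<Attributes> found = search(System.getenv("LDAP_BIND_DN"), System.getenv("LDAP_BIND_PW"),
                args[0], "sAMAccountName", "mail", "memberOf");
        found.forEach(System.out::println);
    }
}
```

Because the referral is never followed, the bind credentials are only ever presented to the server named in URL.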