Hi Svejk,

For me, I use the method below in my deployerConfigContext.xml; we have two 
directories, one for Instructors and the other for Students. 

                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="sAMAccountName=%u" />
                    <property name="searchBase" value="DC=foo,DC=com" />
                    <property name="contextSource" ref="LDAPSRV-A" />
                    <property name="ignorePartialResultException" value="yes" /> <!-- fix because of how AD returns results -->
                </bean>
                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="sAMAccountName=%u" />
                    <property name="searchBase" value="DC=foo1,DC=com" />
                    <property name="contextSource" ref="LDAPSRV-B" />
                    <property name="ignorePartialResultException" value="yes" /> <!-- fix because of how AD returns results -->
                </bean>

            </list>
        </property>
    </bean>

<bean id="LDAPSRV-A" class="org.springframework.ldap.core.support.LdapContextSource">
  <!-- DO NOT enable JNDI pooling for context sources that perform LDAP bind operations. -->
  <property name="pooled" value="false"/>
 
  <!--
    Although multiple URLs may be defined, it's strongly recommended to avoid this configuration
    since the implementation attempts hosts in sequence and requires a connection timeout
    prior to attempting the next host, which incurs unacceptable latency on node failure.
    A proper HA setup for LDAP directories should use a single virtual host that maps to multiple
    real hosts using a hardware load balancer.
  -->
  <property name="url" value="ldap://foo.com:389" />
 
  <!--
    Manager credentials are only required if your directory does not support anonymous searches.
    Never provide these credentials for FastBindLdapAuthenticationHandler since the user's
    credentials are used for the bind operation.
  -->
  <property name="userDn" value="your user"/>
  <property name="password" value="your password"/>
 
  <!-- Place JNDI environment properties here. -->
  <property name="baseEnvironmentProperties">
    <map>
      <!-- Three seconds is an eternity to users. -->
      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
      <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
 
      <!-- Explained at http://download.oracle.com/javase/1.3/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION -->
      <entry key="java.naming.security.authentication" value="simple" />
    </map>
  </property>
</bean>

<bean id="LDAPSRV-B" class="org.springframework.ldap.core.support.LdapContextSource">
  <!-- DO NOT enable JNDI pooling for context sources that perform LDAP bind operations. -->
  <property name="pooled" value="false"/>
 
  <!--
    Although multiple URLs may be defined, it's strongly recommended to avoid this configuration
    since the implementation attempts hosts in sequence and requires a connection timeout
    prior to attempting the next host, which incurs unacceptable latency on node failure.
    A proper HA setup for LDAP directories should use a single virtual host that maps to multiple
    real hosts using a hardware load balancer.
  -->
  <property name="url" value="ldap://foo1:389" />
 
  <!--
    Manager credentials are only required if your directory does not support anonymous searches.
    Never provide these credentials for FastBindLdapAuthenticationHandler since the user's
    credentials are used for the bind operation.
  -->
  <property name="userDn" value="Your user"/>
  <property name="password" value="your password"/>
 
  <!-- Place JNDI environment properties here. -->
  <property name="baseEnvironmentProperties">
    <map>
      <!-- Three seconds is an eternity to users. -->
      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
      <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
 
      <!-- Explained at http://download.oracle.com/javase/1.3/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION -->
      <entry key="java.naming.security.authentication" value="simple" />
    </map>
  </property>
</bean>


Regards,
Amjad 
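
A small lint for this kind of two-directory configuration, as an added example that is not part of the original message or of CAS: it checks that every contextSource ref names a defined LdapContextSource bean, and flags ldap:// URLs and pooled=true on those beans. The sample XML (with a deliberately mismatched bean id), the function names and the finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two bind handlers and two context sources, with a
# mismatched bean id, one plain ldap:// URL and one pooled=true, on purpose.
SAMPLE = """<beans>
  <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="contextSource" ref="LDAPSRV-A" />
  </bean>
  <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="contextSource" ref="LDAPSRV-B" />
  </bean>
  <bean id="LDAPDSRV-A" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false" />
    <property name="url" value="ldap://foo.com:389" />
  </bean>
  <bean id="LDAPSRV-B" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="true" />
    <property name="url" value="ldaps://foo1:636" />
  </bean>
</beans>"""

CONTEXT_SOURCE = "org.springframework.ldap.core.support.LdapContextSource"

def local(el):
    """Tag name without the XML namespace that real Spring files declare."""
    return el.tag.rsplit("}", 1)[-1]

def props(bean):
    """Map property name -> its value= or ref= attribute for one bean."""
    return {p.get("name"): p.get("value") or p.get("ref") or ""
            for p in bean if local(p) == "property"}

def lint(xml_text):
    """Return (check, name) findings for LDAP handlers and context sources."""
    beans = [e for e in ET.fromstring(xml_text).iter() if local(e) == "bean"]
    sources = {b.get("id"): props(b) for b in beans
               if b.get("class") == CONTEXT_SOURCE}
    findings = []
    for b in beans:  # every contextSource ref must name a defined bean id
        ref = props(b).get("contextSource", "")
        if ref and ref not in sources:
            findings.append(("unresolved-ref", ref))
    for bean_id, p in sources.items():
        # ldap:// URL: a simple bind is unencrypted unless StartTLS is set up
        if p.get("url", "").lower().startswith("ldap://"):
            findings.append(("cleartext-ldap", bean_id))
        if p.get("pooled", "").lower() == "true":  # pooling on a bind source
            findings.append(("pooled-bind-source", bean_id))
    return findings
```

Calling `lint(SAMPLE)` reports the unresolved `LDAPSRV-A` reference, the `ldap://` URL on the first context source and the pooled second one.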

> Date: Thu, 22 Nov 2012 16:40:31 +0000
> Subject: [cas-user] multiple directories
> From: [email protected]
> To: [email protected]
> 
> Hi,
> 
> I have looked for this information, I promise. Can't seem to find it though.
> 
> I have two LDAP directories, A and B.
> There are no username clashes.
> Could I configure CAS to authenticate and gather attributes from A and
> B - e.g., try A then B?
> If directory B is down is the impact great (assuming I can set a
> shortish timeout)?
> 
> Cheers,
> Svejk
> 
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
                                          