The AD is set to allow global search by all authenticated users; anything
else (resetting password, etc.) requires the administrator credentials - but
we don't use the Password Manager in CAS - we do that externally via other
apps.  All we need is to determine that a user's account authenticates and
pass the attributes on to other applications.

I'm using the deployerConfigContext defined here:
http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
(The first code sample, which says "The following configuration
authenticates users by sAMAccountName without performing a search, which
requires manager/administrator credentials in most cases. It is therefore
the most performant and secure solution for the typical Active Directory
deployment.")

*From the command line:* I am able to do an ldapsearch using my own
credentials (and looking up another user), and, of course, I am also able
to do a search for another user using the Admin credentials:

ldapsearch -x -H ldaps://id.fuller.edu \
  -b "ou=fuller,dc=id,dc=fuller,dc=edu" \
  -D "admin_acco...@id.fuller.edu" -w "admin_password" \
  "(sAMAccountName=michaelseiler)" \
  cn sn displayName sAMAccountName pwdLastSet lastLogon mail memberof

With either the admin credentials or my own, I get all requested data back
from the server, but with CAS the validation of my own personal account
credentials fails, and all I can seem to get from the error logs is that my
own personal credentials are invalid -- even though I can use them from the
command line and retrieve data for any user.

It seems that this is a configuration error in CAS, but the error logs are
insufficient to help debug this.

Setting up a proxy to track down issues is beyond my knowledge.  If there
is other documentation on setting up CAS 4.0 with LDAP that doesn't use the
Maven overlay method or the cut-and-paste code from the above URL, I'd be
happy to try that out at this point.

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user