[MGNLLDAP-31] Cannot resolve attributes from AD if entry is in different subtree than the one used as initialSearchAttributes Created: 07/Oct/08 Updated: 27/Nov/13 Resolved: 07/Nov/08 |
|
| Status: | Closed |
| Project: | LDAP Connector |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 1.3 |
| Type: | Improvement | Priority: | Major |
| Reporter: | Tobias Bösch | Assignee: | Teresa Miyar |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | businesscritical | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Magnolia Enterprise 3.5.8 running on Centos 5.1 32bit |
||
| Attachments: |
|
| Description |
|
I am setting up the AD connection as ssoSlave following CAS authorisation. I have some success using these settings:

initialSearchAttributes=cn=AdminAccounts,dc=rtsi,dc=ch

in ad.properties. Using these and an account in the AdminAccounts subtree I can log in.

I guess that users could also be in other subtrees if they are not Administrators, therefore I would actually like to do something similar to this search:

[tboesch@server-03-11 config]$ ldapsearch -a never -H ldap://ip-of-ldap -x -W -D 'cnldap-read-cn' -b 'dc=rtsi,dc=ch' userPrincipalName=G*****CH@rtsi.ch

i.e. use dc=rtsi,dc=ch as searchbase. This leads to these settings in ad.properties:

initialSearchAttributes=dc=rtsi,dc=ch

When I change to these, however, I get the following:

Unprocessed Continuation Reference(s) (full trace at the end)

Which could mean that the search is not following referrals, but this should not be the problem, since ldapsearch does not follow referrals either. I added these anyway:

java.naming.referral=follow

to ad.properties, but without any luck. So they are either not picked up or something else goes wrong here.

I found this on the net: http://forums.sun.com/thread.jspa?messageID=1679534 (see attached picture)

Trace:

ERROR info.magnolia.cms.security.SecuritySupportBase SecuritySupportBase.java(logLoginException:85) 09.08.2008 13:44:18 Can't login due to: |
| Comments |
| Comment by Teresa Miyar [ 07/Nov/08 ] |
|
Fixed issue by adding suggested change. |
| Comment by Jan Haderka [ 27/Mar/09 ] |
|
Fixed as of r19766 |
| Comment by Magnolia International [ 26/Oct/10 ] |
|
The change done here only "hides" the actual problem; the referral properties are currently not passed to the context, so they're simply ignored if present in the config. |
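
The point of the last comment, as an added Java example (not the LDAP Connector's code and not the change made in r19766): a `java.naming.referral` setting only takes effect if it is placed in the environment handed to the JNDI context, and a search that leaves referrals unfollowed ends with a `PartialResultException` that has to be handled while enumerating. The class name, the helper names, the use of `java.naming.provider.url` as a config key and the choice to treat the exception as end-of-results are assumptions of this example.

```java
import java.io.StringReader;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class AdReferralSearch {
    // Copy every java.naming.* key from the config into the JNDI environment;
    // a key that is not copied here never reaches the LDAP provider.
    // Bind settings (java.naming.security.principal/credentials) travel the same way.
    static Hashtable<String, Object> buildEnv(Properties cfg) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        for (String key : cfg.stringPropertyNames()) {
            if (key.startsWith("java.naming.")) env.put(key, cfg.getProperty(key));
        }
        return env;
    }
    // Subtree search that keeps the entries already read when the result set
    // ends with continuation references the client did not follow.
    static List<String> findDns(DirContext ctx, String base, String upn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        List<String> dns = new ArrayList<>();
        // Filter arguments are escaped by JNDI, so the UPN cannot alter the filter.
        NamingEnumeration<SearchResult> res =
            ctx.search(base, "(userPrincipalName={0})", new Object[] { upn }, sc);
        try {
            while (res.hasMore()) dns.add(res.next().getNameInNamespace());
        } catch (PartialResultException e) {
            // "Unprocessed Continuation Reference(s)": referrals were not followed
        } finally {
            res.close();
        }
        return dns;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample config; the host is the placeholder used in the report.
        Properties cfg = new Properties();
        cfg.load(new StringReader("initialSearchAttributes=dc=rtsi,dc=ch\n"
            + "java.naming.provider.url=ldap://ip-of-ldap\n"
            + "java.naming.referral=follow\n"));
        Hashtable<String, Object> env = buildEnv(cfg);
        System.out.println("referral mode passed to JNDI: " + env.get(Context.REFERRAL));
        if (args.length == 1) { // contact the directory only when a UPN is given
            DirContext ctx = new InitialDirContext(env);
            try {
                System.out.println(findDns(ctx, cfg.getProperty("initialSearchAttributes"), args[0]));
            } finally { ctx.close(); }
        }
    }
}
```

With `follow`, JNDI by default reuses the original context's authentication information for each referral it chases, so the service account's credentials are presented to whatever server a referral names. Leaving referrals unfollowed and handling the `PartialResultException` keeps the bind on the configured server.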