>>> On 25/04/2008 at 10:33, in message
<[log in to unmask]>, Josh
Howlett <[log in to unmask]> wrote:
>
> Note that it is somewhat more difficult to extract credentials from ADS;
> for example, if you wanted to pull the credentials from the directory
> and compare them to those provided by the user.
>
Hi Josh,
I'm not sure which stage you're referring to.
During the bind process it's a standard LDAP bind. The user has supplied a cn; Tomcat (if that is who is doing the auth) looks up the FDN and then binds with that FDN and the password supplied.
At the later stage, Shib binds with the credentials supplied in resolver.xml and gets the required attributes for %PRINCIPAL% out of the directory using LDAP, which are then passed out as SAML assertions.
I'm not quite sure when you would pull out anything and compare it; am I missing something? I know that people have worries about schema extensions etc. with AD, but the basic binding and retrieving of attributes by LDAP seems pretty normal when I've played with it.
Andy
--
*********
Andy Swiffin
Senior Network Specialist, Corporate Information systems
Information & Communications Services (ICS)
University of Dundee, Computing Centre, Park Place, Dundee, DD1 4HN
Direct: 01382 388000 (Service Desk)
Visit our website at: www.dundee.ac.uk/ics
*********
The University of Dundee is a registered Scottish charity, No: SC015096
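The search-then-bind flow Andy describes, as an added example that is not part of the original thread: Python with an in-memory stand-in for the directory (the `Directory` and `authenticate` names, the `cn=shibsvc` service DN and the sample users are all constructed assumptions). It shows that the resolver.xml service account only looks up the FDN and reads attributes, that the user's password goes only into the bind and is never read back, and that the supplied cn is escaped before it enters the search filter.

```python
"""Search-then-bind LDAP authentication. Constructed example, not code from
the thread: an in-memory Directory stands in for AD so it runs offline. The
service account only searches and reads attributes; the user's password is
used solely for the bind and is never retrieved or compared by the caller."""
import hashlib, hmac, os, re

def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied cn cannot change the filter."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

class Directory:
    """Minimal LDAP stand-in: stores only salted password hashes per DN."""
    def __init__(self):
        self.entries = {}  # dn -> (attributes, salt, sha256(salt + password))
    def add(self, dn, attrs, password):
        salt = os.urandom(16)
        self.entries[dn] = (attrs, salt, hashlib.sha256(salt + password.encode()).digest())
    def bind(self, dn, password):
        """Simple bind; an empty password would be an anonymous bind, so reject it."""
        if dn not in self.entries or not password:
            return False
        _, salt, digest = self.entries[dn]
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())
    def search(self, flt):
        """Equality filter '(attr=value)'; only an unescaped '*' acts as a wildcard."""
        attr, value = re.fullmatch(r'\((\w+)=(.*)\)', flt, re.S).groups()
        tokens = re.findall(r'\\[0-9a-fA-F]{2}|.', value, re.S)  # '\2a' style escapes
        rx = ''.join('.*' if t == '*' else
                     re.escape(chr(int(t[1:], 16)) if t.startswith('\\') else t) for t in tokens)
        return [dn for dn, (a, _, _) in self.entries.items() if re.fullmatch(rx, a.get(attr, ''), re.S)]
    def read(self, dn):
        return dict(self.entries[dn][0])

def authenticate(directory, service_dn, service_pw, user_cn, user_pw):
    """Tomcat/Shib flow: the service account finds the FDN for the supplied cn,
    the user's own password is used to bind as that DN, then the attributes
    for %PRINCIPAL% are read back for the SAML assertion. None on failure."""
    if not directory.bind(service_dn, service_pw):
        raise RuntimeError("service account bind failed")
    matches = directory.search('(cn=%s)' % escape_filter_value(user_cn))
    if len(matches) != 1:  # unknown or ambiguous cn: refuse rather than guess
        return None
    return directory.read(matches[0]) if directory.bind(matches[0], user_pw) else None

def demo_directory():
    """Constructed sample data: one service account and two staff users."""
    d = Directory()
    d.add('cn=shibsvc,ou=services,dc=example,dc=ac,dc=uk', {'cn': 'shibsvc'}, 'svc-secret')
    d.add('cn=alice,ou=staff,dc=example,dc=ac,dc=uk',
          {'cn': 'alice', 'mail': 'alice@example.ac.uk', 'eduPersonAffiliation': 'staff'}, 'correct-horse')
    d.add('cn=bob,ou=staff,dc=example,dc=ac,dc=uk', {'cn': 'bob', 'mail': 'bob@example.ac.uk'}, 'battery-staple')
    return d
```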