>>> On 01/05/2009 at 11:27, in message
<5A2110DC1CD00B45A0832E5BF98ECB0602D576808D@ex2>, Matt Dunkin
<[log in to unmask]> wrote:
> Paul,
>
> As a starter you could try replacing
>
> userSearch="(uid={0})"
>
> with
>
> userSearch="(samAccountName={0})"
>
> From memory, I think I'm right in saying AD doesn't have a uid attribute or
> at least populate it.
Get yourself a copy of ldp.exe and have a browse of the tree - that way you can confirm what attributes you're seeing (and what shib will see). It'll also enable you to cut and paste the connection name, password and search base into it so that you can make sure you have no cunning typos!
It may be the referrals problem if you're trying to search from the top of an AD tree (beware, I'm no AD expert); have a look at the threads in the archives from the end of August 2008 and October 2008. I can't remember if:
userBase="cn=Users,dc=abcol,dc=ac,dc=uk"
counts as the top of the tree though for this to be a problem.
>
> You might also want to try port 3268 (the global catalog) if your AD is
> "complicated" as it doesn't return you referrals like a standard LDAP query
> to AD can on port 389.
Beware when you use this in resolver.xml that (I'm told) the GC doesn't have _all_ attributes so depending on what you're looking for it may not be there - this is a bit academic for you at the moment though as you need to get signed on first!
What you're trying to do does work, we got it all going down at Adam Smith college yesterday :-)
Cheers
Andy
The University of Dundee is a registered Scottish charity, No: SC015096
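As an added illustration (not code from the thread or from Shibboleth/Tomcat), the script below dry-runs a JNDIRealm-style `userBase`/`userSearch` configuration against a small directory snapshot, the kind of thing you would otherwise confirm by browsing with ldp.exe. It shows why `(uid={0})` finds nothing on AD while `(samAccountName={0})` does, that the search is scoped to `userBase`, and that an attribute present on the DC copy of an entry (port 389) can be absent from the global catalog copy (port 3268). The entries are constructed sample data, only simple `(attr=value)` filters are modelled, and the `department` attribute being left out of the GC copy is a hypothetical choice for illustration, since which attributes replicate to the GC is a schema setting on your own AD.

```python
"""Dry-run a JNDIRealm-style LDAP login config against a directory snapshot.

Added example, not from the mailing-list thread. The directory entries are
constructed sample data, not a real AD dump.
"""
import re

# Constructed sample: what a full domain controller (port 389) returns.
DC_ENTRIES = {
    "CN=Paul Example,CN=Users,DC=abcol,DC=ac,DC=uk": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["paul"],
        "userPrincipalName": ["paul@abcol.ac.uk"],
        "mail": ["paul@abcol.ac.uk"],
        "department": ["Computing"],  # hypothetical: assumed not in the GC set
    },
}

# Constructed sample: the same entry as the global catalog (port 3268) might
# return it. The GC carries only the partial attribute set; 'department' is
# omitted here purely to illustrate the caveat from the thread.
GC_ENTRIES = {
    "CN=Paul Example,CN=Users,DC=abcol,DC=ac,DC=uk": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["paul"],
        "userPrincipalName": ["paul@abcol.ac.uk"],
        "mail": ["paul@abcol.ac.uk"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter,
    so a username such as 'pa*ul)' cannot change the filter's structure."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(c, c) for c in value)


def build_filter(user_search: str, username: str) -> str:
    """Fill the {0} placeholder of a userSearch template with the escaped name."""
    return user_search.replace("{0}", escape_filter_value(username))


_EQ = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<val>[^()]*)\)$")


def _unescape(val: str) -> str:
    """Reverse RFC 4515 escaping (\\XX hex pairs) to get the literal value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)


def dn_under_base(dn: str, base: str) -> bool:
    """True if dn equals the base or lies beneath it (case-insensitive)."""
    d, b = dn.lower().replace(", ", ","), base.lower().replace(", ", ",")
    return d == b or d.endswith("," + b)


def find_user(entries, user_base: str, user_search: str, username: str):
    """Return the DNs the realm's search would match for this username.

    Attribute names and the values of attributes like sAMAccountName match
    case-insensitively in AD, so the comparison here is case-insensitive too.
    """
    flt = build_filter(user_search, username)
    m = _EQ.match(flt)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled: " + flt)
    attr, want = m.group("attr").lower(), _unescape(m.group("val")).lower()
    hits = []
    for dn, attrs in entries.items():
        if not dn_under_base(dn, user_base):
            continue  # outside userBase: the realm would never see this entry
        for name, values in attrs.items():
            if name.lower() == attr and want in [v.lower() for v in values]:
                hits.append(dn)
    return hits


def attributes_missing_from_gc(dn: str):
    """Attributes on the DC copy of an entry that the GC copy does not carry."""
    return sorted(set(DC_ENTRIES[dn]) - set(GC_ENTRIES.get(dn, {})))


if __name__ == "__main__":
    base = "cn=Users,dc=abcol,dc=ac,dc=uk"
    for template in ("(uid={0})", "(samAccountName={0})"):
        print(template, "->", find_user(DC_ENTRIES, base, template, "paul"))
    dn = "CN=Paul Example,CN=Users,DC=abcol,DC=ac,DC=uk"
    print("not in GC:", attributes_missing_from_gc(dn))
```

Run it as-is to see the `(uid={0})` template return an empty match list and the `(samAccountName={0})` template return the user's DN; point `DC_ENTRIES`/`GC_ENTRIES` at an export of your own tree to dry-run a real `resolver.xml` attribute list against the GC before switching to port 3268.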