I've just spent some time trying to get a v1.3 Shib IdP talking sensibly to AD at a local college. I'm away on hols in a couple of days so rather than spending my usual week banging my head against the documentation before coming here and asking for help, I thought I'd ask you knowledgeable folks first...
We were trying to do a couple of fairly straightforward things:
1) Authenticate through a Tomcat JNDI realm with userSubtree=true and the userbase pointing to the root of the tree dc=elmwood,dc=ac,dc=uk. The tree has separate OUs hanging off there for staff and students. The authentication works fine if we point userbase at ou=staff,dc=elmwood,dc=ac,dc=uk and it searches the subtrees below there correctly, finding the user and binding as that to verify the password, but when pointing at the root it doesn't work. A wireshark trace shows it finds the user's fully distinguished name but then some other LDAP responses I don't understand and no attempt to bind. Is there some obvious fix for this?
2) In AD is there any fine granularity of control over which attributes a user object can see? In resolver.xml we have another JNDI data connector which is used to read the "principal's" attributes before munging them into assertions; we would like to be able to restrict the user that this operates as to only being able to read certain attributes as required rather than all attributes of the "principal". It seems that if there are too many attributes visible then this overflows and you only get some of them being made available. Alternatively, in the JNDI connector can you specify which attributes you want it to read? I have a suspicion that this may be possible (I think Chad LaJoie said it was, but this may only be in v2), but have not been able to find any documentation.
I'm finding working with AD quite frustrating - both of the above are really trivial to do in Novell eDirectory! Unfortunately my VM box which hosts my server2003 and toy AD tree has died and I can't play around with AD myself at the moment. Hence any help would be appreciated to get them up and running.
The University of Dundee is a registered Scottish charity, No: SC015096
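The realm setup described in point 1, written out as an added example (not configuration from the original post): a Tomcat JNDIRealm that searches the whole tree below the domain root for the user and then binds as the DN it found to check the password. The hostname, bind account DN and password are placeholders; the domain suffix is the one named in the post.

```xml
<!-- Added example: Tomcat JNDIRealm entry for server.xml, not from the original post.
     connectionURL host, connectionName and connectionPassword are placeholders. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc1.example.invalid:389"
       connectionName="cn=shib-lookup,ou=service accounts,dc=elmwood,dc=ac,dc=uk"
       connectionPassword="CHANGEME"
       userBase="dc=elmwood,dc=ac,dc=uk"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       roleBase="ou=groups,dc=elmwood,dc=ac,dc=uk"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})" />
```

With userSearch set and no userPassword attribute configured, the realm authenticates by binding as the DN returned from the search, which is the behaviour the post describes for the working ou=staff base. Two things worth checking against the Wireshark trace when the base is moved to the domain root: a subtree search from the root of an AD domain returns searchResultRef (referral) responses for the sub-partitions alongside the matching entry, which is a likely candidate for the unexplained LDAP responses; and the lookup account used for connectionName should be a dedicated, low-privilege account so that it, and the data connector discussed in point 2, can read only the attributes the IdP actually needs.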