...
MSAD allows you to uniquely specify users in two ways, in addition to the standard DN. If you're not having luck with the standard DN, give one of the two below a try. Each of the examples below is shown in the context of the managerDn property of the Acegi Security DefaultInitialDirContextFactory bean.
Kerberos notation
Example: pentahoadmin@mycompany.com
```xml
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://mycompany:389" />
  <property name="managerDn" value="pentahoadmin@mycompany.com" />
  <property name="managerPassword" value="omitted" />
</bean>
```
Windows domain notation
Example: MYCOMPANY\pentahoadmin
```xml
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://mycompany:389" />
  <property name="managerDn" value="MYCOMPANY\pentahoadmin" />
  <property name="managerPassword" value="omitted" />
</bean>
```
...
In the LdapAuthenticator implementations provided by Acegi Security (e.g. BindAuthenticator), you must specify either a userDnPatterns, or a userSearch, or both. If you're using the Kerberos or Windows domain notation, you should use userDnPatterns exclusively in your LdapAuthenticator.
Info | ||
---|---|---|
| ||
The reason that |
Note, however, that Pentaho's LdapUserDetailsService requires an LdapUserSearch for its userSearch property.
...
The sAMAccountName attribute should be used as the username in user searches. The searchSubtree property (which influences the SearchControls) should most likely be true. Otherwise, it searches the specified base plus one level down.
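A user search configured along these lines, as an added example that is not part of the original page. The bean id userSearch and the search base are assumed placeholder values, and the bean reuses the initialDirContextFactory bean shown earlier.

```xml
<!-- Added example: the bean id and the search base below are assumptions, not values from the original page. -->
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
  <!-- Search base (constructed placeholder); adjust to the container that holds your user accounts -->
  <constructor-arg index="0" value="CN=Users,DC=mycompany,DC=com" />
  <!-- {0} is replaced with the login name, matched against sAMAccountName -->
  <constructor-arg index="1" value="(sAMAccountName={0})" />
  <!-- Connection and manager credentials come from the context factory bean -->
  <constructor-arg index="2" ref="initialDirContextFactory" />
  <!-- true searches the whole subtree under the base; false limits the search as described above -->
  <property name="searchSubtree" value="true" />
</bean>
```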
...