Shibboleth Developers

[Velpi <>]

Hi,

I have been building a workaround for a problem with MS Active Directory 
when resolving attributes with an LDAP search from the base of the 
directory.
https://mail.internet2.edu/wws/arc/shibboleth-users/2005-09/msg00277.html
https://mail.internet2.edu/wws/arc/shibboleth-users/2005-12/msg00032.html

The problem comes down to attribute references that cannot be resolved 
("PartialResultsException"). Most of the time, you just don't want the 
resolver to bother about that. MS-AD does not seem to respond correctly 
to any standard controls to ignore this problem.

At this point I have some working code that makes it possible handle 
this problem as the administrator would like. As suggested by Patrik 
Schnellmann I added an attribute "skipReferrals" to the JNDI provider 
that is configured in resolver.xml. The patch requires several minor 
changes to JNDIDirectoryDataConnector and an extra line the resolver.xml 
schema definition. [I have patched both the lastest release version 
(r1.3b) and the latest CVS version (1.20) of this class]

The patch has been tested successfully for a directory where merging 
multiple results isn't needed. The function for merging those attributes 
has been patched too, but has not been tested.


I think a lot of people would benefit from it if the patch was included 
in one of the next releases of the Shibboleth IdP, if it is found to be 
ok. If any of the developers is interested in the code, please let me 
know where I can send my files to. (it doesn't seem appropriate to 
include the entire file here)


kind regards,

--
---------------------------------------------
Jan "Velpi" Van der Velpen
LUDIT - K.U.Leuven
W. de Croylaan 52A | 3001 Heverlee | Belgium
http://shib.kuleuven.be