(Note: I posted a similar message on the user list yesterday, but the final question here is different. https://groups.google.com/d/msg/jasig-cas-user/Jml9i6oJxRs/lS-TX0QMB8gJ )
I'm currently using a JNDIRealm to supply authentication and group membership to a servlet (Orbeon Forms http://www.orbeon.com/). Here's my current config:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldaps://server1.example.com:636"
           alternateURL="ldaps://server2.example.com:636"
           connectionName="cn=binduser,o=myorg"
           connectionPassword="password"
           userSearch="(&amp;(objectClass=User)(employeeNumber=*)(cn={0}))"
           userBase="o=myorg"
           userSubtree="true"
           roleName="cn"
           roleSearch="(&amp;(objectClass=groupOfNames)(member={0}))"
           roleBase="o=myorg"
           roleSubtree="true"
           commonRole="authenticated-user" />

There are two features I miss when switching to using an AssertionCasRealm.

1. The commonRole property allows me to easily assign a role to all authenticated users.

2. While I can't find any mention of this in the JNDIRealm documentation, roleName="cn" causes the CN attribute to be extracted from the group and used as the role name rather than the DN. This is useful to me because Orbeon Forms doesn't currently allow commas in role names.

My AssertionCasRealm configuration is simply:

    <Realm className="org.jasig.cas.client.tomcat.v7.AssertionCasRealm"
           roleAttributeName="groupMembership" />

I haven't heard back on my question to the user list, whether there are configuration changes that I can make to achieve similar functionality. In the case it isn't possible, I'm wondering if you would be receptive to patches implementing options that could improve substitutability with JNDIRealm. I am also looking for direction on how I might best implement those changes.

Aaron Spike
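The two behaviours asked about above (a CN-only role name and a common role for every authenticated user), sketched as an added example that is not part of the original message and is not code from the CAS client or Tomcat. The class GroupDnRoleMapper and its methods are hypothetical, and the sample DNs are constructed. Because a CN is not unique across the directory tree, the sketch refuses to merge two different group DNs into one role name.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper: not part of the CAS client or of Tomcat.
public class GroupDnRoleMapper {
    private final String commonRole; // may be null; mirrors JNDIRealm's commonRole idea

    public GroupDnRoleMapper(String commonRole) { this.commonRole = commonRole; }

    /** Maps group DNs (e.g. the values of a groupMembership attribute) to role names. */
    public Set<String> toRoles(Collection<String> groupDns) {
        Map<String, String> roleToDn = new LinkedHashMap<>();
        for (String dn : groupDns) {
            String role = leadingCn(dn);
            if (role == null) continue; // unusable entry: grant nothing for it
            // Two different groups sharing a CN would otherwise silently become one role.
            String previous = roleToDn.putIfAbsent(role, dn);
            if (previous != null && !previous.equalsIgnoreCase(dn)) {
                throw new IllegalStateException("Ambiguous role '" + role + "': " + previous + " vs " + dn);
            }
        }
        Set<String> roles = new LinkedHashSet<>(roleToDn.keySet());
        if (commonRole != null) roles.add(commonRole);
        return roles;
    }

    /** Returns the CN of the leftmost RDN, or null if the DN is unusable as a role source. */
    static String leadingCn(String dn) {
        try {
            LdapName name = new LdapName(dn);
            if (name.isEmpty()) return null;
            Rdn leaf = name.getRdn(name.size() - 1); // index 0 is the rightmost RDN
            Object value = leaf.getValue();          // already unescaped by Rdn
            if (!"cn".equalsIgnoreCase(leaf.getType()) || !(value instanceof String)) return null;
            String cn = (String) value;
            return cn.indexOf(',') >= 0 ? null : cn; // an escaped comma in the CN would still break the consumer
        } catch (InvalidNameException e) {
            return null; // malformed DN
        }
    }

    public static void main(String[] args) {
        // Constructed sample DNs.
        List<String> dns = Arrays.asList("cn=form-admins,ou=groups,o=myorg", "cn=staff,o=myorg");
        System.out.println(new GroupDnRoleMapper("authenticated-user").toRoles(dns));
    }
}
```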