Atlassian has a nice paper on how to write LDAP filters: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html and should help you if you want to restrict the users able to authenticate with CAS.
The way I see this, CAS should authenticate the user (wide open to the users and restricted to authorized apps only), and the application using CAS should authorize the user. That means the logic of who can use what should be in the application and not in CAS. This is why CAS has the possibility to return LDAP attributes to the application: are you a member of so and so groups? Then go ahead and use my application as an admin or as a user with specific roles. This is my point of view and it is based on my experience in my environment. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/87ad1bf3-1224-4b9a-932e-96af24719f39%40apereo.org.