Carl,

Cas uses ldaptive, https://www.ldaptive.org/. Its docs may shed some light.

Ray

On Thu, 2022-05-19 at 10:41 -0400, Carl Waldbieser wrote:
Ray,

No-- I don't want person "A" to be able to authenticate on behalf of person "B".

Currently, our users log on with a system assigned username.  I'd like them to 
also be able to claim their own username alias and be able to log on with that. 
So for example, user "smithe" could have an alias "catlover86" and use that as 
their username.

OpenLDAP has a concept of alias entries for its DIT that can refer to other 
entries.  Potentially, I could use this, but there are some caveats:

  1.  The LDAP client has to explicitly dereference aliases.
  2.  When an entry is being dereferenced, it won't be returned in a search if 
you are searching for attributes on the alias itself.  This is because the 
filter matches the attributes on the dereferenced entry.

The 2nd rule is very counter-intuitive in my opinion.  It took me a while to 
wrap my head around what was going on.  But you can set the LDAP base DN to the 
alias during a SEARCH operation, and the dereferenced target will be returned 
assuming you have a filter that matches the target.

Typically, our 2 step BIND in CAS looks like this:

  1.  SEARCH the LDAP DIT for an entry with an attribute (let's say "uid") that 
matches the username provided.  This search is done while BINDed as a DN with 
elevated search privs.
  2.  Once a matching entry is found, BIND to it using the password provided.

CAS lets me set up a search filter like "(uid={user})" where it will do the 
substitution for "user", so this works fine.

To use aliases, I'd want to do something like:

  1.  SEARCH the LDAP DIT for an entry with a base DN of 
"uid={user},ou=aliases,o=myorg".  Again, the search would be done while BINDed 
as a DN with elevated search privs.
  2.  Once a matching *dereferenced* entry is found, BIND to it using the 
password provided.

The configuration I'm not sure about is that CAS would need to be able to 
substitute {user} into the base DN for the search, making sure to escape it 
properly.  Also, the SEARCH would need to indicate that alias entries should be 
dereferenced.

I'm not sure if CAS supports this without getting into some magical Java bean 
territory.

Thanks,
Carl Waldbieser

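The two caveats in Carl's alias flow, substituting {user} into a base DN with the right escaping and telling the server to dereference the alias, can be shown concretely. The following is an added example, not code from this thread, from CAS or from ldaptive; the function names are hypothetical and the "o=myorg" / "ou=aliases" DNs are taken from the messages above. It builds both step-1 search requests (the usual "(uid={user})" subtree search and the alias-as-base-DN search) with RFC 4515 escaping for filter values and RFC 4514 escaping for DN values, and uses the RFC 4511 derefAliases value that dereferences the base object itself.

```python
"""Build the step-1 LDAP search of a CAS-style two-step bind.

Added example (not CAS or ldaptive code). The point it illustrates:
a username dropped into a search *filter* and a username dropped into a
base *DN* need different escaping, and a search whose base DN is an alias
only works if derefAliases asks the server to dereference the base object.
"""

# RFC 4511 SearchRequest.derefAliases values.
DEREF_NEVER = 0              # neverDerefAliases
DEREF_IN_SEARCHING = 1       # derefInSearching: subordinates only, not the base
DEREF_FINDING_BASE_OBJ = 2   # derefFindingBaseObj: the base object only
DEREF_ALWAYS = 3             # derefAlways

MAX_USERNAME_LEN = 64  # constructed local limit, not an LDAP rule


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter.

    Backslash, '*', '(', ')' and NUL become \\XX hex escapes, so a value
    like 'a*' cannot widen the filter into a wildcard match."""
    out = []
    for ch in value:
        if ch in '\\*()' or ch == '\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value used in an RDN.

    '"', '+', ',', ';', '<', '>', '\\' and '=' are escaped anywhere; '#' and
    space are escaped at the start, space at the end; control characters are
    written as \\XX.  Without this, a username containing ',' would change
    which entry the base DN names."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ord(ch) < 0x20 or ch == '\x7f':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def check_username(username: str) -> str:
    """Reject values no real username should have before they reach LDAP."""
    if not username or len(username) > MAX_USERNAME_LEN:
        raise ValueError('username empty or too long')
    if any(ord(c) < 0x20 for c in username):
        raise ValueError('control character in username')
    return username


def uid_search(username: str, base_dn: str = 'o=myorg') -> dict:
    """The usual flow: subtree search for (uid={user}) under a fixed base."""
    user = check_username(username)
    return {
        'base': base_dn,
        'scope': 'subtree',
        'filter': '(uid=%s)' % escape_filter_value(user),
        'deref': DEREF_NEVER,
    }


def alias_search(username: str, alias_base: str = 'ou=aliases,o=myorg') -> dict:
    """The alias flow: the alias entry is the base DN, the filter matches the
    dereferenced target, and derefAliases must cover the base object."""
    user = check_username(username)
    return {
        'base': 'uid=%s,%s' % (escape_dn_value(user), alias_base),
        'scope': 'base',
        'filter': '(objectClass=*)',
        'deref': DEREF_FINDING_BASE_OBJ,
    }


if __name__ == '__main__':
    # Constructed inputs: a benign alias and one with DN/filter metacharacters.
    for name in ('catlover86', 'cat*lover,86'):
        print('uid search  :', uid_search(name))
        print('alias search:', alias_search(name))
```

Whatever issues the requests, the bind DN for step 2 must come from the entry the server returns, not be assembled from the alias DN; and with derefAliases left at neverDerefAliases or derefInSearching, a base-scope search on the alias will not return the target at all, which is the behaviour Carl describes.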

On Wed, May 18, 2022 at 7:09 PM Ray Bon <r...@uvic.ca> wrote:
Carl,

Are you referring to surrogate authentication?
https://apereo.github.io/cas/6.4.x/authentication/Surrogate-Authentication.html

Ray

On Wed, 2022-05-18 at 16:23 -0400, Carl Waldbieser wrote:
If I have an entry and an alias in an OpenLDAP DIT such that searching on 
"alias" dereferences "entry", is it possible to configure CAS to perform a 2 
stage BIND in this way?

I.e.

  1.  User enters "alias" and password at the CAS login form.
  2.  CAS searches the DIT with LDAP base "uid=alias,ou=aliases,o=myorg" and a 
filter like "(objectClass=*)".
  3.  The actual entry dereferenced has DN 
"uid=entry,ou=somedepartment,o=myorg".
  4.  CAS attempts a BIND against this DN with the provided password.

It's not obvious from the documentation how one might configure that, or even 
if it is possible.

Thanks,
Carl Waldbieser


--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/868a2f900c274818b9e38f466497d550f92d75a7.camel%40uvic.ca.
