> Sorry, I meant to ask if CredentialsToLDAPAttributePrincipalResolver can be used to achieve this

No. While it is common to use that component with X.509 auth to transform the DN into a more user-friendly principal name via LDAP lookup, your use case, as I understand it from previous posts, is to have chained authentication handlers and do the email verification as an authorization check. The crux of your problem is that CAS is designed to authenticate with the first available handler for a particular credential type. You'll have to write your own authentication handler that does X.509 followed by the LDAP bind/search to look up the authorization data you need.

I'm pretty sure the outline I wrote up for you in response to your previous post is your best bet. Even if you decide on another implementation, I'm fairly certain you will need to write some code to address this use case.

M
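
Added example, not part of the original message and not CAS code: a self-contained Java model of why two separate handlers for the same credential type do not chain, and of a single handler that performs the X.509 check followed by the directory lookup. The `Handler` interface, `CertCredentials`, the in-memory `directory` map standing in for the LDAP search, and the email-match rule are all assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;

public class ChainedX509Example {
    // Stand-in for a handler contract (assumed shape, not the CAS interface).
    interface Handler {
        boolean supports(Object credentials);
        boolean authenticate(Object credentials);
    }

    // Constructed credential: values a client certificate would carry.
    record CertCredentials(String subjectDn, String email, boolean trusted) {}

    // Certificate validation only (stand-in for the X.509 check).
    static class X509Only implements Handler {
        public boolean supports(Object c) { return c instanceof CertCredentials; }
        public boolean authenticate(Object c) { return ((CertCredentials) c).trusted(); }
    }

    // One handler doing both steps: X.509 check, then lookup as an authorization gate.
    static class X509ThenDirectory implements Handler {
        private final Handler x509 = new X509Only();
        private final Map<String, String> directory; // DN -> mail, stand-in for LDAP search
        X509ThenDirectory(Map<String, String> directory) { this.directory = directory; }
        public boolean supports(Object c) { return x509.supports(c); }
        public boolean authenticate(Object c) {
            if (!x509.authenticate(c)) return false;      // bad certificate: deny
            CertCredentials cc = (CertCredentials) c;
            String mail = directory.get(cc.subjectDn());  // no entry: deny
            return mail != null && cc.email() != null && mail.equalsIgnoreCase(cc.email());
        }
    }

    // Model of the selection rule described above: the first handler that
    // supports the credential type decides; later handlers are not consulted.
    static boolean login(List<Handler> handlers, Object credentials) {
        for (Handler h : handlers)
            if (h.supports(credentials)) return h.authenticate(credentials);
        return false;
    }

    public static void main(String[] args) {
        Map<String, String> dir = Map.of("CN=alice,O=Example", "alice@example.org");
        var unlisted = new CertCredentials("CN=bob,O=Example", "bob@example.org", true);
        var alice = new CertCredentials("CN=alice,O=Example", "alice@example.org", true);
        Handler combined = new X509ThenDirectory(dir);
        // Separate handlers: X509Only answers first, the directory check never runs.
        System.out.println("separate, unlisted DN: " + login(List.of(new X509Only(), combined), unlisted));
        // Combined handler: a trusted certificate without a matching entry is refused.
        System.out.println("combined, unlisted DN: " + login(List.of(combined), unlisted));
        System.out.println("combined, listed DN:   " + login(List.of(combined), alice));
    }
}
```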
