Andy Cowling wrote:
> 
> Just to be clear, pulling the email address from the cert and resolving
> to a username in LDAP is required for authentication, not
> authorization(!) We don't want to authenticate any user who provides a
> cert that does not correspond to the login name they use in the web form.

I think one has to distinguish several (optional) steps:

0. Map the user ID entered in a web form to a credential name
(e.g. search the user's LDAP bind-DN with (uid=%u) in CAS)

1. Use the credential name together with the credential for authc
=> result is a principal name based on the authc mech used

2. Map the authc-specific principal name to a (normalized) authz-ID as
CAS principal name. This is not authz, it's just name mapping

3. Outside CAS: Authz of the user within an application based on the
(normalized) CAS principal name

So for your situation...
- step 0. is only needed if cert-based authc mech does not work.
- the result of step 1. is the cert's subject-DN if cert-based authc was
used.

Being in your situation I would think more about what the different IDs
are and who controls the name spaces with which naming rules. I'd then
try to provision the LDAP entries in such a way that you can do the
mapping in step 2. above as described here:

http://www.ja-sig.org/wiki/display/CASUM/Attributes

Further considerations:

What is your authz-ID? The e-mail address? Is the e-mail address name
space limited for your user community? Do you control the e-mail
address name space? Note that in general normalization of the e-mail
address can be tricky since the local part of an RFC 2822 e-mail address
is *case-sensitive*. The standard LDAP equality matching rule for
attribute 'mail' is caseIgnoreIA5Match though.

Who issues the client certs? If you control the client certs, your
issuing CA should be the only trusted CA for the login. Also you can
provision parts of the client cert data to the user's LDAP entry.

...etc...

Ciao, Michael.

-- 
Michael Ströder
E-Mail: [email protected]
http://www.stroeder.com
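Steps 0 to 2 from the reply above, as an added example that is not part of the original thread and not CAS's own code: a small Python model run over a constructed in-memory directory, assuming the cert's e-mail is taken from its subjectAltName and that LDAP 'mail' compares with caseIgnoreIA5Match as noted above. The CA name, the entries and all attribute values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientCert:
    """Fields of a client cert that matter here (constructed data)."""
    issuer_dn: str      # issuer DN
    subject_dn: str     # step 1 result for cert-based authc
    rfc822_name: str    # e-mail taken from subjectAltName

# Assumption: one in-house CA issues all client certs, so only it is trusted.
TRUSTED_ISSUERS = {"CN=Example Client CA,O=Example Corp"}

# Constructed LDAP entries, keyed by bind-DN (stand-in for a real search).
DIRECTORY = {
    "uid=acowling,ou=people,dc=example,dc=org":
        {"uid": "acowling", "mail": "Andy.Cowling@example.org"},
    "uid=mstroeder,ou=people,dc=example,dc=org":
        {"uid": "mstroeder", "mail": "michael@example.org"},
}

def bind_dn_for_uid(form_uid):
    """Step 0: the (uid=%u) search, needed only for password-based authc."""
    hits = [dn for dn, e in DIRECTORY.items() if e["uid"].lower() == form_uid.strip().lower()]
    return hits[0] if len(hits) == 1 else None

def ldap_mail_equals(a, b):
    # caseIgnoreIA5Match compares the whole value case-insensitively,
    # even though RFC 2822 makes the local part case-sensitive.
    return a.strip().lower() == b.strip().lower()

def entry_for_mail(mail):
    """Step 2 lookup: cert e-mail -> directory entry (None if 0 or >1 hits)."""
    hits = [dn for dn, e in DIRECTORY.items() if ldap_mail_equals(e["mail"], mail)]
    return hits[0] if len(hits) == 1 else None

def principal_for_cert(cert, form_uid):
    """Return the normalized CAS principal (the entry's uid), or None
    when the login must be refused."""
    if cert.issuer_dn not in TRUSTED_ISSUERS:   # cert from a foreign CA
        return None
    dn = entry_for_mail(cert.rfc822_name)
    if dn is None:
        return None
    uid = DIRECTORY[dn]["uid"]
    # The cert must belong to the very user named in the web form.
    if uid.lower() != form_uid.strip().lower():
        return None
    return uid
```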
