You can have multiple BindLdapAuthenticationHandlers and CredentialtoPrincipalResolvers and they will each be tried in order - the first one to return success is used. If you want to use a particular CredentialtoPrincipalResolver depending on the LDAP server that the user authenticated against, you can use LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager.

Here's an example:
We have 2 LDAP repositories that store user accounts:
- Sun LDAP -- users login with just their username
- Active Directory -- users login with primary email address
All of the AD users also have an entry in the LDAP server, and all of our CAS clients expect the principal in the CAS ticket to be a username (NOT usern...@domain), so we have to use a different CredentialtoPrincipalResolver for each AuthHandler. Before the Linked AuthenticationManager was available I had a custom CredentialtoPrincipalResolver that would do the same thing: search for the principal in LDAP if the supplied credentials had an '@' in it. Now I can use standard CAS beans and the configuration is pretty clear - if *this* AuthHandler succeeds, use *this* CredentialtoPrincipalResolver.
deployerConfigContext.xml:
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">
    <constructor-arg index="0">
        <map>
            <entry key-ref="SunDS-LdapAuthHandler"
                   value-ref="UsernameCredentialtoPrincipalResolver" />
            <entry key-ref="AD-LdapAuthHandler"
                   value-ref="LdapCredentialtoPrincipalResolver" />
            <entry key-ref="HTTPAuthHandler"
                   value-ref="HTTPCredentialtoPrincipalResolver" />
        </map>
    </constructor-arg>
</bean>

<bean id="SunDS-LdapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="(uid=%u)" />
    <property name="searchBase" value="ou=usf,o=usf.edu" />
    <property name="contextSource" ref="SunDS-LdapAuthcontext" />
</bean>

<bean id="UsernameCredentialtoPrincipalResolver"
      class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
    <property name="attributeRepository" ref="attributeRepository" />
</bean>

<bean id="AD-LdapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="(proxyaddresses=SMTP:%u)" />
    <property name="searchBase" value="DC=usf,DC=edu" />
    <property name="contextSource" ref="AD-LdapAuthcontext" />
    <!-- fix for how AD returns results -->
    <property name="ignorePartialResultException" value="yes" />
</bean>

<bean id="LdapCredentialtoPrincipalResolver"
      class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
    <property name="credentialsToPrincipalResolver">
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
    </property>
    <property name="filter" value="(mail=%u)" />
    <property name="principalAttributeName" value="uid" />
    <property name="searchBase" value="ou=usf,o=usf.edu" />
    <property name="contextSource" ref="SunDS-LdapSearchcontext" />
    <property name="attributeRepository" ref="attributeRepository" />
</bean>
On Thu, May 6, 2010 at 1:53 PM, Dean Heisey <[email protected]>wrote:
>
> Is it possible to add multiple BindLdapAuthenticationHandlers to the
> AuthenticationHandler list and have them configured to use different Ldap
> servers?
>
> Sample use case:
>
> User A has entries in the AD tree and Novell Tree.
> The AD entry has been copied from Novell but is marked as disabled.
> The Novell entry is active.
> CAS is using AD for auth. Auth fails in this case because the entry is
> disabled.
>
> What I would like to do is have the auth fall through to the second tree
> and attempt to auth the user.
>
>
>
> Is there any way to do this?
>
> As an aside. Yes, this configuration is much less than ideal. It evolved
> organically and I am stuck in the middle with no authoritative source for
> authenticating users. It makes for fun times.
>
> Thanks in advance,
>
> Dean
> --
> View this message in context:
> http://jasig.275507.n4.nabble.com/CAS-Multiple-BindLdapAuthenticationHandler-tp2133071p2133071.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- [email protected]
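As an added illustration (a Python model written for this thread, not code from the thread or from CAS) of the handler-to-resolver pairing described above: handlers are tried in order, and the resolver paired with the first successful handler produces the principal, so an AD login with an email address still yields a uid principal. The directory contents, names and passwords are constructed.

```python
# Added example: a small model of how
# LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager
# pairs each authentication handler with its own principal resolver.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Credentials:
    username: str  # what the user typed: a uid for Sun DS, an email address for AD
    password: str

# Constructed sample directories: Sun DS keyed by uid, AD keyed by primary SMTP address.
SUN_DS = {"jdoe": {"password": "sunpw", "mail": "jdoe@example.edu"},
          "asmith": {"password": "sunpw2", "mail": "asmith@example.edu"}}
AD = {"SMTP:jdoe@example.edu": {"password": "adpw"},
      "SMTP:orphan@example.edu": {"password": "adpw2"}}   # no matching Sun DS entry

def sun_bind(c: Credentials) -> bool:
    """Models BindLdapAuthenticationHandler with filter (uid=%u) against Sun DS."""
    entry = SUN_DS.get(c.username)
    return entry is not None and entry["password"] == c.password

def ad_bind(c: Credentials) -> bool:
    """Models BindLdapAuthenticationHandler with filter (proxyaddresses=SMTP:%u) against AD."""
    entry = AD.get("SMTP:" + c.username)
    return entry is not None and entry["password"] == c.password

def username_resolver(c: Credentials) -> Optional[str]:
    """Models UsernamePasswordCredentialsToPrincipalResolver: principal is the login name as typed."""
    return c.username

def ldap_mail_resolver(c: Credentials) -> Optional[str]:
    """Models CredentialsToLDAPAttributePrincipalResolver: search Sun DS for (mail=%u), return uid."""
    matches = [uid for uid, e in SUN_DS.items() if e["mail"].lower() == c.username.lower()]
    return matches[0] if len(matches) == 1 else None   # require exactly one hit

# Ordered handler -> resolver pairs, mirroring the <map> in deployerConfigContext.xml.
LINKED = [(sun_bind, username_resolver), (ad_bind, ldap_mail_resolver)]

def authenticate(c: Credentials) -> Optional[str]:
    """First handler to succeed wins, and *its* resolver produces the principal.
    A successful bind whose resolver finds no principal is treated as a failed
    login (an assumption of this model), so no ticket carries an empty principal."""
    for handler, resolver in LINKED:
        if handler(c):
            return resolver(c)
    return None
```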