> The way I'm thinking it would work could be if CAS would query the LDAP
> directory based on a username/password combo and return something globally
> unique as the uid.
Problem is that I'm not aware of any directory that exposes the password hash as a standard attribute that would allow you to construct a search filter that would comprise the unique pair you're after. While in theory it would work fine, in practice there's no directory that would support it.

Another important matter to consider is that "probably" unique and "guaranteed" unique are very different with respect to identity considerations. If you have some namespace management system in place that guarantees uniqueness, you're safe to proceed. Anything else allows the potential for confusion about which "asmith" is authenticating to CAS-enabled services. Recall all the service gets is the username in the standard CAS protocols.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

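The reply above says a directory will not let you search on a username/password pair, and that a username alone may not be unique. The conventional way to get both properties is to search by uid, verify the password by binding as the matched DN, and hand back an immutable per-entry identifier (entryUUID in OpenLDAP, objectGUID in Active Directory) rather than the uid. The following is an added example written for this thread, not CAS code and not anything posted on the list: it assumes that search-then-bind flow and a uniqueness check, and the directory it talks to is a constructed in-memory stand-in (with constructed DNs, UUIDs and passwords) rather than a real LDAP client, so it runs offline.

```python
"""Search-then-bind authentication that returns a globally unique principal id.

Added example. ToyDirectory is a constructed stand-in for an LDAP server; a real
deployment would issue the same search and bind through an LDAP client library.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the username becomes a literal value, never filter syntax."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value; used by the toy directory to match literally."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and len(value) >= i + 3:
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


@dataclass
class Entry:
    dn: str
    uid: str
    entry_uuid: str      # immutable, globally unique id (entryUUID / objectGUID style)
    salt: bytes
    pw_hash: bytes       # never returned by search, as in a real directory


class ToyDirectory:
    """Constructed in-memory directory: supports a '(uid=...)' search and a simple bind."""

    def __init__(self, entries):
        self._entries = list(entries)

    def search(self, filter_str: str):
        if not (filter_str.startswith("(uid=") and filter_str.endswith(")")):
            raise ValueError("toy directory only understands (uid=...) filters")
        wanted = unescape_filter_value(filter_str[5:-1])
        return [e for e in self._entries if e.uid == wanted]

    def bind(self, dn: str, password: str) -> bool:
        for e in self._entries:
            if e.dn == dn:
                candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), e.salt, 100_000)
                return hmac.compare_digest(candidate, e.pw_hash)
        return False


class AmbiguousUsername(Exception):
    """More than one entry carries the same uid; refuse rather than pick one."""


def authenticate(directory, username: str, password: str):
    """Look the user up by uid, verify the password by binding as the matched DN,
    and return the entry's entry_uuid as the principal id (None on failure)."""
    matches = directory.search("(uid=%s)" % escape_filter_value(username))
    if len(matches) > 1:
        raise AmbiguousUsername(username)
    if not matches:
        return None                      # unknown user looks the same as a bad password
    entry = matches[0]
    if not directory.bind(entry.dn, password):
        return None
    return entry.entry_uuid


# Constructed sample data: two different "asmith" accounts and one unique "bsmith".
UUID_BSMITH = "4d6f9e3a-0000-4000-8000-000000000001"


def make_entry(dn, uid, entry_uuid, password):
    salt = os.urandom(16)
    return Entry(dn, uid, entry_uuid, salt,
                 hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def build_sample_directory():
    return ToyDirectory([
        make_entry("uid=asmith,ou=staff,dc=example,dc=org", "asmith",
                   "4d6f9e3a-0000-4000-8000-000000000002", "pw-a1"),
        make_entry("uid=asmith,ou=students,dc=example,dc=org", "asmith",
                   "4d6f9e3a-0000-4000-8000-000000000003", "pw-a2"),
        make_entry("uid=bsmith,ou=staff,dc=example,dc=org", "bsmith",
                   UUID_BSMITH, "correct horse"),
    ])


if __name__ == "__main__":
    d = build_sample_directory()
    print(authenticate(d, "bsmith", "correct horse"))   # the UUID, not "bsmith"
    try:
        authenticate(d, "asmith", "pw-a1")
    except AmbiguousUsername as exc:
        print("refused ambiguous username:", exc)
```

Two design points carry the thread's argument: the filter value is escaped so the lookup is by the literal username, and a search that returns more than one entry is an error rather than a guess, which is exactly the "which asmith" problem the reply warns about. Returning the directory's own immutable identifier as the principal only helps if the CAS-enabled services are configured to receive that attribute; with the plain CAS protocol they still see only the username.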