> The thing is, each service will use a specific DN
> to bind to the LDAP server, and I can't possibly change that behavior.

In strict terms this is the case for any LDAP server -- you bind as the user's DN, which is different for every user. What's different about each DN? Do you allow anonymous searches, or require a (possibly different) manager DN for each branch of users?

> So, my guess is, I should use a different bean, inherited from
> BindLdapAuthenticationHandler, that supports this service-depending binding.

This is the correct approach for your use case based on the little you've shared. I would imagine the most difficult part will be obtaining the service from within the authentication handler. It may be next to impossible, in fact.

> But I still need to know the referring service.

When a service requests a service ticket, it always does so via the service query string parameter. (See http://www.jasig.org/cas/protocol section 2.1.1.) That part is easy. There are two hard parts that follow:

1. How do you pass the service to the authentication handler?
2. What do you do when someone shows up to CAS without a service?

CAS separates user authentication from service access as distinct operations, and you're conflating them in a way that will likely cause problems if you need a service and don't always have one.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
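As an added illustration of the two hard parts named in the reply above (this is example code, not from the list thread or from CAS itself): it pulls the `service` parameter off a CAS login URL, maps it to a per-service bind DN template, falls back to a default DN when no service is present, and escapes the user name before it is placed in the DN. The service prefixes, DN templates and user names are constructed values.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed mapping: CAS service URL prefix -> LDAP bind DN template.
# Hypothetical values; in a real deployment this would live in the
# authentication handler's bean configuration.
SERVICE_BIND_DNS = {
    "https://wiki.example.org/": "uid={uid},ou=wiki-users,dc=example,dc=org",
    "https://mail.example.org/": "uid={uid},ou=mail-users,dc=example,dc=org",
}
# Used when a login request arrives with no service at all (hard part 2).
DEFAULT_BIND_DN = "uid={uid},ou=people,dc=example,dc=org"


def extract_service(login_url):
    """Return the 'service' query parameter of a CAS /login request
    (CAS protocol section 2.1.1), or None when the request has none."""
    values = parse_qs(urlsplit(login_url).query).get("service")
    return values[0] if values else None


def escape_dn_value(value):
    """Escape an attribute value for safe inclusion in a DN (RFC 4514):
    special characters, a leading '#', and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == '#' and i == 0) \
                or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def resolve_bind_dn(login_url, uid):
    """Choose the bind DN for the requesting service by longest-prefix
    match, falling back to DEFAULT_BIND_DN when no service is supplied
    or none of the configured prefixes match."""
    service = extract_service(login_url)
    template = DEFAULT_BIND_DN
    if service:
        matches = [p for p in SERVICE_BIND_DNS if service.startswith(p)]
        if matches:
            template = SERVICE_BIND_DNS[max(matches, key=len)]
    return template.format(uid=escape_dn_value(uid))
```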
