if authentication is same for all, you can add new service validates for your services for authorization purpose. for example, use /serviceAValidate for serviceA, /serviceBValidate for serviceB and etc.
On Mon, 2011-04-18 at 14:47 +0200, Loïc Quentin wrote: > On 04/18/2011 02:05 PM, Marvin Addison wrote: > >> The thing is, each service will use a specific DN > >> to bind to the LDAP server, and I can't possibly change that behavior. > > In strict terms this is case for any LDAP server -- you bind as the > > user's DN, which is different for every user. What's different about > > each DN? Do you allow anonymous searches, or require a (possibly > > different) manager DN for each branch of users? > > > I don't know much about LDAP, actually, so I'm not sure I'm using the > right words: > here's a little scenario to explain my situation: > User Bob wants to access service A. > Service A redirects user Bob to CAS Server, where user Bob enters his > credentials. > CAS server binds to LDAP using dn=serviceA,ou=serviceUsers,etc > Depending on the answer from LDAP, user Bob is granted access to service > A or not. > > Now, user Bib wants to access service B. > Service B redirects user Bib to CAS Server, where user Bib enters his > credentials. CAS server now has to bind to LDAP using > dn=serviceB,ou=serviceUsers,etc… > > Anonymous search is allowed, though, but authentication can't be done > using it, as it doesn't provide access to the password hash (if I get it > correctly). > > > >> But I still need to know the referring service. > > When a service requests a service ticket, it always does so via the > > service query string parameter. (See > > http://www.jasig.org/cas/protocol section 2.1.1.) That part is easy. > According to the protocol page, depending on how (login or > serviceValidation) CAS is called, there is a parameter passed to the > server that concerns the service needing authentication. If I could use > this, that would probably be perfect. > > There are two hard parts that follow: > > > > 1. How do you pass the service to the authentication handler? > > 2. What do you do when someone shows up to CAS without a service? > > > > CAS separates user authentication from service access as distinct > > operations, and you're conflating them in a way that will likely cause > > problems if you need a service and don't always have one. > > > > M > > > That's a good question, I'll have to discuss it with my boss (as I said, > I'm a trainee, and I don't really know the environment…). Maybe we could > use a default service value… > > Thanks for your help > > Loïc > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
