Marvin,

So let me see if I got this right. I will need to:

1. develop a new CtoPResolver to extract the EDIPI number from the CN.
2. once developed, I can use the Maven2 overlay method to ingest the new .class file into the WAR
3. update the appropriate CAS configuration files to include the new CtoPResolver

Where does the LDAP lookup come in? How do I tell CAS to use the EDIPI number I extracted from the CN to look up whether there is an LDAP account associated with the EDIPI number?

Thanks again for the pointers and references.

Schawn
________________________________
From: Marvin Addison <[email protected]>
To: [email protected]
Sent: Wednesday, September 26, 2012 12:58 PM
Subject: Re: [cas-user] Using LDAP and X509 for authentication/authorization

> We are not fronted with Apache. So Tomcat is both
> the server and servlet container in our case.

Tomcat has the same features, but the details depend upon the kind of connector (BIO/NIO vs APR). See http://tomcat.apache.org/tomcat-7.0-doc/config/http.html for more info.

> I have the example set up and seems to
> be accepting my X509 certificate and allowing me to login, but that is just
> with the basic X509 authentication, I still need to validate that the user
> is allowed into the site, via a LDAP lookup.

We actually do something conceptually similar. You'll have to roll your own CToPResolver, but I can offer some inspiration in code we have used successfully for a similar purpose:

https://svn.middleware.vt.edu/svn/middleware/cas/cas-server/tags/cas-server-3.4.12/vt-cas-server-ext/src/main/java/edu/vt/middleware/cas/authentication/principal/AbstractCredentialsToPrincipalResolver.java
https://svn.middleware.vt.edu/svn/middleware/cas/cas-server/tags/cas-server-3.4.12/vt-cas-server-ext/src/main/java/edu/vt/middleware/cas/authentication/principal/PDCCredentialsToPrincipalResolver.java

In our case the attribute on the DN is called UID and we use that to perform a directory lookup to resolve the principal. You should be able to adapt it to your use case fairly easily.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
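The resolver Marvin describes (take an identifier out of the certificate subject, then look it up in the directory before resolving a principal), written out as an added example; this is not code from the thread, from the VT resolvers linked above, or from the CAS project. It assumes CAS 3.4.x (the org.jasig.cas.* classes and the cas-server-support-x509 module), that the subject CN ends in a dot followed by a 10-digit EDIPI, and that the directory stores the EDIPI in an attribute named by the edipiAttribute parameter; ldapUrl, baseDn and that attribute name are placeholders to be filled in for a real deployment.

```java
// Added illustration, not code from the thread, the VT resolvers, or the CAS project.
// Assumes CAS 3.4.x on the classpath and a CN of the form "LAST.FIRST.MIDDLE.1234567890".
package example.cas; // hypothetical package

import java.security.cert.X509Certificate;
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentials;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;

public class EdipiLdapCredentialsToPrincipalResolver implements CredentialsToPrincipalResolver {

    /** Assumption: the trailing 10 digits of the CN are the EDIPI. */
    private static final Pattern EDIPI_IN_CN = Pattern.compile("\\.(\\d{10})$");

    private final String ldapUrl;        // placeholder, e.g. "ldaps://directory.example.mil:636"
    private final String baseDn;         // placeholder, e.g. "ou=people,dc=example,dc=mil"
    private final String edipiAttribute; // placeholder: directory attribute holding the EDIPI

    public EdipiLdapCredentialsToPrincipalResolver(String ldapUrl, String baseDn, String edipiAttribute) {
        this.ldapUrl = ldapUrl;
        this.baseDn = baseDn;
        this.edipiAttribute = edipiAttribute;
    }

    /** Only handle credentials produced by the X.509 authentication handler. */
    public boolean supports(Credentials credentials) {
        return credentials instanceof X509CertificateCredentials;
    }

    /**
     * Extract the EDIPI from the CN, then require exactly one directory entry for it.
     * Returning null tells CAS no principal could be resolved, so the login fails
     * even though the certificate chain itself validated.
     */
    public Principal resolvePrincipal(Credentials credentials) {
        X509Certificate cert = ((X509CertificateCredentials) credentials).getCertificate();
        String edipi = extractEdipi(cert);
        if (edipi == null) {
            return null; // CN did not carry an EDIPI in the expected form
        }
        try {
            return hasExactlyOneDirectoryEntry(edipi) ? new SimplePrincipal(edipi) : null;
        } catch (NamingException e) {
            return null; // directory unreachable or search failed: fail closed
        }
    }

    /** Parses the subject DN and returns the EDIPI found in the CN, or null if absent. */
    static String extractEdipi(X509Certificate cert) {
        try {
            LdapName subject = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : subject.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    Matcher m = EDIPI_IN_CN.matcher(rdn.getValue().toString());
                    return m.find() ? m.group(1) : null;
                }
            }
            return null; // no CN in the subject
        } catch (NamingException e) {
            return null; // unparsable subject DN
        }
    }

    /**
     * The EDIPI is passed as a filter argument ({0}) so JNDI escapes it instead of
     * splicing it into the filter string; any match count other than one is treated
     * as "no account" so ambiguous directory data cannot resolve to a principal.
     */
    private boolean hasExactlyOneDirectoryEntry(String edipi) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[0]); // existence check only
            NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, "(" + edipiAttribute + "={0})", new Object[] { edipi }, controls);
            int matches = 0;
            while (results.hasMore()) {
                results.next();
                matches++;
            }
            return matches == 1;
        } finally {
            ctx.close();
        }
    }
}
```

This covers step 3 of Schawn's list as well: in CAS 3.4 the class is wired as a bean in deployerConfigContext.xml and added to the authenticationManager's credentialsToPrincipalResolvers list, in place of (or ahead of) the stock X.509 resolver, so the certificate handler still validates the chain and this resolver decides whether the holder has an account. The example binds anonymously for clarity; a deployment would add Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS for a read-only service account and use an ldaps:// URL.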
