On 07/12/2013 02:09 PM, Marvin Addison wrote:
>> However, when using username+password authentication, the literal
>> username entered by the client is returned to the CAS client (cf.
>> serviceValidate). I enter 'FrEd' and the application sees 'FrEd' instead
>> of 'fred' or whatever it might be expecting.
> 
> We recommend doing name canonicalization as part of principal
> resolution. Many resolvers, including the LDAP components, provide a
> means to specify an attribute to use for the principal ID. If you're
> fetching attributes from the directory anyway (as most folks are) as
> part of principal resolution, then it's pretty natural to do
> normalization here. Many deployments will use the same attribute that
> is the basis of the search that is part of the authentication process
> (search+bind), but there's no measurable overhead if you're already
> fetching attributes for other purposes.

We don't currently use/need attributes from CAS (we use Shibboleth for
that), so I am using JAAS + direct bind with a snapshot of ldaptive that
supports connection pooling:

> CAS {
>       org.ldaptive.jaas.LdapLoginModule sufficient debug="true"
>               ldapProvider="org.ldaptive.provider.jndi.JndiProvider"
>               ldapUrl="ldap://ldap.ucdavis.edu"
>               useStartTLS="true"
>               dnResolver="org.ldaptive.auth.FormatDnResolver"
>               format="uid=%1$s,...,dc=ucdavis,dc=edu"
>               authenticationHandler="org.ldaptive.auth.PooledBindAuthenticationHandler"
>               minPoolSize="3"
>               maxPoolSize="6"
...
> };

We're doing it this way for the ability to fall back to Kerberos (our
current authN source) should something go horribly awry with LDAP after
deployment.

It also (1) avoids the need to embed credentials in the JAAS config file
(or to change LDAP access rules to allow anonymous DN resolution), and (2)
halves the number of directory operations.

Sounds like I may have to backpedal. No recommended way to do this in
the CAS server webapp itself?

Thanks.
Tom.
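The difference the two messages above are arguing about, as an added illustration that is not part of this thread and not CAS or ldaptive code: a constructed in-memory directory stands in for LDAP, `uid` is matched case-insensitively (as the standard `caseIgnoreMatch` rule for `uid` does), and two resolvers are compared. The first hands the literal login through as the principal id, the second takes the id from the stored attribute, which is the canonicalization Marvin recommends. The directory entries, the `ADMINS` table and all function names are assumptions made for the example.

```python
import unicodedata

# Constructed stand-in for the directory. In a real deployment the bind
# succeeds for "FrEd" and "fred" alike because uid uses caseIgnoreMatch.
DIRECTORY = [
    {"uid": "fred", "mail": "fred@example.edu", "employeeNumber": "1001"},
    {"uid": "alice", "mail": "alice@example.edu", "employeeNumber": "1002"},
]

# Constructed application-side authorization table, keyed on the
# canonical principal id the CAS client expects to receive.
ADMINS = {"fred"}


class AmbiguousPrincipal(Exception):
    """More than one entry matched; refuse rather than pick one."""


def normalize_input(entered: str) -> str:
    """Clean up what the user typed before searching: trim, Unicode NFKC,
    case-fold. This is only a search key, not the canonical principal id."""
    return unicodedata.normalize("NFKC", entered.strip()).casefold()


def search_uid(entered: str, directory=DIRECTORY):
    """Case-insensitive lookup on uid, mimicking the directory's behaviour."""
    key = normalize_input(entered)
    return [e for e in directory if e["uid"].casefold() == key]


def resolve_principal_literal(entered: str, directory=DIRECTORY) -> str:
    """The behaviour Tom describes: the bind succeeds, and the literal
    username is passed through as the principal id."""
    if not search_uid(entered, directory):
        raise KeyError("no such user")
    return entered


def resolve_principal_from_attribute(entered: str, attribute: str = "uid",
                                     directory=DIRECTORY) -> str:
    """Marvin's recommendation: take the principal id from a directory
    attribute, so the client always sees the stored (canonical) form.
    An ambiguous match is an error, never a guess."""
    matches = search_uid(entered, directory)
    if not matches:
        raise KeyError("no such user")
    if len(matches) > 1:
        raise AmbiguousPrincipal(entered)
    return matches[0][attribute]


def is_admin(principal_id: str) -> bool:
    """Application-side check keyed on the exact principal id it receives."""
    return principal_id in ADMINS


if __name__ == "__main__":
    for resolver in (resolve_principal_literal, resolve_principal_from_attribute):
        pid = resolver("FrEd")
        print(f"{resolver.__name__}: principal={pid!r} admin={is_admin(pid)}")
```

Run as a script, the literal resolver yields `'FrEd'` and the admin check fails, while the attribute-based resolver yields `'fred'` and the check passes; passing `attribute="employeeNumber"` shows the same mechanism selecting a different canonical identifier, which is what the "attribute to use for the principal ID" setting does in the LDAP resolvers.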
