> I have been reviewing the documentation for multiple authentication
> handlers. Both examples use AD as the LDAP, but we wish to use AD for one
> and OpenLDAP or SUN LDAP for the other.
There's an important requirement that the principal is globally unique across all identity stores. That's more a security policy concern than technology, but an important one nonetheless. If you're unclear on the reason for the requirement, hopefully considering the following question will make it clear. Given the user "tjones" in both AD and OpenLDAP, how would a service distinguish which one is granted access if authorization is based on user ID alone? You'd need to take great care to define strict authorization requirements if you can't assume globally unique principals.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
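The "tjones in both AD and OpenLDAP" problem from the reply above, as an added example that is not part of the original thread and is not CAS code. It simulates two identity stores with constructed in-memory user and credential tables (the store names `ad` and `openldap`, the users, passwords and ACLs are all made up), shows that an access list keyed on the bare user ID grants the OpenLDAP "tjones" whatever the AD "tjones" was granted, and shows two mitigations a deployer would want: a collision check that lists user IDs present in more than one store, and realm-qualified principals (`tjones@ad`) so that authorization can tell the two apart.

```python
"""Added example (not from the original message or from CAS): why principals must be
globally unique across identity stores, and how to detect and avoid collisions."""
from dataclasses import dataclass

# Constructed sample directories keyed by user ID; real deployments would query AD / OpenLDAP.
AD_USERS = {
    "tjones": {"mail": "tjones@corp.example", "groups": ["finance"]},
    "asmith": {"mail": "asmith@corp.example", "groups": ["it"]},
}
OPENLDAP_USERS = {
    "tjones": {"mail": "tjones@partner.example", "groups": ["guest"]},
    "bkim": {"mail": "bkim@partner.example", "groups": ["eng"]},
}
STORES = {"ad": AD_USERS, "openldap": OPENLDAP_USERS}

# Constructed credentials: the same user ID has different passwords in each store.
CREDS = {
    ("ad", "tjones"): "ad-secret",
    ("ad", "asmith"): "asmith-secret",
    ("openldap", "tjones"): "ldap-secret",
    ("openldap", "bkim"): "bkim-secret",
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    realm: str  # which identity store authenticated this principal

    @property
    def qualified_id(self) -> str:
        """Realm-qualified form that is unique even when user IDs collide."""
        return f"{self.user_id}@{self.realm}"


def find_collisions(stores):
    """Return {user_id: [realms]} for user IDs present in more than one store.
    These are exactly the principals that authorization by user ID alone cannot distinguish."""
    seen = {}
    for realm, users in stores.items():
        for uid in users:
            seen.setdefault(uid, []).append(realm)
    return {uid: realms for uid, realms in seen.items() if len(realms) > 1}


def authenticate(user_id, password, stores=STORES, creds=CREDS):
    """Try each store in order (as a chain of authentication handlers would) and
    return a Principal from the first store that accepts the credentials."""
    for realm, users in stores.items():
        if user_id in users and creds.get((realm, user_id)) == password:
            return Principal(user_id, realm)
    return None


# Constructed access lists for a hypothetical finance service.
FINANCE_ACL_BY_UID = {"tjones"}           # ambiguous: which "tjones" was meant?
FINANCE_ACL_BY_QUALIFIED = {"tjones@ad"}  # unambiguous: only the AD account


def authorized_by_uid(principal):
    """Weak check: any store's "tjones" passes, including the OpenLDAP guest account."""
    return principal.user_id in FINANCE_ACL_BY_UID


def authorized_by_qualified(principal):
    """Correct check: the realm is part of the identity, so only the AD account passes."""
    return principal.qualified_id in FINANCE_ACL_BY_QUALIFIED


if __name__ == "__main__":
    print("colliding user IDs:", find_collisions(STORES))
    p = authenticate("tjones", "ldap-secret")  # the OpenLDAP account, not the AD one
    print(p.qualified_id, "by uid:", authorized_by_uid(p), "qualified:", authorized_by_qualified(p))
```

Running `find_collisions` against the real stores before enabling a second handler is the cheap version of the policy check the reply asks for: if it returns anything, either the identity stores must be reconciled or every service must authorize on the qualified principal rather than the bare user ID.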
