Marvin,

The situation is that users expire in AD and Sun LDAP, but Sun LDAP will grant access to users as long as they exist and the password is correct.

For one of our services, this is a desirable feature. We want to fail over to Sun LDAP if the former student is attempting to access their Banner records to request a transcript, for example, or print a W2 form. The general consensus is to let them authenticate, but if they are not authorized, the client will prohibit that access. Personally, I feel we are swimming in murky waters without a full understanding of how all of our authentication/authorization systems interact. Alaskans are very independent in general. Having said that, we are using CAS only for authentication to Ellucian Banner Products - at this time.

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320 Fax: 907-450-8381
[email protected] | www.alaska.edu/oit/

On Thu, Feb 27, 2014 at 11:33 AM, Marvin Addison <[email protected]> wrote:

> > I have been reviewing the documentation for multiple authentication
> > handlers. Both examples use AD as the LDAP, but we wish to use AD for one
> > and OpenLDAP or SUN LDAP for the other.
>
> There's an important requirement that the principal is globally unique
> across all identity stores. That's more a security policy concern than
> technology, but an important one nonetheless. If you're unclear on the
> reason for the requirement, hopefully considering the following
> question will make it clear. Given the user "tjones" in both AD and
> OpenLDAP, how would a service distinguish which one is granted access
> if authorization is based on user ID alone? You'd need to take great
> care to define strict authorization requirements if you can't assume
> globally unique principals.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
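The two points in this exchange, an AD-then-Sun-LDAP failover chain where the second store admits expired accounts, and Marvin's "tjones in both stores" question, can be shown in a small model. The following is an added example, not code from the thread, from CAS, or from the University of Alaska; the store contents, passwords, account names, expiry flags, service name and ACLs are all constructed, and the realm-qualified `user@realm` form of the principal is one assumed convention for making principals globally unique.

```python
"""Constructed model of two identity stores behind a failover chain.

The "ad" store refuses expired accounts; the "sunldap" store, as described in
the thread, grants any account that exists and presents the correct password.
Two different people both hold the user ID "tjones", one in each store.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _h(password: str) -> str:
    # Plain SHA-256 is used only so the constructed stores hold no clear text;
    # a real directory would use its own password hashing.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed directory contents. Note "tjones" exists in both stores.
STORES = {
    "ad": {
        "tjones": {"hash": _h("tom-pass"), "expired": False, "name": "Tom Jones"},
    },
    "sunldap": {
        "tjones": {"hash": _h("tina-pass"), "expired": True, "name": "Tina Jones"},
        "bsmith": {"hash": _h("bob-pass"), "expired": True, "name": "Bob Smith"},
    },
}
# Whether each store refuses expired accounts (assumed behaviour for the model).
ENFORCES_EXPIRY = {"ad": True, "sunldap": False}
# Handler order: try AD first, then fail over to Sun LDAP.
HANDLER_ORDER = ["ad", "sunldap"]


@dataclass
class Principal:
    user: str
    realm: str
    expired: bool

    @property
    def qualified(self) -> str:
        # Assumed convention: qualify the principal with the store that
        # authenticated it so that identical user IDs remain distinguishable.
        return f"{self.user}@{self.realm}"


def _check(realm: str, user: str, password: str) -> Optional[dict]:
    entry = STORES[realm].get(user)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["hash"], _h(password)):
        return None
    if ENFORCES_EXPIRY[realm] and entry["expired"]:
        return None
    return entry


def authenticate(user: str, password: str) -> Optional[Principal]:
    """First handler in HANDLER_ORDER that accepts the credential wins."""
    for realm in HANDLER_ORDER:
        entry = _check(realm, user, password)
        if entry is not None:
            return Principal(user, realm, entry["expired"])
    return None


# Constructed service ACLs. The first is keyed on the bare user ID, which is
# the ambiguity Marvin raises; the second is keyed on the qualified principal.
BARE_ACL = {"transcripts": {"tjones"}}           # meant for Tom Jones
QUALIFIED_ACL = {"transcripts": {"tjones@ad"}}   # unambiguously Tom Jones


def authorize_bare(p: Optional[Principal], service: str) -> bool:
    return p is not None and p.user in BARE_ACL.get(service, set())


def authorize_qualified(p: Optional[Principal], service: str) -> bool:
    return p is not None and p.qualified in QUALIFIED_ACL.get(service, set())


if __name__ == "__main__":
    for user, pw in [("tjones", "tom-pass"), ("tjones", "tina-pass"), ("bsmith", "bob-pass")]:
        p = authenticate(user, pw)
        print(user, "->", p.qualified if p else None,
              "bare:", authorize_bare(p, "transcripts"),
              "qualified:", authorize_qualified(p, "transcripts"))
```

Running it shows the failure mode: Tina Jones authenticates through the Sun LDAP fallback as `tjones@sunldap`, and an ACL that only knows the bare ID `tjones` grants her Tom Jones's transcript access, while the qualified ACL does not. It also shows the behaviour Linda describes, with `bsmith` (expired, present only in Sun LDAP) still authenticating, which is why the service itself must carry the authorization decision.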
