Two things:
You can use fast bind and deal with an optional email address. Since the
AuthenticationManager can take a list of AuthenticationHandlers you can
define multiple FastBindLdapAuthenticationHandlers. They can have
different filters. Here is part of my
deploymentConfigContext.xml.
<bean id="Public-LdapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
    <property name="filter" value="%[email protected]" />
    <property name="contextSource" ref="publicContextSource" />
    <property name="ignorePartialResultException" value="yes" />
    <property name="ldapErrorDefinitions" ref="ldapErrorDefinitionsList" />
</bean>

<bean id="PublicEmail-LdapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
    <property name="filter" value="%u" />
    <property name="contextSource" ref="publicContextSource" />
    <property name="ignorePartialResultException" value="yes" />
    <property name="ldapErrorDefinitions" ref="ldapErrorDefinitionsList" />
</bean>

The other thing is that earlier there was a discussion about how LDAP is
case insensitive but downstream systems are not. I know you probably
can't change those systems but a login is a poor identifier. You
should try to get them to use a unique ID that is common to all the
systems. I bet it is a real pain when someone gets married and wants
their login to match their new name.
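
Added example, not part of the original message and not CAS code: a simplified Python model of the two points above, with two fast-bind handlers tried in order and a directory that matches names case-insensitively. The domain example.edu, the account, the unique id and all function names are constructed assumptions; it shows one account arriving under four different typed logins while the unique id stays constant.

```python
# Simplified model (not CAS code) of two fast-bind handlers tried in order.
# Domain, account, unique id and function names are constructed assumptions.

# Constructed directory: bind name, stored lower-case because the directory
# compares names case-insensitively -> (password, immutable unique id).
DIRECTORY = {
    "jsmith@example.edu": ("s3cret", "u-100482"),
}

# Handler order matters; "%u" is replaced by exactly what the user typed.
HANDLER_FILTERS = [
    ("Public-LdapAuthHandler", "%u@example.edu"),  # user typed a bare login
    ("PublicEmail-LdapAuthHandler", "%u"),         # user typed the full address
]


def fast_bind(bind_name, password):
    """Simulate a simple bind; the name match ignores case."""
    entry = DIRECTORY.get(bind_name.lower())
    if entry is not None and entry[0] == password:
        return entry[1]
    return None


def authenticate(typed, password):
    """Try each handler in turn; return (handler id, typed login, unique id)."""
    for handler_id, template in HANDLER_FILTERS:
        unique_id = fast_bind(template.replace("%u", typed), password)
        if unique_id is not None:
            return handler_id, typed, unique_id
    return None


def distinct_identifiers(logins, password):
    """Return (set of typed logins, set of unique ids) for successful logins."""
    results = [authenticate(login, password) for login in logins]
    ok = [r for r in results if r is not None]
    return {r[1] for r in ok}, {r[2] for r in ok}


if __name__ == "__main__":
    typed, unique = distinct_identifiers(
        ["jsmith", "JSmith", "jsmith@example.edu", "JSMITH@EXAMPLE.EDU"],
        "s3cret")
    print("logins a case-sensitive downstream system would see:", sorted(typed))
    print("unique ids:", sorted(unique))
```

A downstream system keyed on the typed login would treat these as four users; one keyed on the unique id sees a single account.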