Thank you .. This confirms what I was arriving at.
Our use case is that we have an AD LDAP which expires accounts based on individual campus policy. But the application we are configuring CAS for provides information concerning W2 forms, transcripts, class history, etc. They do not want to bump these people off of access for this particular application.

Yesterday, the story changed a bit. We had intended to use the EDIR Sun LDAP, but were concerned about these two LDAPs not being in sync. We decided to use a front-end program written in-house that behaves like an LDAP repository, but will actually work as an intermediary (proxy). They use userPrincipalName for the sAMAccountName, for example, so I think this removes the issue of naming. I need to pass the credentials to their proxy program, but treat it as if it were LDAP.

Regarding Principal resolution methods, do you mean that the class associated with the Principal Resolver for AD, in our case org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver, needs to differ? Perhaps something like org.jasig.cas.authentication.principal.BasicPrincipalResolver would work, or perhaps PersonDirectoryPrincipalResolver? Honestly, the subtleties of which to use in this case are not immediately clear to me, since it is not a typical vendor LDAP.

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320 Fax: 907-450-8381
[email protected] | www.alaska.edu/oit/

On Fri, Mar 7, 2014 at 3:22 AM, Marvin Addison <[email protected]> wrote:

> > I am not sure why Ellucian did not make use of a key-ref, but there it is.
> > I think an explanation of why attribute filters are defined in both places
> > would be of great help to me .. this has always been murky in my understanding.
>
> I've read your original post a couple times and I'm not entirely clear on the use case. I do understand, however, the need for LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager and key-ref in your case. That component is needed whenever you have two credential classes of the same type (UsernamePasswordCredentials are used to authenticate to both SunDS and AD) but you need different principal resolution methods. The solution is to switch on the authentication handler, by reference, that successfully authenticated the credentials. Thus the reference (key-ref) to the authentication handler. You're using the authentication handler to select the principal resolver that refers to the same directory that authenticated the user.
>
> M
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
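As an added illustration of the key-ref wiring Marvin describes (this is an example written for this page, not configuration from the thread, from Ellucian, or from the CAS project's documentation), here is a CAS 3.x deployerConfigContext.xml fragment that maps each authentication handler to a principal resolver pointed at the same directory that authenticated the user. The bean ids, the DNs, URLs and filters, and the use of BindLdapAuthenticationHandler and CredentialsToLDAPAttributePrincipalResolver for both the AD side and the in-house proxy side are all assumptions; the property names shown are those of the CAS 3.x LDAP adaptors as I understand them and should be checked against the version actually deployed.

```xml
<!-- Added example, not from the thread. Bean ids and LDAP settings are placeholders. -->

<!-- The map key is a bean (the handler), so Spring needs key-ref rather than key.
     CAS looks up the resolver by whichever handler accepted the credentials. -->
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">
  <constructor-arg>
    <map>
      <entry key-ref="adAuthHandler"    value-ref="adPrincipalResolver"/>
      <entry key-ref="proxyAuthHandler" value-ref="proxyPrincipalResolver"/>
    </map>
  </constructor-arg>
</bean>

<!-- Handler 1: Active Directory, authenticate by binding as the user (placeholder values). -->
<bean id="adAuthHandler" class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <property name="filter" value="sAMAccountName=%u"/>
  <property name="searchBase" value="ou=people,dc=example,dc=edu"/>
  <property name="contextSource" ref="adContextSource"/>
</bean>

<!-- Handler 2: the in-house LDAP-speaking proxy, which keys on userPrincipalName (placeholder values). -->
<bean id="proxyAuthHandler" class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <property name="filter" value="userPrincipalName=%u"/>
  <property name="searchBase" value="ou=people,dc=example,dc=edu"/>
  <property name="contextSource" ref="proxyContextSource"/>
</bean>

<!-- Each resolver reads the principal id from the directory its paired handler used,
     so the id handed to the application always comes from the store that said "yes". -->
<bean id="adPrincipalResolver"
      class="org.jasig.cas.adaptors.ldap.CredentialsToLDAPAttributePrincipalResolver">
  <property name="credentialsToPrincipalResolver">
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
  </property>
  <property name="filter" value="sAMAccountName=%u"/>
  <property name="searchBase" value="ou=people,dc=example,dc=edu"/>
  <property name="principalAttributeName" value="userPrincipalName"/>
  <property name="contextSource" ref="adContextSource"/>
</bean>

<bean id="proxyPrincipalResolver"
      class="org.jasig.cas.adaptors.ldap.CredentialsToLDAPAttributePrincipalResolver">
  <property name="credentialsToPrincipalResolver">
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
  </property>
  <property name="filter" value="userPrincipalName=%u"/>
  <property name="searchBase" value="ou=people,dc=example,dc=edu"/>
  <property name="principalAttributeName" value="userPrincipalName"/>
  <property name="contextSource" ref="proxyContextSource"/>
</bean>

<!-- Connection settings are placeholders. ldaps:// on both, so the user's password
     forwarded to the proxy is never on the wire in the clear. -->
<bean id="adContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="urls"><list><value>ldaps://ad.example.edu:636</value></list></property>
  <property name="userDn" value="cn=cas-bind,ou=service,dc=example,dc=edu"/>
  <property name="password" value="REPLACE-WITH-SERVICE-PASSWORD"/>
  <property name="pooled" value="false"/>
</bean>

<bean id="proxyContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="urls"><list><value>ldaps://ldap-proxy.example.edu:636</value></list></property>
  <property name="userDn" value="cn=cas-bind,ou=service,dc=example,dc=edu"/>
  <property name="password" value="REPLACE-WITH-SERVICE-PASSWORD"/>
  <property name="pooled" value="false"/>
</bean>
```

The point of the map is that a successful bind against the proxy selects proxyPrincipalResolver and a successful bind against AD selects adPrincipalResolver, so the principal id and any attributes come from the directory that actually accepted the credentials rather than from a second store that may be out of sync with it.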
