> 1) I have 2 authentication handlers that are used concurrently, one which
> uses a DB query and the other an LDAP query...
> Is this an appropriate use of the postAuthenticate
> method, or am I twisting this extensibility point in a way it isn't
> intended?

Sounds like a creative use, though I wouldn't call it wrong or twisted. The recommended way to do what you're doing is by leveraging the PrincipalResolver components. Resolvers naturally execute after authentication using the credential as input and produce a principal; in your case you would query AD using the objectGuid in the database record as a search filter. You can map a resolver to an authentication handler so that a particular one fires only after the desired handler succeeds. I can provide more guidance on configuration if you're interested in that approach. Again, there's nothing wrong with your approach per se; it just short-circuits some of the natural authentication pipeline that could probably handle it with OOB components.

> 2) I noticed objectGuid from Active Directory was being garbled...
> I dug through the ldaptive code and it seems
> like I need to set the objectGuid entry as binary. Apparently there is an
> ObjectGuidHandler class which handles this already. Does this seem like a
> reasonable change, or is this problem better handled in a different way?

You did the right thing. In fact, I'm impressed by your sleuthing to figure out that you needed ObjectGuidHandler to get the proper attribute handling.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
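An added illustration (not from the thread, CAS or ldaptive) of the two points above: why an Active Directory objectGUID comes back garbled when the LDAP client treats it as text, and what a binary-aware handler such as ldaptive's ObjectGuidHandler has to do with the 16 raw bytes before they can be compared with a value stored in a database or used in a search filter. The sample GUID bytes are constructed for the example.

```python
import uuid

# Constructed sample: the 16 raw bytes AD returns for objectGUID when the
# attribute is fetched as binary. Not taken from any real directory.
RAW_OBJECT_GUID = bytes.fromhex("a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6")


def garbled_if_treated_as_text(raw: bytes) -> str:
    """What an LDAP client shows when it decodes the raw GUID bytes as a
    UTF-8 string: most bytes are not valid UTF-8, so they become U+FFFD
    replacement characters and the original value is lost."""
    return raw.decode("utf-8", errors="replace")


def object_guid_to_string(raw: bytes) -> str:
    """Render the binary objectGUID in the canonical form AD tooling shows.
    AD stores the first three GUID fields little-endian, so the bytes must
    be interpreted with that layout (uuid.UUID's bytes_le), not as-is."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def string_to_object_guid(guid: str) -> bytes:
    """Inverse of object_guid_to_string: the raw bytes for a stored GUID."""
    return uuid.UUID(guid).bytes_le


def ldap_search_filter_for_guid(raw: bytes) -> str:
    """Build an RFC 4515 equality filter on objectGUID. Binary values must
    be escaped byte-by-byte as \\xx; pasting the GUID string would match
    nothing because AD compares the raw octets."""
    escaped = "".join(f"\\{b:02x}" for b in raw)
    return f"(objectGUID={escaped})"


if __name__ == "__main__":
    print("as text   :", garbled_if_treated_as_text(RAW_OBJECT_GUID))
    print("as GUID   :", object_guid_to_string(RAW_OBJECT_GUID))
    print("as filter :", ldap_search_filter_for_guid(RAW_OBJECT_GUID))
```

Resolving the principal from a database-stored GUID therefore means converting the stored string back to bytes with `string_to_object_guid` and searching with the escaped filter, rather than comparing the text form the directory client happened to print.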
