Hello CAS-users, I have a question about where best to implement an extension/feature related to LDAP memberOf attributes.
We have an LDAP structure in which we have many groups that are members of other groups. Our CAS server must return a flattened list of "MemberOf" attributes that contains all groups the user is directly and indirectly a member of. By flattening the group hierarchy, client applications can easily make group-based authorization decisions by looking for the presence of a particular "MemberOf" value without knowing about the structure of the directory.

For example, we create a group for users allowed to access a particular service:

    CN=MyServiceUsers,OU=Authorizations,OU=Groups,DC=domain,DC=edu

Rather than adding users directly to the group, other groups are members of the above group:

    CN=Students,OU=Groups,DC=domain,DC=edu
    CN=Faculty,OU=Groups,DC=domain,DC=edu
    CN=Staff,OU=Groups,DC=domain,DC=edu

This allows the membership of the parent group to stay current as the membership of the child groups changes over time. With this feature in place, a user who is only directly a member of the Students group would have both it and the MyServiceUsers group returned in his/her attribute list:

    ...
    <cas:MemberOf>CN=Students,OU=Groups,DC=domain,DC=edu</cas:MemberOf>
    <cas:MemberOf>CN=MyServiceUsers,OU=Authorizations,OU=Groups,DC=domain,DC=edu</cas:MemberOf>
    ...

In CAS 3.x we accomplished this by extending the LdapPersonAttributeDao to do a recursive group search for each memberOf attribute. You can view the full source that supports this feature here: https://gist.github.com/adamfranco/c88f582694b8dddcfef7

For CAS 4.0, it seems that the LdapPersonAttributeDao is no longer used and the org.jasig.cas.authentication.LdapAuthenticationHandler handles attribute mapping instead. Would extending the LdapAuthenticationHandler in a similar way to how I extended the LdapPersonAttributeDao be the best way to add this feature to CAS 4.0, or is there a better way to look up and inject these extra attribute values?
Ideally I'd like to implement this feature in a way that others can use it, as I can imagine that we are not alone in using hierarchical group structures for permission groups. Thanks for any feedback you might have as to where to add such a feature.

Best,
Adam

--
Adam Franco
Senior Software Developer
Information Technology Services
Middlebury College
Middlebury, VT 05753
[email protected]
802.443.2244
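The flattening the post asks about, as an added Python example that is not part of the original message, the linked gist, or CAS itself. The directory is a constructed in-memory map of DN to direct memberOf values standing in for the per-group LDAP searches a real extension would issue; the function names, the sample user and the deliberate cycle (Everyone listed as a member of Students) are all assumptions made for the illustration. It shows the two things a recursive memberOf walk has to get right before it is safe to use for authorization: it must terminate on cyclic or self-referencing groups, and it must compare DNs case-insensitively, since the directory treats them that way while the client checks for a literal string.

```python
"""Flatten nested LDAP group membership into a transitive memberOf list.

Added example (not from the original post, the gist, or CAS). The
directory below is constructed sample data; in a real deployment
lookup_member_of() would be an LDAP search for one entry's memberOf.
"""
from collections import deque

# Constructed sample directory: entry DN -> its direct memberOf values.
DIRECTORY = {
    "uid=jdoe,ou=People,dc=domain,dc=edu": [
        "CN=Students,OU=Groups,DC=domain,DC=edu",
    ],
    "CN=Students,OU=Groups,DC=domain,DC=edu": [
        "CN=MyServiceUsers,OU=Authorizations,OU=Groups,DC=domain,DC=edu",
        "CN=Everyone,OU=Groups,DC=domain,DC=edu",
    ],
    "CN=MyServiceUsers,OU=Authorizations,OU=Groups,DC=domain,DC=edu": [
        "CN=Everyone,OU=Groups,DC=domain,DC=edu",
    ],
    # Constructed cycle: Everyone lists Students as a parent, so a naive
    # recursion that does not track visited groups would never finish.
    "CN=Everyone,OU=Groups,DC=domain,DC=edu": [
        "CN=Students,OU=Groups,DC=domain,DC=edu",
    ],
}


def normalize_dn(dn):
    """Canonical form for comparing DNs: trim RDN whitespace, lower-case.

    Simplification: splits on ',' and so does not handle escaped commas;
    production code should use a proper RFC 4514 DN parser.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def lookup_member_of(dn, directory=DIRECTORY):
    """Stand-in for an LDAP search returning one entry's direct memberOf."""
    wanted = normalize_dn(dn)
    for entry_dn, groups in directory.items():
        if normalize_dn(entry_dn) == wanted:
            return list(groups)
    return []  # entry not found or has no memberOf attribute


def flatten_member_of(user_dn, lookup=lookup_member_of, max_depth=20):
    """Return every group the user is directly or indirectly a member of.

    Breadth-first so direct groups come first; a visited set keeps cycles
    from recursing forever, and max_depth caps the number of LDAP round
    trips even if the directory is badly nested.
    """
    seen = set()
    result = []
    queue = deque((group, 1) for group in lookup(user_dn))
    while queue:
        group, depth = queue.popleft()
        key = normalize_dn(group)
        if key in seen:
            continue  # already emitted (diamond or cycle)
        seen.add(key)
        result.append(group)
        if depth >= max_depth:
            continue  # do not expand further than the configured cap
        for parent in lookup(group):
            if normalize_dn(parent) not in seen:
                queue.append((parent, depth + 1))
    return result


def is_authorized(user_dn, required_group):
    """Authorization check a client would make on the flattened list."""
    wanted = normalize_dn(required_group)
    return any(normalize_dn(g) == wanted for g in flatten_member_of(user_dn))


if __name__ == "__main__":
    for g in flatten_member_of("uid=jdoe,ou=People,dc=domain,dc=edu"):
        print("<cas:MemberOf>%s</cas:MemberOf>" % g)
```

Running the module prints the three groups jdoe ends up in (Students, MyServiceUsers, Everyone) exactly once each despite the Everyone-to-Students cycle, which is the property the server-side flattening needs so that a client's presence check on MyServiceUsers is reliable regardless of how the directory is nested.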
