On Sun, Jul 12, 2015 at 05:09:21PM -0500, Milt Epstein wrote:

> As I recall, we were able to get this working, basically, but we had
> to use some overlay with our LDAP server (OpenLDAP). We also had to
> use a different attribute name (than memberOf) -- but maybe we
> could've avoided that by configuring it differently.

Yes, openldap doesn't support the memberOf attribute unless you load the memberof overlay. We have that working, we didn't have to use a different attribute name. The one catch is that it is considered an operational attribute, so you either need to request it specifically or request all operational attributes, it's not returned otherwise.

> I'm not sure what to make of the fact that in your logs you see the
> memberOf attribute and value in the response. That seems to suggest
> that mod_auth_cas is getting it, where my comments I think have more
> to do with getting the CAS server to handle memberOf correctly in the
> first place. So maybe these things aren't relevant to your situation.

I was playing with mod_auth_cas last year sometime and I know I had authorization using memberOf working. I don't have the specific config I used though. It's on my shortlist to get that deployed in production, but probably not soon enough to help the OP out, sorry :(.

--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | [email protected]
California State Polytechnic University | Pomona CA 91768
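The overlay setup and the operational-attribute catch described in the message above, as an added example that is not taken from either poster's configuration. The database DN `olcDatabase={1}mdb,cn=config`, the module entry `cn=module{0},cn=config`, the `dc=example,dc=edu` suffix and the `jdoe` account are assumptions; adjust them to the local slapd layout.

```ldif
# Added example (not from the thread): enable the memberof overlay through
# cn=config. Apply as the config administrator, for instance:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f memberof.ldif

# 1. Load the module. Assumes slapd was built with memberof as a dynamic
#    module and that cn=module{0},cn=config already exists.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof

# 2. Attach the overlay to the database that holds users and groups.
#    The database DN is an assumption. The group class and attribute
#    names below are the overlay's defaults, written out explicitly.
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

# 3. Check the result. memberOf is an operational attribute, so a default
#    search (or one asking only for "*") does not return it:
#      ldapsearch -x -b "dc=example,dc=edu" "(uid=jdoe)"
#    Request it by name:
#      ldapsearch -x -b "dc=example,dc=edu" "(uid=jdoe)" memberOf
#    or request all user ("*") and all operational ("+") attributes:
#      ldapsearch -x -b "dc=example,dc=edu" "(uid=jdoe)" "*" "+"
```

The overlay only maintains memberOf for group changes made after it is loaded, so memberships that already existed need the group entries re-written before the attribute appears. Any client that authorizes on memberOf has to list the attribute explicitly in its search, otherwise the group check sees no values.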
