Geoffrey, Can you just map both 'uid' and 'cn' to 'UDC_IDENTIFIER'? I could see a potential issue with that if one directory supports both attributes and there would be some potential ambiguity about which attribute would actually end up being mapped.
I am guessing there is likely to be a solution to this baked into CAS. You can also handle this by manipulating the LDAP response before it reaches CAS with an LDAP proxy. Specifically, you could convert the 'cn' attribute in the response of LDAP2 to 'uid'. I wrote a blurb on setting up an LDAP proxy [1], though I am just noticing that my code formatting was messed up. A well-formatted code example can be found on github[2]. This is a more heavy-handed approach, so I'd probably try experimenting with CAS attribute mappings first. Thanks, Carl Waldbieser [1] https://lifeonlayer7.wordpress.com/2015/07/18/ldap-proxy/ [2] https://github.com/twisted/ldaptor/blob/master/docs/source/cookbook/ldap-proxy.rst ----- Original Message ----- From: "Geoffrey Whittaker" <[email protected]> To: [email protected] Sent: Monday, July 27, 2015 7:36:19 AM Subject: [cas-user] Attribute repository with multiple different sources I have CAS4 with two LDAP Auth Handlers. The first is pointed at my local Active Directory (LDAP1) which has my Employees, Staff, Faculty, etc.. The second is pointed at another LDAP server (ldap2) which contains alumni, parents, and other 'special' people. Currently, if the search of LDAP1 fails CAS falls through to LDAP2. In the past, it's been sufficient for those people only in LDAP2 to merely authenticate. Now, I need to get an attribute from that directory and map it to the attribute map to the same field that LDAP1 would use. The problem is the name of the fields is different. In LDAP1 the field is 'cn' in LDAP2 the field is 'uid'. I somehow have to get that value from into a custom Attribute field we called UDC_IDENTIFIER regardless of the directory. Can I have more than one attribute repository, and if can someone point to an example config? Am I making this too complicated? Is there another way to handle this? Thanks -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
