Marc-Antoine Garrigue wrote:

>> Since the authentication server needs access to the LDAP
>> directory for login, the whole scheme breaks down.
>>
>> Hasn't this been encountered before? How do other people solve this?
>
> You may leave the LDAP in the internal network and establish a secured
> trust channel between your CAS Server in the DMZ and the LDAP in the
> internal network.

Right, this is a workaround that we sometimes use now. For some customers it is OK, but for the more paranoid ones, it is not. This is what I would like to use CAS for, but it all fails because of the validation phase that requires access from B to A.

> I may have missed something: I don't get why this configuration
> (server CAS and WEB in the DMZ, LDAP behind a firewall in the internal
> network) differs from a classical 3-tier architecture?

As above, it doesn't, and this is indeed how we solve it in some cases. I'd just like to be able to solve all cases, where opening connections from the DMZ to internal networks, whether "secure" or not (and this is merely a matter of how secure the web app in the DMZ is, rather than the security of the connection itself), just isn't an option.

I think the distributed ticket registry would work. Not super pretty (as it requires yet another server), but it's OK.

/Rickard

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
