On 11.01.2007 17:00, André Cruz wrote:
> But that means another LDAP query which is wasteful...
>
> What if I alter the BindLDAPAuthenticationHandler to receive an
> additional parameter which is an LDAP attribute and after the LDAP
> query, if it was successful, do a setUserName on the credentials with
> the attribute value?
>
> Scott Battaglia wrote:
>
>>I'm assuming you want REMOTE_USER set on the client side and not on
>>the CAS server? If that's the case you merely need to create a
>>CredentialsToPrincipalResolver that will take the user supplied
>>credentials (i.e. email address and password) and map them to the
>>appropriate username. CAS will return to the clients whatever ID
>>value the principal has as the username.

I agree with André Cruz: the current model, artificially splitting the
authentication and the resolution of the principal, forces two connections
with the LDAP server (this is because there is another problem that prevents
LDAP connection pooling). If it uses SSL (ldaps) it can be quite expensive.

Although I can see the generality of that architecture, it seems to me
that the two functions could be integrated to allow more efficiency in
simple cases while still allowing more complex cases. There is something
about that on the CAS WIKI:

http://www.ja-sig.org/wiki/display/CAS/Authentication+module

Many authentication systems with LDAP first perform a SEARCH to find the
dn, then a BIND to authenticate. It would be quite efficient to ask for the
attributes that compose the principal in the initial search and, if the
authentication succeeds, to construct the principal from them.

Is there a way to do this in the current model/distribution, i.e. to
pass information from the AuthenticationHandler to the PrincipalResolver?
(I am not a Java developer.)

Best regards,
Dominique Petitpierre

--
Mr Dominique Petitpierre
Division Informatique
University of Geneva
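
The search-then-bind flow described in the message above, as an added example that is not part of the original post and is not CAS code. It assumes a constructed in-memory directory (FakeDirectory) in place of a real LDAP server, and every function name, attribute name and entry in it is hypothetical.

```python
# Added illustration, not CAS code. FakeDirectory is a constructed in-memory
# stand-in for an LDAP server; every name and entry below is hypothetical.

def escape_filter(value):
    """Escape RFC 4515 special characters so input cannot rewrite the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

class FakeDirectory:
    def __init__(self, entries):
        self.entries = entries        # DN -> attributes (constructed sample data)
        self.operations = []          # every SEARCH/BIND sent to the "server"

    def search(self, ldap_filter, attr, wanted):
        self.operations.append("SEARCH")
        # Equality match only; a real server evaluates the whole filter.
        return [(dn, {k: e[k] for k in wanted if k in e})
                for dn, e in self.entries.items()
                if ldap_filter == f"({attr}={escape_filter(e.get(attr, ''))})"]

    def bind(self, dn, password):
        self.operations.append("BIND")
        return self.entries[dn]["userPassword"] == password

def authenticate(directory, login, password, login_attr="mail", principal_attr="uid"):
    """Return the principal id or None, using one SEARCH and at most one BIND."""
    if not password:
        # A simple bind with an empty password is an unauthenticated bind
        # (RFC 4513) that servers may accept; never count it as a login.
        return None
    ldap_filter = f"({login_attr}={escape_filter(login)})"
    matches = directory.search(ldap_filter, login_attr, [principal_attr])
    if len(matches) != 1:             # no entry, or ambiguous: fail closed
        return None
    dn, attrs = matches[0]
    if principal_attr not in attrs or not directory.bind(dn, password):
        return None
    return attrs[principal_attr]      # principal comes from the first search

SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=org":
        {"uid": "alice", "mail": "alice@example.org", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=org":
        {"uid": "bob", "mail": "bob@example.org", "userPassword": "hunter2"},
}

if __name__ == "__main__":
    d = FakeDirectory(SAMPLE_ENTRIES)
    print(authenticate(d, "alice@example.org", "s3cret"), d.operations)
```

The principal attribute is requested in the same SEARCH that locates the DN, so no second query is needed after the BIND succeeds.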
