Depending on your LDAP server you could create an ACI/ACL limiting the attributes returned to the CAS Bind User. (If you use Fast bind you could limit it by IP address.) This is fairly easy to do with Sun Directory Server, OpenLDAP, FedoraDS and OpenDS. We implemented it with Sun Directory Server and OpenLDAP.
- Rhian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Ströder
Sent: Wednesday, May 21, 2008 2:04 PM
To: Yale CAS mailing list
Subject: ldapAttributesToPortalAttributes and attributes in LDAP search request

HI!

The docs at http://www.ja-sig.org/wiki/display/CASUM/Attributes contain the following example for an LDAP-based attribute repository with a mapping defined from LDAP attributes to CAS Principal attributes:

--------------------------------- snip ---------------------------------
<bean id="attribRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  [..]
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <entry key="cn" value="Name"/>
      <entry value="Telephone" key="telephoneNumber" />
      <entry value="Fax" key="facsimileTelephoneNumber" />
    </map>
  </property>
</bean>
--------------------------------- snip ---------------------------------

Watching the LDAP traffic with Wireshark I noticed that the attribute list in the LDAP search request is empty, which results in all attributes being returned. This causes too much unneeded traffic. Imagine LDAP entries with binary attributes like jpegPhoto or userCertificate.

Wouldn't it be nice to set the attribute list in the LDAP search request to the required attributes specified above?

Ciao, Michael.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
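Added example (not from the thread, and not code from CAS or the person-directory project): it derives the LDAP attribute list from the ldapAttributesToPortalAttributes map keys and BER-encodes the SearchRequest "attributes" field, so you can see why an empty list means "every user attribute" (RFC 4511 section 4.5.1.8) and what the request should carry instead. The XML is the bean from Michael's mail, trimmed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the attribRepository bean quoted in the mail, trimmed.
SPRING_XML = """<bean id="attribRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <entry key="cn" value="Name"/>
      <entry value="Telephone" key="telephoneNumber"/>
      <entry value="Fax" key="facsimileTelephoneNumber"/>
    </map>
  </property>
</bean>"""


def ldap_attributes_from_mapping(xml_text):
    """Return the LDAP attribute names (the map keys) CAS actually needs."""
    root = ET.fromstring(xml_text)
    prop = root.find("./property[@name='ldapAttributesToPortalAttributes']")
    if prop is None:
        return []
    return [e.get("key") for e in prop.iter("entry") if e.get("key")]


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_attribute_selection(attrs):
    """BER-encode the SearchRequest 'attributes' field: SEQUENCE OF LDAPString.
    An empty SEQUENCE (30 00) tells the server to return all user attributes,
    which is the wasteful request Wireshark showed; listing the map keys
    limits the response to exactly what the mapping consumes."""
    body = b"".join(b"\x04" + _ber_len(len(a)) + a.encode("utf-8") for a in attrs)
    return b"\x30" + _ber_len(len(body)) + body


if __name__ == "__main__":
    wanted = ldap_attributes_from_mapping(SPRING_XML)
    print("empty selection:", encode_attribute_selection([]).hex())
    print("mapped selection:", wanted, encode_attribute_selection(wanted).hex())
```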
