Jin,

With CAS, you can set up multiple authentication handlers and specify the order users are authenticated against them. In the /WEB-INF/deployerConfigContext.xml file, there is an authenticationManager bean that has a property called authenticationHandlers, which is an ordered list of authentication handlers. Since both intranet and extranet users should be authenticated against AD first, I would put the handler for AD first and then the JDBC handler.

For more information on available handlers and how to configure them, check out the following JA-SIG CAS wiki articles:

http://www.ja-sig.org/wiki/display/CASUM/Active+Directory
http://www.ja-sig.org/wiki/display/CASUM/JDBC

As far as AD authentication goes, I've used both LDAP and Kerberos. If you can swing LDAP, I'd go that route as older versions of Sun Java have a memory leak in the KerberosLogin module used by Kerberos authentication.

HTH,
Andrew

On 7/1/08 3:21 PM, "auron" <[EMAIL PROTECTED]> wrote:

>
> Hello all -
>
> We have an intranet for our employees and an extranet for employees +
> clients. Our intranet uses CAS + BindLDAP and everything works great.
>
> We have been designing our extranet and have run into a question:
>
> 1 - Can CAS authenticate users separately based on the domain, or some other
> qualifier? Ideally, we would like to use the same CAS to authenticate our
> extranet and intranet users. The intranet can authenticate based on AD, and
> the extranet can authenticate based on AD + JDBC of our clients.
>
> 2 - If this is not possible, would running 2 separate CAS servers be our
> only option?
>
> Thank you very much
>
> Jin Lee

--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
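
The handler ordering described in the reply above, written out as an added example; it is not part of the original message or of the CAS distribution. It uses CAS 3.x class names and assumes the beans contextSource, clientDataSource and httpClient are defined elsewhere in the file; the search base, table name and column names are placeholders.

```xml
<!-- Added example for /WEB-INF/deployerConfigContext.xml (CAS 3.x class names).
     Assumed: beans contextSource, clientDataSource and httpClient exist elsewhere. -->
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <!-- Stock handler for proxy callback credentials; not involved in user logins. -->
      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
        <property name="httpClient" ref="httpClient"/>
      </bean>
      <!-- 1. Active Directory over LDAP: tried first for every username/password login. -->
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter" value="sAMAccountName=%u"/>
        <!-- Placeholder search base. -->
        <property name="searchBase" value="ou=Users,dc=example,dc=edu"/>
        <property name="contextSource" ref="contextSource"/>
        <property name="ignorePartialResultException" value="true"/>
      </bean>
      <!-- 2. Client accounts in the database: consulted only when the AD bind
           above did not authenticate the user. Placeholder table and columns. -->
      <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
        <property name="dataSource" ref="clientDataSource"/>
        <property name="sql" value="select password from clients where username = ?"/>
        <!-- Without an encoder the handler compares plaintext passwords.
             DefaultPasswordEncoder applies an unsalted digest, so the stored
             column must hold the hex digest of the password. -->
        <property name="passwordEncoder">
          <bean class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
            <constructor-arg value="SHA-256"/>
          </bean>
        </property>
      </bean>
    </list>
  </property>
</bean>
```

Because the first handler that succeeds decides the login and both handlers resolve to a principal by username, a client database account whose username matches an AD account would be issued tickets for the same principal. Keeping the two namespaces disjoint (for example by requiring a distinct format for client usernames) avoids that collision.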
