As a reference, here's a slightly more generalized form of an adapter class that allows changing the principal to an attribute in LDAP: http://www.ja-sig.org/issues/browse/CAS-373 (this is very useful for x509 logins and it might also provide a simple solution for the "aliasing" concept) -- Velpi