[cas-dev] Extended Attributes Architecture for 3.1
Stephen A. Cochran
stephen.a.cochran at Dartmouth.EDU
Mon Feb 5 20:42:26 EST 2007
But not really, because even in LDAP, you can do an authenticated
search, i.e. BIND to do the query. So you can verify the user/pass at
the same time as asking for the information. Our local directory service
(which supports LDAP and a proprietary protocol) also does this; a
VALIDATE command can also return a query.
So I think it makes sense to architect the authentication manager
flow to accommodate handlers that could return principals directly
instead of needing a C2PResolver. If we're going to design a way to
map one handler to a C2PResolver, we could add the ability to not map
one at all. This would mean the handler is responsible for returning
the principal.
Steve
On Feb 5, 2007, at 2:32 PM, Velpi wrote:
> For SQL this makes sense: why hit the same SQL twice (probably even the
> same table, or most likely the same DB)?
> For LDAP however there is always a phase where a bind is done as if it
> were the user itself that's connecting to the directory. In this case it
> would be nice to have both a persistent and a "switching" connection.