Set REMOTE_USER to LDAP attribute
Dominique Petitpierre
Dominique.Petitpierre at adm.unige.ch
Fri Jan 12 14:06:13 EST 2007
On 11.01.2007 17:00, André Cruz wrote:
> But that means another LDAP query which is wasteful...
>
> What if I alter the BindLDAPAuthenticationHandler to receive an
> additional parameter which is an LDAP attribute and after the LDAP
> query, if it was successful, do a setUserName on the credentials with
> the attribute value?
>
> Scott Battaglia wrote:
>
>>I'm assuming you want REMOTE_USER set on the client side and not on
>>the CAS server? If that's the case you merely need to create a
>>CredentialsToPrincipalResolver that will take the user supplied
>>credentials (i.e. email address and password) and map them to the
>>appropriate username. CAS will return to the clients whatever ID
>>value the principal has as the username.
I agree with André Cruz: the current model, which artificially splits
authentication from resolution of the principal, forces two connections
to the LDAP server (this is because there is another problem that
prevents LDAP connection pooling). If it uses SSL (ldaps), this can be
quite expensive.
Although I can see the generality of that architecture, it seems to me
that the two functions could be integrated to allow more efficiency
in simple cases while still allowing the more complex ones.
There is something about that on the CAS WIKI:
http://www.ja-sig.org/wiki/display/CAS/Authentication+module
Many authentication systems using LDAP first perform a SEARCH to find
the DN, then a BIND to authenticate. It would be quite efficient to
ask for the attributes that compose the principal in the
initial search and, if the authentication succeeds, to construct
the principal from them.
Is there a way to do this in the current model/distribution, i.e.
to pass information from the AuthenticationHandler to
the PrincipalResolver? (I am not a Java developer.)
Best regards,
Dominique Petitpierre
--
* Unsolicited commercial email is NOT welcome at this address. *
Mr Dominique Petitpierre        Email: User at Domain
Division Informatique           User=Dominique.Petitpierre
University of Geneva            Domain=adm.unige.ch