CAS integration at Rutgers (and other large organizations)

Smith, Matt matt.smith at uconn.edu
Mon Mar 5 14:24:51 EST 2007


On Thu, 2007-03-01 at 10:03 -0500, Stephane Bailliez wrote:
> Smith, Matt wrote:
> > UConn is inverting what you describe -- instead of using CAS for
> > webdav, etc, use a mechanism (Kerberos/LDAP) better suited for those
> > non browser-based services, and then use CAS to easily extend those
> > mechanisms to the browser environment.
> 
> Yes, that would be my preference as well rather than having to bend so
> many things to integrate with CAS.
> 
> Out of curiosity, how do you structure your LDAP?
> 
LDAP's structure is very simple - one big ou ("people") containing
~70,000 inetOrgPerson + eduPerson objects.  We supply some basic
attributes, but nothing service/application specific.  Authentication
occurs against CAS & Kerberos (although we still do a bunch of LDAP
authentication, proxied back to Kerberos, for legacy reasons).
Authorization is handled by each service, either leveraging lists of
NetIDs (ACL) or accessing LDAP (and eventually Shibboleth and/or
CAS/SAML) to obtain user-centric attributes (affiliation, department,
etc).  We do not store any service specific attributes in the directory
- in other words, there is no (and will not be) "allowAccessToServiceX"
in our LDAP.  Services instead grant access using service-specific
instructions (ACI) equating to "allow access X to users of type Y",
where X is a service-specific type of access (read, write, change email
address, etc), and Y is some derivation of attributes (full-time
undergraduate students on main campus).

BTW -- this kind of abstract, multi-technology, higher-ed centric
discussion is good to have on the EDUCAUSE IdM list
IDM at LISTSERV.EDUCAUSE.EDU.

HTH,
-Matt
-- 
Matthew J. Smith <matt.smith at uconn.edu>
University of Connecticut UITS
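The authorization model Matt describes above (the directory carries only user-centric attributes, and each service decides "allow access X to users of type Y" from those attributes, or from a plain list of NetIDs) as an added Python example. This is not code from the post, from UConn or from any CAS component. The eduPerson attribute names are real schema attributes; `campus`, `enrollmentStatus`, `studentLevel`, the directory entries and the service rules are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# An LDAP entry is a map from attribute name to its (multi-valued) list of values.
Entry = Dict[str, List[str]]

# Constructed sample entries keyed by NetID. eduPersonAffiliation and
# eduPersonPrimaryAffiliation are standard eduPerson attributes; 'campus',
# 'enrollmentStatus' and 'studentLevel' are hypothetical local attributes.
# Note that no entry carries anything like "allowAccessToServiceX".
DIRECTORY: Dict[str, Entry] = {
    "jdoe": {
        "eduPersonAffiliation": ["member", "student"],
        "eduPersonPrimaryAffiliation": ["student"],
        "campus": ["main"],
        "enrollmentStatus": ["full-time"],
        "studentLevel": ["undergraduate"],
    },
    "asmith": {  # same standing as jdoe, but on a regional campus
        "eduPersonAffiliation": ["member", "student"],
        "eduPersonPrimaryAffiliation": ["student"],
        "campus": ["regional-north"],
        "enrollmentStatus": ["full-time"],
        "studentLevel": ["undergraduate"],
    },
    "pprof": {
        "eduPersonAffiliation": ["member", "employee", "faculty"],
        "eduPersonPrimaryAffiliation": ["faculty"],
        "campus": ["main"],
    },
    "rclerk": {
        "eduPersonAffiliation": ["member", "employee", "staff"],
        "eduPersonPrimaryAffiliation": ["staff"],
        "campus": ["main"],
    },
}

# A "user type" (the Y in "allow access X to users of type Y") is a predicate
# over the authenticated NetID and its directory entry. It is evaluated by the
# service at decision time and never stored in the directory.
UserType = Callable[[str, Entry], bool]


def has(entry: Entry, attr: str, value: str) -> bool:
    """True if the multi-valued attribute contains value; absent attributes never match."""
    return value in entry.get(attr, [])


def full_time_main_campus_undergrad(netid: str, entry: Entry) -> bool:
    """Y derived purely from attributes: the post's own example of a user type."""
    return (has(entry, "eduPersonAffiliation", "student")
            and has(entry, "studentLevel", "undergraduate")
            and has(entry, "enrollmentStatus", "full-time")
            and has(entry, "campus", "main"))


def faculty(netid: str, entry: Entry) -> bool:
    return has(entry, "eduPersonAffiliation", "faculty")


def netid_list(*netids: str) -> UserType:
    """The other mechanism from the post: a service-held ACL of NetIDs."""
    allowed = frozenset(netids)
    return lambda netid, entry: netid in allowed


@dataclass
class ServiceACI:
    """One service's access-control instructions: access type X -> user types Y.

    Each service keeps its own table; nothing is written back to LDAP."""
    rules: Dict[str, List[UserType]] = field(default_factory=dict)

    def allow(self, access: str, *user_types: UserType) -> "ServiceACI":
        self.rules.setdefault(access, []).extend(user_types)
        return self

    def permits(self, netid: str, entry: Entry, access: str) -> bool:
        # Unknown access types, and users matching no listed type, are denied.
        return any(user_type(netid, entry) for user_type in self.rules.get(access, []))


def authorize(aci: ServiceACI, directory: Dict[str, Entry], netid: str, access: str) -> bool:
    """Authenticated NetID (e.g. released by CAS) -> directory lookup -> service rule evaluation."""
    entry = directory.get(netid)
    if entry is None:
        return False  # authenticated identity with no directory entry: deny by default
    return aci.permits(netid, entry, access)


# Constructed example service: full-time main-campus undergrads may read and change
# their email address, faculty may read, and one named clerk (ACL) may write.
REGISTRATION_APP = (ServiceACI()
                    .allow("read", full_time_main_campus_undergrad, faculty)
                    .allow("change-email", full_time_main_campus_undergrad)
                    .allow("write", netid_list("rclerk")))

if __name__ == "__main__":
    for who in ("jdoe", "asmith", "pprof", "rclerk", "nobody"):
        for what in ("read", "change-email", "write"):
            print(f"{who:8} {what:13} {authorize(REGISTRATION_APP, DIRECTORY, who, what)}")
```

Moving `asmith` to the main campus, or adding a new service, changes nothing in the directory: only the predicates or the service's own `ServiceACI` table change, which is the point of keeping the LDAP free of service-specific attributes.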