Marvin, et al,

Sorry, I picked the wrong Principal Resolver bean to ask about.

The configuration Ellucian uses is PrincipalBearingCredentialsToPrincipalResolver, CredentialsToLDAPAttributePrincipalResolver, and then within that UsernamePasswordCredentialsToPrincipalResolver. I think the CredentialsToLDAPAttributePrincipalResolver is the one that must be different for multiple LDAPs. Is that right?

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/

On Fri, Mar 7, 2014 at 11:52 AM, Linda Toth <ltt...@alaska.edu> wrote:
> Thank you ..
>
> This confirms what I was arriving at.
>
> Our use case is that we have an AD LDAP which expires accounts based on individual campus policy. But the application we are configuring CAS for provides information concerning W2 forms, transcripts, class history, etc. They do not want to bump these people off of access for this particular application.
>
> Yesterday, the story changed a bit. We had intended to use the EDIR Sun LDAP, but were concerned about these two LDAPs not being in sync. We decided to use a front end program written in-house that behaves like an LDAP repository, but actually will work as an intermediary (proxy). They use userPrincipalName for the sAMAccountName, for example, so I think this removes the issue of naming.
>
> I need to pass the credentials to their proxy program, but treat it as if it were LDAP.
>
> Regarding Principal resolution methods, do you mean that the class associated with the Principal Resolver for AD, in our case org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver, needs to differ? Perhaps something like org.jasig.cas.authentication.principal.BasicPrincipalResolver would work, or perhaps PersonDirectoryPrincipalResolver?
>
> Honestly, the subtleties of which to use in this case are not immediately clear to me since it is not a typical vendor LDAP.
>
> Linda Toth
> University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
> 910 Yukon Drive, Suite 103
> Fairbanks, Alaska 99775
> Tel: 907-450-8320
> Fax: 907-450-8381
> linda.t...@alaska.edu | www.alaska.edu/oit/
>
> On Fri, Mar 7, 2014 at 3:22 AM, Marvin Addison <marvin.addi...@gmail.com> wrote:
>> > I am not sure why Ellucian did not make use of a key-ref, but there it is.
>> > I think an explanation of why attribute filters are defined in both places
>> > would be of great help to me .. this has always been murky in my understanding.
>>
>> I've read your original post a couple times and I'm not entirely clear on the use case. I do understand, however, the need for LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager and key-ref in your case. That component is needed whenever you have two credential classes of the same type (UsernamePasswordCredentials are used to authenticate to both SunDS and AD) but you need different principal resolution methods. The solution is to switch on the authentication handler, by reference, that successfully authenticated the credentials. Thus the reference (key-ref) to the authentication handler. You're using the authentication handler to select the principal resolver that refers to the same directory that authenticated the user.
>>
>> M
>>
>> --
>> You are currently subscribed to cas-user@lists.jasig.org as: ltt...@alaska.edu
>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
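As an added illustration of the wiring Marvin describes (this is not from either message or from Ellucian's configuration), here is a CAS 3.x Spring bean definition that links each authentication handler by key-ref to its own CredentialsToLDAPAttributePrincipalResolver, so the principal id is always read from the directory that actually verified the password. The bean ids adAuthHandler, sunAuthHandler, adContextSource and sunContextSource, plus the search bases and filters, are placeholders assumed to be defined elsewhere in deployerConfigContext.xml.

```xml
<!-- Added illustration, not from the thread or Ellucian's deployerConfigContext.xml.
     Bean ids adAuthHandler, sunAuthHandler, adContextSource, sunContextSource,
     search bases and filters are placeholders for a CAS 3.x deployment. -->

<!-- Both directories take the same credential class (UsernamePasswordCredentials),
     so the manager switches on which handler authenticated, by key-ref. -->
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">
  <constructor-arg>
    <map>
      <entry key-ref="adAuthHandler"  value-ref="adPrincipalResolver"/>
      <entry key-ref="sunAuthHandler" value-ref="sunPrincipalResolver"/>
    </map>
  </constructor-arg>
</bean>

<!-- One CredentialsToLDAPAttributePrincipalResolver per directory: each points at
     its own ContextSource, so a principal resolved for an AD login can never be
     looked up in the Sun directory and vice versa. -->
<bean id="adPrincipalResolver"
      class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
  <property name="credentialsToPrincipalResolver">
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
  </property>
  <property name="contextSource" ref="adContextSource"/>
  <property name="searchBase" value="dc=ad,dc=example,dc=edu"/>   <!-- placeholder -->
  <property name="filter" value="sAMAccountName=%u"/>
  <property name="principalAttributeName" value="userPrincipalName"/>
</bean>

<bean id="sunPrincipalResolver"
      class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
  <property name="credentialsToPrincipalResolver">
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
  </property>
  <property name="contextSource" ref="sunContextSource"/>
  <property name="searchBase" value="ou=people,dc=example,dc=edu"/>   <!-- placeholder -->
  <property name="filter" value="uid=%u"/>
  <property name="principalAttributeName" value="uid"/>
</bean>
```

Whichever handler in the map succeeds first determines the resolver that runs, so the map order should list the directory expected to authenticate most users first.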