Ray,

No-- I don't want person "A" to be able to authenticate on behalf of person
"B".

Currently, our users log on with a system assigned username.  I'd like them
to also be able to claim their own username alias and be able to log on
with that.  So for example, user "smithe" could have an alias "catlover86"
and use that as their username.

OpenLDAP has a concept of alias entries for its DIT that can refer to other
entries.  Potentially, I could use this, but there are some caveats:


   1. The LDAP client has to explicitly dereference aliases.
   2. When an entry is being dereferenced, it won't be returned in a search
   if you are searching for attributes on the alias itself.  This is because
   the filter matches the attributes on the dereferenced entry.

The 2nd rule is very counter-intuitive in my opinion.  It took me a while
to wrap my head around what was going on.  But you can set the LDAP base DN
to the alias during a SEARCH operation, and the dereferenced target will be
returned assuming you have a filter that matches the target.

Typically, our 2 step BIND in CAS looks like this:


   1. SEARCH the LDAP DIT for an entry with an attribute (let's say "uid")
   that matches the username provided.  This search is done while BINDed as a
   DN with elevated search privs.
   2. Once a matching entry is found, BIND to it using the password
   provided.

CAS lets me set up a search filter like "(uid={user})" where it will do the
substitution for "user", so this works fine.

To use aliases, I'd want to do something like:


   1. SEARCH the LDAP DIT for an entry with a base DN of
   "uid={user},ou=aliases,o=myorg".  Again, the search would be done while
   BINDed as a DN with elevated search privs.
   2. Once a matching *dereferenced* entry is found, BIND to it using the
   password provided.

The configuration I'm not sure about is that CAS would need to be able to
substitute {user} into the base DN for the search, making sure to escape it
properly.  Also, the SEARCH would need to indicate that alias entries
should be dereferenced.

I'm not sure if CAS supports this without getting into some magical Java
bean territory.

Thanks,
Carl Waldbieser
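Added example (not code from this thread, from CAS, or from OpenLDAP): a small Python model of the two search strategies discussed above, run against a constructed toy DIT, plus the escaping a username needs in each position. A value substituted into a filter is escaped per RFC 4515, while a value substituted into a base DN is escaped per RFC 4514, and the two rules differ. The `toy_search` function is a deliberately simplified model of the server's alias handling (filter evaluated against the dereferenced target), written to illustrate the two caveats; the `ou=aliases,o=myorg` layout and `catlover86`/`smithe` names are the hypothetical ones from the thread.

```python
# Added example, not code from the thread, from CAS or from OpenLDAP.
# RFC 4515 governs filter assertion values; RFC 4514 governs DN values.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
DN_SPECIALS = set('",+;<>\\')
ALIAS_BASE = "ou=aliases,o=myorg"   # hypothetical layout from the thread


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(c, c) for c in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    last = len(value) - 1
    out = []
    for i, c in enumerate(value):
        if c == "\x00":
            out.append(r"\00")
        elif c in DN_SPECIALS:
            out.append("\\" + c)
        elif (i == 0 and c in " #") or (i == last and c == " "):
            out.append("\\" + c)           # leading '#'/space, trailing space
        else:
            out.append(c)
    return "".join(out)


def uid_filter_search(user: str) -> dict:
    """Step 1 of the usual two-step bind: subtree search for (uid={user})."""
    return {"base": "o=myorg", "scope": "sub",
            "filter": "(uid=%s)" % escape_filter_value(user), "deref": "never"}


def alias_base_search(user: str) -> dict:
    """Step 1 of the alias variant: base-scoped search rooted at the alias DN."""
    return {"base": "uid=%s,%s" % (escape_dn_value(user), ALIAS_BASE),
            "scope": "base", "filter": "(objectClass=*)", "deref": "always"}


# Constructed toy DIT: one real user plus one alias entry pointing at it.
TOY_DIT = {
    "uid=smithe,ou=somedepartment,o=myorg": {
        "objectClass": ["inetOrgPerson"], "uid": ["smithe"]},
    "uid=catlover86,ou=aliases,o=myorg": {
        "objectClass": ["alias", "extensibleObject"], "uid": ["catlover86"],
        "aliasedObjectName": ["uid=smithe,ou=somedepartment,o=myorg"]},
}


def toy_search(dit, base, scope, attr, value, deref):
    """Simplified model of server-side alias handling: with dereferencing on,
    the filter is evaluated against the *target* entry, not the alias."""
    results = []
    for dn, attrs in dit.items():
        if scope == "base" and dn != base:
            continue
        if scope == "sub" and not dn.endswith(base):   # naive suffix check
            continue
        if deref == "always" and "alias" in attrs["objectClass"]:
            dn = attrs["aliasedObjectName"][0]          # follow the alias
            attrs = dit[dn]
        matches = (attr == "objectClass" and value == "*") or value in attrs.get(attr, [])
        if matches and dn not in results:
            results.append(dn)
    return results


def resolve_bind_dn(dit, user):
    """Step 2 input: the DN to BIND as, or None unless exactly one entry matched."""
    req = alias_base_search(user)
    found = toy_search(dit, req["base"], req["scope"], "objectClass", "*", req["deref"])
    return found[0] if len(found) == 1 else None
```

Running `toy_search(TOY_DIT, "o=myorg", "sub", "uid", "catlover86", "always")` returns nothing, which is the second caveat above; the same filter with `deref="never"` returns the alias itself, and `resolve_bind_dn(TOY_DIT, "catlover86")` returns the dereferenced user DN. `resolve_bind_dn` refuses to pick a bind DN unless exactly one entry comes back, so a lookup that matches zero or several entries fails closed rather than binding against an arbitrary result.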


On Wed, May 18, 2022 at 7:09 PM Ray Bon <r...@uvic.ca> wrote:

> Carl,
>
> Are you referring to surrogate authentication?
>
> https://apereo.github.io/cas/6.4.x/authentication/Surrogate-Authentication.html
>
> Ray
>
> On Wed, 2022-05-18 at 16:23 -0400, Carl Waldbieser wrote:
>
> If I have an entry and an alias in an OpenLDAP DIT such that searching on
> "alias" dereferences "entry", is it possible to configure CAS to perform a
> 2 stage BIND in this way?
>
> I.e.
>
>
>    1. User enters "alias" and password at the CAS login form.
>    2. CAS searches the DIT with LDAP base "uid=alias,ou=aliases,o=myorg"
>    and a filter like "(objectClass=*)".
>    3. The actual entry dereferenced has DN
>    "uid=entry,ou=somedepartment,o=myorg".
>    4. CAS attempts a BIND against this DN with the provided password.
>
>
> It's not obvious from the documentation how one might configure that, or
> even if it is possible.
>
> Thanks,
> Carl Waldbieser
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ
> peoples whose historical relationships with the land continue to this day.
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALt4NbPf7o0L%3DVOf58e4b6V%2B9n5JLyHyky-MW0gahbAjD2OU0A%40mail.gmail.com.