Ray,
No-- I don't want person "A" to be able to authenticate on behalf of person "B".
Currently, our users log on with a system assigned username. I'd like them to also be able to claim their own username alias and be able to log on with that. So for example, user "smithe" could have an alias "catlover86" and use that as their username.
OpenLDAP has a concept of alias entries for its DIT that can refer to other entries. Potentially, I could use this, but there are some caveats:
- The LDAP client has to explicitly dereference aliases.
- When an entry is being dereferenced, it won't be returned in a search if you are searching for attributes on the alias itself. This is because the filter matches the attributes on the dereferenced entry.
The 2nd rule is very counter-intuitive in my opinion. It took me a while to wrap my head around what was going on. But you can set the LDAP base DN to the alias during a SEARCH operation, and the dereferenced target will be returned assuming you have a filter that matches the target.
Typically, our 2 step BIND in CAS looks like this:
- SEARCH the LDAP DIT for an entry with an attribute (let's say "uid") that matches the username provided. This search is done while BINDed as a DN with elevated search privs.
- Once a matching entry is found, BIND to it using the password provided.
CAS lets me set up a search filter like "(uid={user})" where it will do the substitution for "user", so this works fine.
To use aliases, I'd want to do something like:
- SEARCH the LDAP DIT for an entry with a base DN of "uid={user},ou=aliases,o=myorg". Again, the search would be done while BINDed as a DN with elevated search privs.
- Once a matching *dereferenced* entry is found, BIND to it using the password provided.
The configuration I'm not sure about is that CAS would need to be able to substitute {user} into the base DN for the search, making sure to escape it properly. Also, the SEARCH would need to indicate that alias entries should be dereferenced.
I'm not sure if CAS supports this without getting into some magical Java bean territory.
Thanks,
Carl Waldbieser