When you say "need to have access", it sounds like you are trying to
combine authentication and authorization. Is the existing ldap
configuration also using the same AD? Is there a reason these users cannot
be authenticated that way? Then authorization is a separate action.

You can use the searchFilter to refine the users allowed to authenticate.
That's just a normal LDAP filter so you should be able to use any other
attribute in addition to cn. For example:

cas.authn.ldap[0].searchFilter=(&(cn={user})(otherAttribute=LetMeIn))

That would give you control over what accounts CAS will match the username
against.

As an Identity Provider, CAS is not necessarily responsible for authorizing
into other applications. The IdP authenticates the user, possibly with
multiple factors, and provides agreed-upon attributes to the service
provider. The service provider then makes the authorization decision. CAS
does allow you to configure per-service access strategies, which might also
be useful in this case:

https://apereo.github.io/cas/5.3.x/installation/Configuring-Service-Access-Strategy.html

Maybe a little more context of your situation would help us provide better
suggestions.

-dirk

On Thu, Nov 15, 2018 at 9:54 AM Zach Tackett <[email protected]> wrote:

> Sorry, I am not very well versed in AD. Simply going off of what another
> coworker was trying to explain. There is already an ldap[0] config set up
> and working. This one needs to be set up for the OU IDM; inside that OU
> there are quite a few OUs that need to have access. It works if I do
> cas.authn.ldap[1].dnFormat=cn=%s,ou=IDM, ou=IDM-BANNER,dc=marshall,dc=edu
>
> But I do not want to have to do that for each one. Is there a way to allow
> anyone within the IDM OU access?
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAJ%3D0EZy3OnBthkbSEF%2Bo2Z7UdBbrd9FPuzcpU5suCvuwm%3DSoww%40mail.gmail.com.
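The following is an added example and not code from this thread or from CAS itself. It models, against a small constructed directory, the difference between the two approaches discussed above: a dnFormat that binds to one fixed DN (so an account in a nested OU is never found), versus a base DN searched with subtree scope plus a searchFilter such as `(&(cn={user})(otherAttribute=LetMeIn))`, which matches accounts anywhere under the IDM OU and then narrows them by attribute. In CAS the base DN is the `cas.authn.ldap[n].baseDn` property; whether your search is subtree-scoped is something to confirm in your own configuration. The OU layout under `ou=IDM,ou=IDM-BANNER,dc=marshall,dc=edu`, the accounts and the attribute `otherAttribute` are all made up here. The example also escapes the value substituted for `{user}` per RFC 4515 before it goes into the filter, so filter metacharacters in a username are compared literally; that escaping is this example's own, not a statement about how CAS does it.

```python
"""Toy LDAP directory and filter evaluator (added example, not CAS code).

Shows what a dnFormat bind versus a baseDn + searchFilter search selects.
All entries, OUs and attribute values below are constructed for the demo.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> [values]


def normalize_dn(dn: str) -> str:
    # Lower-case and drop spaces around commas so "ou=IDM, ou=IDM-BANNER" and
    # "ou=idm,ou=idm-banner" compare equal. (Toy: ignores escaped commas.)
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(entry_dn: str, base_dn: str, subtree: bool) -> bool:
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if not entry.endswith("," + base):
        return False
    if subtree:
        return True
    # one-level scope: the entry's parent must be exactly the base
    return entry.split(",", 1)[1] == base


def escape_filter_value(value: str) -> str:
    # RFC 4515: * ( ) \ and NUL inside a value are hex-escaped so the
    # substituted username can never change the filter's structure.
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def render_filter(template: str, user: str) -> str:
    # Fill the CAS-style '{user}' placeholder with an escaped value.
    return template.replace("{user}", escape_filter_value(user))


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _value_pattern(raw: str) -> re.Pattern:
    # An unescaped '*' is a wildcard; everything else (including '\2a') is literal.
    return re.compile(".*".join(re.escape(_unescape(p)) for p in raw.split("*")),
                      re.IGNORECASE)


def parse_filter(text: str):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _parse(s: str, i: int):
    # Recursive-descent parser for (&...), (|...), (!...) and (attr=value).
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)  # a ')' inside a value must be escaped as \29
    return ("=", s[i:eq].lower(), _value_pattern(s[eq + 1:close])), close + 1


def matches(node, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(pattern.fullmatch(v) for v in entry.attrs.get(attr, []))


def make_entry(dn: str, **attrs) -> Entry:
    rdn_attr, rdn_value = dn.split(",", 1)[0].split("=", 1)
    store = {rdn_attr.lower(): [rdn_value]}
    store.update({k.lower(): [v] for k, v in attrs.items()})
    return Entry(dn, store)


# Constructed directory: two nested OUs under IDM, one account directly in
# IDM, and one account outside the IDM subtree entirely.
DIRECTORY = [
    make_entry("cn=jdoe,ou=Staff,ou=IDM,ou=IDM-BANNER,dc=marshall,dc=edu", otherAttribute="LetMeIn"),
    make_entry("cn=asmith,ou=Students,ou=IDM,ou=IDM-BANNER,dc=marshall,dc=edu", otherAttribute="NoAccess"),
    make_entry("cn=root,ou=IDM,ou=IDM-BANNER,dc=marshall,dc=edu", otherAttribute="LetMeIn"),
    make_entry("cn=bob,ou=Contractors,dc=marshall,dc=edu", otherAttribute="LetMeIn"),
]


def search(base_dn: str, filter_text: str, subtree: bool = True, directory=DIRECTORY):
    # baseDn + searchFilter: every entry in scope that satisfies the filter.
    node = parse_filter(filter_text)
    return [e.dn for e in directory if in_scope(e.dn, base_dn, subtree) and matches(node, e)]


def bind_dn_exists(dn_format: str, user: str, directory=DIRECTORY) -> bool:
    # dnFormat builds one fixed DN; the account must live exactly there.
    wanted = normalize_dn(dn_format % user)
    return any(normalize_dn(e.dn) == wanted for e in directory)


if __name__ == "__main__":
    base = "ou=IDM,ou=IDM-BANNER,dc=marshall,dc=edu"
    fmt = "cn=%s,ou=IDM, ou=IDM-BANNER,dc=marshall,dc=edu"  # dnFormat from the thread
    print("dnFormat finds root:", bind_dn_exists(fmt, "root"))
    print("dnFormat finds jdoe (nested OU):", bind_dn_exists(fmt, "jdoe"))
    print("subtree search for jdoe:", search(base, render_filter("(cn={user})", "jdoe")))
    print("asmith with attribute gate:",
          search(base, render_filter("(&(cn={user})(otherAttribute=LetMeIn))", "asmith")))
    print("everyone under IDM:", search(base, "(cn=*)"))
```

Run it as a script to see each case printed; the point to take away is that one `baseDn` with a subtree-scoped `searchFilter` covers every OU under IDM without a dnFormat per OU, while the extra `(otherAttribute=LetMeIn)` term is what turns the filter into a gate on which of those accounts may authenticate.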
