One of the things that was missing in CAS3, and hopefully rectified in CAS4, is the ability to display more information to the user. This includes warnings such as “Your password will expire in 10 days,” “You last logged in from IP address 128.76.544.33”, etc.
The CAS4 architecture will support this notion of informational messages (we currently call them Warnings, which may be slightly misleading). The question, since we don’t store this information currently at Rutgers, is where do people normally store it? Is it in LDAP with the credentials, is it in a separate meta information repository, is it stored in Kerberos, or is it encoded in the credentials themselves (e.g. a certificate is going to expire in 10 days)?
For us to design the architecture correctly, it would help us know where this information is commonly stored so we can make it easy to retrieve (and possibly provide some common ones).
Please leave your comments below, or on the CAS mailing list.
3 comments
I think that you are now realizing that yes, the data is there and quite possibly everyone has it in some form or fashion, but you are now defining what I would call a “data collective” that has yet to be named.
I’m discussing LDAP e.g. with an associate now as a choice for identity management information. Is OpenLDAP e.g. the right storage choice for an open source community with a huge user base? I’m not sure. I’m actually trying to define what data points are important. Can you define exact data points that are needed? Have you determined a complete data model? Or, … are you hunting for data that is presently captured that “may” be of use to CAS? It’s very interesting because I think that most of your example data points are there somehow in everyone’s implementation but the format is wildly different among hostings.
Kerberos exposes this information in the authentication response. The question is – does JAAS provide access to this information?
Active Directory, when used for LDAP authentication, exposes this via LDAP fields, using a 64-bit date format representing the number of 100-nanosecond intervals since 1/1/1601 — you know, just in case the Pilgrims had accounts in your AD.
Luckily we can even include the first settlers from Jamestown who came in 1607.
It seems then that we should be trying to get the meta information from the authentication source itself so our AuthenticationHandler interface may need to be richer.
Though I know at Rutgers even though we do authentication via LDAP, it ultimately falls through to either Safeword or Kerberos, so we may need to support two methods of obtaining this data.
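As an added example (not code from the CAS project or from any of the commenters), the following Python shows how the informational messages discussed in the post could be derived from the Active Directory attributes mentioned in the comment above. It assumes the real AD attributes pwdLastSet, accountExpires and lastLogonTimestamp (all FILETIME integers) and the domain policy value maxPwdAge (a negative 100-nanosecond interval); the user record and the "now" instant are constructed sample data. The zero and "never" sentinel handling is the part that is easy to get wrong when turning these fields into a "your password will expire in N days" warning.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires uses this value (or 0) to mean "the account never expires".
ACCOUNT_NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF
# maxPwdAge is a negative interval; INT64_MIN means "passwords never expire"
# (assumed from AD documentation, not from the post).
PASSWORDS_NEVER_EXPIRE = -0x8000000000000000


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert an AD FILETIME integer to an aware UTC datetime; None for 'unset' or 'never'."""
    if ft <= 0 or ft == ACCOUNT_NEVER_EXPIRES:
        return None
    # Integer arithmetic in microseconds avoids float rounding on 64-bit values.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the constructed sample record."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int) -> Optional[datetime]:
    """Expiry instant = pwdLastSet + |maxPwdAge|; None when the policy never expires passwords."""
    last_set = filetime_to_datetime(pwd_last_set)
    if last_set is None or max_pwd_age in (0, PASSWORDS_NEVER_EXPIRE):
        return None
    return last_set + timedelta(microseconds=(-max_pwd_age) // 10)


def login_warnings(attrs: dict, max_pwd_age: int, now: datetime,
                   threshold_days: int = 14) -> list:
    """Build the informational messages to show after a successful authentication.

    attrs maps AD attribute name -> integer value as read over LDAP (constructed here).
    """
    warnings = []
    pwd_last_set = int(attrs.get("pwdLastSet", 0))
    if pwd_last_set == 0:
        # AD stores pwdLastSet = 0 when "user must change password at next logon" is set.
        warnings.append("You must change your password at next logon.")
    else:
        expiry = password_expiry(pwd_last_set, max_pwd_age)
        if expiry is not None:
            if expiry <= now:
                warnings.append("Your password has expired.")
            else:
                days_left = (expiry - now).days
                if days_left <= threshold_days:
                    warnings.append(f"Your password will expire in {days_left} days.")
    account_expires = filetime_to_datetime(int(attrs.get("accountExpires", 0)))
    if account_expires is not None and (account_expires - now).days <= threshold_days:
        warnings.append(f"Your account expires on {account_expires:%Y-%m-%d}.")
    last_logon = filetime_to_datetime(int(attrs.get("lastLogonTimestamp", 0)))
    if last_logon is not None:
        warnings.append(f"You last logged in on {last_logon:%Y-%m-%d %H:%M} UTC.")
    return warnings


# Constructed sample: a user whose password was set 80 days ago under a 90-day policy.
SAMPLE_NOW = datetime(2009, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_MAX_PWD_AGE = -90 * 24 * 60 * 60 * 10_000_000   # 90 days as a negative 100-ns interval
SAMPLE_USER = {
    "pwdLastSet": datetime_to_filetime(SAMPLE_NOW - timedelta(days=80)),
    "accountExpires": ACCOUNT_NEVER_EXPIRES,
    "lastLogonTimestamp": datetime_to_filetime(SAMPLE_NOW - timedelta(days=3)),
}

if __name__ == "__main__":
    for msg in login_warnings(SAMPLE_USER, SAMPLE_MAX_PWD_AGE, SAMPLE_NOW):
        print(msg)
```

With the sample record this yields "Your password will expire in 10 days." followed by the last-logon line; a Kerberos or Safeword source would need its own adapter producing the same list, which is the argument for letting the AuthenticationHandler return these messages alongside the authentication result.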