* caleb racey [2009-09-04 16:57]:
> Yale's CAS has what it calls drop through authentication, i.e. try
> auth against source 1, on failure try source2 so you might want to
> have a look at that. We use CAS as the login for our new shib
> servers.

The Shib IdP uses JAAS and this also allows one to "stack" authentication
modules, as well as have them as "required" or "sufficient" etc., not
unlike PAM. Having several DSAs as "sufficient" in login.config will
do the same as above, it seems.

But I doubt this will achieve what the OP was trying to do, though
(which is: use another account to look up additional information and
generate a different error message or even integrate a "change
password" function there, if relevant info is found).

> >It would then pull back details about the account and warn the user
> >if their account was now disabled, expired or locked out. If the
> >password was expired it would test their old credentials and if
> >they passed it would give the user the option to set a new
> >password.

How would using CAS solve this?
-peter