My organization has a situation where we want to use CAS as authentication, but without caring about the users. We basically just want to say "if you logged in through CAS and were verified, then you can see this page". All we really care about is getting their username, but only to pass it into a database and retrieve some values. It doesn't seem like this sort of thing is doable, as implied by the "Should Drupal user accounts be automatically created?" If I don't choose that, then I must manually create them. I'd really like to do neither, and just let them access the page. Is this sort of thing doable?
And while this is not in the scope of the CAS module, if anyone knows: if I must create them in Drupal, is there any other module in existence to check against LDAP, and delete users who are no longer in LDAP (they would also not be in CAS, and thus not able to log in - but I would at least like to try to keep the users table somewhat manageable, as we're talking 15,000 initial users with 1500 more annually).
Comments
Comment #1
samo commented
It should be fairly simple to hack CAS to assign *all* logins the same user ("authenticated" user) after the CAS ticket is verified. This would mean only creating one user in Drupal with very limited privileges.
There is no automated mechanism to delete accounts in Drupal that no longer have a corresponding LDAP account, but it should be pretty simple to create that functionality in a hook_cron method. Every cron run you could pull a batch of users and do a simple LDAP lookup on them. If there is not a valid user, user_delete.
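The cron-driven cleanup sketched in comment #1, as an added example that is not part of the CAS module or this thread's code. It assumes Drupal 7 (user_delete() takes a uid there), PHP 5.6 or later for ldap_escape(), and placeholder values for the LDAP host, base DN and bind account; it deletes an account only when the directory explicitly returns zero matches, and deletes nothing when the directory cannot be reached.

```php
<?php
// Added example for a hypothetical Drupal 7 module named "ldap_prune": walk the
// users table in batches on each cron run and delete accounts whose username
// no longer exists in LDAP. Host, base DN and bind DN below are placeholders.

define('LDAP_PRUNE_BATCH', 200);

function ldap_prune_cron() {
  $ldap = ldap_connect('ldaps://ldap.example.edu');
  ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
  // Fail closed: if the directory cannot be reached, delete nothing this run.
  if (!$ldap || !@ldap_bind($ldap, 'cn=drupal-reader,dc=example,dc=edu',
                            variable_get('ldap_prune_bind_pw', ''))) {
    watchdog('ldap_prune', 'LDAP bind failed; skipping this run.', array(), WATCHDOG_ERROR);
    return;
  }

  // Resume where the previous run stopped; uid 0 and uid 1 are never examined.
  $last_uid = variable_get('ldap_prune_last_uid', 1);
  $result = db_select('users', 'u')
    ->fields('u', array('uid', 'name'))
    ->condition('u.uid', $last_uid, '>')
    ->orderBy('u.uid')
    ->range(0, LDAP_PRUNE_BATCH)
    ->execute();

  $seen = 0;
  foreach ($result as $account) {
    $seen++;
    $last_uid = $account->uid;
    // Escape the username so a crafted Drupal name cannot alter the LDAP filter.
    $filter = '(uid=' . ldap_escape($account->name, '', LDAP_ESCAPE_FILTER) . ')';
    $search = @ldap_search($ldap, 'ou=people,dc=example,dc=edu', $filter, array('uid'));
    if ($search === FALSE) {
      // A search error is not evidence the user is gone; keep the account.
      watchdog('ldap_prune', 'LDAP search failed for %name',
               array('%name' => $account->name), WATCHDOG_WARNING);
      continue;
    }
    if (ldap_count_entries($ldap, $search) === 0) {
      watchdog('ldap_prune', 'Deleting uid %uid (%name): not found in LDAP',
               array('%uid' => $account->uid, '%name' => $account->name), WATCHDOG_NOTICE);
      user_delete($account->uid);
    }
  }
  // Start over from the top once the whole table has been walked.
  variable_set('ldap_prune_last_uid', $seen < LDAP_PRUNE_BATCH ? 1 : $last_uid);
  ldap_unbind($ldap);
}
```

Because the search and delete are logged through watchdog(), each removal leaves an audit trail that can be reconciled against the directory if an account is pruned unexpectedly.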
Comment #2
metzlerd commented
See #619422: CAS session check for one user's story regarding this.
Another option is to look at project/inactive_user to remove inactive accounts periodically. Since CAS stops you from logging in, this is the approach; removing inactive users might be just as good as removing those who no longer get CAS authed.
Dave
Comment #3
donn-1 commented
We actually want to avoid that. It is important to know who the user is, but not important to store any details besides their activity (which is exported from MySQL and integrated into a reporting application). We currently do this via forms authentication in .NET + CAS and it works wonderfully.
This might work, since we know all users will no longer be in the system (almost guaranteed) after 5 years, and if they are we could simply recreate them. Thank you.