diff --git a/plugins/CasAuthentication/CasAuthenticationPlugin.php b/plugins/CasAuthentication/CasAuthenticationPlugin.php
index cf0bf4ac52..02ed4cb166 100644
--- a/plugins/CasAuthentication/CasAuthenticationPlugin.php
+++ b/plugins/CasAuthentication/CasAuthenticationPlugin.php
@@ -40,6 +40,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
     public $port = 443;
     public $path = '';
     public $takeOverLogin = false;
+    public $user_whitelist = null;
 
     function checkPassword($username, $password)
     {
@@ -145,6 +146,7 @@ class CasAuthenticationPlugin extends AuthenticationPlugin
         $casSettings['port']=$this->port;
         $casSettings['path']=$this->path;
         $casSettings['takeOverLogin']=$this->takeOverLogin;
+        $casSettings['user_whitelist']=$this->user_whitelist;
     }
 
     function onPluginVersion(array &$versions)
diff --git a/plugins/CasAuthentication/README b/plugins/CasAuthentication/README
index c17a28e54a..2e770a0867 100644
--- a/plugins/CasAuthentication/README
+++ b/plugins/CasAuthentication/README
@@ -24,6 +24,11 @@ path (): Path on the server to CAS. Usually blank.
 takeOverLogin (false): Take over the main login action. If takeOverLogin is
     set, anytime the standard username/password login form would be shown,
     a CAS login will be done instead.
+user_whitelist (null): Only allow login via CAS for users listed in this
+    array. This is useful when both CAS and password authentication is enabled
+    and there is a mismatch between some GNU social account names and CAS user
+    names. This prevents CAS users from logging in as someone else on GNU
+    social. When set to null, no CAS logins are filtered by this feature.
 
 * required
 default values are in (parenthesis)
diff --git a/plugins/CasAuthentication/actions/caslogin.php b/plugins/CasAuthentication/actions/caslogin.php
index 7310072d92..9250b43b7a 100644
--- a/plugins/CasAuthentication/actions/caslogin.php
+++ b/plugins/CasAuthentication/actions/caslogin.php
@@ -41,6 +41,11 @@ class CasloginAction extends Action
                 $this->serverError(_m('Incorrect username or password.'));
             }
 
+            if ($casSettings['user_whitelist'] != null && !in_array($user->nickname, $casSettings['user_whitelist'])) {
+                // TRANS: Server error displayed when trying to log in with non-whitelisted user name (when whitelists are enabled.)
+                $this->serverError(_m('Incorrect username or password.'));
+            }
+
             // success!
             if (!common_set_user($user)) {
                 // TRANS: Server error displayed when login fails in CAS authentication plugin.