directory-dev mailing list archives

From "Endi Sukma Dewata" <end...@vergenet.com>
Subject Custom authentication
Date Tue, 15 Feb 2005 22:52:04 GMT
Hi,

I have a question about implementing custom authentication on ApacheDS. I
understand that currently authentication is handled at the Interceptor level
by the AuthenticationService which in version 0.8 only supports plain text
password. The way it works now is that it will look up the userPassword
value from the backend partition and compare it with the user supplied
password.

In our virtual directory product we have a need to be able to perform
authentication against different types of servers such as NT server, LDAP
server, etc., most of which do not give you back the stored password,
not even the hash value. In other words, there is nothing to compare with
the user supplied password. The question is, if we integrate the virtual
directory as a backend in ApacheDS, how should I handle this kind of
authentication?

One way is to add a custom authentication Interceptor into the pipeline of
Interceptors. However, I don't think that this would work as long as
AuthenticationService is still in the pipeline too. This is because the
AuthenticationService will get invoked anyway, regardless of the order of
invocation. When it gets to that point, it will still try to get the
userPassword from the backend, compare it the old way, and throw an
exception since the userPassword is not present, so the whole operation will
still fail anyway.

Another way is to replace the AuthenticationService altogether with the
custom authentication, but I don't think we want to do this.

In my opinion, the authentication should be delegated to the backend
partition. So, instead of calling the lookup() method, the AuthenticationService
should call something like bind() and pass the user supplied password as-is
to the backend. The backend knows how to work with the password, whether to
compare it directly or to perform a login operation.

Any advice would be very appreciated. Thank you very much.

--
Endi S. Dewata
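The delegated bind that the message proposes, sketched as an added example that is not part of this thread and not ApacheDS code. The Partition, LocalPartition, DelegatingPartition and AuthenticationInterceptor types are hypothetical stand-ins for the interceptor and the backend partitions, and the "remote" login is a constructed predicate. The local partition stores a salted SHA-256 hash and compares it in constant time; the delegating partition has no secret to read back and can only ask the remote side to log in, which is the situation the message describes. The interceptor never touches userPassword itself: it hands the client's credentials to whichever partition owns the DN.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiPredicate;

public class DelegatedBindExample { // hypothetical types, not ApacheDS classes

    static class AuthenticationException extends Exception { AuthenticationException(String m) { super(m); } }

    /** Partition contract: the client's credentials go in and the partition decides. */
    abstract static class Partition {
        final String suffix;
        Partition(String suffix) { this.suffix = suffix; }
        abstract void bind(String dn, byte[] credentials) throws AuthenticationException;
    }

    /** Partition that keeps salted SHA-256 hashes and compares locally. */
    static class LocalPartition extends Partition {
        private final Map<String, byte[]> salts = new HashMap<>();
        private final Map<String, byte[]> hashes = new HashMap<>();
        LocalPartition(String suffix) { super(suffix); }
        /** Store only salt and SHA-256(salt || password); the clear text is never kept. */
        void addUser(String dn, String password) {
            byte[] salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            salts.put(dn, salt);
            hashes.put(dn, digest(salt, password.getBytes(StandardCharsets.UTF_8)));
        }

        void bind(String dn, byte[] credentials) throws AuthenticationException {
            byte[] expected = hashes.get(dn);
            // Hash even for unknown users so a missing entry is less obvious from timing.
            byte[] actual = digest(salts.getOrDefault(dn, new byte[16]), credentials);
            // MessageDigest.isEqual compares equal-length arrays in constant time.
            if (expected == null || !MessageDigest.isEqual(expected, actual)) {
                throw new AuthenticationException("invalid credentials for " + dn);
            }
        }
        private static byte[] digest(byte[] salt, byte[] password) {
            try {
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                md.update(salt);
                return md.digest(password);
            } catch (java.security.NoSuchAlgorithmException e) {
                throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
            }
        }
    }

    /** Partition with no stored secret to read back: it can only ask the remote side to log in. */
    static class DelegatingPartition extends Partition {
        private final BiPredicate<String, byte[]> remoteLogin;
        DelegatingPartition(String suffix, BiPredicate<String, byte[]> remoteLogin) {
            super(suffix);
            this.remoteLogin = remoteLogin;
        }
        void bind(String dn, byte[] credentials) throws AuthenticationException {
            if (!remoteLogin.test(dn, credentials)) {
                throw new AuthenticationException("remote login rejected " + dn);
            }
        }
    }

    /** Stand-in for the authentication interceptor: it never reads userPassword itself. */
    static class AuthenticationInterceptor {
        private final Map<String, Partition> partitions = new HashMap<>();
        void register(Partition p) { partitions.put(p.suffix, p); }
        void bind(String dn, byte[] credentials) throws AuthenticationException {
            for (Partition p : partitions.values()) {
                if (dn.endsWith(p.suffix)) {
                    p.bind(dn, credentials); // delegate: the partition knows how to verify
                    return;
                }
            }
            throw new AuthenticationException("no partition for " + dn);
        }
    }

    public static void main(String[] args) throws AuthenticationException {
        LocalPartition local = new LocalPartition("dc=local,dc=example");
        local.addUser("uid=alice,dc=local,dc=example", "correct horse");
        // Constructed stand-in for an external login call: it accepts exactly one pair.
        BiPredicate<String, byte[]> fakeRemote = (dn, cred) -> dn.equals("uid=bob,dc=remote,dc=example")
            && MessageDigest.isEqual(cred, "battery staple".getBytes(StandardCharsets.UTF_8));
        AuthenticationInterceptor auth = new AuthenticationInterceptor();
        auth.register(local);
        auth.register(new DelegatingPartition("dc=remote,dc=example", fakeRemote));
        auth.bind("uid=alice,dc=local,dc=example", "correct horse".getBytes(StandardCharsets.UTF_8));
        auth.bind("uid=bob,dc=remote,dc=example", "battery staple".getBytes(StandardCharsets.UTF_8));
        try {
            auth.bind("uid=alice,dc=local,dc=example", "wrong".getBytes(StandardCharsets.UTF_8));
        } catch (AuthenticationException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DelegatedBindExample.java && java DelegatedBindExample`. The point of the shape is that the interceptor's contract is "verify these credentials", not "give me the stored secret": a partition that fronts a server which never returns the password can still satisfy it. A single salted SHA-256 is used here only to keep the example short; a real local password store would use a purpose-built slow password hash such as PBKDF2, bcrypt, scrypt or Argon2.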