directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Karasulu <>
Subject Re: Custom authentication
Date Tue, 15 Feb 2005 23:35:58 GMT
I'm going to looking into it soon. Dealing with some issues right now 
but will get back to you.


Endi Sukma Dewata wrote:

> Hi,
> I have a question about implementing custom authentication on 
> ApacheDS. I understand that currently authentication is handled at the 
> Interceptor level by the AuthenticationService which in version 0.8 
> only supports plain text password. The way it works now is that it 
> will look up the userPassword value from the backend partition and 
> compare it with the user supplied password.
> In our virtual directory product we have a need to be able to perform 
> authentication against different types of servers such as NT server, 
> LDAP server, etc., that most of which do not give you back the stored 
> password, not even the hash value. In other words, there is nothing to 
> compare with the user supplied password. The question is, if we 
> integrate the virtual directory as a backend in ApacheDS, how should I 
> handle this kind of authentication?
> One way is to add a custom authentication Interceptor into the 
> pipeline of Interceptors. However, I don’t think that this would work 
> as long as AuthenticationService is still in the pipeline too. This is 
> because the AuthenticationService will get invoked anyway, regardless 
> of the order of invocation. When it gets to that point, it will still 
> try to get the userPassword from the backend, compare it the old way, 
> and throw an exception since the userPassword is not present, so the 
> whole operation will still fail anyway.
> Another way is to replace the AuthenticationService altogether with 
> the custom authentication, but I don’t think we want to do this.
> In my opinion, the authentication should be delegated to the backend 
> partition. So, instead of calling lookup() method, the 
> AuthenticationService should call something like bind() and pass the 
> user supplied password as-is to the backend. The backend knows how to 
> work with the password, whether to compare it directly or to perform a 
> login operation.
> Any advice would be very appreciated. Thank you very much.
> --
> Endi S. Dewata

View raw message