directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Ayyagari <>
Subject Re: [ApacheDS] changes to Authenticator interface for password policy
Date Thu, 01 Jul 2010 08:20:32 GMT
On Thu, Jul 1, 2010 at 1:37 PM, Emmanuel Lecharny <> wrote:
> On Wed, Jun 30, 2010 at 4:16 PM, Kiran Ayyagari <>
> wrote:
>> hello guys,
>>  Its been a while since I started working on implementing password
>> policy[1].
>>  Here are a few things I wanted to let you know about the implementation
>>   1. The PasswordPolicyInterceptor cannot be used to enforce this
>> policy cause we need access to the
>>       userpassword and other special attributes before the
>> authentication process starts, so am removing this
>>       interceptor
> You can access those elements in the intereceptor : the modified entry is
> already loaded when the interceptor is processed (we do a load of all the
> modified entry fields before going through the chain).
we have access to the entry but we need them before we start
authenticaing, (more below..)

> I'm not sure that removing the interceptor is necessary at this point.
IMO this interceptor has no use anymore as the functionality is gonna
be present in
AuthenticationInterceptor (more below..)
>>   2. Am planning to make some changes to the Authenticator interface
>> to inject the password policy configuration
>>       so that the authenticator can have access to this config which
>> needs to be used to determine whether a
>>       user can be authenticated based on the policy state information
>> present in the user's entry.
> The authentication is not impacted by the passwordPolicy AFAICT.
it gets impacted in cases like
 a. expired password
 b. locked account
in both of these cases we refuse to authenticate the user
(irrespective of the passed credentials)
> PP is a matter of controlling that the password respect some conditions when
> added or modified (it's controlled for the Add and Modify operation only).
> Otherwise, the PP is transparent.
it is not just add and modify but also the bind, cause this is where
we handle the above
mentioned cases so the best place to have this policy implementation is the
AuthenticationInterceptor and in the AbstractAuthenticator(for
checking the locked or expired
passwords before authenticating).

Kiran Ayyagari

View raw message