From: Emmanuel Lecharny
To: Apache Directory Developers List
Date: Thu, 1 Jul 2010 10:07:09 +0200
Subject: Re: [ApacheDS] changes to Authenticator interface for password policy

On Wed, Jun 30, 2010 at 4:16 PM, Kiran Ayyagari wrote:

> hello guys,
>
> It's been a while since I started working on implementing password
> policy[1].
>
> Here are a few things I wanted to let you know about the implementation
>
> 1. The PasswordPolicyInterceptor cannot be used to enforce this
>    policy cause we need access to the
>    userpassword and other special attributes before the
>    authentication process starts, so am removing this
>    interceptor

You can access those elements in the interceptor: the modified entry is already loaded when the interceptor is processed (we do a load of all the modified entry fields before going through the chain).

I'm not sure that removing the interceptor is necessary at this point.

> 2. Am planning to make some changes to the Authenticator interface
>    to inject the password policy configuration
>    so that the authenticator can have access to this config which
>    needs to be used to determine whether a
>    user can be authenticated based on the policy state information
>    present in the user's entry.

The authentication is not impacted by the passwordPolicy AFAICT.
PP is a matter of controlling that the password respects some conditions when added or modified (it's controlled for the Add and Modify operations only). Otherwise, the PP is transparent.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
