directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lecharny <>
Subject Re: Delegation of Authentication
Date Tue, 16 Nov 2010 16:35:21 GMT
On 11/16/10 5:24 PM, Antoine Levy-Lambert wrote:
>  Hi,
> I am going to start today writing an implementation of the delegation 
> of authentication. Once I will have written something that works I 
> will attach my code to JIRA [1].
Great !
> I plan to use the JNDIRealm [2] [3] of tomcat as a reference to know 
> how to configure and implement the delegation of authentication.
What would be better is to use the Apache LDAP API which is available 
and works pretty well at this point. It's available in the 
client-ldap-api project.
> Funny, I thought that perhaps there was a magic LDAP API to know 
> whether a password is valid and it turns out that JNDIRealm actually 
> binds the user to the target LDAP server to find out whether his/her 
> credentials are valid.
There is no way to check that a password is valid. Passwords aren't 
stored in the server, we just keep a Hash value. So you have to compare 
the hashed value of the Password you just got with the stored hashed 
value of the user's password. This is done internally in the server, so 
the best solution is always to do a bind, which handle the comparison 
(including the selection of the algorithm) with the stored hashed value.
> What would be the steps to implement this ? I guess I should start by 
> listing the attributes needed to do this delegation of authentication, 
> then create a new object class in the adsconfig schema, for instance 
> adsAuthDelegation and the corresponding attribute types for instance 
> adsAuthDelegationURL.
The problem is mostly to know when to call the remote server. If you can 
know that a user credential is not managed by the server, then you can 
do a bind to the remote server and if it succeed, bind the user locally. 
All of this should be done in the AuthenticationInterceptor, in the 
BindMethod, by adding a specific Authenticator. Sadly, we don't 
currently have a way to tell that a user should be authenticated outside 
of the server, so we try all the existing authenticator until at least 
one authenticate the user.

But OTOH, that just means you simply have to implement an Authenticator 
and add it into the configuration, possibly putting it at first place in 
the Authenticator list.

I hope I'm not 100% wrong, but checking the current code, it seems I'm 
not totally off base...

Anyway, I'll be around to give an hand if needed.

Emmanuel L├ęcharny

View raw message