From Alex Karasulu <akaras...@apache.org>
Subject Re: Writing a specific Authenticator, and add some configuration for iy
Date Fri, 19 Nov 2010 10:49:48 GMT
On Fri, Nov 19, 2010 at 12:43 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:

> On Fri, Nov 19, 2010 at 12:37 PM, Alex Karasulu <akarasulu@apache.org>
> wrote:
> >
> >
> > On Fri, Nov 19, 2010 at 12:29 PM, Kiran Ayyagari <kayyagari@apache.org>
> > wrote:
> >>
> >> On Fri, Nov 19, 2010 at 12:14 PM, Alex Karasulu <akarasulu@apache.org>
> >> wrote:
> >> > Hi Emmanuel, Antoine,
> >> >
> >> > On Fri, Nov 19, 2010 at 11:41 AM, Emmanuel Lecharny
> >> > <elecharny@gmail.com>
> >> > wrote:
> >> >>
> >> >> Hi guys,
> >> >>
> >> >> yesterday, we had an interesting convo with Antoine, about the
> >> >> definition
> >> >> of a dedicated Authenticator, and how to configure it.
> >> >>
> >> >
> >> > Excellent. Thanks for posting to the ML about it.
> >> >
> >> >>
> >> >> First, the Authenticator interface can be implemented but it's probably
> >> >> a better idea to extend the AbstractAuthenticator, as it brings some
> >> >> references to the underlying DirectoryService for free, plus some default
> >> >> implementations to init and dispose the Authenticator. One thing to take
> >> >> care of is the PasswordPolicy which can be enabled or disabled. We have
> >> >> to determine the best way to deal with this service.
> >> >>
> >> >
> >> > PasswordPolicy AFAICT is something that kicks in when updating or
> >> > creating a new password. This mechanism of delegating authentication to
> >> > some external authentication service, in this case AD, does not change
> >> > the password. Hence why I'm thinking we don't need to worry about PP.
> >> > Or am I missing something here?
> >> >
> >> PP also comes into the picture while performing bind and compare (of
> >> password) operations, e.g. to determine the number of failed
> >> authentication attempts, but all this makes sense only if the user
> >> entries are stored in the local server (ApacheDS in this case).
> >
> > Are we tracking login results (successes/failures) per user in their
> > profile (LDAP entry)?
> yes we do and these details are stored in the user entry itself
> > Are we tracking login attempts when the bind principal is non-existent
> > and if so where are we doing that?
> we cannot, if we don't have the user entry locally on the server
> > We should also perhaps track the last IP where the login occurred to
> > prevent those trying to dictionary attack via some account but this is
> > not so much related to PP.
> >>
> yeah


We probably need to be logging all this stuff centrally as well as on a per
user basis. Per user basis for PP to correlate with the bind principal but
overall we need to be tracking what's going on when authentication is being
done in all its forms especially now that we're opening the door wider
with this delegation thing.

Opening door wider => More security concerns.

-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu
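The thread settles on two views of the same bind events: per-user counters that the PasswordPolicy can keep on a local entry, and a central log that also captures binds against principals that do not exist locally plus the source IP of each attempt. The following is an added illustration of that design, not ApacheDS code and not something any participant posted; the class and field names, thresholds and the replayed bind attempts are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class BindAttempt:
    """One bind attempt as an authenticator could report it (hypothetical shape)."""
    when: datetime
    principal: str          # bind DN presented by the client
    source_ip: str          # where the bind came from
    success: bool
    principal_exists: bool  # False when there is no local entry for the principal


class AuthAuditTracker:
    """Keeps both views the thread asks for:
    - per_user: counters and last source IP, only for principals that exist
      locally (what a PasswordPolicy can store on the entry itself)
    - central_log: every attempt, so unknown principals and failures spread
      across many accounts from one source remain visible."""

    def __init__(self, max_failures: int = 5, window: timedelta = timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self.central_log: List[BindAttempt] = []
        self.per_user: Dict[str, dict] = defaultdict(
            lambda: {"failures": 0, "last_ip": None, "last_success": None}
        )

    def record(self, attempt: BindAttempt) -> None:
        self.central_log.append(attempt)          # central view: every attempt
        if not attempt.principal_exists:
            return                                # no entry, so no per-user record
        rec = self.per_user[attempt.principal]
        rec["last_ip"] = attempt.source_ip
        if attempt.success:
            rec["failures"] = 0                   # a good bind resets the counter
            rec["last_success"] = attempt.when
        else:
            rec["failures"] += 1

    def is_locked(self, principal: str) -> bool:
        rec = self.per_user.get(principal)
        return rec is not None and rec["failures"] >= self.max_failures

    def _recent_failures(self, now: datetime) -> List[BindAttempt]:
        cutoff = now - self.window
        return [a for a in self.central_log if not a.success and a.when >= cutoff]

    def unknown_principal_failures(self, now: datetime) -> int:
        """Failures the per-user view cannot see at all."""
        return sum(1 for a in self._recent_failures(now) if not a.principal_exists)

    def failures_by_source(self, now: datetime) -> Dict[str, int]:
        counts: Dict[str, int] = defaultdict(int)
        for a in self._recent_failures(now):
            counts[a.source_ip] += 1
        return dict(counts)

    def suspicious_sources(self, now: datetime) -> List[str]:
        """Sources whose failures across all principals reach the threshold."""
        return sorted(ip for ip, n in self.failures_by_source(now).items()
                      if n >= self.max_failures)


SAMPLE_NOW = datetime(2010, 11, 19, 10, 2, 0)
BASE = "ou=users,dc=example,dc=com"


def build_sample_tracker() -> AuthAuditTracker:
    """Replays a constructed sequence of bind attempts (not real server logs)."""
    t0 = datetime(2010, 11, 19, 10, 0, 0)
    tracker = AuthAuditTracker(max_failures=3, window=timedelta(minutes=10))
    attempts = [
        # legitimate user: one typo, then success
        BindAttempt(t0, f"uid=alice,{BASE}", "10.0.0.5", False, True),
        BindAttempt(t0 + timedelta(seconds=20), f"uid=alice,{BASE}", "10.0.0.5", True, True),
        # one source trying many accounts once each: two existing, two unknown
        BindAttempt(t0 + timedelta(minutes=1), f"uid=bob,{BASE}", "203.0.113.9", False, True),
        BindAttempt(t0 + timedelta(minutes=1, seconds=5), f"uid=carol,{BASE}", "203.0.113.9", False, True),
        BindAttempt(t0 + timedelta(minutes=1, seconds=10), f"uid=admin,{BASE}", "203.0.113.9", False, False),
        BindAttempt(t0 + timedelta(minutes=1, seconds=15), f"uid=root,{BASE}", "203.0.113.9", False, False),
        # an old failure outside the window, which must not count
        BindAttempt(t0 - timedelta(hours=1), f"uid=dave,{BASE}", "198.51.100.2", False, True),
    ]
    for a in attempts:
        tracker.record(a)
    return tracker


def summarize(tracker: AuthAuditTracker, now: datetime) -> dict:
    return {
        "locked_users": sorted(p for p in tracker.per_user if tracker.is_locked(p)),
        "unknown_principal_failures": tracker.unknown_principal_failures(now),
        "failures_by_source": tracker.failures_by_source(now),
        "suspicious_sources": tracker.suspicious_sources(now),
    }


if __name__ == "__main__":
    print(summarize(build_sample_tracker(), SAMPLE_NOW))
```

With the replayed attempts no single user reaches the lockout threshold, so the per-entry counters alone would report nothing, while the central view shows one source with four recent failures and two binds against principals that have no local entry. That is the gap Alex's reply points at: once authentication is delegated, the server still needs its own record of every attempt, not just what fits in the user's entry.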
