On Fri, Nov 19, 2010 at 12:43 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> On Fri, Nov 19, 2010 at 12:37 PM, Alex Karasulu <akarasulu@apache.org> wrote:
> >
> > On Fri, Nov 19, 2010 at 12:29 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> >>
> >> On Fri, Nov 19, 2010 at 12:14 PM, Alex Karasulu <akarasulu@apache.org> wrote:
> >> > Hi Emmanuel, Antoine,
> >> >
> >> > On Fri, Nov 19, 2010 at 11:41 AM, Emmanuel Lecharny <elecharny@gmail.com> wrote:
> >> >>
> >> >> Hi guys,
> >> >>
> >> >> yesterday, we had an interesting convo with Antoine, about the definition
> >> >> of a dedicated Authenticator, and how to configure it.
> >> >>
> >> >
> >> > Excellent. Thanks for posting to the ML about it.
> >> >
> >> >>
> >> >> First, the Authenticator interface can be implemented but it's probably a
> >> >> better idea to extend the AbstractAuthenticator, as it brings some
> >> >> references to the underlying DirectoryService for free, plus some default
> >> >> implementations to init and dispose the Authenticator. One thing to take
> >> >> care of is the PasswordPolicy which can be enabled or disabled. We have to
> >> >> determine the best way to deal with this service.
> >> >>
> >> >
> >> > PasswordPolicy AFAICT is something that kicks in when updating or creating a
> >> > new password. This mechanism of delegating authentication to some external
> >> > authentication service, in this case AD, does not change the password. Hence
> >> > why I'm thinking we don't need to worry about PP.
> >> > Or am I missing something here?
> >> >
> >> PP also comes into the picture while performing bind and compare (of
> >> password) operations, e.g. to determine the number of failed authentication
> >> attempts, but all this makes sense only if the user entries are stored in the
> >> local server (ApacheDS in this case).
> >
> > Are we tracking login results (successes/failures) per user in their profile
> > (LDAP entry)?
> yes we do and these details are stored in the user entry itself
> > Are we tracking login attempts when the bind principal is non-existent and
> > if so where are we doing that?
> we cannot, if we don't have the user entry locally on the server
> > We should also perhaps track the last IP where
> > the login occurred to prevent those trying to dictionary attack via some
> > account but this is not so much related to PP.
> >>
> yeah

We probably need to be logging all this stuff centrally as well as on a per user basis. Per user basis for PP to correlate with the bind principal, but overall we need to be tracking what's going on when authentication is being done in all its forms, especially now that we're opening the door wider with this delegation thing.

Opening door wider => More security concerns.

--
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu
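The thread above makes two points that a per-entry password policy cannot cover on its own: failed binds against a principal that has no local entry have nowhere to be recorded, and a dictionary attack spread across several accounts from one address never trips any single account's failure counter. The following is an added example of the "log everything centrally" side of that idea; it is not ApacheDS code and does not use its Authenticator or PasswordPolicy APIs. The event shape (bind DN, source IP, outcome, whether a local entry exists), the naming context `ou=users,dc=example,dc=com`, the sample events and the thresholds are all constructed for the demonstration.

```python
"""Central bind-audit tracking, written as an added example (not ApacheDS code).

Every bind attempt is kept in one central list, independent of any user
entry, so that failures against unknown principals and cross-account
guessing from a single source IP stay visible alongside the usual
per-principal failure count.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BindEvent:
    when: datetime
    principal: str          # bind DN exactly as the client presented it
    source_ip: str
    success: bool
    principal_exists: bool  # True if a local entry exists for this DN


class BindAuditLog:
    """Keeps every bind attempt centrally; counters are windowed by time."""

    def __init__(self, window=timedelta(minutes=10), max_failures=5):
        self.window = window              # how far back the counters look
        self.max_failures = max_failures  # failures before a principal is flagged
        self.events = []

    def record(self, event):
        self.events.append(event)

    def _recent(self, now):
        cutoff = now - self.window
        return [e for e in self.events if e.when >= cutoff]

    def failures_by_principal(self, now):
        counts = defaultdict(int)
        for e in self._recent(now):
            if not e.success:
                counts[e.principal] += 1
        return dict(counts)

    def locked_principals(self, now):
        """Principals at or over the failure threshold inside the window."""
        return sorted(p for p, n in self.failures_by_principal(now).items()
                      if n >= self.max_failures)

    def unknown_principal_failures(self, now):
        """Failed binds against DNs with no local entry, counted per source IP.
        A per-entry policy has nowhere to store these; only a central log sees them."""
        counts = defaultdict(int)
        for e in self._recent(now):
            if not e.success and not e.principal_exists:
                counts[e.source_ip] += 1
        return dict(counts)

    def spraying_sources(self, now, min_accounts=3):
        """Source IPs whose failures span at least min_accounts distinct DNs,
        which per-principal counters alone never add up."""
        targets = defaultdict(set)
        for e in self._recent(now):
            if not e.success:
                targets[e.source_ip].add(e.principal)
        return {ip: sorted(dns) for ip, dns in targets.items()
                if len(dns) >= min_accounts}

    def last_ip(self, principal):
        """Most recent source IP seen for a principal (any outcome), or None."""
        for e in reversed(self.events):
            if e.principal == principal:
                return e.source_ip
        return None


def dn(uid):
    return f"uid={uid},ou=users,dc=example,dc=com"  # constructed naming context


T0 = datetime(2010, 11, 19, 12, 0)
SAMPLE_NOW = T0 + timedelta(minutes=9)


def build_sample_log():
    """Constructed events: one stale failure, a burst against alice, then
    guesses from a second address across both known and unknown DNs."""
    def at(minutes):
        return T0 + timedelta(minutes=minutes)

    log = BindAuditLog()
    log.record(BindEvent(at(-90), dn("alice"), "10.0.0.5", False, True))  # outside window
    for n in range(1, 6):
        log.record(BindEvent(at(n), dn("alice"), "10.0.0.5", False, True))
    log.record(BindEvent(at(6), dn("nosuch1"), "10.0.0.9", False, False))
    log.record(BindEvent(at(6), dn("nosuch2"), "10.0.0.9", False, False))
    log.record(BindEvent(at(7), dn("bob"), "10.0.0.9", False, True))
    log.record(BindEvent(at(7), dn("carol"), "10.0.0.9", False, True))
    log.record(BindEvent(at(8), dn("alice"), "10.0.0.7", True, True))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("locked:", log.locked_principals(SAMPLE_NOW))
    print("unknown-DN failures by source:", log.unknown_principal_failures(SAMPLE_NOW))
    print("spraying sources:", log.spraying_sources(SAMPLE_NOW))
    print("last IP for alice:", log.last_ip(dn("alice")))
```

The per-principal counter flags only `alice`, which is what a per-entry password policy would also do; the central view additionally surfaces `10.0.0.9`, whose failures hit four different DNs, two of them non-existent, without any single account reaching the threshold. Keying the unknown-principal count by source IP rather than by DN is deliberate: there is no entry to attach it to, and the address is the only stable correlator left.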