From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Extending Authentication for Bind
Date Fri, 22 Feb 2013 09:38:40 GMT
On 2/22/13 9:11 AM, Kiran Ayyagari wrote:
> On Thu, Feb 21, 2013 at 11:29 PM, Emmanuel Lécharny <elecharny@gmail.com>wrote:
>
>> On 2/21/13 6:54 PM, Kiran Ayyagari wrote:
>>> On Thu, Feb 21, 2013 at 11:10 PM, Emmanuel Lécharny <elecharny@gmail.com
>>> wrote:
>>>
>>>> On 2/21/13 5:25 PM, Kiran Ayyagari wrote:
>>>>> I don't think we have such support right now, do we? Does that looping of
>>>>> authenticators make this a possibility?
>>>> I see that the Authenticator interface provides a checkPwdPolicy()
>>>> method:
>>>>     /**
>>>>      * Performs checks on the given entry based on the specified
>>>>      * password policy configuration
>>>>      *
>>>>      * @param userEntry the user entry to be checked for authentication
>>>>      * @throws PasswordPolicyException
>>>>      */
>>>>     void checkPwdPolicy( Entry userEntry ) throws LdapException;
>>>>
>>>> Why can't we do all the passwordPolicy checks in the authenticator,
>>>> instead of the interceptor ?
>>>>
>>>> The only pb is that we need the user entry at this point, but couldn't
>>>> we pass the BindContext, so for the checkPwdPolicy() to fetch the entry
>>>> from the DS instead ?
>>>>
>>>> Does it make sense ?
>>>>
>>> password policy is enforced not only during authentication but also
>>> after authentication and while doing modify operation
>> Absolutely, but here, I'm just mentioning the check when doing a bind.
>> Every other operation should be done in the interceptors.
>>
> we still need to perform several checks during and after authentication
> in the same bind operation
> so we cannot move this logic entirely to authenticators
>

The thing is that we may not need the entry to do those checks. If we
do, then it's a problem, because that means we can't delegate
authentication...

So we have to find a way to avoid requesting the entry.

What are the checks we need to do btw ? (I've not spent much time on
this part of the code...)

Thanks !

PS : Moving this discussion to the dev mailing list


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 

