directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Extending Authentication for Bind
Date Fri, 22 Feb 2013 11:34:31 GMT
On Fri, Feb 22, 2013 at 3:08 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> On 2/22/13 9:11 AM, Kiran Ayyagari wrote:
> > On Thu, Feb 21, 2013 at 11:29 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
> >
> >> On 2/21/13 6:54 PM, Kiran Ayyagari wrote:
> >>> On Thu, Feb 21, 2013 at 11:10 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
> >>>
> >>>> On 2/21/13 5:25 PM, Kiran Ayyagari wrote:
> >>>>> don't think we have such a support right now, do we? does that looping of
> >>>>> authenticators make this a possibility?
> >>>> I see that the Authenticator interface provides a checkPwdPolicy() method:
> >>>>     /**
> >>>>      *  performs checks on the given entry based on the specified password policy configuration
> >>>>      *
> >>>>      * @param userEntry the user entry to be checked for authentication
> >>>>      * @throws PasswordPolicyException
> >>>>      */
> >>>>     void checkPwdPolicy( Entry userEntry ) throws LdapException;
> >>>>
> >>>> Why can't we do all the passwordPolicy checks in the authenticator,
> >>>> instead of the interceptor ?
> >>>>
> >>>> The only pb is that we need the user entry at this point, but couldn't
> >>>> we pass the BindContext, so for the checkPwdPolicy() to fetch the entry
> >>>> from the DS instead ?
> >>>>
> >>>> Does it make sense ?
> >>>>
> >>> password policy is enforced not only during authentication but also after
> >>> authentication and while doing a modify operation
> >> Absolutely, but here, I'm just mentioning the check when doing a bind.
> >> Every other operation should be done in the interceptors.
> >>
> > we still need to perform several checks during and after authentication
> > in the same bind operation
> > so we cannot move this logic entirely to authenticators
> >
>
> The thing is that we may not need the entry to do those checks. If we
> do, then it's a problem, because that means we can't delegate
> authentication...
>

no we can bypass this by overriding the checkPwdPolicy() method (the
DelegatingAuthenticator does just that)

> So we have to find a way to avoid requesting the entry.
>
> What are the checks we need to do btw ? (I've not spent much time on
> this part of the code...)
>

it does password expiration, grace logins, locking/unlocking and checks
if the password is ready for use based on the activation time

> Thanks !
>
> PS : Moving this discussion to the dev mailing list
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>


-- 
Kiran Ayyagari
http://keydap.com
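The bind-time checks Kiran lists above (locking/unlocking, activation time, password expiration with grace logins), as a standalone model added here for illustration; this is not ApacheDS code, and the attribute and policy names (pwdAccountLockedTime, pwdLockoutDuration, pwdStartTime, pwdChangedTime, pwdMaxAge, pwdGraceAuthNLimit, pwdGraceUseTime) follow the LDAP password policy draft rather than any ApacheDS API. The dict inputs, the reason strings and the sample values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# draft-behera-ldap-password-policy marks an administratively locked account with this value.
ADMIN_LOCK_SENTINEL = "000001010000Z"

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_pwd_policy(entry, policy, now):
    """Bind-time checks the thread names: lockout, activation time, expiry with grace logins.

    entry  - dict standing in for the user Entry's pwd* operational attributes (constructed)
    policy - dict of pwdPolicy values: pwdLockoutDuration, pwdMaxAge (seconds), pwdGraceAuthNLimit
    now    - aware datetime taken as the bind time
    Returns (allowed, reason); the reason strings are constructed for this example.
    """
    # 1. Lockout: pwdLockoutDuration 0 means locked until an administrator resets it.
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is not None:
        duration = policy.get("pwdLockoutDuration", 0)
        if locked_at == ADMIN_LOCK_SENTINEL or duration == 0:
            return False, "accountLocked"
        if parse_generalized_time(locked_at) + timedelta(seconds=duration) > now:
            return False, "accountLocked"
        # Lockout window has elapsed: continue (a server would also clear the attribute here).

    # 2. Activation time: the password is not usable before pwdStartTime.
    start = entry.get("pwdStartTime")
    if start is not None and parse_generalized_time(start) > now:
        return False, "passwordNotYetActive"

    # 3. Expiry with grace logins: pwdChangedTime + pwdMaxAge has passed.
    max_age = policy.get("pwdMaxAge", 0)
    changed = entry.get("pwdChangedTime")
    if max_age and changed is not None:
        if parse_generalized_time(changed) + timedelta(seconds=max_age) <= now:
            grace_limit = policy.get("pwdGraceAuthNLimit", 0)
            grace_used = len(entry.get("pwdGraceUseTime", []))
            if grace_used < grace_limit:
                # This bind consumes one grace login; report how many remain after it.
                return True, "passwordExpired;graceRemaining=%d" % (grace_limit - grace_used - 1)
            return False, "passwordExpired"

    return True, "ok"

# Constructed sample inputs: bind time is this thread's date, 90-day max age, two grace logins.
SAMPLE_NOW = datetime(2013, 2, 22, 11, 34, 31, tzinfo=timezone.utc)
SAMPLE_POLICY = {"pwdMaxAge": 90 * 86400, "pwdGraceAuthNLimit": 2, "pwdLockoutDuration": 300}
```

Note that the lockout and activation checks need only the user's own pwd* attributes, which is the part of the discussion about whether the authenticator must fetch the full entry.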
