directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Delegated Authenti cation
Date Wed, 15 May 2013 10:24:19 GMT
Le 5/15/13 11:27 AM, Kiran Ayyagari a écrit :
> On Wed, May 15, 2013 at 1:43 PM, Emmanuel Lécharny <elecharny@gmail.com>wrote:
>
>> Hi guys,
>>
>> a quick heads up,
>>
>> I fixed the delegatedAuthentication for basic use cases. We now can have
>> a remote LDAP server to authenticate a user which is not present
>> locally, assuming the DelegatedAuthenticator is added in the
>> authenticator lists.
>>
>> It's very basic, still.
>>
>> What remains to be done, and I'm working on it, is to add SSL and
>> startTLS so that we cna safely authenticate to a remote server. I will
>> have to add some more parameters (like the TrustManager to use), and
>> most certainly differentiate SSL from StartTLS.
>>
>> One more thing to do : determinate when to use the
>> DelegatedAuthentication depending on the baseDN (ie, when the user is
>> present locally, we may still want to delegate the authn to a remote
>> server, and for that, we just expect the authenticator to be called
>> based on the user DN). This is slaightly more complicated, but it's
>> definitively doable.
>>
>> just curious why would this be complicated, if the searchBaseDn is already
> configured
> and the said user entry is below this then the authentication will be
> delegated no?

The thing is to determinate when to use the DelegatedAuthenticator. Atm,
we loop on all the existing authenticator, whatever the bindDn is.

This is where there is some kind of work to do, and I was thinking that
using the Administrative Model would be good, but later.
ATM, I will just use the BaseDN if there is one in each Authenticator
(otherwise it will be the full DIT).

The algo would be something like :

for each Authenticator
  if the bindDN is withing the authenticator search base DN
    then try to authenticate
  else
    next authenticator


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Mime
View raw message