directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pierre-Arnaud Marcelot ...@marcelot.net>
Subject Re: Delegated authentication
Date Thu, 16 May 2013 11:34:09 GMT
+1 as well.

Seems like a pretty good start.

Regards,
Pierre-Arnaud

On 10 mai 2013, at 11:16, Emmanuel L├ęcharny <elecharny@gmail.com> wrote:

> Hi guys,
> 
> we have a delegatedAuthenticator which is supposed to authenticate a
> user against an external LDAP server. It's not working.
> 
> In order to have it working, there are a few things that need to be
> fixed, and it depends on some decisions we have to make.
> 
> First, we have to agree on what means a delegated authentication. We
> have two options here :
> 1) The user is not known by the server, so we try to bind on a remote
> LDAP server and if it succeeds, we create a local session
> 2) The user is known by the local server, but we don't have an
> associated password, so we have to bind on another LDAP server (same
> process tahn for 1).
> 
> It's easier to deal with case 1, because we can immediately see if the
> user is present or not. In case 2, we will have to tell the local LDAP
> server when it should look into a remote server. This can be done in two
> ways :
> A) As for SASL bind, we define a search base DN, and every bind under
> this DN root will have to be authenticated by an external LDAP server
> B) Or we define an Administrative Area, and an associated subentry,
> which defines the scope of entries that are to authenticate on a remote
> LDAP server
> 
> I must say that the B option is appealing, as it offers way more
> possibilities. It's also more complex to implement and handle.
> 
> I would suggest we start with option A.
> 
> There is more to do : as it's about authenticating, the userPassword
> will be transmitted to the remote LDAP server. It *has* to be done
> through a secure connction (either LDAPS or through the user of a
> startTLS extended operation). In both cases, some configuration is needed.
> 
> I propose to implement option 2-A, with a secured connection configuration.
> 
> Thoughts ?
> 
> -- 
> Regards,
> Cordialement,
> Emmanuel L├ęcharny
> www.iktek.com 
> 


Mime
View raw message