directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Delegated authentication
Date Fri, 10 May 2013 09:29:00 GMT
+1


On Fri, May 10, 2013 at 2:46 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> Hi guys,
>
> we have a delegatedAuthenticator which is supposed to authenticate a
> user against an external LDAP server. It's not working.
>
> In order to have it working, there are a few things that need to be
> fixed, and it depends on some decisions we have to make.
>
> First, we have to agree on what a delegated authentication means. We
> have two options here:
> 1) The user is not known by the server, so we try to bind on a remote
> LDAP server and if it succeeds, we create a local session
> 2) The user is known by the local server, but we don't have an
> associated password, so we have to bind on another LDAP server (same
> process than for 1).
>
> It's easier to deal with case 1, because we can immediately see if the
> user is present or not. In case 2, we will have to tell the local LDAP
> server when it should look into a remote server. This can be done in two
> ways :
> A) As for SASL bind, we define a search base DN, and every bind under
> this DN root will have to be authenticated by an external LDAP server
> B) Or we define an Administrative Area, and an associated subentry,
> which defines the scope of entries that are to authenticate on a remote
> LDAP server
>
> I must say that the B option is appealing, as it offers way more
> possibilities. It's also more complex to implement and handle.
>
> I would suggest we start with option A.
>
> There is more to do : as it's about authenticating, the userPassword
> will be transmitted to the remote LDAP server. It *has* to be done
> through a secure connection (either LDAPS or through the use of a
> startTLS extended operation). In both cases, some configuration is needed.
>
> I propose to implement option 2-A, with a secured connection configuration.
>
> Thoughts ?
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Kiran Ayyagari
http://keydap.com
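The rule proposed in the quoted message (option 2-A: a user known locally but without a userPassword is authenticated by binding on a remote LDAP server, only for entries under a configured base DN, and only over LDAPS or StartTLS) can be sketched as a small decision routine. The following is an added illustration, not ApacheDS code: the names `RemoteConfig`, `DelegatedAuthenticator` and `FakeRemoteDirectory` are hypothetical, the DN normalisation is a simplification of RFC 4514, the local store and remote accounts are constructed sample data, and the remote simple bind is injected as a callable so the sketch runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import hmac

def normalize_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, lower-casing attribute types and values and
    trimming whitespace. Simplified: honours backslash-escaped commas but
    ignores multi-valued RDNs and the other escaping rules of RFC 4514."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep an escaped character verbatim
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        out.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return out

def is_under(dn: str, base: str) -> bool:
    """True when dn equals base or is a descendant of it (suffix match on RDNs)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

@dataclass(frozen=True)
class RemoteConfig:
    """Hypothetical remote-server settings (not an ApacheDS configuration bean)."""
    host: str
    port: int
    use_ldaps: bool = False
    use_start_tls: bool = False

    def is_secure(self) -> bool:
        return self.use_ldaps or self.use_start_tls

# A remote simple bind is "(config, dn, password) -> bool"; injected so the sketch runs offline.
RemoteBind = Callable[[RemoteConfig, str, str], bool]

class DelegatedAuthenticator:
    """Option 2-A: users exist locally; those without a userPassword that sit
    under delegation_base are authenticated by a bind on the remote server."""

    def __init__(self, local: Dict[str, Optional[str]], delegation_base: str,
                 remote: RemoteConfig, remote_bind: RemoteBind) -> None:
        # local: DN -> userPassword (None when the entry carries no password)
        self.local = {",".join(normalize_dn(k)): v for k, v in local.items()}
        self.delegation_base = delegation_base
        self.remote = remote
        self.remote_bind = remote_bind

    def authenticate(self, dn: str, password: str) -> str:
        key = ",".join(normalize_dn(dn))
        if key not in self.local:
            return "invalid-credentials"          # unknown user: not delegated under 2-A
        stored = self.local[key]
        if stored is not None:
            ok = hmac.compare_digest(stored.encode(), password.encode())
            return "local" if ok else "invalid-credentials"
        if not is_under(dn, self.delegation_base):
            return "invalid-credentials"          # no password and outside the delegated area
        if not self.remote.is_secure():
            return "rejected-insecure"            # never forward the password in clear text
        return "delegated" if self.remote_bind(self.remote, dn, password) else "invalid-credentials"

class FakeRemoteDirectory:
    """Constructed stand-in for the external LDAP server; records bind attempts."""
    def __init__(self, accounts: Dict[str, str]) -> None:
        self.accounts = {",".join(normalize_dn(k)): v for k, v in accounts.items()}
        self.calls: List[str] = []

    def bind(self, config: RemoteConfig, dn: str, password: str) -> bool:
        self.calls.append(dn)
        stored = self.accounts.get(",".join(normalize_dn(dn)))
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

# Constructed sample data for the demonstration.
LOCAL_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": "alice-local-pw",
    "uid=bob,ou=external,dc=example,dc=com": None,    # no userPassword: delegated
    "uid=carol,ou=people,dc=example,dc=com": None,    # no userPassword, outside the base DN
}
REMOTE_ACCOUNTS = {"uid=bob,ou=external,dc=example,dc=com": "bob-remote-pw"}
DELEGATION_BASE = "ou=external,dc=example,dc=com"

def build(secure: bool):
    """Wire an authenticator to the fake remote, with or without LDAPS configured."""
    remote = FakeRemoteDirectory(REMOTE_ACCOUNTS)
    cfg = RemoteConfig("ldap.partner.example", 636 if secure else 389, use_ldaps=secure)
    return DelegatedAuthenticator(LOCAL_ENTRIES, DELEGATION_BASE, cfg, remote.bind), remote

if __name__ == "__main__":
    auth, remote = build(secure=True)
    for dn, pw in [("uid=alice,ou=people,dc=example,dc=com", "alice-local-pw"),
                   ("UID=Bob, OU=External, DC=Example, DC=com", "bob-remote-pw"),
                   ("uid=carol,ou=people,dc=example,dc=com", "whatever")]:
        print(dn, "->", auth.authenticate(dn, pw))
```

The secure-connection check sits before the remote bind on purpose: with `use_ldaps` and `use_start_tls` both false the password is never handed to the remote bind at all, which is the configuration requirement the message insists on. The base-DN test uses a normalised RDN suffix match so that case and whitespace differences in the bind DN do not let an entry slip outside (or into) the delegated area.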
