directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Ayyagari <>
Subject Re: Writing a new authenticator
Date Tue, 18 Nov 2014 12:16:06 GMT
On Tue, Nov 18, 2014 at 6:37 PM, Paul Simpkins <>

> Hi there,
> I'm trying to work out what is needed to implement a new authenticator
> within ApacheDS. The reason for this is that we have a legacy user system
> which we're unable to migrate.
> I've looked at quite a few websites and I think that the process would be
> as follows :
> 1) Add an extra authenticator entry under
> ou=authenticators,ads-interceptorId=authenticationInterceptor,ou=interceptors
> This would need to be the last authenticator used to ensure that the LDAP
> DIT is first checked and if the user is not found then to check the legacy
> system
> 2) Create the code that will pass the provided username / password to the
> external system and pass back a success or failure condition
> Furthermore how will the password policy be used ? For example if the
> legacy user attempts to login and supplies the incorrect password 3 times
> and locks his account in the legacy system - how will the authenticator /
> ldap system handle that. Does it's own password policy come in to play or
> is it completely ignored ?
the best to make it work is to disable default(i.e global) password policy
and inject your custom

If password policy is still needed for the existing entries in DIT then
configure the policy using
'pwdPolicySubentry' attribute.

> I've found the DelegatingAuthenticator example code - but if I was to use
> that, what would the entry look like in the DIT ?
> here you can just create dummy DefaultEntry instance filled with person or
inetorgperson objectclass
MUST attributes with values mapped from your legacy system and return


> Regards
> Paul

Kiran Ayyagari

View raw message