directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel L├ęcharny <elecha...@gmail.com>
Subject [ApacheDS] Authenticator selection
Date Wed, 22 Apr 2015 10:08:14 GMT
Hi,

yesterday, we were hit by a bus, and it was expected for a very long
time. The way we handle authenticators is far from ebing perfect.

Here is the current code :

    public void bind( BindOperationContext bindContext ) throws
LdapException
    {
        ...
            for ( Authenticator authenticator : authenticators )
            {
                try
                {
                    // perform the authentication
                    LdapPrincipal principal =
authenticator.authenticate( bindContext );
                    ...

We have many instances of Authenticator :
- AnonymousAuthenticator
- DelegatingAuthenticator
- SimpleAuthenticator
- StrongAuthenticator

The list of authenticator we will use is determinated by the type of
requested authentication (one of none, simple, or strong). Here is the
list of the associated authentication we currently support.

Level     Authenticator
Simple -> SimpleAuthenticator, DelegatingAuthenticator
None   -> AnonymousAuthenticator
Strong -> StrongAuthenticator


As we can see, the 'Simple' bind will try two authenticator at least
(this is true for any authentication level, assuming some additional
Authenticator instance has been added for a specific level).

So how can we proceed ? Currently, we expect the authenticator to be
checked one after the other, even if it's a waste (typically, we will
try to do an authentication using the SimpleAuthenticator, even if the
Bind DN is part of the DelegatedAuthenticator area).

I think we should add a selector in the Authenticator interface, that
tells if the Authenticator instance has to be called or not. All in all,
we should *never* call two authenticator instances.

A method like :

    Authenticator selectAuthenticator( DN bindDn, AuthenticatorLevel level )

which would select the unique authenticator instance that will be used
to authenticate the session would be a good addition, IMO.

WDYT ?


Mime
View raw message