directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: [ApacheDS] Authenticator selection
Date Wed, 22 Apr 2015 10:15:12 GMT
On Wed, Apr 22, 2015 at 6:08 PM, Emmanuel Lécharny <elecharny@gmail.com>
wrote:

> Hi,
>
> yesterday, we were hit by a bus, and it was expected for a very long
> time. The way we handle authenticators is far from being perfect.
>
>
> Here is the current code :
>
>     public void bind( BindOperationContext bindContext ) throws LdapException
>     {
>         ...
>             for ( Authenticator authenticator : authenticators )
>             {
>                 try
>                 {
>                     // perform the authentication
>                     LdapPrincipal principal = authenticator.authenticate( bindContext );
>                     ...
>
> We have many instances of Authenticator :
> - AnonymousAuthenticator
> - DelegatingAuthenticator
> - SimpleAuthenticator
> - StrongAuthenticator
>
> The list of authenticators we will use is determined by the type of
> requested authentication (one of none, simple, or strong). Here is the
> list of the associated authentication we currently support.
>
> Level     Authenticator
> Simple -> SimpleAuthenticator, DelegatingAuthenticator
> None   -> AnonymousAuthenticator
> Strong -> StrongAuthenticator
>
>
> As we can see, the 'Simple' bind will try two authenticators at least
> (this is true for any authentication level, assuming some additional
> Authenticator instance has been added for a specific level).
>
> So how can we proceed ? Currently, we expect the authenticator to be
> checked one after the other, even if it's a waste (typically, we will
> try to do an authentication using the SimpleAuthenticator, even if the
> Bind DN is part of the DelegatingAuthenticator area).
>
> I think we should add a selector in the Authenticator interface, that
> tells if the Authenticator instance has to be called or not. All in all,
> we should *never* call two authenticator instances.
>
> A method like :
>
>     Authenticator selectAuthenticator( DN bindDn, AuthenticatorLevel level )
>
+1 this is indeed the right thing to do

> which would select the unique authenticator instance that will be used
> to authenticate the session would be a good addition, IMO.
>
> WDYT ?
>
>


-- 
Kiran Ayyagari
http://keydap.com
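To make the proposal concrete, here is an added, self-contained Java sketch of the selector idea; it is not ApacheDS code, and every name in it (AuthLevel, Authenticator, AuthenticatorRegistry, the three demo authenticators, the accepts() hook, the sample DNs and passwords) is constructed for illustration. The registry resolves a bind to exactly one authenticator by level and DN, so a DN in the delegated area is never tried against the local store first, and a failed bind is attributable to a single backend, which keeps failure counting and audit logging unambiguous. Precedence is simply registration order: DN-specific authenticators are registered before the catch-all one.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added example, not ApacheDS code: every type and value below is constructed.
public class AuthenticatorSelectionDemo {

    // The three bind levels named in the thread.
    enum AuthLevel { NONE, SIMPLE, STRONG }

    interface Authenticator {
        AuthLevel level();
        // Assumed selector hook: true when this instance owns the (normalized) bind DN.
        boolean accepts(String normalizedDn);
        // Returns the authenticated principal, or throws SecurityException on failure.
        String authenticate(String normalizedDn, String password);
    }

    // Minimal DN normalization so suffix matching is not fooled by case or spacing.
    static String normalize(String dn) {
        return dn.replaceAll("\\s*,\\s*", ",").trim().toLowerCase(Locale.ROOT);
    }

    // Constructed local credential store (DN -> password); a real server stores hashes.
    static final Map<String, String> LOCAL_USERS =
        Map.of("uid=alice,ou=people,dc=example,dc=com", "alice-secret");

    static final class AnonymousAuthenticator implements Authenticator {
        public AuthLevel level() { return AuthLevel.NONE; }
        public boolean accepts(String dn) { return dn.isEmpty(); }
        public String authenticate(String dn, String pw) { return "anonymous"; }
    }

    // Owns every DN under its base and forwards the bind to a remote server (simulated).
    static final class DelegatingAuthenticator implements Authenticator {
        private final String baseDn;
        DelegatingAuthenticator(String baseDn) { this.baseDn = normalize(baseDn); }
        public AuthLevel level() { return AuthLevel.SIMPLE; }
        public boolean accepts(String dn) { return dn.endsWith("," + baseDn); }
        public String authenticate(String dn, String pw) {
            // Stand-in for the remote bind result.
            if (!"remote-secret".equals(pw)) throw new SecurityException("remote bind failed");
            return dn;
        }
    }

    // Catch-all for simple binds against the local store.
    static final class SimpleAuthenticator implements Authenticator {
        public AuthLevel level() { return AuthLevel.SIMPLE; }
        public boolean accepts(String dn) { return !dn.isEmpty(); }
        public String authenticate(String dn, String pw) {
            String expected = LOCAL_USERS.get(dn);
            if (expected == null || !expected.equals(pw)) throw new SecurityException("invalid credentials");
            return dn;
        }
    }

    static final class AuthenticatorRegistry {
        // Registration order is precedence: specific authenticators before catch-all ones.
        private final List<Authenticator> authenticators = new ArrayList<>();
        void register(Authenticator a) { authenticators.add(a); }

        // The selector proposed in the thread: the single authenticator responsible
        // for this DN at this level, or null when nothing is responsible.
        Authenticator selectAuthenticator(String bindDn, AuthLevel level) {
            String dn = normalize(bindDn);
            for (Authenticator a : authenticators) {
                if (a.level() == level && a.accepts(dn)) return a;
            }
            return null;
        }

        // Exactly one authenticate() call per bind; no trial of the others.
        String bind(String bindDn, String password, AuthLevel level) {
            Authenticator a = selectAuthenticator(bindDn, level);
            if (a == null) throw new SecurityException("no authenticator for '" + bindDn + "' at " + level);
            return a.authenticate(normalize(bindDn), password);
        }
    }

    public static void main(String[] args) {
        AuthenticatorRegistry registry = new AuthenticatorRegistry();
        registry.register(new AnonymousAuthenticator());
        registry.register(new DelegatingAuthenticator("ou=remote,dc=example,dc=com"));
        registry.register(new SimpleAuthenticator());

        // Local user: SimpleAuthenticator is selected and succeeds.
        System.out.println(registry.bind("uid=alice,ou=people,dc=example,dc=com", "alice-secret", AuthLevel.SIMPLE));
        // Delegated area (case and spacing differ): only DelegatingAuthenticator is chosen.
        System.out.println(registry.selectAuthenticator("UID=Bob, OU=Remote, DC=Example, DC=Com", AuthLevel.SIMPLE)
            .getClass().getSimpleName());
        // Anonymous bind maps to the NONE level.
        System.out.println(registry.bind("", "", AuthLevel.NONE));
        // No StrongAuthenticator registered: the bind is rejected before any backend is called.
        try {
            registry.bind("uid=alice,ou=people,dc=example,dc=com", "", AuthLevel.STRONG);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The selectAuthenticator() signature here takes a String rather than the DN type in the proposal only to keep the example dependency-free; the point it demonstrates is that selection happens once, before any credentials are presented to a backend.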
