directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Extending Authentication for Bind
Date Fri, 22 Feb 2013 08:11:53 GMT
On Thu, Feb 21, 2013 at 11:29 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> On 2/21/13 6:54 PM, Kiran Ayyagari wrote:
> > On Thu, Feb 21, 2013 at 11:10 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
> >
> >> On 2/21/13 5:25 PM, Kiran Ayyagari wrote:
> >>> don't think we have such a support right now do we? is that looping of
> >>> authenticators makes this a possibility?
> >> I see that the Authenticator interface provides a checkPwdPolicy() method:
> >>
> >>     /**
> >>      * performs checks on the given entry based on the specified password policy configuration
> >>      *
> >>      * @param userEntry the user entry to be checked for authentication
> >>      * @throws PasswordPolicyException
> >>      */
> >>     void checkPwdPolicy( Entry userEntry ) throws LdapException;
> >>
> >> Why can't we do all the passwordPolicy checks in the authenticator,
> >> instead of the interceptor?
> >>
> >> The only pb is that we need the user entry at this point, but couldn't
> >> we pass the BindContext, so for the checkPwdPolicy() to fetch the entry
> >> from the DS instead?
> >>
> >> Does it make sense?
> >>
> > password policy is enforced not only during authentication but also after
> > authentication and while doing modify operation
>
> Absolutely, but here, I'm just mentioning the check when doing a bind.
> Every other operation should be done in the interceptors.
>
we still need to perform several checks during and after authentication
in the same bind operation
so we cannot move this logic entirely to authenticators

> Btw, I'm moving the PPolicy test which is in core-integ into
> server-integ, as it requires a LdapNetworkConnection, and not a
> LdapCoreSessionConnection.
>
+1

> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Kiran Ayyagari
http://keydap.com
