Posted to dev@directory.apache.org by Emmanuel Lécharny <el...@gmail.com> on 2015/04/22 12:08:14 UTC

[ApacheDS] Authenticator selection

Hi,

yesterday, we were hit by a bus, and it was expected for a very long
time. The way we handle authenticators is far from being perfect.

Here is the current code :

    public void bind( BindOperationContext bindContext ) throws LdapException
    {
        ...
            for ( Authenticator authenticator : authenticators )
            {
                try
                {
                    // perform the authentication
                    LdapPrincipal principal = authenticator.authenticate( bindContext );
                    ...

We have many instances of Authenticator :
- AnonymousAuthenticator
- DelegatingAuthenticator
- SimpleAuthenticator
- StrongAuthenticator

The list of authenticators we will use is determined by the type of
requested authentication (one of none, simple, or strong). Here is the
list of the associated authenticators we currently support.

Level     Authenticator
Simple -> SimpleAuthenticator, DelegatingAuthenticator
None   -> AnonymousAuthenticator
Strong -> StrongAuthenticator


As we can see, the 'Simple' bind will try two authenticators at least
(this is true for any authentication level, assuming some additional
Authenticator instance has been added for a specific level).

So how can we proceed? Currently, we expect the authenticators to be
checked one after the other, even if it's a waste (typically, we will
try to do an authentication using the SimpleAuthenticator, even if the
Bind DN is part of the DelegatedAuthenticator area).

I think we should add a selector in the Authenticator interface, that
tells if the Authenticator instance has to be called or not. All in all,
we should *never* call two authenticator instances.

A method like :

    Authenticator selectAuthenticator( DN bindDn, AuthenticatorLevel level )

which would select the unique authenticator instance that will be used
to authenticate the session would be a good addition, IMO.

WDYT ?


Re: [ApacheDS] Authenticator selection

Posted by Kiran Ayyagari <ka...@apache.org>.
On Wed, Apr 22, 2015 at 6:08 PM, Emmanuel Lécharny <el...@gmail.com>
wrote:

> Hi,
>
> yesterday, we were hit by a bus, and it was expected for a very long
> time. The way we handle authenticators is far from being perfect.
>
> Here is the current code :
>
>     public void bind( BindOperationContext bindContext ) throws LdapException
>     {
>         ...
>             for ( Authenticator authenticator : authenticators )
>             {
>                 try
>                 {
>                     // perform the authentication
>                     LdapPrincipal principal = authenticator.authenticate( bindContext );
>                     ...
>
> We have many instances of Authenticator :
> - AnonymousAuthenticator
> - DelegatingAuthenticator
> - SimpleAuthenticator
> - StrongAuthenticator
>
> The list of authenticators we will use is determined by the type of
> requested authentication (one of none, simple, or strong). Here is the
> list of the associated authenticators we currently support.
>
> Level     Authenticator
> Simple -> SimpleAuthenticator, DelegatingAuthenticator
> None   -> AnonymousAuthenticator
> Strong -> StrongAuthenticator
>
>
> As we can see, the 'Simple' bind will try two authenticators at least
> (this is true for any authentication level, assuming some additional
> Authenticator instance has been added for a specific level).
>
> So how can we proceed? Currently, we expect the authenticators to be
> checked one after the other, even if it's a waste (typically, we will
> try to do an authentication using the SimpleAuthenticator, even if the
> Bind DN is part of the DelegatedAuthenticator area).
>
> I think we should add a selector in the Authenticator interface, that
> tells if the Authenticator instance has to be called or not. All in all,
> we should *never* call two authenticator instances.
>
> A method like :
>
>     Authenticator selectAuthenticator( DN bindDn, AuthenticatorLevel level )
>
> +1 this is indeed the right thing to do

> which would select the unique authenticator instance that will be used
> to authenticate the session would be a good addition, IMO.
>
> WDYT ?
>
>


-- 
Kiran Ayyagari
http://keydap.com

Re: [ApacheDS] Authenticator selection

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 23/04/15 14:54, Emmanuel Lécharny wrote:
> On 22/04/15 19:08, Emmanuel Lécharny wrote:
>> On 22/04/15 18:31, Stefan Seelmann wrote:
>>> +1 to your suggestion.
>>>
>>> And please remove the AuthenticationInterceptorTest I added yesterday,
>>> probably it doesn't make too much sense.
>> Will do.
> Done.
>
> It's slightly more complex, as we may have more than one authenticator
> that may be selected. In this case, I use the one whose baseDN is an
> ancestor of the Bind DN, and the deepest one in any case.
>
>
I forgot to mention that I moved the ads-delegatedBaseDn attributeType
which was in the delegatingAuthenticator to the Authenticator
ObjectClass (renamed it ads-baseDn).

It also impacts the Bean classes (the ones used to create the server).

All in all, not really a simple modification, but not something complex.

Bottom line, all the Authenticators will have a baseDn from which they
will be activated (the default being the empty DN).

Re: [ApacheDS] Authenticator selection

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 22/04/15 19:08, Emmanuel Lécharny wrote:
> On 22/04/15 18:31, Stefan Seelmann wrote:
>> +1 to your suggestion.
>>
>> And please remove the AuthenticationInterceptorTest I added yesterday,
>> probably it doesn't make too much sense.
> Will do.

Done.

It's slightly more complex, as we may have more than one authenticator
that may be selected. In this case, I use the one whose baseDN is an
ancestor of the Bind DN, and the deepest one in any case.
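
The selection rule described in this message and in the original proposal (one authenticator per bind, chosen by level and by the deepest base DN that is an ancestor of the Bind DN, with the empty DN as default base), as an added Python model that is not ApacheDS code; the DN parser is a constructed simplification, and treating two candidates at the same depth as a configuration error is an assumption the thread does not state.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple

class AuthLevel(Enum):
    NONE = "none"
    SIMPLE = "simple"
    STRONG = "strong"

@dataclass(frozen=True)
class Authenticator:
    name: str
    level: AuthLevel
    base_dn: str = ""  # ads-baseDn; the empty DN activates it for every Bind DN

def parse_dn(dn: str) -> Tuple[str, ...]:
    """Normalised RDNs, leaf first. Constructed simplified parser: no RFC 4514 escaping."""
    dn = dn.strip()
    return tuple(rdn.strip().lower() for rdn in dn.split(",")) if dn else ()

def is_ancestor_or_self(base_dn: str, bind_dn: str) -> bool:
    """True when base_dn is the empty DN, equals bind_dn, or is a suffix of it."""
    base, bind = parse_dn(base_dn), parse_dn(bind_dn)
    return len(base) <= len(bind) and bind[len(bind) - len(base):] == base

def select_authenticator(authenticators: Sequence[Authenticator], bind_dn: str,
                         level: AuthLevel) -> Optional[Authenticator]:
    """Pick the single authenticator for this bind, or None when nothing matches.
    Thread rule: among authenticators of the requested level whose base DN is an
    ancestor of the Bind DN, the deepest wins. Assumption (not in the thread):
    a tie at the same depth is an ambiguous configuration and is rejected."""
    candidates = [a for a in authenticators
                  if a.level == level and is_ancestor_or_self(a.base_dn, bind_dn)]
    if not candidates:
        return None
    deepest = max(len(parse_dn(a.base_dn)) for a in candidates)
    best = [a for a in candidates if len(parse_dn(a.base_dn)) == deepest]
    if len(best) > 1:
        raise ValueError("ambiguous authenticators: " + ", ".join(a.name for a in best))
    return best[0]

# Constructed configuration mirroring the thread's Level/Authenticator table.
AUTHENTICATORS = (
    Authenticator("AnonymousAuthenticator", AuthLevel.NONE),
    Authenticator("SimpleAuthenticator", AuthLevel.SIMPLE),
    Authenticator("DelegatingAuthenticator", AuthLevel.SIMPLE, "ou=remote,dc=example,dc=com"),
    Authenticator("StrongAuthenticator", AuthLevel.STRONG),
)
```

With this rule a simple bind under ou=remote reaches only the DelegatingAuthenticator and any other simple bind only the SimpleAuthenticator, so the two are never tried in sequence.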



Re: [ApacheDS] Authenticator selection

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 22/04/15 18:31, Stefan Seelmann wrote:
> +1 to your suggestion.
>
> And please remove the AuthenticationInterceptorTest I added yesterday,
> probably it doesn't make too much sense.

Will do.

Thanks !


Re: [ApacheDS] Authenticator selection

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
+1 to your suggestion.

And please remove the AuthenticationInterceptorTest I added yesterday,
probably it doesn't make too much sense.

Kind Regards,
Stefan


On 04/22/2015 12:08 PM, Emmanuel Lécharny wrote:
> Hi,
> 
> yesterday, we were hit by a bus, and it was expected for a very long
> time. The way we handle authenticators is far from being perfect.
> 
> Here is the current code :
> 
>     public void bind( BindOperationContext bindContext ) throws LdapException
>     {
>         ...
>             for ( Authenticator authenticator : authenticators )
>             {
>                 try
>                 {
>                     // perform the authentication
>                     LdapPrincipal principal = authenticator.authenticate( bindContext );
>                     ...
> 
> We have many instances of Authenticator :
> - AnonymousAuthenticator
> - DelegatingAuthenticator
> - SimpleAuthenticator
> - StrongAuthenticator
> 
> The list of authenticators we will use is determined by the type of
> requested authentication (one of none, simple, or strong). Here is the
> list of the associated authenticators we currently support.
> 
> Level     Authenticator
> Simple -> SimpleAuthenticator, DelegatingAuthenticator
> None   -> AnonymousAuthenticator
> Strong -> StrongAuthenticator
> 
> 
> As we can see, the 'Simple' bind will try two authenticators at least
> (this is true for any authentication level, assuming some additional
> Authenticator instance has been added for a specific level).
> 
> So how can we proceed? Currently, we expect the authenticators to be
> checked one after the other, even if it's a waste (typically, we will
> try to do an authentication using the SimpleAuthenticator, even if the
> Bind DN is part of the DelegatedAuthenticator area).
> 
> I think we should add a selector in the Authenticator interface, that
> tells if the Authenticator instance has to be called or not. All in all,
> we should *never* call two authenticator instances.
> 
> A method like :
> 
>     Authenticator selectAuthenticator( DN bindDn, AuthenticatorLevel level )
> 
> which would select the unique authenticator instance that will be used
> to authenticate the session would be a good addition, IMO.
> 
> WDYT ?
>