Posted to users@directory.apache.org by Richard Scott <gr...@gmail.com> on 2010/01/06 22:39:01 UTC

Query re: installing custom authenticator

The documentation in the (1.5) Advanced User's Guide in section 2.4 for
"Writing a custom authenticator" asserts it is both out-of-date and that the
example configuration isn't correct.  I am certainly hoping that only means
the documentation isn't up-to-date rather than meaning it currently can't be
done.  If it can be done,  can some knowledgeable person please provide some
hints of what needs to be done.  Here is my specific quandary, and how I
naively thought I might circumvent it.

The essence of the problem that I'm trying to solve is that we use a
third-party product that can either use its own database for storing
credentials and user roles OR it can talk to an external provider via its
built-in LDAP (v3) client.  Company security policy dictates that it must
utilize the corporate "customer LDAP", but because of the believed need for
additional controls, this LDAP can be accessed only through a specific
[java] API.  So, my not-fully-baked idea was that I could set up Apache DS
and point the 3rd-party product at it, and then add a custom authenticator
which invoked the supplied API when the bind request was processed by Apache
DS.

If that doesn't sound too unreasonable, in the absence of current
documentation, can some kind soul suggest what the simplest approach to
accomplish that might be (including what to add to the server.xml file and
where it belongs)?  A simplification is that no search results are needed;
that is, all I need is a "pass/fail" on the authentication as this mechanism
will be used only for a specific "class" of users all of whom have the same
roles associated with their credentials.  Thus, I am hoping that I'm not
being overly optimistic in thinking it's just a simple bind which can either
succeed or barf.

All shared wisdom is greatly appreciated!

Richard

-- 
Outside of a dog, a book is man's best friend; inside of a dog, it's too
dark to read - Mark Twain

Re: Query re: installing custom authenticator

Posted by Richard Scott <gr...@gmail.com>.
Thanks, Kiran.  (I have heretofore largely avoided Spring as well ;~)

On Wed, Jan 6, 2010 at 11:48 PM, Kiran Ayyagari <ay...@gmail.com> wrote:

> hi Richard,
>
>
>
>> The essence of the problem that I'm trying to solve is that we use a
>> third-party product that can either use its own database for storing
>> credentials and user roles OR it can talk to an external provider via its
>> built-in LDAP (v3) client.  Company security policy dictates that it must
>> utilize the corporate "customer LDAP", but because of the believed need
>> for
>> additional controls, this LDAP can be accessed only through a specific
>> [java] API.  So, my not-fully-baked idea was that I could set up Apache DS
>> and point the 3rd-party product at it, and then add a custom authenticator
>> which invoked the supplied API when the bind request was processed by
>> Apache
>> DS.
>>
>
> It is certainly possible. Take a look at the various authenticators present
> under
> the package org.apache.directory.server.core.authn
>
> You need to write a custom authenticator and inject it in the server.xml
> replacing the
> <authenticationInterceptor/> tag
>
> <authenticationInterceptor>
>  <authenticators>
>    <!-- this authenticators property takes Set<Authenticator> -->
>    <set>
>     <bean id="myAuthenticator" class="my.auth.class.name">
>     </bean>
>    </set>
>  </authenticators>
> </authenticationInterceptor>
>
> PS:- am no spring expert so please double check about setting the value of
> <authenticators> using spring
>
> HTH
>
> Kiran Ayyagari
>



-- 
Outside of a dog, a book is man's best friend; inside of a dog, it's too
dark to read - Mark Twain

Re: Query re: installing custom authenticator

Posted by Kiran Ayyagari <ay...@gmail.com>.
hi Richard,

> 
> The essence of the problem that I'm trying to solve is that we use a
> third-party product that can either use its own database for storing
> credentials and user roles OR it can talk to an external provider via its
> built-in LDAP (v3) client.  Company security policy dictates that it must
> utilize the corporate "customer LDAP", but because of the believed need for
> additional controls, this LDAP can be accessed only through a specific
> [java] API.  So, my not-fully-baked idea was that I could set up Apache DS
> and point the 3rd-party product at it, and then add a custom authenticator
> which invoked the supplied API when the bind request was processed by Apache
> DS.

It is certainly possible. Take a look at the various authenticators present under
the package org.apache.directory.server.core.authn

You need to write a custom authenticator and inject it in the server.xml replacing the
<authenticationInterceptor/> tag

<authenticationInterceptor>
   <authenticators>
     <!-- this authenticators property takes Set<Authenticator> -->
     <set>
      <bean id="myAuthenticator" class="my.auth.class.name">
      </bean>
     </set>
   </authenticators>
</authenticationInterceptor>

PS:- am no spring expert so please double check about setting the value of <authenticators> using spring

HTH

Kiran Ayyagari
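
The pass/fail bind delegation discussed in this thread, as an added example that is not part of any message above and is not ApacheDS code. `CorporateAuthApi`, `DelegatingBindCheck`, the `uid=` naming and the DN suffix are hypothetical stand-ins; the decision logic would be called from whatever Authenticator class the ApacheDS release in use requires.

```java
import java.nio.charset.StandardCharsets;
import java.util.Locale;

/** Stand-in for the corporate credential API (hypothetical, not a real library). */
interface CorporateAuthApi {
    boolean verify(String userId, byte[] password) throws Exception;
}

/** Pass/fail bind decision; all names are hypothetical, not ApacheDS types. */
public class DelegatingBindCheck {
    private final CorporateAuthApi api;
    private final String allowedSuffix; // only this class of users is delegated

    public DelegatingBindCheck(CorporateAuthApi api, String allowedSuffix) {
        this.api = api;
        this.allowedSuffix = allowedSuffix.toLowerCase(Locale.ROOT);
    }

    /** Returns true only when the external API positively confirms the credentials. */
    public boolean authenticate(String bindDn, byte[] credentials) {
        // An empty password is an LDAP "unauthenticated bind"; never treat it as success.
        if (bindDn == null || credentials == null || credentials.length == 0) return false;
        // Simplified DN matching: assumes no escaped commas or padding inside the DN.
        String dn = bindDn.trim().toLowerCase(Locale.ROOT);
        if (!dn.startsWith("uid=") || !dn.endsWith("," + allowedSuffix)) return false;
        String uid = dn.substring(4, dn.length() - allowedSuffix.length() - 1);
        if (uid.isEmpty() || uid.contains(",")) return false; // direct children only
        try {
            return api.verify(uid, credentials);
        } catch (Exception e) {
            return false; // fail closed if the backend errors or is unreachable
        }
    }

    public static void main(String[] args) {
        // Constructed sample backend: accepts one fixed user/password pair.
        CorporateAuthApi fake = (u, p) ->
            u.equals("alice") && new String(p, StandardCharsets.UTF_8).equals("s3cret");
        DelegatingBindCheck check =
            new DelegatingBindCheck(fake, "ou=customers,dc=example,dc=com");
        String dn = "uid=alice,ou=customers,dc=example,dc=com";
        byte[] good = "s3cret".getBytes(StandardCharsets.UTF_8);
        System.out.println("valid bind:     " + check.authenticate(dn, good));
        System.out.println("empty password: " + check.authenticate(dn, new byte[0]));
        System.out.println("other subtree:  " + check.authenticate("uid=admin,ou=system", good));
    }
}
```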