Posted to dev@directory.apache.org by Paul Simpkins <si...@googlemail.com> on 2014/11/18 11:37:59 UTC

Writing a new authenticator

Hi there,
I'm trying to work out what is needed to implement a new authenticator
within ApacheDS. The reason for this is that we have a legacy user system
which we're unable to migrate.

I've looked at quite a few websites and I think that the process would be
as follows:

1) Add an extra authenticator entry under
ou=authenticators,ads-interceptorId=authenticationInterceptor,ou=interceptors

This would need to be the last authenticator used to ensure that the LDAP
DIT is first checked and, if the user is not found, the legacy system is
checked next.

2) Create the code that will pass the provided username / password to the
external system and pass back a success or failure condition

Furthermore, how will the password policy be used? For example, if the
legacy user attempts to log in and supplies the incorrect password 3 times
and locks his account in the legacy system, how will the authenticator /
LDAP system handle that? Does its own password policy come into play or
is it completely ignored?

I've found the DelegatingAuthenticator example code - but if I was to use
that, what would the entry look like in the DIT ?

Regards
Paul

Re: Writing a new authenticator

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Nov 18, 2014 at 6:37 PM, Paul Simpkins <si...@googlemail.com>
wrote:

> Hi there,
> I'm trying to work out what is needed to implement a new authenticator
> within ApacheDS. The reason for this is that we have a legacy user system
> which we're unable to migrate.
>
> I've looked at quite a few websites and I think that the process would be
> as follows:
>
> 1) Add an extra authenticator entry under
>
> ou=authenticators,ads-interceptorId=authenticationInterceptor,ou=interceptors
>
> This would need to be the last authenticator used to ensure that the LDAP
> DIT is first checked and if the user is not found then to check the legacy
> system
>
> 2) Create the code that will pass the provided username / password to the
> external system and pass back a success or failure condition
>
> Furthermore, how will the password policy be used? For example, if the
> legacy user attempts to log in and supplies the incorrect password 3 times
> and locks his account in the legacy system, how will the authenticator /
> LDAP system handle that? Does its own password policy come into play or
> is it completely ignored?
>
The best way to make it work is to disable the default (i.e. global) password policy
and inject your custom authenticator.

If a password policy is still needed for the existing entries in the DIT, then
configure the policy using the 'pwdPolicySubentry' attribute.

>
> I've found the DelegatingAuthenticator example code - but if I was to use
> that, what would the entry look like in the DIT ?
>
Here you can just create a dummy DefaultEntry instance filled with the person or
inetOrgPerson objectClass MUST attributes, with values mapped from your legacy
system, and return it.

HTH

> Regards
> Paul


-- 
Kiran Ayyagari
http://keydap.com
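A minimal custom authenticator along the lines Kiran describes, as an added example and not ApacheDS project code: LegacyUserStore is a hypothetical adapter for the legacy system, and the ApacheDS/LDAP API class and method names (AbstractAuthenticator, BindOperationContext, LdapPrincipal, DefaultEntry, Rdn accessors) are assumed from the 2.0-era API and should be checked against the version you run. It surfaces a legacy-side lockout as a plain bind failure, which is the consequence of disabling the global password policy as suggested above.

```java
import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.api.ldap.model.entry.DefaultEntry;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.authn.AbstractAuthenticator;

/** Simple-bind authenticator that checks credentials against a legacy user store (example, not ApacheDS code). */
public class LegacyAuthenticator extends AbstractAuthenticator {

    /** Hypothetical adapter for the legacy system; the real client goes behind this interface. */
    public interface LegacyUserStore {
        /** Returns the user's display name, null if the password is wrong; throws if the account is locked. */
        String verify(String uid, String password) throws IllegalStateException;
    }
    private final LegacyUserStore store;

    public LegacyAuthenticator(LegacyUserStore store) {
        super(AuthenticationLevel.SIMPLE);
        this.store = store;
    }

    @Override
    public LdapPrincipal authenticate(BindOperationContext bindContext) throws Exception {
        Dn dn = bindContext.getDn();
        byte[] credentials = bindContext.getCredentials();
        // Reject empty passwords explicitly: an empty simple bind must never count as a successful login.
        if (dn == null || dn.isEmpty() || credentials == null || credentials.length == 0) {
            throw new LdapAuthenticationException("Empty bind DN or password");
        }
        String uid = dn.getRdn().getValue().toString(); // value of the first RDN, e.g. uid=jdoe,ou=users,... -> jdoe
        String displayName;
        try {
            displayName = store.verify(uid, Strings.utf8ToString(credentials));
        } catch (IllegalStateException locked) {
            // The legacy lockout is the only lockout in effect: ApacheDS's own policy is not consulted here.
            throw new LdapAuthenticationException("Account locked in legacy system");
        }
        if (displayName == null) {
            throw new LdapAuthenticationException("Invalid credentials");
        }
        // Dummy entry carrying the MUST attributes of inetOrgPerson (cn, sn), mapped from the legacy record.
        DefaultEntry entry = new DefaultEntry(getDirectoryService().getSchemaManager(), dn,
            "objectClass: inetOrgPerson", "cn: " + displayName, "sn: " + displayName, "uid: " + uid);
        bindContext.setEntry(entry);
        return new LdapPrincipal(getDirectoryService().getSchemaManager(), dn, AuthenticationLevel.SIMPLE);
    }
}
```

If the class is loaded from the configuration partition it will need a no-argument constructor, so the store would have to be wired from the authenticator's init rather than passed in as above.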