Custom authentication

[Endi Sukma Dewata <en...@vergenet.com>]

Hi,

 

I have a question about implementing custom authentication on ApacheDS. I
understand that currently authentication is handled at the Interceptor level
by the AuthenticationService which in version 0.8 only supports plain text
password. The way it works now is that it will look up the userPassword
value from the backend partition and compare it with the user supplied
password.

 

In our virtual directory product we have a need to be able to perform
authentication against different types of servers such as NT server, LDAP
server, etc., that most of which do not give you back the stored password,
not even the hash value. In other words, there is nothing to compare with
the user supplied password. The question is, if we integrate the virtual
directory as a backend in ApacheDS, how should I handle this kind of
authentication?

 

One way is to add a custom authentication Interceptor into the pipeline of
Interceptors. However, I don't think that this would work as long as
AuthenticationService is still in the pipeline too. This is because the
AuthenticationService will get invoked anyway, regardless of the order of
invocation. When it gets to that point, it will still try to get the
userPassword from the backend, compare it the old way, and throw an
exception since the userPassword is not present, so the whole operation will
still fail anyway.

 

Another way is to replace the AuthenticationService altogether with the
custom authentication, but I don't think we want to do this.

 

In my opinion, the authentication should be delegated to the backend
partition. So, instead of calling lookup() method, the AuthenticationService
should call something like bind() and pass the user supplied password as-is
to the backend. The backend knows how to work with the password, whether to
compare it directly or to perform a login operation.

 

Any advice would be very appreciated. Thank you very much.

 

--

Endi S. Dewata

 

Re: Custom authentication

[Alex Karasulu <ao...@bellsouth.net>]

Endi Sukma Dewata wrote:

> Hi,
>
> I have a question about implementing custom authentication on 
> ApacheDS. I understand that currently authentication is handled at the 
> Interceptor level by the AuthenticationService which in version 0.8 
> only supports plain text password. The way it works now is that it 
> will look up the userPassword value from the backend partition and 
> compare it with the user supplied password.
>
This is correct.

> In our virtual directory product we have a need to be able to perform 
> authentication against different types of servers such as NT server, 
> LDAP server, etc., that most of which do not give you back the stored 
> password, not even the hash value. In other words, there is nothing to 
> compare with the user supplied password. The question is, if we 
> integrate the virtual directory as a backend in ApacheDS, how should I 
> handle this kind of authentication?
>
Good point. Perhaps we need to use pluggable Authenticators. Would that 
help?

> One way is to add a custom authentication Interceptor into the 
> pipeline of Interceptors.
>
Ahh you're already there hehe. Good!

> However, I don’t think that this would work as long as 
> AuthenticationService is still in the pipeline too. This is because 
> the AuthenticationService will get invoked anyway, regardless of the 
> order of invocation. When it gets to that point, it will still try to 
> get the userPassword from the backend, compare it the old way, and 
> throw an exception since the userPassword is not present, so the whole 
> operation will still fail anyway.
>
What we can do is have the AuthenticationService expose some kind of 
Authenticator SPI. We can have it switch Authenticators based on name 
space hence the backend being hit. We should make the auth mechanism as 
plugable as possible. This is something to really discuss.

> Another way is to replace the AuthenticationService altogether with 
> the custom authentication, but I don’t think we want to do this.
>
Ok let's then build some way in which the service can switch the auth 
mech based on the parameters of the request. We can register an auth 
mech implementaion, an "Authenticator" impl, with the service using a 
subtree spec. If the entry in the target bind DN is matched by the spec 
then we use that Authenticator and short or continue like a PAM based 
system. Hmmm let's brain storm this one. It is very interesting.

> In my opinion, the authentication should be delegated to the backend 
> partition. So, instead of calling lookup() method, the 
> AuthenticationService should call something like bind() and pass the 
> user supplied password as-is to the backend. The backend knows how to 
> work with the password, whether to compare it directly or to perform a 
> login operation.
>
That is a bad move IMHO. The whole point to using interceptors is to 
make this service (authentication) something that back end implementors 
do not have to worry about. By asking backends to do this, all 
implementations will have to handle auth with most duplicating the same 
code within the service.

What we can use a custom Authenticator if we design this correctly. The 
custom Authenticator may use your backend to do its bidding.

> Any advice would be very appreciated. Thank you very much.
>
Let me know what you think about making Auth mechanisms pluggable by 
making the AuthenticationService manage these authenticators. If you 
want to do this then I can help you out.

Cheers,
Alex

Re: Custom authentication

[Alex Karasulu <ao...@bellsouth.net>]

I'm going to looking into it soon. Dealing with some issues right now 
but will get back to you.

-Alex

Endi Sukma Dewata wrote:

> Hi,
>
> I have a question about implementing custom authentication on 
> ApacheDS. I understand that currently authentication is handled at the 
> Interceptor level by the AuthenticationService which in version 0.8 
> only supports plain text password. The way it works now is that it 
> will look up the userPassword value from the backend partition and 
> compare it with the user supplied password.
>
> In our virtual directory product we have a need to be able to perform 
> authentication against different types of servers such as NT server, 
> LDAP server, etc., that most of which do not give you back the stored 
> password, not even the hash value. In other words, there is nothing to 
> compare with the user supplied password. The question is, if we 
> integrate the virtual directory as a backend in ApacheDS, how should I 
> handle this kind of authentication?
>
> One way is to add a custom authentication Interceptor into the 
> pipeline of Interceptors. However, I don’t think that this would work 
> as long as AuthenticationService is still in the pipeline too. This is 
> because the AuthenticationService will get invoked anyway, regardless 
> of the order of invocation. When it gets to that point, it will still 
> try to get the userPassword from the backend, compare it the old way, 
> and throw an exception since the userPassword is not present, so the 
> whole operation will still fail anyway.
>
> Another way is to replace the AuthenticationService altogether with 
> the custom authentication, but I don’t think we want to do this.
>
> In my opinion, the authentication should be delegated to the backend 
> partition. So, instead of calling lookup() method, the 
> AuthenticationService should call something like bind() and pass the 
> user supplied password as-is to the backend. The backend knows how to 
> work with the password, whether to compare it directly or to perform a 
> login operation.
>
> Any advice would be very appreciated. Thank you very much.
>
> --
>
> Endi S. Dewata
>