On Thu, Apr 25, 2013 at 2:44 PM, Emmanuel Lécharny <[email protected]>wrote:
> Le 4/24/13 6:00 PM, Emmanuel Lecharny a écrit : > > hi guys, > > > > I was wondering if it makes sense at all to process the bind operation > > through the interceptirs ? currently, we process it in the authn > > interceptor, all the other interceptors just ignore the operation. Why > > don't we handle this op in the bind handler ? > > > > Let me explain a but further why I'm suggesting that (as I can now use a > computer, and not a mobile phone...) > > Right now, a Bind is just a logical process that does not access the > backend (ie, there is no Bind operation done on any partition). > Basically, it's all about fetching the user's entry from the provided > DN, and compare the password in it with the provided password. For > external bind, it may be more ocmplex but again, it does not involve the > partitions. > > The thing is we have two interceptors implementing the bind() operation : > - NormalizationInterceptor : it normalize the user's DN > - AuthenticationInterceptor : This is where we process the authentication > > having bind in interceptor will give control to the user when a custom interceptor is injected, except this I don't see any other advantages. I know, we allow users to configure custom authenticator but the control through an authenticator is limited compared with the power of having access to the whole interceptor chain so, personally I like to have bind method in the interceptor > We don't need to process the Bind in the NormalizationInterceptor, the > DN is already normalized (actually, I removed the implementation in this > class. It works like a charm without it). > > > So the question is really to know if we should not process the bind in > the OperationManager, as it's the entry point for any operation done in > the DirectoryService. It would not be the only operation that would hav > some pre-processing done in the OperationManager : for the add, compare, > delete, modify, move, moveAndRename, rename, search operations, we > pre-process referrals. > > That would also make the addition of new authenticator easier, as they > will not depend on the AuthenticatorInterceptor configuration to be > added : we can associate them to the DirectoryService configuration > instead. > > so wdyt ? > > > -- > Regards, > Cordialement, > Emmanuel Lécharny > www.iktek.com > > -- Kiran Ayyagari http://keydap.com
