Hi guys, we have a delegatedAuthenticator which is supposed to authenticate a user against an external LDAP server. It's not working.
In order to have it working, there are a few things that need to be fixed, and it depends on some decisions we have to make. First, we have to agree on what means a delegated authentication. We have two options here : 1) The user is not known by the server, so we try to bind on a remote LDAP server and if it succeeds, we create a local session 2) The user is known by the local server, but we don't have an associated password, so we have to bind on another LDAP server (same process tahn for 1). It's easier to deal with case 1, because we can immediately see if the user is present or not. In case 2, we will have to tell the local LDAP server when it should look into a remote server. This can be done in two ways : A) As for SASL bind, we define a search base DN, and every bind under this DN root will have to be authenticated by an external LDAP server B) Or we define an Administrative Area, and an associated subentry, which defines the scope of entries that are to authenticate on a remote LDAP server I must say that the B option is appealing, as it offers way more possibilities. It's also more complex to implement and handle. I would suggest we start with option A. There is more to do : as it's about authenticating, the userPassword will be transmitted to the remote LDAP server. It *has* to be done through a secure connction (either LDAPS or through the user of a startTLS extended operation). In both cases, some configuration is needed. I propose to implement option 2-A, with a secured connection configuration. Thoughts ? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
