Rafal (and everyone else),
We are going to need a number of LDAP related properties in
TurbineResources.properties. One of these is, of course, the LDAP
PROVIDER_URL when setting up the JNDI context.
However, I got to thinking that if we are using LDAP V3 (which I am at
least), I can query the server for the list of SASL authentication
mechanisms that this server supports.
This led me to the realization that we may want to specify a list of
SASL mechanisms in TurbineResources.properties for our application to
use with the specified server. Right now I have a half-baked private
method in my LDAPUser class that gets the list of SASL mechanisms from
the LDAP server and then searches a list for the first match amongst
those returned.
I'd like to propose a list of properties named
"ldap.authentication.mechanism" for the TurbineResources.properties file
to fill this role. The site administrator, if using LDAP, can then
specify as few or as many of these mechanisms as desired.
Also, for security reasons, I would like to suggest that, if an
authentication mechanism is not found in the list, Turbine NOT
default to simple (clear text) authentication. Instead it should fail to
authenticate (a "3" error in the validate method) due to communication
problems. My take on this is that if a site administrator is willing to fall
back to "simple" authentication then he can specify that as one of the
"ldap.authentication.mechanism" entries.
These are my current thoughts on the problem but I am willing to hear
others. Also, I suspect that I will be writing a series of convenience
functions (like getAuthenticationMechanism) that the LDAPUser class will
utilize as well as the LDAPSecurityService. My first thought is that
these might belong to the SecurityService but I wanted to run this past
you first for your input (and anyone else on the list).
Thanks,
David Ramsey
--
==============================================================
"Always listen to experts. They'll tell you what can't be
done, and why. Then do it."
-- Lazarus Long, in Robert Heinlein's Time Enough for Love
==============================================================
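The mechanism selection David describes, written out as an added example (not code from this list or from Turbine's LDAPUser class): it reads supportedSASLMechanisms from the LDAPv3 root DSE over JNDI, takes the first administrator-listed mechanism the server also offers, and returns nothing rather than fall back to simple. The class name SaslMechanismChooser and the shape of the configured list are assumptions.

```java
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical helper; not part of Turbine or of the LDAPUser class discussed above. */
public class SaslMechanismChooser {
    /** Anonymous read of supportedSASLMechanisms from the LDAPv3 root DSE. */
    public static Set<String> serverMechanisms(String providerUrl) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        DirContext ctx = new InitialDirContext(env);
        try {
            Set<String> offered = new HashSet<>();
            Attribute attr = ctx.getAttributes("", new String[] {"supportedSASLMechanisms"})
                                .get("supportedSASLMechanisms");
            if (attr != null) {
                for (NamingEnumeration<?> v = attr.getAll(); v.hasMore(); ) {
                    offered.add(v.next().toString().toUpperCase());  // RFC names are upper case
                }
            }
            return offered;
        } finally {
            ctx.close();
        }
    }

    /**
     * First mechanism in the administrator's ldap.authentication.mechanism order that the
     * server offers, or null when none matches. Clear-text "simple" is eligible only if
     * the administrator listed it explicitly; nothing here falls back to it on its own.
     */
    public static String choose(List<String> configured, Set<String> offered) {
        for (String entry : configured) {
            String mech = entry.trim();
            if (mech.equalsIgnoreCase("simple") || offered.contains(mech.toUpperCase())) {
                return mech;  // usable directly as Context.SECURITY_AUTHENTICATION
            }
        }
        return null;  // caller returns the "3" (communication failure) result instead of binding
    }
}
```

With `configured = ["GSSAPI", "DIGEST-MD5"]` and a server advertising only `{"PLAIN"}`, `choose` returns null, so validate() reports 3 and no clear-text bind is attempted.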