The documentation in the (1.5) Advanced User's Guide in section 2.4 for "Writing a custom authenticator" asserts both that it is out-of-date and that the example configuration isn't correct. I am certainly hoping that only means the documentation isn't up-to-date rather than meaning it currently can't be done. If it can be done, can some knowledgeable person please provide some hints of what needs to be done? Here is my specific quandary, and how I naively thought I might circumvent it.

The essence of the problem that I'm trying to solve is that we use a third-party product that can either use its own database for storing credentials and user roles OR it can talk to an external provider via its built-in LDAP (v3) client. Company security policy dictates that it must utilize the corporate "customer LDAP", but because of the believed need for additional controls, this LDAP can be accessed only through a specific [java] API.

So, my not-fully-baked idea was that I could set up Apache DS and point the 3rd-party product at it, and then add a custom authenticator which invoked the supplied API when the bind request was processed by Apache DS. If that doesn't sound too unreasonable, in the absence of current documentation, can some kind soul suggest what the simplest approach to accomplish that might be (including what to add to the server.xml file and where it belongs)?

A simplification is that no search results are needed; that is, all I need is a "pass/fail" on the authentication as this mechanism will be used only for a specific "class" of users all of whom have the same roles associated with their credentials. Thus, I am hoping that I'm not being overly optimistic in thinking it's just a simple bind which can either succeed or barf.

All shared wisdom is greatly appreciated!

Richard

--
Outside of a dog, a book is man's best friend; inside of a dog, it's too dark to read - Mark Twain
