From: Alistair Y. <ali...@sm...> - 2006-07-19 11:54:54
> Actually it is a problem in the Authenticator

yes, I suspected as much. The way bod "authenticates" is a bit weird and I obviously hadn't fully grasped that weirdness

> If credentials are set then valid is set false ... set valid=true
> when the authentication failed

this kind of weirdness!

> eventually I'll generalise it and commit
> back to the release version

can you not generalise it from the start? you'll have to let us test it here before you commit. We also need the auto creation so that can't be removed. We also need the Alias handling to speed up searching for users, i.e. where it stores your DN as an Alias for you in the db. Finding it in bod is quicker than trawling an enterprise system.

One cleanup thing that needs done is loading the XML conf file from the CLASSPATH. It uses getBodingtonRoot() just now but some versions of BuildingServer don't have it.

What I definitely want to avoid is site specific LDAPAuthenticator. Basically, everything that's in the current LDAPAuthenticator has to be in the "Leeds specific" one if it's going into head.

Alistair

On 19 Jul 2006, at 12:31, Jon Maber wrote:

> Alistair Young wrote:
>> Hi Jon, hopefully I can answer your questions:
>>
> Thanks. I had found the API docs but somehow overlooked that alternate
> constructor - I was looking in the LDAPConstraints class. Looks like I
> can do what I want with the OpenLDAP API so there's no real argument
> left for switching.
>> There are a few things to consider when doing LDAP "authentication".
>> Bod always calls the LDAPAuthenticator no matter what page you're
>> viewing. This has led to problems here and at Leeds I believe.
>>
>> I also haven't ruled out something wrong in the ldap code! haven't
>> had time to look at it.
>>
> Actually it is a problem in the Authenticator. Bodington repeatedly
> calls the isAuthenticated() method to allow an authenticator to time out
> an authentication session if it wants. However, there is absolutely no
> need to repeatedly bind to the LDAP server every time that
> isAuthenticated is called. You can see the basic pattern in the plain
> password authenticator - the 'valid' variable is used to prevent
> repeated authentication. If credentials are set then valid is set false
> to indicate that the class doesn't know if the user is authenticated or
> not. If the authenticator is asked if the user is authenticated and
> valid is false then it calls the private authenticate method, otherwise
> if valid is true it just gives the stored result.
>
> Your code was failing to set valid=true when the authentication failed
> which was forcing the LDAP connection to be repeated over and over.
> I've fixed it (and a number of other potential bugs) in the custom
> authenticator I'm creating and eventually I'll generalise it and commit
> back to the release version (2.10?).
>
> Thanks Alistair.
>
> _______________________________________________
> Bodington-developers mailing list
> Bod...@li...
> https://lists.sourceforge.net/lists/listinfo/bodington-developers
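
The 'valid' flag pattern discussed in this thread, as an added example that is not part of the original messages and is not Bodington's code. The class and method names other than isAuthenticated() are hypothetical, and the LDAP bind is replaced by a counting stub with constructed credentials, so the effect of not caching a failed result shows up as a bind count.

```java
/** Illustrative only: hypothetical classes, not Bodington's LDAPAuthenticator. */
public class CachedAuthenticatorDemo {
    static int binds = 0; // number of simulated LDAP binds performed

    // Stand-in for an LDAP bind; constructed credentials, no network access.
    static boolean bind(String user, String password) {
        binds++;
        return "jon".equals(user) && "correct-password".equals(password);
    }

    static class Authenticator {
        private final boolean cacheFailures; // false reproduces the bug from the thread
        private String user, password;
        private boolean valid = false;         // true once the outcome is known
        private boolean authenticated = false; // stored outcome

        Authenticator(boolean cacheFailures) { this.cacheFailures = cacheFailures; }

        void setCredentials(String user, String password) {
            this.user = user;
            this.password = password;
            valid = false;          // new credentials: outcome unknown again
            authenticated = false;
        }

        boolean isAuthenticated() { // called on every page request
            if (!valid) authenticate();
            return authenticated;
        }

        private void authenticate() {
            authenticated = bind(user, password);
            // Bug: marking the result valid only on success re-binds on every call.
            if (authenticated || cacheFailures) valid = true;
        }
    }

    // Simulates 'requests' page views for one session and returns the bind count.
    static int bindsFor(boolean cacheFailures, String password, int requests) {
        binds = 0;
        Authenticator a = new Authenticator(cacheFailures);
        a.setCredentials("jon", password);
        for (int i = 0; i < requests; i++) a.isAuthenticated();
        return binds;
    }

    public static void main(String[] args) {
        System.out.println("buggy, wrong password: " + bindsFor(false, "wrong", 100) + " binds");
        System.out.println("fixed, wrong password: " + bindsFor(true, "wrong", 100) + " binds");
        System.out.println("fixed, right password: " + bindsFor(true, "correct-password", 100) + " binds");
    }
}
```

With the failure case uncached, every page view for a session holding bad credentials is another failed bind as far as the directory server is concerned.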