Password policy support for Catalyst::Authentication::Store::LDAP



by Buchan Milne-2


In our internal management web app (which has only been feasible due to
Catalyst), we authenticate against our OpenLDAP (2.3) infrastructure.

Due to various security requirements (SOX etc.), we are required to have
password expiration etc. So, we implemented password policies a while back
using OpenLDAP's slapo-ppolicy overlay
(http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release)

Net::LDAP recently added support for the Password Policy control, so at least
this is now feasible (without hacking Net::LDAP, which is where I got stuck
on the previous attempt).

I think I may be able to provide a patch for Authentication::Store::LDAP,
however, the first problem is that Catalyst::Authentication (like many other
authentication frameworks) assumes the result of an authentication will
always only be a boolean, and thus doesn't make provision for situations such
as:
-The account is locked out (the password may have been correct, but the user
can't authenticate)
-The password was reset and needs to be changed (so, authenticate them but
allow for a means to send them to a password changing facility)
-The password will expire soon
etc.

I wouldn't like to try and propose a solution for Catalyst::Authentication
(yet), but I can try and provide input on any proposed solution.

Regards,
Buchan

_______________________________________________
List: Catalyst@...
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@.../
Dev site: http://dev.catalyst.perl.org/

Re: Password policy support for Catalyst::Authentication::Store::LDAP

by Gavin Henry-3


2008/6/20 Buchan Milne <bgmilne@...>:

> In our internal management web app (which has only been feasible due to
> Catalyst), we authenticate against our OpenLDAP (2.3) infrastructure.
>
> Due to various security requirements (SOX etc.), we are required to have
> password expiration etc. So, we implemented password policies a while back
> using OpenLDAP's slapo-ppolicy overlay
> (http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release)
>
> Net::LDAP recently added support for the Password Policy control, so at least
> this is now feasible (without hacking Net::LDAP, which is where I got stuck
> on the previous attempt).
>
> I think I may be able to provide a patch for Authentication::Store::LDAP,
> however, the first problem is that Catalyst::Authentication (like many other
> authentication frameworks) assumes the result of an authentication will
> always only be a boolean, and thus doesn't make provision for situations such
> as:
> -The account is locked out (the password may have been correct, but the user
> can't authenticate)
> -The password was reset and needs to be changed (so, authenticate them but
> allow for a means to send them to a password changing facility)
> -The password will expire soon
> etc.
>
> I wouldn't like to try and propose a solution for Catalyst::Authentication
> (yet), but I can try and provide input on any proposed solution.
>

Can't you still return a true/false and then provide/use an error
method which will then contain the reason for failure, which includes
the response from ppolicy?

--
http://www.suretecsystems.com/services/openldap/


Re: Password policy support for Catalyst::Authentication::Store::LDAP

by Buchan Milne-2


On Friday 20 June 2008 12:20:49 Gavin Henry wrote:

> 2008/6/20 Buchan Milne <bgmilne@...>:
> > In our internal management web app (which has only been feasible due to
> > Catalyst), we authenticate against our OpenLDAP (2.3) infrastructure.
> >
> > Due to various security requirements (SOX etc.), we are required to have
> > password expiration etc. So, we implemented password policies a while
> > back using OpenLDAP's slapo-ppolicy overlay
> > (http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&a
> >propos=0&manpath=OpenLDAP+2.3-Release)
> >
> > Net::LDAP recently added support for the Password Policy control, so at
> > least this is now feasible (without hacking Net::LDAP, which is where I
> > got stuck on the previous attempt).
> >
> > I think I may be able to provide a patch for Authentication::Store::LDAP,
> > however, the first problem is that Catalyst::Authentication (like many
> > other authentication frameworks) assumes the result of an authentication
> > will always only be a boolean, and thus doesn't make provision for
> > situations such as:
> > -The account is locked out (the password may have been correct, but the
> > user can't authenticate)
> > -The password was reset and needs to be changed (so, authenticate them
> > but allow for a means to send them to a password changing facility)
> > -The password will expire soon
> > etc.
> >
> > I wouldn't like to try and propose a solution for
> > Catalyst::Authentication (yet), but I can try and provide input on any
> > proposed solution.
>
> Can't you still return a true/false and then provide/use an error
> method which will then contain the reason for failure, which includes
> the response from ppolicy?

In theory, yes (from Store::LDAP), but I want to get something back from
login(), which just checks the boolean it gets back from the store (I think,
don't have anything in front of me now).

Regards,
Buchan


Re: Password policy support for Catalyst::Authentication::Store::LDAP

by Matt S Trout-2


On Fri, Jun 20, 2008 at 06:46:02PM +0200, Buchan Milne wrote:

> On Friday 20 June 2008 12:20:49 Gavin Henry wrote:
> > 2008/6/20 Buchan Milne <bgmilne@...>:
> > > In our internal management web app (which has only been feasible due to
> > > Catalyst), we authenticate against our OpenLDAP (2.3) infrastructure.
> > >
> > > Due to various security requirements (SOX etc.), we are required to have
> > > password expiration etc. So, we implemented password policies a while
> > > back using OpenLDAP's slapo-ppolicy overlay
> > > (http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&a
> > >propos=0&manpath=OpenLDAP+2.3-Release)
> > >
> > > Net::LDAP recently added support for the Password Policy control, so at
> > > least this is now feasible (without hacking Net::LDAP, which is where I
> > > got stuck on the previous attempt).
> > >
> > > I think I may be able to provide a patch for Authentication::Store::LDAP,
> > > however, the first problem is that Catalyst::Authentication (like many
> > > other authentication frameworks) assumes the result of an authentication
> > > will always only be a boolean, and thus doesn't make provision for
> > > situations such as:
> > > -The account is locked out (the password may have been correct, but the
> > > user can't authenticate)
> > > -The password was reset and needs to be changed (so, authenticate them
> > > but allow for a means to send them to a password changing facility)
> > > -The password will expire soon
> > > etc.
> > >
> > > I wouldn't like to try and propose a solution for
> > > Catalyst::Authentication (yet), but I can try and provide input on any
> > > proposed solution.
> >
> > Can't you still return a true/false and then provide/use an error
> > method which will then contain the reason for failure, which includes
> > the response from ppolicy?
>
> In theory, yes (from Store::LDAP), but I want to get something back from
> login(), which just checks the boolean it gets back from the store (I think,
> don't have anything in front of me now).

New-style auth uses authenticate().

I -think- it should be possible for any true value to be passed back out,
so instead of 'return 1' you could return an object that describes the
current status of the account?

--
      Matt S Trout       Need help with your Catalyst or DBIx::Class project?
   Technical Director                    http://www.shadowcat.co.uk/catalyst/
 Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/

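As an added example, not code from this thread, from Catalyst::Authentication or from Net::LDAP, here is the status-object approach Matt suggests, worked through for the three cases in Buchan's first message (account locked out, password must be changed after a reset, password expiring soon). It is written in Python rather than Perl so it runs stand-alone with no directory server: the control-value decoding follows the ASN.1 in draft-behera-ldap-password-policy (control OID 1.3.6.1.4.1.42.2.27.8.5.1), the sample control values are hand-encoded rather than captured from a server, and the names `AuthResult`, `bind_outcome`, `next_step` and the seven-day warning threshold are this example's own assumptions.

```python
"""Added example (not code from the thread, Catalyst, or Net::LDAP): decode the
Password Policy response control and return a bind status object that is still
true/false for callers that only test the boolean."""
from dataclasses import dataclass
from typing import Optional

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # Password Policy control, draft-behera-ldap-password-policy

# Values of the `error` ENUMERATED in PasswordPolicyResponseValue (from the draft)
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49


def _tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at `pos`; returns (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy(value: bytes) -> dict:
    """Parse PasswordPolicyResponseValue ::= SEQUENCE {
           warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                                graceAuthNsRemaining [1] INTEGER } OPTIONAL,
           error   [1] ENUMERATED OPTIONAL }
    The [0] on a CHOICE is explicit (constructed, 0xA0); the alternatives and
    `error` carry implicit context tags (0x80 / 0x81)."""
    out = {"time_before_expiration": None, "grace_authns_remaining": None, "error": None}
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                                    # warning
            wtag, wval, _ = _tlv(inner, 0)
            n = int.from_bytes(wval, "big")
            if wtag == 0x80:
                out["time_before_expiration"] = n          # seconds until pwdMaxAge is hit
            elif wtag == 0x81:
                out["grace_authns_remaining"] = n          # already expired, grace binds left
            else:
                raise ValueError(f"unknown warning tag 0x{wtag:02x}")
        elif tag == 0x81:                                  # error
            out["error"] = PPOLICY_ERRORS.get(int.from_bytes(inner, "big"), "unknown")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return out


@dataclass
class AuthResult:
    """Truthy exactly when the bind succeeded, so `if result:` keeps working,
    while carrying the ppolicy state the login flow needs."""
    authenticated: bool
    reason: Optional[str] = None
    must_change_password: bool = False
    expires_in: Optional[int] = None
    grace_logins_left: Optional[int] = None

    def __bool__(self) -> bool:
        return self.authenticated


def bind_outcome(result_code: int, ppolicy_value: Optional[bytes]) -> AuthResult:
    """Combine the bind result code with the response control (None if the server
    sent none). Stands in for what an LDAP store does after the bind returns."""
    pp = decode_ppolicy(ppolicy_value) if ppolicy_value else {}
    err = pp.get("error")
    if result_code != LDAP_SUCCESS:
        # e.g. accountLocked: the password may have been right, but the bind failed.
        return AuthResult(False, reason=err or "invalidCredentials")
    return AuthResult(True, reason=err,
                      must_change_password=(err == "changeAfterReset"),
                      expires_in=pp.get("time_before_expiration"),
                      grace_logins_left=pp.get("grace_authns_remaining"))


def next_step(result: AuthResult, warn_below: int = 7 * 86400) -> str:
    """What the application should do with the result; `warn_below` (seconds) is
    an assumed threshold for the expiry warning."""
    if not result:
        return "deny"                 # generic failure to the user; keep `reason` server-side
    if result.must_change_password or result.grace_logins_left is not None:
        return "change_password"      # reset password, or expired and living on grace logins
    if result.expires_in is not None and result.expires_in < warn_below:
        return "warn_expiry"
    return "ok"


# Constructed sample control values (hand-encoded, not captured from a server)
SAMPLES = {
    "expires_soon": bytes.fromhex("3007a0058003015180"),  # timeBeforeExpiration = 86400
    "grace":        bytes.fromhex("3005a003810102"),      # graceAuthNsRemaining = 2
    "locked":       bytes.fromhex("3003810101"),          # error = accountLocked
    "reset":        bytes.fromhex("3003810102"),          # error = changeAfterReset
    "clean":        bytes.fromhex("3000"),                # no warning, no error
}

if __name__ == "__main__":
    for name, code in [("expires_soon", 0), ("grace", 0), ("locked", 49), ("reset", 0), ("clean", 0)]:
        r = bind_outcome(code, SAMPLES[name])
        print(f"{name:13} bool={bool(r)!s:5} step={next_step(r):16} {r}")
```

The point is the `__bool__`: a login() that only does `if result` behaves exactly as before, while the store can hand back lockout, change-after-reset and expiry information for the application to route on. Whatever the store learns about why a bind failed should stay inside the application; the login form itself should still show a generic failure so an attacker cannot tell a locked account from a wrong password.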

Re: Password policy support for Catalyst::Authentication::Store::LDAP

by Gavin Henry-3


> New-style auth uses authenticate().
>
> I -think- it should be possible for any true value to be passed back out,
> so instead of 'return 1' you could return an object that describes the
> current status of the account?
>

Sounds good to me.


--
http://www.suretecsystems.com/services/openldap/
