In our internal management web app (which has only been feasible due to Catalyst), we authenticate against our OpenLDAP (2.3) infrastructure.
Due to various security requirements (SOX etc.), we are required to have password expiration etc. So, we implemented password policies a while back using OpenLDAP's slapo-ppolicy overlay (http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release).

Net::LDAP recently added support for the Password Policy control, so at least this is now feasible (without hacking Net::LDAP, which is where I got stuck on the previous attempt).

I think I may be able to provide a patch for Authentication::Store::LDAP; however, the first problem is that Catalyst::Authentication (like many other authentication frameworks) assumes the result of an authentication will always only be a boolean, and thus doesn't make provision for situations such as:

- The account is locked out (the password may have been correct, but the user can't authenticate)
- The password was reset and needs to be changed (so, authenticate them but allow for a means to send them to a password changing facility)
- The password will expire soon
- etc.

I wouldn't like to try and propose a solution for Catalyst::Authentication (yet), but I can try and provide input on any proposed solution.

Regards,
Buchan

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
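As an added example (not code from the original post, from Net::LDAP or from Catalyst::Authentication), this shows a Net::LDAP bind that sends the slapo-ppolicy request control and maps the response control onto the non-boolean outcomes listed above (locked, must change, expiring); the LDAP host and the user DN are placeholders.

```perl
#!/usr/bin/perl
# Added example: a bind whose result is richer than true/false, built on
# Net::LDAP's Password Policy control support.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::PasswordPolicy;
use Net::LDAP::Constant qw(
    LDAP_SUCCESS LDAP_CONTROL_PASSWORDPOLICY
    LDAP_PP_PASSWORD_EXPIRED LDAP_PP_ACCOUNT_LOCKED LDAP_PP_CHANGE_AFTER_RESET
);

# Returns a hashref with status => ok | expiring | must_change | locked |
# expired | denied, plus seconds_left / grace_left when the server sent them.
sub ppolicy_bind {
    my ($ldap, $dn, $password) = @_;

    my $req  = Net::LDAP::Control::PasswordPolicy->new;
    my $mesg = $ldap->bind($dn, password => $password, control => [$req]);

    # slapo-ppolicy returns a response control on both success and failure.
    my ($resp) = $mesg->control(LDAP_CONTROL_PASSWORDPOLICY);
    my $err    = $resp ? $resp->pp_error : undef;   # undef: no policy error
    my %out    = (status => 'denied', message => $mesg->error);
    $out{seconds_left} = $resp->time_before_expiration        if $resp;
    $out{grace_left}   = $resp->grace_authentications_remaining if $resp;

    if ($mesg->code == LDAP_SUCCESS) {
        # Correct password, but the policy may still demand an action.
        $out{status}  = 'ok';
        $out{status}  = 'expiring'    if defined $out{seconds_left};
        $out{status}  = 'must_change' if defined $out{grace_left};   # grace login
        $out{status}  = 'must_change' if defined $err && $err == LDAP_PP_CHANGE_AFTER_RESET;
    } elsif (defined $err) {
        # Bind refused; distinguish policy refusals from a plain bad password.
        $out{status}  = 'locked'  if $err == LDAP_PP_ACCOUNT_LOCKED;
        $out{status}  = 'expired' if $err == LDAP_PP_PASSWORD_EXPIRED;
    }
    return \%out;
}

# Placeholder host and DN; TLS so the password never crosses the wire in clear.
my $ldap = Net::LDAP->new('ldap.example.com') or die "connect: $@";
my $tls  = $ldap->start_tls(verify => 'require');
die 'start_tls: ' . $tls->error if $tls->code;

my $r = ppolicy_bind($ldap, 'uid=jdoe,ou=people,dc=example,dc=com', 'secret');
print "$r->{status}: $r->{message}\n";
```

A store such as Authentication::Store::LDAP could return the whole hashref instead of a boolean, letting the application redirect `must_change` users to a password-change page and warn `expiring` users while still treating `locked`, `expired` and `denied` as failures.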