On Friday 20 June 2008 12:20:49 Gavin Henry wrote:
> 2008/6/20 Buchan Milne <[EMAIL PROTECTED]>:
> > In our internal management web app (which has only been feasible due to
> > Catalyst), we authenticate against our OpenLDAP (2.3) infrastructure.
> >
> > Due to various security requirements (SAOX etc.), we are required to have
> > password expiration etc. So, we implemented password policies a while
> > back using OpenLDAP's slapo-ppolicy overlay
> > (http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release)
> >
> > Net::LDAP recently added support for the Password Policy control, so at
> > least this is now feasible (without hacking Net::LDAP, which is where I
> > got stuck on the previous attempt).
> >
> > I think I may be able to provide a patch for Authentication::Store::LDAP,
> > however, the first problem is that Catalyst::Authentication (like many
> > other authentication frameworks) assumes the result of an authentication
> > will always only be a boolean, and thus doesn't make provision for
> > situations such as:
> > -The account is locked out (the password may have been correct, but the
> > user can't authenticate)
> > -The password was reset and needs to be changed (so, authenticate them
> > but allow for a means to send them to a password changing facility)
> > -The password will expire soon
> > etc.
> >
> > I wouldn't like to try and propose a solution for
> > Catalyst::Authentication (yet), but I can try and provide input on any
> > proposed solution.
>
> Can't you still return a true/false and then provide/use an error
> method which will then contain the reason for failure, which includes
> the response from ppolicy?

In theory, yes (from Store::LDAP), but I want to get something back from
login(), which just checks the boolean it gets back from the store (I think,
don't have anything in front of me now).

Regards,
Buchan
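
The situation discussed in this thread, a login result that carries more than a boolean, as an added example (not code from the thread, from Catalyst or from Net::LDAP). The helper `classify_auth`, its input names and the sample cases are hypothetical; the inputs stand for the bind outcome and the fields of the password policy response control.

```perl
use strict;
use warnings;

# Error codes carried by the password policy response control
# (draft-behera-ldap-password-policy); only the cases raised in the thread.
my %PP_ERROR = (0 => 'password_expired', 1 => 'account_locked', 2 => 'change_after_reset');

# Hypothetical helper (not a Catalyst or Net::LDAP API).
# Inputs (names are assumptions): bind_ok, pp_error, expires_in, grace_left.
sub classify_auth {
    my (%in) = @_;
    my $err = defined $in{pp_error} ? $PP_ERROR{ $in{pp_error} } : undef;
    my %res = (authenticated => 0, status => 'denied', must_change => 0, warnings => []);

    if (!$in{bind_ok}) {
        # Failed bind: keep the policy reason so the application can log or act on it.
        $res{status} = $err if defined $err && $err ne 'change_after_reset';
        return \%res;
    }

    $res{authenticated} = 1;
    $res{status}        = 'ok';
    if (defined $err && $err eq 'change_after_reset') {
        # Authenticated, but the caller should route to a password change page.
        $res{status}      = 'change_required';
        $res{must_change} = 1;
    }
    push @{ $res{warnings} }, "password expires in $in{expires_in}s"
        if defined $in{expires_in};
    push @{ $res{warnings} }, "$in{grace_left} grace logins left"
        if defined $in{grace_left};
    return \%res;
}

# Constructed sample inputs, one per situation listed in the thread.
my @cases = (
    { bind_ok => 1 },
    { bind_ok => 0 },
    { bind_ok => 0, pp_error => 1 },
    { bind_ok => 1, pp_error => 2 },
    { bind_ok => 1, expires_in => 86400 },
);
for my $case (@cases) {
    my $r = classify_auth(%$case);
    printf "%-16s authenticated=%d must_change=%d warnings=[%s]\n",
        $r->{status}, $r->{authenticated}, $r->{must_change},
        join('; ', @{ $r->{warnings} });
}
```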