Le 16/10/14 12:56, Kiran Ayyagari a écrit : > On Thu, Oct 16, 2014 at 1:13 PM, Emmanuel Lécharny <elecha...@gmail.com> > wrote: > >> Hi ! >> >> as we decided to replace the UnboundId API by the Apache Ldap API, we >> have a bit of work to do, and we need a plan for that. >> >> 1) API selection >> Currently, Fortress uses the two APIs, though some configuration that >> tells which one to use. We can now get rid of this configuration and >> remove completely the classes that uses the UID API. We typically have >> classes for the 2 libs : >> >> o UnboundIdDataProvider >> o ApacheDsDataProvider >> >> Those two classes are doing the exact same thing, and are the base for >> many other classes (the DAO : AcceleratorDAO, AdminRoleDAO, AuditDAO, >> ConfigDAO, OrgUnitDAO, PermDAO, PolicyDAO, RoleDAO, SdDAO, UserDAO). We >> have to inherit from the ApacheDsDataProvider for all those classes now. >> >> 2) DAO romoval >> >> As we had two data provider, we also had two classes for each DAO, one >> per data provider. We can now get rid of the UID DAO, which are in >> org.openldap.fortress.rbac.dao.unboundid. >> >> 3) DAO Interface removal >> It would make sense to also get rid of the DAO interfaces, if we are to >> use only one single implementation. We could just merge the interface >> and the classes. >> >> >> That should be an easy task, as we won't have a lot to do to have it >> working : the Fortress code is already able to handle those two APIs. >> There are only one thing we have to troubleshoot, and it's related to >> the passwordPolicy management. I don't exactly remember what's the >> problem, but from the top of my head, it's just that the Apache LDAP API >> doesn't have a way to define the attributeType which will store the >> password. That might requires a sligth modification in the Apache LDAP API. >> >> are there any real world usecase that need this password attribute mapping? > or are we just trying to allow this flexibility as per the ppolicy draft? It's in the RFC draft :
5.2.1 <https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-5.2.1>. pwdAttribute This holds the name of the attribute to which the password policy is applied. For example, the password policy may be applied to the userPassword attribute. ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )