  1. Directory ApacheDS
  2. DIRSERVER-1926

Supply Entry to PasswordValidator instead of username



    • Type: Improvement
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-M15, 2.0.0-M16
    • Fix Version/s: 2.0.0-M16
    • Component/s: core
    • Labels:


      It is very common that PasswordValidation has a requirement to ensure a login name is not part of the password. It is also common to use a two-phase authentication in which an attribute of the user Entry is used to look up the DN and then bind against the DN. Most commonly you see an email-based lookup. Since @ is not allowed in a DN, you cannot use mail as the RDN. So, if you want to validate that the actual login name is not part of the password, you will need the entry (as it could be any attribute that is used for the lookup). My proposed solution will maintain backwards compatibility while allowing for this new validation at the same time by adding PasswordValidator2, which extends PasswordValidator, adding a validate that takes an Entry for the username. Then, in the AuthenticationInterceptor, I change the add and modify methods to supply the Entry to the check method, which then checks the type of the PasswordValidator and, if the type is PasswordValidator2, uses the validate with the Entry. You will find patches attached.

      As a workaround I have to extend your AuthenticationInterceptor, override add, modify, and check with 99% identical code which would be rather unmaintainable as the project moves forward. So hopefully you will choose to integrate this into the core...


        1. AuthenticationInterceptor.patch
          3 kB
          lucas theisen
        2. PasswordValidator2.java
          2 kB
          lucas theisen
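
The dispatch described in the issue, as an added example (it is not the attached patch and not ApacheDS code). `PasswordValidator` and `PasswordValidator2` are stand-in interfaces with assumed signatures, the entry is modelled as a plain map, and the `uid`/`mail` attribute list, the mail local-part check and the sample values are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Stand-in types for illustration only; signatures are assumed, not taken from ApacheDS.
public class ValidatorDispatchExample {
    interface PasswordValidator { void validate(String password, String username); }

    // Extension described in the issue: the old contract plus an overload that sees the whole entry.
    interface PasswordValidator2 extends PasswordValidator {
        void validate(String password, Map<String, List<String>> entry);
    }

    // Rejects a password that contains any value of the assumed login attributes (uid, mail).
    static class NoLoginNameInPassword implements PasswordValidator2 {
        public void validate(String password, String username) { reject(password, username); }

        public void validate(String password, Map<String, List<String>> entry) {
            for (String attr : List.of("uid", "mail")) {
                for (String value : entry.getOrDefault(attr, List.of())) {
                    reject(password, value);
                    int at = value.indexOf('@');
                    if (at > 0) reject(password, value.substring(0, at)); // local part of a mail address
                }
            }
        }

        static void reject(String password, String name) {
            if (name == null || name.length() < 3) return; // too short to be a meaningful match
            if (password.toLowerCase(Locale.ROOT).contains(name.toLowerCase(Locale.ROOT)))
                throw new IllegalArgumentException("password contains login name: " + name);
        }
    }

    // Backwards-compatible dispatch: old validators get the RDN value, new ones get the entry.
    static void check(PasswordValidator v, String password, String rdnValue, Map<String, List<String>> entry) {
        if (v instanceof PasswordValidator2) ((PasswordValidator2) v).validate(password, entry);
        else v.validate(password, rdnValue);
    }

    public static void main(String[] args) {
        // Constructed sample entry: the RDN is cn, but the user logs in by mail.
        Map<String, List<String>> entry = Map.of("cn", List.of("Jane Doe"), "mail", List.of("jdoe@example.com"));
        PasswordValidator legacy = (pw, user) -> NoLoginNameInPassword.reject(pw, user);
        check(legacy, "Jdoe-2014-spring", "Jane Doe", entry); // legacy path only sees the RDN value
        try {
            check(new NoLoginNameInPassword(), "Jdoe-2014-spring", "Jane Doe", entry);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The legacy validator accepts the password because it only compares against the RDN value, while the entry-aware validator can compare against the attribute actually used for the login lookup.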



            • Assignee:
              akiran Kiran Ayyagari
              ltheisen@mitre.org lucas theisen