[Catalyst] Password policy support for Catalyst::Authentication::Store::LDAP

Buchan Milne bgmilne at mandriva.org
Fri Jun 20 10:55:56 BST 2008


In our internal management web app (which has only been feasible due to 
Catalyst), we authenticate against our OpenLDAP (2.3) infrastructure.

Due to various security requirements (SAOX etc.), we are required to have 
password expiration etc. So, we implemented password policies a while back 
using OpenLDAP's slapo-ppolicy overlay 
(http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release)

Net::LDAP recently added support for the Password Policy control, so at least 
this is now feasible (without hacking Net::LDAP, which is where I got stuck 
on the previous attempt).

I think I may be able to provide a patch for Authentication::Store::LDAP, 
however, the first problem is that Catalyst::Authentication (like many other 
authentication frameworks) assumes the result of an authentication will 
always only be a boolean, and thus doesn't make provision for situations such 
as:
- The account is locked out (the password may have been correct, but the user 
can't authenticate)
- The password was reset and needs to be changed (so, authenticate them but 
allow for a means to send them to a password changing facility)
- The password will expire soon
etc.

I wouldn't like to try and propose a solution for Catalyst::Authentication 
(yet), but I can try and provide input on any proposed solution.

Regards,
Buchan
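An added illustration (not code from the post or from Catalyst::Authentication::Store::LDAP) of what a non-boolean result could look like: bind with Net::LDAP's Password Policy request control attached and turn the slapo-ppolicy response control into a status covering the three cases listed above. The server host and user DN are hypothetical, and a reachable OpenLDAP with slapo-ppolicy is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::PasswordPolicy;
use Net::LDAP::Constant qw(
    LDAP_CONTROL_PASSWORDPOLICY LDAP_SUCCESS
    LDAP_PP_PASSWORD_EXPIRED LDAP_PP_ACCOUNT_LOCKED LDAP_PP_CHANGE_AFTER_RESET
);

# Map the bind result code plus the server's ppolicy response control (if any)
# into a structured status instead of a bare true/false.
sub interpret_ppolicy {
    my ($code, $resp) = @_;
    my %r = ( authenticated => ($code == LDAP_SUCCESS ? 1 : 0), status => 'ok' );
    return \%r unless $resp;    # server sent no ppolicy control back

    my $err = $resp->pp_error;  # note: passwordExpired is 0, so test definedness
    if (defined $err) {
        $r{status} = $err == LDAP_PP_ACCOUNT_LOCKED     ? 'locked'       # case 1
                   : $err == LDAP_PP_PASSWORD_EXPIRED   ? 'expired'
                   : $err == LDAP_PP_CHANGE_AFTER_RESET ? 'must_change'  # case 2
                   :                                       "ppolicy_error_$err";
    }
    # Warnings (expiry countdown, grace logins) arrive alongside a successful bind
    my $ttl   = $resp->time_before_expiration;
    my $grace = $resp->grace_authentications_remaining;
    $r{expires_in_seconds} = $ttl   if defined $ttl;
    $r{grace_logins_left}  = $grace if defined $grace;
    $r{status} = 'expiring_soon' if $r{status} eq 'ok' && defined $ttl;  # case 3
    return \%r;
}

# Bind with the Password Policy request control and interpret the reply.
sub ppolicy_bind {
    my ($ldap, $dn, $password) = @_;
    my $req  = Net::LDAP::Control::PasswordPolicy->new;
    my $mesg = $ldap->bind( $dn, password => $password, control => [ $req ] );
    my ($resp) = $mesg->control( LDAP_CONTROL_PASSWORDPOLICY );
    return interpret_ppolicy( $mesg->code, $resp );
}

# Usage against a hypothetical server and DN (assumptions, not from the post):
my $ldap   = Net::LDAP->new('ldap.example.com') or die "connect failed: $@";
my $result = ppolicy_bind( $ldap, 'uid=jdoe,ou=People,dc=example,dc=com', 'secret' );
printf "authenticated=%d status=%s\n", $result->{authenticated}, $result->{status};
```

A store could hand the `status` value back to the application so a locked account is refused outright, a `must_change` user is redirected to the password-change page, and an `expiring_soon` user is warned.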