[Catalyst] Password policy support for Catalyst::Authentication::Store::LDAP

Buchan Milne bgmilne at mandriva.org
Fri Jun 20 10:55:56 BST 2008

In our internal management web app (which has only been feasible due to 
Catalyst), we authenticate against our OpenLDAP (2.3) infrastructure.

Due to various security requirements (SAOX etc.), we are required to have 
password expiration etc. So, we implemented password policies a while back 
using OpenLDAP's slapo-ppolicy overlay 

Net::LDAP recently added support for the Password Policy control, so at least 
this is now feasible (without hacking Net::LDAP, which is where I got stuck 
on the previous attempt).

I think I may be able to provide a patch for Authentication::Store::LDAP, 
however, the first problem is that Catalyst::Authentication (like many other 
authentication frameworks) assumes the result of an authentication will 
always only be a boolean, and thus doesn't make provision for situations such 
-The account is locked out (the password may have been correct, but the user 
can't authenticate)
-The password was reset and needs to be changed (so, authenticate them but 
allow for a means to send them to a password changing facility)
-The password will expire soon

I wouldn't like to try and propose a solution for Catalyst::Authentication 
(yet), but I can try and provide input on any proposed solution.


More information about the Catalyst mailing list