So, real quick, some assumptions on this implementation:
To minimize changes to existing code around users, roles, etc., I'll assume that AD/LDAP users have an account stubbed out in the database. This means that the first time an AD/LDAP user logs in we'll authenticate them to AD and, if it works, we'll jam as much of the AD data as we can into the corresponding fields in the tracmor DB.
So what about the basic design? Right now you have a need for two authentication "providers"
1) Tracmor DB
2) AD/LDAP
I'm looking at a common interface for both with the following methods:
public function authenticate();
- Exceptions: invalid username password, account locked, account disabled, password expired
- Returns valid UserAccount object if it works
- For AD/LDAP this will check to see if the username/password combo is valid in AD. If not, or if the account is locked or whatever, an exception is thrown. If it works, a check in the DB will be made for a matching account and, if not found, a new one will be stubbed in, saved and returned. If the user already had an account it will simply return the existing info.
public function changePassword();
- Exceptions: invalid username password, account disabled, bad password (e.g. too short, no lower and upper case, etc)
- Return boolean
- Self explanatory.
The two provider classes above would be instantiated by a factory pattern unless you have a preference for some other method.
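To make the proposal concrete, here is an added PHP sketch of the interface, the two providers and the factory. It is not Tracmor or Qcodo code, and every name in it (AuthProvider, UserAccount, the exception classes, DbAuthProvider, LdapAuthProvider, AuthProviderFactory, the `auth_provider`/`ldap_*` config keys, and `$repo`, a stand-in for the ORM with `find()`/`save()`) is an assumption. It assumes PHP 7.1+ with ext/ldap and iconv, and includes two checks a reviewer would look for: an empty password is rejected before `ldap_bind` (an empty password is an unauthenticated bind, which many directories report as success), and the username is run through `ldap_escape` before it is placed in a search filter.

```php
<?php
// Added illustration of the interface sketched above, not Tracmor or Qcodo code. Assumed names: AuthProvider,
// UserAccount, the exception classes, DbAuthProvider, LdapAuthProvider, AuthProviderFactory, and $repo (an
// object with find($username)/save($account) standing in for Tracmor's ORM). Assumes PHP 7.1+ with ext/ldap.
class AuthException extends Exception {}
class InvalidCredentialsException extends AuthException {}
class AccountLockedException extends AuthException {}
class AccountDisabledException extends AuthException {}
class PasswordExpiredException extends AuthException {}
class WeakPasswordException extends AuthException {}
// 'source' is an assumed column recording which provider owns the account.
class UserAccount { public $username, $displayName, $email, $passwordHash, $disabled = false, $source = 'db'; }
interface AuthProvider {
    public function authenticate($username, $password);                    // UserAccount, or throws AuthException
    public function changePassword($username, $oldPassword, $newPassword); // bool, or throws AuthException
}
// Password policy from the post: minimum length (an assumed 8) plus upper and lower case.
function checkPasswordPolicy($password) {
    if (strlen($password) < 8 || !preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password))
        throw new WeakPasswordException('Password does not meet policy');
}
class DbAuthProvider implements AuthProvider {
    private $repo;
    public function __construct($repo) { $this->repo = $repo; }
    public function authenticate($username, $password) {
        $acct = $this->repo->find($username);
        // Same exception for unknown user and wrong password, so login failures do not enumerate accounts.
        if ($acct === null || !password_verify($password, (string) $acct->passwordHash)) {
            throw new InvalidCredentialsException('Invalid username or password');
        }
        if ($acct->disabled) throw new AccountDisabledException('Account disabled');
        return $acct;
    }
    public function changePassword($username, $oldPassword, $newPassword) {
        $acct = $this->authenticate($username, $oldPassword);   // re-prove the old password first
        checkPasswordPolicy($newPassword);
        $acct->passwordHash = password_hash($newPassword, PASSWORD_DEFAULT);
        $this->repo->save($acct);
        return true;
    }
}
class LdapAuthProvider implements AuthProvider {
    private $repo, $uri, $baseDn, $bindTemplate;   // template e.g. '%s@corp.example' (assumed config value)
    public function __construct($repo, $uri, $baseDn, $bindTemplate) {
        $this->repo = $repo; $this->uri = $uri; $this->baseDn = $baseDn; $this->bindTemplate = $bindTemplate;
    }
    // Binds as the user; returns array(connection, directory entry or null), or throws.
    private function bindAsUser($username, $password) {
        // An empty password turns ldap_bind into an unauthenticated bind that many servers accept, so reject it first.
        if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
            throw new InvalidCredentialsException('Invalid username or password');
        }
        $ldap = ldap_connect($this->uri);   // use an ldaps:// URI so credentials are not sent in clear text
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
        if (!@ldap_bind($ldap, sprintf($this->bindTemplate, $username), $password)) {
            ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
            ldap_unbind($ldap);
            // Active Directory reports the reason as "data NNN" in the diagnostic text (775 locked, 533 disabled, 532/773 expired).
            $map = array('775' => 'AccountLockedException', '533' => 'AccountDisabledException',
                         '532' => 'PasswordExpiredException', '773' => 'PasswordExpiredException');
            $cls = preg_match('/data (\w+)/', (string) $diag, $m) && isset($map[$m[1]]) ? $map[$m[1]] : 'InvalidCredentialsException';
            throw new $cls('Bind failed for ' . $username);
        }
        // ldap_escape stops the username from altering the search filter.
        $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $res = ldap_search($ldap, $this->baseDn, $filter, array('displayName', 'mail'));
        $entries = $res ? ldap_get_entries($ldap, $res) : array('count' => 0);
        return array($ldap, $entries['count'] > 0 ? $entries[0] : null);
    }
    public function authenticate($username, $password) {
        list($ldap, $entry) = $this->bindAsUser($username, $password);
        ldap_unbind($ldap);
        $acct = $this->repo->find($username);
        if ($acct === null) {   // first login: stub the account from the AD attributes
            $acct = new UserAccount();
            $acct->username = $username;
            $acct->source = 'ldap';
            $acct->displayName = isset($entry['displayname'][0]) ? $entry['displayname'][0] : null;
            $acct->email = isset($entry['mail'][0]) ? $entry['mail'][0] : null;
            $this->repo->save($acct);
        }
        return $acct;
    }
    public function changePassword($username, $oldPassword, $newPassword) {
        checkPasswordPolicy($newPassword);
        list($ldap, $entry) = $this->bindAsUser($username, $oldPassword);
        // AD accepts unicodePwd changes only over TLS; the value is the quoted password in UTF-16LE.
        $enc = function ($p) { return iconv('UTF-8', 'UTF-16LE', '"' . $p . '"'); };
        $ok = $entry !== null && ldap_modify_batch($ldap, $entry['dn'], array(
            array('attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE, 'values' => array($enc($oldPassword))),
            array('attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD, 'values' => array($enc($newPassword))),
        ));
        ldap_unbind($ldap);
        return (bool) $ok;
    }
}
class AuthProviderFactory {   // config keys are assumed names for the separate AD settings file
    public static function create(array $config, $repo) {
        if (($config['auth_provider'] ?? 'db') !== 'ldap') return new DbAuthProvider($repo);
        return new LdapAuthProvider($repo, $config['ldap_uri'], $config['ldap_base_dn'], $config['ldap_bind_template']);
    }
}
```

A login page would call `AuthProviderFactory::create($config, $repo)->authenticate($user, $pass)` inside a try/catch and map each AuthException subclass to a message; the assumed `source` column lets a deployment that keeps a few local admin accounts alongside AD pick the provider per account rather than globally. Both providers deliberately throw the same InvalidCredentialsException for "no such user" and "wrong password".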
Let the WTFs fly... if I could get feedback ironed out by EOD tomorrow I can get started on it next week. Other questions:
1) Where would the interface and classes described above go in the tracmor folder structure?
2) Where would the exceptions above go? Is there some parent qcodo or tracmor exception I should inherit from or go right after the base PHP Exception?
3) Do you want AD settings in its own config file?