I'm not really sure what you asking for in the last sentence, but I did read your meditation about WIP delivery system. My taste is to leverage what already exists (in this case using an ldap bind call to authenticate users). Do you ever anticipate implementing a password policy that requires changes (e.g. once a quarter)? In my project I have to be able to support a password policy for accounts in the directory -- so I think my authentication method has to be a bind as the user. Our directory is public so I don't think allowing anonymous access to userPassword
would be a good idea.
Here is a code sample of what we're a prototyping:
# anonymous bind to determine user DN
$msg = $ldap->bind();
$msg = $ldap->search (
base => $BASE,
filter => "(uid=$uid)"
die "no entries" if ! $msg->count;
my $entry = $msg->shift_entry;
my $dn = $entry->dn;
$msg = $ldap->bind( $dn, password => $secret );