Advanced JSS Authentication Extension

Use advanced authentication when the password or password hash are unknown by the authenticator; usually when authentication is being handled by an external system.

There are two methods that needs to be implemented are:

checkUserName(userName, userInfo)
authenticate(userName, password, authInfo)

When the server call these methods in your authenticator, it supplies user information that enables your extension to look up that user's authentication details from an external source.

Optionally, a setPassword() method can be defined, which enables users who have logged in via this authenticator to change their passwords:

setPassword(userName, newPassword, oldPassword)

function checkUserName(userName, userInfo)

Indicates whether or not the given user-name is valid. If true is returned the CompleteFTP won't allow other authenticators to try to authenticate this user.

If it's not possible to determine whether or not a user-name is valid also having a password then this method may return true regardless of the value of userName. However, if this is done then no authenticators (with lesser precedence) will be utilized.

The first argument is a string containing the user-name. If that's all that's required then the second argument may be left out.

The second argument, userInfo, has the following fields:

• userName - the user-name being presented by the client.
• siteName - the name of the site that the client is connecting to.
• remoteEndPoint - object with two fields, ip and port.
• session - object containing information about the session.

function authenticate(userName, password, authInfo)

Authenticates the client. This method will only be called if checkUserName return true.

The first and second arguments are strings containing the user-name and the password, respectively. If that's all that's required then the third argument may be left out.

The third argument, authInfo, has the following fields.

• userName - the user-name being presented by the client.
• password - the password being presented by the client.
• siteName - the name of the site that the client is connecting to.
• remoteEndPoint - object with two fields, IP and port.
• session - object containing information about the session.
• authenticationMethod - authentication method being used - either 'Password' or 'PublicKey'.
• keyAlgorithm - the key algorithm - either 'DSA' or 'RSA'.

This method may return either a boolean or an object containing the following fields:

• isCorrectPassword - indicates whether or not the password is correct (only used if authenticationMethod is 'Password').
• isValidKey - indicates whether or not the public key is correct (only used if authenticationMethod is 'PublicKey').
• homeDirectory - home directory to be used (Windows path).
• mustChangePassword - indicates whether or not the user will be forced to change their password (SFTP/SCP only).
• groups - array of the names of groups (strings) of which the user should be a member.
• tags - object whose fields are arbitrary name-value pairs that will be available via the system.user.tags field for the lifetime of the user's session.

The methods isValidDSAKey(key) and isValidRSAKey(key) may be used to check keys. The argument must be a public key in a common format such as OpenSSH.

function setPassword(userName, newPassword, oldPassword)

Sets the password of the user to newPassword.