I try to get all my authentication connected to my central LDAP server. Since Silverstripe doesn't have LDAP support I cobbled something together. It is a loose coupling to the LDAP. First try to authenticate against the LDAP; if that fails, authenticate against the password stored in the SilverStripe database.
With this in place I can set my Silverstripe password to some incredibly complex string that can't be brute forced and at the same time allow me to use my normal password, which I cycle monthly, with SilverStripe (and this password is not stored cleartext either). The account must be created in Silverstripe first before anyone can authenticate successfully (it's authentication only, not authorization).
The attached patch shows what I have done (it's quite simple really). I have a few questions about what I have done:
1) Is there any interest in including this kind of functionality? If so, maybe I can develop this further.
2) Did I violate any security model already in place? I did some tricking with the error handler, to prevent an error screen when bind failed.
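
The LDAP-first, local-fallback flow described in this post, as an added example (not the poster's patch and not SilverStripe code). It assumes PHP 7.4+ with the ldap extension; `LDAP_URI`, `LDAP_DN_TEMPLATE`, `ldapBindCheck()` and `authenticate()` are hypothetical names, and `password_verify()` stands in for SilverStripe's own check of the locally stored password.

```php
<?php
// Added example: not the poster's patch and not SilverStripe code.
// LDAP_URI and LDAP_DN_TEMPLATE are hypothetical placeholders.
const LDAP_URI = 'ldaps://ldap.example.org';
const LDAP_DN_TEMPLATE = 'uid=%s,ou=people,dc=example,dc=org';

// True only when the directory accepts a non-empty password for this user.
function ldapBindCheck(string $username, string $password): bool
{
    // A simple bind with an empty password is an "unauthenticated bind"
    // (RFC 4513) that many servers accept, so never forward one.
    if ($username === '' || $password === '' || !function_exists('ldap_connect')) {
        return false;
    }
    $conn = @ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Escape the name so it cannot alter the DN it is placed into.
    $dn = sprintf(LDAP_DN_TEMPLATE, ldap_escape($username, '', LDAP_ESCAPE_DN));
    // "@" silences the failed-bind warning for this call only; the global
    // error handler is left alone.
    $ok = @ldap_bind($conn, $dn, $password);
    ldap_unbind($conn);
    return $ok;
}

// Returns 'ldap', 'local' or null. $localHash is the stored hash of an
// existing local account (null when there is none).
function authenticate(string $username, string $password, ?string $localHash, ?callable $ldapCheck = null): ?string
{
    if ($localHash === null) {
        return null; // authentication only: the account must exist locally
    }
    $ldapCheck ??= 'ldapBindCheck';
    if ($ldapCheck($username, $password)) {
        return 'ldap';
    }
    return password_verify($password, $localHash) ? 'local' : null;
}
// Constructed demo: a stub stands in for the directory so this runs offline.
$hash = password_hash('long-random-local-secret', PASSWORD_DEFAULT);
$stub = fn(string $u, string $p): bool => $p !== '' && $u === 'alice' && $p === 'monthly-pw';
foreach ([['alice', 'monthly-pw', $hash], ['alice', 'long-random-local-secret', $hash],
          ['alice', '', $hash], ['bob', 'monthly-pw', null]] as [$u, $p, $h]) {
    printf("%s / %s => %s\n", $u, $p === '' ? '(empty)' : $p, authenticate($u, $p, $h, $stub) ?? 'denied');
}
```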