authenticate filter in WP 2.8

I have an LDAP authentication plugin that currently relies on replacing wp_authenticate(). I only recently noticed the new “authenticate” filter as my plugin has continued to work after the transition from 2.7.x to 2.8.x.

I have a question about this filter that I am having troubles answering. It seems that the filters are applied in order of priority. For example, authenticating with username/password in WP is set as a priority 20 while using a cookie is set at 30. I assume my integration should use 10 as that seems to be the default for added functionality.

I also grasp the idea of deferring to higher priority plugins: if ( is_a($user, ‘WP_User’) ) { return $user; }

However, when it comes to authentication a chain of multiple authentication methods which can say yea/nay to a username/password combination can be unnecessarily insecure. For instance, if my plugin attempts to log the user in with LDAP and fails, it should fail permanently, not give the same credentials a shot at the local database.

This widens the effective attack target and essentially creates two passwords (or more) that can access one username’s account.

In my current architecture I have handled this by rewriting wp_authenticate as I see fit (ie, “all willy nilly). I allow users to specify a login security mode that either permits failed logins to hit the wp system for another try or fails permanently (default).

However, using filters it seems that it will simply keep moving down the chain regardless of what I do. Is this true? Am I missing something obvious?

I have not done a tremendous amount of testing yet as this requires a significant rewrite. I’m hoping someone else can explain how this is *supposed* to work before I spend a few days doing a rewrite. 🙂

Thanks in advance,
Clif