}

        // Authentication
        final Authentication[] siteCredentialList =
                getInitParameter(AUTHENTICATIONS_PROPERTY, new Authentication[0], Authentication[].class);
        final List<Pair<FormScheme, Credentials>> formSchemeList = new ArrayList<>();
        for (final Authentication authentication : siteCredentialList) {

        } catch (final Exception e) {
            throw new SsoLoginException("Failed to parse an authentication response.", e);
        }
    }

    /**
     * Validates the nonce in the authentication result.
     * @param stateData The stored state data containing the expected nonce.
     * @param authData The authentication result containing the actual nonce.
     */

sasl_username    (string)    username for SASL/PLAIN or SASL/SCRAM authentication
sasl_password    (string)    password for SASL/PLAIN or SASL/SCRAM authentication
sasl_mechanism   (string)    sasl authentication mechanism, default 'PLAIN'
tls_client_auth  (string)    clientAuth determines the Kafka server's policy for TLS client auth
sasl             (on|off)    set to 'on' to enable SASL authentication
tls              (on|off)    set to 'on' to enable TLS

#                                                 Permission
#                                                     ------

# Admin user names for authentication.
authentication.admin.users=admin
# Admin role names for authentication.
authentication.admin.roles=admin

# Default permissions for search roles.
role.search.default.permissions=
# Default display permissions for search roles.

 *  **Proxy authenticators are now asked for preemptive authentication.** OkHttp will now request
    authentication credentials before creating TLS tunnels through HTTP proxies (HTTP `CONNECT`).
    Authenticators should identify preemptive authentications by the presence of a challenge whose
    scheme is "OkHttp-Preemptive".

                // Reset hash on error to maintain integrity
                resetPreauthHash();
                throw new CIFSException("Pre-authentication integrity hash update failed", e);
            }
        }
    }

    /**
     * Reset the pre-authentication integrity hash to initial state.
     * This should be called on negotiation failures or security errors.
     */

        }
        return isBind;
    }

    /**
     * Authenticates a user with the specified username and password against LDAP.
     *
     * @param username the username for authentication
     * @param password the password for authentication
     * @return an optional containing the authenticated user if successful, empty otherwise
     */
    public OptionalEntity<FessUser> login(final String username, final String password) {

        Integer port = sambaContainer.getMappedPort(SMB_PORT);
        baseUrl = "smb://" + host + ":" + port + "/";

        log.info("Samba container started - Base URL: {}", baseUrl);

        // Create authentication context - try guest auth first for broader compatibility
        try {
            NtlmPasswordAuthentication auth = new NtlmPasswordAuthentication(SingletonContext.getInstance(), WORKGROUP, USERNAME, PASSWORD);

    }

    default int getLtrWindowSize() {
        return getSystemPropertyAsInt(Constants.LTR_WINDOW_SIZE_PROPERTY, 100);
    }

    /**
     * Gets the permission fields for Entra ID authentication.
     * Uses new entraid.permission.fields key with fallback to legacy aad.permission.fields.
     * @return Array of permission field names.
     */
    default String[] getEntraIdPermissionFields() {

github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs=