^^^ you assume every authentication can be turned in a value compare;
for those cases, draft-behera is just fine, because it already accounts
for compare on the pwdAttribute as an authentication method. However,
there are other password-based methods that need the value, not just a
yes/no. This is what I'm discussing, and that's why I need separate
"lookup" and "done" methods; that's also why my needs are currently out
of the scope of draft-behera, requiring me to (re-)implement its logics
in the authentication application, using hacks to update the
authentication state info in the DSA.