Package com.netscape.cms.authentication

Class DirBasedAuthentication

    • Field Detail

      • logger

        public static org.slf4j.Logger logger

      • PROP_GROUPS_ENABLE

        protected static final java.lang.String PROP_GROUPS_ENABLE
        See Also:
        Constant Field Values

      • PROP_GROUPS_BASEDN

        protected static final java.lang.String PROP_GROUPS_BASEDN
        See Also:
        Constant Field Values

      • PROP_GROUP_OBJECT_CLASS

        protected static final java.lang.String PROP_GROUP_OBJECT_CLASS
        See Also:
        Constant Field Values

      • PROP_GROUP_USERID_NAME

        protected static final java.lang.String PROP_GROUP_USERID_NAME
        See Also:
        Constant Field Values

      • PROP_USERID_NAME

        protected static final java.lang.String PROP_USERID_NAME
        See Also:
        Constant Field Values

      • PROP_SEARCH_GROUP_USER_BY_USERDN

        protected static final java.lang.String PROP_SEARCH_GROUP_USER_BY_USERDN
        See Also:
        Constant Field Values

      • PROP_LDAPSTRINGATTRS

        protected static final java.lang.String PROP_LDAPSTRINGATTRS
        See Also:
        Constant Field Values

      • PROP_LDAPBYTEATTRS

        protected static final java.lang.String PROP_LDAPBYTEATTRS
        See Also:
        Constant Field Values

      • PROP_LDAP_BOUND_CONN

        protected static final java.lang.String PROP_LDAP_BOUND_CONN
        See Also:
        Constant Field Values

      • mName

        protected java.lang.String mName

      • mImplName

        protected java.lang.String mImplName

      • mBaseDN

        protected java.lang.String mBaseDN

      • mGroupsEnable

        protected boolean mGroupsEnable

      • mGroups

        protected java.lang.String mGroups

      • mGroupsBaseDN

        protected java.lang.String mGroupsBaseDN

      • mGroupObjectClass

        protected java.lang.String mGroupObjectClass

      • mUserIDName

        protected java.lang.String mUserIDName

      • mGroupUserIDName

        protected java.lang.String mGroupUserIDName

      • mSearchGroupUserByUserdn

        protected boolean mSearchGroupUserByUserdn

      • mBoundConnEnable

        protected boolean mBoundConnEnable

      • mLdapStringAttrs

        protected java.lang.String[] mLdapStringAttrs

      • mLdapByteAttrs

        protected java.lang.String[] mLdapByteAttrs

      • mLdapAttrs

        protected java.lang.String[] mLdapAttrs

      • mTag

        protected java.lang.String mTag

      • DEFAULT_DNPATTERN

        protected static java.lang.String DEFAULT_DNPATTERN

      • mExtendedPluginInfo

        protected static java.util.Vector<java.lang.String> mExtendedPluginInfo

    • Constructor Detail

      • DirBasedAuthentication

        public DirBasedAuthentication()
        Default constructor, initialization must follow.

    • Method Detail

      • init

        public void init​(java.lang.String name,
                 java.lang.String implName,
                 AuthManagerConfig config)
          throws EBaseException
        Initializes the UidPwdDirBasedAuthentication auth manager. Takes the following configuration parameters: 
                ldap.basedn             - the ldap base dn.
        ldap.ldapconn.host      - the ldap host.
        ldap.ldapconn.port      - the ldap port
        ldap.ldapconn.secureConn - whether port should be secure
        ldap.minConns           - minimum connections
        ldap.maxConns           - max connections
        dnpattern               - dn pattern.

        dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.

        The syntax is 

             dnpattern = SubjectNameComp *[ "," SubjectNameComp ]

     SubjectNameComponent = DnComp | EntryComp | ConstantComp
     DnComp = CertAttr "=" "$dn" "." DnAttr "." Num
     EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num
     ConstantComp = CertAttr "=" Constant
     DnAttr    =  an attribute in the Ldap entry dn
     EntryAttr =  an attribute in the Ldap entry
     CertAttr  =  a Component in the Certificate Subject Name
                  (multiple AVA in one RDN not supported)
     Num       =  the nth value of tha attribute  in the dn or entry.
     Constant  =  Constant String, with any accepted ldap string value.

        Example: 

         dnpattern:
     E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
 
        
 Ldap entry dn:
     UID=joesmith, OU=people, O=Acme.com
 
        
 Ldap attributes:
     cn: Joe Smith
     sn: Smith
     mail: joesmith@acme.com
     mail: joesmith@redhat.com
     ou: people
     ou: IS
     etc.

        The subject name formulated in the cert will be : 

           E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US

      E = the first 'mail' ldap attribute value in user's entry - joesmithe@acme.com
      CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith
      OU = the second 'ou' value in the ldap entry - IS
      O = the (first) 'o' value in the user's entry DN - "Acme.com"
      C = the constant string "US"
        Specified by:
        init in interface AuthManager
        Parameters:
        name - The name for this authentication manager instance.
        implName - The name of the authentication manager plugin.
        config - - The configuration store for this instance.
        Throws:
        EBaseException - If an error occurs during initialization.

      • getName

        public java.lang.String getName()
        gets the name of this authentication manager instance
        Specified by:
        getName in interface AuthManager
        Returns:
        the name of this authentication manager.

      • getImplName

        public java.lang.String getImplName()
        gets the plugin name of this authentication manager.
        Specified by:
        getImplName in interface AuthManager
        Returns:
        the name of the authentication manager plugin.

      • getRequiredCreds

        public abstract java.lang.String[] getRequiredCreds()
        get the list of required credentials.
        Specified by:
        getRequiredCreds in interface AuthManager
        Returns:
        list of required credentials as strings.

      • getConfigParams

        public abstract java.lang.String[] getConfigParams()
        Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.
        Specified by:
        getConfigParams in interface AuthManager
        Returns:
        String array of configuration parameter names.

      • shutdown

        public void shutdown()
        disconnects the ldap connections
        Specified by:
        shutdown in interface AuthManager

      • getConfigStore

        public AuthManagerConfig getConfigStore()
        Gets the configuration substore used by this authentication manager
        Specified by:
        getConfigStore in interface AuthManager
        Returns:
        configuration store

      • authenticate

        protected abstract java.lang.String authenticate​(netscape.ldap.LDAPConnection conn,
                                                 IAuthCredentials authCreds,
                                                 AuthToken token)
                                          throws EBaseException
        Authenticates a user through directory based a set of credentials.
        Parameters:
        authCreds - The authentication credentials.
        Returns:
        The user's ldap entry dn.
        Throws:
        EInvalidCredentials - If the uid and password are not valid
        EBaseException - If an internal error occurs.

      • formCertInfo

        protected void formCertInfo​(netscape.ldap.LDAPConnection conn,
                            java.lang.String userdn,
                            org.mozilla.jss.netscape.security.x509.X509CertInfo certinfo,
                            AuthToken token)
                     throws EBaseException
        Formulate the cert info.
        Parameters:
        conn - A LDAP Connection authenticated to user to use.
        userdn - The user's dn.
        certinfo - A certinfo object to fill.
        token - A authentication token to fill.
        Throws:
        EBaseException - If an internal error occurs.

      • setAuthTokenValues

        protected void setAuthTokenValues​(netscape.ldap.LDAPEntry e,
                                  AuthToken tok)
        Copy values from the LDAPEntry into the AuthToken. The list of values that should be store this way is given in a the ldapAttributes configuration parameter.

      • setAuthTokenStringValue

        protected void setAuthTokenStringValue​(java.lang.String name,
                                       netscape.ldap.LDAPEntry entry,
                                       AuthToken tok)

      • setAuthTokenByteValue

        protected void setAuthTokenByteValue​(java.lang.String name,
                                     netscape.ldap.LDAPEntry entry,
                                     AuthToken tok)

      • getLdapAttrs

        protected java.lang.String[] getLdapAttrs()
        Return a list of LDAP attributes with String values to retrieve. Subclasses can override to return any set of attributes.
        Returns:
        Array of LDAP attributes to retrieve from the directory.

      • getLdapByteAttrs

        protected java.lang.String[] getLdapByteAttrs()
        Return a list of LDAP attributes with byte[] values to retrieve. Subclasses can override to return any set of attributes.
        Returns:
        Array of LDAP attributes to retrieve from the directory.

      • formSubjectName

        protected java.lang.String formSubjectName​(netscape.ldap.LDAPEntry entry)
                                    throws EAuthException
        Formulate the subject name
        Parameters:
        entry - The LDAP entry
        Returns:
        The subject name string.
        Throws:
        EBaseException - If an internal error occurs.
        EAuthException

      • getExtendedPluginInfo

        public java.lang.String[] getExtendedPluginInfo​(java.util.Locale locale)
        Description copied from interface: IExtendedPluginInfo
        This method returns an array of strings. Each element of the array represents a configurable parameter, or some other meta-info (such as help-token) there is an entry indexed on that parameter name ;[,required];;... Where: type_info is either 'string', 'number', 'boolean', 'password' or 'choice(ch1,ch2,ch3,...)' If the marker 'required' is included after the type_info, the parameter will has some visually distinctive marking in the UI. 'description' is a short sentence describing the parameter 'choice' is rendered as a drop-down list. The first parameter in the list will be activated by default 'boolean' is rendered as a checkbox. The resulting parameter will be either 'true' or 'false' 'string' allows any characters 'number' allows only numbers 'password' is rendered as a password field (the characters are replaced with *'s when being types. This parameter is not passed through to the plugin. It is instead inserted directly into the password cache keyed on the instance name. The value of the parameter 'bindPWPrompt' (see example below) is set to the key. In addition to the configurable parameters, the following magic parameters may be defined: HELP_TOKEN;helptoken - a pointer to the online manual section for this plugin HELP_TEXT;helptext - a general help string describing the plugin For example: "username;string;The username you wish to login as" "bindPWPrompt;password;Enter password to bind as above user with" "algorithm;choice(RSA,DSA);Which algorithm do you want to use" "enable;boolean;Do you want to run this plugin" "port;number;Which port number do you want to use"
        Specified by:
        getExtendedPluginInfo in interface IExtendedPluginInfo