Package com.netscape.cms.authentication
Class DirBasedAuthentication
java.lang.Object
org.dogtagpki.server.authentication.AuthManager
com.netscape.cms.authentication.DirBasedAuthentication
- All Implemented Interfaces:
IExtendedPluginInfo
- Direct Known Subclasses:
PortalEnroll
,UidPwdDirAuthentication
,UidPwdPinDirAuthentication
,UserPwdDirAuthentication
Abstract class for directory based authentication managers
Uses a pattern for formulating subject names.
The pattern is read from configuration file.
Syntax of the pattern is described in the init() method.
- Version:
- $Revision$, $Date$
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final String
static final String
static final String
static final String
static final String
protected static String
static org.slf4j.Logger
protected String
protected boolean
protected LdapConnFactory
protected String
protected String
protected String
protected boolean
protected String
protected String[]
protected String[]
protected LDAPConfig
protected String[]
protected DNPattern
protected boolean
protected String
protected String
protected static final String
protected static final String
protected static final String
protected static final String
protected static final String
protected static final String
protected static final String
protected static final String
protected static final String
protected static final String
protected static final String
protected static final String
Fields inherited from class org.dogtagpki.server.authentication.AuthManager
AUTHENTICATED_NAME, authenticationConfig, CRED_CERT_SERIAL_TO_REVOKE, CRED_CMC_SELF_SIGNED, CRED_CMC_SIGNING_CERT, CRED_HOST_NAME, CRED_SESSION_ID, CRED_SSL_CLIENT_CERT, engine, mConfig, mConfigParams, mImplName, mName
Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo
HELP_TEXT, HELP_TOKEN
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionauthenticate
(AuthCredentials authCred) Authenticates user through LDAP by a set of credentials.protected abstract String
authenticate
(netscape.ldap.LDAPConnection conn, AuthCredentials authCreds, AuthToken token) Authenticates a user through directory based a set of credentials.protected void
formCertInfo
(netscape.ldap.LDAPConnection conn, String userdn, org.mozilla.jss.netscape.security.x509.X509CertInfo certinfo, AuthToken token) Formulate the cert info.protected String
formSubjectName
(netscape.ldap.LDAPEntry entry) Formulate the subject nameString[]
This method returns an array of strings.protected String[]
Return a list of LDAP attributes with String values to retrieve.protected String[]
Return a list of LDAP attributes with byte[] values to retrieve.abstract String[]
get the list of required credentials.Retrieves the localizable description of this policy.getValueDescriptor
(Locale locale, String name) Retrieves the descriptor of the given value property by name.Retrieves a list of names of the property.void
init
(AuthenticationConfig authenticationConfig, String name, String implName, AuthManagerConfig config) Initializes the UidPwdDirBasedAuthentication auth manager.void
init
(AuthenticationConfig authenticationConfig, String name, String implName, AuthManagerConfig config, boolean needBaseDN) boolean
Checks if this authenticator requires SSL client authentication.boolean
isValueWriteable
(String name) Checks if the value of the given property should be serializable into the request.void
Populates authentication specific information into the request for auditing purposes.protected void
setAuthTokenByteValue
(String name, netscape.ldap.LDAPEntry entry, AuthToken tok) protected void
setAuthTokenStringValue
(String name, netscape.ldap.LDAPEntry entry, AuthToken tok) protected void
setAuthTokenValues
(netscape.ldap.LDAPEntry e, AuthToken tok) Copy values from the LDAPEntry into the AuthToken.void
shutdown()
disconnects the ldap connectionsMethods inherited from class org.dogtagpki.server.authentication.AuthManager
getAuthenticationConfig, getCMSEngine, getConfigParams, getConfigStore, getImplName, getName, getName, init, setAuthenticationConfig, setCMSEngine
-
Field Details
-
logger
public static org.slf4j.Logger logger -
CRED_UID
- See Also:
-
CRED_PWD
- See Also:
-
CRED_USER_PASSWORD
- See Also:
-
CRED_PIN
- See Also:
-
CRED_ShrTok
- See Also:
-
USER_DN
- See Also:
-
PROP_GROUPS_ENABLE
- See Also:
-
PROP_GROUPS_BASEDN
- See Also:
-
PROP_GROUPS
- See Also:
-
PROP_GROUP_OBJECT_CLASS
- See Also:
-
PROP_GROUP_USERID_NAME
- See Also:
-
PROP_USERID_NAME
- See Also:
-
PROP_SEARCH_GROUP_USER_BY_USERDN
- See Also:
-
PROP_DNPATTERN
- See Also:
-
PROP_LDAPSTRINGATTRS
- See Also:
-
PROP_LDAPBYTEATTRS
- See Also:
-
PROP_LDAP_BOUND_CONN
- See Also:
-
mLdapConfig
-
mBaseDN
-
mGroupsEnable
protected boolean mGroupsEnable -
mGroups
-
mGroupsBaseDN
-
mGroupObjectClass
-
mUserIDName
-
mGroupUserIDName
-
mSearchGroupUserByUserdn
protected boolean mSearchGroupUserByUserdn -
mBoundConnEnable
protected boolean mBoundConnEnable -
mConnFactory
-
mPattern
-
mLdapStringAttrs
-
mLdapByteAttrs
-
mLdapAttrs
-
mTag
-
DEFAULT_DNPATTERN
-
mExtendedPluginInfo
-
-
Constructor Details
-
DirBasedAuthentication
public DirBasedAuthentication()Default constructor, initialization must follow.
-
-
Method Details
-
init
public void init(AuthenticationConfig authenticationConfig, String name, String implName, AuthManagerConfig config) throws EBaseException Initializes the UidPwdDirBasedAuthentication auth manager. Takes the following configuration parameters:
ldap.basedn - the ldap base dn. ldap.ldapconn.host - the ldap host. ldap.ldapconn.port - the ldap port ldap.ldapconn.secureConn - whether port should be secure ldap.minConns - minimum connections ldap.maxConns - max connections dnpattern - dn pattern.
dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.
The syntax is
dnpattern = SubjectNameComp *[ "," SubjectNameComp ] SubjectNameComponent = DnComp | EntryComp | ConstantComp DnComp = CertAttr "=" "$dn" "." DnAttr "." Num EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num ConstantComp = CertAttr "=" Constant DnAttr = an attribute in the Ldap entry dn EntryAttr = an attribute in the Ldap entry CertAttr = a Component in the Certificate Subject Name (multiple AVA in one RDN not supported) Num = the nth value of tha attribute in the dn or entry. Constant = Constant String, with any accepted ldap string value.
Example:
dnpattern: E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
Ldap entry dn: UID=joesmith, OU=people, O=Acme.com
Ldap attributes: cn: Joe Smith sn: Smith mail: joesmith@acme.com mail: joesmith@redhat.com ou: people ou: IS etc.The subject name formulated in the cert will be :
E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US E = the first 'mail' ldap attribute value in user's entry - joesmithe@acme.com CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith OU = the second 'ou' value in the ldap entry - IS O = the (first) 'o' value in the user's entry DN - "Acme.com" C = the constant string "US"
- Specified by:
init
in classAuthManager
- Parameters:
name
- The name for this authentication manager instance.implName
- The name of the authentication manager plugin.config
- - The configuration store for this instance.- Throws:
EBaseException
- If an error occurs during initialization.
-
init
public void init(AuthenticationConfig authenticationConfig, String name, String implName, AuthManagerConfig config, boolean needBaseDN) throws EBaseException - Throws:
EBaseException
-
getText
Description copied from class:AuthManager
Retrieves the localizable description of this policy.- Specified by:
getText
in classAuthManager
- Parameters:
locale
- end user locale- Returns:
- localized authenticator description
-
getValueNames
Description copied from class:AuthManager
Retrieves a list of names of the property.- Specified by:
getValueNames
in classAuthManager
- Returns:
- a list of property names
-
getValueDescriptor
Description copied from class:AuthManager
Retrieves the descriptor of the given value property by name.- Specified by:
getValueDescriptor
in classAuthManager
- Parameters:
locale
- user localename
- property name- Returns:
- descriptor of the requested property
-
isValueWriteable
Description copied from class:AuthManager
Checks if the value of the given property should be serializable into the request. Passsword or other security-related value may not be desirable for storage.- Specified by:
isValueWriteable
in classAuthManager
- Parameters:
name
- property name- Returns:
- true if the property is not security related
-
isSSLClientRequired
public boolean isSSLClientRequired()Description copied from class:AuthManager
Checks if this authenticator requires SSL client authentication.- Specified by:
isSSLClientRequired
in classAuthManager
- Returns:
- client authentication required or not
-
authenticate
public AuthToken authenticate(AuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, EBaseException Authenticates user through LDAP by a set of credentials. Resulting AuthToken a TOKEN_CERTINFO field of a X509CertInfo- Specified by:
authenticate
in classAuthManager
- Parameters:
authCred
- Authentication credentials, CRED_UID and CRED_PWD.- Returns:
- A AuthToken with a TOKEN_SUBJECT of X500name type.
- Throws:
EMissingCredential
- If a required authentication credential is missing.EInvalidCredentials
- If credentials failed authentication.EBaseException
- If an internal error occurred.- See Also:
-
populate
Description copied from class:AuthManager
Populates authentication specific information into the request for auditing purposes.- Specified by:
populate
in classAuthManager
- Parameters:
token
- authentication tokenrequest
- request- Throws:
EProfileException
- failed to populate
-
getRequiredCreds
get the list of required credentials.- Specified by:
getRequiredCreds
in classAuthManager
- Returns:
- list of required credentials as strings.
-
shutdown
public void shutdown()disconnects the ldap connections- Specified by:
shutdown
in classAuthManager
-
authenticate
protected abstract String authenticate(netscape.ldap.LDAPConnection conn, AuthCredentials authCreds, AuthToken token) throws EBaseException Authenticates a user through directory based a set of credentials.- Parameters:
authCreds
- The authentication credentials.- Returns:
- The user's ldap entry dn.
- Throws:
EInvalidCredentials
- If the uid and password are not validEBaseException
- If an internal error occurs.
-
formCertInfo
protected void formCertInfo(netscape.ldap.LDAPConnection conn, String userdn, org.mozilla.jss.netscape.security.x509.X509CertInfo certinfo, AuthToken token) throws EBaseException Formulate the cert info.- Parameters:
conn
- A LDAP Connection authenticated to user to use.userdn
- The user's dn.certinfo
- A certinfo object to fill.token
- A authentication token to fill.- Throws:
EBaseException
- If an internal error occurs.
-
setAuthTokenValues
Copy values from the LDAPEntry into the AuthToken. The list of values that should be store this way is given in a the ldapAttributes configuration parameter. -
setAuthTokenStringValue
-
setAuthTokenByteValue
-
getLdapAttrs
Return a list of LDAP attributes with String values to retrieve. Subclasses can override to return any set of attributes.- Returns:
- Array of LDAP attributes to retrieve from the directory.
-
getLdapByteAttrs
Return a list of LDAP attributes with byte[] values to retrieve. Subclasses can override to return any set of attributes.- Returns:
- Array of LDAP attributes to retrieve from the directory.
-
formSubjectName
Formulate the subject name- Parameters:
entry
- The LDAP entry- Returns:
- The subject name string.
- Throws:
EBaseException
- If an internal error occurs.EAuthException
-
getExtendedPluginInfo
Description copied from interface:IExtendedPluginInfo
This method returns an array of strings. Each element of the array represents a configurable parameter, or some other meta-info (such as help-token) there is an entry indexed on that parameter name Where: type_info is either 'string', 'number', 'boolean', 'password' or 'choice(ch1,ch2,ch3,...)' If the marker 'required' is included after the type_info, the parameter will has some visually distinctive marking in the UI. 'description' is a short sentence describing the parameter 'choice' is rendered as a drop-down list. The first parameter in the list will be activated by default 'boolean' is rendered as a checkbox. The resulting parameter will be either 'true' or 'false' 'string' allows any characters 'number' allows only numbers 'password' is rendered as a password field (the characters are replaced with *'s when being types. This parameter is not passed through to the plugin. It is instead inserted directly into the password cache keyed on the instance name. The value of the parameter 'bindPWPrompt' (see example below) is set to the key. In addition to the configurable parameters, the following magic parameters may be defined: HELP_TOKEN;helptoken - a pointer to the online manual section for this plugin HELP_TEXT;helptext - a general help string describing the plugin For example: "username;string;The username you wish to login as" "bindPWPrompt;password;Enter password to bind as above user with" "algorithm;choice(RSA,DSA);Which algorithm do you want to use" "enable;boolean;Do you want to run this plugin" "port;number;Which port number do you want to use"- Specified by:
getExtendedPluginInfo
in interfaceIExtendedPluginInfo
-