Package com.netscape.cms.authentication
Class DirBasedAuthentication
- java.lang.Object
  - com.netscape.cms.authentication.DirBasedAuthentication
- All Implemented Interfaces: IExtendedPluginInfo, AuthManager
- Direct Known Subclasses: PortalEnroll, SharedSecret, UidPwdDirAuthentication, UidPwdPinDirAuthentication, UserPwdDirAuthentication
public abstract class DirBasedAuthentication extends java.lang.Object implements AuthManager, IExtendedPluginInfo
Abstract class for directory-based authentication managers. It uses a pattern to formulate the certificate subject name from the authenticated user's directory entry; the pattern is read from the configuration file and its syntax is described under init().
Field Summary
Fields (modifier and type, field):
protected static java.lang.String DEFAULT_DNPATTERN
static org.slf4j.Logger logger
protected java.lang.String mBaseDN
protected boolean mBoundConnEnable
protected AuthManagerConfig mConfig
protected ILdapConnFactory mConnFactory
protected static java.util.Vector<java.lang.String> mExtendedPluginInfo
protected java.lang.String mGroupObjectClass
protected java.lang.String mGroups
protected java.lang.String mGroupsBaseDN
protected boolean mGroupsEnable
protected java.lang.String mGroupUserIDName
protected java.lang.String mImplName
protected java.lang.String[] mLdapAttrs
protected java.lang.String[] mLdapByteAttrs
protected LDAPConfig mLdapConfig
protected java.lang.String[] mLdapStringAttrs
protected java.lang.String mName
protected DNPattern mPattern
protected boolean mSearchGroupUserByUserdn
protected java.lang.String mTag
protected java.lang.String mUserIDName
protected static java.lang.String PROP_DNPATTERN
protected static java.lang.String PROP_GROUP_OBJECT_CLASS
protected static java.lang.String PROP_GROUP_USERID_NAME
protected static java.lang.String PROP_GROUPS
protected static java.lang.String PROP_GROUPS_BASEDN
protected static java.lang.String PROP_GROUPS_ENABLE
protected static java.lang.String PROP_LDAP_BOUND_CONN
protected static java.lang.String PROP_LDAPBYTEATTRS
protected static java.lang.String PROP_LDAPSTRINGATTRS
protected static java.lang.String PROP_SEARCH_GROUP_USER_BY_USERDN
protected static java.lang.String PROP_USERID_NAME
protected static java.lang.String USER_DN
-
Fields inherited from interface org.dogtagpki.server.authentication.AuthManager:
CRED_CERT_SERIAL_TO_REVOKE, CRED_CMC_SELF_SIGNED, CRED_CMC_SIGNING_CERT, CRED_HOST_NAME, CRED_SESSION_ID, CRED_SSL_CLIENT_CERT
Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo:
HELP_TEXT, HELP_TOKEN
Constructor Summary
Constructors:
DirBasedAuthentication()
    Default constructor; initialization via init() must follow.
Method Summary
Methods (modifier and type, method, description):
IAuthToken authenticate(IAuthCredentials authCred)
    Authenticates a user through LDAP by a set of credentials.
protected abstract java.lang.String authenticate(netscape.ldap.LDAPConnection conn, IAuthCredentials authCreds, AuthToken token)
    Authenticates a user against the directory using a set of credentials.
protected void formCertInfo(netscape.ldap.LDAPConnection conn, java.lang.String userdn, org.mozilla.jss.netscape.security.x509.X509CertInfo certinfo, AuthToken token)
    Formulates the cert info.
protected java.lang.String formSubjectName(netscape.ldap.LDAPEntry entry)
    Formulates the subject name.
abstract java.lang.String[] getConfigParams()
    Returns a list of configuration parameter names.
AuthManagerConfig getConfigStore()
    Gets the configuration substore used by this authentication manager.
java.lang.String[] getExtendedPluginInfo(java.util.Locale locale)
    Returns an array of strings describing the configurable parameters.
java.lang.String getImplName()
    Gets the plugin name of this authentication manager.
protected java.lang.String[] getLdapAttrs()
    Returns the list of LDAP attributes with String values to retrieve.
protected java.lang.String[] getLdapByteAttrs()
    Returns the list of LDAP attributes with byte[] values to retrieve.
java.lang.String getName()
    Gets the name of this authentication manager instance.
abstract java.lang.String[] getRequiredCreds()
    Gets the list of required credentials.
void init(java.lang.String name, java.lang.String implName, AuthManagerConfig config)
    Initializes the directory-based auth manager.
void init(java.lang.String name, java.lang.String implName, AuthManagerConfig config, boolean needBaseDN)
protected void setAuthTokenByteValue(java.lang.String name, netscape.ldap.LDAPEntry entry, AuthToken tok)
protected void setAuthTokenStringValue(java.lang.String name, netscape.ldap.LDAPEntry entry, AuthToken tok)
protected void setAuthTokenValues(netscape.ldap.LDAPEntry e, AuthToken tok)
    Copies values from the LDAPEntry into the AuthToken.
void shutdown()
    Disconnects the LDAP connections.
Field Detail
public static org.slf4j.Logger logger
protected static final java.lang.String USER_DN
protected static final java.lang.String PROP_GROUPS_ENABLE
protected static final java.lang.String PROP_GROUPS_BASEDN
protected static final java.lang.String PROP_GROUPS
protected static final java.lang.String PROP_GROUP_OBJECT_CLASS
protected static final java.lang.String PROP_GROUP_USERID_NAME
protected static final java.lang.String PROP_USERID_NAME
protected static final java.lang.String PROP_SEARCH_GROUP_USER_BY_USERDN
protected static final java.lang.String PROP_DNPATTERN
protected static final java.lang.String PROP_LDAPSTRINGATTRS
protected static final java.lang.String PROP_LDAPBYTEATTRS
protected static final java.lang.String PROP_LDAP_BOUND_CONN
protected java.lang.String mName
protected java.lang.String mImplName
protected AuthManagerConfig mConfig
protected LDAPConfig mLdapConfig
protected java.lang.String mBaseDN
protected boolean mGroupsEnable
protected java.lang.String mGroups
protected java.lang.String mGroupsBaseDN
protected java.lang.String mGroupObjectClass
protected java.lang.String mUserIDName
protected java.lang.String mGroupUserIDName
protected boolean mSearchGroupUserByUserdn
protected boolean mBoundConnEnable
protected ILdapConnFactory mConnFactory
protected DNPattern mPattern
protected java.lang.String[] mLdapStringAttrs
protected java.lang.String[] mLdapByteAttrs
protected java.lang.String[] mLdapAttrs
protected java.lang.String mTag
protected static java.lang.String DEFAULT_DNPATTERN
protected static java.util.Vector<java.lang.String> mExtendedPluginInfo

The static final String fields (USER_DN and the PROP_* names) are compile-time constants; their values are listed on the javadoc Constant Field Values page.
Method Detail
-
init
public void init(java.lang.String name, java.lang.String implName, AuthManagerConfig config) throws EBaseException
Initializes the directory-based auth manager. Takes the following configuration parameters:
- ldap.basedn - the LDAP base DN
- ldap.ldapconn.host - the LDAP host
- ldap.ldapconn.port - the LDAP port
- ldap.ldapconn.secureConn - whether the connection should be secure
- ldap.minConns - minimum connections
- ldap.maxConns - maximum connections
- dnpattern - DN pattern

dnpattern is a string representing a subject name pattern to formulate from the directory attributes and the entry DN. If empty or not set, the LDAP entry DN is used as the certificate subject name.

The syntax is:

    dnpattern       = SubjectNameComp *[ "," SubjectNameComp ]
    SubjectNameComp = DnComp | EntryComp | ConstantComp
    DnComp          = CertAttr "=" "$dn" "." DnAttr "." Num
    EntryComp       = CertAttr "=" "$attr" "." EntryAttr "." Num
    ConstantComp    = CertAttr "=" Constant
    DnAttr          = an attribute in the LDAP entry DN
    EntryAttr       = an attribute in the LDAP entry
    CertAttr        = a component in the certificate subject name (multiple AVAs in one RDN are not supported)
    Num             = the nth value of the attribute in the DN or entry (optional; when omitted, as in CN=$attr.cn below, the first value is used)
    Constant        = a constant string, with any accepted LDAP string value

Example:

    dnpattern: E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
    LDAP entry DN: UID=joesmith, OU=people, O=Acme.com
    LDAP attributes:
        cn: Joe Smith
        sn: Smith
        mail: joesmith@acme.com
        mail: joesmith@redhat.com
        ou: people
        ou: IS
        etc.

The subject name formulated in the cert will be:

    E=joesmith@acme.com, CN=Joe Smith, OU=IS, O=Acme.com, C=US

where
- E = the first 'mail' LDAP attribute value in the user's entry - joesmith@acme.com
- CN = the (first) 'cn' LDAP attribute value in the user's entry - Joe Smith
- OU = the second 'ou' value in the LDAP entry - IS
- O = the (first) 'o' value in the user's entry DN - Acme.com
- C = the constant string "US"

Every $attr and $dn component is copied into the certificate subject straight from the directory, so the pattern should reference only attributes that the enrolling user cannot modify in their own entry.

Specified by: init in interface AuthManager
Parameters:
- name - The name for this authentication manager instance.
- implName - The name of the authentication manager plugin.
- config - The configuration store for this instance.
Throws:
- EBaseException - If an error occurs during initialization.
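As an added worked example (not part of the Dogtag javadoc and not the project's DNPattern class), the following Python resolves a dnpattern against an entry the way the grammar above describes: $dn components come from the entry DN, $attr components from the entry's attributes, anything else is a constant, and a missing Num means the first value. The sample entry is the one from the example above, constructed inline. One safeguard is this example's own assumption rather than something the page says Dogtag does: attribute values are RFC 4514-escaped before being placed in an RDN, so a directory value containing a comma cannot add RDNs to the subject name.

```python
"""Resolve a Dogtag-style dnpattern against an LDAP entry (added example).

Implements the grammar from the init() documentation:
    dnpattern    = SubjectNameComp *[ "," SubjectNameComp ]
    DnComp       = CertAttr "=" "$dn" "." DnAttr "." Num
    EntryComp    = CertAttr "=" "$attr" "." EntryAttr "." Num
    ConstantComp = CertAttr "=" Constant
Num is optional here and defaults to 1 (the page's example uses CN=$attr.cn).
"""
import re
from typing import Dict, List

# RFC 4514 characters that must be escaped inside an RDN value. Escaping is this
# example's own safeguard (assumption): without it a directory value such as
# "Smith, CN=admin" would become two RDNs of the certificate subject.
_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def split_dn(dn: str) -> List[str]:
    """Split a DN (or a pattern) into components, honouring backslash escapes."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == ',':
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts


def dn_attr_values(dn: str, attr: str) -> List[str]:
    """All values of attribute type `attr` in the DN, leftmost first."""
    values = []
    for rdn in split_dn(dn):
        typ, _, val = rdn.partition('=')
        if typ.strip().lower() == attr.lower():   # attribute types are case-insensitive
            values.append(val.strip())
    return values


_COMP = re.compile(r'^([A-Za-z][A-Za-z0-9.-]*)\s*=\s*(.*)$')
_VAR = re.compile(r'^\$(dn|attr)\.([A-Za-z][A-Za-z0-9-]*)(?:\.(\d+))?$')


def form_subject_name(pattern: str, entry_dn: str, attrs: Dict[str, List[str]]) -> str:
    """Return the certificate subject name for `entry_dn`/`attrs` under `pattern`."""
    if not pattern.strip():
        return entry_dn                      # page: empty pattern -> entry DN is the subject
    attrs_ci = {k.lower(): v for k, v in attrs.items()}
    out = []
    for comp in split_dn(pattern):
        m = _COMP.match(comp)
        if not m:
            raise ValueError(f'bad pattern component: {comp!r}')
        cert_attr, rhs = m.group(1), m.group(2)
        var = _VAR.match(rhs)
        if var is None:                       # ConstantComp: emitted as written
            out.append(f'{cert_attr}={rhs}')
            continue
        source, name, num = var.group(1), var.group(2), int(var.group(3) or 1)
        values = dn_attr_values(entry_dn, name) if source == 'dn' else attrs_ci.get(name.lower(), [])
        if not 1 <= num <= len(values):
            raise ValueError(f'{comp!r}: value #{num} of {name!r} is not present in the entry')
        out.append(f'{cert_attr}={escape_rdn_value(values[num - 1])}')
    return ', '.join(out)


# Constructed sample: the entry from the init() example above.
PAGE_PATTERN = 'E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US'
PAGE_ENTRY_DN = 'UID=joesmith, OU=people, O=Acme.com'
PAGE_ATTRS = {
    'cn': ['Joe Smith'],
    'sn': ['Smith'],
    'mail': ['joesmith@acme.com', 'joesmith@redhat.com'],
    'ou': ['people', 'IS'],
}

if __name__ == '__main__':
    print(form_subject_name(PAGE_PATTERN, PAGE_ENTRY_DN, PAGE_ATTRS))
    # E=joesmith@acme.com, CN=Joe Smith, OU=IS, O=Acme.com, C=US
```

A pattern that asks for a value the entry does not have (for instance OU=$attr.ou.3 against the sample entry) raises rather than silently emitting an empty RDN, which is the behaviour an operator wants from an enrollment profile: a misconfigured pattern should fail the request, not issue a certificate with a malformed subject.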
-
init
public void init(java.lang.String name, java.lang.String implName, AuthManagerConfig config, boolean needBaseDN) throws EBaseException
Throws:
- EBaseException
-
getName
public java.lang.String getName()
Gets the name of this authentication manager instance.
Specified by: getName in interface AuthManager
Returns: the name of this authentication manager.
-
getImplName
public java.lang.String getImplName()
Gets the plugin name of this authentication manager.
Specified by: getImplName in interface AuthManager
Returns: the name of the authentication manager plugin.
-
authenticate
public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, EBaseException
Authenticates a user through LDAP by a set of credentials. The resulting AuthToken carries a TOKEN_CERTINFO field holding an X509CertInfo whose subject name was formed from the user's directory entry.
Specified by: authenticate in interface AuthManager
Parameters:
- authCred - Authentication credentials, CRED_UID and CRED_PWD.
Returns: an AuthToken with a TOKEN_SUBJECT of X500Name type.
Throws:
- EMissingCredential - If a required authentication credential is missing.
- EInvalidCredentials - If the credentials failed authentication.
- EBaseException - If an internal error occurred.
See Also: AuthToken
-
getRequiredCreds
public abstract java.lang.String[] getRequiredCreds()
Gets the list of required credentials.
Specified by: getRequiredCreds in interface AuthManager
Returns: list of required credentials as strings.
-
getConfigParams
public abstract java.lang.String[] getConfigParams()
Returns a list of configuration parameter names. The list is passed to the configuration console so that instances of this implementation can be configured through the console.
Specified by: getConfigParams in interface AuthManager
Returns: String array of configuration parameter names.
-
shutdown
public void shutdown()
Disconnects the LDAP connections.
Specified by: shutdown in interface AuthManager
-
getConfigStore
public AuthManagerConfig getConfigStore()
Gets the configuration substore used by this authentication manager.
Specified by: getConfigStore in interface AuthManager
Returns: configuration store
-
authenticate
protected abstract java.lang.String authenticate(netscape.ldap.LDAPConnection conn, IAuthCredentials authCreds, AuthToken token) throws EBaseException
Authenticates a user against the directory using a set of credentials.
Parameters:
- conn - The LDAP connection to use.
- authCreds - The authentication credentials.
- token - The authentication token to fill.
Returns: the user's LDAP entry DN.
Throws:
- EInvalidCredentials - If the uid and password are not valid.
- EBaseException - If an internal error occurs.
-
formCertInfo
protected void formCertInfo(netscape.ldap.LDAPConnection conn, java.lang.String userdn, org.mozilla.jss.netscape.security.x509.X509CertInfo certinfo, AuthToken token) throws EBaseException
Formulates the cert info from the user's directory entry.
Parameters:
- conn - An LDAP connection to use for the lookup.
- userdn - The user's DN.
- certinfo - A certinfo object to fill.
- token - An authentication token to fill.
Throws:
- EBaseException - If an internal error occurs.
-
setAuthTokenValues
protected void setAuthTokenValues(netscape.ldap.LDAPEntry e, AuthToken tok)
Copies values from the LDAPEntry into the AuthToken. The attributes copied this way are those named by the LDAP string-attribute and byte-attribute configuration parameters (PROP_LDAPSTRINGATTRS and PROP_LDAPBYTEATTRS; see getLdapAttrs() and getLdapByteAttrs()).
-
setAuthTokenStringValue
protected void setAuthTokenStringValue(java.lang.String name, netscape.ldap.LDAPEntry entry, AuthToken tok)
-
setAuthTokenByteValue
protected void setAuthTokenByteValue(java.lang.String name, netscape.ldap.LDAPEntry entry, AuthToken tok)
-
getLdapAttrs
protected java.lang.String[] getLdapAttrs()
Returns the list of LDAP attributes with String values to retrieve. Subclasses can override this to return any set of attributes.
Returns: array of LDAP attributes to retrieve from the directory.
-
getLdapByteAttrs
protected java.lang.String[] getLdapByteAttrs()
Returns the list of LDAP attributes with byte[] values to retrieve. Subclasses can override this to return any set of attributes.
Returns: array of LDAP attributes to retrieve from the directory.
-
formSubjectName
protected java.lang.String formSubjectName(netscape.ldap.LDAPEntry entry) throws EAuthException
Formulates the subject name from the LDAP entry using the configured dnpattern (see init()).
Parameters:
- entry - The LDAP entry.
Returns: the subject name string.
Throws:
- EAuthException - If an error occurs while forming the subject name.
-
getExtendedPluginInfo
public java.lang.String[] getExtendedPluginInfo(java.util.Locale locale)
Description copied from interface: IExtendedPluginInfo
Returns an array of strings. Each element of the array represents a configurable parameter, or some other meta-info (such as a help token), as a semicolon-separated entry indexed on the parameter name: the name, then type_info, then a description (see the examples below). Where:
- type_info is either 'string', 'number', 'boolean', 'password' or 'choice(ch1,ch2,ch3,...)'. If the marker 'required' is included after the type_info, the parameter gets a visually distinctive marking in the UI.
- 'description' is a short sentence describing the parameter.
- 'choice' is rendered as a drop-down list; the first choice in the list is activated by default.
- 'boolean' is rendered as a checkbox; the resulting parameter is either 'true' or 'false'.
- 'string' allows any characters.
- 'number' allows only numbers.
- 'password' is rendered as a password field (the characters are replaced with *'s as they are typed). This parameter is not passed through to the plugin; it is instead inserted directly into the password cache keyed on the instance name, and the value of the parameter ('bindPWPrompt' in the example below) is set to the key.

In addition to the configurable parameters, the following magic parameters may be defined:
- HELP_TOKEN;helptoken - a pointer to the online manual section for this plugin
- HELP_TEXT;helptext - a general help string describing the plugin

For example:

    "username;string;The username you wish to login as"
    "bindPWPrompt;password;Enter password to bind as above user with"
    "algorithm;choice(RSA,DSA);Which algorithm do you want to use"
    "enable;boolean;Do you want to run this plugin"
    "port;number;Which port number do you want to use"

Specified by: getExtendedPluginInfo in interface IExtendedPluginInfo