com.netscape.cms.authentication

Class DirBasedAuthentication

java.lang.Object

com.netscape.cms.authentication.DirBasedAuthentication

All Implemented Interfaces:

IAuthManager, IExtendedPluginInfo

Direct Known Subclasses:

PortalEnroll, UidPwdDirAuthentication, UidPwdPinDirAuthentication, UserPwdDirAuthentication

public abstract class DirBasedAuthentication
extends java.lang.Object
implements IAuthManager, IExtendedPluginInfo

Abstract class for directory based authentication managers Uses a pattern for formulating subject names. The pattern is read from configuration file. Syntax of the pattern is described in the init() method.

Version:

$Revision$, $Date$

Field Summary

Fields

Modifier and Type	Field and Description
protected static java.lang.String	DEFAULT_DNPATTERN
protected java.lang.String	mBaseDN
protected boolean	mBoundConnEnable
protected IConfigStore	mConfig
protected ILdapConnFactory	mConnFactory
protected static java.util.Vector<java.lang.String>	mExtendedPluginInfo
protected java.lang.String	mGroupObjectClass
protected java.lang.String	mGroups
protected java.lang.String	mGroupsBaseDN
protected boolean	mGroupsEnable
protected java.lang.String	mGroupUserIDName
protected java.lang.String	mImplName
protected java.lang.String[]	mLdapAttrs
protected java.lang.String[]	mLdapByteAttrs
protected IConfigStore	mLdapConfig
protected java.lang.String[]	mLdapStringAttrs
protected ILogger	mLogger
protected java.lang.String	mName
protected DNPattern	mPattern
protected boolean	mSearchGroupUserByUserdn
protected java.lang.String	mTag
protected java.lang.String	mUserIDName
protected static java.lang.String	PROP_BASEDN
protected static java.lang.String	PROP_DNPATTERN
protected static java.lang.String	PROP_GROUP_OBJECT_CLASS
protected static java.lang.String	PROP_GROUP_USERID_NAME
protected static java.lang.String	PROP_GROUPS
protected static java.lang.String	PROP_GROUPS_BASEDN
protected static java.lang.String	PROP_GROUPS_ENABLE
protected static java.lang.String	PROP_LDAP
protected static java.lang.String	PROP_LDAP_BOUND_CONN
protected static java.lang.String	PROP_LDAP_BOUND_TAG
protected static java.lang.String	PROP_LDAPBYTEATTRS
protected static java.lang.String	PROP_LDAPSTRINGATTRS
protected static java.lang.String	PROP_SEARCH_GROUP_USER_BY_USERDN
protected static java.lang.String	PROP_USERID_NAME
protected static java.lang.String	USER_DN

Fields inherited from interface com.netscape.certsrv.authentication.IAuthManager

CRED_CERT_SERIAL_TO_REVOKE, CRED_HOST_NAME, CRED_SESSION_ID, CRED_SSL_CLIENT_CERT

Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo

HELP_TEXT, HELP_TOKEN

Constructor Summary

Constructors

Constructor and Description
DirBasedAuthentication() Default constructor, initialization must follow.

Method Summary

Modifier and Type	Method and Description
IAuthToken	authenticate(IAuthCredentials authCred) Authenticates user through LDAP by a set of credentials.
protected abstract java.lang.String	authenticate(netscape.ldap.LDAPConnection conn, IAuthCredentials authCreds, AuthToken token) Authenticates a user through directory based a set of credentials.
protected void	formCertInfo(netscape.ldap.LDAPConnection conn, java.lang.String userdn, netscape.security.x509.X509CertInfo certinfo, AuthToken token) Formulate the cert info.
protected java.lang.String	formSubjectName(netscape.ldap.LDAPEntry entry) Formulate the subject name
abstract java.lang.String[]	getConfigParams() Returns a list of configuration parameter names.
IConfigStore	getConfigStore() Gets the configuration substore used by this authentication manager
java.lang.String[]	getExtendedPluginInfo(java.util.Locale locale) This method returns an array of strings.
java.lang.String	getImplName() gets the plugin name of this authentication manager.
protected java.lang.String[]	getLdapAttrs() Return a list of LDAP attributes with String values to retrieve.
protected java.lang.String[]	getLdapByteAttrs() Return a list of LDAP attributes with byte[] values to retrieve.
java.lang.String	getName() gets the name of this authentication manager instance
abstract java.lang.String[]	getRequiredCreds() get the list of required credentials.
void	init(java.lang.String name, java.lang.String implName, IConfigStore config) Initializes the UidPwdDirBasedAuthentication auth manager.
void	init(java.lang.String name, java.lang.String implName, IConfigStore config, boolean needBaseDN)
protected void	log(int level, java.lang.String msg) Logs a message for this class in the system log file.
protected void	setAuthTokenByteValue(java.lang.String name, netscape.ldap.LDAPEntry entry, AuthToken tok)
protected void	setAuthTokenStringValue(java.lang.String name, netscape.ldap.LDAPEntry entry, AuthToken tok)
protected void	setAuthTokenValues(netscape.ldap.LDAPEntry e, AuthToken tok) Copy values from the LDAPEntry into the AuthToken.
void	shutdown() disconnects the ldap connections

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

USER_DN

protected static final java.lang.String USER_DN

See Also:

Constant Field Values

PROP_LDAP

protected static final java.lang.String PROP_LDAP

See Also:

Constant Field Values

PROP_BASEDN

protected static final java.lang.String PROP_BASEDN

See Also:

Constant Field Values

PROP_GROUPS_ENABLE

protected static final java.lang.String PROP_GROUPS_ENABLE

See Also:

Constant Field Values

PROP_GROUPS_BASEDN

protected static final java.lang.String PROP_GROUPS_BASEDN

See Also:

Constant Field Values

PROP_GROUPS

protected static final java.lang.String PROP_GROUPS

See Also:

Constant Field Values

PROP_GROUP_OBJECT_CLASS

protected static final java.lang.String PROP_GROUP_OBJECT_CLASS

See Also:

Constant Field Values

PROP_GROUP_USERID_NAME

protected static final java.lang.String PROP_GROUP_USERID_NAME

See Also:

Constant Field Values

PROP_USERID_NAME

protected static final java.lang.String PROP_USERID_NAME

See Also:

Constant Field Values

PROP_SEARCH_GROUP_USER_BY_USERDN

protected static final java.lang.String PROP_SEARCH_GROUP_USER_BY_USERDN

See Also:

Constant Field Values

PROP_DNPATTERN

protected static final java.lang.String PROP_DNPATTERN

See Also:

Constant Field Values

PROP_LDAPSTRINGATTRS

protected static final java.lang.String PROP_LDAPSTRINGATTRS

See Also:

Constant Field Values

PROP_LDAPBYTEATTRS

protected static final java.lang.String PROP_LDAPBYTEATTRS

See Also:

Constant Field Values

PROP_LDAP_BOUND_CONN

protected static final java.lang.String PROP_LDAP_BOUND_CONN

See Also:

Constant Field Values

PROP_LDAP_BOUND_TAG

protected static final java.lang.String PROP_LDAP_BOUND_TAG

See Also:

Constant Field Values

mName

protected java.lang.String mName

mImplName

protected java.lang.String mImplName

mConfig

protected IConfigStore mConfig

mLdapConfig

protected IConfigStore mLdapConfig

mBaseDN

protected java.lang.String mBaseDN

mGroupsEnable

protected boolean mGroupsEnable

mGroups

protected java.lang.String mGroups

mGroupsBaseDN

protected java.lang.String mGroupsBaseDN

mGroupObjectClass

protected java.lang.String mGroupObjectClass

mUserIDName

protected java.lang.String mUserIDName

mGroupUserIDName

protected java.lang.String mGroupUserIDName

mSearchGroupUserByUserdn

protected boolean mSearchGroupUserByUserdn

mBoundConnEnable

protected boolean mBoundConnEnable

mConnFactory

protected ILdapConnFactory mConnFactory

mLogger

protected ILogger mLogger

mPattern

protected DNPattern mPattern

mLdapStringAttrs

protected java.lang.String[] mLdapStringAttrs

mLdapByteAttrs

protected java.lang.String[] mLdapByteAttrs

mLdapAttrs

protected java.lang.String[] mLdapAttrs

mTag

protected java.lang.String mTag

DEFAULT_DNPATTERN

protected static java.lang.String DEFAULT_DNPATTERN

mExtendedPluginInfo

protected static java.util.Vector<java.lang.String> mExtendedPluginInfo

Constructor Detail

DirBasedAuthentication

public DirBasedAuthentication()

Default constructor, initialization must follow.

Method Detail

init

public void init(java.lang.String name,
                 java.lang.String implName,
                 IConfigStore config)
          throws EBaseException

Initializes the UidPwdDirBasedAuthentication auth manager. Takes the following configuration parameters:

        ldap.basedn             - the ldap base dn.
        ldap.ldapconn.host      - the ldap host.
        ldap.ldapconn.port      - the ldap port
        ldap.ldapconn.secureConn - whether port should be secure
        ldap.minConns           - minimum connections
        ldap.maxConns           - max connections
        dnpattern               - dn pattern.
 

dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.

The syntax is

     dnpattern = SubjectNameComp *[ "," SubjectNameComp ]

     SubjectNameComponent = DnComp | EntryComp | ConstantComp
     DnComp = CertAttr "=" "$dn" "." DnAttr "." Num
     EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num
     ConstantComp = CertAttr "=" Constant
     DnAttr    =  an attribute in the Ldap entry dn
     EntryAttr =  an attribute in the Ldap entry
     CertAttr  =  a Component in the Certificate Subject Name
                  (multiple AVA in one RDN not supported)
     Num       =  the nth value of tha attribute  in the dn or entry.
     Constant  =  Constant String, with any accepted ldap string value.

 

Example:

 dnpattern:
     E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
 

 Ldap entry dn:
     UID=joesmith, OU=people, O=Acme.com
 

 Ldap attributes:
     cn: Joe Smith
     sn: Smith
     mail: joesmith@acme.com
     mail: joesmith@redhat.com
     ou: people
     ou: IS
     etc.
 

The subject name formulated in the cert will be :

   E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US

      E = the first 'mail' ldap attribute value in user's entry - joesmithe@acme.com
      CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith
      OU = the second 'ou' value in the ldap entry - IS
      O = the (first) 'o' value in the user's entry DN - "Acme.com"
      C = the constant string "US"
 

Specified by:

init in interface IAuthManager

Parameters:

name - The name for this authentication manager instance.

implName - The name of the authentication manager plugin.

config - - The configuration store for this instance.

Throws:

EBaseException - If an error occurs during initialization.

init

public void init(java.lang.String name,
                 java.lang.String implName,
                 IConfigStore config,
                 boolean needBaseDN)
          throws EBaseException

Throws:

EBaseException

getName

public java.lang.String getName()

gets the name of this authentication manager instance

Specified by:

getName in interface IAuthManager

Returns:

the name of this authentication manager.

getImplName

public java.lang.String getImplName()

gets the plugin name of this authentication manager.

Specified by:

getImplName in interface IAuthManager

Returns:

the name of the authentication manager plugin.

authenticate

public IAuthToken authenticate(IAuthCredentials authCred)
                        throws EMissingCredential,
                               EInvalidCredentials,
                               EBaseException

Authenticates user through LDAP by a set of credentials. Resulting AuthToken a TOKEN_CERTINFO field of a X509CertInfo

Specified by:

authenticate in interface IAuthManager

Parameters:

authCred - Authentication credentials, CRED_UID and CRED_PWD.

Returns:

A AuthToken with a TOKEN_SUBJECT of X500name type.

Throws:

EMissingCredential - If a required authentication credential is missing.

EInvalidCredentials - If credentials failed authentication.

EBaseException - If an internal error occurred.

See Also:

AuthToken

getRequiredCreds

public abstract java.lang.String[] getRequiredCreds()

get the list of required credentials.

Specified by:

getRequiredCreds in interface IAuthManager

Returns:

list of required credentials as strings.

getConfigParams

public abstract java.lang.String[] getConfigParams()

Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.

Specified by:

getConfigParams in interface IAuthManager

Returns:

String array of configuration parameter names.

shutdown

public void shutdown()

disconnects the ldap connections

Specified by:

shutdown in interface IAuthManager

getConfigStore

public IConfigStore getConfigStore()

Gets the configuration substore used by this authentication manager

Specified by:

getConfigStore in interface IAuthManager

Returns:

configuration store

authenticate

protected abstract java.lang.String authenticate(netscape.ldap.LDAPConnection conn,
                                                 IAuthCredentials authCreds,
                                                 AuthToken token)
                                          throws EBaseException

Authenticates a user through directory based a set of credentials.

Parameters:

authCreds - The authentication credentials.

Returns:

The user's ldap entry dn.

Throws:

EInvalidCredentials - If the uid and password are not valid

EBaseException - If an internal error occurs.

formCertInfo

protected void formCertInfo(netscape.ldap.LDAPConnection conn,
                            java.lang.String userdn,
                            netscape.security.x509.X509CertInfo certinfo,
                            AuthToken token)
                     throws EBaseException

Formulate the cert info.

Parameters:

conn - A LDAP Connection authenticated to user to use.

userdn - The user's dn.

certinfo - A certinfo object to fill.

token - A authentication token to fill.

Throws:

EBaseException - If an internal error occurs.

setAuthTokenValues

protected void setAuthTokenValues(netscape.ldap.LDAPEntry e,
                                  AuthToken tok)

Copy values from the LDAPEntry into the AuthToken. The list of values that should be store this way is given in a the ldapAttributes configuration parameter.

setAuthTokenStringValue

protected void setAuthTokenStringValue(java.lang.String name,
                                       netscape.ldap.LDAPEntry entry,
                                       AuthToken tok)

setAuthTokenByteValue

protected void setAuthTokenByteValue(java.lang.String name,
                                     netscape.ldap.LDAPEntry entry,
                                     AuthToken tok)

getLdapAttrs

protected java.lang.String[] getLdapAttrs()

Return a list of LDAP attributes with String values to retrieve. Subclasses can override to return any set of attributes.

Returns:

Array of LDAP attributes to retrieve from the directory.

getLdapByteAttrs

protected java.lang.String[] getLdapByteAttrs()

Return a list of LDAP attributes with byte[] values to retrieve. Subclasses can override to return any set of attributes.

Returns:

Array of LDAP attributes to retrieve from the directory.

formSubjectName

protected java.lang.String formSubjectName(netscape.ldap.LDAPEntry entry)
                                    throws EAuthException

Formulate the subject name

Parameters:

entry - The LDAP entry

Returns:

The subject name string.

Throws:

EBaseException - If an internal error occurs.

EAuthException

log

protected void log(int level,
                   java.lang.String msg)

Logs a message for this class in the system log file.

Parameters:

level - The log level.

msg - The message to log.

See Also:

ILogger

getExtendedPluginInfo

public java.lang.String[] getExtendedPluginInfo(java.util.Locale locale)

Description copied from interface: IExtendedPluginInfo

This method returns an array of strings. Each element of the array represents a configurable parameter, or some other meta-info (such as help-token) there is an entry indexed on that parameter name ;[,required];;... Where: type_info is either 'string', 'number', 'boolean', 'password' or 'choice(ch1,ch2,ch3,...)' If the marker 'required' is included after the type_info, the parameter will has some visually distinctive marking in the UI. 'description' is a short sentence describing the parameter 'choice' is rendered as a drop-down list. The first parameter in the list will be activated by default 'boolean' is rendered as a checkbox. The resulting parameter will be either 'true' or 'false' 'string' allows any characters 'number' allows only numbers 'password' is rendered as a password field (the characters are replaced with *'s when being types. This parameter is not passed through to the plugin. It is instead inserted directly into the password cache keyed on the instance name. The value of the parameter 'bindPWPrompt' (see example below) is set to the key. In addition to the configurable parameters, the following magic parameters may be defined: HELP_TOKEN;helptoken - a pointer to the online manual section for this plugin HELP_TEXT;helptext - a general help string describing the plugin For example: "username;string;The username you wish to login as" "bindPWPrompt;password;Enter password to bind as above user with" "algorithm;choice(RSA,DSA);Which algorithm do you want to use" "enable;boolean;Do you want to run this plugin" "port;number;Which port number do you want to use"

Specified by:

getExtendedPluginInfo in interface IExtendedPluginInfo