Class DirBasedAuthentication

java.lang.Object
org.dogtagpki.server.authentication.AuthManager
com.netscape.cms.authentication.DirBasedAuthentication
All Implemented Interfaces:
IExtendedPluginInfo
Direct Known Subclasses:
PortalEnroll, UidPwdDirAuthentication, UidPwdPinDirAuthentication, UserPwdDirAuthentication

public abstract class DirBasedAuthentication extends AuthManager implements IExtendedPluginInfo
Abstract class for directory based authentication managers Uses a pattern for formulating subject names. The pattern is read from configuration file. Syntax of the pattern is described in the init() method.

Version:
$Revision$, $Date$
  • Field Details

  • Constructor Details

    • DirBasedAuthentication

      public DirBasedAuthentication()
      Default constructor, initialization must follow.
  • Method Details

    • init

      public void init(AuthenticationConfig authenticationConfig, String name, String implName, AuthManagerConfig config) throws EBaseException
      Initializes the UidPwdDirBasedAuthentication auth manager. Takes the following configuration parameters:
              ldap.basedn             - the ldap base dn.
              ldap.ldapconn.host      - the ldap host.
              ldap.ldapconn.port      - the ldap port
              ldap.ldapconn.secureConn - whether port should be secure
              ldap.minConns           - minimum connections
              ldap.maxConns           - max connections
              dnpattern               - dn pattern.
       

      dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.

      The syntax is

           dnpattern = SubjectNameComp *[ "," SubjectNameComp ]
      
           SubjectNameComponent = DnComp | EntryComp | ConstantComp
           DnComp = CertAttr "=" "$dn" "." DnAttr "." Num
           EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num
           ConstantComp = CertAttr "=" Constant
           DnAttr    =  an attribute in the Ldap entry dn
           EntryAttr =  an attribute in the Ldap entry
           CertAttr  =  a Component in the Certificate Subject Name
                        (multiple AVA in one RDN not supported)
           Num       =  the nth value of tha attribute  in the dn or entry.
           Constant  =  Constant String, with any accepted ldap string value.
      
       

      Example:

       dnpattern:
           E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
       
      Ldap entry dn: UID=joesmith, OU=people, O=Acme.com
      Ldap attributes: cn: Joe Smith sn: Smith mail: joesmith@acme.com mail: joesmith@redhat.com ou: people ou: IS etc.

      The subject name formulated in the cert will be :

         E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US
      
            E = the first 'mail' ldap attribute value in user's entry - joesmithe@acme.com
            CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith
            OU = the second 'ou' value in the ldap entry - IS
            O = the (first) 'o' value in the user's entry DN - "Acme.com"
            C = the constant string "US"
       
      Specified by:
      init in class AuthManager
      Parameters:
      name - The name for this authentication manager instance.
      implName - The name of the authentication manager plugin.
      config - - The configuration store for this instance.
      Throws:
      EBaseException - If an error occurs during initialization.
    • init

      public void init(AuthenticationConfig authenticationConfig, String name, String implName, AuthManagerConfig config, boolean needBaseDN) throws EBaseException
      Throws:
      EBaseException
    • getText

      public String getText(Locale locale)
      Description copied from class: AuthManager
      Retrieves the localizable description of this policy.
      Specified by:
      getText in class AuthManager
      Parameters:
      locale - end user locale
      Returns:
      localized authenticator description
    • getValueNames

      public Enumeration<String> getValueNames()
      Description copied from class: AuthManager
      Retrieves a list of names of the property.
      Specified by:
      getValueNames in class AuthManager
      Returns:
      a list of property names
    • getValueDescriptor

      public IDescriptor getValueDescriptor(Locale locale, String name)
      Description copied from class: AuthManager
      Retrieves the descriptor of the given value property by name.
      Specified by:
      getValueDescriptor in class AuthManager
      Parameters:
      locale - user locale
      name - property name
      Returns:
      descriptor of the requested property
    • isValueWriteable

      public boolean isValueWriteable(String name)
      Description copied from class: AuthManager
      Checks if the value of the given property should be serializable into the request. Passsword or other security-related value may not be desirable for storage.
      Specified by:
      isValueWriteable in class AuthManager
      Parameters:
      name - property name
      Returns:
      true if the property is not security related
    • isSSLClientRequired

      public boolean isSSLClientRequired()
      Description copied from class: AuthManager
      Checks if this authenticator requires SSL client authentication.
      Specified by:
      isSSLClientRequired in class AuthManager
      Returns:
      client authentication required or not
    • authenticate

      Authenticates user through LDAP by a set of credentials. Resulting AuthToken a TOKEN_CERTINFO field of a X509CertInfo

      Specified by:
      authenticate in class AuthManager
      Parameters:
      authCred - Authentication credentials, CRED_UID and CRED_PWD.
      Returns:
      A AuthToken with a TOKEN_SUBJECT of X500name type.
      Throws:
      EMissingCredential - If a required authentication credential is missing.
      EInvalidCredentials - If credentials failed authentication.
      EBaseException - If an internal error occurred.
      See Also:
    • populate

      public void populate(AuthToken token, Request request) throws EProfileException
      Description copied from class: AuthManager
      Populates authentication specific information into the request for auditing purposes.
      Specified by:
      populate in class AuthManager
      Parameters:
      token - authentication token
      request - request
      Throws:
      EProfileException - failed to populate
    • getRequiredCreds

      public abstract String[] getRequiredCreds()
      get the list of required credentials.
      Specified by:
      getRequiredCreds in class AuthManager
      Returns:
      list of required credentials as strings.
    • shutdown

      public void shutdown()
      disconnects the ldap connections
      Specified by:
      shutdown in class AuthManager
    • authenticate

      protected abstract String authenticate(netscape.ldap.LDAPConnection conn, AuthCredentials authCreds, AuthToken token) throws EBaseException
      Authenticates a user through directory based a set of credentials.
      Parameters:
      authCreds - The authentication credentials.
      Returns:
      The user's ldap entry dn.
      Throws:
      EInvalidCredentials - If the uid and password are not valid
      EBaseException - If an internal error occurs.
    • formCertInfo

      protected void formCertInfo(netscape.ldap.LDAPConnection conn, String userdn, org.mozilla.jss.netscape.security.x509.X509CertInfo certinfo, AuthToken token) throws EBaseException
      Formulate the cert info.
      Parameters:
      conn - A LDAP Connection authenticated to user to use.
      userdn - The user's dn.
      certinfo - A certinfo object to fill.
      token - A authentication token to fill.
      Throws:
      EBaseException - If an internal error occurs.
    • setAuthTokenValues

      protected void setAuthTokenValues(netscape.ldap.LDAPEntry e, AuthToken tok)
      Copy values from the LDAPEntry into the AuthToken. The list of values that should be store this way is given in a the ldapAttributes configuration parameter.
    • setAuthTokenStringValue

      protected void setAuthTokenStringValue(String name, netscape.ldap.LDAPEntry entry, AuthToken tok)
    • setAuthTokenByteValue

      protected void setAuthTokenByteValue(String name, netscape.ldap.LDAPEntry entry, AuthToken tok)
    • getLdapAttrs

      protected String[] getLdapAttrs()
      Return a list of LDAP attributes with String values to retrieve. Subclasses can override to return any set of attributes.
      Returns:
      Array of LDAP attributes to retrieve from the directory.
    • getLdapByteAttrs

      protected String[] getLdapByteAttrs()
      Return a list of LDAP attributes with byte[] values to retrieve. Subclasses can override to return any set of attributes.
      Returns:
      Array of LDAP attributes to retrieve from the directory.
    • formSubjectName

      protected String formSubjectName(netscape.ldap.LDAPEntry entry) throws EAuthException
      Formulate the subject name
      Parameters:
      entry - The LDAP entry
      Returns:
      The subject name string.
      Throws:
      EBaseException - If an internal error occurs.
      EAuthException
    • getExtendedPluginInfo

      public String[] getExtendedPluginInfo()
      Description copied from interface: IExtendedPluginInfo
      This method returns an array of strings. Each element of the array represents a configurable parameter, or some other meta-info (such as help-token) there is an entry indexed on that parameter name Where: type_info is either 'string', 'number', 'boolean', 'password' or 'choice(ch1,ch2,ch3,...)' If the marker 'required' is included after the type_info, the parameter will has some visually distinctive marking in the UI. 'description' is a short sentence describing the parameter 'choice' is rendered as a drop-down list. The first parameter in the list will be activated by default 'boolean' is rendered as a checkbox. The resulting parameter will be either 'true' or 'false' 'string' allows any characters 'number' allows only numbers 'password' is rendered as a password field (the characters are replaced with *'s when being types. This parameter is not passed through to the plugin. It is instead inserted directly into the password cache keyed on the instance name. The value of the parameter 'bindPWPrompt' (see example below) is set to the key. In addition to the configurable parameters, the following magic parameters may be defined: HELP_TOKEN;helptoken - a pointer to the online manual section for this plugin HELP_TEXT;helptext - a general help string describing the plugin For example: "username;string;The username you wish to login as" "bindPWPrompt;password;Enter password to bind as above user with" "algorithm;choice(RSA,DSA);Which algorithm do you want to use" "enable;boolean;Do you want to run this plugin" "port;number;Which port number do you want to use"
      Specified by:
      getExtendedPluginInfo in interface IExtendedPluginInfo