com.hazelcast.security.loginimpl

Class BasicLdapLoginModule

java.lang.Object

com.hazelcast.security.ClusterLoginModule

com.hazelcast.security.loginimpl.BasicLdapLoginModule

All Implemented Interfaces:

LoginModule

Direct Known Subclasses:

LdapLoginModule

public class BasicLdapLoginModule
extends ClusterLoginModule

JAAS login module which uses LDAP as a user population store. It binds to the configured server with provided username (DN) and password. Within the established LDAP context it loads the user attributes and makes role search queries if necessary.

Field Summary

Fields

Modifier and Type	Field and Description
protected LdapContext	ctx
static boolean	DEFAULT_PARSE_DN
static int	DEFAULT_ROLE_RECURSION_MAX_DEPTH Role search recursion is disabled by default
static String	DEFAULT_USER_NAME_ATTRIBUTE
protected String	login
protected int	maxRecursionDepth
protected String	name
static String	OPTION_PARSE_DN Login module option name - If the option is set to true, then it treats the value of the roleMappingAttribute as a DN and extracts only roleNameAttribute attribute values as role names.
static String	OPTION_ROLE_CONTEXT Login module option name - LDAP Context in which assigned roles are searched.
static String	OPTION_ROLE_FILTER Login module option name - LDAP search string which usually contains placeholder {memberDN} to be replaced by provided login name.
static String	OPTION_ROLE_MAPPING_ATTRIBUTE Login module option name - Name of the LDAP attribute which contains either role name or role DN.
static String	OPTION_ROLE_MAPPING_MODE Login module option name - Role mapping mode - it can have one of the following values: attribute - user object in the LDAP contains directly role name in the given attribute.
static String	OPTION_ROLE_NAME_ATTRIBUTE This option either refers to a name of LDAP attribute within role object which contains the role name in case of "direct" and "reverse" roleMappingMode values.
static String	OPTION_ROLE_RECURSION_MAX_DEPTH Login module option name - Sets max depth of role search recursion.
static String	OPTION_ROLE_SEARCH_SCOPE LDAP search scope used for roleFilter search.
static String	OPTION_USER_NAME_ATTRIBUTE Login module option name - LDAP Attribute name which value will be used as a name in ClusterIdentityPrincipal added to the JAAS Subject.
protected boolean	parseFromDN
protected String	password
static String	PLACEHOLDER_DN Placeholder string to be replaced by a user or role DN in the "roleFilter" option.
protected String	roleContext
protected String	roleFilter
protected String	roleMappingAttribute
protected com.hazelcast.config.security.LdapRoleMappingMode	roleMappingMode
protected String	roleNameAttribute
protected com.hazelcast.config.security.LdapSearchScope	roleSearchScope
protected Attributes	userAttributes
protected String	userDN
protected String	userNameAttribute
protected Set<String>	visitedRoleDns

Fields inherited from class com.hazelcast.security.ClusterLoginModule

callbackHandler, commitSucceeded, endpoint, logger, loginSucceeded, OPTION_SKIP_ENDPOINT, OPTION_SKIP_IDENTITY, OPTION_SKIP_ROLE, options, SHARED_STATE_IDENTITY, sharedState, subject

Constructor Summary

Constructors

Constructor and Description
BasicLdapLoginModule()

Method Summary

Modifier and Type	Method and Description
protected LdapContext	createLdapContext()
protected String	getName()
protected com.hazelcast.config.security.LdapSearchScope	getSearchScope(String optionName)
protected boolean	hasMoreIgnorePartResEx(NamingEnumeration<SearchResult> namingEnum)
protected void	initAuthentication()
protected void	logLdapContextProperties(Properties env)
protected void	onInitialize()
protected boolean	onLogin()
protected Attributes	setUserDnAndGetAttributes()
protected void	verifyOptions()

Methods inherited from class com.hazelcast.security.ClusterLoginModule

abort, addRole, commit, getBoolOption, getIntOption, getLastIdentity, getStringOption, initialize, isSkipIdentity, isSkipRole, login, logout, onAbort, onCommit, onLogout

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

PLACEHOLDER_DN

public static final String PLACEHOLDER_DN

Placeholder string to be replaced by a user or role DN in the "roleFilter" option.

See Also:

Constant Field Values

OPTION_USER_NAME_ATTRIBUTE

public static final String OPTION_USER_NAME_ATTRIBUTE

Login module option name - LDAP Attribute name which value will be used as a name in ClusterIdentityPrincipal added to the JAAS Subject.

See Also:

Constant Field Values

OPTION_PARSE_DN

public static final String OPTION_PARSE_DN

Login module option name - If the option is set to true, then it treats the value of the roleMappingAttribute as a DN and extracts only roleNameAttribute attribute values as role names. When the option value is false, then the whole value of roleMappingAttribute is used as a role name.

This option is only used when the roleMappingMode option has value "attribute".

See Also:

Constant Field Values

OPTION_ROLE_MAPPING_MODE

public static final String OPTION_ROLE_MAPPING_MODE

Login module option name - Role mapping mode - it can have one of the following values:

• attribute - user object in the LDAP contains directly role name in the given attribute. Role name can be parsed from a DN string when parseDN=true. No additional LDAP query is done to find assigned roles.
• direct - user object contains an attribute with DN(s) of assigned role(s). Role object(s) is/are loaded from the LDAP and the role name is retrieved from its attributes. Role search recursion can be enabled for this mode.
• reverse - role objects are located by executing an LDAP search query with given roleFilter. In this case, the role object usually contains attributes with DNs of assigned users. Role search recursion can be enabled for this mode.

See Also:

Constant Field Values

OPTION_ROLE_MAPPING_ATTRIBUTE

public static final String OPTION_ROLE_MAPPING_ATTRIBUTE

Login module option name - Name of the LDAP attribute which contains either role name or role DN.

This option is only used when the roleMappingMode option has value "attribute" or "direct".

See Also:

Constant Field Values

OPTION_ROLE_CONTEXT

public static final String OPTION_ROLE_CONTEXT

Login module option name - LDAP Context in which assigned roles are searched. (E.g. ou=Roles,dc=hazelcast,dc=com)

This option is only used when the roleMappingMode option has value "reverse".

See Also:

Constant Field Values

OPTION_ROLE_FILTER

public static final String OPTION_ROLE_FILTER

Login module option name - LDAP search string which usually contains placeholder {memberDN} to be replaced by provided login name. (E.g. (member={memberDN}))

If the role search recursion is enabled (see roleRecursionMaxDepth), the {memberDN} is replaced by role DNs in the recurrent searches.

This option is only used when the roleMappingMode option has value "reverse".

See Also:

Constant Field Values

OPTION_ROLE_RECURSION_MAX_DEPTH

public static final String OPTION_ROLE_RECURSION_MAX_DEPTH

Login module option name - Sets max depth of role search recursion. The default value 1 means the role search recursion is disabled.

This option is only used when the roleMappingMode option has value "direct" or "reverse".

See Also:

Constant Field Values

OPTION_ROLE_NAME_ATTRIBUTE

public static final String OPTION_ROLE_NAME_ATTRIBUTE

This option either refers to a name of LDAP attribute within role object which contains the role name in case of "direct" and "reverse" roleMappingMode values. Or it refers to the attribute name within X.500 name stored in roleMappingAttribute when roleMappingMode=attribute and parseDN=true.

See Also:

Constant Field Values

OPTION_ROLE_SEARCH_SCOPE

public static final String OPTION_ROLE_SEARCH_SCOPE

LDAP search scope used for roleFilter search. Allowed values comes from the LdapSearchScope enum:

• subtree - searches for objects in the given context and its subtree
• one-level - searches just one-level under the given context
• object - searches (or tests) just for the context object itself (if it matches the filter criteria)

This option is only used when the roleMappingMode option has value "reverse".

See Also:

Constant Field Values

DEFAULT_USER_NAME_ATTRIBUTE

public static final String DEFAULT_USER_NAME_ATTRIBUTE

See Also:

OPTION_USER_NAME_ATTRIBUTE, Constant Field Values

DEFAULT_PARSE_DN

public static final boolean DEFAULT_PARSE_DN

See Also:

OPTION_PARSE_DN, Constant Field Values

DEFAULT_ROLE_RECURSION_MAX_DEPTH

public static final int DEFAULT_ROLE_RECURSION_MAX_DEPTH

Role search recursion is disabled by default

See Also:

OPTION_ROLE_RECURSION_MAX_DEPTH, Constant Field Values

name

protected String name

login

protected String login

password

protected String password

userDN

protected String userDN

userNameAttribute

protected String userNameAttribute

roleMappingAttribute

protected String roleMappingAttribute

roleMappingMode

protected com.hazelcast.config.security.LdapRoleMappingMode roleMappingMode

roleNameAttribute

protected String roleNameAttribute

roleFilter

protected String roleFilter

roleContext

protected String roleContext

roleSearchScope

protected com.hazelcast.config.security.LdapSearchScope roleSearchScope

parseFromDN

protected boolean parseFromDN

maxRecursionDepth

protected int maxRecursionDepth

userAttributes

protected Attributes userAttributes

ctx

protected LdapContext ctx

visitedRoleDns

protected Set<String> visitedRoleDns

Constructor Detail

BasicLdapLoginModule

public BasicLdapLoginModule()

Method Detail

onInitialize

protected void onInitialize()

Overrides:

onInitialize in class ClusterLoginModule

onLogin

protected boolean onLogin()
                   throws LoginException

Specified by:

onLogin in class ClusterLoginModule

Throws:

LoginException

initAuthentication

protected void initAuthentication()
                           throws FailedLoginException

Throws:

FailedLoginException

verifyOptions

protected void verifyOptions()

setUserDnAndGetAttributes

protected Attributes setUserDnAndGetAttributes()
                                        throws NamingException,
                                               FailedLoginException

Throws:

NamingException

FailedLoginException

createLdapContext

protected LdapContext createLdapContext()
                                 throws NamingException

Throws:

NamingException

logLdapContextProperties

protected void logLdapContextProperties(Properties env)

hasMoreIgnorePartResEx

protected boolean hasMoreIgnorePartResEx(NamingEnumeration<SearchResult> namingEnum)
                                  throws NamingException

Throws:

NamingException

getSearchScope

protected com.hazelcast.config.security.LdapSearchScope getSearchScope(String optionName)

getName

protected String getName()

Specified by:

getName in class ClusterLoginModule