Class LdapAuthenticator

  • All Implemented Interfaces:
    Authenticator, Authenticator

    public class LdapAuthenticator
    extends java.lang.Object
    implements Authenticator


    The LdapAuthenticator class provides basic authentication against the configured LDAP instance using the provided URL, DN base and optional group DN for membership verification.

    When this JavaDoc refers to the supported delimiter, it is always three tildes: ~~~

    The following are the config keys that are used.
    • com.carfey.suite.security.LdapAuthenticator.url
    • com.carfey.suite.security.LdapAuthenticator.dn.base
    • com.carfey.suite.security.LdapAuthenticator.dn.attribute
    • com.carfey.suite.security.LdapAuthenticator.accessDN
    • com.carfey.suite.security.LdapAuthenticator.role.ROLENAME.cn
    • com.carfey.suite.security.LdapAuthenticator.role.ROLENAME.roleName
    • com.carfey.suite.security.LdapAuthenticator.securityAuthentication
    • com.carfey.suite.security.LdapAuthenticator.lookupDnAttribute
    • com.carfey.suite.security.LdapAuthenticator.loginAttribute
    • com.carfey.suite.security.LdapAuthenticator.anonymousEnabled
    • com.carfey.suite.security.LdapAuthenticator.searchUserFullDn
    • com.carfey.suite.security.LdapAuthenticator.searchPassword
    • com.carfey.suite.security.LdapAuthenticator.searchUserDnBase
    • com.carfey.suite.security.LdapAuthenticator.groupMembershipAttribute
    • com.carfey.suite.security.LdapAuthenticator.dynamicRole.prefix
    • com.carfey.suite.security.LdapAuthenticator.dynamicRole.suffix
    • com.carfey.suite.security.LdapAuthenticator.checkActiveAttribute
    url is a fully qualified URL including the protocol - e.g. ldap://ldap.carfey.com:389 or ldaps://ldap.carfey.com:636

    dn.base is the base to which the authenticated user's cn, uuid or other will be prepended - e.g. ou=people,o=CarfeySoftware. May be a delimited list of values.

    dn.attribute is the attribute type used in building up the user string - e.g. cn or uuid. It results in a Bind request with the Security Principal set to {dn.attribute}={username},{dn.base}

    accessDN is the group against which to verify access - e.g. cn=SchedulerAccess,ou=groups,o=CarfeySoftware. May be a delimited list of values.

    role.ROLENAME.dn is used to determine membership in a custom group - e.g. com.carfey.suite.security.LdapAuthenticator.role.WRITE.dn=SchedulerWrite,ou=groups,o=CarfeySoftware. May be a delimited list of values.

    role.ROLENAME.roleName specifies the role that will be assigned to the user once membership is verified - e.g. com.carfey.suite.security.LdapAuthenticator.role.WRITE.roleName=MyWriteRole

    securityAuthentication is the optional SECURITY_AUTHENTICATION mechanism. Defaults to simple.

    lookupDnAttribute defaults to false and is only used when you wish to log in via an LDAP attribute that is not part of the DN. A matching entry is found in the LDAP directory (using an anonymous or a fixed lookup account). The next 4 attributes are only used when this attribute is set to true.

    loginAttribute is the name of the attribute used to find the entry whose DN is then used for authentication.

    anonymousEnabled defaults to false; when true, the DN attribute lookups are performed anonymously (without a session authenticated by user/password).

    searchUserFullDn, searchPassword and searchUserDnBase are used to authenticate the dn attribute search request.

    groupMembershipAttribute is an optional key naming additional group membership attribute(s) to check (delimited values supported), in addition to the default supported attributes "uniquemember", "uniqueMember", "member", "roleOccupant", "memberOf" and "MemberOf".

    Membership failures will result in a non-specific AuthenticationException being thrown.

    dynamicRole.prefix and dynamicRole.suffix provide the naming convention used for dynamic role DNs. For example, if your convention for dynamic role DNs is cn=Scheduler<RoleName>,ou=groups,o=MyOrgHere, you would configure prefix and suffix as dynamicRole.prefix="cn=Scheduler" and dynamicRole.suffix=",ou=groups,o=MyOrgHere".

    checkActiveAttribute is used to disable active attribute checking (enabled by default). Active Directory is supported via the userAccountControl attribute (bit 2 NOT set); OpenLDAP via the shadowExpire attribute (-1, meaning never expires, or a value that expires in the future); otherwise via an accountStatus attribute equal to "active", ignoring case.

    • Method Summary

      • User authenticate​(java.lang.String user, java.lang.String pass)
        User provided must be valid in building the distinguished name as follows:
        mAttribute + "=" + user + "," + mBase.
        mAttribute and mBase are defined above.
      • protected void buildUpContextEnvironment​(java.lang.String pass, java.lang.String dn, java.util.Hashtable<java.lang.String,​java.lang.String> environment)
        Stores needed environment attributes.
      • protected boolean isMemberOfGroup​(javax.naming.directory.DirContext authContext, java.lang.String groupNamesConfig, java.lang.String dn)
        Checks for membership of a group/role, trying the attributes "uniquemember", "uniqueMember", "member", "roleOccupant" and "memberOf". Requires browse/read permission on the group or role in question.
      • protected boolean isUserActive​(javax.naming.directory.DirContext authContext, java.lang.String dn)
        Overridable method to determine whether a given authenticated user is active.
      • boolean supportsRememberMe()
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • buildUpContextEnvironment

        protected void buildUpContextEnvironment​(java.lang.String pass,
                                                 java.lang.String dn,
                                                 java.util.Hashtable<java.lang.String,​java.lang.String> environment)
        Stores needed environment attributes:
        • Context.INITIAL_CONTEXT_FACTORY: "com.sun.jndi.ldap.LdapCtxFactory"
        • Context.PROVIDER_URL: {{ldap_url}}
        • Context.SECURITY_AUTHENTICATION: "simple", or the value configured via com.carfey.suite.security.LdapAuthenticator.securityAuthentication
        • Context.SECURITY_PRINCIPAL: {{user_dn}}
        • Context.SECURITY_CREDENTIALS: {{user_pass}}
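        The following is an added example, not code from the project: it reads the config keys described above from a Properties object, builds the bind DN as {dn.attribute}={username},{dn.base} (escaping the user-supplied value per RFC 4514 first, which is the check a hardened override of this step would add), and fills the JNDI environment with the entries listed for buildUpContextEnvironment. The class and method names are assumptions; the sample configuration values are constructed.

```java
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.Context;

// Added example, not the project's code: builds the bind DN and the JNDI environment
// as this JavaDoc describes them, escaping the user-supplied value before concatenation.
public class LdapBindEnvExample {
    static final String P = "com.carfey.suite.security.LdapAuthenticator.";
    static final String DELIM = "~~~"; // the supported delimiter from the class comment
    // RFC 4514 escaping of an attribute value, so a login name containing ',' '=' '+'
    // or similar cannot alter the structure of the DN it is placed into.
    static String escapeDnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            boolean edge = (i == 0 && (c == ' ' || c == '#')) || (i == v.length() - 1 && c == ' ');
            if (edge || ",+\"\\<>;=".indexOf(c) >= 0) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }
    // {dn.attribute}={username},{dn.base}; dn.base may be delimited, first value used here
    static String buildDn(Properties cfg, String user) {
        String base = cfg.getProperty(P + "dn.base").split(DELIM)[0].trim();
        return cfg.getProperty(P + "dn.attribute") + "=" + escapeDnValue(user) + "," + base;
    }

    // The entries buildUpContextEnvironment is documented to store.
    static Hashtable<String, String> buildEnv(Properties cfg, String dn, String pass) {
        if (pass == null || pass.isEmpty()) // an empty password would be an unauthenticated bind
            throw new IllegalArgumentException("empty password");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, cfg.getProperty(P + "url"));
        env.put(Context.SECURITY_AUTHENTICATION, cfg.getProperty(P + "securityAuthentication", "simple"));
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, pass);
        return env;
    }

    public static void main(String[] args) {
        Properties cfg = new Properties(); // constructed sample configuration
        cfg.setProperty(P + "url", "ldaps://ldap.carfey.com:636");
        cfg.setProperty(P + "dn.base", "ou=people,o=CarfeySoftware" + DELIM + "ou=staff,o=CarfeySoftware");
        cfg.setProperty(P + "dn.attribute", "cn");
        String dn = buildDn(cfg, "Smith, John"); // the comma is escaped inside the DN
        System.out.println(buildEnv(cfg, dn, "secret").get(Context.SECURITY_PRINCIPAL));
    }
}
```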
      • isMemberOfGroup

        protected boolean isMemberOfGroup​(javax.naming.directory.DirContext authContext,
                                          java.lang.String groupNamesConfig,
                                          java.lang.String dn)
                                   throws javax.naming.NamingException
        Checks for membership of a group/role, trying the attributes "uniquemember", "uniqueMember", "member", "roleOccupant" and "memberOf". Requires browse/read permission on the group or role in question.
        Throws:
        javax.naming.NamingException
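        The following is an added example, not code from the project: it performs the membership test isMemberOfGroup is documented to make (each configured group DN, each default membership attribute plus any configured groupMembershipAttribute values, both lists ~~~-delimited) over a constructed group entry instead of a live DirContext. The class name, the lookup function and the sample DNs are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;

// Added example, not the project's code: the membership test isMemberOfGroup is documented
// to perform, run over a constructed group entry instead of a live DirContext.
public class GroupMembershipExample {
    static final String DELIM = "~~~";
    static final List<String> DEFAULT_ATTRS = Arrays.asList(
        "uniquemember", "uniqueMember", "member", "roleOccupant", "memberOf", "MemberOf");

    // lookup returns a group entry's attributes (needs read permission on that entry);
    // groupNamesConfig and extraAttrs (groupMembershipAttribute) may be ~~~-delimited.
    static boolean isMember(Function<String, Attributes> lookup, String groupNamesConfig,
                            String extraAttrs, String userDn) throws NamingException {
        List<String> names = new ArrayList<>(DEFAULT_ATTRS);
        if (extraAttrs != null && !extraAttrs.isEmpty()) names.addAll(Arrays.asList(extraAttrs.split(DELIM)));
        for (String groupDn : groupNamesConfig.split(DELIM)) {
            Attributes group = lookup.apply(groupDn.trim());
            if (group == null) continue; // unreadable or missing group: not a match
            for (String name : names) {
                Attribute a = group.get(name);
                for (int i = 0; a != null && i < a.size(); i++) {
                    // plain string compare; a strict implementation would normalise both DNs first
                    if (userDn.equalsIgnoreCase(String.valueOf(a.get(i)))) return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws NamingException {
        Attributes access = new BasicAttributes(true); // constructed group entry, case-insensitive IDs
        access.put("uniqueMember", "cn=jsmith,ou=people,o=CarfeySoftware");
        Map<String, Attributes> dir = Map.of("cn=SchedulerAccess,ou=groups,o=CarfeySoftware", access);
        String cfg = "cn=Admins,ou=groups,o=CarfeySoftware" + DELIM + "cn=SchedulerAccess,ou=groups,o=CarfeySoftware";
        System.out.println(isMember(dir::get, cfg, "isMemberOf", "cn=jsmith,ou=people,o=CarfeySoftware"));
    }
}
```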
      • isUserActive

        protected boolean isUserActive​(javax.naming.directory.DirContext authContext,
                                       java.lang.String dn)
        Overridable method to determine if a given authenticated user is active or not.
        • ActiveDirectory: if the userAccountControl attribute is present, the user is active when bit 2 is NOT set
        • OpenLDAP: if the shadowExpire attribute is present, it must be -1 (never expires) or an epoch millis value in the future, that is, greater than System.currentTimeMillis()
        • Other: if the accountStatus attribute is present, it must equal "active", ignoring case.
        • If none of the above attributes is set, the user is assumed to be active.

        Any LDAP attribute check failure is logged and assumes user is inactive.
        Since:
        6.3.3 method is protected and overridable
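        The following is an added example, not code from the project: it applies the checks isUserActive is documented to make to an entry's Attributes rather than a DirContext, so it runs without a directory, and treats any read or parse failure as inactive as the JavaDoc states. The class name and the constructed sample entries are assumptions.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;

// Added example, not the project's code: the decision isUserActive is documented to make,
// applied to an entry's Attributes so it runs without a directory.
public class ActiveCheckExample {
    static final int UF_ACCOUNTDISABLE = 0x2; // Active Directory userAccountControl bit 2

    static String first(Attributes attrs, String name) throws NamingException {
        Attribute a = attrs.get(name);
        return a == null ? null : String.valueOf(a.get());
    }

    // True when every present check passes; a missing attribute is skipped and any
    // failure while reading or parsing is logged and treated as inactive (fail closed).
    static boolean isActive(Attributes attrs, long nowMillis) {
        try {
            String uac = first(attrs, "userAccountControl");
            if (uac != null && (Integer.parseInt(uac.trim()) & UF_ACCOUNTDISABLE) != 0) return false;
            String expire = first(attrs, "shadowExpire");
            // Comparison as documented above (-1, or a value later than currentTimeMillis).
            // The shadow schema itself defines shadowExpire in days since the epoch.
            if (expire != null) {
                long v = Long.parseLong(expire.trim());
                if (v != -1 && v <= nowMillis) return false;
            }
            String status = first(attrs, "accountStatus");
            return status == null || "active".equalsIgnoreCase(status.trim());
        } catch (NamingException | NumberFormatException e) {
            System.err.println("active check failed, treating user as inactive: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        Attributes ad = new BasicAttributes(true);   // constructed AD-style entry, 512 | 2 = disabled
        ad.put("userAccountControl", "514");
        Attributes ol = new BasicAttributes(true);   // constructed OpenLDAP-style entry, never expires
        ol.put("shadowExpire", "-1");
        Attributes bad = new BasicAttributes(true);  // constructed malformed entry, must fail closed
        bad.put("userAccountControl", "n/a");
        System.out.println(isActive(ad, now) + " " + isActive(ol, now) + " " + isActive(bad, now));
    }
}
```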