Package com.hazelcast.security.loginimpl
Class LdapLoginModule
java.lang.Object
  com.hazelcast.security.ClusterLoginModule
    com.hazelcast.security.loginimpl.BasicLdapLoginModule
      com.hazelcast.security.loginimpl.LdapLoginModule
- All Implemented Interfaces:
- LoginModule
JAAS login module which uses the LDAP protocol to verify credentials and load roles. Compared to the BasicLdapLoginModule, this module does not expect a full user DN to be provided as the login name. It can verify the provided user credentials by doing a new LDAP bind, similarly to the BasicLdapLoginModule, but it also allows comparing the provided password against the value of the LDAP attribute named in the passwordAttribute module option. This login module expects an LDAP account to be pre-configured; that account is used for searching user and role objects. The account is configured by passing the well-known InitialLdapContext environment properties as login module options:
- java.naming.security.authentication
- java.naming.security.principal
- java.naming.security.credentials
- ...
Field Summary
Fields (all static final String):
- DEFAULT_USER_FILTER: Default value for the "userFilter" option.
- OPTION_PASSWORD_ATTRIBUTE: Login module option name - Credentials verification is done by new LDAP binds by default.
- OPTION_SECURITY_REALM: Option name for referencing a Security realm name in the Hazelcast configuration.
- OPTION_SKIP_AUTHENTICATION: Login module option name - Allows disabling password verification and only takes care of filling HazelcastPrincipal instances into the Subject.
- OPTION_USER_CONTEXT: Login module option name - LDAP context in which user objects are searched.
- OPTION_USER_FILTER: Login module option name - LDAP search string for retrieving user objects based on the provided login name.
- OPTION_USER_SEARCH_SCOPE: Login module option name - LDAP search scope used for the "userFilter" search.
- PLACEHOLDER_LOGIN: Placeholder string to be replaced by the provided login name in the "userFilter" option.
Fields inherited from class com.hazelcast.security.loginimpl.BasicLdapLoginModule:
ctx, DEFAULT_PARSE_DN, DEFAULT_ROLE_RECURSION_MAX_DEPTH, DEFAULT_USER_NAME_ATTRIBUTE, login, maxRecursionDepth, name, OPTION_PARSE_DN, OPTION_ROLE_CONTEXT, OPTION_ROLE_FILTER, OPTION_ROLE_MAPPING_ATTRIBUTE, OPTION_ROLE_MAPPING_MODE, OPTION_ROLE_NAME_ATTRIBUTE, OPTION_ROLE_RECURSION_MAX_DEPTH, OPTION_ROLE_SEARCH_SCOPE, OPTION_USER_NAME_ATTRIBUTE, parseFromDN, password, PLACEHOLDER_DN, roleContext, roleFilter, roleMappingAttribute, roleMappingMode, roleNameAttribute, roleSearchScope, userAttributes, userDN, userNameAttribute, visitedRoleDns
Fields inherited from class com.hazelcast.security.ClusterLoginModule:
callbackHandler, commitSucceeded, endpoint, logger, loginSucceeded, OPTION_SKIP_ENDPOINT, OPTION_SKIP_IDENTITY, OPTION_SKIP_ROLE, options, SHARED_STATE_IDENTITY, sharedState, subject
Constructor Summary
Constructors:
- LdapLoginModule()

Method Summary
Methods:
- protected LdapContext createLdapContext
- protected void initAuthentication
- protected void onInitialize()
- protected boolean onLogin()
- protected Attributes setUserDnAndGetAttributes
Methods inherited from class com.hazelcast.security.loginimpl.BasicLdapLoginModule:
getName, getSearchScope, hasMoreIgnorePartResEx, logLdapContextProperties, verifyOptions
Methods inherited from class com.hazelcast.security.ClusterLoginModule:
abort, addRole, commit, getBoolOption, getIntOption, getLastIdentity, getStringOption, initialize, isSkipIdentity, isSkipRole, login, logout, onAbort, onCommit, onLogout
Field Details
- PLACEHOLDER_LOGIN
  Placeholder string to be replaced by the provided login name in the "userFilter" option.
- OPTION_USER_CONTEXT
  Login module option name - LDAP context in which user objects are searched (e.g. ou=Users,dc=hazelcast,dc=com).
- OPTION_USER_FILTER
  Login module option name - LDAP search string for retrieving user objects based on the provided login name. It usually contains the placeholder substring "{login}", which is replaced by the provided login name.
- OPTION_USER_SEARCH_SCOPE
  Login module option name - LDAP search scope used for the "userFilter" search. Allowed values:
  - subtree - searches for objects in the given context and its subtree
  - one-level - searches just one level under the given context
  - object - searches (or tests) just the context object itself (if it matches the filter criteria)
- OPTION_PASSWORD_ATTRIBUTE
  Login module option name - Credentials verification is done by new LDAP binds by default. Nevertheless, the password can be stored in a non-default LDAP attribute; in that case use passwordAttribute to configure which LDAP attribute (within the user object) the password provided during login is compared against. As a result, if the passwordAttribute option is provided, the extra LDAP bind to verify credentials is not done and passwords are just compared within the login module code after the user object has been retrieved from the LDAP server.
- OPTION_SKIP_AUTHENTICATION
  Login module option name - Allows disabling password verification and only takes care of filling HazelcastPrincipal instances into the Subject.
- OPTION_SECURITY_REALM
  Option name for referencing a Security realm name in the Hazelcast configuration. The realm's authentication configuration (when defined) will be used to authenticate the "run-as Subject" for LDAP queries.
- DEFAULT_USER_FILTER
  Default value for the "userFilter" option.
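The class description and the option details above, as an added configuration example that is not part of this Javadoc or of the Hazelcast code base: it wires LdapLoginModule into a Hazelcast client realm through the Config API, passing the search account as InitialLdapContext environment keys and naming the other options by the constants documented on this page. Assumed: Hazelcast Enterprise with the security subsystem available, the "reverse" role mapping mode value and the "userPassword" attribute name; every URL, DN and credential is a constructed placeholder.

```java
import java.util.Properties;
import javax.naming.Context;
import com.hazelcast.config.Config;
import com.hazelcast.config.LoginModuleConfig;
import com.hazelcast.config.LoginModuleConfig.LoginModuleUsage;
import com.hazelcast.config.security.JaasAuthenticationConfig;
import com.hazelcast.config.security.RealmConfig;
import com.hazelcast.security.loginimpl.BasicLdapLoginModule;
import com.hazelcast.security.loginimpl.LdapLoginModule;

public class LdapRealmExample {
    // compareStoredPassword=false: credentials are proven by a second LDAP bind (the default).
    // compareStoredPassword=true : the password is compared with a user attribute, no extra bind.
    static Config ldapSecuredConfig(boolean compareStoredPassword) {
        Properties opts = new Properties();
        // Pre-configured search account, passed with the InitialLdapContext environment keys.
        // URL, DNs and credential below are constructed placeholders.
        opts.setProperty(Context.PROVIDER_URL, "ldaps://ldap.example.com:636");
        opts.setProperty(Context.SECURITY_AUTHENTICATION, "simple");
        opts.setProperty(Context.SECURITY_PRINCIPAL, "cn=hz-search,ou=Service,dc=example,dc=com");
        opts.setProperty(Context.SECURITY_CREDENTIALS, "<search-account-password>");
        // Locate the user object: PLACEHOLDER_LOGIN in the filter is replaced by the login name.
        opts.setProperty(LdapLoginModule.OPTION_USER_CONTEXT, "ou=Users,dc=example,dc=com");
        opts.setProperty(LdapLoginModule.OPTION_USER_FILTER,
                "(&(objectClass=inetOrgPerson)(uid=" + LdapLoginModule.PLACEHOLDER_LOGIN + "))");
        opts.setProperty(LdapLoginModule.OPTION_USER_SEARCH_SCOPE, "one-level");
        // Roles: groups whose "member" attribute holds the user's DN ("reverse" mode is assumed;
        // PLACEHOLDER_DN is inherited from BasicLdapLoginModule).
        opts.setProperty(BasicLdapLoginModule.OPTION_ROLE_MAPPING_MODE, "reverse");
        opts.setProperty(BasicLdapLoginModule.OPTION_ROLE_CONTEXT, "ou=Groups,dc=example,dc=com");
        opts.setProperty(BasicLdapLoginModule.OPTION_ROLE_FILTER,
                "(&(objectClass=groupOfNames)(member=" + BasicLdapLoginModule.PLACEHOLDER_DN + "))");
        opts.setProperty(BasicLdapLoginModule.OPTION_ROLE_NAME_ATTRIBUTE, "cn");
        if (compareStoredPassword) {
            // Skips the verifying bind; the search account must be able to read this attribute.
            opts.setProperty(LdapLoginModule.OPTION_PASSWORD_ATTRIBUTE, "userPassword");
        }
        LoginModuleConfig module = new LoginModuleConfig(LdapLoginModule.class.getName(),
                LoginModuleUsage.REQUIRED).setProperties(opts);
        RealmConfig realm = new RealmConfig().setJaasAuthenticationConfig(
                new JaasAuthenticationConfig().addLoginModuleConfig(module));
        Config config = new Config();
        config.getSecurityConfig().setEnabled(true)
                .addRealmConfig("ldapRealm", realm)
                .setClientRealm("ldapRealm");
        return config;
    }
}
```

With the default (bind-based) branch the directory itself checks the password; with the passwordAttribute branch the comparison happens in the module, so the read-only search account is the only credential the module ever binds with.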
Constructor Details
- LdapLoginModule
  public LdapLoginModule()

Method Details
- onInitialize
  protected void onInitialize()
  Overrides: onInitialize in class BasicLdapLoginModule
- onLogin
  Overrides: onLogin in class BasicLdapLoginModule
  Throws: LoginException
- setUserDnAndGetAttributes
  Overrides: setUserDnAndGetAttributes in class BasicLdapLoginModule
  Throws: NamingException, FailedLoginException
- initAuthentication
  Overrides: initAuthentication in class BasicLdapLoginModule
  Throws: FailedLoginException
- createLdapContext
  Overrides: createLdapContext in class BasicLdapLoginModule
  Throws: NamingException