Package com.hazelcast.security.loginimpl
Class BasicLdapLoginModule
java.lang.Object
com.hazelcast.security.ClusterLoginModule
com.hazelcast.security.loginimpl.BasicLdapLoginModule
- All Implemented Interfaces:
LoginModule
- Direct Known Subclasses:
LdapLoginModule
JAAS login module which uses LDAP as a user population store. It binds to the configured server with the provided username (DN)
and password. Within the established LDAP context it loads the user attributes and runs role search queries when necessary.
-
Field Summary
Fields
- protected LdapContext ctx
- static final boolean DEFAULT_PARSE_DN
- static final int DEFAULT_ROLE_RECURSION_MAX_DEPTH: Role search recursion is disabled by default.
- static final String DEFAULT_USER_NAME_ATTRIBUTE
- protected String login
- protected int maxRecursionDepth
- protected String name
- static final String OPTION_PARSE_DN: Login module option name. If the option is set to true, the value of roleMappingAttribute is treated as a DN and only the roleNameAttribute attribute values are extracted as role names.
- static final String OPTION_ROLE_CONTEXT: Login module option name. LDAP context in which assigned roles are searched.
- static final String OPTION_ROLE_FILTER: Login module option name. LDAP search string which usually contains the placeholder {memberDN}, to be replaced by the provided login name.
- static final String OPTION_ROLE_MAPPING_ATTRIBUTE: Login module option name. Name of the LDAP attribute which contains either the role name or the role DN.
- static final String OPTION_ROLE_MAPPING_MODE: Login module option name. Role mapping mode; one of attribute (the user object in LDAP directly contains the role name in the given attribute), direct or reverse.
- static final String OPTION_ROLE_NAME_ATTRIBUTE: Name of the LDAP attribute within the role object which contains the role name, for the "direct" and "reverse" roleMappingMode values.
- static final String OPTION_ROLE_RECURSION_MAX_DEPTH: Login module option name. Sets the max depth of role search recursion.
- static final String OPTION_ROLE_SEARCH_SCOPE: LDAP search scope used for the roleFilter search.
- static final String OPTION_USER_NAME_ATTRIBUTE: Login module option name. Name of the LDAP attribute whose value is used as the name in the ClusterIdentityPrincipal added to the JAAS Subject.
- protected boolean parseFromDN
- protected String password
- static final String PLACEHOLDER_DN: Placeholder string to be replaced by a user or role DN in the "roleFilter" option.
- protected String roleContext
- protected String roleFilter
- protected String roleMappingAttribute
- protected com.hazelcast.config.security.LdapRoleMappingMode roleMappingMode
- protected String roleNameAttribute
- protected com.hazelcast.config.security.LdapSearchScope roleSearchScope
- protected Attributes userAttributes
- protected String userDN
- protected String userNameAttribute
- visitedRoleDns
Fields inherited from class com.hazelcast.security.ClusterLoginModule
callbackHandler, commitSucceeded, endpoint, logger, loginSucceeded, OPTION_SKIP_ENDPOINT, OPTION_SKIP_IDENTITY, OPTION_SKIP_ROLE, options, SHARED_STATE_IDENTITY, sharedState, subject
Constructor Summary
Constructors
- BasicLdapLoginModule()
Method Summary
Methods
- protected LdapContext createLdapContext
- protected String getName()
- protected com.hazelcast.config.security.LdapSearchScope getSearchScope(String optionName)
- protected boolean hasMoreIgnorePartResEx(NamingEnumeration<SearchResult> namingEnum)
- protected void initAuthentication
- protected void logLdapContextProperties
- protected void onInitialize()
- protected boolean onLogin()
- protected Attributes setUserDnAndGetAttributes
- protected void verifyOptions()
Methods inherited from class com.hazelcast.security.ClusterLoginModule
abort, addRole, commit, getBoolOption, getIntOption, getLastIdentity, getStringOption, initialize, isSkipIdentity, isSkipRole, login, logout, onAbort, onCommit, onLogout
-
Field Details
-
PLACEHOLDER_DN
Placeholder string to be replaced by a user or role DN in the "roleFilter" option.
-
OPTION_USER_NAME_ATTRIBUTE
Login module option name - Name of the LDAP attribute whose value is used as the name in the ClusterIdentityPrincipal added to the JAAS Subject.
-
OPTION_PARSE_DN
Login module option name - If the option is set to true, the value of roleMappingAttribute is treated as a DN and only the roleNameAttribute attribute values are extracted as role names. When the option value is false, the whole value of roleMappingAttribute is used as the role name.
This option is only used when the roleMappingMode option has the value "attribute".
-
OPTION_ROLE_MAPPING_MODE
Login module option name - Role mapping mode. It can have one of the following values:
- attribute - the user object in LDAP directly contains the role name in the given attribute. The role name can be parsed from a DN string when parseDN=true. No additional LDAP query is done to find assigned roles.
- direct - the user object contains an attribute with the DN(s) of the assigned role(s). The role object(s) are loaded from LDAP and the role name is retrieved from their attributes. Role search recursion can be enabled for this mode.
- reverse - role objects are located by executing an LDAP search query with the given roleFilter. In this case the role object usually contains attributes with the DNs of assigned users. Role search recursion can be enabled for this mode.
-
OPTION_ROLE_MAPPING_ATTRIBUTE
Login module option name - Name of the LDAP attribute which contains either the role name or the role DN.
This option is only used when the roleMappingMode option has the value "attribute" or "direct".
-
OPTION_ROLE_CONTEXT
Login module option name - LDAP context in which assigned roles are searched (e.g. ou=Roles,dc=hazelcast,dc=com).
This option is only used when the roleMappingMode option has the value "reverse".
-
OPTION_ROLE_FILTER
Login module option name - LDAP search string which usually contains the placeholder {memberDN}, to be replaced by the provided login name (e.g. (member={memberDN})). If role search recursion is enabled (see roleRecursionMaxDepth), {memberDN} is replaced by role DNs in the recursive searches.
This option is only used when the roleMappingMode option has the value "reverse".
-
OPTION_ROLE_RECURSION_MAX_DEPTH
Login module option name - Sets the max depth of role search recursion. The default value 1 means role search recursion is disabled.
This option is only used when the roleMappingMode option has the value "direct" or "reverse".
-
OPTION_ROLE_NAME_ATTRIBUTE
This option refers either to the name of the LDAP attribute within the role object which contains the role name (for the "direct" and "reverse" roleMappingMode values), or to the attribute name within the X.500 name stored in roleMappingAttribute (when roleMappingMode=attribute and parseDN=true).
-
OPTION_ROLE_SEARCH_SCOPE
LDAP search scope used for the roleFilter search. Allowed values come from the LdapSearchScope enum:
- subtree - searches for objects in the given context and its subtree
- one-level - searches just one level under the given context
- object - searches (or tests) just the context object itself (if it matches the filter criteria)
This option is only used when the roleMappingMode option has the value "reverse".
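As an added illustration, not Hazelcast's code, the following Java models how the roleMappingMode, parseDN, roleMappingAttribute, roleNameAttribute, roleFilter, roleContext, search scope and roleRecursionMaxDepth options described above combine to produce role names. The in-memory directory, its entries (alice, admins, operators) and the Scope enum are constructed stand-ins; only the option semantics follow the descriptions on this page.

```java
import java.util.*;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Illustrative model of the role-mapping options; not Hazelcast's implementation. The directory
 *  is an in-memory map of constructed entries and search() understands only one equality filter. */
public class RoleMappingDemo {
    static final String PLACEHOLDER_DN = "{memberDN}";
    static final String ROLES = "ou=Roles,dc=hazelcast,dc=com";            // used as roleContext
    static final String ADMINS = "cn=admins," + ROLES;
    static final String OPERATORS = "cn=operators," + ROLES;
    static final String ALICE = "uid=alice,ou=Users,dc=hazelcast,dc=com";

    enum Scope { SUBTREE, ONE_LEVEL, OBJECT }                               // stands in for LdapSearchScope

    // Constructed sample directory: DN -> attribute -> values. admins is nested in operators,
    // and the memberOf back-edge from operators to admins creates a deliberate cycle.
    static final Map<String, Map<String, List<String>>> DIR = Map.of(
        ALICE, Map.of("memberOf", List.of(ADMINS)),
        ADMINS, Map.of("cn", List.of("admins"), "member", List.of(ALICE), "memberOf", List.of(OPERATORS)),
        OPERATORS, Map.of("cn", List.of("operators"), "member", List.of(ADMINS), "memberOf", List.of(ADMINS)));

    static List<String> attr(String dn, String attribute) {
        return DIR.getOrDefault(dn, Map.of()).getOrDefault(attribute, List.of());
    }

    /** roleMappingMode=attribute: no extra query; with parseDN=true each value is parsed as a DN. */
    static Set<String> attributeMode(String userDn, String roleMappingAttribute, boolean parseDN,
                                     String roleNameAttribute) throws InvalidNameException {
        Set<String> roles = new LinkedHashSet<>();
        for (String value : attr(userDn, roleMappingAttribute)) {
            if (!parseDN) { roles.add(value); continue; }                  // whole value is the role name
            for (Rdn rdn : new LdapName(value).getRdns())                   // keep RDNs of type roleNameAttribute
                if (rdn.getType().equalsIgnoreCase(roleNameAttribute)) roles.add(rdn.getValue().toString());
        }
        return roles;
    }

    /** roleMappingMode=direct: the user's attribute holds role DNs; each role object supplies its name. */
    static Set<String> directMode(String userDn, String roleMappingAttribute, String roleNameAttribute, int maxDepth) {
        return collect(userDn, dn -> attr(dn, roleMappingAttribute), roleNameAttribute, maxDepth);
    }

    /** roleMappingMode=reverse: roleFilter is searched under roleContext with {memberDN} replaced by the
     *  user DN and, when recursion is enabled, by each role DN found so far. */
    static Set<String> reverseMode(String userDn, String roleContext, Scope scope, String roleFilter,
                                   String roleNameAttribute, int maxDepth) {
        return collect(userDn, dn -> search(roleContext, scope, roleFilter.replace(PLACEHOLDER_DN, dn)),
                       roleNameAttribute, maxDepth);
    }

    /** Shared recursion: depth 1 covers the directly assigned roles only, so maxDepth=1 disables recursion. */
    static Set<String> collect(String userDn, Function<String, List<String>> next, String nameAttr, int maxDepth) {
        Set<String> roles = new LinkedHashSet<>();
        walk(userDn, next, nameAttr, 1, maxDepth, new HashSet<>(), roles);
        return roles;
    }

    private static void walk(String dn, Function<String, List<String>> next, String nameAttr, int depth,
                             int maxDepth, Set<String> visited, Set<String> roles) {
        for (String roleDn : next.apply(dn)) {
            if (!visited.add(roleDn)) continue;                             // cycle guard, like visitedRoleDns
            roles.addAll(attr(roleDn, nameAttr));
            if (depth < maxDepth) walk(roleDn, next, nameAttr, depth + 1, maxDepth, visited, roles);
        }
    }

    /** Toy search: one "(attribute=value)" filter evaluated over DIR within the requested scope. */
    static List<String> search(String ctx, Scope scope, String filter) {
        Matcher m = Pattern.compile("\\((\\w+)=(.*)\\)").matcher(filter);
        if (!m.matches()) throw new IllegalArgumentException("unsupported filter: " + filter);
        List<String> hits = new ArrayList<>();
        for (String dn : DIR.keySet()) {
            boolean inScope = switch (scope) {
                case OBJECT -> dn.equals(ctx);
                case ONE_LEVEL -> dn.endsWith("," + ctx) && rdnCount(dn) == rdnCount(ctx) + 1;
                case SUBTREE -> dn.equals(ctx) || dn.endsWith("," + ctx);
            };
            if (inScope && attr(dn, m.group(1)).contains(m.group(2))) hits.add(dn);
        }
        return hits;
    }

    static int rdnCount(String dn) {
        try { return new LdapName(dn).size(); } catch (InvalidNameException e) { throw new IllegalArgumentException(e); }
    }

    public static void main(String[] args) throws InvalidNameException {
        String filter = "(member=" + PLACEHOLDER_DN + ")";
        System.out.println("attribute, parseDN=true : " + attributeMode(ALICE, "memberOf", true, "cn"));
        System.out.println("attribute, parseDN=false: " + attributeMode(ALICE, "memberOf", false, "cn"));
        System.out.println("direct,  maxDepth=1     : " + directMode(ALICE, "memberOf", "cn", 1));
        System.out.println("direct,  maxDepth=5     : " + directMode(ALICE, "memberOf", "cn", 5));
        System.out.println("reverse, maxDepth=1     : " + reverseMode(ALICE, ROLES, Scope.ONE_LEVEL, filter, "cn", 1));
        System.out.println("reverse, maxDepth=2     : " + reverseMode(ALICE, ROLES, Scope.ONE_LEVEL, filter, "cn", 2));
    }
}
```

The example needs Java 14 or newer for the switch expression. Running it shows the three modes side by side: in attribute mode parseDN decides whether "admins" or the whole DN becomes the role name; in direct and reverse mode maxDepth=1 yields only admins, while a larger depth follows the nested membership to operators and the visited set stops the admins/operators cycle from looping. One caveat for a real deployment: the toy search compares strings, but against a live server the value substituted for {memberDN} becomes part of an LDAP filter, so an implementation must escape filter metacharacters in it (RFC 4515) before sending the query.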
-
DEFAULT_USER_NAME_ATTRIBUTE
-
DEFAULT_PARSE_DN
public static final boolean DEFAULT_PARSE_DN
-
DEFAULT_ROLE_RECURSION_MAX_DEPTH
public static final int DEFAULT_ROLE_RECURSION_MAX_DEPTH
Role search recursion is disabled by default.
name
-
login
-
password
-
userDN
-
userNameAttribute
-
roleMappingAttribute
-
roleMappingMode
protected com.hazelcast.config.security.LdapRoleMappingMode roleMappingMode
roleNameAttribute
-
roleFilter
-
roleContext
-
roleSearchScope
protected com.hazelcast.config.security.LdapSearchScope roleSearchScope
parseFromDN
protected boolean parseFromDN
maxRecursionDepth
protected int maxRecursionDepth
userAttributes
-
ctx
-
visitedRoleDns
-
-
Constructor Details
-
BasicLdapLoginModule
public BasicLdapLoginModule()
-
-
Method Details
-
onInitialize
protected void onInitialize()
- Overrides:
onInitialize in class ClusterLoginModule
-
onLogin
- Specified by:
onLogin in class ClusterLoginModule
- Throws:
LoginException
-
initAuthentication
- Throws:
FailedLoginException
-
verifyOptions
protected void verifyOptions()
setUserDnAndGetAttributes
- Throws:
NamingException
FailedLoginException
-
createLdapContext
- Throws:
NamingException
-
logLdapContextProperties
-
hasMoreIgnorePartResEx
protected boolean hasMoreIgnorePartResEx(NamingEnumeration<SearchResult> namingEnum) throws NamingException
- Throws:
NamingException
-
getSearchScope
-
getName
- Specified by:
getName in class ClusterLoginModule
-