Package com.hazelcast.security.loginimpl
Class LdapLoginModule
java.lang.Object
  com.hazelcast.security.ClusterLoginModule
    com.hazelcast.security.loginimpl.BasicLdapLoginModule
      com.hazelcast.security.loginimpl.LdapLoginModule
All Implemented Interfaces: LoginModule
JAAS login module which uses the LDAP protocol to verify credentials and load roles. Compared to the BasicLdapLoginModule, this module doesn't expect the full user DN to be provided as the login name. It can verify the provided user credentials by doing a new LDAP bind, as the BasicLdapLoginModule does, but it also allows comparing the provided password against the value of the attribute named in the passwordAttribute module option. This login module expects an LDAP account to be pre-configured; this account is used for searching user and role objects. The account is configured by using the well-known InitialLdapContext environment variables as login module options:
- java.naming.security.authentication
- java.naming.security.principal
- java.naming.security.credentials
- ...
Field Summary
Modifier and Type    Field                       Description
static final String  DEFAULT_USER_FILTER         Default value for the "userFilter" option.
static final String  OPTION_PASSWORD_ATTRIBUTE   Login module option name - Credentials verification is done by new LDAP binds by default.
static final String  OPTION_SECURITY_REALM       Option name for referencing Security realm name in Hazelcast configuration.
static final String  OPTION_SKIP_AUTHENTICATION  Login module option name - Allows disabling password verification and only takes care of filling HazelcastPrincipal instances into the Subject.
static final String  OPTION_USER_CONTEXT         Login module option name - LDAP Context in which user objects are searched.
static final String  OPTION_USER_FILTER          Login module option name - LDAP search string for retrieving user objects based on provided login name.
static final String  OPTION_USER_SEARCH_SCOPE    Login module option name - LDAP search scope used for "userFilter" search.
static final String  PLACEHOLDER_LOGIN           Placeholder string to be replaced by provided login name in the "userFilter" option.
Fields inherited from class com.hazelcast.security.loginimpl.BasicLdapLoginModule
ctx, DEFAULT_PARSE_DN, DEFAULT_ROLE_RECURSION_MAX_DEPTH, DEFAULT_USER_NAME_ATTRIBUTE, login, maxRecursionDepth, name, OPTION_PARSE_DN, OPTION_ROLE_CONTEXT, OPTION_ROLE_FILTER, OPTION_ROLE_MAPPING_ATTRIBUTE, OPTION_ROLE_MAPPING_MODE, OPTION_ROLE_NAME_ATTRIBUTE, OPTION_ROLE_RECURSION_MAX_DEPTH, OPTION_ROLE_SEARCH_SCOPE, OPTION_USER_NAME_ATTRIBUTE, parseFromDN, password, PLACEHOLDER_DN, roleContext, roleFilter, roleMappingAttribute, roleMappingMode, roleNameAttribute, roleSearchScope, userAttributes, userDN, userNameAttribute, visitedRoleDns
Fields inherited from class com.hazelcast.security.ClusterLoginModule
callbackHandler, commitSucceeded, endpoint, logger, loginSucceeded, OPTION_SKIP_ENDPOINT, OPTION_SKIP_IDENTITY, OPTION_SKIP_ROLE, options, SHARED_STATE_IDENTITY, sharedState, subject
Constructor Summary
Constructor       Description
LdapLoginModule()

Method Summary
Modifier and Type      Method
protected LdapContext  createLdapContext
protected void         initAuthentication
protected void         onInitialize
protected boolean      onLogin()
protected Attributes   setUserDnAndGetAttributes
Methods inherited from class com.hazelcast.security.loginimpl.BasicLdapLoginModule
getName, getSearchScope, hasMoreIgnorePartResEx, logLdapContextProperties, verifyOptions
Methods inherited from class com.hazelcast.security.ClusterLoginModule
abort, addRole, commit, getBoolOption, getIntOption, getLastIdentity, getStringOption, initialize, isSkipIdentity, isSkipRole, login, logout, onAbort, onCommit, onLogout
Field Details

PLACEHOLDER_LOGIN
Placeholder string to be replaced by provided login name in the "userFilter" option.

OPTION_USER_CONTEXT
Login module option name - LDAP Context in which user objects are searched. (E.g. ou=Users,dc=hazelcast,dc=com)

OPTION_USER_FILTER
Login module option name - LDAP search string for retrieving user objects based on provided login name. It usually contains the placeholder substring "{login}", which is replaced by the provided login name.

OPTION_USER_SEARCH_SCOPE
Login module option name - LDAP search scope used for "userFilter" search. Allowed values:
- subtree - searches for objects in the given context and its subtree
- one-level - searches just one level under the given context
- object - searches (or tests) just the context object itself (if it matches the filter criteria)

OPTION_PASSWORD_ATTRIBUTE
Login module option name - Credentials verification is done by new LDAP binds by default. Nevertheless, the password can be stored in a non-default LDAP attribute; in that case use passwordAttribute to configure which LDAP attribute (within the user object) the password provided during login is compared against. As a result, if the passwordAttribute option is provided, the extra LDAP bind to verify credentials is not done and passwords are just compared within the login module code after retrieving the user object from the LDAP server.

OPTION_SKIP_AUTHENTICATION
Login module option name - Allows disabling password verification and only takes care of filling HazelcastPrincipal instances into the Subject.

OPTION_SECURITY_REALM
Option name for referencing a Security realm name in Hazelcast configuration. The realm's authentication configuration (when defined) will be used to authenticate the "run-as Subject" for LDAP queries.

DEFAULT_USER_FILTER
Default value for the "userFilter" option.
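The search-then-verify flow described in the class description and the options documented under Field Details (userContext, userFilter with its "{login}" placeholder, userSearchScope, passwordAttribute, skipAuthentication), as an added Python example that is not Hazelcast's own code: it runs that flow against a constructed in-memory directory. The option key strings other than userFilter and passwordAttribute are assumed from the constant names, the filter and directory entries are constructed, and the login value is RFC 4515-escaped before substitution, as any filter built from caller input should be.

```python
import hmac
import re

# Constructed in-memory stand-in for the LDAP server (DN -> attributes); not a real directory.
DIRECTORY = {
    "uid=alice,ou=Users,dc=example,dc=com": {"objectClass": "inetOrgPerson", "uid": "alice", "userPassword": "s3cret", "pin": "1234"},
    "uid=bob,ou=Contractors,ou=Users,dc=example,dc=com": {"objectClass": "inetOrgPerson", "uid": "bob", "userPassword": "hunter2"},
}

def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not be able to change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)
def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_user_filter(user_filter, login):
    """Substitute the "{login}" placeholder of the userFilter option with the escaped login name."""
    return user_filter.replace("{login}", escape_filter_value(login))

def in_scope(entry_dn, user_context, scope):
    """userSearchScope semantics (object, one-level, subtree) relative to userContext."""
    if entry_dn == user_context:
        return scope in ("object", "subtree")
    if scope == "object" or not entry_dn.endswith("," + user_context):
        return False
    rdn_count = entry_dn[: -len(user_context) - 1].count(",") + 1
    return scope == "subtree" or rdn_count == 1

def simulated_bind(user_dn, password):
    # An empty password would be an unauthenticated (anonymous) bind on a real server, so it must fail here.
    return bool(password) and user_dn in DIRECTORY and hmac.compare_digest(
        DIRECTORY[user_dn].get("userPassword", "").encode(), password.encode())

def login(options, name, password):
    """Search the user under userContext, then verify as the class description states: skipAuthentication
    skips the check, passwordAttribute compares an attribute, otherwise a new bind. Returns the DN or None."""
    ldap_filter = build_user_filter(options["userFilter"], name)
    # Simplification: the filter is evaluated as a conjunction of (attr=value) equality assertions.
    assertions = [(a, unescape(v)) for a, v in re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)]
    matches = [dn for dn, attrs in DIRECTORY.items() if in_scope(dn, options["userContext"], options.get("userSearchScope", "subtree"))
               and all(attrs.get(a) == v for a, v in assertions)]
    if len(matches) != 1:
        return None  # no such user, or an ambiguous filter: fail closed
    user_dn = matches[0]
    if options.get("skipAuthentication") == "true":
        return user_dn  # credentials are expected to have been verified by another login module
    pw_attr = options.get("passwordAttribute")
    if pw_attr:  # compare mode: no second bind; constant-time compare against the stored attribute
        return user_dn if hmac.compare_digest(DIRECTORY[user_dn].get(pw_attr, "").encode(), password.encode()) else None
    return user_dn if simulated_bind(user_dn, password) else None
```

Switching userSearchScope to "one-level" in the options makes the contractor entry unreachable, and a login name containing filter metacharacters simply matches no entry.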
Constructor Details

LdapLoginModule
public LdapLoginModule()

Method Details

onInitialize
protected void onInitialize()
Overrides: onInitialize in class BasicLdapLoginModule

onLogin
protected boolean onLogin()
Overrides: onLogin in class BasicLdapLoginModule
Throws: LoginException

setUserDnAndGetAttributes
Overrides: setUserDnAndGetAttributes in class BasicLdapLoginModule
Throws: NamingException, FailedLoginException

initAuthentication
Overrides: initAuthentication in class BasicLdapLoginModule
Throws: FailedLoginException

createLdapContext
Overrides: createLdapContext in class BasicLdapLoginModule
Throws: NamingException