Package com.netscape.cms.authentication
Class UidPwdPinDirAuthentication
- java.lang.Object
-
- com.netscape.cms.authentication.DirBasedAuthentication
-
- com.netscape.cms.authentication.UidPwdPinDirAuthentication
-
- All Implemented Interfaces:
IExtendedPluginInfo
,ProfileAuthenticator
,AuthManager
public class UidPwdPinDirAuthentication extends DirBasedAuthentication implements IExtendedPluginInfo, ProfileAuthenticator
uid/pwd/pin directory based authentication manager- Version:
- $Revision$, $Date$
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
CRED_PIN
static java.lang.String
CRED_PWD
static java.lang.String
CRED_UID
static java.lang.String
DEF_PIN_ATTR
static boolean
DEF_REMOVE_PIN
static org.slf4j.Logger
logger
protected static java.lang.String[]
mConfigParams
protected java.security.MessageDigest
mMD5Digest
protected java.lang.String
mPinAttr
protected boolean
mRemovePin
protected static java.lang.String[]
mRequiredCreds
protected java.security.MessageDigest
mSHA256Digest
protected java.security.MessageDigest
mSHADigest
static java.lang.String
PROP_PIN_ATTR
static java.lang.String
PROP_REMOVE_PIN
protected static byte
SENTINEL_MD5
protected static byte
SENTINEL_NONE
protected static byte
SENTINEL_SHA
protected static byte
SENTINEL_SHA256
-
Fields inherited from class com.netscape.cms.authentication.DirBasedAuthentication
DEFAULT_DNPATTERN, mBaseDN, mBoundConnEnable, mConfig, mConnFactory, mExtendedPluginInfo, mGroupObjectClass, mGroups, mGroupsBaseDN, mGroupsEnable, mGroupUserIDName, mImplName, mLdapAttrs, mLdapByteAttrs, mLdapConfig, mLdapStringAttrs, mName, mPattern, mSearchGroupUserByUserdn, mTag, mUserIDName, PROP_DNPATTERN, PROP_GROUP_OBJECT_CLASS, PROP_GROUP_USERID_NAME, PROP_GROUPS, PROP_GROUPS_BASEDN, PROP_GROUPS_ENABLE, PROP_LDAP_BOUND_CONN, PROP_LDAPBYTEATTRS, PROP_LDAPSTRINGATTRS, PROP_SEARCH_GROUP_USER_BY_USERDN, PROP_USERID_NAME, USER_DN
-
Fields inherited from interface org.dogtagpki.server.authentication.AuthManager
CRED_CERT_SERIAL_TO_REVOKE, CRED_CMC_SELF_SIGNED, CRED_CMC_SIGNING_CERT, CRED_HOST_NAME, CRED_SESSION_ID, CRED_SSL_CLIENT_CERT
-
Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo
HELP_TEXT, HELP_TOKEN
-
Fields inherited from interface com.netscape.cms.profile.ProfileAuthenticator
AUTHENTICATED_NAME
-
-
Constructor Summary
Constructors Constructor Description UidPwdPinDirAuthentication()
Default constructor, initialization must follow.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected java.lang.String
authenticate(netscape.ldap.LDAPConnection conn, IAuthCredentials authCreds, AuthToken token)
Authenticates a user based on its uid, pwd, pin in the directory.protected void
checkpin(netscape.ldap.LDAPConnection conn, java.lang.String userdn, java.lang.String uid, java.lang.String pin)
java.lang.String[]
getConfigParams()
Returns a list of configuration parameter names.java.lang.String
getName(java.util.Locale locale)
Retrieves the localizable name of this policy.java.lang.String[]
getRequiredCreds()
Returns array of required credentials for this authentication manager.java.lang.String
getText(java.util.Locale locale)
Retrieves the localizable description of this policy.IDescriptor
getValueDescriptor(java.util.Locale locale, java.lang.String name)
Retrieves the descriptor of the given value parameter by name.java.util.Enumeration<java.lang.String>
getValueNames()
Retrieves a list of names of the value parameter.void
init(Profile profile, IConfigStore config)
Initializes this default policy.void
init(java.lang.String name, java.lang.String implName, AuthManagerConfig config)
Initializes the UidPwdDirBasedAuthentication auth manager.boolean
isSSLClientRequired()
Checks if this authenticator requires SSL client authentication.boolean
isValueWriteable(java.lang.String name)
Checks if the value of the given property should be serializable into the request.void
populate(IAuthToken token, IRequest request)
Populates authentication specific information into the request for auditing purposes.protected void
verifyPassword(java.lang.String Password)
-
Methods inherited from class com.netscape.cms.authentication.DirBasedAuthentication
authenticate, formCertInfo, formSubjectName, getConfigStore, getExtendedPluginInfo, getImplName, getLdapAttrs, getLdapByteAttrs, getName, init, setAuthTokenByteValue, setAuthTokenStringValue, setAuthTokenValues, shutdown
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.dogtagpki.server.authentication.AuthManager
authenticate, getImplName, getName, shutdown
-
Methods inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo
getExtendedPluginInfo
-
Methods inherited from interface com.netscape.cms.profile.ProfileAuthenticator
getConfigStore
-
-
-
-
Field Detail
-
logger
public static org.slf4j.Logger logger
-
CRED_UID
public static final java.lang.String CRED_UID
- See Also:
- Constant Field Values
-
CRED_PWD
public static final java.lang.String CRED_PWD
- See Also:
- Constant Field Values
-
CRED_PIN
public static final java.lang.String CRED_PIN
- See Also:
- Constant Field Values
-
mRequiredCreds
protected static java.lang.String[] mRequiredCreds
-
PROP_REMOVE_PIN
public static final java.lang.String PROP_REMOVE_PIN
- See Also:
- Constant Field Values
-
PROP_PIN_ATTR
public static final java.lang.String PROP_PIN_ATTR
- See Also:
- Constant Field Values
-
DEF_REMOVE_PIN
public static final boolean DEF_REMOVE_PIN
- See Also:
- Constant Field Values
-
DEF_PIN_ATTR
public static final java.lang.String DEF_PIN_ATTR
- See Also:
- Constant Field Values
-
SENTINEL_SHA
protected static final byte SENTINEL_SHA
- See Also:
- Constant Field Values
-
SENTINEL_MD5
protected static final byte SENTINEL_MD5
- See Also:
- Constant Field Values
-
SENTINEL_SHA256
protected static final byte SENTINEL_SHA256
- See Also:
- Constant Field Values
-
SENTINEL_NONE
protected static final byte SENTINEL_NONE
- See Also:
- Constant Field Values
-
mConfigParams
protected static java.lang.String[] mConfigParams
-
mRemovePin
protected boolean mRemovePin
-
mPinAttr
protected java.lang.String mPinAttr
-
mSHADigest
protected java.security.MessageDigest mSHADigest
-
mMD5Digest
protected java.security.MessageDigest mMD5Digest
-
mSHA256Digest
protected java.security.MessageDigest mSHA256Digest
-
-
Method Detail
-
init
public void init(java.lang.String name, java.lang.String implName, AuthManagerConfig config) throws EBaseException
Description copied from class:DirBasedAuthentication
Initializes the UidPwdDirBasedAuthentication auth manager. Takes the following configuration parameters:
ldap.basedn - the ldap base dn. ldap.ldapconn.host - the ldap host. ldap.ldapconn.port - the ldap port ldap.ldapconn.secureConn - whether port should be secure ldap.minConns - minimum connections ldap.maxConns - max connections dnpattern - dn pattern.
dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.
The syntax is
dnpattern = SubjectNameComp *[ "," SubjectNameComp ] SubjectNameComponent = DnComp | EntryComp | ConstantComp DnComp = CertAttr "=" "$dn" "." DnAttr "." Num EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num ConstantComp = CertAttr "=" Constant DnAttr = an attribute in the Ldap entry dn EntryAttr = an attribute in the Ldap entry CertAttr = a Component in the Certificate Subject Name (multiple AVA in one RDN not supported) Num = the nth value of tha attribute in the dn or entry. Constant = Constant String, with any accepted ldap string value.
Example:
dnpattern: E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
Ldap entry dn: UID=joesmith, OU=people, O=Acme.com
Ldap attributes: cn: Joe Smith sn: Smith mail: joesmith@acme.com mail: joesmith@redhat.com ou: people ou: IS etc.The subject name formulated in the cert will be :
E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US E = the first 'mail' ldap attribute value in user's entry - joesmithe@acme.com CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith OU = the second 'ou' value in the ldap entry - IS O = the (first) 'o' value in the user's entry DN - "Acme.com" C = the constant string "US"
- Specified by:
init
in interfaceAuthManager
- Overrides:
init
in classDirBasedAuthentication
- Parameters:
name
- The name for this authentication manager instance.implName
- The name of the authentication manager plugin.config
- - The configuration store for this instance.- Throws:
EBaseException
- If an error occurs during initialization.
-
verifyPassword
protected void verifyPassword(java.lang.String Password)
-
authenticate
protected java.lang.String authenticate(netscape.ldap.LDAPConnection conn, IAuthCredentials authCreds, AuthToken token) throws EBaseException
Authenticates a user based on its uid, pwd, pin in the directory.- Specified by:
authenticate
in classDirBasedAuthentication
- Parameters:
authCreds
- The authentication credentials with uid, pwd, pin.- Returns:
- The user's ldap entry dn.
- Throws:
EInvalidCredentials
- If the uid and password are not validEBaseException
- If an internal error occurs.
-
checkpin
protected void checkpin(netscape.ldap.LDAPConnection conn, java.lang.String userdn, java.lang.String uid, java.lang.String pin) throws EBaseException, netscape.ldap.LDAPException
- Throws:
EBaseException
netscape.ldap.LDAPException
-
getConfigParams
public java.lang.String[] getConfigParams()
Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.- Specified by:
getConfigParams
in interfaceAuthManager
- Specified by:
getConfigParams
in classDirBasedAuthentication
- Returns:
- String array of configuration parameter names.
-
getRequiredCreds
public java.lang.String[] getRequiredCreds()
Returns array of required credentials for this authentication manager.- Specified by:
getRequiredCreds
in interfaceAuthManager
- Specified by:
getRequiredCreds
in classDirBasedAuthentication
- Returns:
- Array of required credentials.
-
init
public void init(Profile profile, IConfigStore config) throws EProfileException
Description copied from interface:ProfileAuthenticator
Initializes this default policy.- Specified by:
init
in interfaceProfileAuthenticator
- Parameters:
profile
- owner of this authenticatorconfig
- configuration store- Throws:
EProfileException
- failed to initialize
-
getName
public java.lang.String getName(java.util.Locale locale)
Retrieves the localizable name of this policy.- Specified by:
getName
in interfaceProfileAuthenticator
- Parameters:
locale
- end user locale- Returns:
- localized authenticator name
-
getText
public java.lang.String getText(java.util.Locale locale)
Retrieves the localizable description of this policy.- Specified by:
getText
in interfaceProfileAuthenticator
- Parameters:
locale
- end user locale- Returns:
- localized authenticator description
-
getValueNames
public java.util.Enumeration<java.lang.String> getValueNames()
Retrieves a list of names of the value parameter.- Specified by:
getValueNames
in interfaceProfileAuthenticator
- Returns:
- a list of property names
-
isValueWriteable
public boolean isValueWriteable(java.lang.String name)
Description copied from interface:ProfileAuthenticator
Checks if the value of the given property should be serializable into the request. Passsword or other security-related value may not be desirable for storage.- Specified by:
isValueWriteable
in interfaceProfileAuthenticator
- Parameters:
name
- property name- Returns:
- true if the property is not security related
-
getValueDescriptor
public IDescriptor getValueDescriptor(java.util.Locale locale, java.lang.String name)
Retrieves the descriptor of the given value parameter by name.- Specified by:
getValueDescriptor
in interfaceProfileAuthenticator
- Parameters:
locale
- user localename
- property name- Returns:
- descriptor of the requested property
-
populate
public void populate(IAuthToken token, IRequest request) throws EProfileException
Description copied from interface:ProfileAuthenticator
Populates authentication specific information into the request for auditing purposes.- Specified by:
populate
in interfaceProfileAuthenticator
- Parameters:
token
- authentication tokenrequest
- request- Throws:
EProfileException
- failed to populate
-
isSSLClientRequired
public boolean isSSLClientRequired()
Description copied from interface:ProfileAuthenticator
Checks if this authenticator requires SSL client authentication.- Specified by:
isSSLClientRequired
in interfaceProfileAuthenticator
- Returns:
- client authentication required or not
-
-