@MinDoc(copyright="Copyright 2006, 2009 A. Weinert", author="Albrecht Weinert", version="V.39", lastModified="17.04.2021", usage="use for access to directory services", purpose="reading from and authenticating to LDAP")
public class LDAPauthRead extends Object

An LDAPauthRead object describes an LDAP / AD connection by its properties. That account is only required if
An LDAPauthRead object is not to be mixed up with the many single users that may just be authenticated by the connected LDAP / AD server. An LDAPauthRead object correctly constructed and set describes a usable LDAP / AD connection (quite) plenary.

Access goes via an InitialLdapContext object supplied by this LDAPauthRead object. That context allows for multiple uses as long as confined to a single thread. For fetching and using such contexts this class has the fitting (helper) methods.

See also: de.frame4j, FastStringSet
| Modifier and Type | Field and Description |
|---|---|
| protected Hashtable<String,String> | authEnv: Base properties for authentication. |
| String | authName: Name of authorised user (SECURITY_PRINCIPAL). |
| String | classAndName: Class name + name. |
| protected boolean | followRoles: Do follow roles of roles as group in group. |
| boolean | isADconnection: AD instead of the "standard" LDAP connection. |
| String | ldapURL: LDAP server's or provider's URL. |
| protected String | ldapUserBase: LDAP user base. |
| protected String | ldapUserPrefix: Name prefix for the user to authenticate. |
| protected String[] | memberOfOnly: Criteria for role retrieval. |
| static Control | msLDAPcontrol: A Microsoft-LDAP-Control. |
| String | name: The LDAP server's / connection's name. |
| protected String | pass: The authorised user's password (SECURITY_CREDENTIALS). |
| protected Hashtable<String,String> | readEnv: Base properties for authentication and read access. |
| protected String | roleNameInAttributePrefix: Prefix for role retrieval. |
| protected String | roleUserBase: User base for role retrieval. |
| protected String | roleUserPrefix: User prefix for role retrieval. |
| protected SearchControls | userRoleCriteria: Criteria for role retrieval. |
| Constructor and Description |
|---|
| LDAPauthRead(CharSequence name, CharSequence ldapURL, CharSequence ldapUserPrefix, CharSequence ldapUserBase): Generate a (minimal) LDAPauthRead object. |
| LDAPauthRead(CharSequence name, CharSequence ldapURL, CharSequence authName, CharSequence pass, boolean isADconnection, CharSequence ldapUserPrefix, CharSequence ldapUserBase): Generate a LDAPauthRead object. |
| Modifier and Type | Method and Description |
|---|---|
| String | authBy(InitialLdapContext ctx, CharSequence userName, CharSequence pass): Authentication to a LDAP server. |
| String | authDnBy(CharSequence distName, CharSequence pass): Authentication against a LDAP server. |
| InitialLdapContext | getAuthContext(): Fetch an authentication context. |
| String | getLdapUserBase(): LDAP user base. |
| String | getLdapUserPrefix(): Name prefix for the user to authenticate. |
| static Control[] | getMSldapCont(): Array containing (exactly) one Microsoft-LDAP-Control. |
| InitialLdapContext | getReadContext(): Fetch a read context. |
| String | getRoleNameInAttributePrefix(): Prefix for role retrieval. |
| SearchResult | getUAccount(String filter, InitialLdapContext readCtx): Find first (user) account matching group attributes. |
| String[] | getUserRoles(CharSequence user, int maxRoles, InitialLdapContext readCtx): Retrieve the roles of a user. |
| FastStringSet | getUserRoles(SearchResult sr, int maxRoles, int addShortRoles, InitialLdapContext readCtx): Retrieve the roles of a user. |
| boolean | isAnoOnly(): Use only anonymous binding to LDAP. |
| boolean | isRoleInList(CharSequence role, String[] list): Is role in a list. |
| boolean | isUserInRole(CharSequence user, CharSequence role, InitialLdapContext readCtx): Check a role of a user. |
| NamingEnumeration<?> | search(InitialLdapContext readCtx, String name, String crit, SearchControls scntls): Search entries. |
| void | setLdapUserBase(CharSequence ldapUserBase): Set LDAP user base. |
| void | setLdapUserPrefix(CharSequence ldapUserPrefix): Set the name prefix for the user to authenticate. |
| void | setUserRoleCriteria(CharSequence roleUserBase, CharSequence roleUserPrefix, boolean roleUserSubtree, CharSequence roleAttributeId, CharSequence roleNameInAttributePrefix, boolean followRoles): Set criteria for role retrieval. |
| static String | snUidCn(CharSequence name): String of criteria. |
| String | toString(): Present itself as String. |
public final String name
The LDAP server's / connection's name. If empty, ldapURL will be used.

public final String classAndName
Class name + name.

public final boolean isADconnection
AD instead of the "standard" LDAP connection.

public final String ldapURL
LDAP server's or provider's URL.

public final String authName
Name of the authorised user (SECURITY_PRINCIPAL). The name (authName) has to be a full name (like "cn=otto,ou=people,dc=fh-bochum,dc=de" e.g.). authName + password are checked against the LDAP server; use therefore the supplied authenticating methods. authName may be the basic pre-condition for any LDAP access beyond plain authentication.
See also: pass, isAnoOnly()

protected String pass
The authorised user's password (SECURITY_CREDENTIALS). A missing name (authName) or password (pass) means anonymous bind.
See also: authName

protected String ldapUserBase
LDAP user base.
See also: getLdapUserBase()

protected String ldapUserPrefix
Name prefix for the user to authenticate.
See also: getLdapUserPrefix()

protected final Hashtable<String,String> authEnv
Base properties for authentication, without authName and pass. InitialLdapContexts are made from there.
See also: readEnv

protected final Hashtable<String,String> readEnv
Base properties for authentication and read access, including authName and pass, if given. If isAnoOnly() is true, readEnv is identical to authEnv.

protected SearchControls userRoleCriteria
Criteria for role retrieval.

protected String[] memberOfOnly
Criteria for role retrieval.

protected boolean followRoles
Do follow roles of roles as group in group.

protected String roleUserBase
User base for role retrieval.

protected String roleUserPrefix
User prefix for role retrieval.

protected String roleNameInAttributePrefix
Prefix for role retrieval.

public static final Control msLDAPcontrol
A Microsoft-LDAP-Control. This javax.naming.ldap.Control is cooked to the recipe that allows LDAP access to a MS Active Directory (AD). It is used as a Control[] of length one; the method getMSldapCont() fetches a singleton of such an array.

public LDAPauthRead(CharSequence name, CharSequence ldapURL, CharSequence ldapUserPrefix, CharSequence ldapUserBase) throws IllegalArgumentException
Generate a (minimal) LDAPauthRead object. An LDAPauthRead object will be made, describing the minimal properties of a "normal" LDAP connection using anonymous bind. It is hence usually not suitable for AD access. This is equivalent to LDAPauthRead(name, ldapURL, null, null, false, ldapUserPrefix, ldapUserBase).
Parameters:
name - the name; empty will use ldapURL here also
ldapURL - provider URL
ldapUserPrefix - setting for authentication service
ldapUserBase - setting for authentication service
Throws:
IllegalArgumentException - on missing or (very) obviously incorrect ldapURL

public LDAPauthRead(CharSequence name, CharSequence ldapURL, CharSequence authName, CharSequence pass, boolean isADconnection, CharSequence ldapUserPrefix, CharSequence ldapUserBase) throws IllegalArgumentException
Generate a LDAPauthRead object. An LDAPauthRead object will be made, describing a LDAP connection. This is the "complete" constructor. ldapUserPrefix and ldapUserBase decorate the name of the user to authenticate (see authBy(InitialLdapContext, CharSequence, CharSequence)). For AD, that is with isADconnection true, both "domain-name\" and null make sense, and for a "normal" LDAP server something like "uid=" and "ou=People,dc=fh-bochum,dc=de".
Parameters:
name - the name; empty will use ldapURL here also
ldapURL - provider URL; valid denotation like ldap://ldap.fh-bochum.de:389
authName - if null or empty, pass has to be so too
pass - if null or empty, authName has to be so too
isADconnection - true if ldapURL is an LDAP connection to Active Directory (AD)
ldapUserPrefix - setting for authentication service
ldapUserBase - setting for authentication service
Throws:
IllegalArgumentException - on missing or (very) obviously incorrect ldapURL as well as on contradictory authName and pass
See also: setLdapUserPrefix(CharSequence), setLdapUserBase(CharSequence)
public final boolean isAnoOnly()
Use only anonymous binding to LDAP. Returns true if this LDAPauthRead only describes an anonymous bind connection.

public final String getLdapUserPrefix()
Name prefix for the user to authenticate (see authBy()).
See also: getLdapUserBase()

public final String getLdapUserBase()
LDAP user base (see authBy()).
See also: getLdapUserPrefix()

public void setLdapUserBase(CharSequence ldapUserBase) throws IllegalArgumentException
Set LDAP user base.
Throws:
IllegalArgumentException - (not 'till now, see syntax hint)
See also: getLdapUserBase()

public void setLdapUserPrefix(CharSequence ldapUserPrefix) throws IllegalArgumentException
Set the name prefix for the user to authenticate.
Throws:
IllegalArgumentException - (not 'till now, see syntax hint)
See also: getLdapUserPrefix()

public InitialLdapContext getAuthContext() throws NamingException
Fetch an authentication context. Makes an InitialLdapContext according to this LDAPauthRead object's properties without regarding a security principal (authName, pass), given or not. The returned InitialLdapContext may be used multiply, e.g. for the static authentication methods, as long as confined to one thread. The Microsoft LDAP control (see getMSldapCont()) is applied if isADconnection is true. The Windows feature itself works (as it seems) only for / since Windows Server 2003.
Throws:
NamingException - if the making of the context fails
See also: getReadContext(), getMSldapCont()

public InitialLdapContext getReadContext() throws NamingException
Fetch a read context. Makes an InitialLdapContext according to this LDAPauthRead object's properties with regarding a security principal (authName, pass), if given. The returned InitialLdapContext may be used multiply, as long as confined to one thread. If isAnoOnly() is true this method does the same as getAuthContext(). See all hints there.
Throws:
NamingException - if the making of the context fails
See also: getAuthContext()
public String authBy(InitialLdapContext ctx, CharSequence userName, CharSequence pass)
Authentication to a LDAP server.
Parameters:
ctx - The context. May be supplied to be re-used multiply in one (!) thread. If null a local throwaway context will be made.
userName - The user's / account's name. Will be decorated with ldapUserPrefix and ldapUserBase if given.
pass - password for userName

public String authDnBy(CharSequence distName, CharSequence pass)
Authentication against a LDAP server.
Parameters:
distName - The user's / account's name as distinguished name
pass - password for distName

public NamingEnumeration<?> search(InitialLdapContext readCtx, String name, String crit, SearchControls scntls) throws NamingException
Search entries.
Parameters:
readCtx - The read context. May be supplied to be re-used multiply in one (!) thread. If null a local throwaway context will be made.
name - denotes the place to start the search
crit - search criteria
scntls - search settings; if null simple defaults apply
Throws:
NamingException - on LDAP or syntax problems
See also: snUidCn(CharSequence)
public static String snUidCn(CharSequence name) throws InvalidSearchFilterException
String of criteria. Makes a string of search criteria for the name provided, that will accept it as cn, sn as well as uid. Intended for search() for informal searches.
Parameters:
name - will be stripped from surrounding white space; must not be empty (then)
Throws:
InvalidSearchFilterException - for empty name

public void setUserRoleCriteria(CharSequence roleUserBase, CharSequence roleUserPrefix, boolean roleUserSubtree, CharSequence roleAttributeId, CharSequence roleNameInAttributePrefix, boolean followRoles)
Set criteria for role retrieval. Under many circumstances ldapUserBase and ldapUserPrefix may be used here.
Parameters:
roleUserBase - null or empty means no LDAP based role search
roleUserPrefix - default: cn=
roleUserSubtree - true means subtrees on base of roleUserBase are to be searched (only one hit); false means roleUserBase being the sole container for role search
roleAttributeId - default: memberOf
followRoles - do follow role in role (group in group)
roleNameInAttributePrefix - default: cn=

public final String getRoleNameInAttributePrefix()
Prefix for role retrieval.
public SearchResult getUAccount(String filter, InitialLdapContext readCtx) throws NamingException
Find the first (user) account matching group attributes. The search uses the settings made by setUserRoleCriteria() and LDAPauthRead().
Parameters:
filter - The filter expression for the account searched for, e.g. "(CN=uhuKont)"
readCtx - The read context
Throws:
NamingException - on context or search problems; in that case a retry using another or newly re-opened context (= LDAP server / AD domain controller) may succeed

public boolean isUserInRole(CharSequence user, CharSequence role, InitialLdapContext readCtx)
Check a role of a user. If user and role are not empty and if userRoleCriteria were set, it will be determined if the user has / is in the role. The base set by setUserRoleCriteria() will be searched. For the first fitting user entry found the role attributes are searched. If one attribute is found fitting the parameter role (disregarding case) true is returned.
See also getUserRoles(SearchResult, int, int, InitialLdapContext), e.g. on authentication.
Parameters:
user - the (LDAP / AD) account's name
role - the (LDAP / AD) account's role to be checked, also one stage indirectly in the sense of role of role
readCtx - The read context. May be supplied to be re-used multiply in one (!) thread. If null a local throwaway context will be made.

public String[] getUserRoles(CharSequence user, int maxRoles, InitialLdapContext readCtx)
Retrieve the roles of a user. If user is not empty and if userRoleCriteria were set, all direct and one stage indirect roles of user will be determined. The base set by setUserRoleCriteria() will be searched for the user's roles. The search stops when maxRoles were collected.
Parameters:
user - the (LDAP / AD) account's name
maxRoles - the maximum number of roles to retrieve directly or recursively as roles of role
readCtx - The read context. May be supplied to be re-used multiply in one (!) thread. If null a local throwaway context will be made.
Returns:
the user's roles as String[]; ComVar.NO_STRINGS if there are none

public FastStringSet getUserRoles(SearchResult sr, int maxRoles, int addShortRoles, InitialLdapContext readCtx)
Retrieve the roles of a user. If sr is not null and represents a user account with all related (memberof) attributes and if userRoleCriteria were set, all direct and (recursively) indirect roles of the user account sr will be determined. The base set by setUserRoleCriteria() will be searched for sr's roles. The search stops when maxRoles were collected. The roles are returned as a FastStringSet.
Parameters:
sr - the (LDAP / AD) account with all (group / memberof) attributes
maxRoles - the maximum number of roles to retrieve directly or recursively as roles of role
addShortRoles - == 2: also the distinguished name's first component (between the first = and the following comma or end) will be collected as "short role name" in the role set if that shortening is feasible.
readCtx - The read context. May be supplied to be re-used multiply in one (!) thread. If null a local throwaway context will be made.

public boolean isRoleInList(CharSequence role, String[] list)
Is role in a list. Returns true if role prefixed by roleNameInAttributePrefix occurs as the start of at least one element of list, not regarding case. For the prefix, please see userRoleCriteria.
The sequence

    String[] roleList = getUserRoles(userN, 9999, ctx);
    boolean inside = isRoleInList(role, roleList);

is equivalent to

    boolean inside = isUserInRole(userN, role, ctx);

From the second role inquiry on, the first variant saves LDAP accesses, thus bringing better performance.
Parameters:
role - (short role), will be prefixed by a set role prefix (mostly cn=)
list - a prepared list of (original / long) roles
See also: getUserRoles(CharSequence, int, InitialLdapContext)
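As an added illustration (not frame4j's own code) of the role retrieval semantics documented above for getUserRoles() and isRoleInList(), the following Python sketch resolves memberOf roles over a constructed in-memory directory: direct roles, roles of roles when followRoles is set (cycle-safe, since an AD group may contain itself indirectly), the maxRoles cap, short role names for addShortRoles == 2, and the case-insensitive prefix check. All DNs and names are constructed sample values.

```python
# Added illustration (not frame4j's code) of the role retrieval semantics
# documented for getUserRoles() and isRoleInList(): direct memberOf roles,
# roles of roles when followRoles is set, the maxRoles cap, short role names
# for addShortRoles == 2, and the case-insensitive prefix check.
ROLE_PREFIX = "cn="  # roleNameInAttributePrefix, default cn=

# Constructed sample directory: entry DN -> values of its memberOf attribute.
DIRECTORY = {
    "cn=otto,ou=people,dc=example,dc=org": [
        "cn=Developers,ou=groups,dc=example,dc=org"],
    "cn=Developers,ou=groups,dc=example,dc=org": [
        "cn=Staff,ou=groups,dc=example,dc=org",
        "cn=Developers,ou=groups,dc=example,dc=org"],  # group in itself: a cycle
    "cn=Staff,ou=groups,dc=example,dc=org": [
        "cn=Everyone,ou=groups,dc=example,dc=org"],
    "cn=Everyone,ou=groups,dc=example,dc=org": [],
}


def short_role(dn):
    """First DN component between the first '=' and the next ',' (or end)."""
    head = dn.split(",", 1)[0]
    return head.split("=", 1)[1] if "=" in head else None


def user_roles(user_dn, max_roles, follow_roles=True, add_short_roles=0):
    """Collect the roles of user_dn; at most max_roles long (DN) roles."""
    roles, queue, seen, found = [], list(DIRECTORY.get(user_dn, [])), set(), 0
    while queue and found < max_roles:
        dn = queue.pop(0)
        if dn.lower() in seen:
            continue  # already collected: duplicate or group-in-group cycle
        seen.add(dn.lower())
        roles.append(dn)
        found += 1
        if add_short_roles == 2 and short_role(dn):
            roles.append(short_role(dn))  # the "short role name"
        if follow_roles:
            queue.extend(DIRECTORY.get(dn, []))  # roles of the role
    return roles


def is_role_in_list(role, roles):
    """True if ROLE_PREFIX + role starts at least one element, ignoring case."""
    needle = (ROLE_PREFIX + role).lower()
    return any(r.lower().startswith(needle) for r in roles)
```

Calling user_roles() once and then is_role_in_list() per role mirrors the cheaper of the two equivalent variants shown above.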
public static Control[] getMSldapCont()
Array containing (exactly) one Microsoft-LDAP-Control; a singleton of such an array.
See also: msLDAPcontrol