| opends/resource/schema/02-config.ldif | ●●●●● patch | view | raw | blame | history | |
| opends/src/admin/defn/org/opends/server/admin/std/LDAPPassThroughAuthenticationPolicyConfiguration.xml | ●●●●● patch | view | raw | blame | history | |
| opends/src/admin/messages/LDAPPassThroughAuthenticationPolicyCfgDefn.properties | ●●●●● patch | view | raw | blame | history | |
| opends/src/server/org/opends/server/extensions/LDAPPassThroughAuthenticationPolicyFactory.java | ●●●●● patch | view | raw | blame | history |
opends/resource/schema/02-config.ldif
@@ -2581,6 +2581,36 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.12 NAME 'ds-cfg-primary-remote-ldap-server' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.13 NAME 'ds-cfg-secondary-remote-ldap-server' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.14 NAME 'ds-cfg-mapping-policy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.15 NAME 'ds-cfg-mapped-attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.16 NAME 'ds-cfg-mapped-search-bind-dn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.17 NAME 'ds-cfg-mapped-search-bind-password' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.18 NAME 'ds-cfg-mapped-search-base-dn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'OpenDJ Directory Server' ) objectClasses: ( 1.3.6.1.4.1.26027.1.2.1 NAME 'ds-cfg-access-control-handler' SUP top @@ -4321,3 +4351,16 @@ MUST ( ds-cfg-pwd-sync-policy ) MAY ( ds-cfg-samba-administrator-dn ) X-ORIGIN 'OpenDJ Directory Server' ) objectClasses: ( 1.3.6.1.4.1.36733.2.1.2.4 NAME 'ds-cfg-ldap-pass-through-authentication-policy' SUP ds-cfg-authentication-policy STRUCTURAL MUST ( ds-cfg-java-class $ ds-cfg-primary-remote-ldap-server $ ds-cfg-mapping-policy ) MAY ( ds-cfg-secondary-remote-ldap-server $ ds-cfg-mapped-attribute $ ds-cfg-mapped-search-bind-dn $ ds-cfg-mapped-search-bind-password $ ds-cfg-mapped-search-base-dn ) X-ORIGIN 'OpenDJ Directory Server' ) opends/src/admin/defn/org/opends/server/admin/std/LDAPPassThroughAuthenticationPolicyConfiguration.xml
New file 
@@ -0,0 +1,296 @@ <?xml version="1.0" encoding="UTF-8"?> <!-- ! CDDL HEADER START ! ! The contents of this file are subject to the terms of the ! Common Development and Distribution License, Version 1.0 only ! (the "License"). You may not use this file except in compliance ! with the License. ! ! You can obtain a copy of the license at ! trunk/opends/resource/legal-notices/OpenDS.LICENSE ! or https://OpenDS.dev.java.net/OpenDS.LICENSE. ! See the License for the specific language governing permissions ! and limitations under the License. ! ! When distributing Covered Code, include this CDDL HEADER in each ! file and include the License file at ! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable, ! add the following below this CDDL HEADER, with the fields enclosed ! by brackets "[]" replaced with your own identifying information: ! Portions Copyright [yyyy] [name of copyright owner] ! ! CDDL HEADER END ! ! ! Copyright 2011 ForgeRock AS ! --> <adm:managed-object name="ldap-pass-through-authentication-policy" plural-name="ldap-pass-through-authentication-policies" extends="authentication-policy" package="org.opends.server.admin.std" xmlns:adm="http://www.opends.org/admin" xmlns:ldap="http://www.opends.org/admin-ldap"> <adm:synopsis> An authentication policy for users whose credentials are managed by a remote LDAP directory service. </adm:synopsis> <adm:description> Authentication attempts will be redirected to the remote LDAP directory service based on a combination of the criteria specified in this policy and the content of the user's entry in this directory server. </adm:description> <adm:constraint> <adm:synopsis> One or more mapped attributes must be specified when using the "mapped-bind" or "mapped-search" mapping policies. 
</adm:synopsis> <adm:condition> <adm:implies> <adm:or> <adm:contains property="mapping-policy" value="mapped-bind" /> <adm:contains property="mapping-policy" value="mapped-search" /> </adm:or> <adm:is-present property="mapped-attribute" /> </adm:implies> </adm:condition> </adm:constraint> <adm:constraint> <adm:synopsis> One or more search base DNs must be specified when using the "mapped-search" mapping policies. </adm:synopsis> <adm:condition> <adm:implies> <adm:or> <adm:contains property="mapping-policy" value="mapped-search" /> </adm:or> <adm:is-present property="mapped-search-base-dn" /> </adm:implies> </adm:condition> </adm:constraint> <adm:profile name="ldap"> <ldap:object-class> <ldap:name>ds-cfg-ldap-pass-through-authentication-policy</ldap:name> <ldap:superior>ds-cfg-authentication-policy</ldap:superior> </ldap:object-class> </adm:profile> <adm:property-override name="java-class" advanced="true"> <adm:default-behavior> <adm:defined> <adm:value> org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory </adm:value> </adm:defined> </adm:default-behavior> </adm:property-override> <adm:property name="primary-remote-ldap-server" multi-valued="true" mandatory="true"> <adm:synopsis> Specifies the primary list of remote LDAP servers which should be used for pass through authentication. </adm:synopsis> <adm:description> If more than one LDAP server is specified then operations may be distributed across them. If all of the primary LDAP servers are unavailable then operations will fail-over to the set of secondary LDAP servers, if defined. </adm:description> <adm:syntax> <adm:string> <adm:pattern> <adm:regex>^.+:[0-9]+$</adm:regex> <adm:usage>HOST:PORT</adm:usage> <adm:synopsis> A host name followed by a ":" and a port number. 
</adm:synopsis> </adm:pattern> </adm:string> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:name>ds-cfg-primary-remote-ldap-server</ldap:name> </ldap:attribute> </adm:profile> </adm:property> <adm:property name="secondary-remote-ldap-server" multi-valued="true"> <adm:synopsis> Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable. </adm:synopsis> <adm:description> If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available. </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis>No secondary LDAP servers.</adm:synopsis> </adm:alias> </adm:default-behavior> <adm:syntax> <adm:string> <adm:pattern> <adm:regex>^.+:[0-9]+$</adm:regex> <adm:usage>HOST:PORT</adm:usage> <adm:synopsis> A host name followed by a ":" and a port number. </adm:synopsis> </adm:pattern> </adm:string> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:name>ds-cfg-secondary-remote-ldap-server</ldap:name> </ldap:attribute> </adm:profile> </adm:property> <adm:property name="mapping-policy" mandatory="true"> <adm:synopsis> Specifies the mapping algorithm for obtaining the bind DN from the user's entry. </adm:synopsis> <adm:default-behavior> <adm:defined> <adm:value>unmapped</adm:value> </adm:defined> </adm:default-behavior> <adm:syntax> <adm:enumeration> <adm:value name="unmapped"> <adm:synopsis> Bind to the remote LDAP directory service using the DN of the user's entry in this directory server. </adm:synopsis> </adm:value> <adm:value name="mapped-bind"> <adm:synopsis> Bind to the remote LDAP directory service using a DN obtained from an attribute in the user's entry. This policy will check each attribute named in the "match-attribute" property. If more than one attribute or value is present then the first one will be used. 
</adm:synopsis> </adm:value> <adm:value name="mapped-search"> <adm:synopsis> Bind to the remote LDAP directory service using the DN of an entry obtained using a search against the remote LDAP directory service. The search filter will comprise of an equality matching filter whose attribute type is the "match-attribute" property, and whose assertion value is the attribute value obtained from the user's entry. If more than one attribute or value is present then the filter will be composed of multiple equality filters combined using a logical OR (union). </adm:synopsis> </adm:value> </adm:enumeration> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:name>ds-cfg-mapping-policy</ldap:name> </ldap:attribute> </adm:profile> </adm:property> <adm:property name="mapped-attribute" multi-valued="true"> <adm:synopsis> Specifies one or more attributes in the user's entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies. </adm:synopsis> <adm:description> At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user's local entry in order for authentication to proceed. When multiple attributes or values are found in the user's entry then the behavior is determined by the mapping policy. </adm:description> <adm:default-behavior> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:attribute-type /> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:name>ds-cfg-mapped-attribute</ldap:name> </ldap:attribute> </adm:profile> </adm:property> <adm:property name="mapped-search-bind-dn"> <adm:synopsis> Specifies the bind DN which should be used for perform user searches in the remote LDAP directory service. 
</adm:synopsis> <adm:default-behavior> <adm:alias> <adm:synopsis>Searches will be performed anonymously.</adm:synopsis> </adm:alias> </adm:default-behavior> <adm:syntax> <adm:dn /> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:name>ds-cfg-mapped-search-bind-dn</ldap:name> </ldap:attribute> </adm:profile> </adm:property> <adm:property name="mapped-search-bind-password"> <adm:synopsis> Specifies the bind password which should be used for perform user searches in the remote LDAP directory service. </adm:synopsis> <adm:default-behavior> <adm:alias> <adm:synopsis>Searches will be performed anonymously.</adm:synopsis> </adm:alias> </adm:default-behavior> <adm:syntax> <adm:password /> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:name>ds-cfg-mapped-search-bind-password</ldap:name> </ldap:attribute> </adm:profile> </adm:property> <adm:property name="mapped-search-base-dn" multi-valued="true"> <adm:synopsis> Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy. </adm:synopsis> <adm:description> If multiple values are given, searches are performed below all specified base DNs. </adm:description> <adm:default-behavior> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:dn /> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:name>ds-cfg-mapped-search-base-dn</ldap:name> </ldap:attribute> </adm:profile> </adm:property> </adm:managed-object> opends/src/admin/messages/LDAPPassThroughAuthenticationPolicyCfgDefn.properties
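Review bot: The synopses of the `mapped-bind` and `mapped-search` enumeration values tell the administrator that the bind DN comes from the "match-attribute" property, but the only property this definition declares for that purpose is `mapped-attribute`, so the generated help and constraint text will point at a property that does not exist; the same wording is repeated in LDAPPassThroughAuthenticationPolicyCfgDefn.properties and should be corrected there too, to `"mapped-attribute"`. The second constraint's synopsis reads "the "mapped-search" mapping policies" although it lists a single value; `mapping policy` is accurate. Separately, the HOST:PORT pattern `^.+:[0-9]+$` accepts any digit run as the port, so a value such as `host:99999` (constructed example) passes configuration validation and only fails when a connection is attempted; bounding the port in the regex or checking it in the factory's isConfigurationAcceptable would reject it at configuration time instead.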
New file 
@@ -0,0 +1,26 @@ user-friendly-name=LDAP Pass Through Authentication Policy user-friendly-plural-name=LDAP Pass Through Authentication Policies synopsis=An authentication policy for users whose credentials are managed by a remote LDAP directory service. description=Authentication attempts will be redirected to the remote LDAP directory service based on a combination of the criteria specified in this policy and the content of the user's entry in this directory server. constraint.1.synopsis=One or more mapped attributes must be specified when using the "mapped-bind" or "mapped-search" mapping policies. constraint.2.synopsis=One or more search base DNs must be specified when using the "mapped-search" mapping policies. property.java-class.synopsis=Specifies the fully-qualified name of the Java class which provides the LDAP Pass Through Authentication Policy implementation. property.mapped-attribute.synopsis=Specifies one or more attributes in the user's entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies. property.mapped-attribute.description=At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user's local entry in order for authentication to proceed. When multiple attributes or values are found in the user's entry then the behavior is determined by the mapping policy. property.mapped-search-base-dn.synopsis=Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy. property.mapped-search-base-dn.description=If multiple values are given, searches are performed below all specified base DNs. 
property.mapped-search-bind-dn.synopsis=Specifies the bind DN which should be used for perform user searches in the remote LDAP directory service. property.mapped-search-bind-dn.default-behavior.alias.synopsis=Searches will be performed anonymously. property.mapped-search-bind-password.synopsis=Specifies the bind password which should be used for perform user searches in the remote LDAP directory service. property.mapped-search-bind-password.default-behavior.alias.synopsis=Searches will be performed anonymously. property.mapping-policy.synopsis=Specifies the mapping algorithm for obtaining the bind DN from the user's entry. property.mapping-policy.syntax.enumeration.value.mapped-bind.synopsis=Bind to the remote LDAP directory service using a DN obtained from an attribute in the user's entry. This policy will check each attribute named in the "match-attribute" property. If more than one attribute or value is present then the first one will be used. property.mapping-policy.syntax.enumeration.value.mapped-search.synopsis=Bind to the remote LDAP directory service using the DN of an entry obtained using a search against the remote LDAP directory service. The search filter will comprise of an equality matching filter whose attribute type is the "match-attribute" property, and whose assertion value is the attribute value obtained from the user's entry. If more than one attribute or value is present then the filter will be composed of multiple equality filters combined using a logical OR (union). property.mapping-policy.syntax.enumeration.value.unmapped.synopsis=Bind to the remote LDAP directory service using the DN of the user's entry in this directory server. property.primary-remote-ldap-server.synopsis=Specifies the primary list of remote LDAP servers which should be used for pass through authentication. property.primary-remote-ldap-server.description=If more than one LDAP server is specified then operations may be distributed across them. 
If all of the primary LDAP servers are unavailable then operations will fail-over to the set of secondary LDAP servers, if defined. property.primary-remote-ldap-server.syntax.string.pattern.synopsis=A host name followed by a ":" and a port number. property.secondary-remote-ldap-server.synopsis=Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable. property.secondary-remote-ldap-server.description=If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available. property.secondary-remote-ldap-server.default-behavior.alias.synopsis=No secondary LDAP servers. property.secondary-remote-ldap-server.syntax.string.pattern.synopsis=A host name followed by a ":" and a port number. opends/src/server/org/opends/server/extensions/LDAPPassThroughAuthenticationPolicyFactory.java
New file 
@@ -0,0 +1,207 @@ /* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License, Version 1.0 only * (the "License"). You may not use this file except in compliance * with the License. * * You can obtain a copy of the license at * trunk/opends/resource/legal-notices/OpenDS.LICENSE * or https://OpenDS.dev.java.net/OpenDS.LICENSE. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable, * add the following below this CDDL HEADER, with the fields enclosed * by brackets "[]" replaced with your own identifying information: * Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END * * * Copyright 2011 ForgeRock AS. */ package org.opends.server.extensions; import java.util.List; import org.opends.messages.Message; import org.opends.server.admin.server.ConfigurationChangeListener; import org.opends.server.admin.std.server. LDAPPassThroughAuthenticationPolicyCfg; import org.opends.server.api.AuthenticationPolicy; import org.opends.server.api.AuthenticationPolicyFactory; import org.opends.server.api.AuthenticationPolicyState; import org.opends.server.config.ConfigException; import org.opends.server.types.*; /** * LDAP pass through authentication policy implementation. */ public final class LDAPPassThroughAuthenticationPolicyFactory implements AuthenticationPolicyFactory<LDAPPassThroughAuthenticationPolicyCfg> { /** * LDAP PTA policy state implementation. */ private static final class StateImpl extends AuthenticationPolicyState { private final PolicyImpl policy; private StateImpl(PolicyImpl policy) { this.policy = policy; } /** * {@inheritDoc} */ public boolean passwordMatches(ByteString password) throws DirectoryException { // TODO: perform PTA here. 
return false; } /** * {@inheritDoc} */ public AuthenticationPolicy getAuthenticationPolicy() { return policy; } /** * {@inheritDoc} */ public void finalizeStateAfterBind() throws DirectoryException { // TODO: cache password if needed. } } /** * LDAP PTA policy implementation. */ private static final class PolicyImpl extends AuthenticationPolicy implements ConfigurationChangeListener<LDAPPassThroughAuthenticationPolicyCfg> { private PolicyImpl(LDAPPassThroughAuthenticationPolicyCfg configuration) { this.configuration = configuration; } // Current configuration. private LDAPPassThroughAuthenticationPolicyCfg configuration; /** * {@inheritDoc} */ public boolean isConfigurationChangeAcceptable( LDAPPassThroughAuthenticationPolicyCfg configuration, List<Message> unacceptableReasons) { // The configuration is always valid. return true; } /** * {@inheritDoc} */ public ConfigChangeResult applyConfigurationChange( LDAPPassThroughAuthenticationPolicyCfg configuration) { // TODO: close and re-open connections if servers have changed. this.configuration = configuration; return new ConfigChangeResult(ResultCode.SUCCESS, false); } /** * {@inheritDoc} */ public DN getDN() { return configuration.dn(); } /** * {@inheritDoc} */ public AuthenticationPolicyState createAuthenticationPolicyState( Entry userEntry, long time) throws DirectoryException { return new StateImpl(this); } /** * {@inheritDoc} */ public void finalizeAuthenticationPolicy() { // TODO: release pooled connections, etc. } } /** * {@inheritDoc} */ public AuthenticationPolicy createAuthenticationPolicy( LDAPPassThroughAuthenticationPolicyCfg configuration) throws ConfigException, InitializationException { PolicyImpl policy = new PolicyImpl(configuration); configuration.addLDAPPassThroughChangeListener(policy); return policy; } /** * {@inheritDoc} */ public boolean isConfigurationAcceptable( LDAPPassThroughAuthenticationPolicyCfg configuration, List<Message> unacceptableReasons) { // The configuration is always valid. 
return true; } }
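Review bot: createAuthenticationPolicy registers the policy with `configuration.addLDAPPassThroughChangeListener(policy)`, but finalizeAuthenticationPolicy never deregisters it, so a deleted or re-created policy keeps receiving change notifications and the PolicyImpl stays reachable from the configuration object; its body should include `configuration.removeLDAPPassThroughChangeListener(this);` (the generated Cfg interfaces pair each add with a remove — confirm the exact name against the generated class). The `configuration` field is replaced in applyConfigurationChange and read in getDN, presumably from different threads, with no synchronization; declaring it `private volatile LDAPPassThroughAuthenticationPolicyCfg configuration;` makes the replacement visible to readers. passwordMatches returning false at its TODO is the right fail-closed placeholder, but isConfigurationAcceptable and isConfigurationChangeAcceptable both answer true without looking at the configuration, so a short comment such as `// Server reachability and port range are not validated here; the cfg definition only constrains property presence.` would stop the next reader from assuming those checks exist.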