Interface LdapPassThroughAuthenticationPolicyCfg

All Superinterfaces:
AuthenticationPolicyCfg, Configuration

public interface LdapPassThroughAuthenticationPolicyCfg extends AuthenticationPolicyCfg

A server-side interface for querying LDAP Pass Through Authentication Policy settings. An authentication policy for users whose credentials are managed by a remote LDAP directory service.
Method Summary

All Methods | Instance Methods | Abstract Methods

Modifier and Type / Method / Description

void addLdapPassThroughChangeListener(ConfigurationChangeListener<LdapPassThroughAuthenticationPolicyCfg> listener)
    Register to be notified when this LDAP Pass Through Authentication Policy is changed.
Class<? extends LdapPassThroughAuthenticationPolicyCfg> configurationClass()
    Gets the configuration class associated with this LDAP Pass Through Authentication Policy.
String getCachedPasswordStorageScheme()
    Gets the "cached-password-storage-scheme" property.
Dn getCachedPasswordStorageSchemeDn()
    Gets the "cached-password-storage-scheme" property as a DN.
long getCachedPasswordTtl()
    Gets the "cached-password-ttl" property.
long getConnectionTimeout()
    Gets the "connection-timeout" property.
String getJavaClass()
    Gets the "java-class" property.
SortedSet<AttributeType> getMappedAttribute()
    Gets the "mapped-attribute" property.
SortedSet<Dn> getMappedSearchBaseDn()
    Gets the "mapped-search-base-dn" property.
Dn getMappedSearchBindDn()
    Gets the "mapped-search-bind-dn" property.
String getMappedSearchBindPassword()
    Gets the "mapped-search-bind-password" property.
String getMappedSearchFilterTemplate()
    Gets the "mapped-search-filter-template" property.
LdapPassThroughAuthenticationPolicyCfgDefn.MappingPolicy getMappingPolicy()
    Gets the "mapping-policy" property.
SortedSet<com.forgerock.opendj.util.HostPort> getPrimaryRemoteLdapServer()
    Gets the "primary-remote-ldap-server" property.
SortedSet<com.forgerock.opendj.util.HostPort> getSecondaryRemoteLdapServer()
    Gets the "secondary-remote-ldap-server" property.
com.forgerock.opendj.util.Host getSourceAddress()
    Gets the "source-address" property.
SortedSet<String> getSslCipherSuite()
    Gets the "ssl-cipher-suite" property.
SortedSet<String> getSslProtocol()
    Gets the "ssl-protocol" property.
String getTrustManagerProvider()
    Gets the "trust-manager-provider" property.
Dn getTrustManagerProviderDn()
    Gets the "trust-manager-provider" property as a DN.
boolean isUsePasswordCaching()
    Gets the "use-password-caching" property.
boolean isUseSsl()
    Gets the "use-ssl" property.
boolean isUseTcpKeepAlive()
    Gets the "use-tcp-keep-alive" property.
boolean isUseTcpNoDelay()
    Gets the "use-tcp-no-delay" property.
void removeLdapPassThroughChangeListener(ConfigurationChangeListener<LdapPassThroughAuthenticationPolicyCfg> listener)
    Deregister an existing LDAP Pass Through Authentication Policy configuration change listener.
Methods inherited from interface org.forgerock.opendj.server.config.server.AuthenticationPolicyCfg
addChangeListener, removeChangeListener

Methods inherited from interface org.forgerock.opendj.config.Configuration
dn, name

Method Detail
configurationClass
Class<? extends LdapPassThroughAuthenticationPolicyCfg> configurationClass()
Gets the configuration class associated with this LDAP Pass Through Authentication Policy.
Specified by: configurationClass in interface AuthenticationPolicyCfg
Specified by: configurationClass in interface Configuration
Returns: the configuration class associated with this LDAP Pass Through Authentication Policy.
addLdapPassThroughChangeListener
void addLdapPassThroughChangeListener(ConfigurationChangeListener<LdapPassThroughAuthenticationPolicyCfg> listener)
Register to be notified when this LDAP Pass Through Authentication Policy is changed.
Parameters: listener - the LDAP Pass Through Authentication Policy configuration change listener.
removeLdapPassThroughChangeListener
void removeLdapPassThroughChangeListener(ConfigurationChangeListener<LdapPassThroughAuthenticationPolicyCfg> listener)
Deregister an existing LDAP Pass Through Authentication Policy configuration change listener.
Parameters: listener - the LDAP Pass Through Authentication Policy configuration change listener.
getCachedPasswordStorageScheme
String getCachedPasswordStorageScheme()
Gets the "cached-password-storage-scheme" property. Specifies the name of a password storage scheme which should be used for encoding cached passwords.
Changing the password storage scheme will cause all existing cached passwords to be discarded.
Default value: undefined
Returns: the value of the "cached-password-storage-scheme" property.
getCachedPasswordStorageSchemeDn
Dn getCachedPasswordStorageSchemeDn()
Gets the "cached-password-storage-scheme" property as a DN. Specifies the name of a password storage scheme which should be used for encoding cached passwords.
Changing the password storage scheme will cause all existing cached passwords to be discarded.
Returns: the DN value of the "cached-password-storage-scheme" property.
getCachedPasswordTtl
long getCachedPasswordTtl()
Gets the "cached-password-ttl" property. Specifies the maximum length of time that a locally cached password may be used for authentication before it is refreshed from the remote LDAP service.
This property represents a cache timeout. Increasing the timeout period decreases the frequency with which bind operations are delegated to the remote LDAP service, but increases the risk of users authenticating with stale passwords. Note that authentication attempts which fail because the provided password does not match the locally cached password will always be retried against the remote LDAP service.
Default value: 8 hours
Returns: the value of the "cached-password-ttl" property.
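The interaction between use-password-caching, cached-password-ttl and cached-password-storage-scheme described above, as an added example that is not part of this page or of the OpenDJ code base. It simulates the remote directory with an in-memory dictionary, uses PBKDF2-SHA256 and salted SHA-1 as stand-ins for the server's storage schemes, and stores the cache under a made-up attribute name `cachedPassword`; none of these names come from the page. It shows the bind that is served from the cache, the mismatch that is always retried remotely, the TTL expiry, the window in which a password changed on the remote still authenticates locally, and the cache being discarded when the scheme changes.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for the remote LDAP directory service: bind DN -> password.
# A real policy sends a BIND to the configured primary/secondary remote servers.
_REMOTE_PASSWORDS = {
    "uid=alice,ou=people,dc=remote,dc=example": "correct horse battery",
}


def set_remote_password(bind_dn, password):
    """Simulate a password change made on the remote directory."""
    _REMOTE_PASSWORDS[bind_dn] = password


def remote_bind(bind_dn, password):
    """Delegate the bind to the simulated remote service."""
    return _REMOTE_PASSWORDS.get(bind_dn) == password


class PassThroughUser:
    """One local user entry under a pass-through policy. Models
    use-password-caching, cached-password-ttl (in seconds) and
    cached-password-storage-scheme. 'cachedPassword' is this example's own
    attribute name, not the server's."""

    def __init__(self, bind_dn, use_password_caching=False,
                 cached_password_ttl=8 * 3600, storage_scheme="PBKDF2-SHA256"):
        self.bind_dn = bind_dn
        self.use_password_caching = use_password_caching
        self.ttl = cached_password_ttl
        self.scheme = storage_scheme
        self.entry = {}          # the local entry; holds the cached password
        self.remote_binds = 0    # how often the bind was delegated remotely

    def _encode(self, password, salt):
        # Two stand-in storage schemes; a real server uses the configured one.
        if self.scheme == "PBKDF2-SHA256":
            return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        if self.scheme == "SSHA":
            return hashlib.sha1(password.encode() + salt).digest()
        raise ValueError("unknown storage scheme: %s" % self.scheme)

    def set_storage_scheme(self, scheme):
        """Changing the scheme discards every existing cached password."""
        self.scheme = scheme
        self.entry.pop("cachedPassword", None)

    def _cache_hit(self, password, now):
        cached = self.entry.get("cachedPassword")
        if cached is None:
            return False
        scheme, salt, digest, stored_at = cached
        if scheme != self.scheme or now - stored_at > self.ttl:
            return False   # encoded under another scheme, or past the TTL
        return hmac.compare_digest(self._encode(password, salt), digest)

    def bind(self, password, now=None):
        now = time.time() if now is None else now
        if self.use_password_caching and self._cache_hit(password, now):
            return True    # served locally; no remote round trip
        # Cache disabled, empty, expired, or the password did not match the
        # cached one: always retry against the remote service.
        self.remote_binds += 1
        ok = remote_bind(self.bind_dn, password)
        if ok and self.use_password_caching:
            salt = os.urandom(16)
            self.entry["cachedPassword"] = (self.scheme, salt,
                                            self._encode(password, salt), now)
        return ok
```

The `remote_binds` counter makes the trade-off visible: with caching on, a correct password costs one remote round trip per TTL, while a password changed remotely keeps its old value working locally until the cached copy expires or a bind with the new password replaces it.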
getConnectionTimeout
long getConnectionTimeout()
Gets the "connection-timeout" property. Specifies the timeout used when connecting to remote LDAP directory servers, performing SSL negotiation, and for individual search and bind requests.
If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available.
Default value: 3 seconds
Returns: the value of the "connection-timeout" property.
getJavaClass
String getJavaClass()
Gets the "java-class" property. Specifies the fully-qualified name of the Java class which provides the LDAP Pass Through Authentication Policy implementation.
Default value: org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory
Specified by: getJavaClass in interface AuthenticationPolicyCfg
Returns: the value of the "java-class" property.
getMappedAttribute
SortedSet<AttributeType> getMappedAttribute()
Gets the "mapped-attribute" property. Specifies one or more attributes in the user's entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies.
At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user's local entry in order for authentication to proceed. When multiple attributes or values are found in the user's entry then the behavior is determined by the mapping policy.
Default value: undefined
Returns: an unmodifiable set containing the values of the "mapped-attribute" property.
getMappedSearchBaseDn
SortedSet<Dn> getMappedSearchBaseDn()
Gets the "mapped-search-base-dn" property. Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy.
If multiple values are given, searches are performed below all specified base DNs.
Default value: undefined
Returns: an unmodifiable set containing the values of the "mapped-search-base-dn" property.
getMappedSearchBindDn
Dn getMappedSearchBindDn()
Gets the "mapped-search-bind-dn" property. Specifies the bind DN which should be used to perform user searches in the remote LDAP directory service.
Returns: the value of the "mapped-search-bind-dn" property.
getMappedSearchBindPassword
String getMappedSearchBindPassword()
Gets the "mapped-search-bind-password" property. Specifies the bind password which should be used to perform user searches in the remote LDAP directory service. This account only needs to read entries below the mapped search base DNs, so use a dedicated, least-privileged account for it rather than an administrative one.
Default value: undefined
Returns: the value of the "mapped-search-bind-password" property.
getMappedSearchFilterTemplate
String getMappedSearchFilterTemplate()
Gets the "mapped-search-filter-template" property. If defined, overrides the filter used when searching for the user, substituting %s with the value of the local entry's "mapped-attribute".
The filter template may include ZERO or ONE %s substitutions. If multiple mapped-attributes are configured, multiple renditions of this template will be aggregated into one larger filter using an OR (|) operator. An example use-case for this property would be to use a different attribute type on the mapped search. For example, mapped-attribute could be set to "uid" and filter-template to "(samAccountName=%s)". You can also use the filter to restrict search results, for example "(&(uid=%s)(objectclass=student))".
Default value: undefined
Returns: the value of the "mapped-search-filter-template" property.
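How the template expansion described above produces the remote search filter, as an added example written for this page rather than code from OpenDJ. The default filter used when no template is configured is assumed to be `(attribute=value)` for each mapped value; the page does not spell it out. The example also escapes each substituted value per RFC 4515 before it enters the filter, because a mapped-attribute value is data taken from the local entry and must not be able to change the filter's structure; the page does not describe how the server itself handles this, so treat the escaping as the example's own choice.

```python
def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    Without escaping, a mapped-attribute value such as '*)(uid=admin' taken
    from the local entry would change the meaning of the search filter."""
    escaped = []
    for ch in value:
        if ch in '*()\\\x00':
            escaped.append('\\%02x' % ord(ch))
        else:
            escaped.append(ch)
    return ''.join(escaped)


def build_mapped_search_filter(mapped_values, filter_template=None):
    """Build the filter for a mapped-search lookup on the remote directory.

    mapped_values: (attribute, value) pairs found in the local entry for the
        configured mapped-attribute types.
    filter_template: the mapped-search-filter-template, or None when the
        property is undefined.
    """
    if not mapped_values:
        # At least one mapped attribute must exist in the local entry.
        raise ValueError('no mapped-attribute value found in the local entry')
    if filter_template is not None and filter_template.count('%s') > 1:
        raise ValueError('mapped-search-filter-template allows at most one %s')
    if filter_template is not None and '%s' not in filter_template:
        # Zero substitutions: every rendition is identical, so use it once.
        return filter_template
    clauses = []
    for attr, raw in mapped_values:
        value = escape_filter_value(raw)
        if filter_template is None:
            # Assumed default when no template is configured: attr=value.
            clauses.append('(%s=%s)' % (attr, value))
        else:
            clauses.append(filter_template.replace('%s', value))
    if len(clauses) == 1:
        return clauses[0]
    return '(|' + ''.join(clauses) + ')'   # aggregate renditions with OR
```

With mapped-attribute set to both uid and mail and the template `(&(uid=%s)(objectclass=student))`, the two renditions are wrapped in a single `(|...)`; a value like `*)(uid=admin` comes out as `\2a\29\28uid=admin` and matches nothing instead of widening the search.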
getMappingPolicy
LdapPassThroughAuthenticationPolicyCfgDefn.MappingPolicy getMappingPolicy()
Gets the "mapping-policy" property. Specifies the mapping algorithm for obtaining the bind DN from the user's entry.
Default value: unmapped
Returns: the value of the "mapping-policy" property.
getPrimaryRemoteLdapServer
SortedSet<com.forgerock.opendj.util.HostPort> getPrimaryRemoteLdapServer()
Gets the "primary-remote-ldap-server" property. Specifies the primary list of remote LDAP servers which should be used for pass through authentication.
If more than one LDAP server is specified then operations may be distributed across them. If all of the primary LDAP servers are unavailable then operations will fail over to the set of secondary LDAP servers, if defined. When using an IPv6 address as the hostname, put brackets around the address as in "[IPv6Address]:port".
Returns: an unmodifiable set containing the values of the "primary-remote-ldap-server" property.
getSecondaryRemoteLdapServer
SortedSet<com.forgerock.opendj.util.HostPort> getSecondaryRemoteLdapServer()
Gets the "secondary-remote-ldap-server" property. Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable.
If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available. When using an IPv6 address as the hostname, put brackets around the address as in "[IPv6Address]:port".
Returns: an unmodifiable set containing the values of the "secondary-remote-ldap-server" property.
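The host:port syntax, the connection-timeout retry rule and the primary/secondary fail-over order from the three entries above, as an added example that is not code from this page or from OpenDJ. The parser accepts `host:port` and the bracketed `[IPv6Address]:port` form; the pool tries every primary before any secondary on each operation, so traffic returns to a primary as soon as one responds again. Rotating the starting primary (round robin) is this example's assumption about "operations may be distributed across them", and the default port 389 is likewise assumed. The operation callback and the server availability set are constructed for the test; a real caller would open a socket with the timeout.

```python
import itertools


def parse_host_port(value, default_port=389):
    """Parse 'host:port' or '[ipv6]:port' as written in the *-remote-ldap-server
    properties. Returns (host, port); the default port is this example's choice."""
    if value.startswith('['):
        end = value.find(']')
        if end < 0:
            raise ValueError('unterminated IPv6 literal: %r' % value)
        host, rest = value[1:end], value[end + 1:]
        if rest == '':
            return host, default_port
        if not rest.startswith(':'):
            raise ValueError('expected :port after ]: %r' % value)
        return host, int(rest[1:])
    if value.count(':') > 1:
        raise ValueError('bare IPv6 address must be bracketed: %r' % value)
    host, sep, port = value.partition(':')
    return host, (int(port) if sep else default_port)


class RemoteServerPool:
    """Primary and secondary remote LDAP servers with connection-timeout."""

    def __init__(self, primary, secondary=(), connection_timeout=3.0):
        self.primary = [parse_host_port(s) for s in primary]
        self.secondary = [parse_host_port(s) for s in secondary]
        self.timeout = connection_timeout
        # Round-robin start index across primaries (assumed distribution policy).
        self._rr = itertools.cycle(range(len(self.primary))) if self.primary else None

    def _ordered_candidates(self):
        if self.primary:
            start = next(self._rr)
            yield from self.primary[start:] + self.primary[:start]
        yield from self.secondary   # only reached when every primary failed

    def perform(self, operation):
        """Run operation(host, port, timeout) against the first server that answers.

        The callback returns a result or raises TimeoutError / ConnectionError,
        in which case the operation is aborted and retried on the next server.
        Primaries are ordered before secondaries on every call, so operations
        move back to a primary as soon as one is reachable again."""
        failures = []
        for host, port in self._ordered_candidates():
            try:
                return operation(host, port, self.timeout)
            except (TimeoutError, ConnectionError) as exc:
                failures.append((host, port, repr(exc)))
        raise ConnectionError('all remote LDAP servers failed: %r' % failures)
```

If every primary and every secondary fails, the pool raises rather than returning a result, which is the outcome a bind should have when the remote service cannot be reached; nothing on the local side should authenticate the user in that case unless a valid cached password exists.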
getSourceAddress
com.forgerock.opendj.util.Host getSourceAddress()
Gets the "source-address" property. If specified, the server will bind to this address before connecting to the remote server.
The address must be one assigned to an existing network interface.
Returns: the value of the "source-address" property.
getSslCipherSuite
SortedSet<String> getSslCipherSuite()
Gets the "ssl-cipher-suite" property. Specifies the names of the SSL cipher suites that are allowed for use in SSL-based LDAP connections.
Returns: an unmodifiable set containing the values of the "ssl-cipher-suite" property.
getSslProtocol
SortedSet<String> getSslProtocol()
Gets the "ssl-protocol" property. Specifies the names of the SSL protocols which are allowed for use in SSL-based LDAP connections.
Returns: an unmodifiable set containing the values of the "ssl-protocol" property.
getTrustManagerProvider
String getTrustManagerProvider()
Gets the "trust-manager-provider" property. Specifies the name of the trust manager that should be used when negotiating SSL connections with remote LDAP directory servers.
Returns: the value of the "trust-manager-provider" property.
getTrustManagerProviderDn
Dn getTrustManagerProviderDn()
Gets the "trust-manager-provider" property as a DN. Specifies the name of the trust manager that should be used when negotiating SSL connections with remote LDAP directory servers.
Returns: the DN value of the "trust-manager-provider" property.
isUsePasswordCaching
boolean isUsePasswordCaching()
Gets the "use-password-caching" property. Indicates whether passwords should be cached locally within the user's entry.
Default value: false
Returns: the value of the "use-password-caching" property.
isUseSsl
boolean isUseSsl()
Gets the "use-ssl" property. Indicates whether the LDAP Pass Through Authentication Policy should use SSL.
If enabled, the LDAP Pass Through Authentication Policy will use SSL to encrypt communication with the remote LDAP directory servers. Because user passwords are forwarded over these connections, enable it whenever the remote servers support it, and pair it with a "trust-manager-provider" so that the remote servers' certificates are verified during the handshake.
Default value: false
Returns: the value of the "use-ssl" property.
isUseTcpKeepAlive
boolean isUseTcpKeepAlive()
Gets the "use-tcp-keep-alive" property. Indicates whether LDAP connections should use TCP keep-alive.
If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the remote LDAP server to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.
Default value: true
Returns: the value of the "use-tcp-keep-alive" property.
isUseTcpNoDelay
boolean isUseTcpNoDelay()
Gets the "use-tcp-no-delay" property. Indicates whether LDAP connections should use TCP no-delay.
If enabled, the TCP_NODELAY socket option is used to ensure that messages to the remote LDAP server are sent immediately rather than potentially waiting to determine whether additional messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help in some cases where a large volume of data is sent over a single connection.
Default value: true
Returns: the value of the "use-tcp-no-delay" property.