Package org.opends.server.core
Class BindOperation
- java.lang.Object
-
- org.opends.server.types.Operation
-
- org.opends.server.core.BindOperation
-
- All Implemented Interfaces:
Runnable
,PluginOperation
,PostCommitOperation
,PostOperationBindOperation
,PostOperationOperation
,PostResponseBindOperation
,PostResponseOperation
,PreOperationBindOperation
,PreOperationOperation
,PreParseBindOperation
,PreParseOperation
public final class BindOperation extends Operation implements PreOperationBindOperation, PreParseBindOperation, PostOperationBindOperation, PostResponseBindOperation
This class defines an operation that may be used to authenticate a user to the Directory Server. Note that for security restrictions, response messages that may be returned to the client must be carefully cleaned to ensure that they do not provide a malicious client with information that may be useful in an attack. This does impact the debuggability of the server, but that can be addressed by calling thesetAuthFailureReason(LocalizableMessage)
method, which can provide a reason for a failure in a form that will not be returned to the client but may be written to a log file.
-
-
Field Summary
-
Fields inherited from class org.opends.server.types.Operation
requestContext
-
-
Constructor Summary
Constructors Constructor Description BindOperation(org.forgerock.services.context.Context context, BindRequest request)
Creates a new bind operation with the provided information.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description void
addResponseControl(Control control)
Adds the provided control to the set of controls to include in the response to the client.AuthenticationType
getAuthenticationType()
Retrieves the authentication type for this bind operation.LocalizableMessage
getAuthFailureReason()
Retrieves a human-readable message providing the reason that the authentication failed, if available.Dn
getBindDN()
Retrieves the bind DN for this bind operation.OperationType
getOperationType()
Retrieves the operation type for this operation.Dn
getProxiedAuthorizationDN()
Retrieves the proxied authorization DN for this operation if proxied authorization has been requested.List<Control>
getResponseControls()
Retrieves the set of controls to include in the response to the client.Entry
getSASLAuthUserEntry()
Retrieves the user entry associated with the SASL authentication attempt.ByteString
getSASLCredentials()
Retrieves the SASL credentials for this bind operation.String
getSASLMechanism()
Retrieves the SASL mechanism for this bind operation.SaslServer
getSaslServer()
Returns theSaslServer
to use by the underlying connection, ornull
if SASL integrity and/or privacy protection must not be enabled.ByteString
getServerSASLCredentials()
Retrieves the set of server SASL credentials to include in the bind response.ByteString
getSimplePassword()
Retrieves the simple authentication password for this bind operation.Dn
getUserEntryDN()
Retrieves the user entry DN for this bind operation.void
removeResponseControl(Control control)
Removes the provided control from the set of controls to include in the response to the client.protected void
run0()
Performs the work of actually processing this operation.static void
runFakePasswordMatches(Dn bindDn, ByteString password)
When using cost based hashes, ensure similar response times when login with non-existing vs.void
setAuthenticationInfo(AuthenticationInfo authInfo)
Specifies the authentication info that resulted from processing this bind operation.void
setAuthFailureReason(LocalizableMessage reason)
Specifies the reason that the authentication failed.void
setBindDN(Dn bindDN)
Specifies the bind DN for this bind operation.void
setProxiedAuthorizationDN(Dn proxiedAuthorizationDN)
Set the proxied authorization DN for this operation if proxied authorization has been requested.void
setSASLAuthUserEntry(Entry saslAuthUserEntry)
Specifies the user entry associated with the SASL authentication attempt.void
setSASLCredentials(String saslMechanism, ByteString saslCredentials)
Specifies the SASL credentials for this bind operation.void
setSaslServer(SaslServer saslServer)
Sets the SASL server.void
setServerSASLCredentials(ByteString serverSASLCredentials)
Specifies the set of server SASL credentials to include in the bind response.void
setSimplePassword(ByteString simplePassword)
Specifies the simple authentication password for this bind operation.void
toString(StringBuilder buffer)
Appends a string representation of this operation to the provided buffer.-
Methods inherited from class org.opends.server.types.Operation
addAdditionalLogItem, addPasswordPolicyWarningToLog, addPostReadResponse, addPreReadResponse, addRequestControl, appendErrorMessage, appendMaskedErrorMessage, checkAttributeConformsToSyntax, checkIfBackendIsWritable, checkIfCanceled, createLdapException, disconnectClient, dontSynchronize, equals, evaluateProxyAuthControls, filterNonDisclosableMatchedDN, getAdditionalLogItems, getAttachment, getAttachments, getAuthorizationDN, getAuthorizationEntry, getClientConnection, getConnectionID, getContext, getErrorMessage, getLargestEntrySize, getLocalBackend, getMatchedDN, getMessageID, getOperationID, getReferralURLs, getRequestControl, getRequestControls, getResultCode, getServerContext, hashCode, hasPrivilege, hasRequestControl, invokePostResponseCallbacks, isInnerOperation, isInternalOperation, isProxyAuthzControl, isSynchronizationOperation, mustCheckSchema, operationCompleted, processOperationResult, processOperationResult, registerPostResponseCallback, removeAllDisallowedControls, removeAttachment, run, setAttachment, setAttachments, setAuthorizationEntry, setDontSynchronize, setErrorMessage, setInnerOperation, setInternalOperation, setMatchedDN, setReferralURLs, setResult, setResult, setResultCode, setResultCodeAndMessageNoInfoDisclosure, setSynchronizationOperation, toString, trySetLargestEntrySize
-
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
-
Methods inherited from interface org.opends.server.types.operation.PluginOperation
checkIfCanceled, disconnectClient, getAttachment, getAttachments, getClientConnection, getConnectionID, getMessageID, getOperationID, getRequestControl, getRequestControl, getRequestControls, isInternalOperation, isSynchronizationOperation, removeAttachment, setAttachment, toString
-
Methods inherited from interface org.opends.server.types.operation.PostOperationOperation
addAdditionalLogItem, appendErrorMessage, getAdditionalLogItems, getAuthorizationDN, getErrorMessage, getMatchedDN, getReferralURLs, getResultCode, setErrorMessage, setMatchedDN, setReferralURLs, setResult, setResultCode
-
Methods inherited from interface org.opends.server.types.operation.PreOperationOperation
addAdditionalLogItem, appendErrorMessage, getAdditionalLogItems, getAuthorizationDN, getErrorMessage, setErrorMessage
-
Methods inherited from interface org.opends.server.types.operation.PreParseOperation
addAdditionalLogItem, addRequestControl, appendErrorMessage, getAdditionalLogItems, getErrorMessage, setErrorMessage
-
-
-
-
Constructor Detail
-
BindOperation
public BindOperation(org.forgerock.services.context.Context context, BindRequest request)
Creates a new bind operation with the provided information.- Parameters:
context
- The context with which this operation is associated.request
- The bind request.
-
-
Method Detail
-
getProxiedAuthorizationDN
public Dn getProxiedAuthorizationDN()
Description copied from class:Operation
Retrieves the proxied authorization DN for this operation if proxied authorization has been requested.- Specified by:
getProxiedAuthorizationDN
in classOperation
- Returns:
- The proxied authorization DN for this operation if proxied authorization has been requested, or
null
if proxied authorization has not been requested.
-
setProxiedAuthorizationDN
public void setProxiedAuthorizationDN(Dn proxiedAuthorizationDN)
Description copied from class:Operation
Set the proxied authorization DN for this operation if proxied authorization has been requested.- Specified by:
setProxiedAuthorizationDN
in classOperation
- Parameters:
proxiedAuthorizationDN
- The proxied authorization DN for this operation if proxied authorization has been requested, ornull
if proxied authorization has not been requested.
-
getAuthenticationType
public AuthenticationType getAuthenticationType()
Description copied from interface:PreOperationBindOperation
Retrieves the authentication type for this bind operation.- Specified by:
getAuthenticationType
in interfacePostOperationBindOperation
- Specified by:
getAuthenticationType
in interfacePostResponseBindOperation
- Specified by:
getAuthenticationType
in interfacePreOperationBindOperation
- Specified by:
getAuthenticationType
in interfacePreParseBindOperation
- Returns:
- The authentication type for this bind operation.
-
setBindDN
public void setBindDN(Dn bindDN)
Description copied from interface:PreParseBindOperation
Specifies the bind DN for this bind operation.- Specified by:
setBindDN
in interfacePreParseBindOperation
- Parameters:
bindDN
- The bind DN for this bind
-
getBindDN
public Dn getBindDN()
Description copied from interface:PreOperationBindOperation
Retrieves the bind DN for this bind operation.- Specified by:
getBindDN
in interfacePostOperationBindOperation
- Specified by:
getBindDN
in interfacePostResponseBindOperation
- Specified by:
getBindDN
in interfacePreOperationBindOperation
- Specified by:
getBindDN
in interfacePreParseBindOperation
- Returns:
- The bind DN for this bind operation.
-
getSimplePassword
public ByteString getSimplePassword()
Description copied from interface:PreOperationBindOperation
Retrieves the simple authentication password for this bind operation.- Specified by:
getSimplePassword
in interfacePostOperationBindOperation
- Specified by:
getSimplePassword
in interfacePostResponseBindOperation
- Specified by:
getSimplePassword
in interfacePreOperationBindOperation
- Specified by:
getSimplePassword
in interfacePreParseBindOperation
- Returns:
- The simple authentication password for this bind operation.
-
setSimplePassword
public void setSimplePassword(ByteString simplePassword)
Description copied from interface:PreParseBindOperation
Specifies the simple authentication password for this bind operation.- Specified by:
setSimplePassword
in interfacePreParseBindOperation
- Parameters:
simplePassword
- The simple authentication password for this bind operation.
-
getSASLMechanism
public String getSASLMechanism()
Description copied from interface:PreOperationBindOperation
Retrieves the SASL mechanism for this bind operation.- Specified by:
getSASLMechanism
in interfacePostOperationBindOperation
- Specified by:
getSASLMechanism
in interfacePostResponseBindOperation
- Specified by:
getSASLMechanism
in interfacePreOperationBindOperation
- Specified by:
getSASLMechanism
in interfacePreParseBindOperation
- Returns:
- The SASL mechanism for this bind operation, or
null
if the bind does not use SASL authentication.
-
getSASLCredentials
public ByteString getSASLCredentials()
Description copied from interface:PreOperationBindOperation
Retrieves the SASL credentials for this bind operation.- Specified by:
getSASLCredentials
in interfacePostOperationBindOperation
- Specified by:
getSASLCredentials
in interfacePostResponseBindOperation
- Specified by:
getSASLCredentials
in interfacePreOperationBindOperation
- Specified by:
getSASLCredentials
in interfacePreParseBindOperation
- Returns:
- The SASL credentials for this bind operation, or
null
if there are none or if the bind does not use SASL authentication.
-
setSASLCredentials
public void setSASLCredentials(String saslMechanism, ByteString saslCredentials)
Description copied from interface:PreParseBindOperation
Specifies the SASL credentials for this bind operation.- Specified by:
setSASLCredentials
in interfacePreParseBindOperation
- Parameters:
saslMechanism
- The SASL mechanism for this bind operation.saslCredentials
- The SASL credentials for this bind operation, ornull
if there are none.
-
getServerSASLCredentials
public ByteString getServerSASLCredentials()
Description copied from interface:PostOperationBindOperation
Retrieves the set of server SASL credentials to include in the bind response.- Specified by:
getServerSASLCredentials
in interfacePostOperationBindOperation
- Specified by:
getServerSASLCredentials
in interfacePostResponseBindOperation
- Returns:
- The set of server SASL credentials to include in the bind response, or
null
if there are none.
-
setServerSASLCredentials
public void setServerSASLCredentials(ByteString serverSASLCredentials)
Description copied from interface:PreOperationBindOperation
Specifies the set of server SASL credentials to include in the bind response.- Specified by:
setServerSASLCredentials
in interfacePostOperationBindOperation
- Specified by:
setServerSASLCredentials
in interfacePreOperationBindOperation
- Specified by:
setServerSASLCredentials
in interfacePreParseBindOperation
- Parameters:
serverSASLCredentials
- The set of server SASL credentials to include in the bind response.
-
getSASLAuthUserEntry
public Entry getSASLAuthUserEntry()
Description copied from interface:PostOperationBindOperation
Retrieves the user entry associated with the SASL authentication attempt. This should be set by any SASL mechanism in which the processing was able to get far enough to make this determination, regardless of whether the authentication was ultimately successful.- Specified by:
getSASLAuthUserEntry
in interfacePostOperationBindOperation
- Specified by:
getSASLAuthUserEntry
in interfacePostResponseBindOperation
- Returns:
- The user entry associated with the SASL authentication attempt, or
null
if it was not a SASL authentication or the SASL processing was not able to map the request to a user.
-
setSASLAuthUserEntry
public void setSASLAuthUserEntry(Entry saslAuthUserEntry)
Specifies the user entry associated with the SASL authentication attempt. This should be set by any SASL mechanism in which the processing was able to get far enough to make this determination, regardless of whether the authentication was ultimately successful.- Parameters:
saslAuthUserEntry
- The user entry associated with the SASL authentication attempt.
-
getAuthFailureReason
public LocalizableMessage getAuthFailureReason()
Description copied from interface:PostOperationBindOperation
Retrieves a human-readable message providing the reason that the authentication failed, if available.- Specified by:
getAuthFailureReason
in interfacePostOperationBindOperation
- Specified by:
getAuthFailureReason
in interfacePostResponseBindOperation
- Returns:
- A human-readable message providing the reason that the authentication failed, or
null
if none is available.
-
setAuthFailureReason
public void setAuthFailureReason(LocalizableMessage reason)
Description copied from interface:PreOperationBindOperation
Specifies the reason that the authentication failed.- Specified by:
setAuthFailureReason
in interfacePostOperationBindOperation
- Specified by:
setAuthFailureReason
in interfacePreOperationBindOperation
- Specified by:
setAuthFailureReason
in interfacePreParseBindOperation
- Parameters:
reason
- A human-readable message providing the reason that the authentication failed.
-
getUserEntryDN
public Dn getUserEntryDN()
Description copied from interface:PreOperationBindOperation
Retrieves the user entry DN for this bind operation. It will only be available for simple bind operations (and may be different than the bind DN from the client request).- Specified by:
getUserEntryDN
in interfacePostOperationBindOperation
- Specified by:
getUserEntryDN
in interfacePostResponseBindOperation
- Specified by:
getUserEntryDN
in interfacePreOperationBindOperation
- Returns:
- The user entry DN for this bind operation, or
null
if the bind processing has not progressed far enough to identify the user or if the user DN could not be determined.
-
setAuthenticationInfo
public void setAuthenticationInfo(AuthenticationInfo authInfo)
Specifies the authentication info that resulted from processing this bind operation. This method must only be called by SASL mechanism handlers during the course of processing theprocessSASLBind
method.- Parameters:
authInfo
- The authentication info that resulted from processing this bind operation.
-
getOperationType
public OperationType getOperationType()
Description copied from interface:PluginOperation
Retrieves the operation type for this operation.- Specified by:
getOperationType
in interfacePluginOperation
- Returns:
- The operation type for this operation.
-
getResponseControls
public List<Control> getResponseControls()
Description copied from interface:PluginOperation
Retrieves the set of controls to include in the response to the client. The contents of this list must not be altered.- Specified by:
getResponseControls
in interfacePluginOperation
- Returns:
- The set of controls to include in the response to the client.
-
addResponseControl
public void addResponseControl(Control control)
Description copied from class:Operation
Adds the provided control to the set of controls to include in the response to the client.This method may not be called by post-response plugins.
- Specified by:
addResponseControl
in interfacePostOperationOperation
- Specified by:
addResponseControl
in interfacePreOperationOperation
- Specified by:
addResponseControl
in interfacePreParseOperation
- Specified by:
addResponseControl
in classOperation
- Parameters:
control
- The control to add to the set of controls to include in the response to the client.
-
removeResponseControl
public void removeResponseControl(Control control)
Description copied from class:Operation
Removes the provided control from the set of controls to include in the response to the client.This method may not be called by post-response plugins.
- Specified by:
removeResponseControl
in interfacePostOperationOperation
- Specified by:
removeResponseControl
in interfacePreOperationOperation
- Specified by:
removeResponseControl
in interfacePreParseOperation
- Specified by:
removeResponseControl
in classOperation
- Parameters:
control
- The control to remove from the set of controls to include in the response to the client.
-
toString
public void toString(StringBuilder buffer)
Description copied from interface:PluginOperation
Appends a string representation of this operation to the provided buffer.- Specified by:
toString
in interfacePluginOperation
- Specified by:
toString
in classOperation
- Parameters:
buffer
- The buffer into which a string representation of this operation should be appended.
-
run0
protected void run0()
Description copied from class:Operation
Performs the work of actually processing this operation.
-
getSaslServer
public SaslServer getSaslServer()
Returns theSaslServer
to use by the underlying connection, ornull
if SASL integrity and/or privacy protection must not be enabled.- Returns:
- The
SaslServer
to use by the underlying connection, ornull
if SASL integrity and/or privacy protection must not enabled.
-
setSaslServer
public void setSaslServer(SaslServer saslServer)
Sets the SASL server.- Parameters:
saslServer
- the SASL server to set
-
runFakePasswordMatches
public static void runFakePasswordMatches(Dn bindDn, ByteString password) throws LdapException
When using cost based hashes, ensure similar response times when login with non-existing vs. existing users, this also applies to other failure conditions.- Parameters:
bindDn
- the bind DNpassword
- the bind password- Throws:
LdapException
- If a problem occurs while attempting to encode the password.
-
-