org.hsqldb.auth
Class LdapAuthBean

java.lang.Object
  org.hsqldb.auth.LdapAuthBean

All Implemented Interfaces:

AuthFunctionBean

public class LdapAuthBean
extends Object
implements AuthFunctionBean

Authenticates to a HyperSQL catalog according to entries in a LDAP database. If using LDAP StartTLS and your server has a certificate not trusted by default by your JRE, then set system property 'javax.net.ssl.trustStore' to the path to a trust store containing the cert (as well as any other certs that your app needs for other purposes).

This class with authenticate login attempts against LDAP entries with RDN of the HyperSQL account name (the precise attribute name defaults to 'uid', but you may change that).

This class purposefully does not support LDAPS, because LDAPS is deprecated in favor of StartTLS, which we do support. If you need to support LDAPS and are using SE 1.6, use our JaasAuthBean with Sun's LdapLoginModule.

This class does not support SASL/External authentication, because the work involved with securely obtaining user-specific certs would be more complex than everything else here combined. Another AuthFunctionBean would have to be written if SASL/External is needed.

To use instances of this class, you must use at least the methods setLdapHost, setParentDn, initialize, plus rolesSchemaAttribute and/or accessAttribute.

For a user to be given HyperSQL catalog access, that user must either have a value for accessAttribute if that property is set (optionally requiring a match with accessValuePattern); or, if the accessAttribute is not set then must have some (any) value for rolesSchemaAttribute (optionally requiring a match with roleSchemaValuePattern). Consequently, if you have set both accessAttribute and rolesSchemaAttribute, the latter attribute will only be consulted if the check of the former attribute succeeds.

If you want roles assigned according to the local HyperSQL database instead of according to LDAP, then set accessAttribute but not rolesSchemaAttribute.

If what is wanted is to grant access but with no roles (overriding local roles if there are any), then set both accessAttribute and rolesSchemaAttribute, but do not set any rolesSchemaAttribute attribute values for these no-role users. (I hesitate to mention it, but you could accomplish the same thing with only a rolesSchemaAttribute attribute, by setting only a dummy role/schema value for non-role users, because HyperSQL will ignore unknown roles or schemas but still give access since a list was still supplied).

Since:

2.0.1

Author:

Blaine Simpson (blaine dot simpson at admc dot com)

See Also:

AuthFunctionBean, setLdapHost(String), setParentDn(String), init()

Constructor Summary

LdapAuthBean()

Method Summary

String[]	authenticate(String userName, String password) Return a list of authorized roles or null to indicate that the implementation does not intend to produce a specific role list but only to indicate whether to allow access or not.
void	init()
static void	main(String[] sa) Run this method to try and test configuration settings for LdapAuthBeans, or to troubleshoot.
void	setAccessAttribute(String attribute) Set the attribute name of the RDN + parentDn entries which will be consulted to decide whether the user can access the HyperSQL database.
void	setAccessValuePattern(Pattern accessValuePattern) Assign a pattern to detect honored accessAttribute values.
void	setAccessValuePatternString(String patternString) String wrapper for method setAccessValuePattern(Pattern) Use the (x?) Pattern constructs to set options.
void	setInitialContextFactory(String initialContextFactory) Most users should not call this, and will get the default of "com.sun.jndi.ldap.LdapCtxFactory".
void	setLdapHost(String ldapHost) Do not specify URL scheme ("ldap:") because that is implied.
void	setLdapPort(int ldapPort)
void	setParentDn(String parentDn) Set DN which is parent of the user DNs.
void	setPrincipalTemplate(String principalTemplate) A template String containing place-holder token '${username}'.
void	setRdnAttribute(String rdnAttribute) rdnAttribute must hold the user name exactly as the HyperSQL login will be made with.
void	setRoleSchemaValuePattern(Pattern roleSchemaValuePattern) Assign a pattern to both detect honored values, and to map from a single value of "rolesSchemaAttribute"s to a HyperSQL role or schema string.
void	setRoleSchemaValuePatternString(String patternString) String wrapper for method setRoleSchemaValuePattern(Pattern) Use the (x?) Pattern constructs to set options.
void	setRolesSchemaAttribute(String attribute) Set the attribute name of the RDN + parentDn entries in which is stored the list of roles and optional schema for the authenticating user.
void	setSaslRealm(String saslRealm) Some LDAP servers using a SASL mechanism require a realm to be specified, and some mechanisms allow a realm to be specified if you wish to use that feature.
void	setSecurityMechanism(String mechanism) Defaults to "SIMPLE".
void	setStartTls(boolean isTls) If this is set, then the entire (brief) transaction with the LDAP server will be encrypted.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

LdapAuthBean

public LdapAuthBean()

Method Detail

setStartTls

public void setStartTls(boolean isTls)

If this is set, then the entire (brief) transaction with the LDAP server will be encrypted.

setLdapPort

public void setLdapPort(int ldapPort)

init

public void init()

Throws:

IllegalStateException - if any required setting has not been set.

setAccessValuePattern

public void setAccessValuePattern(Pattern accessValuePattern)

Assign a pattern to detect honored accessAttribute values. If you set accessAttribute but not accessValuePattern, then all that will be checked for access is if the RDN + parentDN entry has the accessAttribute attribute. (I.e. the specific value will not matter whatsoever).

You may only use this property if you have set property accessAttribute. If you have set accessAttribute but not this property, then access will be decided based solely upon existence of this attribute.

Capture groups in the pattern will be ignored and serve no purpose.

N.b. this Pattern will be used for the matches() operation, therefore it must match the entire candidate value strings (this is different than the find operation which does not need to satisfy the entire candidate value).

Example1 :

     TRUE
 

This will match true values per OpenLDAP's boolean OID.

See Also:

Matcher.matches()

setAccessValuePatternString

public void setAccessValuePatternString(String patternString)

String wrapper for method setAccessValuePattern(Pattern) Use the (x?) Pattern constructs to set options.

Throws:

PatternSyntaxException

See Also:

setAccessValuePattern(Pattern)

setRoleSchemaValuePattern

public void setRoleSchemaValuePattern(Pattern roleSchemaValuePattern)

Assign a pattern to both detect honored values, and to map from a single value of "rolesSchemaAttribute"s to a HyperSQL role or schema string. If your rolesSchemaAttribute holds only the String values precisely as HyperSQL needs them, then don't use this method at all and all matching attribute values will be passed directly.

You may only use this property if you have set property rolesSchemaAttribute. If rolesSchemaAttribute is set but this property is not set, then the value will directly determine the user's roles and schema.

Unlike the rolesSchemaAttribute, the property at-hand uses the singular for "role", because whereas rolesSchemaAttribute is the attribute for listing multiple roles, roleSchemaValuePattern is used to evaluate single role values.

These are two distinct and important purposes for the specified Pattern.

1. Values that do not successfully match the pattern will be ignored.
2. Optionally uses parentheses to specify a single capture group (if you use parentheses to specify more than one matching group, we will only capture for the first). What is captured by this group is exactly the role or schema that HyperSQL will attempt to assign. If no capture parens are given then the Pattern is only used for the acceptance decision, and the LDAP-provided value will be returned verbatim.

Together, these two features work great to extract just the needed role and schema names from 'memberof' DNs, and will have no problem if you also use 'memberof' for unrelated purposes.

N.b. this Pattern will be used for the matches() operation, therefore it must match the entire candidate value strings (this is different than the find operation which does not need to satisfy the entire candidate value).

Example1 :

     cn=([^,]+),ou=dbRole,dc=admc,dc=com
 

will extract the CN value from matching attribute values.

Example1 :

     cn=[^,]+,ou=dbRole,dc=admc,dc=com
 

will return the entire cn...com string for matching attribute values.

See Also:

Matcher.matches()

setRoleSchemaValuePatternString

public void setRoleSchemaValuePatternString(String patternString)

String wrapper for method setRoleSchemaValuePattern(Pattern) Use the (x?) Pattern constructs to set options.

Throws:

PatternSyntaxException

See Also:

setRoleSchemaValuePattern(Pattern)

setSecurityMechanism

public void setSecurityMechanism(String mechanism)

Defaults to "SIMPLE".

Parameters:

mechanism - Either 'SIMPLE' (the default) for LDAP Simple, or one of the LDAP SASL mechamisms, such as 'DIGEST-MD5'.

setLdapHost

public void setLdapHost(String ldapHost)

Do not specify URL scheme ("ldap:") because that is implied. (Since we purposefully don't support LDAPS, there would be no reason to change that).

If using StartTLS, then this host name must match the cn of the LDAP server's certificate.

If you need to support LDAPS and are using SE 1.6, use our JaasAuthBean with Sun's LdapLoginModule instead of this class.

See Also:

JaasAuthBean

setPrincipalTemplate

public void setPrincipalTemplate(String principalTemplate)

A template String containing place-holder token '${username}'. All occurrences of '${username}' (without the quotes) will be translated to the username that authentication is being attempted with.

If you supply a principalTemplate that does not contain '${username}', then authentication will be user-independent.

It is common to authenticate to LDAP servers with the DN of the user's LDAP entry. In this situation, set principalTemplate to <RDN_ATTR=>${username},<PARENT_DN>. For example if you use parentDn of "ou=people,dc=admc,dc=com" and rdnAttribute of uid, then you would set

     "uid=${username},ou=people,dc=admc,dc=com"
 

By default the user name will be passed exactly as it is, so don't use this setter if that is what you want. (This works great for OpenLDAP with DIGEST-MD5 SASL, for example).

setInitialContextFactory

public void setInitialContextFactory(String initialContextFactory)

Most users should not call this, and will get the default of "com.sun.jndi.ldap.LdapCtxFactory". Use this method if you prefer to use a context factory provided by your framework or container, for example, or if you are using a non-Sun JRE.

setSaslRealm

public void setSaslRealm(String saslRealm)

Some LDAP servers using a SASL mechanism require a realm to be specified, and some mechanisms allow a realm to be specified if you wish to use that feature. By default no realm will be sent to the LDAP server.

Don't use this setter if you are not setting a SASL mechanism.

setParentDn

public void setParentDn(String parentDn)

Set DN which is parent of the user DNs. E.g. "ou=people,dc=admc,dc=com"

setRdnAttribute

public void setRdnAttribute(String rdnAttribute)

rdnAttribute must hold the user name exactly as the HyperSQL login will be made with.

This is the RDN relative to the Parent DN specified with setParentDN. Defaults to 'uid'.

See Also:

setParentDn(String)

setRolesSchemaAttribute

public void setRolesSchemaAttribute(String attribute)

Set the attribute name of the RDN + parentDn entries in which is stored the list of roles and optional schema for the authenticating user.

There is no default. You must set this attribute if you want LDAP instead of the local HyperSQL database to determine the user's roles! You must set the rolesSchemaAttribute property and/or the accessAttribute property. Consequently, if you do no tset this property, then you must set the accessAttribute property, and this LdapAuthBean will only determine access not roles.

To use the nice reverse group membership feature of LDAP, set this value to "memberof".

If you have set both rolesSchemaAttribute and this value, then the attribute set here will only be consulted if the accessAttribute check succeeds.

setAccessAttribute

public void setAccessAttribute(String attribute)

Set the attribute name of the RDN + parentDn entries which will be consulted to decide whether the user can access the HyperSQL database.

There is no default. If you set this attribute, then the attribute will determine whether the user can access the HyperSQL database, regardless of whether the rolesSchemaAttribute attribute is set.

If you set just this property, then the local HyperSQL database will decide all roles for the user. If you set this property and propety rolesSchemaAttribute then this attribute will determine access, and if this attribute grants access then the rolesSchemaAttribute value will determine the user's roles.

authenticate

public String[] authenticate(String userName,
                             String password)
                      throws org.hsqldb.auth.DenyException

Description copied from interface: AuthFunctionBean

Return a list of authorized roles or null to indicate that the implementation does not intend to produce a specific role list but only to indicate whether to allow access or not. A return value of String[0] is different from returning null, and means that the user should not be granted any roles.

Specified by:

authenticate in interface AuthFunctionBean

Returns:

null or String[] according to the contract of HyperSQL authentication function contract, except that the role/schema list is returned as a String[] instead of a java.sql.Array.

Throws:

org.hsqldb.auth.DenyException

See Also:

AuthFunctionBean.authenticate(String, String)

main

public static void main(String[] sa)
                 throws IOException

Run this method to try and test configuration settings for LdapAuthBeans, or to troubleshoot. It purposefully does not test the Java Function or the JDBC layer at all. This program will attempt to retrieve and display the schema/roles list for the specified user and with the specified password from the LDAP server according to the specified properties.

Passwords typed on the command line are inherently not secure, so only use this program when the computer it is run on is secured and where your command line may not be observed, directly or indirectly, by others.

Set the properties in a properties file to match your LDAP security and Directory Information Tree structure and use this program to check everything between the LdapAuthBean and your LDAP server. You then know the exact settings to use for an LdapAuthBean that you can plug into AuthBeanMultiplexer.

Run with no arguments to see required syntax.

The property file may contain any of the following properties, which exactly match the corresponding setter methods in this class.

• trustStore. This is the only property without a corresponding setter method. Setting this property has the same effect as setting Java system property 'javax.net.ssl.trustStore'.
• startTls. Takes a boolean value according to method java.util.Boolean.parseBoolean.
• roleSchemaValuePattern. Correponds to method setRoleSchemaValuePatternString
• accessValuePattern. Correponds to method setAccessValuePatternString
• ldapPort
• securityMechanism
• ldapHost
• principalTemplate
• initialContextFactory
• saslRealm
• parentDn
• rdnAttribute
• rolesSchemaAttribute
• accessAttribute

Tokens like ${this} will not be expanded to system property values, and your bean will get the values exactly as you type them in.

The file sample/ldap-exerciser.properties in the HyperSQL distribution may be used as a template or example.

Throws:

IOException