001/*
002 * The contents of this file are subject to the terms of the Common Development and
003 * Distribution License (the License). You may not use this file except in compliance with the
004 * License.
005 *
006 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
007 * specific language governing permission and limitations under the License.
008 *
009 * When distributing Covered Software, include this CDDL Header Notice in each file and include
010 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
011 * Header, with the fields enclosed by brackets [] replaced by your own identifying
012 * information: "Portions Copyright [year] [name of copyright owner]".
013 *
014 * Copyright 2008 Sun Microsystems, Inc.
015 */
016package org.forgerock.opendj.server.config.server;
017
018
019
020import java.net.InetAddress;
021import java.util.SortedSet;
022import org.forgerock.opendj.config.server.ConfigurationChangeListener;
023import org.forgerock.opendj.ldap.DN;
024import org.forgerock.opendj.ldap.schema.AttributeType;
025import org.forgerock.opendj.server.config.meta.LDAPPassThroughAuthenticationPolicyCfgDefn.MappingPolicy;
026
027
028
029/**
030 * A server-side interface for querying LDAP Pass Through
031 * Authentication Policy settings.
032 * <p>
033 * An authentication policy for users whose credentials are managed by
034 * a remote LDAP directory service.
035 */
036public interface LDAPPassThroughAuthenticationPolicyCfg extends AuthenticationPolicyCfg {
037
038  /**
039   * Gets the configuration class associated with this LDAP Pass Through Authentication Policy.
040   *
041   * @return Returns the configuration class associated with this LDAP Pass Through Authentication Policy.
042   */
043  Class<? extends LDAPPassThroughAuthenticationPolicyCfg> configurationClass();
044
045
046
047  /**
048   * Register to be notified when this LDAP Pass Through Authentication Policy is changed.
049   *
050   * @param listener
051   *          The LDAP Pass Through Authentication Policy configuration change listener.
052   */
053  void addLDAPPassThroughChangeListener(ConfigurationChangeListener<LDAPPassThroughAuthenticationPolicyCfg> listener);
054
055
056
057  /**
058   * Deregister an existing LDAP Pass Through Authentication Policy configuration change listener.
059   *
060   * @param listener
061   *          The LDAP Pass Through Authentication Policy configuration change listener.
062   */
063  void removeLDAPPassThroughChangeListener(ConfigurationChangeListener<LDAPPassThroughAuthenticationPolicyCfg> listener);
064
065
066
067  /**
068   * Gets the "cached-password-storage-scheme" property.
069   * <p>
070   * Specifies the name of a password storage scheme which should be
071   * used for encoding cached passwords.
072   * <p>
073   * Changing the password storage scheme will cause all existing
074   * cached passwords to be discarded.
075   *
076   * @return Returns the value of the "cached-password-storage-scheme" property.
077   */
078  String getCachedPasswordStorageScheme();
079
080
081
082  /**
083   * Gets the "cached-password-storage-scheme" property as a DN.
084   * <p>
085   * Specifies the name of a password storage scheme which should be
086   * used for encoding cached passwords.
087   * <p>
088   * Changing the password storage scheme will cause all existing
089   * cached passwords to be discarded.
090   *
091   * @return Returns the DN value of the
092   *         "cached-password-storage-scheme" property.
093   */
094  DN getCachedPasswordStorageSchemeDN();
095
096
097
098  /**
099   * Gets the "cached-password-ttl" property.
100   * <p>
101   * Specifies the maximum length of time that a locally cached
102   * password may be used for authentication before it is refreshed
103   * from the remote LDAP service.
104   * <p>
105   * This property represents a cache timeout. Increasing the timeout
106   * period decreases the frequency that bind operations are delegated
107   * to the remote LDAP service, but increases the risk of users
108   * authenticating using stale passwords. Note that authentication
109   * attempts which fail because the provided password does not match
110   * the locally cached password will always be retried against the
111   * remote LDAP service.
112   *
113   * @return Returns the value of the "cached-password-ttl" property.
114   */
115  long getCachedPasswordTTL();
116
117
118
119  /**
120   * Gets the "connection-timeout" property.
121   * <p>
122   * Specifies the timeout used when connecting to remote LDAP
123   * directory servers, performing SSL negotiation, and for individual
124   * search and bind requests.
125   * <p>
126   * If the timeout expires then the current operation will be aborted
127   * and retried against another LDAP server if one is available.
128   *
129   * @return Returns the value of the "connection-timeout" property.
130   */
131  long getConnectionTimeout();
132
133
134
135  /**
136   * Gets the "java-class" property.
137   * <p>
138   * Specifies the fully-qualified name of the Java class which
139   * provides the LDAP Pass Through Authentication Policy
140   * implementation.
141   *
142   * @return Returns the value of the "java-class" property.
143   */
144  String getJavaClass();
145
146
147
148  /**
149   * Gets the "mapped-attribute" property.
150   * <p>
151   * Specifies one or more attributes in the user's entry whose
152   * value(s) will determine the bind DN used when authenticating to
153   * the remote LDAP directory service. This property is mandatory when
154   * using the "mapped-bind" or "mapped-search" mapping policies.
155   * <p>
156   * At least one value must be provided. All values must refer to the
157   * name or OID of an attribute type defined in the directory server
158   * schema. At least one of the named attributes must exist in a
159   * user's local entry in order for authentication to proceed. When
160   * multiple attributes or values are found in the user's entry then
161   * the behavior is determined by the mapping policy.
162   *
163   * @return Returns an unmodifiable set containing the values of the "mapped-attribute" property.
164   */
165  SortedSet<AttributeType> getMappedAttribute();
166
167
168
169  /**
170   * Gets the "mapped-search-base-dn" property.
171   * <p>
172   * Specifies the set of base DNs below which to search for users in
173   * the remote LDAP directory service. This property is mandatory when
174   * using the "mapped-search" mapping policy.
175   * <p>
176   * If multiple values are given, searches are performed below all
177   * specified base DNs.
178   *
179   * @return Returns an unmodifiable set containing the values of the "mapped-search-base-dn" property.
180   */
181  SortedSet<DN> getMappedSearchBaseDN();
182
183
184
185  /**
186   * Gets the "mapped-search-bind-dn" property.
187   * <p>
188   * Specifies the bind DN which should be used to perform user
189   * searches in the remote LDAP directory service.
190   *
191   * @return Returns the value of the "mapped-search-bind-dn" property.
192   */
193  DN getMappedSearchBindDN();
194
195
196
197  /**
198   * Gets the "mapped-search-bind-password" property.
199   * <p>
200   * Specifies the bind password which should be used to perform user
201   * searches in the remote LDAP directory service.
202   *
203   * @return Returns the value of the "mapped-search-bind-password" property.
204   */
205  String getMappedSearchBindPassword();
206
207
208
209  /**
210   * Gets the "mapped-search-bind-password-environment-variable" property.
211   * <p>
212   * Specifies the name of an environment variable containing the bind
213   * password which should be used to perform user searches in the
214   * remote LDAP directory service.
215   *
216   * @return Returns the value of the "mapped-search-bind-password-environment-variable" property.
217   */
218  String getMappedSearchBindPasswordEnvironmentVariable();
219
220
221
222  /**
223   * Gets the "mapped-search-bind-password-file" property.
224   * <p>
225   * Specifies the name of a file containing the bind password which
226   * should be used to perform user searches in the remote LDAP
227   * directory service.
228   *
229   * @return Returns the value of the "mapped-search-bind-password-file" property.
230   */
231  String getMappedSearchBindPasswordFile();
232
233
234
235  /**
236   * Gets the "mapped-search-bind-password-property" property.
237   * <p>
238   * Specifies the name of a Java property containing the bind
239   * password which should be used to perform user searches in the
240   * remote LDAP directory service.
241   *
242   * @return Returns the value of the "mapped-search-bind-password-property" property.
243   */
244  String getMappedSearchBindPasswordProperty();
245
246
247
248  /**
249   * Gets the "mapped-search-filter-template" property.
250   * <p>
251   * If defined, overrides the filter used when searching for the
252   * user, substituting %s with the value of the local entry's
253   * "mapped-attribute".
254   * <p>
255   * The filter-template may include ZERO or ONE %s substitutions. If
256   * multiple mapped-attributes are configured, multiple renditions of
257   * this template will be aggregated into one larger filter using an
258   * OR (|) operator. An example use-case for this property would be to
259   * use a different attribute type on the mapped search. For example,
260   * mapped-attribute could be set to "uid" and filter-template to
261   * "(samAccountName=%s)".
262   *
263   * @return Returns the value of the "mapped-search-filter-template" property.
264   */
265  String getMappedSearchFilterTemplate();
266
267
268
269  /**
270   * Gets the "mapping-policy" property.
271   * <p>
272   * Specifies the mapping algorithm for obtaining the bind DN from
273   * the user's entry.
274   *
275   * @return Returns the value of the "mapping-policy" property.
276   */
277  MappingPolicy getMappingPolicy();
278
279
280
281  /**
282   * Gets the "primary-remote-ldap-server" property.
283   * <p>
284   * Specifies the primary list of remote LDAP servers which should be
285   * used for pass through authentication.
286   * <p>
287   * If more than one LDAP server is specified then operations may be
288   * distributed across them. If all of the primary LDAP servers are
289   * unavailable then operations will fail-over to the set of secondary
290   * LDAP servers, if defined.
291   *
292   * @return Returns an unmodifiable set containing the values of the "primary-remote-ldap-server" property.
293   */
294  SortedSet<String> getPrimaryRemoteLDAPServer();
295
296
297
298  /**
299   * Gets the "secondary-remote-ldap-server" property.
300   * <p>
301   * Specifies the secondary list of remote LDAP servers which should
302   * be used for pass through authentication in the event that the
303   * primary LDAP servers are unavailable.
304   * <p>
305   * If more than one LDAP server is specified then operations may be
306   * distributed across them. Operations will be rerouted to the
307   * primary LDAP servers as soon as they are determined to be
308   * available.
309   *
310   * @return Returns an unmodifiable set containing the values of the "secondary-remote-ldap-server" property.
311   */
312  SortedSet<String> getSecondaryRemoteLDAPServer();
313
314
315
316  /**
317   * Gets the "source-address" property.
318   * <p>
319   * If specified, the server will bind to the address before
320   * connecting to the remote server.
321   * <p>
322   * The address must be one assigned to an existing network
323   * interface.
324   *
325   * @return Returns the value of the "source-address" property.
326   */
327  InetAddress getSourceAddress();
328
329
330
331  /**
332   * Gets the "ssl-cipher-suite" property.
333   * <p>
334   * Specifies the names of the SSL cipher suites that are allowed for
335   * use in SSL based LDAP connections.
336   *
337   * @return Returns an unmodifiable set containing the values of the "ssl-cipher-suite" property.
338   */
339  SortedSet<String> getSSLCipherSuite();
340
341
342
343  /**
344   * Gets the "ssl-protocol" property.
345   * <p>
346   * Specifies the names of the SSL protocols which are allowed for
347   * use in SSL based LDAP connections.
348   *
349   * @return Returns an unmodifiable set containing the values of the "ssl-protocol" property.
350   */
351  SortedSet<String> getSSLProtocol();
352
353
354
355  /**
356   * Gets the "trust-manager-provider" property.
357   * <p>
358   * Specifies the name of the trust manager that should be used when
359   * negotiating SSL connections with remote LDAP directory servers.
360   *
361   * @return Returns the value of the "trust-manager-provider" property.
362   */
363  String getTrustManagerProvider();
364
365
366
367  /**
368   * Gets the "trust-manager-provider" property as a DN.
369   * <p>
370   * Specifies the name of the trust manager that should be used when
371   * negotiating SSL connections with remote LDAP directory servers.
372   *
373   * @return Returns the DN value of the "trust-manager-provider"
374   *         property.
375   */
376  DN getTrustManagerProviderDN();
377
378
379
380  /**
381   * Gets the "use-password-caching" property.
382   * <p>
383   * Indicates whether passwords should be cached locally within the
384   * user's entry.
385   *
386   * @return Returns the value of the "use-password-caching" property.
387   */
388  boolean isUsePasswordCaching();
389
390
391
392  /**
393   * Gets the "use-ssl" property.
394   * <p>
395   * Indicates whether the LDAP Pass Through Authentication Policy
396   * should use SSL.
397   * <p>
398   * If enabled, the LDAP Pass Through Authentication Policy will use
399   * SSL to encrypt communication with the clients.
400   *
401   * @return Returns the value of the "use-ssl" property.
402   */
403  boolean isUseSSL();
404
405
406
407  /**
408   * Gets the "use-tcp-keep-alive" property.
409   * <p>
410   * Indicates whether LDAP connections should use TCP keep-alive.
411   * <p>
412   * If enabled, the SO_KEEPALIVE socket option is used to indicate
413   * that TCP keepalive messages should periodically be sent to the
414   * client to verify that the associated connection is still valid.
415   * This may also help prevent cases in which intermediate network
416   * hardware could silently drop an otherwise idle client connection,
417   * provided that the keepalive interval configured in the underlying
418   * operating system is smaller than the timeout enforced by the
419   * network hardware.
420   *
421   * @return Returns the value of the "use-tcp-keep-alive" property.
422   */
423  boolean isUseTCPKeepAlive();
424
425
426
427  /**
428   * Gets the "use-tcp-no-delay" property.
429   * <p>
430   * Indicates whether LDAP connections should use TCP no-delay.
431   * <p>
432   * If enabled, the TCP_NODELAY socket option is used to ensure that
433   * response messages to the client are sent immediately rather than
434   * potentially waiting to determine whether additional response
435   * messages can be sent in the same packet. In most cases, using the
436   * TCP_NODELAY socket option provides better performance and lower
437   * response times, but disabling it may help for some cases in which
438   * the server sends a large number of entries to a client in response
439   * to a search request.
440   *
441   * @return Returns the value of the "use-tcp-no-delay" property.
442   */
443  boolean isUseTCPNoDelay();
444
445}