001/* 002 * The contents of this file are subject to the terms of the Common Development and 003 * Distribution License (the License). You may not use this file except in compliance with the 004 * License. 005 * 006 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the 007 * specific language governing permission and limitations under the License. 008 * 009 * When distributing Covered Software, include this CDDL Header Notice in each file and include 010 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL 011 * Header, with the fields enclosed by brackets [] replaced by your own identifying 012 * information: "Portions Copyright [year] [name of copyright owner]". 013 * 014 * Copyright 2008 Sun Microsystems, Inc. 015 */ 016package org.forgerock.opendj.server.config.server; 017 018 019 020import java.net.InetAddress; 021import java.util.SortedSet; 022import org.forgerock.opendj.config.server.ConfigurationChangeListener; 023import org.forgerock.opendj.ldap.DN; 024import org.forgerock.opendj.ldap.schema.AttributeType; 025import org.forgerock.opendj.server.config.meta.LDAPPassThroughAuthenticationPolicyCfgDefn.MappingPolicy; 026 027 028 029/** 030 * A server-side interface for querying LDAP Pass Through 031 * Authentication Policy settings. 032 * <p> 033 * An authentication policy for users whose credentials are managed by 034 * a remote LDAP directory service. 035 */ 036public interface LDAPPassThroughAuthenticationPolicyCfg extends AuthenticationPolicyCfg { 037 038 /** 039 * Gets the configuration class associated with this LDAP Pass Through Authentication Policy. 040 * 041 * @return Returns the configuration class associated with this LDAP Pass Through Authentication Policy. 042 */ 043 Class<? extends LDAPPassThroughAuthenticationPolicyCfg> configurationClass(); 044 045 046 047 /** 048 * Register to be notified when this LDAP Pass Through Authentication Policy is changed. 049 * 050 * @param listener 051 * The LDAP Pass Through Authentication Policy configuration change listener. 052 */ 053 void addLDAPPassThroughChangeListener(ConfigurationChangeListener<LDAPPassThroughAuthenticationPolicyCfg> listener); 054 055 056 057 /** 058 * Deregister an existing LDAP Pass Through Authentication Policy configuration change listener. 059 * 060 * @param listener 061 * The LDAP Pass Through Authentication Policy configuration change listener. 062 */ 063 void removeLDAPPassThroughChangeListener(ConfigurationChangeListener<LDAPPassThroughAuthenticationPolicyCfg> listener); 064 065 066 067 /** 068 * Gets the "cached-password-storage-scheme" property. 069 * <p> 070 * Specifies the name of a password storage scheme which should be 071 * used for encoding cached passwords. 072 * <p> 073 * Changing the password storage scheme will cause all existing 074 * cached passwords to be discarded. 075 * 076 * @return Returns the value of the "cached-password-storage-scheme" property. 077 */ 078 String getCachedPasswordStorageScheme(); 079 080 081 082 /** 083 * Gets the "cached-password-storage-scheme" property as a DN. 084 * <p> 085 * Specifies the name of a password storage scheme which should be 086 * used for encoding cached passwords. 087 * <p> 088 * Changing the password storage scheme will cause all existing 089 * cached passwords to be discarded. 090 * 091 * @return Returns the DN value of the 092 * "cached-password-storage-scheme" property. 093 */ 094 DN getCachedPasswordStorageSchemeDN(); 095 096 097 098 /** 099 * Gets the "cached-password-ttl" property. 100 * <p> 101 * Specifies the maximum length of time that a locally cached 102 * password may be used for authentication before it is refreshed 103 * from the remote LDAP service. 104 * <p> 105 * This property represents a cache timeout. Increasing the timeout 106 * period decreases the frequency that bind operations are delegated 107 * to the remote LDAP service, but increases the risk of users 108 * authenticating using stale passwords. Note that authentication 109 * attempts which fail because the provided password does not match 110 * the locally cached password will always be retried against the 111 * remote LDAP service. 112 * 113 * @return Returns the value of the "cached-password-ttl" property. 114 */ 115 long getCachedPasswordTTL(); 116 117 118 119 /** 120 * Gets the "connection-timeout" property. 121 * <p> 122 * Specifies the timeout used when connecting to remote LDAP 123 * directory servers, performing SSL negotiation, and for individual 124 * search and bind requests. 125 * <p> 126 * If the timeout expires then the current operation will be aborted 127 * and retried against another LDAP server if one is available. 128 * 129 * @return Returns the value of the "connection-timeout" property. 130 */ 131 long getConnectionTimeout(); 132 133 134 135 /** 136 * Gets the "java-class" property. 137 * <p> 138 * Specifies the fully-qualified name of the Java class which 139 * provides the LDAP Pass Through Authentication Policy 140 * implementation. 141 * 142 * @return Returns the value of the "java-class" property. 143 */ 144 String getJavaClass(); 145 146 147 148 /** 149 * Gets the "mapped-attribute" property. 150 * <p> 151 * Specifies one or more attributes in the user's entry whose 152 * value(s) will determine the bind DN used when authenticating to 153 * the remote LDAP directory service. This property is mandatory when 154 * using the "mapped-bind" or "mapped-search" mapping policies. 155 * <p> 156 * At least one value must be provided. All values must refer to the 157 * name or OID of an attribute type defined in the directory server 158 * schema. At least one of the named attributes must exist in a 159 * user's local entry in order for authentication to proceed. When 160 * multiple attributes or values are found in the user's entry then 161 * the behavior is determined by the mapping policy. 162 * 163 * @return Returns an unmodifiable set containing the values of the "mapped-attribute" property. 164 */ 165 SortedSet<AttributeType> getMappedAttribute(); 166 167 168 169 /** 170 * Gets the "mapped-search-base-dn" property. 171 * <p> 172 * Specifies the set of base DNs below which to search for users in 173 * the remote LDAP directory service. This property is mandatory when 174 * using the "mapped-search" mapping policy. 175 * <p> 176 * If multiple values are given, searches are performed below all 177 * specified base DNs. 178 * 179 * @return Returns an unmodifiable set containing the values of the "mapped-search-base-dn" property. 180 */ 181 SortedSet<DN> getMappedSearchBaseDN(); 182 183 184 185 /** 186 * Gets the "mapped-search-bind-dn" property. 187 * <p> 188 * Specifies the bind DN which should be used to perform user 189 * searches in the remote LDAP directory service. 190 * 191 * @return Returns the value of the "mapped-search-bind-dn" property. 192 */ 193 DN getMappedSearchBindDN(); 194 195 196 197 /** 198 * Gets the "mapped-search-bind-password" property. 199 * <p> 200 * Specifies the bind password which should be used to perform user 201 * searches in the remote LDAP directory service. 202 * 203 * @return Returns the value of the "mapped-search-bind-password" property. 204 */ 205 String getMappedSearchBindPassword(); 206 207 208 209 /** 210 * Gets the "mapped-search-bind-password-environment-variable" property. 211 * <p> 212 * Specifies the name of an environment variable containing the bind 213 * password which should be used to perform user searches in the 214 * remote LDAP directory service. 215 * 216 * @return Returns the value of the "mapped-search-bind-password-environment-variable" property. 217 */ 218 String getMappedSearchBindPasswordEnvironmentVariable(); 219 220 221 222 /** 223 * Gets the "mapped-search-bind-password-file" property. 224 * <p> 225 * Specifies the name of a file containing the bind password which 226 * should be used to perform user searches in the remote LDAP 227 * directory service. 228 * 229 * @return Returns the value of the "mapped-search-bind-password-file" property. 230 */ 231 String getMappedSearchBindPasswordFile(); 232 233 234 235 /** 236 * Gets the "mapped-search-bind-password-property" property. 237 * <p> 238 * Specifies the name of a Java property containing the bind 239 * password which should be used to perform user searches in the 240 * remote LDAP directory service. 241 * 242 * @return Returns the value of the "mapped-search-bind-password-property" property. 243 */ 244 String getMappedSearchBindPasswordProperty(); 245 246 247 248 /** 249 * Gets the "mapped-search-filter-template" property. 250 * <p> 251 * If defined, overrides the filter used when searching for the 252 * user, substituting %s with the value of the local entry's 253 * "mapped-attribute". 254 * <p> 255 * The filter-template may include ZERO or ONE %s substitutions. If 256 * multiple mapped-attributes are configured, multiple renditions of 257 * this template will be aggregated into one larger filter using an 258 * OR (|) operator. An example use-case for this property would be to 259 * use a different attribute type on the mapped search. For example, 260 * mapped-attribute could be set to "uid" and filter-template to 261 * "(samAccountName=%s)". 262 * 263 * @return Returns the value of the "mapped-search-filter-template" property. 264 */ 265 String getMappedSearchFilterTemplate(); 266 267 268 269 /** 270 * Gets the "mapping-policy" property. 271 * <p> 272 * Specifies the mapping algorithm for obtaining the bind DN from 273 * the user's entry. 274 * 275 * @return Returns the value of the "mapping-policy" property. 276 */ 277 MappingPolicy getMappingPolicy(); 278 279 280 281 /** 282 * Gets the "primary-remote-ldap-server" property. 283 * <p> 284 * Specifies the primary list of remote LDAP servers which should be 285 * used for pass through authentication. 286 * <p> 287 * If more than one LDAP server is specified then operations may be 288 * distributed across them. If all of the primary LDAP servers are 289 * unavailable then operations will fail-over to the set of secondary 290 * LDAP servers, if defined. 291 * 292 * @return Returns an unmodifiable set containing the values of the "primary-remote-ldap-server" property. 293 */ 294 SortedSet<String> getPrimaryRemoteLDAPServer(); 295 296 297 298 /** 299 * Gets the "secondary-remote-ldap-server" property. 300 * <p> 301 * Specifies the secondary list of remote LDAP servers which should 302 * be used for pass through authentication in the event that the 303 * primary LDAP servers are unavailable. 304 * <p> 305 * If more than one LDAP server is specified then operations may be 306 * distributed across them. Operations will be rerouted to the 307 * primary LDAP servers as soon as they are determined to be 308 * available. 309 * 310 * @return Returns an unmodifiable set containing the values of the "secondary-remote-ldap-server" property. 311 */ 312 SortedSet<String> getSecondaryRemoteLDAPServer(); 313 314 315 316 /** 317 * Gets the "source-address" property. 318 * <p> 319 * If specified, the server will bind to the address before 320 * connecting to the remote server. 321 * <p> 322 * The address must be one assigned to an existing network 323 * interface. 324 * 325 * @return Returns the value of the "source-address" property. 326 */ 327 InetAddress getSourceAddress(); 328 329 330 331 /** 332 * Gets the "ssl-cipher-suite" property. 333 * <p> 334 * Specifies the names of the SSL cipher suites that are allowed for 335 * use in SSL based LDAP connections. 336 * 337 * @return Returns an unmodifiable set containing the values of the "ssl-cipher-suite" property. 338 */ 339 SortedSet<String> getSSLCipherSuite(); 340 341 342 343 /** 344 * Gets the "ssl-protocol" property. 345 * <p> 346 * Specifies the names of the SSL protocols which are allowed for 347 * use in SSL based LDAP connections. 348 * 349 * @return Returns an unmodifiable set containing the values of the "ssl-protocol" property. 350 */ 351 SortedSet<String> getSSLProtocol(); 352 353 354 355 /** 356 * Gets the "trust-manager-provider" property. 357 * <p> 358 * Specifies the name of the trust manager that should be used when 359 * negotiating SSL connections with remote LDAP directory servers. 360 * 361 * @return Returns the value of the "trust-manager-provider" property. 362 */ 363 String getTrustManagerProvider(); 364 365 366 367 /** 368 * Gets the "trust-manager-provider" property as a DN. 369 * <p> 370 * Specifies the name of the trust manager that should be used when 371 * negotiating SSL connections with remote LDAP directory servers. 372 * 373 * @return Returns the DN value of the "trust-manager-provider" 374 * property. 375 */ 376 DN getTrustManagerProviderDN(); 377 378 379 380 /** 381 * Gets the "use-password-caching" property. 382 * <p> 383 * Indicates whether passwords should be cached locally within the 384 * user's entry. 385 * 386 * @return Returns the value of the "use-password-caching" property. 387 */ 388 boolean isUsePasswordCaching(); 389 390 391 392 /** 393 * Gets the "use-ssl" property. 394 * <p> 395 * Indicates whether the LDAP Pass Through Authentication Policy 396 * should use SSL. 397 * <p> 398 * If enabled, the LDAP Pass Through Authentication Policy will use 399 * SSL to encrypt communication with the clients. 400 * 401 * @return Returns the value of the "use-ssl" property. 402 */ 403 boolean isUseSSL(); 404 405 406 407 /** 408 * Gets the "use-tcp-keep-alive" property. 409 * <p> 410 * Indicates whether LDAP connections should use TCP keep-alive. 411 * <p> 412 * If enabled, the SO_KEEPALIVE socket option is used to indicate 413 * that TCP keepalive messages should periodically be sent to the 414 * client to verify that the associated connection is still valid. 415 * This may also help prevent cases in which intermediate network 416 * hardware could silently drop an otherwise idle client connection, 417 * provided that the keepalive interval configured in the underlying 418 * operating system is smaller than the timeout enforced by the 419 * network hardware. 420 * 421 * @return Returns the value of the "use-tcp-keep-alive" property. 422 */ 423 boolean isUseTCPKeepAlive(); 424 425 426 427 /** 428 * Gets the "use-tcp-no-delay" property. 429 * <p> 430 * Indicates whether LDAP connections should use TCP no-delay. 431 * <p> 432 * If enabled, the TCP_NODELAY socket option is used to ensure that 433 * response messages to the client are sent immediately rather than 434 * potentially waiting to determine whether additional response 435 * messages can be sent in the same packet. In most cases, using the 436 * TCP_NODELAY socket option provides better performance and lower 437 * response times, but disabling it may help for some cases in which 438 * the server sends a large number of entries to a client in response 439 * to a search request. 440 * 441 * @return Returns the value of the "use-tcp-no-delay" property. 442 */ 443 boolean isUseTCPNoDelay(); 444 445}