1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.syncope.common.lib.auth;
20  
21  import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper;
22  import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
23  import java.util.ArrayList;
24  import java.util.List;
25  import java.util.Map;
26  import org.apache.syncope.common.lib.AbstractLDAPConf;
27  import org.apache.syncope.common.lib.to.AuthModuleTO;
28  
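/**
 * Configuration of an LDAP-backed authentication module.
 * <p>
 * This bean only carries the settings specific to authenticating a user against a directory
 * (bind strategy, DN format, principal attribute resolution). Connection-level settings such as
 * {@code bindDn} and {@code bindCredential} are expected to come from {@link AbstractLDAPConf}
 * and are not defined here. Instances are plain serializable configuration holders: every
 * setter accepts whatever it is given (including {@code null}); validation, if any, happens in
 * the component that consumes this configuration.
 */
public class LDAPAuthModuleConf extends AbstractLDAPConf implements AuthModuleConf {

    private static final long serialVersionUID = -471527731042579422L;

    /**
     * The supported LDAP authentication strategies. See {@link #authenticationType} for the
     * semantics of each value.
     */
    public enum AuthenticationType {

        /**
         * Active Directory.
         */
        AD,
        /**
         * Authenticated Search.
         */
        AUTHENTICATED,
        /**
         * Direct Bind.
         */
        DIRECT,
        /**
         * Anonymous Search.
         */
        ANONYMOUS

    }

    /**
     * How LDAP aliases are dereferenced during searches. See {@link #derefAliases} for the
     * meaning of each value.
     */
    public enum DerefAliasesType {
        NEVER,
        SEARCHING,
        FINDING,
        ALWAYS

    }

    /**
     * The authentication type. Defaults to {@code AUTHENTICATED}.
     * <ul>
     * <li>{@code AD} - Users authenticate with {@code sAMAccountName}. </li>
     *
     * <li>{@code AUTHENTICATED} - Manager bind/search type of authentication.
     * If {@code principalAttributePassword}
     * is empty then a user simple bind is done to validate credentials. Otherwise the given
     * attribute is compared with the given {@code principalAttributePassword} using
     * the {@code SHA} digest of it (SHA is a hash, not encryption).</li>
     *
     * <li>{@code ANONYMOUS}: Similar semantics as {@code AUTHENTICATED} except no {@code bindDn}
     * and {@code bindCredential} may be specified to initialize the connection.
     * If {@code principalAttributePassword} is empty then a user simple bind is done
     * to validate credentials. Otherwise the given attribute is compared with
     * the given {@code principalAttributePassword} using the {@code SHA} digest of it.</li>
     *
     * <li>DIRECT: Direct Bind - Compute user DN from format string and perform simple bind.
     * This is relevant when no search is required to compute the DN needed for a bind operation.
     * Use cases for this type are:
     * 1) All users are under a single branch in the directory, {@code e.g. ou=Users,dc=example,dc=org.}
     * 2) The username provided on the CAS login form is part of the DN, e.g.
     * {@code uid=%s,ou=Users,dc=example,dc=org}.</li>
     *
     * </ul>
     * <p>
     * Security note: the attribute-comparison path of {@code AUTHENTICATED} / {@code ANONYMOUS}
     * checks the password outside the directory's bind operation, so directory-side controls
     * (account lockout, password policy, audit of failed binds) do not apply to it. Leaving
     * {@code principalAttributePassword} empty so that a simple bind is performed is usually
     * the safer choice. For {@code DIRECT}, see the note on {@link #dnFormat}.
     */
    private AuthenticationType authenticationType = AuthenticationType.AUTHENTICATED;

    /**
     * Specify the dn format accepted by the AD authenticator, etc.
     * Example format might be {@code uid=%s,ou=people,dc=example,dc=org}.
     * <p>
     * The {@code %s} placeholder is filled with the user-supplied login name. Nothing in this
     * class escapes that value; the component that applies the format is expected to DN-escape it
     * (RFC 4514 special characters such as {@code ,}, {@code +}, {@code =}, {@code \}) before
     * binding, otherwise a crafted username could alter the DN that is bound.
     * No default ({@code null}).
     */
    private String dnFormat;

    /**
     * Whether specific search entry resolvers need to be set
     * on the authenticator, or the default should be used. Defaults to {@code true}.
     */
    private boolean enhanceWithEntryResolver = true;

    /**
     * Define how aliases are de-referenced.
     * Accepted values are:
     * <ul>
     * <li>{@code NEVER}</li>
     * <li>{@code SEARCHING}: dereference when searching the entries beneath the starting point but not when searching
     * for the starting entry.</li>
     * <li>{@code FINDING}: dereference when searching for the starting entry but not when searching the entries beneath
     * the starting point.</li>
     * <li>{@code ALWAYS}: dereference when searching for the starting entry and when searching the entries beneath the
     * starting point.</li>
     * </ul>
     * No default is set here ({@code null}); the underlying LDAP client's own default presumably
     * applies in that case.
     */
    private DerefAliasesType derefAliases;

    /**
     * If this attribute is set, the value found in the first attribute
     * value will be used in place of the DN. No default ({@code null}).
     */
    private String resolveFromAttribute;

    /**
     * The attribute value that should be used for the authenticated username, upon a successful authentication attempt.
     * No default ({@code null}).
     */
    private String principalAttributeId;

    /**
     * Name of attribute to be used for principal's DN. Defaults to {@code principalLdapDn}.
     */
    private String principalDnAttributeName = "principalLdapDn";

    /**
     * Sets a flag that determines whether multiple values are allowed for the {@link #principalAttributeId}.
     * This flag only has an effect if {@link #principalAttributeId} is configured. If multiple values are detected
     * when the flag is false, the first value is used and a warning is logged. If multiple values are detected
     * when the flag is true, an exception is raised. Defaults to {@code false}.
     */
    private boolean allowMultiplePrincipalAttributeValues;

    /**
     * List of additional attributes to retrieve, if any.
     * <p>
     * Mutable by design: {@link #getAdditionalAttributes()} hands out this live list (presumably
     * so the Jackson XML binding can populate it), so callers append to the returned list rather
     * than through a setter.
     */
    private final List<String> additionalAttributes = new ArrayList<>();

    /**
     * Flag to indicate whether CAS should block authentication
     * if a specific/configured principal id attribute is not found.
     * <p>
     * Defaults to {@code true}. Judging by the name, {@code true} means a missing attribute does
     * NOT block authentication and {@code false} makes it fail closed — confirm against the
     * consumer of this configuration. If the principal id attribute is relied on for
     * authorization downstream, {@code false} is the safer setting.
     */
    private boolean allowMissingPrincipalAttributeValue = true;

    /**
     * When entry DN should be called as an attribute and stored into the principal.
     * Defaults to {@code false}.
     */
    private boolean collectDnAttribute;

    /**
     * @return the configured authentication strategy; never {@code null} unless explicitly set so
     */
    public AuthenticationType getAuthenticationType() {
        return authenticationType;
    }

    /**
     * @param authenticationType the authentication strategy to use; see {@link #authenticationType}
     */
    public void setAuthenticationType(final AuthenticationType authenticationType) {
        this.authenticationType = authenticationType;
    }

    /**
     * @return the DN format string, or {@code null} if none was set
     */
    public String getDnFormat() {
        return dnFormat;
    }

    /**
     * @param dnFormat the DN format string with a {@code %s} placeholder; see {@link #dnFormat}
     */
    public void setDnFormat(final String dnFormat) {
        this.dnFormat = dnFormat;
    }

    /**
     * @return whether search entry resolvers are to be set on the authenticator
     */
    public boolean isEnhanceWithEntryResolver() {
        return enhanceWithEntryResolver;
    }

    /**
     * @param enhanceWithEntryResolver whether search entry resolvers are to be set on the authenticator
     */
    public void setEnhanceWithEntryResolver(final boolean enhanceWithEntryResolver) {
        this.enhanceWithEntryResolver = enhanceWithEntryResolver;
    }

    /**
     * @return the alias dereferencing policy, or {@code null} if none was set
     */
    public DerefAliasesType getDerefAliases() {
        return derefAliases;
    }

    /**
     * @param derefAliases the alias dereferencing policy; see {@link #derefAliases}
     */
    public void setDerefAliases(final DerefAliasesType derefAliases) {
        this.derefAliases = derefAliases;
    }

    /**
     * @return the attribute whose first value replaces the DN, or {@code null} if none was set
     */
    public String getResolveFromAttribute() {
        return resolveFromAttribute;
    }

    /**
     * @param resolveFromAttribute the attribute whose first value replaces the DN
     */
    public void setResolveFromAttribute(final String resolveFromAttribute) {
        this.resolveFromAttribute = resolveFromAttribute;
    }

    /**
     * @return the attribute used as the authenticated username, or {@code null} if none was set
     */
    public String getPrincipalAttributeId() {
        return principalAttributeId;
    }

    /**
     * @param principalAttributeId the attribute used as the authenticated username
     */
    public void setPrincipalAttributeId(final String principalAttributeId) {
        this.principalAttributeId = principalAttributeId;
    }

    /**
     * @return the name of the attribute carrying the principal's DN
     */
    public String getPrincipalDnAttributeName() {
        return principalDnAttributeName;
    }

    /**
     * @param principalDnAttributeName the name of the attribute carrying the principal's DN
     */
    public void setPrincipalDnAttributeName(final String principalDnAttributeName) {
        this.principalDnAttributeName = principalDnAttributeName;
    }

    /**
     * Returns the live, mutable list of additional attributes to retrieve. There is no setter;
     * modify the returned list directly. Serialized as {@code <additionalAttributes>} wrapping
     * {@code <additionalAttribute>} elements.
     *
     * @return the backing list (never {@code null})
     */
    @JacksonXmlElementWrapper(localName = "additionalAttributes")
    @JacksonXmlProperty(localName = "additionalAttribute")
    public List<String> getAdditionalAttributes() {
        return additionalAttributes;
    }

    /**
     * @return whether multiple values of {@link #principalAttributeId} are allowed
     */
    public boolean isAllowMultiplePrincipalAttributeValues() {
        return allowMultiplePrincipalAttributeValues;
    }

    /**
     * @param allowMultiplePrincipalAttributeValues whether multiple values of
     * {@link #principalAttributeId} are allowed
     */
    public void setAllowMultiplePrincipalAttributeValues(final boolean allowMultiplePrincipalAttributeValues) {
        this.allowMultiplePrincipalAttributeValues = allowMultiplePrincipalAttributeValues;
    }

    /**
     * @return the missing-principal-attribute policy; see {@link #allowMissingPrincipalAttributeValue}
     */
    public boolean isAllowMissingPrincipalAttributeValue() {
        return allowMissingPrincipalAttributeValue;
    }

    /**
     * @param allowMissingPrincipalAttributeValue the missing-principal-attribute policy;
     * see {@link #allowMissingPrincipalAttributeValue}
     */
    public void setAllowMissingPrincipalAttributeValue(final boolean allowMissingPrincipalAttributeValue) {
        this.allowMissingPrincipalAttributeValue = allowMissingPrincipalAttributeValue;
    }

    /**
     * @return whether the entry DN is collected as a principal attribute
     */
    public boolean isCollectDnAttribute() {
        return collectDnAttribute;
    }

    /**
     * @param collectDnAttribute whether the entry DN is collected as a principal attribute
     */
    public void setCollectDnAttribute(final boolean collectDnAttribute) {
        this.collectDnAttribute = collectDnAttribute;
    }

    /**
     * Converts this configuration into a property map by delegating to the given mapper;
     * no mapping logic lives in this class.
     *
     * @param authModule the auth module this configuration belongs to
     * @param mapper the strategy that knows how to flatten an LDAP configuration
     * @return whatever the mapper produces for this configuration
     */
    @Override
    public Map<String, Object> map(final AuthModuleTO authModule, final Mapper mapper) {
        return mapper.map(authModule, this);
    }
}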