com.netscape.cms.authentication
Class UidPwdPinDirAuthentication

java.lang.Object
  extended by com.netscape.cms.authentication.DirBasedAuthentication
      extended by com.netscape.cms.authentication.UidPwdPinDirAuthentication
All Implemented Interfaces:
IAuthManager, IExtendedPluginInfo, IProfileAuthenticator

public class UidPwdPinDirAuthentication
extends DirBasedAuthentication
implements IExtendedPluginInfo, IProfileAuthenticator

uid/pwd/pin directory-based authentication manager.

Version:
$Revision: 1211 $, $Date: 2010-08-18 10:15:37 -0700 (Wed, 18 Aug 2010) $

Field Summary
static java.lang.String CRED_PIN
static java.lang.String CRED_PWD
static java.lang.String CRED_UID
static java.lang.String DEF_PIN_ATTR
static boolean DEF_REMOVE_PIN
protected static java.lang.String[] mConfigParams
protected java.security.MessageDigest mMD5Digest
protected java.lang.String mPinAttr
protected boolean mRemovePin
protected static java.lang.String[] mRequiredCreds
protected java.security.MessageDigest mSHADigest
static java.lang.String PROP_PIN_ATTR
static java.lang.String PROP_REMOVE_PIN
protected static byte SENTINEL_MD5
protected static byte SENTINEL_NONE
protected static byte SENTINEL_SHA
 
Fields inherited from class com.netscape.cms.authentication.DirBasedAuthentication
DEFAULT_DNPATTERN, mBaseDN, mConfig, mConnFactory, mExtendedPluginInfo, mImplName, mLdapAttrs, mLdapByteAttrs, mLdapConfig, mLdapStringAttrs, mLogger, mName, mPattern, PROP_BASEDN, PROP_DNPATTERN, PROP_LDAP, PROP_LDAPBYTEATTRS, PROP_LDAPSTRINGATTRS, USER_DN
 
Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo
HELP_TEXT, HELP_TOKEN
 
Fields inherited from interface com.netscape.certsrv.profile.IProfileAuthenticator
AUTHENTICATED_NAME
 
Fields inherited from interface com.netscape.certsrv.authentication.IAuthManager
CRED_CERT_SERIAL_TO_REVOKE, CRED_HOST_NAME, CRED_SESSION_ID, CRED_SSL_CLIENT_CERT
 
Constructor Summary
UidPwdPinDirAuthentication()
          Default constructor, initialization must follow.
 
Method Summary
protected java.lang.String authenticate(netscape.ldap.LDAPConnection conn, IAuthCredentials authCreds, AuthToken token)
          Authenticates a user based on its uid, pwd, pin in the directory.
protected void checkpin(netscape.ldap.LDAPConnection conn, java.lang.String userdn, java.lang.String uid, java.lang.String pin)
java.lang.String[] getConfigParams()
          Returns a list of configuration parameter names.
java.lang.String getName(java.util.Locale locale)
          Retrieves the localizable name of this policy.
java.lang.String[] getRequiredCreds()
          Returns array of required credentials for this authentication manager.
java.lang.String getText(java.util.Locale locale)
          Retrieves the localizable description of this policy.
IDescriptor getValueDescriptor(java.util.Locale locale, java.lang.String name)
          Retrieves the descriptor of the given value parameter by name.
java.util.Enumeration getValueNames()
          Retrieves a list of names of the value parameter.
void init(IProfile profile, IConfigStore config)
          Initializes this default policy.
void init(java.lang.String name, java.lang.String implName, IConfigStore config)
          Initializes the UidPwdDirBasedAuthentication auth manager.
boolean isSSLClientRequired()
          Checks if this authenticator requires SSL client authentication.
boolean isValueWriteable(java.lang.String name)
          Checks if the value of the given property should be serializable into the request.
void populate(IAuthToken token, IRequest request)
          Populates authentication specific information into the request for auditing purposes.
protected void verifyPassword(java.lang.String Password)
 
Methods inherited from class com.netscape.cms.authentication.DirBasedAuthentication
authenticate, formCertInfo, formSubjectName, getConfigStore, getExtendedPluginInfo, getImplName, getLdapAttrs, getLdapByteAttrs, getName, init, log, setAuthTokenByteValue, setAuthTokenStringValue, setAuthTokenValues, shutdown
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo
getExtendedPluginInfo
 
Methods inherited from interface com.netscape.certsrv.profile.IProfileAuthenticator
getConfigStore
 
Methods inherited from interface com.netscape.certsrv.authentication.IAuthManager
authenticate, getImplName, getName, shutdown
 

Field Detail

CRED_UID

public static final java.lang.String CRED_UID
See Also:
Constant Field Values

CRED_PWD

public static final java.lang.String CRED_PWD
See Also:
Constant Field Values

CRED_PIN

public static final java.lang.String CRED_PIN
See Also:
Constant Field Values

mRequiredCreds

protected static java.lang.String[] mRequiredCreds

PROP_REMOVE_PIN

public static final java.lang.String PROP_REMOVE_PIN
See Also:
Constant Field Values

PROP_PIN_ATTR

public static final java.lang.String PROP_PIN_ATTR
See Also:
Constant Field Values

DEF_REMOVE_PIN

public static final boolean DEF_REMOVE_PIN
See Also:
Constant Field Values

DEF_PIN_ATTR

public static final java.lang.String DEF_PIN_ATTR
See Also:
Constant Field Values

SENTINEL_SHA

protected static final byte SENTINEL_SHA
See Also:
Constant Field Values

SENTINEL_MD5

protected static final byte SENTINEL_MD5
See Also:
Constant Field Values

SENTINEL_NONE

protected static final byte SENTINEL_NONE
See Also:
Constant Field Values

mConfigParams

protected static java.lang.String[] mConfigParams

mRemovePin

protected boolean mRemovePin

mPinAttr

protected java.lang.String mPinAttr

mSHADigest

protected java.security.MessageDigest mSHADigest

mMD5Digest

protected java.security.MessageDigest mMD5Digest

Constructor Detail

UidPwdPinDirAuthentication

public UidPwdPinDirAuthentication()
Default constructor, initialization must follow.

Method Detail

init

public void init(java.lang.String name,
                 java.lang.String implName,
                 IConfigStore config)
          throws EBaseException
Description copied from class: DirBasedAuthentication
Initializes the UidPwdDirBasedAuthentication auth manager. Takes the following configuration parameters:
                ldap.basedn              - the ldap base dn.
                ldap.ldapconn.host       - the ldap host.
                ldap.ldapconn.port       - the ldap port.
                ldap.ldapconn.secureConn - whether the port should be secure.
                ldap.minConns            - minimum connections.
                ldap.maxConns            - maximum connections.
                dnpattern                - dn pattern.
 

dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.

The syntax is

     dnpattern = SubjectNameComp *[ "," SubjectNameComp ]

     SubjectNameComp = DnComp | EntryComp | ConstantComp
     DnComp       = CertAttr "=" "$dn" "." DnAttr "." Num
     EntryComp    = CertAttr "=" "$attr" "." EntryAttr "." Num
     ConstantComp = CertAttr "=" Constant
     DnAttr    =  an attribute in the Ldap entry dn
     EntryAttr =  an attribute in the Ldap entry
     CertAttr  =  a Component in the Certificate Subject Name
                  (multiple AVA in one RDN not supported)
     Num       =  the nth value of the attribute in the dn or entry.
     Constant  =  Constant String, with any accepted ldap string value.


Example:

 dnpattern:
     E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US

Ldap entry dn: UID=joesmith, OU=people, O=Acme.com
Ldap attributes:
     cn: Joe Smith
     sn: Smith
     mail: joesmith@acme.com
     mail: joesmith@redhat.com
     ou: people
     ou: IS
     etc.

The subject name formulated in the cert will be:

   E=joesmith@acme.com, CN=Joe Smith, OU=IS, O=Acme.com, C=US

      E = the first 'mail' ldap attribute value in the user's entry - joesmith@acme.com
      CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith
      OU = the second 'ou' value in the ldap entry - IS
      O = the (first) 'o' value in the user's entry DN - "Acme.com"
      C = the constant string "US"
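The dnpattern formulation described above, worked as an added example (not the project's own code, and in Python rather than the CMS Java): form_subject_name and its helpers are hypothetical, the entry DN and attributes are constructed to match the Javadoc example, and, as an assumption beyond what the page states, directory-supplied values are escaped per RFC 4514 so that a comma in an attribute value cannot add an RDN to the subject name.

```python
import re
# Constructed sample input mirroring the Javadoc example above (not project data).
ENTRY_DN = "UID=joesmith, OU=people, O=Acme.com"
ENTRY_ATTRS = {
    "cn": ["Joe Smith"], "sn": ["Smith"],
    "mail": ["joesmith@acme.com", "joesmith@redhat.com"],
    "ou": ["people", "IS"],
}
PATTERN = "E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US"
_COMP = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(.+?)\s*$")
# $dn.<attr>[.<n>] or $attr.<attr>[.<n>]; a missing <n> selects the first value.
_REF = re.compile(r"^\$(dn|attr)\.([A-Za-z][A-Za-z0-9-]*)(?:\.(\d+))?$")


def parse_dn(dn):
    """Split an LDAP DN into attr -> [values in order]; keys lower-cased."""
    out = {}
    for rdn in dn.split(","):
        name, _, value = rdn.partition("=")
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out


def escape_value(value):
    """RFC 4514 escaping (assumed here) so a directory value cannot inject RDNs."""
    value = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    value = re.sub(r"^([ #])", r"\\\1", value)
    return re.sub(r" $", r"\\ ", value)


def form_subject_name(pattern, entry_dn, entry_attrs):
    """Apply a dnpattern; an empty pattern falls back to the entry DN."""
    if not pattern or not pattern.strip():
        return entry_dn
    dn_attrs = parse_dn(entry_dn)
    attrs = {k.lower(): v for k, v in entry_attrs.items()}
    comps = []
    for comp in pattern.split(","):  # constants containing ',' are not supported
        m = _COMP.match(comp)
        if not m:
            raise ValueError(f"bad dnpattern component: {comp!r}")
        cert_attr, value = m.groups()
        ref = _REF.match(value)
        if ref:
            src, name, num = ref.groups()
            values = (dn_attrs if src == "dn" else attrs).get(name.lower(), [])
            n = int(num) if num else 1
            if not 1 <= n <= len(values):
                raise ValueError(f"{cert_attr}: value {n} of '{name}' is not present")
            value = escape_value(values[n - 1])
        comps.append(f"{cert_attr}={value}")
    return ", ".join(comps)
```

A pattern that references a value the entry does not have (for example `$attr.ou.3` against the sample entry) raises rather than silently emitting an empty component.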
 

Specified by:
init in interface IAuthManager
Overrides:
init in class DirBasedAuthentication
Parameters:
name - The name for this authentication manager instance.
implName - The name of the authentication manager plugin.
config - The configuration store for this instance.
Throws:
EBaseException - If an error occurs during initialization.

verifyPassword

protected void verifyPassword(java.lang.String Password)

authenticate

protected java.lang.String authenticate(netscape.ldap.LDAPConnection conn,
                                        IAuthCredentials authCreds,
                                        AuthToken token)
                                 throws EBaseException
Authenticates a user based on its uid, pwd, pin in the directory.

Specified by:
authenticate in class DirBasedAuthentication
Parameters:
authCreds - The authentication credentials with uid, pwd, pin.
Returns:
The user's ldap entry dn.
Throws:
EInvalidCredentials - If the uid and password are not valid
EBaseException - If an internal error occurs.

checkpin

protected void checkpin(netscape.ldap.LDAPConnection conn,
                        java.lang.String userdn,
                        java.lang.String uid,
                        java.lang.String pin)
                 throws EBaseException,
                        netscape.ldap.LDAPException
Throws:
EBaseException
netscape.ldap.LDAPException

getConfigParams

public java.lang.String[] getConfigParams()
Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.

Specified by:
getConfigParams in interface IAuthManager
Specified by:
getConfigParams in class DirBasedAuthentication
Returns:
String array of configuration parameter names.

getRequiredCreds

public java.lang.String[] getRequiredCreds()
Returns array of required credentials for this authentication manager.

Specified by:
getRequiredCreds in interface IAuthManager
Specified by:
getRequiredCreds in class DirBasedAuthentication
Returns:
Array of required credentials.

init

public void init(IProfile profile,
                 IConfigStore config)
          throws EProfileException
Description copied from interface: IProfileAuthenticator
Initializes this default policy.

Specified by:
init in interface IProfileAuthenticator
Parameters:
profile - owner of this authenticator
config - configuration store
Throws:
EProfileException - failed to initialize

getName

public java.lang.String getName(java.util.Locale locale)
Retrieves the localizable name of this policy.

Specified by:
getName in interface IProfileAuthenticator
Parameters:
locale - end user locale
Returns:
localized authenticator name

getText

public java.lang.String getText(java.util.Locale locale)
Retrieves the localizable description of this policy.

Specified by:
getText in interface IProfileAuthenticator
Parameters:
locale - end user locale
Returns:
localized authenticator description

getValueNames

public java.util.Enumeration getValueNames()
Retrieves a list of names of the value parameter.

Specified by:
getValueNames in interface IProfileAuthenticator
Returns:
a list of property names

isValueWriteable

public boolean isValueWriteable(java.lang.String name)
Description copied from interface: IProfileAuthenticator
Checks if the value of the given property should be serializable into the request. A password or other security-related value may not be desirable for storage.

Specified by:
isValueWriteable in interface IProfileAuthenticator
Parameters:
name - property name
Returns:
true if the property is not security related

getValueDescriptor

public IDescriptor getValueDescriptor(java.util.Locale locale,
                                      java.lang.String name)
Retrieves the descriptor of the given value parameter by name.

Specified by:
getValueDescriptor in interface IProfileAuthenticator
Parameters:
locale - user locale
name - property name
Returns:
descriptor of the requested property

populate

public void populate(IAuthToken token,
                     IRequest request)
              throws EProfileException
Description copied from interface: IProfileAuthenticator
Populates authentication specific information into the request for auditing purposes.

Specified by:
populate in interface IProfileAuthenticator
Parameters:
token - authentication token
request - request
Throws:
EProfileException - failed to populate

isSSLClientRequired

public boolean isSSLClientRequired()
Description copied from interface: IProfileAuthenticator
Checks if this authenticator requires SSL client authentication.

Specified by:
isSSLClientRequired in interface IProfileAuthenticator
Returns:
client authentication required or not