java.lang.Object
io.inverno.mod.security.ldap.authentication.LDAPAuthenticator
All Implemented Interfaces:
Authenticator<LoginCredentials,LDAPAuthentication>

public class LDAPAuthenticator extends Object implements Authenticator<LoginCredentials,LDAPAuthentication>

Generic LDAP authenticator.

Since:
1.5
Author:
Jeremy Kuhn
  • Field Details

  • Constructor Details

    • LDAPAuthenticator

      public LDAPAuthenticator(LDAPClient ldapClient, String base)

      Creates an LDAP authenticator with the specified LDAP client and base DN.

      The resulting authenticator is terminal and returns denied authentication on failed authentication.

      Parameters:
      ldapClient - the LDAP client
      base - the base DN where to search for groups
    • LDAPAuthenticator

      public LDAPAuthenticator(LDAPClient ldapClient, String base, String searchGroupFilter)

      Creates an LDAP authenticator with the specified LDAP client, base DN and search group filter.

      The search group filter is parameterized and is formatted using the user's DN and the uid.

      The resulting authenticator is terminal and returns denied authentication on failed authentication.

      Parameters:
      ldapClient - the LDAP client
      base - the base DN where to search for groups
      searchGroupFilter - the search group filter
    • LDAPAuthenticator

      public LDAPAuthenticator(LDAPClient ldapClient, String base, String searchGroupFilter, String usernameFormat)

      Creates an LDAP authenticator with the specified LDAP client, base DN and search group filter.

      The search group filter is parameterized and is formatted using the user's DN and the uid.

      The resulting authenticator is terminal and returns denied authentication on failed authentication.

      Parameters:
      ldapClient - the LDAP client
      base - the base DN where to search for groups
      searchGroupFilter - the search group filter
      usernameFormat - the user DN format
    • LDAPAuthenticator

      public LDAPAuthenticator(LDAPClient ldapClient, String base, String searchGroupFilter, String usernameFormat, String searchUserFilter)

      Creates an LDAP authenticator with the specified LDAP client, base DN and search group filter.

      The search group filter is parameterized and is formatted using the user's DN and the uid.

      The resulting authenticator is terminal and returns denied authentication on failed authentication.

      Parameters:
      ldapClient - the LDAP client
      base - the base DN where to search for groups
      searchGroupFilter - the search group filter
      usernameFormat - the user DN format
      searchUserFilter - the search user filter
    • LDAPAuthenticator

      public LDAPAuthenticator(LDAPClient ldapClient, String base, String searchGroupFilter, String usernameFormat, String searchUserFilter, String passwordAttribute)

      Creates an LDAP authenticator with the specified LDAP client, base DN and search group filter.

      The search group filter is formatted using the user's DN and the uid.

      The bind name is formatted using the uid.

      The resulting authenticator is terminal and returns denied authentication on failed authentication.

      Parameters:
      ldapClient - the LDAP client
      base - the base DN where to search for groups
      searchGroupFilter - the search group filter
      usernameFormat - the user DN format
      searchUserFilter - the search user filter
      passwordAttribute - the id of the password attribute
  • Method Details

    • setTerminal

      public void setTerminal(boolean terminal)

      Sets whether the authenticator is terminal. A terminal authenticator returns a denied authentication on failed authentication; a non-terminal authenticator returns no authentication to indicate that it was not able to authenticate the credentials.

      Parameters:
      terminal - true to terminate authentication, false otherwise
    • getBase

      public String getBase()

      Returns the base DN where to search for groups.

      Returns:
      the base DN
    • getUsernameFormat

      public String getUsernameFormat()

      Returns the user DN format used when binding a user or fetching a user entry.

      Returns:
      a user DN format
    • getSearchGroupFilter

      public String getSearchGroupFilter()

      Returns the search group filter.

      Returns:
      a filter
    • getSearchUserFilter

      public String getSearchUserFilter()

      Returns the search user filter.

      Returns:
      a filter
    • getPasswordAttribute

      public String getPasswordAttribute()

      Returns the name of the password attribute.

      Returns:
      an attribute name
    • authenticate

      public Mono<LDAPAuthentication> authenticate(LoginCredentials credentials)
      Description copied from interface: Authenticator

      Authenticates the specified credentials and returns an authentication.

      Implementations can return an empty mono to indicate that they were unable to authenticate the credentials. This does not mean the credentials are invalid; it simply means that a particular authenticator does not manage them and therefore can't possibly determine whether they are valid. For example, when considering login credentials composed of a user and a password, an authenticator which does not manage that particular user can return an empty mono.

      Implementations must return denied authentications with AuthenticationException when they were able to authenticate credentials which turned out to be invalid. For example, a login credentials authenticator must return a denied authentication exception when it does manage a particular username but the provided password was invalid.

      A denied authentication can also be reported by throwing an AuthenticationException when returning an actual authentication instance is not practical.

      Specified by:
      authenticate in interface Authenticator<LoginCredentials,LDAPAuthentication>
      Parameters:
      credentials - the credentials to authenticate
      Returns:
      a mono emitting an authentication, an error mono or an empty mono if the authenticator could not authenticate the credentials
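
The terminal and non-terminal behaviours described for setTerminal and authenticate above, shown in an added example that is not Inverno code. It models the contract with plain JDK types (Optional.empty() stands for the empty mono); the Auth interface, the store and chain helpers and the sample users are hypothetical.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Simplified model of the authenticator contract, not Inverno types (assumption):
// Optional.empty() = "could not authenticate", Result(authenticated=false) = denied.
public class TerminalChainDemo {

    record Result(String source, boolean authenticated) {}

    interface Auth {
        Optional<Result> authenticate(String user, String password);
    }

    // Hypothetical in-memory store standing in for a directory (constructed data).
    static Auth store(String name, Map<String, String> users, boolean terminal) {
        return (user, password) -> {
            if (password.equals(users.get(user))) {
                return Optional.of(new Result(name, true));
            }
            // Terminal: a failure is reported as denied and ends the decision here.
            // Non-terminal: a failure is reported as "no authentication".
            return terminal ? Optional.of(new Result(name, false)) : Optional.empty();
        };
    }

    // The first authenticator that returns an outcome decides; empty moves on.
    static Result chain(List<Auth> authenticators, String user, String password) {
        for (Auth a : authenticators) {
            Optional<Result> outcome = a.authenticate(user, password);
            if (outcome.isPresent()) {
                return outcome.get();
            }
        }
        return new Result("none", false);
    }

    public static void main(String[] args) {
        Map<String, String> ldap = Map.of("jsmith", "directory-secret");
        Map<String, String> local = Map.of("jsmith", "old-local-secret");
        for (boolean terminal : new boolean[] {true, false}) {
            List<Auth> auths = List.of(store("ldap", ldap, terminal), store("local", local, true));
            // Same login attempt, wrong for the directory but valid in the fallback store.
            System.out.println("terminal=" + terminal + " -> "
                    + chain(auths, "jsmith", "old-local-secret"));
        }
    }
}
```

With terminal set to true, the directory's denial is the final outcome. With terminal set to false, the same login attempt is handed to the fallback store and accepted there, so a non-terminal LDAP authenticator should only sit in front of stores whose credentials are meant to remain valid for the same users.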