Annotation Interface LdapIdentityStoreDefinition
IdentityStore
that stores
caller credentials and identity attributes (together caller identities) in an
LDAP store, and make that implementation available as an enabled CDI bean.
The container-provided IdentityStore
must support validating UsernamePasswordCredential
,
and may support validating other credential types.
-
Nested Class Summary
Modifier and TypeClassDescriptionstatic enum
Enum representing LDAP search scope values. -
Optional Element Summary
Modifier and TypeOptional ElementDescriptionDistinguished name for the application or administrative user that will be used to make the initial connection to the LDAP and to perform searches and lookups.Password for the application/admin user defined by the bindDn member.Base distinguished name for callers in the LDAP store (e.g., "ou=caller,dc=jsr375,dc=net
").Name of the attribute that contains the callers name in the person object (e.g., "uid
").Search base for looking up callers (e.g., "ou=caller,dc=jsr375,dc=net
").Search filter to find callers when callerSearchBase is set.Search scope for caller searches: determines depth of the search in the LDAP tree.Allow callerSearchScope to be specified as an EL expression.Name of the attribute in a group object that identifies the members of the group (e.g., "member
").Name of the attribute in a person object that identifies the groups the caller belongs to (e.g., "memberOf
").Name of the attribute of a group object that represents the group name (e.g., "cn
")Search base for looking up groups (e.g., "ou=group,dc=jsr375,dc=net
").Search filter to find groups when groupSearchBase is set.Search scope for group searches, determines depth of the search in the LDAP tree.Allow groupSearchScope to be specified as an EL expression.int
Set the maximum number of results (objects) the server should return in response to a search.Allow maxResults to be specified as an EL expression.int
Determines the order in case multiple IdentityStores are found.Allow priority to be specified as an EL expression.int
Set the timeout value that should be used when waiting for the LDAP server to return results.Allow readTimeout to be specified as an EL expression.URL where the LDAP server can be reached.Determines what the identity store is used forAllow useFor to be specified as an EL expression.
-
Element Details
-
url
String urlURL where the LDAP server can be reached.E.g.:
ldap://localhost:33389
- Returns:
- URL where the LDAP server can be reached
- Default:
- ""
-
bindDn
String bindDnDistinguished name for the application or administrative user that will be used to make the initial connection to the LDAP and to perform searches and lookups.This value is needed if caller or group lookup will be done. It is not needed if the store will be used only to authenticate callers using direct binding (see callerBaseDn).
This user needs search permission in the LDAP for persons and/or groups.
E.g.:
uid=ldap,ou=apps,dc=jsr375,dc=net
- Returns:
- The distinguished name for the application user.
- Default:
- ""
-
bindDnPassword
String bindDnPasswordPassword for the application/admin user defined by the bindDn member. Only used when the member bindDn is filled in.- Returns:
- password for the application user.
- Default:
- ""
-
callerBaseDn
String callerBaseDnBase distinguished name for callers in the LDAP store (e.g., "ou=caller,dc=jsr375,dc=net
").When this member value is specified, and callerSearchBase is not, direct binding is attempted.
The callerNameAttribute must be specified along with this attribute so that the runtime can create the "leaf" RDN needed to concatenate with the base DN to create the full DN of the caller.
- Returns:
- The base distinguished name for callers.
- Default:
- ""
-
callerNameAttribute
String callerNameAttributeName of the attribute that contains the callers name in the person object (e.g., "uid
").This attribute will be used, with callerBaseDn, to construct caller DNs for direct binding. It is also used to retrieve the caller's name when the caller object is instead looked up using search.
The value of this attribute is returned as the caller principal name for a successful credential validation.
The following gives an example in ldif format:
dn: uid=peter,ou=caller,dc=jsr375,dc=net objectclass: top objectclass: uidObject objectclass: person uid: peter cn: Peter Smith sn: Peter userPassword: secret1
- Returns:
- Name of the attribute that represents the caller name
- Default:
- "uid"
-
callerSearchBase
String callerSearchBaseSearch base for looking up callers (e.g., "ou=caller,dc=jsr375,dc=net
").Overrides callerBaseDn, if configured, causing caller search to be used instead of direct binding. Requires that the bindDn member be filled in.
- Returns:
- Base DN for searching the LDAP tree for callers.
- Default:
- ""
-
callerSearchFilter
String callerSearchFilterSearch filter to find callers when callerSearchBase is set. The search is performed starting from the callerSearchBase DN with the scope specified by callerSearchScope.- Returns:
- Search expression to find callers.
- Default:
- ""
-
callerSearchScope
LdapIdentityStoreDefinition.LdapSearchScope callerSearchScopeSearch scope for caller searches: determines depth of the search in the LDAP tree.- Returns:
- The search scope
- Default:
- SUBTREE
-
callerSearchScopeExpression
String callerSearchScopeExpressionAllow callerSearchScope to be specified as an EL expression. If set, overrides any value set with callerSearchScope.- Returns:
- the callerSearchScope EL expression
- Default:
- ""
-
groupSearchBase
String groupSearchBaseSearch base for looking up groups (e.g., "ou=group,dc=jsr375,dc=net
").Needed only for a store that performs group lookup. Requires that the bindDn member be filled in.
- Returns:
- Base DN for searching the LDAP tree for groups.
- Default:
- ""
-
groupSearchFilter
String groupSearchFilterSearch filter to find groups when groupSearchBase is set. The search is performed starting from the groupSearchBase DN with the scope specified by groupSearchScope.- Returns:
- Search expression to find groups.
- Default:
- ""
-
groupSearchScope
LdapIdentityStoreDefinition.LdapSearchScope groupSearchScopeSearch scope for group searches, determines depth of the search in the LDAP tree.- Returns:
- The search scope
- Default:
- SUBTREE
-
groupSearchScopeExpression
String groupSearchScopeExpressionAllow groupSearchScope to be specified as an EL expression. If set, overrides any value set with groupSearchScope.- Returns:
- the groupSearchScope EL expression
- Default:
- ""
-
groupNameAttribute
String groupNameAttributeName of the attribute of a group object that represents the group name (e.g., "cn
")- Returns:
- Name of the attribute that represents the group name
- Default:
- "cn"
-
groupMemberAttribute
String groupMemberAttributeName of the attribute in a group object that identifies the members of the group (e.g., "member
").The value of this attribute must be the full DN of the caller. The following gives an example entry in ldif format:
dn: cn=foo,ou=group,dc=jsr375,dc=net objectclass: top objectclass: groupOfNames cn: foo member: uid=pete,ou=caller,dc=jsr375,dc=net member: uid=john,ou=caller,dc=jsr375,dc=net
- Returns:
- Attribute for the group members
- Default:
- "member"
-
groupMemberOfAttribute
String groupMemberOfAttributeName of the attribute in a person object that identifies the groups the caller belongs to (e.g., "memberOf
").This attribute is used only if: a) group search is not configured (i.e., no groupSearchBase and groupSearchFilter configured); and, b) the caller's DN is available, either because groups are being returned during the credential validation phase by an identity store that performs both validation and group lookup, or because the DN is available in the
CredentialValidationResult
passed to theIdentityStore.getCallerGroups(CredentialValidationResult)
method.The value of this attribute must be the full DN of the group. The following gives an example entry in ldif format:
dn: uid=peter,ou=caller,dc=jsr375,dc=net objectclass: top objectclass: uidObject objectclass: person uid: peter cn: Peter Smith memberOf: cn=foo,ou=group,dc=jsr375,dc=net memberOf: cn=bar,ou=group,dc=jsr375,dc=net
- Returns:
- Attribute for group membership
- Default:
- "memberOf"
-
readTimeout
int readTimeoutSet the timeout value that should be used when waiting for the LDAP server to return results. Note that this is different from the connection timeout for the underlying socket connection;The default value of 0 means wait forever (assuming the connection itself does not time out).
- Returns:
- The readTimeout value.
- Default:
- 0
-
readTimeoutExpression
String readTimeoutExpressionAllow readTimeout to be specified as an EL expression. If set, overrides any value set with readTimeout.- Returns:
- The readTimeout EL expression
- Default:
- ""
-
maxResults
int maxResultsSet the maximum number of results (objects) the server should return in response to a search.The default value is set to 1000, which corresponds to the maximum number of results most LDAP servers will return for in a single response. Most LDAP servers support paging through result sets larger than 1000, but doing so should rarely be necessary for normal validation and group lookup use cases. Implementations of the built-in LDAP IdentityStore MAY support paging through larger result sets, but are NOT REQUIRED to.
- Returns:
- The maximum number of results the LDAP server should return.
- Default:
- 1000
-
maxResultsExpression
String maxResultsExpressionAllow maxResults to be specified as an EL expression. If set, overrides any value set with maxResults.- Returns:
- The maxResults EL expression
- Default:
- ""
-
priority
int priorityDetermines the order in case multiple IdentityStores are found.- Returns:
- The priority.
- Default:
- 80
-
priorityExpression
String priorityExpressionAllow priority to be specified as an EL expression. If set, overrides any value set with priority.- Returns:
- The priority EL expression
- Default:
- ""
-
useFor
IdentityStore.ValidationType[] useForDetermines what the identity store is used for- Returns:
- The type the identity store is used for
- Default:
- {VALIDATE, PROVIDE_GROUPS}
-
useForExpression
String useForExpressionAllow useFor to be specified as an EL expression. If set, overrides any value set with useFor.- Returns:
- The useFor EL expression
- Default:
- ""
-