Annotation Interface LdapIdentityStoreDefinition


@Retention(RUNTIME) @Target(TYPE) public @interface LdapIdentityStoreDefinition
Annotation used to define a container-provided IdentityStore that stores caller credentials and identity attributes (together caller identities) in an LDAP store, and make that implementation available as an enabled CDI bean.

The container-provided IdentityStore must support validating UsernamePasswordCredential, and may support validating other credential types.

  • Element Details

    • url

      String url
      URL where the LDAP server can be reached.

      E.g.: ldap://localhost:33389

      Returns:
      URL where the LDAP server can be reached
      Default:
      ""
    • bindDn

      String bindDn
      Distinguished name for the application or administrative user that will be used to make the initial connection to the LDAP and to perform searches and lookups.

      This value is needed if caller or group lookup will be done. It is not needed if the store will be used only to authenticate callers using direct binding (see callerBaseDn).

      This user needs search permission in the LDAP for persons and/or groups.

      E.g.: uid=ldap,ou=apps,dc=jsr375,dc=net

      Returns:
      The distinguished name for the application user.
      Default:
      ""
    • bindDnPassword

      String bindDnPassword
      Password for the application/admin user defined by the bindDn member. Only used when the member bindDn is filled in.
      Returns:
      password for the application user.
      Default:
      ""
    • callerBaseDn

      String callerBaseDn
      Base distinguished name for callers in the LDAP store (e.g., "ou=caller,dc=jsr375,dc=net").

      When this member value is specified, and callerSearchBase is not, direct binding is attempted.

      The callerNameAttribute must be specified along with this attribute so that the runtime can create the "leaf" RDN needed to concatenate with the base DN to create the full DN of the caller.

      Returns:
      The base distinguished name for callers.
      Default:
      ""
    • callerNameAttribute

      String callerNameAttribute
      Name of the attribute that contains the callers name in the person object (e.g., "uid").

      This attribute will be used, with callerBaseDn, to construct caller DNs for direct binding. It is also used to retrieve the caller's name when the caller object is instead looked up using search.

      The value of this attribute is returned as the caller principal name for a successful credential validation.

      The following gives an example in ldif format:

       
       dn: uid=peter,ou=caller,dc=jsr375,dc=net
       objectclass: top
       objectclass: uidObject
       objectclass: person
       uid: peter
       cn: Peter Smith
       sn: Peter
       userPassword: secret1
       
       
      Returns:
      Name of the attribute that represents the caller name
      Default:
      "uid"
    • callerSearchBase

      String callerSearchBase
      Search base for looking up callers (e.g., "ou=caller,dc=jsr375,dc=net").

      Overrides callerBaseDn, if configured, causing caller search to be used instead of direct binding. Requires that the bindDn member be filled in.

      Returns:
      Base DN for searching the LDAP tree for callers.
      Default:
      ""
    • callerSearchFilter

      String callerSearchFilter
      Search filter to find callers when callerSearchBase is set. The search is performed starting from the callerSearchBase DN with the scope specified by callerSearchScope.
      Returns:
      Search expression to find callers.
      Default:
      ""
    • callerSearchScope

      Search scope for caller searches: determines depth of the search in the LDAP tree.
      Returns:
      The search scope
      Default:
      SUBTREE
    • callerSearchScopeExpression

      String callerSearchScopeExpression
      Allow callerSearchScope to be specified as an EL expression. If set, overrides any value set with callerSearchScope.
      Returns:
      the callerSearchScope EL expression
      Default:
      ""
    • groupSearchBase

      String groupSearchBase
      Search base for looking up groups (e.g., "ou=group,dc=jsr375,dc=net").

      Needed only for a store that performs group lookup. Requires that the bindDn member be filled in.

      Returns:
      Base DN for searching the LDAP tree for groups.
      Default:
      ""
    • groupSearchFilter

      String groupSearchFilter
      Search filter to find groups when groupSearchBase is set. The search is performed starting from the groupSearchBase DN with the scope specified by groupSearchScope.
      Returns:
      Search expression to find groups.
      Default:
      ""
    • groupSearchScope

      Search scope for group searches, determines depth of the search in the LDAP tree.
      Returns:
      The search scope
      Default:
      SUBTREE
    • groupSearchScopeExpression

      String groupSearchScopeExpression
      Allow groupSearchScope to be specified as an EL expression. If set, overrides any value set with groupSearchScope.
      Returns:
      the groupSearchScope EL expression
      Default:
      ""
    • groupNameAttribute

      String groupNameAttribute
      Name of the attribute of a group object that represents the group name (e.g., "cn")
      Returns:
      Name of the attribute that represents the group name
      Default:
      "cn"
    • groupMemberAttribute

      String groupMemberAttribute
      Name of the attribute in a group object that identifies the members of the group (e.g., "member").

      The value of this attribute must be the full DN of the caller. The following gives an example entry in ldif format:

       
       dn: cn=foo,ou=group,dc=jsr375,dc=net
       objectclass: top
       objectclass: groupOfNames
       cn: foo
       member: uid=pete,ou=caller,dc=jsr375,dc=net
       member: uid=john,ou=caller,dc=jsr375,dc=net
       
       
      Returns:
      Attribute for the group members
      Default:
      "member"
    • groupMemberOfAttribute

      String groupMemberOfAttribute
      Name of the attribute in a person object that identifies the groups the caller belongs to (e.g., "memberOf").

      This attribute is used only if: a) group search is not configured (i.e., no groupSearchBase and groupSearchFilter configured); and, b) the caller's DN is available, either because groups are being returned during the credential validation phase by an identity store that performs both validation and group lookup, or because the DN is available in the CredentialValidationResult passed to the IdentityStore.getCallerGroups(CredentialValidationResult) method.

      The value of this attribute must be the full DN of the group. The following gives an example entry in ldif format:

       
       dn: uid=peter,ou=caller,dc=jsr375,dc=net
       objectclass: top
       objectclass: uidObject
       objectclass: person
       uid: peter
       cn: Peter Smith
       memberOf: cn=foo,ou=group,dc=jsr375,dc=net
       memberOf: cn=bar,ou=group,dc=jsr375,dc=net
       
       
      Returns:
      Attribute for group membership
      Default:
      "memberOf"
    • readTimeout

      int readTimeout
      Set the timeout value that should be used when waiting for the LDAP server to return results. Note that this is different from the connection timeout for the underlying socket connection;

      The default value of 0 means wait forever (assuming the connection itself does not time out).

      Returns:
      The readTimeout value.
      Default:
      0
    • readTimeoutExpression

      String readTimeoutExpression
      Allow readTimeout to be specified as an EL expression. If set, overrides any value set with readTimeout.
      Returns:
      The readTimeout EL expression
      Default:
      ""
    • maxResults

      int maxResults
      Set the maximum number of results (objects) the server should return in response to a search.

      The default value is set to 1000, which corresponds to the maximum number of results most LDAP servers will return for in a single response. Most LDAP servers support paging through result sets larger than 1000, but doing so should rarely be necessary for normal validation and group lookup use cases. Implementations of the built-in LDAP IdentityStore MAY support paging through larger result sets, but are NOT REQUIRED to.

      Returns:
      The maximum number of results the LDAP server should return.
      Default:
      1000
    • maxResultsExpression

      String maxResultsExpression
      Allow maxResults to be specified as an EL expression. If set, overrides any value set with maxResults.
      Returns:
      The maxResults EL expression
      Default:
      ""
    • priority

      int priority
      Determines the order in case multiple IdentityStores are found.
      Returns:
      The priority.
      Default:
      80
    • priorityExpression

      String priorityExpression
      Allow priority to be specified as an EL expression. If set, overrides any value set with priority.
      Returns:
      The priority EL expression
      Default:
      ""
    • useFor

      Determines what the identity store is used for
      Returns:
      The type the identity store is used for
      Default:
      {VALIDATE, PROVIDE_GROUPS}
    • useForExpression

      String useForExpression
      Allow useFor to be specified as an EL expression. If set, overrides any value set with useFor.
      Returns:
      The useFor EL expression
      Default:
      ""