Annotation Type LdapIdentityStoreDefinition

@Retention(RUNTIME) @Target(TYPE) public @interface LdapIdentityStoreDefinition

Annotation used to define a container-provided IdentityStore that stores caller credentials and identity attributes (together, caller identities) in an LDAP store, and make that implementation available as an enabled CDI bean. The container-provided IdentityStore must support validating UsernamePasswordCredential, and may support validating other credential types.
Optional Element Summary

| Modifier and Type | Optional Element | Description |
|---|---|---|
| java.lang.String | bindDn | Distinguished name for the application or administrative user that will be used to make the initial connection to the LDAP and to perform searches and lookups. |
| java.lang.String | bindDnPassword | Password for the application/admin user defined by the bindDn member. |
| java.lang.String | callerBaseDn | Base distinguished name for callers in the LDAP store (e.g., "ou=caller,dc=jsr375,dc=net"). |
| java.lang.String | callerNameAttribute | Name of the attribute that contains the caller's name in the person object (e.g., "uid"). |
| java.lang.String | callerSearchBase | Search base for looking up callers (e.g., "ou=caller,dc=jsr375,dc=net"). |
| java.lang.String | callerSearchFilter | Search filter to find callers when callerSearchBase is set. |
| LdapIdentityStoreDefinition.LdapSearchScope | callerSearchScope | Search scope for caller searches: determines depth of the search in the LDAP tree. |
| java.lang.String | callerSearchScopeExpression | Allow callerSearchScope to be specified as an EL expression. |
| java.lang.String | groupMemberAttribute | Name of the attribute in a group object that identifies the members of the group (e.g., "member"). |
| java.lang.String | groupMemberOfAttribute | Name of the attribute in a person object that identifies the groups the caller belongs to (e.g., "memberOf"). |
| java.lang.String | groupNameAttribute | Name of the attribute of a group object that represents the group name (e.g., "cn"). |
| java.lang.String | groupSearchBase | Search base for looking up groups (e.g., "ou=group,dc=jsr375,dc=net"). |
| java.lang.String | groupSearchFilter | Search filter to find groups when groupSearchBase is set. |
| LdapIdentityStoreDefinition.LdapSearchScope | groupSearchScope | Search scope for group searches: determines depth of the search in the LDAP tree. |
| java.lang.String | groupSearchScopeExpression | Allow groupSearchScope to be specified as an EL expression. |
| int | maxResults | Set the maximum number of results (objects) the server should return in response to a search. |
| java.lang.String | maxResultsExpression | Allow maxResults to be specified as an EL expression. |
| int | priority | Determines the order in case multiple IdentityStores are found. |
| java.lang.String | priorityExpression | Allow priority to be specified as an EL expression. |
| int | readTimeout | Set the timeout value that should be used when waiting for the LDAP server to return results. |
| java.lang.String | readTimeoutExpression | Allow readTimeout to be specified as an EL expression. |
| java.lang.String | url | URL where the LDAP server can be reached. |
| IdentityStore.ValidationType[] | useFor | Determines what the identity store is used for. |
| java.lang.String | useForExpression | Allow useFor to be specified as an EL expression. |
bindDn

java.lang.String bindDn

Distinguished name for the application or administrative user that will be used to make the initial connection to the LDAP and to perform searches and lookups. This value is needed if caller or group lookup will be done. It is not needed if the store will be used only to authenticate callers using direct binding (see callerBaseDn).
This user needs search permission in the LDAP for persons and/or groups.
E.g.:

```ldif
uid=ldap,ou=apps,dc=jsr375,dc=net
```

- Returns: The distinguished name for the application user.
- Default: ""
callerBaseDn

java.lang.String callerBaseDn

Base distinguished name for callers in the LDAP store (e.g., "ou=caller,dc=jsr375,dc=net"). When this member value is specified, and callerSearchBase is not, direct binding is attempted.
The callerNameAttribute must be specified along with this attribute so that the runtime can create the "leaf" RDN needed to concatenate with the base DN to create the full DN of the caller.

- Returns: The base distinguished name for callers.
- Default: ""
callerNameAttribute

java.lang.String callerNameAttribute

Name of the attribute that contains the caller's name in the person object (e.g., "uid"). This attribute will be used, with callerBaseDn, to construct caller DNs for direct binding. It is also used to retrieve the caller's name when the caller object is instead looked up using search.
The value of this attribute is returned as the caller principal name for a successful credential validation.
The following gives an example in ldif format:

```ldif
dn: uid=peter,ou=caller,dc=jsr375,dc=net
objectclass: top
objectclass: uidObject
objectclass: person
uid: peter
cn: Peter Smith
sn: Peter
userPassword: secret1
```

- Returns: Name of the attribute that represents the caller name
- Default: "uid"
callerSearchBase

java.lang.String callerSearchBase

Search base for looking up callers (e.g., "ou=caller,dc=jsr375,dc=net"). Overrides callerBaseDn, if configured, causing caller search to be used instead of direct binding. Requires that the bindDn member be filled in.

- Returns: Base DN for searching the LDAP tree for callers.
- Default: ""
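The two caller-resolution modes described by bindDn, callerBaseDn, callerNameAttribute and callerSearchBase, shown side by side as an added example (this is illustrative code, not part of the JSR 375 API documentation or of any implementation). The LDAP host, the `ldapConfig` CDI bean and the use of an EL expression for `bindDnPassword` are assumptions; the DNs are the ones used in the examples on this page. The two classes are package-private only so that both fit in one listing; in a real deployment each annotated class would normally live in its own file.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition;
import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition.LdapSearchScope;

// Variant A: direct binding. No bindDn is needed. The runtime builds the caller DN as
// "<callerNameAttribute>=<callerName>,<callerBaseDn>" and binds with the caller's own
// password, so every caller entry must sit exactly one level below callerBaseDn.
@LdapIdentityStoreDefinition(
    url = "ldaps://ldap.example.test:636",        // assumed host; not from the page
    callerBaseDn = "ou=caller,dc=jsr375,dc=net",
    callerNameAttribute = "uid"
)
@ApplicationScoped
class DirectBindLdapStore {
}

// Variant B: search, then bind. callerSearchBase overrides callerBaseDn, so the runtime
// first searches for the caller entry using the bindDn account (which therefore needs
// search permission under callerSearchBase, and nothing more), then validates the
// caller's password against the entry it found. Callers may live anywhere under the
// base because the scope is SUBTREE (the default, written out here for clarity).
@LdapIdentityStoreDefinition(
    url = "ldaps://ldap.example.test:636",
    bindDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
    // Assumption: String members accept EL, so the secret is read from a CDI bean
    // named "ldapConfig" instead of being compiled into the class.
    bindDnPassword = "#{ldapConfig.bindPassword}",
    callerSearchBase = "ou=caller,dc=jsr375,dc=net",
    callerSearchScope = LdapSearchScope.SUBTREE,
    callerNameAttribute = "uid"
)
@ApplicationScoped
class SearchThenBindLdapStore {
}
```

Only one of the two definitions would be deployed in practice; the point of the pairing is that setting callerSearchBase is what flips the store from direct binding to search, and that only the search variant requires a bindDn account and its password.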
callerSearchScope

LdapIdentityStoreDefinition.LdapSearchScope callerSearchScope

Search scope for caller searches: determines depth of the search in the LDAP tree.

- Returns: The search scope
- Default: javax.security.enterprise.identitystore.LdapIdentityStoreDefinition.LdapSearchScope.SUBTREE
groupSearchScope

LdapIdentityStoreDefinition.LdapSearchScope groupSearchScope

Search scope for group searches: determines depth of the search in the LDAP tree.

- Returns: The search scope
- Default: javax.security.enterprise.identitystore.LdapIdentityStoreDefinition.LdapSearchScope.SUBTREE
groupMemberAttribute

java.lang.String groupMemberAttribute

Name of the attribute in a group object that identifies the members of the group (e.g., "member"). The value of this attribute must be the full DN of the caller. The following gives an example entry in ldif format:

```ldif
dn: cn=foo,ou=group,dc=jsr375,dc=net
objectclass: top
objectclass: groupOfNames
cn: foo
member: uid=pete,ou=caller,dc=jsr375,dc=net
member: uid=john,ou=caller,dc=jsr375,dc=net
```

- Returns: Attribute for the group members
- Default: "member"
groupMemberOfAttribute

java.lang.String groupMemberOfAttribute

Name of the attribute in a person object that identifies the groups the caller belongs to (e.g., "memberOf"). This attribute is used only if: a) group search is not configured (i.e., no groupSearchBase and groupSearchFilter configured); and b) the caller's DN is available, either because groups are being returned during the credential validation phase by an identity store that performs both validation and group lookup, or because the DN is available in the CredentialValidationResult passed to the IdentityStore.getCallerGroups(CredentialValidationResult) method. The value of this attribute must be the full DN of the group. The following gives an example entry in ldif format:

```ldif
dn: uid=peter,ou=caller,dc=jsr375,dc=net
objectclass: top
objectclass: uidObject
objectclass: person
uid: peter
cn: Peter Smith
memberOf: cn=foo,ou=group,dc=jsr375,dc=net
memberOf: cn=bar,ou=group,dc=jsr375,dc=net
```

- Returns: Attribute for group membership
- Default: "memberOf"
readTimeout

int readTimeout

Set the timeout value that should be used when waiting for the LDAP server to return results. Note that this is different from the connection timeout for the underlying socket connection. The default value of 0 means wait forever (assuming the connection itself does not time out).

- Returns: The readTimeout value.
- Default: 0
maxResults

int maxResults

Set the maximum number of results (objects) the server should return in response to a search. The default value is set to 1000, which corresponds to the maximum number of results most LDAP servers will return in a single response. Most LDAP servers support paging through result sets larger than 1000, but doing so should rarely be necessary for normal validation and group lookup use cases. Implementations of the built-in LDAP IdentityStore MAY support paging through larger result sets, but are NOT REQUIRED to.

- Returns: The maximum number of results the LDAP server should return.
- Default: 1000
useFor

IdentityStore.ValidationType[] useFor

Determines what the identity store is used for.

- Returns: The type the identity store is used for
- Default: {javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE, javax.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS}
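An added example (not from the JSR 375 documentation or any implementation) that puts the group-lookup members (groupMemberAttribute, groupMemberOfAttribute, groupSearchBase, groupSearchScope), the result-limiting members (readTimeout, maxResults and their EL variants) and useFor together: one store that only validates credentials and one that only provides groups. The LDAP host, the `ldapConfig` CDI bean and its property names are assumptions; the DNs and attribute names are those used in the ldif examples on this page.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition;
import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition.LdapSearchScope;
import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;

// Store 1: validates the caller's password by direct binding and does nothing else.
// With useFor = VALIDATE this store never performs a group lookup, so neither
// groupMemberOfAttribute nor any groupSearch* member is consulted here.
@LdapIdentityStoreDefinition(
    url = "ldaps://ldap.example.test:636",        // assumed host; not from the page
    callerBaseDn = "ou=caller,dc=jsr375,dc=net",
    callerNameAttribute = "uid",
    useFor = VALIDATE,
    priority = 10                                 // ordering relative to other stores
)
@ApplicationScoped
class CredentialOnlyLdapStore {
}

// Store 2: provides groups only. Because groupSearchBase is set, group search is
// configured and groupMemberOfAttribute is ignored; membership is resolved by finding
// group entries under groupSearchBase whose "member" attribute holds the caller's full
// DN (cn=foo,ou=group,dc=jsr375,dc=net with member: uid=peter,... in the page's ldif).
// callerSearchBase is still needed so the store can resolve the caller name passed in
// the CredentialValidationResult to the DN used for that match.
@LdapIdentityStoreDefinition(
    url = "ldaps://ldap.example.test:636",
    bindDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
    // Assumption: EL in a String member, resolved against a CDI bean named "ldapConfig".
    bindDnPassword = "#{ldapConfig.bindPassword}",
    callerSearchBase = "ou=caller,dc=jsr375,dc=net",
    callerNameAttribute = "uid",
    groupSearchBase = "ou=group,dc=jsr375,dc=net",
    groupSearchScope = LdapSearchScope.ONE_LEVEL, // groups sit directly under the base
    groupMemberAttribute = "member",
    groupNameAttribute = "cn",
    // Replace the default of 0 (wait forever) with a deployment-specific bound; the
    // page does not state the unit, so the bean property is deliberately unit-neutral.
    readTimeoutExpression = "#{ldapConfig.readTimeout}",
    // Keep the result limit well below the 1000 that most servers return per response,
    // since a caller belongs to a handful of groups, not hundreds.
    maxResultsExpression = "#{ldapConfig.maxGroupResults}",
    useFor = PROVIDE_GROUPS,
    priority = 20
)
@ApplicationScoped
class GroupsOnlyLdapStore {
}
```

Splitting validation and group provisioning across two definitions is useful when the credential check should bind as the caller (no service account involved) while group resolution needs a read-only service account with search rights limited to the group subtree; the `useFor` member is what keeps each store to its single job.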