Class LDAPSecurityRealm

All Implemented Interfaces:
ExtensionPoint, Describable<SecurityRealm>

public class LDAPSecurityRealm extends AbstractPasswordBasedSecurityRealm
SecurityRealm implementation that uses LDAP for authentication.

Key Object Classes

Group Membership

Two object classes are relevant. Both are defined in RFC 2256 and shipped in core.schema. Both record membership as DNs, so a group can contain entries of any kind. The difference is the syntax of the membership attribute: member is a plain distinguishedName, while uniqueMember uses the "Name and Optional UID" syntax (1.3.6.1.4.1.1466.115.121.1.34), a DN optionally followed by '#' and a bit string that tells the entry apart from a later entry reusing the same DN.

   attributetype ( 2.5.4.31 NAME 'member'
     DESC 'RFC2256: member of a group'
     SUP distinguishedName )

   attributetype ( 2.5.4.50 NAME 'uniqueMember'
     DESC 'RFC2256: unique member of a group'
     EQUALITY uniqueMemberMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

   objectclass ( 2.5.6.9 NAME 'groupOfNames'
     DESC 'RFC2256: a group of names (DNs)'
     SUP top STRUCTURAL
     MUST ( member $ cn )
     MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

   objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
     DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
     SUP top STRUCTURAL
     MUST ( uniqueMember $ cn )
     MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
 

These are from nis.schema (RFC 2307) and model POSIX groups and accounts. Note that membership is recorded as memberUid values (login names), not DNs, so a membership lookup must match on the user name rather than the user's DN.

   objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
     DESC 'Abstraction of a group of accounts'
     SUP top STRUCTURAL
     MUST ( cn $ gidNumber )
     MAY ( userPassword $ memberUid $ description ) )

   attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
     EQUALITY caseExactIA5Match
     SUBSTR caseExactIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

   objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
     DESC 'Abstraction of an account with POSIX attributes'
     SUP top AUXILIARY
     MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
     MAY ( userPassword $ loginShell $ gecos $ description ) )

   attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
     DESC 'An integer uniquely identifying a user in an administrative domain'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

   attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
     DESC 'An integer uniquely identifying a group in an administrative domain'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 

Active Directory specific schemas (from the Active Directory schema reference listed under References below). AD's group also records membership in the DN-valued member attribute, but a user's primary group is expressed only through the user's primaryGroupID and does not appear in that group's member attribute.

   objectclass ( 1.2.840.113556.1.5.8
     NAME 'group'
     SUP top
     STRUCTURAL
     MUST (groupType )
     MAY (member $ nTGroupMembers $ operatorCount $ adminCount $
         groupAttributes $ groupMembershipSAM $ controlAccessRights $
         desktopProfile $ nonSecurityMember $ managedBy $
         primaryGroupToken $ mail ) )

   objectclass ( 1.2.840.113556.1.5.9
     NAME 'user'
     SUP organizationalPerson
     STRUCTURAL
     MAY (userCertificate $ networkAddress $ userAccountControl $
         badPwdCount $ codePage $ homeDirectory $ homeDrive $
         badPasswordTime $ lastLogoff $ lastLogon $ dBCSPwd $
         localeID $ scriptPath $ logonHours $ logonWorkstation $
         maxStorage $ userWorkstations $ unicodePwd $
         otherLoginWorkstations $ ntPwdHistory $ pwdLastSet $
         preferredOU $ primaryGroupID $ userParameters $
         profilePath $ operatorCount $ adminCount $ accountExpires $
         lmPwdHistory $ groupMembershipSAM $ logonCount $
         controlAccessRights $ defaultClassStore $ groupsToIgnore $
         groupPriority $ desktopProfile $ dynamicLDAPServer $
         userPrincipalName $ lockoutTime $ userSharedFolder $
         userSharedFolderOther $ servicePrincipalName $
         aCSPolicyName $ terminalServer $ mSMQSignCertificates $
         mSMQDigests $ mSMQDigestsMig $ mSMQSignCertificatesMig $
         msNPAllowDialin $ msNPCallingStationID $
         msNPSavedCallingStationID $ msRADIUSCallbackNumber $
         msRADIUSFramedIPAddress $ msRADIUSFramedRoute $
         msRADIUSServiceType $ msRASSavedCallbackNumber $
         msRASSavedFramedIPAddress $ msRASSavedFramedRoute $
         mS-DS-CreatorSID ) )
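
The membership lookup the three group models above imply, as an added example that is not the plugin's code: the sample directory, the combined filter template and the small filter evaluator are all constructed here. The template uses the placeholders groupMembershipFilter documents ({0} = the user's full DN, {1} = the username); everything else (entry names, the "example.org" DNs, the evaluator's supported filter subset) is an assumption. The point it shows beyond the schemas themselves is that the values substituted into a filter must be escaped per RFC 4515, otherwise a username of "*" matches every group.

```python
"""Group-membership lookup for groupOfNames/member, groupOfUniqueNames/uniqueMember
(DN-valued) and posixGroup/memberUid (login-name-valued).  Added example; the
directory, template and evaluator are constructed, not the plugin's code."""
import re
from typing import Dict, List, Tuple

PEOPLE = "ou=people,dc=example,dc=org"
GROUPS = "ou=groups,dc=example,dc=org"

# Constructed sample directory (not real data); "dn" is kept as an attribute.
DIRECTORY: List[Dict[str, List[str]]] = [
    {"dn": [f"uid=alice,{PEOPLE}"], "objectClass": ["posixAccount"], "uid": ["alice"], "cn": ["Alice"]},
    {"dn": [f"uid=bob,{PEOPLE}"], "objectClass": ["posixAccount"], "uid": ["bob"], "cn": ["Bob"]},
    {"dn": [f"cn=admins,{GROUPS}"], "objectClass": ["groupOfNames"], "cn": ["admins"],
     "member": [f"uid=alice,{PEOPLE}"]},
    # uniqueMember may carry "#<bit string>" after the DN (Name and Optional UID).
    {"dn": [f"cn=release,{GROUPS}"], "objectClass": ["groupOfUniqueNames"], "cn": ["release"],
     "uniqueMember": [f"uid=bob,{PEOPLE}#'0101'B"]},
    {"dn": [f"cn=developers,{GROUPS}"], "objectClass": ["posixGroup"], "cn": ["developers"],
     "gidNumber": ["2000"], "memberUid": ["alice", "bob"]},
]

# Assumed template using the documented placeholders: {0} = user DN, {1} = username.
MEMBERSHIP_FILTER = "(| (member={0}) (uniqueMember={0}) (memberUid={1}) )"

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, user_dn: str, username: str, escape: bool = True) -> str:
    """Fill {0}/{1}.  escape=False reproduces the injectable mistake on purpose."""
    dn = escape_filter_value(user_dn) if escape else user_dn
    name = escape_filter_value(username) if escape else username
    return template.replace("{0}", dn).replace("{1}", name)


def parse_filter(text: str) -> Tuple:
    """Parse the RFC 4515 subset used here: equality items nested under & and |."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(s: str, i: int) -> Tuple[Tuple, int]:
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    while s[i] == " ":
        i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while True:
            while s[i] == " ":
                i += 1
            if s[i] != "(":
                break
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    end = s.index(")", i)          # a ')' inside a value must be escaped as \29
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip(), value), end + 1


def _value_matches(pattern: str, actual: str) -> bool:
    """Equality with '*' wildcards; \\XX escapes in the pattern are literal characters."""
    parts = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        parts.append(re.escape(literal))
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def _entry_matches(entry: Dict[str, List[str]], node: Tuple) -> bool:
    if node[0] in "&|":
        hits = [_entry_matches(entry, child) for child in node[1]]
        return all(hits) if node[0] == "&" else any(hits)
    _, attr, pattern = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if attr.lower() == "uniquemember":      # compare the DN part only
        values = [v.split("#", 1)[0] for v in values]
    return any(_value_matches(pattern, v) for v in values)


def groups_for_user(user_dn: str, username: str, escape: bool = True) -> List[str]:
    """Return the cn of every entry the rendered membership filter matches."""
    node = parse_filter(render_filter(MEMBERSHIP_FILTER, user_dn, username, escape))
    return sorted(e["cn"][0] for e in DIRECTORY if _entry_matches(e, node))
```

groups_for_user("uid=alice,ou=people,dc=example,dc=org", "alice") returns the DN-based admins group and the memberUid-based developers group together; bob is found in release only because the '#...' unique identifier is stripped before comparing the DN. With escape=False a username of "*" and a DN of "uid=*,..." match all three groups, which is why the values fed into userSearch and groupMembershipFilter must be escaped rather than concatenated.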
 

References

Standard Schemas
The downloadable distribution contains schemas that define the structure of LDAP entries. Because these are standard, most LDAP servers ship them, but several objectClasses serve the same purpose and many deployments pick different ones.
RFC 2256
Defines the meaning of several key datatypes used in the schemas with some explanations.
Active Directory schema
More navigable schema list, including core and MS extensions specific to Active Directory.
Since:
1.166
Author:
Kohsuke Kawaguchi
  • Field Details

    • server

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public transient String server
      Deprecated.
      LDAP server name(s) separated by spaces, optionally with TCP port number, like "ldap.acme.org" or "ldap.acme.org:389" and/or with protocol, like "ldap://ldap.acme.org".
    • rootDN

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public transient String rootDN
      Deprecated.
The root DN (search base) of the directory, normally something like "dc=sun,dc=com". When left blank it is inferred from the server unless inhibitInferRootDN is set.
    • inhibitInferRootDN

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public transient boolean inhibitInferRootDN
      Deprecated.
If true, do not try to infer the root DN from the server; rootDN may then be left blank. Default is false, meaning an empty rootDN is inferred.
    • userSearchBase

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public transient String userSearchBase
      Deprecated.
      Specifies the relative DN from the root DN. This is used to narrow down the search space when doing user search. Something like "ou=people" but can be empty.
    • userSearch

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public transient String userSearch
      Deprecated.
      Query to locate an entry that identifies the user, given the user name string. Normally "uid={0}"
      See Also:
      • FilterBasedLdapUserSearch
    • groupSearchBase

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public transient String groupSearchBase
      Deprecated.
This defines the organizational unit that contains groups. Normally "" to search the whole directory, but it can often be narrowed down to something like "ou=groups".
      See Also:
      • FilterBasedLdapUserSearch
    • groupSearchFilter

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public transient String groupSearchFilter
      Deprecated.
      Query to locate an entry that identifies the group, given the group name string. If non-null it will override the default specified by GROUP_SEARCH
      Since:
      1.5
    • groupMembershipFilter

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public transient String groupMembershipFilter
      Deprecated.
Query to locate the group entries that a user belongs to, given the user object. {0} is the user's full DN while {1} is the username. If non-null it will override the default.
      Since:
      1.5
    • groupMembershipStrategy

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public transient LDAPGroupMembershipStrategy groupMembershipStrategy
      Deprecated.
      Since:
      2.0
    • managerDN

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public transient String managerDN
      Deprecated.
      If non-null, we use this and managerPasswordSecret when binding to LDAP. This is necessary when LDAP doesn't support anonymous access.
    • disableMailAddressResolver

      public final boolean disableMailAddressResolver
      Since:
      1.2
    • LOGGER

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public static final Logger LOGGER
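
A normaliser for the server and rootDN fields described above, as an added example that is not the plugin's toProviderUrl: it accepts the documented token forms ("ldap.acme.org", "ldap.acme.org:389", "ldap://ldap.acme.org"), rejects anything else, and attaches the root DN as the URL path with RFC 4516 percent-encoding. The default scheme, the host pattern, the encoding choice and the plaintext check are all assumptions made here; the check exists because a managerDN simple bind over ldap:// without StartTLS sends the manager password in clear text.

```python
"""Provider URLs from the space-separated server list plus rootDN.  Added example,
not the plugin's own toProviderUrl; the normalisation rules are assumptions."""
import re
from typing import List
from urllib.parse import quote

# host or host:port; IPv6 literals are deliberately out of scope here.
_HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def to_provider_urls(server: str, root_dn: str) -> List[str]:
    """One URL per token; a token without a scheme is assumed to be plain ldap://."""
    urls = []
    for token in server.split():
        scheme, sep, hostport = token.partition("://")
        if not sep:
            scheme, hostport = "ldap", token
        if scheme not in ("ldap", "ldaps"):
            raise ValueError(f"unsupported scheme in {token!r}")
        if not _HOSTPORT.match(hostport):
            raise ValueError(f"malformed host in {token!r}")
        # RFC 4516: the DN is the URL path; spaces and other unsafe characters are
        # percent-encoded while '=' and ',' stay readable.
        urls.append(f"{scheme}://{hostport}/{quote(root_dn, safe='=,')}")
    return urls


def plaintext_urls(urls: List[str]) -> List[str]:
    """URLs over which a simple bind sends the managerDN password unencrypted
    unless StartTLS is negotiated first."""
    return [u for u in urls if u.startswith("ldap://")]
```

to_provider_urls("ldap.acme.org ldaps://ldap2.acme.org:636", "dc=acme,dc=org") yields one ldap:// and one ldaps:// URL; plaintext_urls returns the first, which is the one to fix before configuring a managerDN bind.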
  • Constructor Details

  • Method Details

    • getConfigurations

      public List<LDAPConfiguration> getConfigurations()
    • isDisableRolePrefixing

      public boolean isDisableRolePrefixing()
    • setDisableRolePrefixing

      @DataBoundSetter public void setDisableRolePrefixing(boolean disableRolePrefixing)
    • getServerUrl

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public String getServerUrl()
      Deprecated.
    • getUserIdStrategy

      public IdStrategy getUserIdStrategy()
      Overrides:
      getUserIdStrategy in class SecurityRealm
    • getGroupIdStrategy

      public IdStrategy getGroupIdStrategy()
      Overrides:
      getGroupIdStrategy in class SecurityRealm
    • getCache

    • getCacheSize

      public Integer getCacheSize()
    • getCacheTTL

      public Integer getCacheTTL()
    • getGroupMembershipFilter

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public String getGroupMembershipFilter()
      Deprecated.
    • getGroupMembershipStrategy

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public LDAPGroupMembershipStrategy getGroupMembershipStrategy()
      Deprecated.
    • getGroupSearchFilter

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public String getGroupSearchFilter()
      Deprecated.
    • getExtraEnvVars

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public Map<String,String> getExtraEnvVars()
      Deprecated.
    • getEnvironmentProperties

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public LDAPSecurityRealm.EnvironmentProperty[] getEnvironmentProperties()
      Deprecated.
    • getManagerPassword

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public String getManagerPassword()
      Deprecated.
    • getManagerPasswordSecret

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public Secret getManagerPasswordSecret()
      Deprecated.
    • getLDAPURL

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public String getLDAPURL()
      Deprecated.
    • getDisplayNameAttributeName

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public String getDisplayNameAttributeName()
      Deprecated.
    • getMailAddressAttributeName

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public String getMailAddressAttributeName()
      Deprecated.
    • getConfigurationFor

      @CheckForNull @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public LDAPConfiguration getConfigurationFor(org.springframework.security.ldap.userdetails.LdapUserDetails d)
    • hasMultiConfiguration

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public boolean hasMultiConfiguration()
    • getConfigurationFor

      @CheckForNull @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public LDAPConfiguration getConfigurationFor(String configurationId)
    • toProviderUrl

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public static String toProviderUrl(String serverUrl, String rootDN)
    • createSecurityComponents

      @NonNull public SecurityRealm.SecurityComponents createSecurityComponents()
      Overrides:
      createSecurityComponents in class AbstractPasswordBasedSecurityRealm
    • authenticate2

      protected org.springframework.security.core.userdetails.UserDetails authenticate2(String username, String password) throws org.springframework.security.core.AuthenticationException
      Overrides:
      authenticate2 in class AbstractPasswordBasedSecurityRealm
      Throws:
      org.springframework.security.core.AuthenticationException
    • loadUserByUsername2

      public org.springframework.security.core.userdetails.UserDetails loadUserByUsername2(String username) throws org.springframework.security.core.userdetails.UsernameNotFoundException
      Overrides:
      loadUserByUsername2 in class AbstractPasswordBasedSecurityRealm
      Throws:
      org.springframework.security.core.userdetails.UsernameNotFoundException
    • updateUserDetails

      public org.springframework.security.core.Authentication updateUserDetails(org.springframework.security.core.Authentication authentication, @CheckForNull org.springframework.security.ldap.search.LdapUserSearch ldapUserSearch)
    • updateUserDetails

      public org.springframework.security.core.userdetails.UserDetails updateUserDetails(org.springframework.security.core.userdetails.UserDetails userDetails, @CheckForNull org.springframework.security.ldap.search.LdapUserSearch ldapUserSearch)
    • updateUserDetails

      public hudson.security.LDAPSecurityRealm.DelegatedLdapUserDetails updateUserDetails(org.springframework.security.ldap.userdetails.LdapUserDetails d, @CheckForNull org.springframework.security.ldap.search.LdapUserSearch ldapUserSearch)
    • loadGroupByGroupname2

      public GroupDetails loadGroupByGroupname2(String groupname, boolean fetchMembers) throws org.springframework.security.core.userdetails.UsernameNotFoundException
      Overrides:
      loadGroupByGroupname2 in class AbstractPasswordBasedSecurityRealm
      Throws:
      org.springframework.security.core.userdetails.UsernameNotFoundException
    • getDescriptor

      public LDAPSecurityRealm.DescriptorImpl getDescriptor()
      Specified by:
      getDescriptor in interface Describable<SecurityRealm>
      Overrides:
      getDescriptor in class SecurityRealm