org.jivesoftware.openfire.ldap
Class LdapManager

java.lang.Object
  org.jivesoftware.openfire.ldap.LdapManager

public class LdapManager
extends Object

Centralized administration of LDAP connections. The getInstance() method should be used to get an instace. The following properties configure this manager:

• ldap.host
• ldap.port
• ldap.baseDN
• ldap.alternateBaseDN
• ldap.adminDN
• ldap.adminPassword
• ldap.usernameField -- default value is "uid".
• ldap.usernameSuffix -- default value is "".
• ldap.nameField -- default value is "cn".
• ldap.emailField -- default value is "mail".
• ldap.searchFilter -- the filter used to load the list of users. When defined, it will be used with the default filter, which is "([usernameField]={0})" where [usernameField] is the value of ldap.usernameField.
• ldap.groupNameField
• ldap.groupMemberField
• ldap.groupDescriptionField
• ldap.posixMode
• ldap.groupSearchFilter
• ldap.debugEnabled
• ldap.sslEnabled
• ldap.autoFollowReferrals
• ldap.initialContextFactory -- if this value is not specified, "com.sun.jndi.ldap.LdapCtxFactory" will be used.
• ldap.connectionPoolEnabled -- true if an LDAP connection pool should be used. False if not set.

Author:

Matt Tucker

Constructor Summary

LdapManager(Map<String,String> properties)
Constructs a new LdapManager instance.

Method Summary

boolean	checkAuthentication(String userDN, String password) Returns true if the user is able to successfully authenticate against the LDAP server.
String	findUserDN(String username) Finds a user's dn using their username.
String	findUserDN(String username, String baseDN) Finds a user's dn using their username in the specified baseDN.
String	getAdminDN() Returns the starting admin DN that searches for admins will performed with.
String	getAdminPassword() Returns the starting admin DN that searches for admins will performed with.
String	getAlternateBaseDN() Returns the alternate starting DN that searches for users will performed with.
String	getBaseDN() Returns the starting DN that searches for users will performed with.
LdapContext	getContext() Returns a DirContext for the LDAP server that can be used to perform lookups and searches using the default base DN.
LdapContext	getContext(String baseDN) Returns a DirContext for the LDAP server that can be used to perform lookups and searches using the specified base DN.
String	getEmailField() Returns the LDAP field name that the user's email address is stored in.
String	getGroupDescriptionField() Return the field used to describe a group.
String	getGroupMemberField() Return the field used to list members within a group.
String	getGroupNameField() Returns the field name used for groups.
String	getGroupSearchFilter() Returns the filter used for searching the directory for groups, which includes the default filter plus any custom-defined search filter.
Collection<String>	getHosts() Returns the LDAP servers hosts; e.g.
static LdapManager	getInstance() Provides singleton access to an instance of the LdapManager class.
String	getNameField() Returns the LDAP field name that the user's name is stored in.
int	getPort() Returns the LDAP server port number.
String	getSearchFilter() Returns the filter used for searching the directory for users, which includes the default filter (username field search) plus any custom-defined search filter.
String	getUsernameField() Returns the LDAP field name that the username lookup will be performed on.
String	getUsernameSuffix() Returns the suffix appended to the username when LDAP lookups are performed.
String	getUsersBaseDN(String username) Returns the BaseDN for the given username.
boolean	isConnectionPoolEnabled() Returns whether an LDAP connection pool should be used or not.
boolean	isDebugEnabled() Returns true if LDAP connection debugging is turned on.
boolean	isFollowReferralsEnabled() Returns true if LDAP referrals will automatically be followed when found.
boolean	isPosixMode() Return true if the LDAP server is operating in Posix mode.
boolean	isSslEnabled() Returns true if LDAP connection is via SSL or not.
boolean	isSubTreeSearch() Returns true if the entire tree under the base DN will be searched (recursive search) when doing LDAP queries (finding users, groups, etc).
void	setAdminDN(String adminDN) Sets the starting admin DN that searches for admins will performed with.
void	setAdminPassword(String adminPassword) Sets the admin password for the LDAP server we're connecting to.
void	setAlternateBaseDN(String alternateBaseDN) Sets the alternate starting DN that searches for users will performed with.
void	setBaseDN(String baseDN) Sets the starting DN that searches for users will performed with.
void	setConnectionPoolEnabled(boolean connectionPoolEnabled) Sets whether an LDAP connection pool should be used or not.
void	setDebugEnabled(boolean debugEnabled) Sets whether LDAP connection debugging is turned on.
void	setEmailField(String emailField) Sets the LDAP field name that the user's email address is stored in.
void	setFollowReferralsEnabled(boolean followReferrals) Sets whether LDAP referrals should be automatically followed.
void	setGroupDescriptionField(String groupDescriptionField) Sets the field used to describe a group.
void	setGroupMemberField(String groupMemberField) Sets the field used to list members within a group.
void	setGroupNameField(String groupNameField) Sets the field name used for groups.
void	setGroupSearchFilter(String groupSearchFilter) Sets the search filter appended to the default filter when searching for groups.
void	setHosts(Collection<String> hosts) Sets the list of LDAP servers host; e.g., localhost or machine.example.com, etc.
void	setNameField(String nameField) Sets the LDAP field name that the user's name is stored in.
void	setPort(int port) Sets the LDAP server port number.
void	setPosixMode(boolean posixMode) Sets whether the LDAP server is operating in Posix mode.
void	setSearchFilter(String searchFilter) Sets the search filter appended to the default filter when searching for users.
void	setSslEnabled(boolean sslEnabled) Sets whether the connection to the LDAP server should be made via ssl or not.
void	setSubTreeSearch(boolean subTreeSearch) Sets whether the entire tree under the base DN will be searched (recursive search) when doing LDAP queries (finding users, groups, etc).
void	setUsernameField(String usernameField) Sets the LDAP field name that the username lookup will be performed on.
void	setUsernameSuffix(String usernameSuffix) Set the suffix appended to the username whenever LDAP lookups are performed.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

LdapManager

public LdapManager(Map<String,String> properties)

Constructs a new LdapManager instance. Typically, getInstance() should be called instead of this method. LdapManager instances should only be created directly for testing purposes.

Parameters:

properties - the Map that contains properties used by the LDAP manager, such as LDAP host and base DN.

Method Detail

getInstance

public static LdapManager getInstance()

Provides singleton access to an instance of the LdapManager class.

Returns:

an LdapManager instance.

getContext

public LdapContext getContext()
                       throws NamingException

Returns a DirContext for the LDAP server that can be used to perform lookups and searches using the default base DN. The alternate DN will be used in case there is a NamingException using base DN. The context uses the admin login that is defined by adminDN and adminPassword.

Returns:

a connection to the LDAP server.

Throws:

NamingException - if there is an error making the LDAP connection.

getContext

public LdapContext getContext(String baseDN)
                       throws NamingException

Returns a DirContext for the LDAP server that can be used to perform lookups and searches using the specified base DN. The context uses the admin login that is defined by adminDN and adminPassword.

Parameters:

baseDN - the base DN to use for the context.

Returns:

a connection to the LDAP server.

Throws:

NamingException - if there is an error making the LDAP connection.

checkAuthentication

public boolean checkAuthentication(String userDN,
                                   String password)

Returns true if the user is able to successfully authenticate against the LDAP server. The "simple" authentication protocol is used.

Parameters:

userDN - the user's dn to authenticate (relative to baseDN).

password - the user's password.

Returns:

true if the user successfully authenticates.

findUserDN

public String findUserDN(String username)
                  throws Exception

Finds a user's dn using their username. Normally, this search will be performed using the field "uid", but this can be changed by setting the usernameField property.

Searches are performed over all subtrees relative to the baseDN. If the search fails in the baseDN then another search will be performed in the alternateBaseDN. For example, if the baseDN is "o=jivesoftware, o=com" and we do a search for "mtucker", then we might find a userDN of "uid=mtucker,ou=People". This kind of searching is a good thing since it doesn't make the assumption that all user records are stored in a flat structure. However, it does add the requirement that "uid" field (or the other field specified) must be unique over the entire subtree from the baseDN. For example, it's entirely possible to create two dn's in your LDAP directory with the same uid: "uid=mtucker,ou=People" and "uid=mtucker,ou=Administrators". In such a case, it's not possible to uniquely identify a user, so this method will throw an error.

The dn that's returned is relative to the default baseDN.

Parameters:

username - the username to lookup the dn for.

Returns:

the dn associated with username.

Throws:

Exception - if the search for the dn fails.

findUserDN

public String findUserDN(String username,
                         String baseDN)
                  throws Exception

Finds a user's dn using their username in the specified baseDN. Normally, this search will be performed using the field "uid", but this can be changed by setting the usernameField property.

Searches are performed over all sub-trees relative to the baseDN unless sub-tree searching has been disabled. For example, if the baseDN is "o=jivesoftware, o=com" and we do a search for "mtucker", then we might find a userDN of "uid=mtucker,ou=People". This kind of searching is a good thing since it doesn't make the assumption that all user records are stored in a flat structure. However, it does add the requirement that "uid" field (or the other field specified) must be unique over the entire subtree from the baseDN. For example, it's entirely possible to create two dn's in your LDAP directory with the same uid: "uid=mtucker,ou=People" and "uid=mtucker,ou=Administrators". In such a case, it's not possible to uniquely identify a user, so this method will throw an error.

The DN that's returned is relative to the baseDN.

Parameters:

username - the username to lookup the dn for.

baseDN - the base DN to use for this search.

Returns:

the dn associated with username.

Throws:

Exception - if the search for the dn fails.

See Also:

to search using the default baseDN and alternateBaseDN.

getHosts

public Collection<String> getHosts()

Returns the LDAP servers hosts; e.g. localhost or machine.example.com, etc. This value is stored as the Jive Property ldap.host.

Returns:

the LDAP server host name.

setHosts

public void setHosts(Collection<String> hosts)

Sets the list of LDAP servers host; e.g., localhost or machine.example.com, etc. This value is store as the Jive Property ldap.host using a comma as a delimiter for each host.

Note that all LDAP servers have to share the same configuration.

Parameters:

hosts - the LDAP servers host names.

getPort

public int getPort()

Returns the LDAP server port number. The default is 389. This value is stored as the Jive Property ldap.port.

Returns:

the LDAP server port number.

setPort

public void setPort(int port)

Sets the LDAP server port number. The default is 389. This value is stored as the Jive property ldap.port.

Parameters:

port - the LDAP server port number.

isDebugEnabled

public boolean isDebugEnabled()

Returns true if LDAP connection debugging is turned on. When on, trace information about BER buffers sent and received by the LDAP provider is written to System.out. Debugging is turned off by default.

Returns:

true if LDAP debugging is turned on.

setDebugEnabled

public void setDebugEnabled(boolean debugEnabled)

Sets whether LDAP connection debugging is turned on. When on, trace information about BER buffers sent and received by the LDAP provider is written to System.out. Debugging is turned off by default.

Parameters:

debugEnabled - true if debugging should be turned on.

isSslEnabled

public boolean isSslEnabled()

Returns true if LDAP connection is via SSL or not. SSL is turned off by default.

Returns:

true if SSL connections are enabled or not.

setSslEnabled

public void setSslEnabled(boolean sslEnabled)

Sets whether the connection to the LDAP server should be made via ssl or not.

Parameters:

sslEnabled - true if ssl should be enabled, false otherwise.

getUsernameField

public String getUsernameField()

Returns the LDAP field name that the username lookup will be performed on. By default this is "uid".

Returns:

the LDAP field that the username lookup will be performed on.

getUsernameSuffix

public String getUsernameSuffix()

Returns the suffix appended to the username when LDAP lookups are performed. By default this is "".

setUsernameField

public void setUsernameField(String usernameField)

Sets the LDAP field name that the username lookup will be performed on. By default this is "uid".

Parameters:

usernameField - the LDAP field that the username lookup will be performed on.

setUsernameSuffix

public void setUsernameSuffix(String usernameSuffix)

Set the suffix appended to the username whenever LDAP lookups are performed.

Parameters:

usernameSuffix - the String to append to usernames for lookups

getNameField

public String getNameField()

Returns the LDAP field name that the user's name is stored in. By default this is "cn". Another common value is "displayName".

Returns:

the LDAP field that that corresponds to the user's name.

setNameField

public void setNameField(String nameField)

Sets the LDAP field name that the user's name is stored in. By default this is "cn". Another common value is "displayName".

Parameters:

nameField - the LDAP field that that corresponds to the user's name.

getEmailField

public String getEmailField()

Returns the LDAP field name that the user's email address is stored in. By default this is "mail".

Returns:

the LDAP field that that corresponds to the user's email address.

setEmailField

public void setEmailField(String emailField)

Sets the LDAP field name that the user's email address is stored in. By default this is "mail".

Parameters:

emailField - the LDAP field that that corresponds to the user's email address.

getBaseDN

public String getBaseDN()

Returns the starting DN that searches for users will performed with. Searches will performed on the entire sub-tree under the base DN.

Returns:

the starting DN used for performing searches.

setBaseDN

public void setBaseDN(String baseDN)

Sets the starting DN that searches for users will performed with. Searches will performed on the entire sub-tree under the base DN.

Parameters:

baseDN - the starting DN used for performing searches.

getAlternateBaseDN

public String getAlternateBaseDN()

Returns the alternate starting DN that searches for users will performed with. Searches will performed on the entire sub-tree under the alternate base DN after they are performed on the main base DN.

Returns:

the alternate starting DN used for performing searches. If no alternate DN is set, this method will return null.

setAlternateBaseDN

public void setAlternateBaseDN(String alternateBaseDN)

Sets the alternate starting DN that searches for users will performed with. Searches will performed on the entire sub-tree under the alternate base DN after they are performed on the main base dn.

Parameters:

alternateBaseDN - the alternate starting DN used for performing searches.

getUsersBaseDN

public String getUsersBaseDN(String username)

Returns the BaseDN for the given username.

Parameters:

username - username to return its base DN.

Returns:

the BaseDN for the given username. If no baseDN is found, this method will return null.

getAdminDN

public String getAdminDN()

Returns the starting admin DN that searches for admins will performed with. Searches will performed on the entire sub-tree under the admin DN.

Returns:

the starting DN used for performing searches.

setAdminDN

public void setAdminDN(String adminDN)

Sets the starting admin DN that searches for admins will performed with. Searches will performed on the entire sub-tree under the admins DN.

Parameters:

adminDN - the starting DN used for performing admin searches.

getAdminPassword

public String getAdminPassword()

Returns the starting admin DN that searches for admins will performed with. Searches will performed on the entire sub-tree under the admin DN.

Returns:

the starting DN used for performing searches.

setAdminPassword

public void setAdminPassword(String adminPassword)

Sets the admin password for the LDAP server we're connecting to.

Parameters:

adminPassword - the admin password for the LDAP server we're connecting to.

setConnectionPoolEnabled

public void setConnectionPoolEnabled(boolean connectionPoolEnabled)

Sets whether an LDAP connection pool should be used or not.

Parameters:

connectionPoolEnabled - true if an LDAP connection pool should be used.

isConnectionPoolEnabled

public boolean isConnectionPoolEnabled()

Returns whether an LDAP connection pool should be used or not.

Returns:

true if an LDAP connection pool should be used.

getSearchFilter

public String getSearchFilter()

Returns the filter used for searching the directory for users, which includes the default filter (username field search) plus any custom-defined search filter.

Returns:

the search filter.

setSearchFilter

public void setSearchFilter(String searchFilter)

Sets the search filter appended to the default filter when searching for users.

Parameters:

searchFilter - the search filter appended to the default filter when searching for users.

isSubTreeSearch

public boolean isSubTreeSearch()

Returns true if the entire tree under the base DN will be searched (recursive search) when doing LDAP queries (finding users, groups, etc). When false, only a single level under the base DN will be searched. The default is true which is the best option for most LDAP setups. In only a few cases will the directory be setup in such a way that it's better to do single level searching.

Returns:

true if the entire tree under the base DN will be searched.

setSubTreeSearch

public void setSubTreeSearch(boolean subTreeSearch)

Sets whether the entire tree under the base DN will be searched (recursive search) when doing LDAP queries (finding users, groups, etc). When false, only a single level under the base DN will be searched. The default is true which is the best option for most LDAP setups. In only a few cases will the directory be setup in such a way that it's better to do single level searching.

Parameters:

subTreeSearch - true if the entire tree under the base DN will be searched.

isFollowReferralsEnabled

public boolean isFollowReferralsEnabled()

Returns true if LDAP referrals will automatically be followed when found.

Returns:

true if LDAP referrals are automatically followed.

setFollowReferralsEnabled

public void setFollowReferralsEnabled(boolean followReferrals)

Sets whether LDAP referrals should be automatically followed.

Parameters:

followReferrals - true if LDAP referrals should be automatically followed.

getGroupNameField

public String getGroupNameField()

Returns the field name used for groups. Value of groupNameField defaults to "cn".

Returns:

the field used for groups.

setGroupNameField

public void setGroupNameField(String groupNameField)

Sets the field name used for groups.

Parameters:

groupNameField - the field used for groups.

getGroupMemberField

public String getGroupMemberField()

Return the field used to list members within a group. Value of groupMemberField defaults to "member".

Returns:

the field used to list members within a group.

setGroupMemberField

public void setGroupMemberField(String groupMemberField)

Sets the field used to list members within a group. Value of groupMemberField defaults to "member".

Parameters:

groupMemberField - the field used to list members within a group.

getGroupDescriptionField

public String getGroupDescriptionField()

Return the field used to describe a group. Value of groupDescriptionField defaults to "description".

Returns:

the field used to describe a group.

setGroupDescriptionField

public void setGroupDescriptionField(String groupDescriptionField)

Sets the field used to describe a group. Value of groupDescriptionField defaults to "description".

Parameters:

groupDescriptionField - the field used to describe a group.

isPosixMode

public boolean isPosixMode()

Return true if the LDAP server is operating in Posix mode. By default false is returned. When in Posix mode, users are stored within a group by their username alone. When not enabled, users are stored in a group using their entire DN.

Returns:

true if posix mode is being used by the LDAP server.

setPosixMode

public void setPosixMode(boolean posixMode)

Sets whether the LDAP server is operating in Posix mode. When in Posix mode, users are stored within a group by their username alone. When not enabled, users are stored in a group using their entire DN.

Parameters:

posixMode - true if posix mode is being used by the LDAP server.

getGroupSearchFilter

public String getGroupSearchFilter()

Returns the filter used for searching the directory for groups, which includes the default filter plus any custom-defined search filter.

Returns:

the search filter when searching for groups.

setGroupSearchFilter

public void setGroupSearchFilter(String groupSearchFilter)

Sets the search filter appended to the default filter when searching for groups.

Parameters:

groupSearchFilter - the search filter appended to the default filter when searching for groups.