001/* 002 * CDDL HEADER START 003 * 004 * The contents of this file are subject to the terms of the 005 * Common Development and Distribution License, Version 1.0 only 006 * (the "License"). You may not use this file except in compliance 007 * with the License. 008 * 009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt 010 * or http://forgerock.org/license/CDDLv1.0.html. 011 * See the License for the specific language governing permissions 012 * and limitations under the License. 013 * 014 * When distributing Covered Code, include this CDDL HEADER in each 015 * file and include the License file at legal-notices/CDDLv1_0.txt. 016 * If applicable, add the following below this CDDL HEADER, with the 017 * fields enclosed by brackets "[]" replaced with your own identifying 018 * information: 019 * Portions Copyright [yyyy] [name of copyright owner] 020 * 021 * CDDL HEADER END 022 * 023 * 024 * Copyright 2008 Sun Microsystems, Inc. 025 */ 026package org.opends.server.admin.std.server; 027 028 029 030import java.net.InetAddress; 031import java.util.SortedSet; 032import org.opends.server.admin.server.ConfigurationChangeListener; 033import org.opends.server.admin.std.meta.LDAPPassThroughAuthenticationPolicyCfgDefn.MappingPolicy; 034import org.opends.server.types.AttributeType; 035import org.opends.server.types.DN; 036 037 038 039/** 040 * A server-side interface for querying LDAP Pass Through 041 * Authentication Policy settings. 042 * <p> 043 * An authentication policy for users whose credentials are managed by 044 * a remote LDAP directory service. 045 */ 046public interface LDAPPassThroughAuthenticationPolicyCfg extends AuthenticationPolicyCfg { 047 048 /** 049 * Gets the configuration class associated with this LDAP Pass Through Authentication Policy. 050 * 051 * @return Returns the configuration class associated with this LDAP Pass Through Authentication Policy. 052 */ 053 Class<? extends LDAPPassThroughAuthenticationPolicyCfg> configurationClass(); 054 055 056 057 /** 058 * Register to be notified when this LDAP Pass Through Authentication Policy is changed. 059 * 060 * @param listener 061 * The LDAP Pass Through Authentication Policy configuration change listener. 062 */ 063 void addLDAPPassThroughChangeListener(ConfigurationChangeListener<LDAPPassThroughAuthenticationPolicyCfg> listener); 064 065 066 067 /** 068 * Deregister an existing LDAP Pass Through Authentication Policy configuration change listener. 069 * 070 * @param listener 071 * The LDAP Pass Through Authentication Policy configuration change listener. 072 */ 073 void removeLDAPPassThroughChangeListener(ConfigurationChangeListener<LDAPPassThroughAuthenticationPolicyCfg> listener); 074 075 076 077 /** 078 * Gets the "cached-password-storage-scheme" property. 079 * <p> 080 * Specifies the name of a password storage scheme which should be 081 * used for encoding cached passwords. 082 * <p> 083 * Changing the password storage scheme will cause all existing 084 * cached passwords to be discarded. 085 * 086 * @return Returns the value of the "cached-password-storage-scheme" property. 087 */ 088 String getCachedPasswordStorageScheme(); 089 090 091 092 /** 093 * Gets the "cached-password-storage-scheme" property as a DN. 094 * <p> 095 * Specifies the name of a password storage scheme which should be 096 * used for encoding cached passwords. 097 * <p> 098 * Changing the password storage scheme will cause all existing 099 * cached passwords to be discarded. 100 * 101 * @return Returns the DN value of the 102 * "cached-password-storage-scheme" property. 103 */ 104 DN getCachedPasswordStorageSchemeDN(); 105 106 107 108 /** 109 * Gets the "cached-password-ttl" property. 110 * <p> 111 * Specifies the maximum length of time that a locally cached 112 * password may be used for authentication before it is refreshed 113 * from the remote LDAP service. 114 * <p> 115 * This property represents a cache timeout. Increasing the timeout 116 * period decreases the frequency that bind operations are delegated 117 * to the remote LDAP service, but increases the risk of users 118 * authenticating using stale passwords. Note that authentication 119 * attempts which fail because the provided password does not match 120 * the locally cached password will always be retried against the 121 * remote LDAP service. 122 * 123 * @return Returns the value of the "cached-password-ttl" property. 124 */ 125 long getCachedPasswordTTL(); 126 127 128 129 /** 130 * Gets the "connection-timeout" property. 131 * <p> 132 * Specifies the timeout used when connecting to remote LDAP 133 * directory servers, performing SSL negotiation, and for individual 134 * search and bind requests. 135 * <p> 136 * If the timeout expires then the current operation will be aborted 137 * and retried against another LDAP server if one is available. 138 * 139 * @return Returns the value of the "connection-timeout" property. 140 */ 141 long getConnectionTimeout(); 142 143 144 145 /** 146 * Gets the "java-class" property. 147 * <p> 148 * Specifies the fully-qualified name of the Java class which 149 * provides the LDAP Pass Through Authentication Policy 150 * implementation. 151 * 152 * @return Returns the value of the "java-class" property. 153 */ 154 String getJavaClass(); 155 156 157 158 /** 159 * Gets the "mapped-attribute" property. 160 * <p> 161 * Specifies one or more attributes in the user's entry whose 162 * value(s) will determine the bind DN used when authenticating to 163 * the remote LDAP directory service. This property is mandatory when 164 * using the "mapped-bind" or "mapped-search" mapping policies. 165 * <p> 166 * At least one value must be provided. All values must refer to the 167 * name or OID of an attribute type defined in the directory server 168 * schema. At least one of the named attributes must exist in a 169 * user's local entry in order for authentication to proceed. When 170 * multiple attributes or values are found in the user's entry then 171 * the behavior is determined by the mapping policy. 172 * 173 * @return Returns an unmodifiable set containing the values of the "mapped-attribute" property. 174 */ 175 SortedSet<AttributeType> getMappedAttribute(); 176 177 178 179 /** 180 * Gets the "mapped-search-base-dn" property. 181 * <p> 182 * Specifies the set of base DNs below which to search for users in 183 * the remote LDAP directory service. This property is mandatory when 184 * using the "mapped-search" mapping policy. 185 * <p> 186 * If multiple values are given, searches are performed below all 187 * specified base DNs. 188 * 189 * @return Returns an unmodifiable set containing the values of the "mapped-search-base-dn" property. 190 */ 191 SortedSet<DN> getMappedSearchBaseDN(); 192 193 194 195 /** 196 * Gets the "mapped-search-bind-dn" property. 197 * <p> 198 * Specifies the bind DN which should be used to perform user 199 * searches in the remote LDAP directory service. 200 * 201 * @return Returns the value of the "mapped-search-bind-dn" property. 202 */ 203 DN getMappedSearchBindDN(); 204 205 206 207 /** 208 * Gets the "mapped-search-bind-password" property. 209 * <p> 210 * Specifies the bind password which should be used to perform user 211 * searches in the remote LDAP directory service. 212 * 213 * @return Returns the value of the "mapped-search-bind-password" property. 214 */ 215 String getMappedSearchBindPassword(); 216 217 218 219 /** 220 * Gets the "mapped-search-bind-password-environment-variable" property. 221 * <p> 222 * Specifies the name of an environment variable containing the bind 223 * password which should be used to perform user searches in the 224 * remote LDAP directory service. 225 * 226 * @return Returns the value of the "mapped-search-bind-password-environment-variable" property. 227 */ 228 String getMappedSearchBindPasswordEnvironmentVariable(); 229 230 231 232 /** 233 * Gets the "mapped-search-bind-password-file" property. 234 * <p> 235 * Specifies the name of a file containing the bind password which 236 * should be used to perform user searches in the remote LDAP 237 * directory service. 238 * 239 * @return Returns the value of the "mapped-search-bind-password-file" property. 240 */ 241 String getMappedSearchBindPasswordFile(); 242 243 244 245 /** 246 * Gets the "mapped-search-bind-password-property" property. 247 * <p> 248 * Specifies the name of a Java property containing the bind 249 * password which should be used to perform user searches in the 250 * remote LDAP directory service. 251 * 252 * @return Returns the value of the "mapped-search-bind-password-property" property. 253 */ 254 String getMappedSearchBindPasswordProperty(); 255 256 257 258 /** 259 * Gets the "mapping-policy" property. 260 * <p> 261 * Specifies the mapping algorithm for obtaining the bind DN from 262 * the user's entry. 263 * 264 * @return Returns the value of the "mapping-policy" property. 265 */ 266 MappingPolicy getMappingPolicy(); 267 268 269 270 /** 271 * Gets the "primary-remote-ldap-server" property. 272 * <p> 273 * Specifies the primary list of remote LDAP servers which should be 274 * used for pass through authentication. 275 * <p> 276 * If more than one LDAP server is specified then operations may be 277 * distributed across them. If all of the primary LDAP servers are 278 * unavailable then operations will fail-over to the set of secondary 279 * LDAP servers, if defined. 280 * 281 * @return Returns an unmodifiable set containing the values of the "primary-remote-ldap-server" property. 282 */ 283 SortedSet<String> getPrimaryRemoteLDAPServer(); 284 285 286 287 /** 288 * Gets the "secondary-remote-ldap-server" property. 289 * <p> 290 * Specifies the secondary list of remote LDAP servers which should 291 * be used for pass through authentication in the event that the 292 * primary LDAP servers are unavailable. 293 * <p> 294 * If more than one LDAP server is specified then operations may be 295 * distributed across them. Operations will be rerouted to the 296 * primary LDAP servers as soon as they are determined to be 297 * available. 298 * 299 * @return Returns an unmodifiable set containing the values of the "secondary-remote-ldap-server" property. 300 */ 301 SortedSet<String> getSecondaryRemoteLDAPServer(); 302 303 304 305 /** 306 * Gets the "source-address" property. 307 * <p> 308 * If specified, the server will bind to the address before 309 * connecting to the remote server. 310 * <p> 311 * The address must be one assigned to an existing network 312 * interface. 313 * 314 * @return Returns the value of the "source-address" property. 315 */ 316 InetAddress getSourceAddress(); 317 318 319 320 /** 321 * Gets the "ssl-cipher-suite" property. 322 * <p> 323 * Specifies the names of the SSL cipher suites that are allowed for 324 * use in SSL based LDAP connections. 325 * 326 * @return Returns an unmodifiable set containing the values of the "ssl-cipher-suite" property. 327 */ 328 SortedSet<String> getSSLCipherSuite(); 329 330 331 332 /** 333 * Gets the "ssl-protocol" property. 334 * <p> 335 * Specifies the names of the SSL protocols which are allowed for 336 * use in SSL based LDAP connections. 337 * 338 * @return Returns an unmodifiable set containing the values of the "ssl-protocol" property. 339 */ 340 SortedSet<String> getSSLProtocol(); 341 342 343 344 /** 345 * Gets the "trust-manager-provider" property. 346 * <p> 347 * Specifies the name of the trust manager that should be used when 348 * negotiating SSL connections with remote LDAP directory servers. 349 * 350 * @return Returns the value of the "trust-manager-provider" property. 351 */ 352 String getTrustManagerProvider(); 353 354 355 356 /** 357 * Gets the "trust-manager-provider" property as a DN. 358 * <p> 359 * Specifies the name of the trust manager that should be used when 360 * negotiating SSL connections with remote LDAP directory servers. 361 * 362 * @return Returns the DN value of the "trust-manager-provider" 363 * property. 364 */ 365 DN getTrustManagerProviderDN(); 366 367 368 369 /** 370 * Gets the "use-password-caching" property. 371 * <p> 372 * Indicates whether passwords should be cached locally within the 373 * user's entry. 374 * 375 * @return Returns the value of the "use-password-caching" property. 376 */ 377 boolean isUsePasswordCaching(); 378 379 380 381 /** 382 * Gets the "use-ssl" property. 383 * <p> 384 * Indicates whether the LDAP Pass Through Authentication Policy 385 * should use SSL. 386 * <p> 387 * If enabled, the LDAP Pass Through Authentication Policy will use 388 * SSL to encrypt communication with the clients. 389 * 390 * @return Returns the value of the "use-ssl" property. 391 */ 392 boolean isUseSSL(); 393 394 395 396 /** 397 * Gets the "use-tcp-keep-alive" property. 398 * <p> 399 * Indicates whether LDAP connections should use TCP keep-alive. 400 * <p> 401 * If enabled, the SO_KEEPALIVE socket option is used to indicate 402 * that TCP keepalive messages should periodically be sent to the 403 * client to verify that the associated connection is still valid. 404 * This may also help prevent cases in which intermediate network 405 * hardware could silently drop an otherwise idle client connection, 406 * provided that the keepalive interval configured in the underlying 407 * operating system is smaller than the timeout enforced by the 408 * network hardware. 409 * 410 * @return Returns the value of the "use-tcp-keep-alive" property. 411 */ 412 boolean isUseTCPKeepAlive(); 413 414 415 416 /** 417 * Gets the "use-tcp-no-delay" property. 418 * <p> 419 * Indicates whether LDAP connections should use TCP no-delay. 420 * <p> 421 * If enabled, the TCP_NODELAY socket option is used to ensure that 422 * response messages to the client are sent immediately rather than 423 * potentially waiting to determine whether additional response 424 * messages can be sent in the same packet. In most cases, using the 425 * TCP_NODELAY socket option provides better performance and lower 426 * response times, but disabling it may help for some cases in which 427 * the server sends a large number of entries to a client in response 428 * to a search request. 429 * 430 * @return Returns the value of the "use-tcp-no-delay" property. 431 */ 432 boolean isUseTCPNoDelay(); 433 434}