001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
010 * or http://forgerock.org/license/CDDLv1.0.html.
011 * See the License for the specific language governing permissions
012 * and limitations under the License.
013 *
014 * When distributing Covered Code, include this CDDL HEADER in each
015 * file and include the License file at legal-notices/CDDLv1_0.txt.
016 * If applicable, add the following below this CDDL HEADER, with the
017 * fields enclosed by brackets "[]" replaced with your own identifying
018 * information:
019 *      Portions Copyright [yyyy] [name of copyright owner]
020 *
021 * CDDL HEADER END
022 *
023 *
024 *      Copyright 2008 Sun Microsystems, Inc.
025 */
026package org.opends.server.admin.std.server;
027
028
029
030import java.net.InetAddress;
031import java.util.SortedSet;
032import org.opends.server.admin.server.ConfigurationChangeListener;
033import org.opends.server.admin.std.meta.LDAPPassThroughAuthenticationPolicyCfgDefn.MappingPolicy;
034import org.opends.server.types.AttributeType;
035import org.opends.server.types.DN;
036
037
038
039/**
040 * A server-side interface for querying LDAP Pass Through
041 * Authentication Policy settings.
042 * <p>
043 * An authentication policy for users whose credentials are managed by
044 * a remote LDAP directory service.
045 */
046public interface LDAPPassThroughAuthenticationPolicyCfg extends AuthenticationPolicyCfg {
047
048  /**
049   * Gets the configuration class associated with this LDAP Pass Through Authentication Policy.
050   *
051   * @return Returns the configuration class associated with this LDAP Pass Through Authentication Policy.
052   */
053  Class<? extends LDAPPassThroughAuthenticationPolicyCfg> configurationClass();
054
055
056
057  /**
058   * Register to be notified when this LDAP Pass Through Authentication Policy is changed.
059   *
060   * @param listener
061   *          The LDAP Pass Through Authentication Policy configuration change listener.
062   */
063  void addLDAPPassThroughChangeListener(ConfigurationChangeListener<LDAPPassThroughAuthenticationPolicyCfg> listener);
064
065
066
067  /**
068   * Deregister an existing LDAP Pass Through Authentication Policy configuration change listener.
069   *
070   * @param listener
071   *          The LDAP Pass Through Authentication Policy configuration change listener.
072   */
073  void removeLDAPPassThroughChangeListener(ConfigurationChangeListener<LDAPPassThroughAuthenticationPolicyCfg> listener);
074
075
076
077  /**
078   * Gets the "cached-password-storage-scheme" property.
079   * <p>
080   * Specifies the name of a password storage scheme which should be
081   * used for encoding cached passwords.
082   * <p>
083   * Changing the password storage scheme will cause all existing
084   * cached passwords to be discarded.
085   *
086   * @return Returns the value of the "cached-password-storage-scheme" property.
087   */
088  String getCachedPasswordStorageScheme();
089
090
091
092  /**
093   * Gets the "cached-password-storage-scheme" property as a DN.
094   * <p>
095   * Specifies the name of a password storage scheme which should be
096   * used for encoding cached passwords.
097   * <p>
098   * Changing the password storage scheme will cause all existing
099   * cached passwords to be discarded.
100   *
101   * @return Returns the DN value of the
102   *         "cached-password-storage-scheme" property.
103   */
104  DN getCachedPasswordStorageSchemeDN();
105
106
107
108  /**
109   * Gets the "cached-password-ttl" property.
110   * <p>
111   * Specifies the maximum length of time that a locally cached
112   * password may be used for authentication before it is refreshed
113   * from the remote LDAP service.
114   * <p>
115   * This property represents a cache timeout. Increasing the timeout
116   * period decreases the frequency that bind operations are delegated
117   * to the remote LDAP service, but increases the risk of users
118   * authenticating using stale passwords. Note that authentication
119   * attempts which fail because the provided password does not match
120   * the locally cached password will always be retried against the
121   * remote LDAP service.
122   *
123   * @return Returns the value of the "cached-password-ttl" property.
124   */
125  long getCachedPasswordTTL();
126
127
128
129  /**
130   * Gets the "connection-timeout" property.
131   * <p>
132   * Specifies the timeout used when connecting to remote LDAP
133   * directory servers, performing SSL negotiation, and for individual
134   * search and bind requests.
135   * <p>
136   * If the timeout expires then the current operation will be aborted
137   * and retried against another LDAP server if one is available.
138   *
139   * @return Returns the value of the "connection-timeout" property.
140   */
141  long getConnectionTimeout();
142
143
144
145  /**
146   * Gets the "java-class" property.
147   * <p>
148   * Specifies the fully-qualified name of the Java class which
149   * provides the LDAP Pass Through Authentication Policy
150   * implementation.
151   *
152   * @return Returns the value of the "java-class" property.
153   */
154  String getJavaClass();
155
156
157
158  /**
159   * Gets the "mapped-attribute" property.
160   * <p>
161   * Specifies one or more attributes in the user's entry whose
162   * value(s) will determine the bind DN used when authenticating to
163   * the remote LDAP directory service. This property is mandatory when
164   * using the "mapped-bind" or "mapped-search" mapping policies.
165   * <p>
166   * At least one value must be provided. All values must refer to the
167   * name or OID of an attribute type defined in the directory server
168   * schema. At least one of the named attributes must exist in a
169   * user's local entry in order for authentication to proceed. When
170   * multiple attributes or values are found in the user's entry then
171   * the behavior is determined by the mapping policy.
172   *
173   * @return Returns an unmodifiable set containing the values of the "mapped-attribute" property.
174   */
175  SortedSet<AttributeType> getMappedAttribute();
176
177
178
179  /**
180   * Gets the "mapped-search-base-dn" property.
181   * <p>
182   * Specifies the set of base DNs below which to search for users in
183   * the remote LDAP directory service. This property is mandatory when
184   * using the "mapped-search" mapping policy.
185   * <p>
186   * If multiple values are given, searches are performed below all
187   * specified base DNs.
188   *
189   * @return Returns an unmodifiable set containing the values of the "mapped-search-base-dn" property.
190   */
191  SortedSet<DN> getMappedSearchBaseDN();
192
193
194
195  /**
196   * Gets the "mapped-search-bind-dn" property.
197   * <p>
198   * Specifies the bind DN which should be used to perform user
199   * searches in the remote LDAP directory service.
200   *
201   * @return Returns the value of the "mapped-search-bind-dn" property.
202   */
203  DN getMappedSearchBindDN();
204
205
206
207  /**
208   * Gets the "mapped-search-bind-password" property.
209   * <p>
210   * Specifies the bind password which should be used to perform user
211   * searches in the remote LDAP directory service.
212   *
213   * @return Returns the value of the "mapped-search-bind-password" property.
214   */
215  String getMappedSearchBindPassword();
216
217
218
219  /**
220   * Gets the "mapped-search-bind-password-environment-variable" property.
221   * <p>
222   * Specifies the name of an environment variable containing the bind
223   * password which should be used to perform user searches in the
224   * remote LDAP directory service.
225   *
226   * @return Returns the value of the "mapped-search-bind-password-environment-variable" property.
227   */
228  String getMappedSearchBindPasswordEnvironmentVariable();
229
230
231
232  /**
233   * Gets the "mapped-search-bind-password-file" property.
234   * <p>
235   * Specifies the name of a file containing the bind password which
236   * should be used to perform user searches in the remote LDAP
237   * directory service.
238   *
239   * @return Returns the value of the "mapped-search-bind-password-file" property.
240   */
241  String getMappedSearchBindPasswordFile();
242
243
244
245  /**
246   * Gets the "mapped-search-bind-password-property" property.
247   * <p>
248   * Specifies the name of a Java property containing the bind
249   * password which should be used to perform user searches in the
250   * remote LDAP directory service.
251   *
252   * @return Returns the value of the "mapped-search-bind-password-property" property.
253   */
254  String getMappedSearchBindPasswordProperty();
255
256
257
258  /**
259   * Gets the "mapping-policy" property.
260   * <p>
261   * Specifies the mapping algorithm for obtaining the bind DN from
262   * the user's entry.
263   *
264   * @return Returns the value of the "mapping-policy" property.
265   */
266  MappingPolicy getMappingPolicy();
267
268
269
270  /**
271   * Gets the "primary-remote-ldap-server" property.
272   * <p>
273   * Specifies the primary list of remote LDAP servers which should be
274   * used for pass through authentication.
275   * <p>
276   * If more than one LDAP server is specified then operations may be
277   * distributed across them. If all of the primary LDAP servers are
278   * unavailable then operations will fail-over to the set of secondary
279   * LDAP servers, if defined.
280   *
281   * @return Returns an unmodifiable set containing the values of the "primary-remote-ldap-server" property.
282   */
283  SortedSet<String> getPrimaryRemoteLDAPServer();
284
285
286
287  /**
288   * Gets the "secondary-remote-ldap-server" property.
289   * <p>
290   * Specifies the secondary list of remote LDAP servers which should
291   * be used for pass through authentication in the event that the
292   * primary LDAP servers are unavailable.
293   * <p>
294   * If more than one LDAP server is specified then operations may be
295   * distributed across them. Operations will be rerouted to the
296   * primary LDAP servers as soon as they are determined to be
297   * available.
298   *
299   * @return Returns an unmodifiable set containing the values of the "secondary-remote-ldap-server" property.
300   */
301  SortedSet<String> getSecondaryRemoteLDAPServer();
302
303
304
305  /**
306   * Gets the "source-address" property.
307   * <p>
308   * If specified, the server will bind to the address before
309   * connecting to the remote server.
310   * <p>
311   * The address must be one assigned to an existing network
312   * interface.
313   *
314   * @return Returns the value of the "source-address" property.
315   */
316  InetAddress getSourceAddress();
317
318
319
320  /**
321   * Gets the "ssl-cipher-suite" property.
322   * <p>
323   * Specifies the names of the SSL cipher suites that are allowed for
324   * use in SSL based LDAP connections.
325   *
326   * @return Returns an unmodifiable set containing the values of the "ssl-cipher-suite" property.
327   */
328  SortedSet<String> getSSLCipherSuite();
329
330
331
332  /**
333   * Gets the "ssl-protocol" property.
334   * <p>
335   * Specifies the names of the SSL protocols which are allowed for
336   * use in SSL based LDAP connections.
337   *
338   * @return Returns an unmodifiable set containing the values of the "ssl-protocol" property.
339   */
340  SortedSet<String> getSSLProtocol();
341
342
343
344  /**
345   * Gets the "trust-manager-provider" property.
346   * <p>
347   * Specifies the name of the trust manager that should be used when
348   * negotiating SSL connections with remote LDAP directory servers.
349   *
350   * @return Returns the value of the "trust-manager-provider" property.
351   */
352  String getTrustManagerProvider();
353
354
355
356  /**
357   * Gets the "trust-manager-provider" property as a DN.
358   * <p>
359   * Specifies the name of the trust manager that should be used when
360   * negotiating SSL connections with remote LDAP directory servers.
361   *
362   * @return Returns the DN value of the "trust-manager-provider"
363   *         property.
364   */
365  DN getTrustManagerProviderDN();
366
367
368
369  /**
370   * Gets the "use-password-caching" property.
371   * <p>
372   * Indicates whether passwords should be cached locally within the
373   * user's entry.
374   *
375   * @return Returns the value of the "use-password-caching" property.
376   */
377  boolean isUsePasswordCaching();
378
379
380
381  /**
382   * Gets the "use-ssl" property.
383   * <p>
384   * Indicates whether the LDAP Pass Through Authentication Policy
385   * should use SSL.
386   * <p>
387   * If enabled, the LDAP Pass Through Authentication Policy will use
388   * SSL to encrypt communication with the clients.
389   *
390   * @return Returns the value of the "use-ssl" property.
391   */
392  boolean isUseSSL();
393
394
395
396  /**
397   * Gets the "use-tcp-keep-alive" property.
398   * <p>
399   * Indicates whether LDAP connections should use TCP keep-alive.
400   * <p>
401   * If enabled, the SO_KEEPALIVE socket option is used to indicate
402   * that TCP keepalive messages should periodically be sent to the
403   * client to verify that the associated connection is still valid.
404   * This may also help prevent cases in which intermediate network
405   * hardware could silently drop an otherwise idle client connection,
406   * provided that the keepalive interval configured in the underlying
407   * operating system is smaller than the timeout enforced by the
408   * network hardware.
409   *
410   * @return Returns the value of the "use-tcp-keep-alive" property.
411   */
412  boolean isUseTCPKeepAlive();
413
414
415
416  /**
417   * Gets the "use-tcp-no-delay" property.
418   * <p>
419   * Indicates whether LDAP connections should use TCP no-delay.
420   * <p>
421   * If enabled, the TCP_NODELAY socket option is used to ensure that
422   * response messages to the client are sent immediately rather than
423   * potentially waiting to determine whether additional response
424   * messages can be sent in the same packet. In most cases, using the
425   * TCP_NODELAY socket option provides better performance and lower
426   * response times, but disabling it may help for some cases in which
427   * the server sends a large number of entries to a client in response
428   * to a search request.
429   *
430   * @return Returns the value of the "use-tcp-no-delay" property.
431   */
432  boolean isUseTCPNoDelay();
433
434}