Package org.apache.sshd.ldap

Class LdapPasswordAuthenticator

java.lang.Object

org.apache.sshd.common.util.logging.AbstractLoggingBean

org.apache.sshd.common.util.net.NetworkConnector

org.apache.sshd.ldap.LdapNetworkConnector<ServerSession>

org.apache.sshd.ldap.LdapAuthenticator

org.apache.sshd.ldap.LdapPasswordAuthenticator

All Implemented Interfaces:

PasswordAuthenticator

public class LdapPasswordAuthenticator
extends LdapAuthenticator
implements PasswordAuthenticator

Uses LDAP to authenticate a user and password. By default it can achieve this using 2 ways:

1. Comparing the provided password with the one stored in LDAP. In this case, the bind DN and password patterns can be either empty (if anonymous access allowed) or can contain the administrative username / password required to run the LDAP query. The search filter pattern should be set to require a match for both the username and password - e.g., "(&(user={0})(password={1}))". The set default (DEFAULT_SEARCH_FILTER_PATTERN) uses the most commonly encountered attributes names for this purpose.
2. Using the original username + password to access LDAP - in which case the very success of retrieving anything can be considered a successful authentication. In this case, the bind DN and password patterns should be set up to generate the correct credentials - the default is to "echo" the provided username and password as-is. E.g., if the username is always the alias part of a known e-mail, the bind DN should be set to "{0}@my.domain.com".

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	DEFAULT_PASSWORD_ATTR_NAME
static java.lang.String	DEFAULT_SEARCH_FILTER_PATTERN

Fields inherited from class org.apache.sshd.ldap.LdapAuthenticator

DEFAULT_AUTHENTICATION_MODE, DEFAULT_USERNAME_ATTR_NAME

Fields inherited from class org.apache.sshd.ldap.LdapNetworkConnector

ALL_LDAP_ATTRIBUTES, baseDNPattern, bindDNPattern, bindPasswordPattern, DEFAULT_BINARY_ATTRIBUTES, DEFAULT_LDAP_ACCUMULATE_MULTIVALUES, DEFAULT_LDAP_BIND_DN_PATTERN, DEFAULT_LDAP_BIND_PASSWORD_PATTERN, DEFAULT_LDAP_COUNT_LIMIT, DEFAULT_LDAP_DEREF_ENABLED, DEFAULT_LDAP_FACTORY_PROPNAME, DEFAULT_LDAP_FACTORY_PROPVAL, DEFAULT_LDAP_PORT, DEFAULT_LDAP_PROTOCOL, DEFAULT_LDAP_REFERRAL_MODE, DEFAULT_LDAP_RETURN_OBJVALUE, DEFAULT_LDAP_SEARCH_SCOPE, DEFAULT_LDAP_TIME_LIMIT, ldapEnv, searchControls, searchFilterPattern

Fields inherited from class org.apache.sshd.common.util.net.NetworkConnector

DEFAULT_CONNECT_TIMEOUT, DEFAULT_HOST, DEFAULT_READ_TIMEOUT

Fields inherited from class org.apache.sshd.common.util.logging.AbstractLoggingBean

log

Constructor Summary

Constructors

Constructor	Description
LdapPasswordAuthenticator()

Method Summary

Modifier and Type	Method	Description
boolean	authenticate(java.lang.String username, java.lang.String password, ServerSession session)	Check the validity of a password.
protected boolean	authenticate(java.lang.String username, java.lang.String password, ServerSession session, java.util.Map<java.lang.String,?> attrs)

Methods inherited from class org.apache.sshd.ldap.LdapNetworkConnector

accumulateAttributeValue, getAuthenticationMode, getBaseDN, getBinaryAttributes, getBindDNPattern, getBindPasswordPattern, getCountLimit, getLdapFactory, getProtocolVersion, getReferralMode, getRetrievedAttributes, getSearchFilterPattern, getSearchScope, getTimeLimit, initializeDirContext, isAccumulateMultiValues, isDerefLink, isReturningObjFlag, processResultAttributeValue, processSearchResult, queryAttributes, resolveAttributes, resolveBaseDN, resolveSearchFilter, setAccumulateMultiValues, setAuthenticationMode, setBaseDN, setBinaryAttributes, setBindDNPattern, setBindPasswordPattern, setConnectTimeout, setCountLimit, setDerefLink, setLdapFactory, setProtocolVersion, setReadTimeout, setReferralMode, setRetrievedAttributes, setReturningObjFlag, setSearchFilterPattern, setSearchScope, setTimeLimit, setupDirContextEnvironment, toString

Methods inherited from class org.apache.sshd.common.util.net.NetworkConnector

getConnectTimeout, getHost, getPort, getProtocol, getReadTimeout, setHost, setPort, setProtocol, toString

Methods inherited from class org.apache.sshd.common.util.logging.AbstractLoggingBean

debug, debug, debug, debug, debug, error, error, error, error, error, getSimplifiedLogger, info, info, warn, warn, warn, warn, warn, warn, warn, warn

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.apache.sshd.server.auth.password.PasswordAuthenticator

handleClientPasswordChangeRequest

Field Detail

DEFAULT_PASSWORD_ATTR_NAME

public static final java.lang.String DEFAULT_PASSWORD_ATTR_NAME

See Also:

Constant Field Values

DEFAULT_SEARCH_FILTER_PATTERN

public static final java.lang.String DEFAULT_SEARCH_FILTER_PATTERN

See Also:

Constant Field Values

Constructor Detail

LdapPasswordAuthenticator

public LdapPasswordAuthenticator()

Method Detail

authenticate

public boolean authenticate(java.lang.String username,
                            java.lang.String password,
                            ServerSession session)
                     throws PasswordChangeRequiredException

Description copied from interface: PasswordAuthenticator

Check the validity of a password.

Specified by:

authenticate in interface PasswordAuthenticator

Parameters:

username - The username credential

password - The provided password

session - The ServerSession attempting the authentication

Returns:

true indicating if authentication succeeded

Throws:

PasswordChangeRequiredException - If the password is expired or not strong enough to suit the server's policy

authenticate

protected boolean authenticate(java.lang.String username,
                               java.lang.String password,
                               ServerSession session,
                               java.util.Map<java.lang.String,?> attrs)