de.hybris.platform.ldap.connection

Class ActiveDirectoryConnectionImpl

java.lang.Object

de.hybris.platform.ldap.connection.JNDIConnectionImpl

de.hybris.platform.ldap.connection.ActiveDirectoryConnectionImpl

All Implemented Interfaces:

LDAPConnection

public class ActiveDirectoryConnectionImpl
extends JNDIConnectionImpl

An ActiveDirectory specific LDAPConnection implementation

Supports fail-over to multiple servers.

This implementation will use the ordered list of servers in LDAPConfigProxyItem.

Ordered means that all requests will go the first server in the configured list as long as it is available.

If that server fails it will go to the next in the list until it finds an available server.

INTERNAL NOTES (hr): PAGE RETRIEVAL: --------------- Problems that come across are queries that return either a large number of results, or query that returns a multi-valued attribute that contains a large number of values. Active Directory incorporates a number of controls, that are designed to ensure optimim performance of the server and to mitigate denial of service attacks. First of all paging. By default, Active Directory restricts the total number of results that are returned from a LDAP Search to 1000. While this limit can be changed by modifying the LDAP Query policy, the recomended approach is to use paged results. Note that this ample, which queries for all users that have a value for the mail attribute. uses a page size of 10, not really an optimal use of either the server or of the network, but merely just to demonstrate paging. Also, the usual security comments apply, you shouldn't hardcode credentials in an application, authentication should either use Kerberos (JAAS & GSSAPI) or if using simple authentication, secured using SSL or TLS, and and any sensitive information communicated between the client and the server should also take place over SSL or TLS. ATTRIBUTE RANGE RETRIEVAL (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/attribute_range_retrieval.asp): ------------------------- A multi-valued attribute can have almost any number of values. In many cases, it may be advantageous, or even necessary, to limit the range of values that are retrieved by a query. Range retrieval involves requesting a limited number of attribute values in a single query. The number of values requested must be less than, or equal to, the maximum number of values supported by the server. To reduce the number of times the query must contact the server, the number of values requested should be as close to this maximum as possible. To enable an application to work correctly with all Windows servers, a maximum number of 1000 should be used. The range specifiers for a property query require the following form: range=- where "" is the zero-based index of the first property value to retrieve and "" is the zero-based index of the last property value to retrieve. Zero is used for "" to specify the first entry. The wildcard character (*) can be used for "" to specify all remaining entries. The following table lists examples of range specifiers. Example Description ----------------------------------------------------------------------------------------------------------- range=0-* Retrieve all property values. This is subject to limits imposed by the server. range=0-500 Retrieve from 1st to 501st values inclusively. range=2-3 Retrieve 3rd and 4th values. range=501-* Retrieve the 502nd and all remaining values. This is subject to limits imposed by the server. OPTIMIZING THE LOGIN PROCESS ---------------------------- Ordinarily when Active Directory authenticates a user, it assembles all of the authorization data and builds a Windows security token containing all of the user's security identifiers (group membership, privileges etc.). While this is appropriate for authenticating user's into a Windows network, it may incur additional performance overhead and may not be appropriate for many Intranet or Extranet application scenarios, where all that is required is a simple verification of a user's name & password. In order to support this simple scenario, Windows Server 2003 introduced a LDAP Connection Control that does not incur the overhead of assembling all of the user's Windows authorization information during the LDAP bind operation. This control is described at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_fast_bind_oid.asp To use the Active Directory LDAP Fast Bind Control in Java & JNDI, simply request the control during the connection request. In checkPassword( ...) the LdapContext is initialized with the connection control and subsequent authentication checks are performed by invoking the Context.reconnect method. USED CONTROLS: --------------- range retrieval control: 1.2.840.113556.1.4.802 fast bind connection control: 1.2.840.113556.1.4.1781

Field Summary

Fields inherited from class de.hybris.platform.ldap.connection.JNDIConnectionImpl

connectionData, connectionManager, LDAP_RETRY_ERROR, ldapConnection, maxRetries

Method Summary

Modifier and Type	Method and Description
void	changePassword(DirContext ctx, String argRDN, String oldPassword, String newPassword) changes the user password CAUTION: In order to change/modify password attr.
boolean	checkPassword(String searchbase, String login, char[] plainPassword) content of 'searchbase' will be filtered by the configured implementation of LDAPInputFilter (@see ldap-spring.xml)
protected byte[]	parseControls(Control[] controls)
protected Collection<LDAPGenericObject>	rawSearchSubTree_UsingRangeRetrieval(String searchbase, String filter, int limit, int timeout, String[] returnAttributes)
protected Collection<LDAPGenericObject>	rawSearchSubTree(String searchbase, String filter, int limit, int timeout, String[] returnAttributes) TODO parameter searchscope && followReferral !!!

Methods inherited from class de.hybris.platform.ldap.connection.JNDIConnectionImpl

appendRootDN, close, encodePassword, getConnectionManager, getCurrentInitialLdapContext, getNameFromSearchResult, getNameFromString, list, rawSearchBaseEntry, rawSearchOneLevel, read, read, retryConnection, searchBaseEntry, searchBaseEntry, searchOneLevel, searchOneLevel, searchSubTree, searchSubTree, sendingEmptyBaseDNsearchQueries, wipePassword

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

rawSearchSubTree

protected Collection<LDAPGenericObject> rawSearchSubTree(String searchbase,
                                                         String filter,
                                                         int limit,
                                                         int timeout,
                                                         String[] returnAttributes)
                                                  throws LDAPOperationException,
                                                         LDAPUnavailableException,
                                                         NamingException

Description copied from class: JNDIConnectionImpl

TODO parameter searchscope && followReferral !!!

Overrides:

rawSearchSubTree in class JNDIConnectionImpl

Parameters:

searchbase - content of 'searchbase' will be filtered by the configured implementation of LDAPInputFilter (@see ldap-spring.xml)

Throws:

LDAPOperationException

LDAPUnavailableException

NamingException

rawSearchSubTree_UsingRangeRetrieval

protected Collection<LDAPGenericObject> rawSearchSubTree_UsingRangeRetrieval(String searchbase,
                                                                             String filter,
                                                                             int limit,
                                                                             int timeout,
                                                                             String[] returnAttributes)
                                                                      throws LDAPOperationException,
                                                                             LDAPUnavailableException,
                                                                             NamingException

Parameters:

searchbase - content of 'searchbase' will be filtered by the configured implementation of LDAPInputFilter (@see ldap-spring.xml)

filter -

limit -

timeout -

returnAttributes -

Returns:

result

Throws:

LDAPOperationException

LDAPUnavailableException

NamingException

checkPassword

public boolean checkPassword(String searchbase,
                             String login,
                             char[] plainPassword)

Description copied from class: JNDIConnectionImpl

content of 'searchbase' will be filtered by the configured implementation of LDAPInputFilter (@see ldap-spring.xml)

Specified by:

checkPassword in interface LDAPConnection

Overrides:

checkPassword in class JNDIConnectionImpl

parseControls

protected byte[] parseControls(Control[] controls)
                        throws NamingException

Throws:

NamingException

changePassword

public void changePassword(DirContext ctx,
                           String argRDN,
                           String oldPassword,
                           String newPassword)
                    throws NamingException

changes the user password CAUTION: In order to change/modify password attr. in AD you MUST use SSL (LDAPS) to do so

Specified by:

changePassword in interface LDAPConnection

Overrides:

changePassword in class JNDIConnectionImpl

Parameters:

ctx - directory context

argRDN - the name of the object whose attributes will be updated

oldPassword -

newPassword -

Throws:

NamingException