Class ActiveDirectoryConnectionImpl
- All Implemented Interfaces:
LDAPConnection
INTERNAL NOTES (hr):
PAGE RETRIEVAL:
---------------
Problems that come across are queries that return either a large number of results, or a query that returns a multi-valued attribute that contains a large number of values. Active Directory incorporates a number of controls that are designed to ensure optimum performance of the server and to mitigate denial of service attacks.

First of all, paging. By default, Active Directory restricts the total number of results that are returned from an LDAP search to 1000. While this limit can be changed by modifying the LDAP query policy, the recommended approach is to use paged results. Note that this example, which queries for all users that have a value for the mail attribute, uses a page size of 10; not really an optimal use of either the server or of the network, but merely to demonstrate paging. Also, the usual security comments apply: you shouldn't hardcode credentials in an application, authentication should either use Kerberos (JAAS & GSSAPI) or, if using simple authentication, be secured using SSL or TLS, and any sensitive information communicated between the client and the server should also take place over SSL or TLS.
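A paged subtree search with the JNDI PagedResultsControl, as an added example and not code from the hybris class documented here; it assumes the caller has already opened an LdapContext over LDAPS with credentials taken from configuration rather than hardcoded, and the class and method names are illustrative.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

/** Paged subtree search: stays under AD's MaxPageSize (1000) instead of raising the LDAP query policy. */
public class PagedSearchExample {

    /** Returns the DNs of all entries under searchbase matching filter, fetched pageSize entries at a time. */
    public static List<String> searchAllPaged(LdapContext ctx, String searchbase, String filter,
                                              int pageSize, String[] attrs) throws NamingException, IOException {
        List<String> names = new ArrayList<>();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(attrs);
        byte[] cookie = null;
        do {
            // Critical control: the server must honour paging or reject the search outright.
            ctx.setRequestControls(new Control[] { new PagedResultsControl(pageSize, cookie, Control.CRITICAL) });
            NamingEnumeration<SearchResult> results = ctx.search(searchbase, filter, sc);
            while (results.hasMore()) {
                names.add(results.next().getNameInNamespace());
            }
            // The response control carries the cookie for the next page; an empty cookie means this was the last page.
            cookie = null;
            Control[] responses = ctx.getResponseControls();
            if (responses != null) {
                for (Control c : responses) {
                    if (c instanceof PagedResultsResponseControl) {
                        byte[] next = ((PagedResultsResponseControl) c).getCookie();
                        cookie = (next != null && next.length > 0) ? next : null;
                    }
                }
            }
        } while (cookie != null);
        ctx.setRequestControls(null); // do not leak the paging control into later requests on this context
        return names;
    }
}
```

Calling searchAllPaged(ctx, base, "(&(objectClass=user)(mail=*))", 10, new String[] { "mail" }) reproduces the page-size-10 "users with a mail attribute" query mentioned above; in production a page size close to 1000 keeps the round trips down.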
ATTRIBUTE RANGE RETRIEVAL
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/attribute_range_retrieval.asp):
-------------------------
A multi-valued attribute can have almost any number of values. In many cases, it may be advantageous, or even necessary, to limit the range of values that are retrieved by a query. Range retrieval involves requesting a limited number of attribute values in a single query. The number of values requested must be less than, or equal to, the maximum number of values supported by the server. To reduce the number of times the query must contact the server, the number of values requested should be as close to this maximum as possible. To enable an application to work correctly with all Windows servers, a maximum number of 1000 should be used. The range specifiers for a property query require the following form: range=<low>-<high>

Example        Description
-------------  --------------------------------------------------------------------------------------
range=0-*      Retrieve all property values. This is subject to limits imposed by the server.
range=0-500    Retrieve from 1st to 501st values inclusively.
range=2-3      Retrieve 3rd and 4th values.
range=501-*    Retrieve the 502nd and all remaining values. This is subject to limits imposed by the server.
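Range retrieval of a large multi-valued attribute such as a group's member attribute, as an added example and not the rawSearchSubTree_UsingRangeRetrieval implementation; it assumes a bound DirContext, and the DN, attribute name and class name are illustrative. It follows the server's returned range specifier rather than assuming the requested size, and stops on the "-*" form that marks the final chunk.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;

/** Reads every value of a multi-valued AD attribute in chunks of at most rangeSize (1000 for all Windows servers). */
public class RangeRetrievalExample {

    /** Returns all values of attrName on dn by requesting attrName;range=low-high until the server answers with high=*. */
    public static List<String> readAllValues(DirContext ctx, String dn, String attrName, int rangeSize)
            throws NamingException {
        List<String> values = new ArrayList<>();
        int low = 0;
        while (true) {
            String spec = attrName + ";range=" + low + "-" + (low + rangeSize - 1);
            Attributes attrs = ctx.getAttributes(dn, new String[] { spec });
            // AD echoes the attribute back as e.g. "member;range=0-999", or "member;range=1000-*" for the last chunk.
            String returnedId = null;
            NamingEnumeration<String> ids = attrs.getIDs();
            while (ids.hasMore()) {
                String id = ids.next();
                if (id.toLowerCase().startsWith(attrName.toLowerCase() + ";range=")) {
                    returnedId = id;
                }
            }
            if (returnedId == null) {
                // No range response: the attribute is absent or small enough to come back whole.
                Attribute whole = attrs.get(attrName);
                if (whole != null) {
                    for (int i = 0; i < whole.size(); i++) values.add(whole.get(i).toString());
                }
                return values;
            }
            Attribute chunk = attrs.get(returnedId);
            for (int i = 0; i < chunk.size(); i++) values.add(chunk.get(i).toString());
            if (returnedId.endsWith("-*")) {
                return values; // server signalled that this was the final range
            }
            // Next range starts after the high bound the server actually returned, not the one we asked for.
            String high = returnedId.substring(returnedId.lastIndexOf('-') + 1);
            low = Integer.parseInt(high) + 1;
        }
    }
}
```

A call such as readAllValues(ctx, "CN=Large Group,OU=Groups,DC=example,DC=test", "member", 1000) (placeholder DN) walks the group in 1000-value chunks regardless of how many members it has.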
OPTIMIZING THE LOGIN PROCESS
----------------------------
Ordinarily, when Active Directory authenticates a user, it assembles all of the authorization data and builds a Windows security token containing all of the user's security identifiers (group membership, privileges, etc.). While this is appropriate for authenticating users into a Windows network, it may incur additional performance overhead and may not be appropriate for many Intranet or Extranet application scenarios, where all that is required is a simple verification of a user's name and password. In order to support this simple scenario, Windows Server 2003 introduced an LDAP connection control that does not incur the overhead of assembling all of the user's Windows authorization information during the LDAP bind operation. This control is described at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_fast_bind_oid.asp
To use the Active Directory LDAP Fast Bind Control in Java & JNDI, simply request the control during the connection request. In checkPassword(...) the LdapContext is initialized with the connection control and subsequent authentication checks are performed by invoking the Context.reconnect method.

USED CONTROLS:
--------------
range retrieval control: 1.2.840.113556.1.4.802
fast bind connection control: 1.2.840.113556.1.4.1781
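The fast-bind flow described above, as an added example and not this class's own checkPassword: the connection control is passed when the LdapContext is created, and each credential check is a Context.reconnect on that connection. FAST_BIND_OID is the OID listed under USED CONTROLS; the ldaps URL, DN and class name are the caller's, and an empty password is rejected up front because LDAP treats an empty-password simple bind as anonymous rather than as a verified login.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Verifies user passwords with the AD fast bind connection control (LDAP_SERVER_FAST_BIND_OID). */
public class FastBindExample {

    public static final String FAST_BIND_OID = "1.2.840.113556.1.4.1781";

    /** Opens a connection that requests fast bind; ldapsUrl must be ldaps:// because simple binds send the password as-is. */
    public static LdapContext openFastBindContext(String ldapsUrl) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Connection controls go to the constructor (and later to reconnect), not to setRequestControls.
        Control[] connCtls = { new BasicControl(FAST_BIND_OID, Control.CRITICAL, null) };
        return new InitialLdapContext(env, connCtls);
    }

    /** Rebinds on the same fast-bind connection with the user's credentials; true only if the bind succeeds. */
    public static boolean checkPassword(LdapContext ctx, String userDn, char[] password) throws NamingException {
        if (password == null || password.length == 0) {
            return false; // empty credentials would be an anonymous bind, never a verified login
        }
        try {
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, new String(password));
            ctx.reconnect(ctx.getConnectControls()); // keeps the fast bind control on the new bind
            return true;
        } catch (AuthenticationException e) {
            return false;
        } finally {
            ctx.removeFromEnvironment(Context.SECURITY_CREDENTIALS); // do not keep the password in the context
        }
    }
}
```

Keep this context for credential checks only and use a separately bound context for searches; the fast-bind connection skips the authorization-data assembly that ordinary binds perform.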
Field Summary
Fields inherited from class de.hybris.platform.ldap.connection.JNDIConnectionImpl
connectionData, connectionManager, LDAP_RETRY_ERROR, ldapConnection, maxRetries

Method Summary
void changePassword(DirContext ctx, String argRDN, String oldPassword, String newPassword)
    changes the user password
boolean checkPassword(String searchbase, String login, char[] plainPassword)
    content of 'searchbase' will be filtered by the configured implementation of LDAPInputFilter (@see ldap-spring.xml)
protected byte[] parseControls(Control[] controls)
protected Collection<LDAPGenericObject> rawSearchSubTree(String searchbase, String filter, int limit, int timeout, String[] returnAttributes)
    TODO parameter searchscope && followReferral !!!
protected Collection<LDAPGenericObject> rawSearchSubTree_UsingRangeRetrieval(String searchbase, String filter, int limit, int timeout, String[] returnAttributes)
Methods inherited from class de.hybris.platform.ldap.connection.JNDIConnectionImpl
appendRootDN, close, encodePassword, getConnectionManager, getCurrentInitialLdapContext, getNameFromSearchResult, getNameFromString, list, rawSearchBaseEntry, rawSearchOneLevel, read, read, retryConnection, searchBaseEntry, searchBaseEntry, searchOneLevel, searchOneLevel, searchSubTree, searchSubTree, sendingEmptyBaseDNsearchQueries, wipePassword
Method Details

rawSearchSubTree
protected Collection<LDAPGenericObject> rawSearchSubTree(String searchbase, String filter, int limit, int timeout, String[] returnAttributes) throws LDAPOperationException, LDAPUnavailableException, NamingException
Description copied from class: JNDIConnectionImpl
TODO parameter searchscope && followReferral !!!
Overrides:
rawSearchSubTree in class JNDIConnectionImpl
Parameters:
searchbase - content of 'searchbase' will be filtered by the configured implementation of LDAPInputFilter (@see ldap-spring.xml)
Throws:
LDAPOperationException
LDAPUnavailableException
NamingException
rawSearchSubTree_UsingRangeRetrieval
protected Collection<LDAPGenericObject> rawSearchSubTree_UsingRangeRetrieval(String searchbase, String filter, int limit, int timeout, String[] returnAttributes) throws LDAPOperationException, LDAPUnavailableException, NamingException
Parameters:
searchbase - content of 'searchbase' will be filtered by the configured implementation of LDAPInputFilter (@see ldap-spring.xml)
filter -
limit -
timeout -
returnAttributes -
Returns:
result
Throws:
LDAPOperationException
LDAPUnavailableException
NamingException
checkPassword
boolean checkPassword(String searchbase, String login, char[] plainPassword)
Description copied from class: JNDIConnectionImpl
content of 'searchbase' will be filtered by the configured implementation of LDAPInputFilter (@see ldap-spring.xml)
Specified by:
checkPassword in interface LDAPConnection
Overrides:
checkPassword in class JNDIConnectionImpl
parseControls
protected byte[] parseControls(Control[] controls) throws NamingException
Throws:
NamingException
changePassword
public void changePassword(DirContext ctx, String argRDN, String oldPassword, String newPassword) throws NamingException
changes the user password
CAUTION: In order to change/modify the password attribute in AD you MUST use SSL (LDAPS) to do so.
Specified by:
changePassword in interface LDAPConnection
Overrides:
changePassword in class JNDIConnectionImpl
Parameters:
ctx - directory context
argRDN - the name of the object whose attributes will be updated
oldPassword -
newPassword -
Throws:
NamingException