Class ActiveDirectoryConnectionImpl

java.lang.Object
de.hybris.platform.ldap.connection.JNDIConnectionImpl
de.hybris.platform.ldap.connection.ActiveDirectoryConnectionImpl
All Implemented Interfaces:
LDAPConnection

public class ActiveDirectoryConnectionImpl extends JNDIConnectionImpl
An ActiveDirectory specific LDAPConnection implementation

Supports fail-over to multiple servers.

This implementation will use the ordered list of servers in LDAPConfigProxyItem.

Ordered means that all requests will go to the first server in the configured list as long as it is available.

If that server fails it will go to the next in the list until it finds an available server.

INTERNAL NOTES (hr):

PAGE RETRIEVAL:
---------------
Problems that come up are queries that return either a large number of results, or a query that returns a multi-valued attribute containing a large number of values. Active Directory incorporates a number of controls that are designed to ensure optimum performance of the server and to mitigate denial of service attacks.

First of all, paging. By default, Active Directory restricts the total number of results returned from an LDAP search to 1000. While this limit can be changed by modifying the LDAP query policy, the recommended approach is to use paged results. Note that this example, which queries for all users that have a value for the mail attribute, uses a page size of 10; not really an optimal use of either the server or the network, but merely to demonstrate paging.

Also, the usual security comments apply: you shouldn't hardcode credentials in an application; authentication should either use Kerberos (JAAS & GSSAPI) or, if using simple authentication, be secured using SSL or TLS; and any sensitive information communicated between the client and the server should also take place over SSL or TLS.

ATTRIBUTE RANGE RETRIEVAL (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/attribute_range_retrieval.asp):
-------------------------
A multi-valued attribute can have almost any number of values. In many cases, it may be advantageous, or even necessary, to limit the range of values that are retrieved by a query. Range retrieval involves requesting a limited number of attribute values in a single query. The number of values requested must be less than, or equal to, the maximum number of values supported by the server. To reduce the number of times the query must contact the server, the number of values requested should be as close to this maximum as possible. To enable an application to work correctly with all Windows servers, a maximum number of 1000 should be used.

The range specifiers for a property query require the following form:

range=<low>-<high>

where "<low>" is the zero-based index of the first property value to retrieve and "<high>" is the zero-based index of the last property value to retrieve. Zero is used for "<low>" to specify the first entry. The wildcard character (*) can be used for "<high>" to specify all remaining entries. The following table lists examples of range specifiers.

Example        Description
-------------  ---------------------------------------------------------------------------------------------
range=0-*      Retrieve all property values. This is subject to limits imposed by the server.
range=0-500    Retrieve from 1st to 501st values inclusively.
range=2-3      Retrieve 3rd and 4th values.
range=501-*    Retrieve the 502nd and all remaining values. This is subject to limits imposed by the server.
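An added example (not the hybris implementation) of walking a large multi-valued attribute such as member with the range specifiers from the table, 1000 values per request as the text recommends. It assumes Active Directory's documented reply convention, which the hybris code relies on too: the values come back under an attribute ID that names the range actually delivered ("member;range=0-999"), and the last chunk is marked with the wildcard ("member;range=1000-*"). The method and class names are my own.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;

public class RangeRetrieval {

    // Largest range step that works against all Windows servers (see the text above).
    public static final int RANGE_STEP = 1000;

    /**
     * Parses the upper bound out of a returned attribute ID such as "member;range=0-999".
     * Returns -1 when the server answered with the wildcard ("member;range=1000-*"),
     * i.e. this chunk contained the last values, and null when the ID carries no
     * range option at all (the server delivered the whole attribute in one go).
     */
    public static Integer parseRangeHigh(String attributeId) {
        int idx = attributeId.toLowerCase().indexOf(";range=");
        if (idx < 0) {
            return null;
        }
        String spec = attributeId.substring(idx + ";range=".length());
        String high = spec.substring(spec.indexOf('-') + 1);
        return "*".equals(high) ? Integer.valueOf(-1) : Integer.valueOf(Integer.parseInt(high));
    }

    /** Reads every value of a multi-valued attribute of the entry at dn, RANGE_STEP at a time. */
    public static List<String> readAllValues(DirContext ctx, String dn, String attrName)
            throws NamingException {
        List<String> values = new ArrayList<>();
        int low = 0;
        while (true) {
            String requested = attrName + ";range=" + low + "-" + (low + RANGE_STEP - 1);
            Attributes attrs = ctx.getAttributes(dn, new String[] {requested});

            // The reply ID differs from the requested one, so match on the attribute name prefix.
            Attribute chunk = null;
            NamingEnumeration<? extends Attribute> all = attrs.getAll();
            while (all.hasMore()) {
                Attribute a = all.next();
                if (a.getID().toLowerCase().startsWith(attrName.toLowerCase())) {
                    chunk = a;
                }
            }
            if (chunk == null) {
                break; // attribute absent, or no values at index 'low' or beyond
            }
            NamingEnumeration<?> vals = chunk.getAll();
            while (vals.hasMore()) {
                values.add(String.valueOf(vals.next()));
            }
            Integer high = parseRangeHigh(chunk.getID());
            if (high == null || high == -1) {
                break; // everything delivered, or the server closed the range with '*'
            }
            low = high + 1; // continue exactly where the server stopped
        }
        return values;
    }
}
```

Driving the next request from the bound the server actually returned, rather than from a fixed step, keeps the loop correct against a server whose own maximum is smaller than RANGE_STEP.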

OPTIMIZING THE LOGIN PROCESS
----------------------------
Ordinarily, when Active Directory authenticates a user, it assembles all of the authorization data and builds a Windows security token containing all of the user's security identifiers (group membership, privileges etc.). While this is appropriate for authenticating users into a Windows network, it may incur additional performance overhead and may not be appropriate for many Intranet or Extranet application scenarios, where all that is required is a simple verification of a user's name & password.

In order to support this simple scenario, Windows Server 2003 introduced an LDAP Connection Control that does not incur the overhead of assembling all of the user's Windows authorization information during the LDAP bind operation. This control is described at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_fast_bind_oid.asp

To use the Active Directory LDAP Fast Bind Control in Java & JNDI, simply request the control during the connection request. In checkPassword(...) the LdapContext is initialized with the connection control and subsequent authentication checks are performed by invoking the Context.reconnect method.
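The fast bind flow just described, as an added example rather than the class's own checkPassword(...): the context is opened with the fast bind OID as a connection control, and each password check then changes the principal and credentials in the environment and calls reconnect. The URL is a placeholder; the empty-password guard and the re-use of getConnectControls() on reconnect are my additions, since reconnect(null) would otherwise drop the connection controls.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class FastBindPasswordCheck {

    // LDAP_SERVER_FAST_BIND_OID (listed under USED CONTROLS below).
    public static final String FAST_BIND_OID = "1.2.840.113556.1.4.1781";

    /** Opens a context whose binds will be fast binds; url should be ldaps:// since binds are simple. */
    public static LdapContext openFastBindContext(String url) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Critical, so a server that does not support fast bind rejects the connection
        // instead of silently falling back to a full bind.
        Control[] connCtls = { new BasicControl(FAST_BIND_OID, Control.CRITICAL, null) };
        return new InitialLdapContext(env, connCtls);
    }

    /**
     * Verifies one user's password by re-binding the existing connection.
     * Returns true only when the server accepts the simple bind for that principal.
     */
    public static boolean checkPassword(LdapContext ctx, String userPrincipalName, char[] password)
            throws NamingException {
        // A simple bind with an empty password is an unauthenticated (anonymous) bind and
        // would succeed without proving anything, so refuse it up front.
        if (userPrincipalName == null || userPrincipalName.isEmpty()
                || password == null || password.length == 0) {
            return false;
        }
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userPrincipalName);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, new String(password));
        try {
            // Re-bind with the same connection controls, keeping fast bind in force.
            ctx.reconnect(ctx.getConnectControls());
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password or unknown principal
        } finally {
            // Do not leave the user's password sitting in the context environment.
            ctx.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
        }
    }

    public static void main(String[] args) throws Exception {
        LdapContext ctx = openFastBindContext("ldaps://dc.example.test:636"); // placeholder host
        try {
            boolean ok = checkPassword(ctx, "alice@example.test", System.console().readPassword("Password: "));
            System.out.println(ok ? "password accepted" : "password rejected");
        } finally {
            ctx.close();
        }
    }
}
```

Because a fast bind is always a simple bind, the password crosses the wire as-is; the SSL/TLS requirement from the PAGE RETRIEVAL note applies with full force here, which is why the example only ever opens an ldaps:// URL.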

USED CONTROLS:
--------------
range retrieval control:      1.2.840.113556.1.4.802
fast bind connection control: 1.2.840.113556.1.4.1781