Class AbstractLdapProperties

java.lang.Object
org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties
All Implemented Interfaces:
Serializable
Direct Known Subclasses:
AbstractLdapSearchProperties, LdapMonitorProperties

@RequiresModule(name="cas-server-support-ldap-core") public abstract class AbstractLdapProperties extends Object implements Serializable
Since:
5.0.0
  • Constructor Details

    • AbstractLdapProperties

      public AbstractLdapProperties()
  • Method Details

    • getTrustCertificates

      public String getTrustCertificates()
      Path of the trust certificates to use for the SSL connection. Ignores keystore-related settings when activated and used.
    • getKeystore

      public String getKeystore()
      Path to the keystore used for SSL connections. Typically contains SSL certificates for the LDAP server.
    • getKeystorePassword

      public String getKeystorePassword()
      Keystore password.
    • getKeystoreType

      public String getKeystoreType()
      The type of keystore, PKCS12 or JKS. If left blank, the default keystore type of the underlying Java platform is used.
    • getTrustStore

      public String getTrustStore()
      Path to the keystore used to determine which certificates or certificate authorities should be trusted. Used when connecting to an LDAP server via LDAPS or startTLS connection. If left blank, the default truststore for the Java runtime is used.
    • getTrustStorePassword

      public String getTrustStorePassword()
      Password needed to open the truststore.
    • getTrustStoreType

      public String getTrustStoreType()
      The type of the trust keystore that determines which certificates or certificate authorities are trusted. Available types depend on the underlying Java platform, typically PKCS12 or JKS. If left blank, the default keystore type of the underlying Java platform is used.
    • isDisablePooling

      public boolean isDisablePooling()
      Whether connection pooling should be disabled; when set, components use a non-pooled connection factory instead of a pooled one.
    • getMinPoolSize

      public int getMinPoolSize()
      Minimum LDAP connection pool size: the size the pool is initialized to and pruned down to.
    • getMaxPoolSize

      public int getMaxPoolSize()
      Maximum LDAP connection pool size which the pool can use to grow.
    • getPoolPassivator

      public String getPoolPassivator()
      You may receive unexpected LDAP failures when CAS is configured to authenticate using the DIRECT or AUTHENTICATED types and LDAP is locked down to disallow anonymous binds/searches. Every second attempt with a given LDAP connection from the pool would fail if it was on the same connection as a failed login attempt, and the regular connection validator would similarly fail. When a connection is returned to the pool, it may still carry the principal and credentials from the previous attempt. Before the next bind attempt using that connection, the validator tries to validate the connection again but fails, because it is no longer trying with the configured bind credentials but with whatever user DN was used in the previous step. Given the validation failure, the connection is closed and CAS denies access by default. Passivators attempt to reconnect to LDAP with the configured bind credentials, effectively resetting the connection to what it should be after each bind request. Furthermore, if you are seeing errors in the logs that resemble an 'Operation exception encountered, reopening connection' message, this usually indicates that the connection pool's validation timeout established by CAS is greater than the timeout configured in the LDAP server or, more likely, in the load balancer in front of the LDAP servers. You can adjust the LDAP server session's timeout for connections, or you can configure CAS to use a validity period that is equal to or less than the LDAP server session's timeout. Accepted values are:
      • NONE: No passivation takes place.
      • BIND: The default behavior which passivates a connection by performing a bind operation on it. This option requires the availability of bind credentials when establishing connections to LDAP.
    • isValidateOnCheckout

      public boolean isValidateOnCheckout()
      Whether connections should be validated when loaned out from the pool.
    • isValidatePeriodically

      public boolean isValidatePeriodically()
      Whether connections should be validated periodically when the pool is idle.
    • getValidateTimeout

      public String getValidateTimeout()
      Period at which validation operations may time out.
    • getValidatePeriod

      public String getValidatePeriod()
      Period at which pool should be validated.
    • isFailFast

      public boolean isFailFast()
      Attempt to populate the connection pool early on startup and fail quickly if something goes wrong.
    • getIdleTime

      public String getIdleTime()
      Removes connections from the pool based on how long they have been idle in the available queue. Prunes connections that have been idle for more than the indicated amount.
    • getPrunePeriod

      public String getPrunePeriod()
      Removes connections from the pool based on how long they have been idle in the available queue. Run the pruning process at the indicated interval.
    • getBlockWaitTime

      public String getBlockWaitTime()
      The length of time the pool will block while waiting for a connection. By default the pool blocks indefinitely, and there is no guarantee that waiting threads are serviced in the order in which they made their request. Use this option with a blocking connection pool when you need to control the exact number of connections that can be created.
    • getConnectionStrategy

      public String getConnectionStrategy()
      If multiple URLs are provided as the LDAP URL, this describes how each URL is processed:
      • ACTIVE_PASSIVE: The first LDAP URL is used for every request unless it fails, in which case the next one is used.
      • ROUND_ROBIN: For each new connection, the next URL in the list is used.
      • RANDOM: For each new connection, a random LDAP URL is selected.
      • DNS_SRV: LDAP URLs resolved from the DNS SRV records of the configured LDAP URL are used.
    • getLdapUrl

      public String getLdapUrl()
      The LDAP URL of the server. More than one may be specified, separated by spaces and/or commas.
    • isUseStartTls

      public boolean isUseStartTls()
      Whether the startTLS extended operation should be used to upgrade the connection to TLS when establishing it.
    • getConnectTimeout

      public String getConnectTimeout()
      The maximum amount of time a connect attempt will block.
    • getResponseTimeout

      public String getResponseTimeout()
      Duration of time to wait for responses.
    • isAllowMultipleDns

      public boolean isAllowMultipleDns()
      Whether search/query results are allowed to match on multiple DNs, or whether a single unique DN is expected for the result.
    • getBindDn

      public String getBindDn()
      The bind DN to use when connecting to LDAP. The LDAP connection configuration injected into the connection pool can be initialized with the following parameters:
      • bindDn/bindCredential provided: Use the provided credentials to bind when initializing connections.
      • bindDn/bindCredential set to *: Use a fast-bind strategy to initialize the pool.
      • bindDn/bindCredential set to blank: Skip connection initialization; perform operations anonymously.
      • SASL mechanism provided: Use the given SASL mechanism to bind when initializing connections.
    • getBindCredential

      public String getBindCredential()
      The bind credential to use when connecting to LDAP.
    • getSaslRealm

      public String getSaslRealm()
      The SASL realm.
    • getSaslMechanism

      public String getSaslMechanism()
      The SASL mechanism.
    • getSaslAuthorizationId

      public String getSaslAuthorizationId()
      SASL authorization id.
    • getSaslSecurityStrength

      public String getSaslSecurityStrength()
      SASL security strength.
    • getSaslMutualAuth

      public Boolean getSaslMutualAuth()
      Whether SASL mutual authentication is enabled.
    • getSaslQualityOfProtection

      public String getSaslQualityOfProtection()
      SASL quality of protection.
    • getValidator

      public LdapValidatorProperties getValidator()
      LDAP connection validator settings.
    • getHostnameVerifier

      public AbstractLdapProperties.LdapHostnameVerifierOptions getHostnameVerifier()
      Hostname verification options.
    • getTrustManager

      public String getTrustManager()
      Trust manager options. Trust managers are responsible for managing the trust material used when making LDAP trust decisions, and for deciding whether credentials presented by a peer should be accepted. Accepted values are:
      • DEFAULT: Enable and force the default JVM trust managers.
      • ANY: Trust any client or server.
    • getName

      public String getName()
      Name of the LDAP handler.
    • isAllowMultipleEntries

      public boolean isAllowMultipleEntries()
      Whether multiple entries are allowed in a search result.
    • isFollowReferrals

      public boolean isFollowReferrals()
      Whether search referrals should be followed.
    • getBinaryAttributes

      public List<String> getBinaryAttributes()
      Indicate the collection of attributes that are to be tagged and processed as binary attributes by the underlying search resolver.
    • setTrustCertificates

      public AbstractLdapProperties setTrustCertificates(String trustCertificates)
      Path of the trust certificates to use for the SSL connection. Ignores keystore-related settings when activated and used.
      Returns:
      this.
    • setKeystore

      public AbstractLdapProperties setKeystore(String keystore)
      Path to the keystore used for SSL connections. Typically contains SSL certificates for the LDAP server.
      Returns:
      this.
    • setKeystorePassword

      public AbstractLdapProperties setKeystorePassword(String keystorePassword)
      Keystore password.
      Returns:
      this.
    • setKeystoreType

      public AbstractLdapProperties setKeystoreType(String keystoreType)
      The type of keystore, PKCS12 or JKS. If left blank, the default keystore type of the underlying Java platform is used.
      Returns:
      this.
    • setTrustStore

      public AbstractLdapProperties setTrustStore(String trustStore)
      Path to the keystore used to determine which certificates or certificate authorities should be trusted. Used when connecting to an LDAP server via LDAPS or startTLS connection. If left blank, the default truststore for the Java runtime is used.
      Returns:
      this.
    • setTrustStorePassword

      public AbstractLdapProperties setTrustStorePassword(String trustStorePassword)
      Password needed to open the truststore.
      Returns:
      this.
    • setTrustStoreType

      public AbstractLdapProperties setTrustStoreType(String trustStoreType)
      The type of the trust keystore that determines which certificates or certificate authorities are trusted. Available types depend on the underlying Java platform, typically PKCS12 or JKS. If left blank, the default keystore type of the underlying Java platform is used.
      Returns:
      this.
    • setDisablePooling

      public AbstractLdapProperties setDisablePooling(boolean disablePooling)
      Whether connection pooling should be disabled; when set, components use a non-pooled connection factory instead of a pooled one.
      Returns:
      this.
    • setMinPoolSize

      public AbstractLdapProperties setMinPoolSize(int minPoolSize)
      Minimum LDAP connection pool size: the size the pool is initialized to and pruned down to.
      Returns:
      this.
    • setMaxPoolSize

      public AbstractLdapProperties setMaxPoolSize(int maxPoolSize)
      Maximum LDAP connection pool size which the pool can use to grow.
      Returns:
      this.
    • setPoolPassivator

      public AbstractLdapProperties setPoolPassivator(String poolPassivator)
      You may receive unexpected LDAP failures when CAS is configured to authenticate using the DIRECT or AUTHENTICATED types and LDAP is locked down to disallow anonymous binds/searches. Every second attempt with a given LDAP connection from the pool would fail if it was on the same connection as a failed login attempt, and the regular connection validator would similarly fail. When a connection is returned to the pool, it may still carry the principal and credentials from the previous attempt. Before the next bind attempt using that connection, the validator tries to validate the connection again but fails, because it is no longer trying with the configured bind credentials but with whatever user DN was used in the previous step. Given the validation failure, the connection is closed and CAS denies access by default. Passivators attempt to reconnect to LDAP with the configured bind credentials, effectively resetting the connection to what it should be after each bind request. Furthermore, if you are seeing errors in the logs that resemble an 'Operation exception encountered, reopening connection' message, this usually indicates that the connection pool's validation timeout established by CAS is greater than the timeout configured in the LDAP server or, more likely, in the load balancer in front of the LDAP servers. You can adjust the LDAP server session's timeout for connections, or you can configure CAS to use a validity period that is equal to or less than the LDAP server session's timeout. Accepted values are:
      • NONE: No passivation takes place.
      • BIND: The default behavior which passivates a connection by performing a bind operation on it. This option requires the availability of bind credentials when establishing connections to LDAP.
      Returns:
      this.
    • setValidateOnCheckout

      public AbstractLdapProperties setValidateOnCheckout(boolean validateOnCheckout)
      Whether connections should be validated when loaned out from the pool.
      Returns:
      this.
    • setValidatePeriodically

      public AbstractLdapProperties setValidatePeriodically(boolean validatePeriodically)
      Whether connections should be validated periodically when the pool is idle.
      Returns:
      this.
    • setValidateTimeout

      public AbstractLdapProperties setValidateTimeout(String validateTimeout)
      Period at which validation operations may time out.
      Returns:
      this.
    • setValidatePeriod

      public AbstractLdapProperties setValidatePeriod(String validatePeriod)
      Period at which pool should be validated.
      Returns:
      this.
    • setFailFast

      public AbstractLdapProperties setFailFast(boolean failFast)
      Attempt to populate the connection pool early on startup and fail quickly if something goes wrong.
      Returns:
      this.
    • setIdleTime

      public AbstractLdapProperties setIdleTime(String idleTime)
      Removes connections from the pool based on how long they have been idle in the available queue. Prunes connections that have been idle for more than the indicated amount.
      Returns:
      this.
    • setPrunePeriod

      public AbstractLdapProperties setPrunePeriod(String prunePeriod)
      Removes connections from the pool based on how long they have been idle in the available queue. Run the pruning process at the indicated interval.
      Returns:
      this.
    • setBlockWaitTime

      public AbstractLdapProperties setBlockWaitTime(String blockWaitTime)
      The length of time the pool will block while waiting for a connection. By default the pool blocks indefinitely, and there is no guarantee that waiting threads are serviced in the order in which they made their request. Use this option with a blocking connection pool when you need to control the exact number of connections that can be created.
      Returns:
      this.
    • setConnectionStrategy

      public AbstractLdapProperties setConnectionStrategy(String connectionStrategy)
      If multiple URLs are provided as the LDAP URL, this describes how each URL is processed:
      • ACTIVE_PASSIVE: The first LDAP URL is used for every request unless it fails, in which case the next one is used.
      • ROUND_ROBIN: For each new connection, the next URL in the list is used.
      • RANDOM: For each new connection, a random LDAP URL is selected.
      • DNS_SRV: LDAP URLs resolved from the DNS SRV records of the configured LDAP URL are used.
      Returns:
      this.
    • setLdapUrl

      public AbstractLdapProperties setLdapUrl(String ldapUrl)
      The LDAP URL of the server. More than one may be specified, separated by spaces and/or commas.
      Returns:
      this.
    • setUseStartTls

      public AbstractLdapProperties setUseStartTls(boolean useStartTls)
      Whether the startTLS extended operation should be used to upgrade the connection to TLS when establishing it.
      Returns:
      this.
    • setConnectTimeout

      public AbstractLdapProperties setConnectTimeout(String connectTimeout)
      The maximum amount of time a connect attempt will block.
      Returns:
      this.
    • setResponseTimeout

      public AbstractLdapProperties setResponseTimeout(String responseTimeout)
      Duration of time to wait for responses.
      Returns:
      this.
    • setAllowMultipleDns

      public AbstractLdapProperties setAllowMultipleDns(boolean allowMultipleDns)
      Whether search/query results are allowed to match on multiple DNs, or whether a single unique DN is expected for the result.
      Returns:
      this.
    • setBindDn

      public AbstractLdapProperties setBindDn(String bindDn)
      The bind DN to use when connecting to LDAP. The LDAP connection configuration injected into the connection pool can be initialized with the following parameters:
      • bindDn/bindCredential provided: Use the provided credentials to bind when initializing connections.
      • bindDn/bindCredential set to *: Use a fast-bind strategy to initialize the pool.
      • bindDn/bindCredential set to blank: Skip connection initialization; perform operations anonymously.
      • SASL mechanism provided: Use the given SASL mechanism to bind when initializing connections.
      Returns:
      this.
    • setBindCredential

      public AbstractLdapProperties setBindCredential(String bindCredential)
      The bind credential to use when connecting to LDAP.
      Returns:
      this.
    • setSaslRealm

      public AbstractLdapProperties setSaslRealm(String saslRealm)
      The SASL realm.
      Returns:
      this.
    • setSaslMechanism

      public AbstractLdapProperties setSaslMechanism(String saslMechanism)
      The SASL mechanism.
      Returns:
      this.
    • setSaslAuthorizationId

      public AbstractLdapProperties setSaslAuthorizationId(String saslAuthorizationId)
      SASL authorization id.
      Returns:
      this.
    • setSaslSecurityStrength

      public AbstractLdapProperties setSaslSecurityStrength(String saslSecurityStrength)
      SASL security strength.
      Returns:
      this.
    • setSaslMutualAuth

      public AbstractLdapProperties setSaslMutualAuth(Boolean saslMutualAuth)
      Whether SASL mutual authentication is enabled.
      Returns:
      this.
    • setSaslQualityOfProtection

      public AbstractLdapProperties setSaslQualityOfProtection(String saslQualityOfProtection)
      SASL quality of protection.
      Returns:
      this.
    • setValidator

      public AbstractLdapProperties setValidator(LdapValidatorProperties validator)
      LDAP connection validator settings.
      Returns:
      this.
    • setHostnameVerifier

      public AbstractLdapProperties setHostnameVerifier(AbstractLdapProperties.LdapHostnameVerifierOptions hostnameVerifier)
      Hostname verification options.
      Returns:
      this.
    • setTrustManager

      public AbstractLdapProperties setTrustManager(String trustManager)
      Trust manager options. Trust managers are responsible for managing the trust material used when making LDAP trust decisions, and for deciding whether credentials presented by a peer should be accepted. Accepted values are:
      • DEFAULT: Enable and force the default JVM trust managers.
      • ANY: Trust any client or server.
      Returns:
      this.
    • setName

      public AbstractLdapProperties setName(String name)
      Name of the LDAP handler.
      Returns:
      this.
    • setAllowMultipleEntries

      public AbstractLdapProperties setAllowMultipleEntries(boolean allowMultipleEntries)
      Whether multiple entries are allowed in a search result.
      Returns:
      this.
    • setFollowReferrals

      public AbstractLdapProperties setFollowReferrals(boolean followReferrals)
      Whether search referrals should be followed.
      Returns:
      this.
    • setBinaryAttributes

      public AbstractLdapProperties setBinaryAttributes(List<String> binaryAttributes)
      Indicate the collection of attributes that are to be tagged and processed as binary attributes by the underlying search resolver.
      Returns:
      this.
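
The trust-manager, hostname-verifier, bind-DN and pool-passivator settings documented above interact; the fragment below is an added example, not part of the CAS documentation, showing a weak combination next to its hardened counterpart. It assumes the property keys bind to this class through the `cas.authn.ldap[0]` prefix of the LDAP authentication handler (a subclass of AbstractLdapProperties); the host names, DNs, paths and durations are constructed placeholders.

```properties
# Added example, not from the CAS project. Keys assume the cas.authn.ldap[0]
# prefix; all values are constructed. The two groups are alternatives, not meant
# to be applied in one file (a later key would override an earlier one).

# ---- Weak: TLS in name only -------------------------------------------------
# trust-manager=ANY accepts every server certificate and hostname-verifier=ANY
# accepts any name in it, so anyone able to intercept the path to the directory
# can present their own certificate and read the bind credential and every
# password CAS forwards. Blank bind DN/credential skips pool initialization and
# runs searches anonymously, so misconfiguration is only noticed at first login.
cas.authn.ldap[0].ldap-url=ldaps://ldap.example.org:636
cas.authn.ldap[0].trust-manager=ANY
cas.authn.ldap[0].hostname-verifier=ANY
cas.authn.ldap[0].bind-dn=
cas.authn.ldap[0].bind-credential=

# ---- Hardened ---------------------------------------------------------------
cas.authn.ldap[0].ldap-url=ldaps://ldap1.example.org:636 ldaps://ldap2.example.org:636
cas.authn.ldap[0].connection-strategy=ACTIVE_PASSIVE
cas.authn.ldap[0].trust-manager=DEFAULT
cas.authn.ldap[0].hostname-verifier=DEFAULT
# Pin trust to the organisation's directory CA instead of the JVM-wide store
# (constructed path; the password comes from the environment, not the file).
cas.authn.ldap[0].trust-store=file:/etc/cas/config/ldap-truststore.p12
cas.authn.ldap[0].trust-store-password=${LDAP_TRUSTSTORE_PASSWORD}
cas.authn.ldap[0].trust-store-type=PKCS12
# Dedicated least-privilege service account used to initialize the pool.
cas.authn.ldap[0].bind-dn=cn=cas-svc,ou=services,dc=example,dc=org
cas.authn.ldap[0].bind-credential=${LDAP_BIND_PASSWORD}
# Re-bind as the service account after each user bind, so a connection that
# carried a failed login does not poison the next checkout (poolPassivator).
cas.authn.ldap[0].pool-passivator=BIND
cas.authn.ldap[0].validate-on-checkout=true
cas.authn.ldap[0].validate-periodically=true
# Keep the validation period below the idle timeout of the directory server
# and of any load balancer in front of it; a larger value produces the
# "Operation exception encountered, reopening connection" errors noted above.
cas.authn.ldap[0].validate-period=PT4M
cas.authn.ldap[0].validate-timeout=PT5S
cas.authn.ldap[0].min-pool-size=3
cas.authn.ldap[0].max-pool-size=10
cas.authn.ldap[0].connect-timeout=PT5S
cas.authn.ldap[0].response-timeout=PT5S
# Surface a wrong trust store or bind credential at startup, not at first login.
cas.authn.ldap[0].fail-fast=true
```

With fail-fast enabled, a trust store that does not contain the directory's CA, or a hostname mismatch, stops CAS at startup with a TLS error instead of silently passing because of an ANY trust manager.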