Class SurrogateLdapAuthenticationProperties
java.lang.Object
org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties
org.apereo.cas.configuration.model.support.ldap.AbstractLdapSearchProperties
org.apereo.cas.configuration.model.support.surrogate.SurrogateLdapAuthenticationProperties
- All Implemented Interfaces:
Serializable
@RequiresModule(name="cas-server-support-surrogate-authentication-ldap")
public class SurrogateLdapAuthenticationProperties
extends AbstractLdapSearchProperties
- Since:
- 5.1.0
- See Also:
-
Nested Class Summary
Nested classes/interfaces inherited from class org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties
AbstractLdapProperties.LdapConnectionPoolPassivator, AbstractLdapProperties.LdapConnectionStrategy, AbstractLdapProperties.LdapHostnameVerifierOptions, AbstractLdapProperties.LdapTrustManagerOptions, AbstractLdapProperties.LdapType
-
Constructor Summary
-
Method Summary
Method and Description
getMemberAttributeName()
Attribute that must be found on the LDAP entry linked to the admin user that tags the account as authorized for impersonation.
getMemberAttributeValueRegex()
A pattern that is matched against the attribute value of the admin user, that allows for further authorization of the admin user and accounts qualified for impersonation.
getSurrogateSearchFilter()
LDAP search filter used to locate the surrogate account.
getSurrogateValidationFilter()
An optional LDAP validation filter that attempts to look for surrogate/impersonatee account in LDAP once authorization has been granted via getSurrogateSearchFilter().
setMemberAttributeName(String memberAttributeName)
Attribute that must be found on the LDAP entry linked to the admin user that tags the account as authorized for impersonation.
setMemberAttributeValueRegex(String memberAttributeValueRegex)
A pattern that is matched against the attribute value of the admin user, that allows for further authorization of the admin user and accounts qualified for impersonation.
setSurrogateSearchFilter(String surrogateSearchFilter)
LDAP search filter used to locate the surrogate account.
setSurrogateValidationFilter(String surrogateValidationFilter)
An optional LDAP validation filter that attempts to look for surrogate/impersonatee account in LDAP once authorization has been granted via getSurrogateSearchFilter().
Methods inherited from class org.apereo.cas.configuration.model.support.ldap.AbstractLdapSearchProperties
getBaseDn, getPageSize, getSearchEntryHandlers, getSearchFilter, isSubtreeSearch, setBaseDn, setPageSize, setSearchEntryHandlers, setSearchFilter, setSubtreeSearch
Methods inherited from class org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties
getBinaryAttributes, getBindCredential, getBindDn, getBlockWaitTime, getConnectionStrategy, getConnectTimeout, getHostnameVerifier, getIdleTime, getKeystore, getKeystorePassword, getKeystoreType, getLdapUrl, getMaxPoolSize, getMinPoolSize, getName, getPoolPassivator, getPrunePeriod, getResponseTimeout, getSaslAuthorizationId, getSaslMechanism, getSaslMutualAuth, getSaslQualityOfProtection, getSaslRealm, getSaslSecurityStrength, getTrustCertificates, getTrustManager, getTrustStore, getTrustStorePassword, getTrustStoreType, getValidatePeriod, getValidateTimeout, getValidator, isAllowMultipleDns, isAllowMultipleEntries, isDisablePooling, isFailFast, isFollowReferrals, isUseStartTls, isValidateOnCheckout, isValidatePeriodically, setAllowMultipleDns, setAllowMultipleEntries, setBinaryAttributes, setBindCredential, setBindDn, setBlockWaitTime, setConnectionStrategy, setConnectTimeout, setDisablePooling, setFailFast, setFollowReferrals, setHostnameVerifier, setIdleTime, setKeystore, setKeystorePassword, setKeystoreType, setLdapUrl, setMaxPoolSize, setMinPoolSize, setName, setPoolPassivator, setPrunePeriod, setResponseTimeout, setSaslAuthorizationId, setSaslMechanism, setSaslMutualAuth, setSaslQualityOfProtection, setSaslRealm, setSaslSecurityStrength, setTrustCertificates, setTrustManager, setTrustStore, setTrustStorePassword, setTrustStoreType, setUseStartTls, setValidateOnCheckout, setValidatePeriod, setValidatePeriodically, setValidateTimeout, setValidator
-
Constructor Details
-
SurrogateLdapAuthenticationProperties
public SurrogateLdapAuthenticationProperties()
-
-
Method Details
-
getSurrogateSearchFilter
LDAP search filter used to locate the surrogate account. The query is expected to determine whether the primary user is authorized to impersonate the given account. These fields may be referred to in the LDAP search query via {user} and {surrogate} placeholders. If the query result yields a value that points to an LDAP entry, impersonation is authorized for the given accounts. An example might be:
(&(uid={user})(xyzMemberOf=actAs:{surrogate}))
-
getMemberAttributeName
Attribute that must be found on the LDAP entry linked to the admin user that tags the account as authorized for impersonation. All attribute values are then compared against the pattern you specify in getMemberAttributeValueRegex().
-
getMemberAttributeValueRegex
A pattern that is matched against the attribute value of the admin user, that allows for further authorization of the admin user and accounts qualified for impersonation. The regular expression pattern is expected to contain at least a single group whose value, on a successful match, identifies the account that the admin user is qualified to impersonate.
-
getSurrogateValidationFilter
An optional LDAP validation filter that attempts to look for surrogate/impersonatee account in LDAP once authorization has been granted via getSurrogateSearchFilter(). You can use this validation filter to ensure the surrogate/impersonatee does exist in LDAP. The LDAP filter may use {surrogate} as a placeholder in the filter to locate the surrogate account. An example might be:
(&(uid={surrogate})(authorized=TRUE))
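The following is an added example, not part of the CAS Javadoc or the CAS code base: a stand-alone sketch of the semantics described above for the {user}/{surrogate} filter placeholders and for getMemberAttributeValueRegex(). The helper names, the RFC 4515 escaping step, the whole-value match rule, the pattern actAs:(\w+) and the sample attribute values are assumptions constructed for illustration; CAS's own handling may differ.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration; class and helper names are hypothetical, not CAS APIs.
public class SurrogateLdapFilterExample {
    private static final Pattern PLACEHOLDER = Pattern.compile("\\{(user|surrogate)\\}");

    // Escape filter metacharacters (RFC 4515) so a value stays a literal.
    static String escape(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Expand {user} and {surrogate} in a single pass, escaping each value.
    static String expand(String filter, Map<String, String> values) {
        return PLACEHOLDER.matcher(filter).replaceAll(
            m -> Matcher.quoteReplacement(escape(values.get(m.group(1)))));
    }

    // Group 1 of every attribute value that matches the whole pattern.
    static Set<String> allowedSurrogates(List<String> attrValues, String regex) {
        Pattern p = Pattern.compile(regex);
        Set<String> allowed = new TreeSet<>();
        for (String v : attrValues) {
            Matcher m = p.matcher(v);
            if (m.matches()) allowed.add(m.group(1));
        }
        return allowed;
    }

    public static void main(String[] args) {
        String filter = "(&(uid={user})(xyzMemberOf=actAs:{surrogate}))";
        System.out.println(expand(filter, Map.of("user", "casadmin", "surrogate", "jsmith")));
        System.out.println(expand(filter, Map.of("user", "casadmin", "surrogate", "j*")));
        // Constructed sample values of the member attribute on the admin entry.
        List<String> values = List.of("actAs:jsmith", "actAs:mjones", "staff");
        System.out.println(allowedSurrogates(values, "actAs:(\\w+)"));
    }
}
```

Requires Java 9 or later for Matcher.replaceAll with a function argument. Matching the whole attribute value, rather than any substring, keeps a loosely written pattern from qualifying accounts through partial matches.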
-
setSurrogateSearchFilter
LDAP search filter used to locate the surrogate account. The query is expected to determine whether the primary user is authorized to impersonate the given account. These fields may be referred to in the LDAP search query via {user} and {surrogate} placeholders. If the query result yields a value that points to an LDAP entry, impersonation is authorized for the given accounts. An example might be:
(&(uid={user})(xyzMemberOf=actAs:{surrogate}))
- Returns:
this.
-
setMemberAttributeName
Attribute that must be found on the LDAP entry linked to the admin user that tags the account as authorized for impersonation. All attribute values are then compared against the pattern you specify in getMemberAttributeValueRegex().
- Returns:
this.
-
setMemberAttributeValueRegex
public SurrogateLdapAuthenticationProperties setMemberAttributeValueRegex(String memberAttributeValueRegex)
A pattern that is matched against the attribute value of the admin user, that allows for further authorization of the admin user and accounts qualified for impersonation. The regular expression pattern is expected to contain at least a single group whose value, on a successful match, identifies the account that the admin user is qualified to impersonate.
- Returns:
this.
-
setSurrogateValidationFilter
public SurrogateLdapAuthenticationProperties setSurrogateValidationFilter(String surrogateValidationFilter)
An optional LDAP validation filter that attempts to look for surrogate/impersonatee account in LDAP once authorization has been granted via getSurrogateSearchFilter(). You can use this validation filter to ensure the surrogate/impersonatee does exist in LDAP. The LDAP filter may use {surrogate} as a placeholder in the filter to locate the surrogate account. An example might be:
(&(uid={surrogate})(authorized=TRUE))
- Returns:
this.
-