Class AbstractLdapProperties
java.lang.Object
org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties
- All Implemented Interfaces: Serializable, CasFeatureModule
- Direct Known Subclasses: AbstractLdapSearchProperties, LdapMonitorProperties
@RequiresModule(name="cas-server-support-ldap-core")
public abstract class AbstractLdapProperties
extends Object
implements Serializable, CasFeatureModule
This is AbstractLdapProperties.
- Since: 5.0.0
Nested Class Summary
- static enum: The ldap connection pool passivator.
- static enum: Describe ldap connection strategies.
- static enum: Describe hostname verification strategies.
- static enum: Describe trust manager strategies.
- static enum: The ldap type used to handle specific ops.
Nested classes/interfaces inherited from interface org.apereo.cas.configuration.features.CasFeatureModule:
CasFeatureModule.FeatureCatalog
Constructor Summary
- AbstractLdapProperties()
Method Summary
Getters:
- getBinaryAttributes(): Indicate the collection of attributes that are to be tagged and processed as binary attributes by the underlying search resolver.
- getBindCredential(): The bind credential to use when connecting to LDAP.
- getBindDn(): The bind DN to use when connecting to LDAP.
- getBlockWaitTime(): The length of time the pool will block.
- getConnectionStrategy(): If multiple URLs are provided as the ldapURL, this describes how each URL will be processed.
- getConnectTimeout(): Sets the maximum amount of time that connects will block.
- getHostnameVerifier(): Hostname verification options.
- getIdleTime(): Removes connections from the pool based on how long they have been idle in the available queue.
- getKeystore(): Path to the keystore used for SSL connections.
- getKeystorePassword(): Keystore password.
- getKeystoreType(): The type of keystore.
- getLdapUrl(): The LDAP URL to the server.
- int getMaxPoolSize(): Maximum LDAP connection pool size which the pool can use to grow.
- int getMinPoolSize(): Minimum LDAP connection pool size.
- getName(): Name of the LDAP handler.
- getPoolPassivator(): You may receive unexpected LDAP failures when CAS is configured to authenticate using DIRECT or AUTHENTICATED types and LDAP is locked down to not allow anonymous binds/searches.
- getPrunePeriod(): Removes connections from the pool based on how long they have been idle in the available queue.
- getResponseTimeout(): Duration of time to wait for responses.
- getSaslAuthorizationId(): SASL authorization id.
- getSaslMechanism(): The SASL mechanism.
- getSaslMutualAuth(): Whether SASL mutual auth is enabled.
- getSaslQualityOfProtection(): SASL quality of protection.
- getSaslRealm(): The SASL realm.
- getSaslSecurityStrength(): SASL security strength.
- getTrustCertificates(): Path of the trust certificates to use for the SSL connection.
- getTrustManager(): Trust Manager options.
- getTrustStore(): Path to the keystore used to determine which certificates or certificate authorities should be trusted.
- getTrustStorePassword(): Password needed to open the truststore.
- getTrustStoreType(): The type of trust keystore that determines which certificates or certificate authorities are trusted.
- getValidatePeriod(): Period at which the pool should be validated.
- getValidateTimeout(): Period at which validation operations may time out.
- getValidator(): LDAP connection validator settings.
- boolean isAllowMultipleDns(): Whether search/query results are allowed to match on multiple DNs, or whether a single unique DN is expected for the result.
- boolean isAllowMultipleEntries(): Set if multiple entries are allowed.
- boolean isDisablePooling(): Whether to use a pooled connection factory in components.
- boolean isFailFast(): Attempt to populate the connection pool early on startup and fail quickly if something goes wrong.
- boolean isFollowReferrals(): Set if search referrals should be followed.
- boolean isUseStartTls(): Whether TLS should be used and enabled when establishing the connection.
- boolean isValidateOnCheckout(): Whether connections should be validated when loaned out from the pool.
- boolean isValidatePeriodically(): Whether connections should be validated periodically when the pool is idle.
Setters (each returns this):
- setAllowMultipleDns(boolean allowMultipleDns): Whether search/query results are allowed to match on multiple DNs, or whether a single unique DN is expected for the result.
- setAllowMultipleEntries(boolean allowMultipleEntries): Set if multiple entries are allowed.
- setBinaryAttributes(List<String> binaryAttributes): Indicate the collection of attributes that are to be tagged and processed as binary attributes by the underlying search resolver.
- setBindCredential(String bindCredential): The bind credential to use when connecting to LDAP.
- setBindDn: The bind DN to use when connecting to LDAP.
- setBlockWaitTime(String blockWaitTime): The length of time the pool will block.
- setConnectionStrategy(String connectionStrategy): If multiple URLs are provided as the ldapURL, this describes how each URL will be processed.
- setConnectTimeout(String connectTimeout): Sets the maximum amount of time that connects will block.
- setDisablePooling(boolean disablePooling): Whether to use a pooled connection factory in components.
- setFailFast(boolean failFast): Attempt to populate the connection pool early on startup and fail quickly if something goes wrong.
- setFollowReferrals(boolean followReferrals): Set if search referrals should be followed.
- setHostnameVerifier(AbstractLdapProperties.LdapHostnameVerifierOptions hostnameVerifier): Hostname verification options.
- setIdleTime(String idleTime): Removes connections from the pool based on how long they have been idle in the available queue.
- setKeystore(String keystore): Path to the keystore used for SSL connections.
- setKeystorePassword(String keystorePassword): Keystore password.
- setKeystoreType(String keystoreType): The type of keystore.
- setLdapUrl(String ldapUrl): The LDAP URL to the server.
- setMaxPoolSize(int maxPoolSize): Maximum LDAP connection pool size which the pool can use to grow.
- setMinPoolSize(int minPoolSize): Minimum LDAP connection pool size.
- setName: Name of the LDAP handler.
- setPoolPassivator(String poolPassivator): You may receive unexpected LDAP failures when CAS is configured to authenticate using DIRECT or AUTHENTICATED types and LDAP is locked down to not allow anonymous binds/searches.
- setPrunePeriod(String prunePeriod): Removes connections from the pool based on how long they have been idle in the available queue.
- setResponseTimeout(String responseTimeout): Duration of time to wait for responses.
- setSaslAuthorizationId(String saslAuthorizationId): SASL authorization id.
- setSaslMechanism(String saslMechanism): The SASL mechanism.
- setSaslMutualAuth(Boolean saslMutualAuth): Whether SASL mutual auth is enabled.
- setSaslQualityOfProtection(String saslQualityOfProtection): SASL quality of protection.
- setSaslRealm(String saslRealm): The SASL realm.
- setSaslSecurityStrength(String saslSecurityStrength): SASL security strength.
- setTrustCertificates(String trustCertificates): Path of the trust certificates to use for the SSL connection.
- setTrustManager(String trustManager): Trust Manager options.
- setTrustStore(String trustStore): Path to the keystore used to determine which certificates or certificate authorities should be trusted.
- setTrustStorePassword(String trustStorePassword): Password needed to open the truststore.
- setTrustStoreType(String trustStoreType): The type of trust keystore that determines which certificates or certificate authorities are trusted.
- setUseStartTls(boolean useStartTls): Whether TLS should be used and enabled when establishing the connection.
- setValidateOnCheckout(boolean validateOnCheckout): Whether connections should be validated when loaned out from the pool.
- setValidatePeriod(String validatePeriod): Period at which the pool should be validated.
- setValidatePeriodically(boolean validatePeriodically): Whether connections should be validated periodically when the pool is idle.
- setValidateTimeout(String validateTimeout): Period at which validation operations may time out.
- setValidator(LdapValidatorProperties validator): LDAP connection validator settings.
Methods inherited from class java.lang.Object:
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.apereo.cas.configuration.features.CasFeatureModule:
isDefined, isUndefined
Constructor Details
- AbstractLdapProperties
public AbstractLdapProperties()
Method Details
- getTrustCertificates
Path of the trust certificates to use for the SSL connection. Ignores keystore-related settings when activated and used.
- getKeystore
Path to the keystore used for SSL connections. Typically contains SSL certificates for the LDAP server.
- getKeystorePassword
Keystore password.
- getKeystoreType
The type of keystore: PKCS12 or JKS. If left blank, defaults to the default keystore type indicated by the underlying Java platform.
- getTrustStore
Path to the keystore used to determine which certificates or certificate authorities should be trusted. Used when connecting to an LDAP server via an LDAPS or StartTLS connection. If left blank, the default truststore for the Java runtime is used.
- getTrustStorePassword
Password needed to open the truststore.
- getTrustStoreType
The type of trust keystore that determines which certificates or certificate authorities are trusted. Types depend on the underlying Java platform, typically PKCS12 or JKS. If left blank, defaults to the default keystore type indicated by the underlying Java platform.
- isDisablePooling
public boolean isDisablePooling()
Whether to use a pooled connection factory in components.
- getMinPoolSize
public int getMinPoolSize()
Minimum LDAP connection pool size. Size the pool should be initialized to and pruned to.
- getMaxPoolSize
public int getMaxPoolSize()
Maximum LDAP connection pool size which the pool can use to grow.
- getPoolPassivator
You may receive unexpected LDAP failures when CAS is configured to authenticate using DIRECT or AUTHENTICATED types and LDAP is locked down to not allow anonymous binds/searches. Every second attempt with a given LDAP connection from the pool would fail if it was on the same connection as a failed login attempt, and the regular connection validator would similarly fail. When a connection is returned to the pool, it may still contain the principal and credentials from the previous attempt. Before the next bind attempt using that connection, the validator tries to validate the connection again but fails, because it is no longer trying with the configured bind credentials but with whatever user DN was used in the previous step. Given the validation failure, the connection is closed and CAS would deny access by default. Passivators attempt to reconnect to LDAP with the configured bind credentials, effectively resetting the connection to what it should be after each bind request. Furthermore, if you are seeing errors in the logs that resemble an 'Operation exception encountered, reopening connection' message, this usually indicates that the connection pool's validation timeout established by CAS is greater than the timeout configured in the LDAP server or, more likely, in the load balancer in front of the LDAP servers. You can adjust the LDAP server session's timeout for connections, or you can teach CAS to use a validity period that is equal to or less than the LDAP server session's timeout. Accepted values are:
  - NONE: No passivation takes place.
  - BIND: The default behavior, which passivates a connection by performing a bind operation on it. This option requires the availability of bind credentials when establishing connections to LDAP.
- isValidateOnCheckout
public boolean isValidateOnCheckout()
Whether connections should be validated when loaned out from the pool.
- isValidatePeriodically
public boolean isValidatePeriodically()
Whether connections should be validated periodically when the pool is idle.
- getValidateTimeout
Period at which validation operations may time out.
- getValidatePeriod
Period at which the pool should be validated.
- isFailFast
public boolean isFailFast()
Attempt to populate the connection pool early on startup and fail quickly if something goes wrong.
- getIdleTime
Removes connections from the pool based on how long they have been idle in the available queue. Prunes connections that have been idle for more than the indicated amount.
- getPrunePeriod
Removes connections from the pool based on how long they have been idle in the available queue. Runs the pruning process at the indicated interval.
- getBlockWaitTime
The length of time the pool will block. By default the pool will block indefinitely, and there is no guarantee that waiting threads will be serviced in the order in which they made their request. This option should be used with a blocking connection pool when you need to control the exact number of connections that can be created.
- getConnectionStrategy
If multiple URLs are provided as the ldapURL, this describes how each URL will be processed:
  - ACTIVE_PASSIVE: The first LDAP URL will be used for every request unless it fails, and then the next one will be used.
  - ROUND_ROBIN: For each new connection the next URL in the list will be used.
  - RANDOM: For each new connection a random LDAP URL will be selected.
  - DNS_SRV: LDAP URLs based on DNS SRV records of the configured/given LDAP URL will be used.
- getLdapUrl
The LDAP URL to the server. More than one may be specified, separated by space and/or comma.
- isUseStartTls
public boolean isUseStartTls()
Whether TLS should be used and enabled when establishing the connection.
- getConnectTimeout
Sets the maximum amount of time that connects will block.
- getResponseTimeout
Duration of time to wait for responses.
- isAllowMultipleDns
public boolean isAllowMultipleDns()
Whether search/query results are allowed to match on multiple DNs, or whether a single unique DN is expected for the result.
- getBindDn
The bind DN to use when connecting to LDAP. LDAP connection configuration injected into the LDAP connection pool can be initialized with the following parameters:
  - bindDn/bindCredential provided: Use the provided credentials to bind when initializing connections.
  - bindDn/bindCredential set to *: Use a fast-bind strategy to initialize the pool.
  - bindDn/bindCredential set to blank: Skip connection initializing; perform operations anonymously.
  - SASL mechanism provided: Use the given SASL mechanism to bind when initializing connections.
- getBindCredential
The bind credential to use when connecting to LDAP.
- getSaslRealm
The SASL realm.
- getSaslMechanism
The SASL mechanism.
- getSaslAuthorizationId
SASL authorization id.
- getSaslSecurityStrength
SASL security strength.
- getSaslMutualAuth
Whether SASL mutual auth is enabled.
- getSaslQualityOfProtection
SASL quality of protection.
- getValidator
LDAP connection validator settings.
- getHostnameVerifier
Hostname verification options.
- getTrustManager
Trust Manager options. Trust managers are responsible for managing the trust material that is used when making LDAP trust decisions, and for deciding whether credentials presented by a peer should be accepted. Accepted values are:
  - DEFAULT: Enable and force the default JVM trust managers.
  - ANY: Trust any client or server.
- getName
Name of the LDAP handler.
- isAllowMultipleEntries
public boolean isAllowMultipleEntries()
Set if multiple entries are allowed.
- isFollowReferrals
public boolean isFollowReferrals()
Set if search referrals should be followed.
- getBinaryAttributes
Indicate the collection of attributes that are to be tagged and processed as binary attributes by the underlying search resolver.
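The following is an added example and not CAS's own code or configuration. It drives the fluent setters documented above to build a weak and a hardened instance of this class, and then audits an instance for the settings the getTrustManager, getHostnameVerifier, isUseStartTls, getBindDn and getPoolPassivator descriptions warn about, including the validation-period versus server/load-balancer timeout mismatch behind the "Operation exception encountered, reopening connection" message. Host names, paths, the service DN, the environment variable names and the 10-minute load-balancer timeout are constructed; the enum constants LdapHostnameVerifierOptions.DEFAULT and ANY, and the ISO-8601 form of validatePeriod that Duration.parse can read, are assumptions not taken from this page. The anonymous subclass works because the page lists no abstract methods on AbstractLdapProperties.

```java
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties;
import org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties.LdapHostnameVerifierOptions;

/** Added audit example; not part of CAS. */
public final class LdapPropertiesAudit {

    /** Weak settings: cleartext LDAP, any certificate and host name trusted, anonymous bind, no passivator. */
    static AbstractLdapProperties weakSettings() {
        // Anonymous subclass: the page lists no abstract methods, so this is enough to use the setters.
        return new AbstractLdapProperties() {}
                .setLdapUrl("ldap://ldap1.example.test:389, ldap://ldap2.example.test:389") // constructed hosts
                .setConnectionStrategy("ACTIVE_PASSIVE")
                .setUseStartTls(false)
                .setTrustManager("ANY")
                .setHostnameVerifier(LdapHostnameVerifierOptions.ANY) // assumed enum constant
                .setBindDn("")
                .setBindCredential("")
                .setPoolPassivator("NONE")
                .setValidatePeriod("PT30M"); // assumed ISO-8601 duration form
    }

    /** The same directory, hardened: LDAPS, JVM trust store, strict host name check, service bind, BIND passivator. */
    static AbstractLdapProperties hardenedSettings() {
        return new AbstractLdapProperties() {}
                .setLdapUrl("ldaps://ldap1.example.test:636, ldaps://ldap2.example.test:636")
                .setConnectionStrategy("ACTIVE_PASSIVE")
                .setTrustManager("DEFAULT")
                .setHostnameVerifier(LdapHostnameVerifierOptions.DEFAULT) // assumed enum constant
                .setTrustStore("/etc/cas/ldap-truststore.p12")             // constructed path
                .setTrustStorePassword(System.getenv("CAS_LDAP_TRUSTSTORE_PASSWORD")) // constructed variable name
                .setTrustStoreType("PKCS12")
                .setBindDn("cn=cas-svc,ou=services,dc=example,dc=test")     // constructed service DN
                .setBindCredential(System.getenv("CAS_LDAP_BIND_PASSWORD")) // constructed variable name
                .setPoolPassivator("BIND")
                .setValidatePeriod("PT5M")
                .setValidateTimeout("PT5S");
    }

    /** Returns one finding per risky setting; an empty list means nothing on this page's checklist was flagged. */
    static List<String> audit(AbstractLdapProperties p, Duration serverSessionTimeout) {
        List<String> findings = new ArrayList<>();
        if ("ANY".equalsIgnoreCase(p.getTrustManager())) {
            findings.add("trustManager=ANY: any server certificate is accepted, so the session can be intercepted");
        }
        if (p.getHostnameVerifier() == LdapHostnameVerifierOptions.ANY) {
            findings.add("hostnameVerifier=ANY: a certificate valid for any other host is accepted");
        }
        // ldapUrl is documented as a space- and/or comma-separated list; inspect every entry.
        String urls = p.getLdapUrl() == null ? "" : p.getLdapUrl().trim();
        for (String url : urls.split("[\\s,]+")) {
            if (url.startsWith("ldap://") && !p.isUseStartTls()) {
                findings.add("cleartext LDAP without StartTLS: " + url);
            }
        }
        boolean blankBind = isBlank(p.getBindDn()) && isBlank(p.getBindCredential());
        if (blankBind && isBlank(p.getSaslMechanism())) {
            findings.add("blank bindDn/bindCredential and no SASL mechanism: pool connections are opened anonymously");
        }
        if (blankBind && "BIND".equalsIgnoreCase(p.getPoolPassivator())) {
            findings.add("BIND passivator cannot re-bind pooled connections without bind credentials");
        }
        if ("NONE".equalsIgnoreCase(p.getPoolPassivator())) {
            findings.add("poolPassivator=NONE: a returned connection keeps the previous user's bind state");
        }
        // Validation period longer than the server/load-balancer session timeout reopens connections.
        if (p.getValidatePeriod() != null && serverSessionTimeout != null
                && Duration.parse(p.getValidatePeriod()).compareTo(serverSessionTimeout) > 0) {
            findings.add("validatePeriod " + p.getValidatePeriod()
                    + " exceeds the server/load-balancer session timeout " + serverSessionTimeout);
        }
        return findings;
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    public static void main(String[] args) {
        Duration lbIdleTimeout = Duration.ofMinutes(10); // constructed: idle timeout enforced by the load balancer
        System.out.println("weak:     " + audit(weakSettings(), lbIdleTimeout));
        System.out.println("hardened: " + audit(hardenedSettings(), lbIdleTimeout));
    }
}
```

Running main prints five findings for weakSettings (trust manager, host name verifier, two cleartext URLs, anonymous bind, NONE passivator, validate period) and an empty list for hardenedSettings. The audit reads only the getters listed on this page, so it can be pointed at any concrete subclass instance that CAS has bound from its properties.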
- setTrustCertificates
Path of the trust certificates to use for the SSL connection. Ignores keystore-related settings when activated and used.
Returns: this.
- setKeystore
Path to the keystore used for SSL connections. Typically contains SSL certificates for the LDAP server.
Returns: this.
- setKeystorePassword
Keystore password.
Returns: this.
- setKeystoreType
The type of keystore: PKCS12 or JKS. If left blank, defaults to the default keystore type indicated by the underlying Java platform.
Returns: this.
- setTrustStore
Path to the keystore used to determine which certificates or certificate authorities should be trusted. Used when connecting to an LDAP server via an LDAPS or StartTLS connection. If left blank, the default truststore for the Java runtime is used.
Returns: this.
- setTrustStorePassword
Password needed to open the truststore.
Returns: this.
- setTrustStoreType
The type of trust keystore that determines which certificates or certificate authorities are trusted. Types depend on the underlying Java platform, typically PKCS12 or JKS. If left blank, defaults to the default keystore type indicated by the underlying Java platform.
Returns: this.
- setDisablePooling
Whether to use a pooled connection factory in components.
Returns: this.
- setMinPoolSize
Minimum LDAP connection pool size. Size the pool should be initialized to and pruned to.
Returns: this.
- setMaxPoolSize
Maximum LDAP connection pool size which the pool can use to grow.
Returns: this.
- setPoolPassivator
You may receive unexpected LDAP failures when CAS is configured to authenticate using DIRECT or AUTHENTICATED types and LDAP is locked down to not allow anonymous binds/searches. Every second attempt with a given LDAP connection from the pool would fail if it was on the same connection as a failed login attempt, and the regular connection validator would similarly fail. When a connection is returned to the pool, it may still contain the principal and credentials from the previous attempt. Before the next bind attempt using that connection, the validator tries to validate the connection again but fails, because it is no longer trying with the configured bind credentials but with whatever user DN was used in the previous step. Given the validation failure, the connection is closed and CAS would deny access by default. Passivators attempt to reconnect to LDAP with the configured bind credentials, effectively resetting the connection to what it should be after each bind request. Furthermore, if you are seeing errors in the logs that resemble an 'Operation exception encountered, reopening connection' message, this usually indicates that the connection pool's validation timeout established by CAS is greater than the timeout configured in the LDAP server or, more likely, in the load balancer in front of the LDAP servers. You can adjust the LDAP server session's timeout for connections, or you can teach CAS to use a validity period that is equal to or less than the LDAP server session's timeout. Accepted values are:
  - NONE: No passivation takes place.
  - BIND: The default behavior, which passivates a connection by performing a bind operation on it. This option requires the availability of bind credentials when establishing connections to LDAP.
Returns: this.
- setValidateOnCheckout
Whether connections should be validated when loaned out from the pool.
Returns: this.
- setValidatePeriodically
Whether connections should be validated periodically when the pool is idle.
Returns: this.
- setValidateTimeout
Period at which validation operations may time out.
Returns: this.
- setValidatePeriod
Period at which the pool should be validated.
Returns: this.
- setFailFast
Attempt to populate the connection pool early on startup and fail quickly if something goes wrong.
Returns: this.
- setIdleTime
Removes connections from the pool based on how long they have been idle in the available queue. Prunes connections that have been idle for more than the indicated amount.
Returns: this.
- setPrunePeriod
Removes connections from the pool based on how long they have been idle in the available queue. Runs the pruning process at the indicated interval.
Returns: this.
- setBlockWaitTime
The length of time the pool will block. By default the pool will block indefinitely, and there is no guarantee that waiting threads will be serviced in the order in which they made their request. This option should be used with a blocking connection pool when you need to control the exact number of connections that can be created.
Returns: this.
- setConnectionStrategy
If multiple URLs are provided as the ldapURL, this describes how each URL will be processed:
  - ACTIVE_PASSIVE: The first LDAP URL will be used for every request unless it fails, and then the next one will be used.
  - ROUND_ROBIN: For each new connection the next URL in the list will be used.
  - RANDOM: For each new connection a random LDAP URL will be selected.
  - DNS_SRV: LDAP URLs based on DNS SRV records of the configured/given LDAP URL will be used.
Returns: this.
- setLdapUrl
The LDAP URL to the server. More than one may be specified, separated by space and/or comma.
Returns: this.
- setUseStartTls
Whether TLS should be used and enabled when establishing the connection.
Returns: this.
- setConnectTimeout
Sets the maximum amount of time that connects will block.
Returns: this.
- setResponseTimeout
Duration of time to wait for responses.
Returns: this.
- setAllowMultipleDns
Whether search/query results are allowed to match on multiple DNs, or whether a single unique DN is expected for the result.
Returns: this.
- setBindDn
The bind DN to use when connecting to LDAP. LDAP connection configuration injected into the LDAP connection pool can be initialized with the following parameters:
  - bindDn/bindCredential provided: Use the provided credentials to bind when initializing connections.
  - bindDn/bindCredential set to *: Use a fast-bind strategy to initialize the pool.
  - bindDn/bindCredential set to blank: Skip connection initializing; perform operations anonymously.
  - SASL mechanism provided: Use the given SASL mechanism to bind when initializing connections.
Returns: this.
- setBindCredential
The bind credential to use when connecting to LDAP.
Returns: this.
- setSaslRealm
The SASL realm.
Returns: this.
- setSaslMechanism
The SASL mechanism.
Returns: this.
- setSaslAuthorizationId
SASL authorization id.
Returns: this.
- setSaslSecurityStrength
SASL security strength.
Returns: this.
- setSaslMutualAuth
Whether SASL mutual auth is enabled.
Returns: this.
- setSaslQualityOfProtection
SASL quality of protection.
Returns: this.
- setValidator
LDAP connection validator settings.
Returns: this.
- setHostnameVerifier
public AbstractLdapProperties setHostnameVerifier(AbstractLdapProperties.LdapHostnameVerifierOptions hostnameVerifier)
Hostname verification options.
Returns: this.
- setTrustManager
Trust Manager options. Trust managers are responsible for managing the trust material that is used when making LDAP trust decisions, and for deciding whether credentials presented by a peer should be accepted. Accepted values are:
  - DEFAULT: Enable and force the default JVM trust managers.
  - ANY: Trust any client or server.
Returns: this.
- setName
Name of the LDAP handler.
Returns: this.
- setAllowMultipleEntries
Set if multiple entries are allowed.
Returns: this.
- setFollowReferrals
Set if search referrals should be followed.
Returns: this.
- setBinaryAttributes
Indicate the collection of attributes that are to be tagged and processed as binary attributes by the underlying search resolver.
Returns: this.