LDAPSecurityRealm (LDAP Plugin 1.17 API)

java.lang.Object
- hudson.model.AbstractDescribableImpl<hudson.security.SecurityRealm>
- - hudson.security.SecurityRealm
  - - hudson.security.AbstractPasswordBasedSecurityRealm
    - - hudson.security.LDAPSecurityRealm

All Implemented Interfaces:: hudson.ExtensionPoint, hudson.model.Describable<hudson.security.SecurityRealm>, org.acegisecurity.userdetails.UserDetailsService

public class LDAPSecurityRealm
extends hudson.security.AbstractPasswordBasedSecurityRealm

SecurityRealm implementation that uses LDAP for authentication.

Key Object Classes

Group Membership

Two object classes seem to be relevant. These are in RFC 2256 and core.schema. These use DN for membership, so it can create a group of anything. I don't know what the difference between these two are.

   attributetype ( 2.5.4.31 NAME 'member'
     DESC 'RFC2256: member of a group'
     SUP distinguishedName )

   attributetype ( 2.5.4.50 NAME 'uniqueMember'
     DESC 'RFC2256: unique member of a group'
     EQUALITY uniqueMemberMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

   objectclass ( 2.5.6.9 NAME 'groupOfNames'
     DESC 'RFC2256: a group of names (DNs)'
     SUP top STRUCTURAL
     MUST ( member $ cn )
     MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

   objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
     DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
     SUP top STRUCTURAL
     MUST ( uniqueMember $ cn )
     MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

This one is from nis.schema, and appears to model POSIX group/user thing more closely.

   objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
     DESC 'Abstraction of a group of accounts'
     SUP top STRUCTURAL
     MUST ( cn $ gidNumber )
     MAY ( userPassword $ memberUid $ description ) )

   attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
     EQUALITY caseExactIA5Match
     SUBSTR caseExactIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

   objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
     DESC 'Abstraction of an account with POSIX attributes'
     SUP top AUXILIARY
     MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
     MAY ( userPassword $ loginShell $ gecos $ description ) )

   attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
     DESC 'An integer uniquely identifying a user in an administrative domain'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

   attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
     DESC 'An integer uniquely identifying a group in an administrative domain'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

Active Directory specific schemas (from here).

   objectclass ( 1.2.840.113556.1.5.8
     NAME 'group'
     SUP top
     STRUCTURAL
     MUST (groupType )
     MAY (member $ nTGroupMembers $ operatorCount $ adminCount $
         groupAttributes $ groupMembershipSAM $ controlAccessRights $
         desktopProfile $ nonSecurityMember $ managedBy $
         primaryGroupToken $ mail ) )

   objectclass ( 1.2.840.113556.1.5.9
     NAME 'user'
     SUP organizationalPerson
     STRUCTURAL
     MAY (userCertificate $ networkAddress $ userAccountControl $
         badPwdCount $ codePage $ homeDirectory $ homeDrive $
         badPasswordTime $ lastLogoff $ lastLogon $ dBCSPwd $
         localeID $ scriptPath $ logonHours $ logonWorkstation $
         maxStorage $ userWorkstations $ unicodePwd $
         otherLoginWorkstations $ ntPwdHistory $ pwdLastSet $
         preferredOU $ primaryGroupID $ userParameters $
         profilePath $ operatorCount $ adminCount $ accountExpires $
         lmPwdHistory $ groupMembershipSAM $ logonCount $
         controlAccessRights $ defaultClassStore $ groupsToIgnore $
         groupPriority $ desktopProfile $ dynamicLDAPServer $
         userPrincipalName $ lockoutTime $ userSharedFolder $
         userSharedFolderOther $ servicePrincipalName $
         aCSPolicyName $ terminalServer $ mSMQSignCertificates $
         mSMQDigests $ mSMQDigestsMig $ mSMQSignCertificatesMig $
         msNPAllowDialin $ msNPCallingStationID $
         msNPSavedCallingStationID $ msRADIUSCallbackNumber $
         msRADIUSFramedIPAddress $ msRADIUSFramedRoute $
         msRADIUSServiceType $ msRASSavedCallbackNumber $
         msRASSavedFramedIPAddress $ msRASSavedFramedRoute $
         mS-DS-CreatorSID ) )

References

Standard Schemas: The downloadable distribution contains schemas that define the structure of LDAP entries. Because this is a standard, we expect most LDAP servers out there to use it, although there are different objectClasses that can be used for similar purposes, and apparently many deployments choose to use different objectClasses.
RFC 2256: Defines the meaning of several key datatypes used in the schemas with some explanations.
Active Directory schema: More navigable schema list, including core and MS extensions specific to Active Directory.

Since:: 1.166
Author:: Kohsuke Kawaguchi

Nested Class Summary

Nested Classes
Modifier and Type	Class and Description
`static class`	`LDAPSecurityRealm.AuthoritiesPopulatorImpl` `LdapAuthoritiesPopulator` that adds the automatic 'authenticated' role.
`static class`	`LDAPSecurityRealm.CacheConfiguration`
`static class`	`LDAPSecurityRealm.DescriptorImpl`
`static class`	`LDAPSecurityRealm.EnvironmentProperty`
`static class`	`LDAPSecurityRealm.LdapAuthenticationProviderImpl`
`static class`	`LDAPSecurityRealm.LDAPUserDetailsService`
`static class`	`LDAPSecurityRealm.MailAdressResolverImpl` If the security realm is LDAP, try to pick up e-mail address from LDAP.

Nested classes/interfaces inherited from class hudson.security.SecurityRealm
hudson.security.SecurityRealm.SecurityComponents

Nested classes/interfaces inherited from interface hudson.ExtensionPoint
hudson.ExtensionPoint.LegacyInstancesAreScopedToHudson

Field Summary

Fields
Modifier and Type	Field and Description
`boolean`	`disableMailAddressResolver`
`static String`	`GROUP_SEARCH` LDAP filter to look for groups by their names.
`String`	`groupMembershipFilter` Deprecated. use `groupMembershipStrategy`
`LDAPGroupMembershipStrategy`	`groupMembershipStrategy` Deprecated.
`String`	`groupSearchBase` Deprecated.
`String`	`groupSearchFilter` Deprecated.
`boolean`	`inhibitInferRootDN` Deprecated.
`static Logger`	`LOGGER`
`String`	`managerDN` Deprecated.
`String`	`rootDN` Deprecated.
`String`	`server` Deprecated.
`String`	`userSearch` Deprecated.
`String`	`userSearchBase` Deprecated.

Fields inherited from class hudson.security.SecurityRealm
AUTHENTICATED_AUTHORITY, LIST, NO_AUTHENTICATION

Constructor Summary

Constructors
Constructor and Description
`LDAPSecurityRealm(List<LDAPConfiguration> configurations, boolean disableMailAddressResolver, LDAPSecurityRealm.CacheConfiguration cache, jenkins.model.IdStrategy userIdStrategy, jenkins.model.IdStrategy groupIdStrategy)`
LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String groupSearchBase, String groupSearchFilter, LDAPGroupMembershipStrategy groupMembershipStrategy, String managerDN, hudson.util.Secret managerPasswordSecret, boolean inhibitInferRootDN, boolean disableMailAddressResolver, LDAPSecurityRealm.CacheConfiguration cache, LDAPSecurityRealm.EnvironmentProperty[] environmentProperties, String displayNameAttributeName, String mailAddressAttributeName) Deprecated. retained for backwards binary compatibility.
LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String groupSearchBase, String groupSearchFilter, LDAPGroupMembershipStrategy groupMembershipStrategy, String managerDN, hudson.util.Secret managerPasswordSecret, boolean inhibitInferRootDN, boolean disableMailAddressResolver, LDAPSecurityRealm.CacheConfiguration cache, LDAPSecurityRealm.EnvironmentProperty[] environmentProperties, String displayNameAttributeName, String mailAddressAttributeName, jenkins.model.IdStrategy userIdStrategy, jenkins.model.IdStrategy groupIdStrategy) Deprecated. retained for backwards binary compatibility.
`LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String groupSearchBase, String managerDN, String managerPassword, boolean inhibitInferRootDN)` Deprecated. retained for backwards binary compatibility.
`LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String groupSearchBase, String managerDN, String managerPassword, boolean inhibitInferRootDN, boolean disableMailAddressResolver)` Deprecated. retained for backwards binary compatibility.
`LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String groupSearchBase, String managerDN, String managerPassword, boolean inhibitInferRootDN, boolean disableMailAddressResolver, LDAPSecurityRealm.CacheConfiguration cache)` Deprecated. retained for backwards binary compatibility.
`LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String groupSearchBase, String groupSearchFilter, String groupMembershipFilter, String managerDN, hudson.util.Secret managerPasswordSecret, boolean inhibitInferRootDN, boolean disableMailAddressResolver, LDAPSecurityRealm.CacheConfiguration cache, LDAPSecurityRealm.EnvironmentProperty[] environmentProperties, String displayNameAttributeName, String mailAddressAttributeName)` Deprecated. retained for backwards binary compatibility.
`LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String groupSearchBase, String groupSearchFilter, String groupMembershipFilter, String managerDN, String managerPassword, boolean inhibitInferRootDN, boolean disableMailAddressResolver, LDAPSecurityRealm.CacheConfiguration cache)` Deprecated. retained for backwards binary compatibility.
`LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String groupSearchBase, String groupSearchFilter, String groupMembershipFilter, String managerDN, String managerPassword, boolean inhibitInferRootDN, boolean disableMailAddressResolver, LDAPSecurityRealm.CacheConfiguration cache, LDAPSecurityRealm.EnvironmentProperty[] environmentProperties)` Deprecated. retained for backwards binary compatibility.
`LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String groupSearchBase, String groupSearchFilter, String groupMembershipFilter, String managerDN, String managerPassword, boolean inhibitInferRootDN, boolean disableMailAddressResolver, LDAPSecurityRealm.CacheConfiguration cache, LDAPSecurityRealm.EnvironmentProperty[] environmentProperties, String displayNameAttributeName, String mailAddressAttributeName)` Deprecated. retained for backwards binary compatibility.

Method Summary

All Methods Static Methods Instance Methods Concrete Methods Deprecated Methods
Modifier and Type	Method and Description
`protected org.acegisecurity.userdetails.UserDetails`	`authenticate(String username, String password)`
`hudson.security.SecurityRealm.SecurityComponents`	`createSecurityComponents()` Creates security components.
`LDAPSecurityRealm.CacheConfiguration`	`getCache()`
`Integer`	`getCacheSize()`
`Integer`	`getCacheTTL()`
`LDAPConfiguration`	`getConfigurationFor(org.acegisecurity.userdetails.ldap.LdapUserDetails d)`
`LDAPConfiguration`	`getConfigurationFor(String configurationId)`
`List<LDAPConfiguration>`	`getConfigurations()`
`LDAPSecurityRealm.DescriptorImpl`	`getDescriptor()`
`String`	`getDisplayNameAttributeName()` Deprecated.
`LDAPSecurityRealm.EnvironmentProperty[]`	`getEnvironmentProperties()` Deprecated.
`Map<String,String>`	`getExtraEnvVars()` Deprecated.
`jenkins.model.IdStrategy`	`getGroupIdStrategy()`
`String`	`getGroupMembershipFilter()` Deprecated.
`LDAPGroupMembershipStrategy`	`getGroupMembershipStrategy()` Deprecated.
`String`	`getGroupSearchFilter()` Deprecated.
`String`	`getLDAPURL()` Deprecated.
`String`	`getMailAddressAttributeName()` Deprecated.
`String`	`getManagerPassword()` Deprecated.
`hudson.util.Secret`	`getManagerPasswordSecret()` Deprecated.
`String`	`getServerUrl()` Deprecated.
`jenkins.model.IdStrategy`	`getUserIdStrategy()`
`boolean`	`hasMultiConfiguration()`
`boolean`	`isDisableRolePrefixing()`
`hudson.security.GroupDetails`	`loadGroupByGroupname(String groupname)`
`org.acegisecurity.userdetails.UserDetails`	`loadUserByUsername(String username)`
`void`	`setDisableRolePrefixing(boolean disableRolePrefixing)`
`static String`	`toProviderUrl(String serverUrl, String rootDN)`
`org.acegisecurity.Authentication`	`updateUserDetails(org.acegisecurity.Authentication authentication)`
`org.acegisecurity.userdetails.ldap.LdapUserDetails`	`updateUserDetails(org.acegisecurity.userdetails.ldap.LdapUserDetails d)`
`org.acegisecurity.userdetails.UserDetails`	`updateUserDetails(org.acegisecurity.userdetails.UserDetails userDetails)`

Methods inherited from class hudson.security.AbstractPasswordBasedSecurityRealm
createCliAuthenticator

Methods inherited from class hudson.security.SecurityRealm
all, allowsSignup, canLogOut, commenceSignup, createFilter, doCaptcha, doLogout, findBean, getAuthenticationGatewayUrl, getCaptchaSupport, getCaptchaSupportDescriptors, getLoginUrl, getPostLogOutUrl, getSecurityComponents, loadGroupByGroupname, setCaptchaSupport, validateCaptcha

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail
- server
```
@Deprecated
 @Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public transient String server
```
  Deprecated.
  
  LDAP server name(s) separated by spaces, optionally with TCP port number, like "ldap.acme.org" or "ldap.acme.org:389" and/or with protcol, like "ldap://ldap.acme.org".
- rootDN
```
@Deprecated
 @Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public transient String rootDN
```
  Deprecated.
  
  The root DN to connect to. Normally something like "dc=sun,dc=com" How do I infer this?
- inhibitInferRootDN
```
@Deprecated
 @Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public transient boolean inhibitInferRootDN
```
  Deprecated.
  
  Allow the rootDN to be inferred? Default is false. If true, allow rootDN to be blank.
- userSearchBase
```
@Deprecated
 @Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public transient String userSearchBase
```
  Deprecated.
  
  Specifies the relative DN from the root DN. This is used to narrow down the search space when doing user search. Something like "ou=people" but can be empty.
- userSearch
```
@Deprecated
 @Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public transient String userSearch
```
  Deprecated.
  
  Query to locate an entry that identifies the user, given the user name string. Normally "uid={0}"
  
  See Also:
  
  FilterBasedLdapUserSearch
- groupSearchBase
```
@Deprecated
 @Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public transient String groupSearchBase
```
  Deprecated.
  
  This defines the organizational unit that contains groups. Normally "" to indicate the full LDAP search, but can be often narrowed down to something like "ou=groups"
  
  See Also:
  
  FilterBasedLdapUserSearch
- groupSearchFilter
```
@Deprecated
 @Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public transient String groupSearchFilter
```
  Deprecated.
  
  Query to locate an entry that identifies the group, given the group name string. If non-null it will override the default specified by GROUP_SEARCH
  
  Since:
  
  1.5
- groupMembershipFilter
```
@Deprecated
 @Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public transient String groupMembershipFilter
```
  Deprecated. use groupMembershipStrategy
  
  Query to locate the group entries that a user belongs to, given the user object. {0} is the user's full DN while {1} is the username. If non-null it will override the default specified in LDAPBindSecurityRealm.groovy
  
  Since:
  
  1.5
- groupMembershipStrategy
```
@Deprecated
 @Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public transient LDAPGroupMembershipStrategy groupMembershipStrategy
```
  Deprecated.
  
  Since:
  
  2.0
- managerDN
```
@Deprecated
 @Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public transient String managerDN
```
  Deprecated.
  
  If non-null, we use this and managerPasswordSecret when binding to LDAP. This is necessary when LDAP doesn't support anonymous access.
- disableMailAddressResolver
```
public final boolean disableMailAddressResolver
```
  Since:
  
  1.2
- LOGGER
```
@Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public static final Logger LOGGER
```
- GROUP_SEARCH
```
public static final String GROUP_SEARCH
```
  LDAP filter to look for groups by their names. "{0}" is the group name as given by the user. See http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx for the syntax by example. WANTED: The specification of the syntax.