Package com.atlassian.crowd.directory

Class DelegatedAuthenticationDirectory

java.lang.Object

com.atlassian.crowd.directory.AbstractForwardingDirectory

com.atlassian.crowd.directory.DelegatedAuthenticationDirectory

All Implemented Interfaces:

MultiValuesQueriesSupport, RemoteDirectory, Attributes

public class DelegatedAuthenticationDirectory
extends AbstractForwardingDirectory
implements RemoteDirectory, MultiValuesQueriesSupport

This implementation of a RemoteDirectory provides delegated authentication to an underlying remote LDAP implementation.

In essence this means that a User's groups and roles are managed internally to Crowd and only authentication is delegated to the LDAP directory.

Users, group and memberships exist in an internal directory and all query and mutation operations execute on the internal directory.

For a user to successfully authenticate, they must exist in LDAP and must authenticate against LDAP. Passwords are not stored internally.

If the ATTRIBUTE_CREATE_USER_ON_AUTH attribute is enabled, the delegated authentication directory will automatically create the user in the internal portion of this directory, once they successfully authenticate against LDAP. The initial user details, in this case, will be obtained from LDAP.

If the ATTRIBUTE_UPDATE_USER_ON_AUTH attribute is enabled, the delegated authentication directory will also update the user's details from LDAP automatically whenever they authenticate. The same behaviour will happen if the attribute is not enabled and the user is deleted internally and then re-authenticates.

If the create-on-auth option is not enabled, then users must always be manually created in this directory, before they can authenticate against LDAP. In this scenario, the user details will never be retrieved from LDAP. This is OSUser's default LDAP behaviour.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	ATTRIBUTE_CREATE_USER_ON_AUTH
static final String	ATTRIBUTE_KEY_IMPORT_GROUPS
static final String	ATTRIBUTE_LDAP_DIRECTORY_CLASS
static final String	ATTRIBUTE_UPDATE_USER_ON_AUTH

Constructor Summary

Constructors

Constructor	Description
DelegatedAuthenticationDirectory(RemoteDirectory ldapDirectory, InternalRemoteDirectory internalDirectory, com.atlassian.event.api.EventPublisher eventPublisher, DirectoryDao directoryDao)

Method Summary

Modifier and Type	Method	Description
Group	addGroup(GroupTemplate group)
User	addOrUpdateLdapUser(String name)	Copies or updates a user in the internal directory from their counterpart in the LDAP directory.
User	authenticate(String name, PasswordCredential credential)	In addition to the normal authentication behaviour, following a successful authentication the following may occur: If the user does not exist in the internal directory and ATTRIBUTE_CREATE_USER_ON_AUTH is enabled, the user's details will be added to the internal directory. If the user exists in the internal directory and ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled, the user's details will be updated in the internal directory. If the user exists in the internal directory and ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled and the username was changed in remote directory, the user's name will be updated in the internal directory. A user marked as inactive locally will not be authenticated, retrieved, renamed or updated from the LDAP server.
RemoteDirectory	getAuthoritativeDirectory()
protected InternalRemoteDirectory	getDelegate()
String	getDescriptiveName()
boolean	isRolesDisabled()
<T> Map<String,List<T>>	searchGroupRelationshipsGroupedByName(MembershipQuery<T> query)
void	setAttributes(Map<String,String> attributes)
void	setDirectoryId(long directoryId)
boolean	supportsNestedGroups()
boolean	supportsPasswordExpiration()
boolean	supportsSettingEncryptedCredential()	Delegated authentication directories don't support setting non-hashed credentials, let alone hashed credentials.
void	testConnection()
void	updateUserCredential(String username, PasswordCredential credential)
User	updateUserFromRemoteDirectory(User ldapUser)
User	userAuthenticated(String username)

Methods inherited from class com.atlassian.crowd.directory.AbstractForwardingDirectory

addGroupToGroup, addUser, addUser, addUserToGroup, countDirectMembersOfGroup, expireAllPasswords, findGroupByName, findGroupWithAttributesByName, findUserByExternalId, findUserByName, findUserWithAttributesByName, getDirectoryId, getKeys, getMemberships, getUserAvatarByName, getValue, getValues, isEmpty, isGroupDirectGroupMember, isUserDirectGroupMember, removeGroup, removeGroupAttributes, removeGroupFromGroup, removeUser, removeUserAttributes, removeUserFromGroup, renameGroup, renameUser, searchGroupRelationships, searchGroups, searchUsers, storeGroupAttributes, storeUserAttributes, supportsInactiveAccounts, updateGroup, updateUser

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.atlassian.crowd.embedded.api.Attributes

getKeys, getValue, getValues, isEmpty

Methods inherited from interface com.atlassian.crowd.directory.MultiValuesQueriesSupport

searchGroupRelationships

Methods inherited from interface com.atlassian.crowd.directory.RemoteDirectory

addGroupToGroup, addUser, addUser, addUserToGroup, countDirectMembersOfGroup, expireAllPasswords, findGroupByName, findGroupWithAttributesByName, findUserByExternalId, findUserByName, findUserWithAttributesByName, getDirectoryId, getLocallyFilteredGroupNames, getMemberships, getUserAvatarByName, isGroupDirectGroupMember, isUserDirectGroupMember, removeGroup, removeGroupAttributes, removeGroupFromGroup, removeUser, removeUserAttributes, removeUserFromGroup, renameGroup, renameUser, searchGroupRelationships, searchGroups, searchUsers, storeGroupAttributes, storeUserAttributes, supportsInactiveAccounts, updateGroup, updateUser

Field Details

ATTRIBUTE_CREATE_USER_ON_AUTH

public static final String ATTRIBUTE_CREATE_USER_ON_AUTH

See Also:

• Constant Field Values

ATTRIBUTE_UPDATE_USER_ON_AUTH

public static final String ATTRIBUTE_UPDATE_USER_ON_AUTH

See Also:

• Constant Field Values

ATTRIBUTE_LDAP_DIRECTORY_CLASS

public static final String ATTRIBUTE_LDAP_DIRECTORY_CLASS

See Also:

• Constant Field Values

ATTRIBUTE_KEY_IMPORT_GROUPS

public static final String ATTRIBUTE_KEY_IMPORT_GROUPS

See Also:

• Constant Field Values

Constructor Details

DelegatedAuthenticationDirectory

public DelegatedAuthenticationDirectory(RemoteDirectory ldapDirectory,
 InternalRemoteDirectory internalDirectory,
 com.atlassian.event.api.EventPublisher eventPublisher,
 DirectoryDao directoryDao)

Method Details

setDirectoryId

public void setDirectoryId(long directoryId)

Specified by:

setDirectoryId in interface RemoteDirectory

Overrides:

setDirectoryId in class AbstractForwardingDirectory

getDescriptiveName

public String getDescriptiveName()

Specified by:

getDescriptiveName in interface RemoteDirectory

Overrides:

getDescriptiveName in class AbstractForwardingDirectory

setAttributes

public void setAttributes(Map<String,String> attributes)

Specified by:

setAttributes in interface RemoteDirectory

Overrides:

setAttributes in class AbstractForwardingDirectory

authenticate

public User authenticate(String name,
 PasswordCredential credential)
                  throws UserNotFoundException,
InactiveAccountException,
InvalidAuthenticationException,
ExpiredCredentialException,
OperationFailedException

In addition to the normal authentication behaviour, following a successful authentication the following may occur:

• If the user does not exist in the internal directory and ATTRIBUTE_CREATE_USER_ON_AUTH is enabled, the user's details will be added to the internal directory.
• If the user exists in the internal directory and ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled, the user's details will be updated in the internal directory.
• If the user exists in the internal directory and ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled and the username was changed in remote directory, the user's name will be updated in the internal directory.

A user marked as inactive locally will not be authenticated, retrieved, renamed or updated from the LDAP server.

Specified by:

authenticate in interface RemoteDirectory

Overrides:

authenticate in class AbstractForwardingDirectory

Throws:

OperationFailedException - when user rename is not possible

UserNotFoundException

InactiveAccountException

InvalidAuthenticationException

ExpiredCredentialException

See Also:

• RemoteDirectory.authenticate(String, PasswordCredential)

userAuthenticated

public User userAuthenticated(String username)
                       throws OperationFailedException,
UserNotFoundException,
InactiveAccountException

Specified by:

userAuthenticated in interface RemoteDirectory

Throws:

OperationFailedException

UserNotFoundException

InactiveAccountException

updateUserFromRemoteDirectory

public User updateUserFromRemoteDirectory(@Nonnull
 User ldapUser)
                                   throws OperationFailedException,
UserNotFoundException

Specified by:

updateUserFromRemoteDirectory in interface RemoteDirectory

Overrides:

updateUserFromRemoteDirectory in class AbstractForwardingDirectory

Throws:

OperationFailedException

UserNotFoundException

addOrUpdateLdapUser

public User addOrUpdateLdapUser(String name)
                         throws UserNotFoundException,
OperationFailedException

Copies or updates a user in the internal directory from their counterpart in the LDAP directory. Used by custom authenticators to ensure users exist when external authentication mechanisms just provide us with just a username.

Parameters:

name - the username of the user to copy

Returns:

the newly updated internal user

Throws:

UserNotFoundException - if no user with the given username exists in LDAP

OperationFailedException - if there was a problem communicating with the LDAP server or the user could not be cloned to the internal directory

updateUserCredential

public void updateUserCredential(String username,
 PasswordCredential credential)
                          throws UserNotFoundException,
InvalidCredentialException,
OperationFailedException

Specified by:

updateUserCredential in interface RemoteDirectory

Overrides:

updateUserCredential in class AbstractForwardingDirectory

Throws:

UserNotFoundException

InvalidCredentialException

OperationFailedException

addGroup

public Group addGroup(GroupTemplate group)
               throws InvalidGroupException,
OperationFailedException

Specified by:

addGroup in interface RemoteDirectory

Overrides:

addGroup in class AbstractForwardingDirectory

Throws:

InvalidGroupException

OperationFailedException

testConnection

public void testConnection()
                    throws OperationFailedException

Specified by:

testConnection in interface RemoteDirectory

Overrides:

testConnection in class AbstractForwardingDirectory

Throws:

OperationFailedException

supportsNestedGroups

public boolean supportsNestedGroups()

Specified by:

supportsNestedGroups in interface RemoteDirectory

Overrides:

supportsNestedGroups in class AbstractForwardingDirectory

supportsPasswordExpiration

public boolean supportsPasswordExpiration()

Specified by:

supportsPasswordExpiration in interface RemoteDirectory

Overrides:

supportsPasswordExpiration in class AbstractForwardingDirectory

supportsSettingEncryptedCredential

public boolean supportsSettingEncryptedCredential()

Delegated authentication directories don't support setting non-hashed credentials, let alone hashed credentials.

Specified by:

supportsSettingEncryptedCredential in interface RemoteDirectory

Overrides:

supportsSettingEncryptedCredential in class AbstractForwardingDirectory

Returns:

false, always.

isRolesDisabled

public boolean isRolesDisabled()

Specified by:

isRolesDisabled in interface RemoteDirectory

Overrides:

isRolesDisabled in class AbstractForwardingDirectory

getAuthoritativeDirectory

public RemoteDirectory getAuthoritativeDirectory()

Specified by:

getAuthoritativeDirectory in interface RemoteDirectory

Overrides:

getAuthoritativeDirectory in class AbstractForwardingDirectory

getDelegate

protected InternalRemoteDirectory getDelegate()

Specified by:

getDelegate in class AbstractForwardingDirectory

Returns:

the directory to delegate method calls to

searchGroupRelationshipsGroupedByName

public <T> Map<String,List<T>> searchGroupRelationshipsGroupedByName(MembershipQuery<T> query)

Specified by:

searchGroupRelationshipsGroupedByName in interface MultiValuesQueriesSupport