AttributeDelegater
Introduction and overview
The AttributeDelegater AuthState fetches data from any object in an LDAP directory.
Description
The following table and chapters describe the characteristics of the AuthState.
Topic | Description |
---|---|
Class | ch.nevis.esauth.auth.states.jndi.AttributeDelegater |
Logging | JNDI |
Auditing | none |
Marker | none |
Methods | authenticate |
Properties
connection1, ..., connection9, searchSizeLimit, userBaseDN, userFilter, loginidField
For a description of these properties, see UseridPasswordAuthenticateState - Description.
This AuthState connects to the LDAP server over the LDAP protocol. Such connections can be routed through a SOCKS proxy, as described in the chapter Configuring proxies.
baseDN
(DN, -) The directory subtree in which the queried object is located. This property is mandatory.
filter
(JNDI filter, -) Customizes the LDAP search filter used to select the object whose attributes are queried. Variables such as ${notes:...} can be substituted into the filter (see the example below). The property is optional.
prefix
(string, -) The configured string is prepended to the names of all attributes fetched from the directory. E.g., using dir. as prefix results in the LDAP attributes being named dir.cn, dir.uid, etc. Note that this may collide with the definitions in delegateMap.
delegateMap
(string, -) Whitespace-separated list of mappings from LDAP attributes to delegate names. The specified LDAP attributes are queried and set as output arguments with the given output argument name. If prefix is set, the map must be adapted accordingly, because the prefix is applied to the directory attribute names before the map is evaluated. All attributes can be delegated using the wildcard character "*"; the output argument name is then the attribute name in the directory (cn is mapped to cn).
Record | Example |
---|---|
<attribute-name-in-directory>:<output-argument-name> | cn:cn sn:sn givenName:givenName mail:email |
<attribute-name-in-directory>:<output-argument-name>:<transformation-regex> | dn:baseDN:^.?(ou=.*)$ |
* | cn * |
delegateMode
(enum {single, multiple, list}, single) Defines whether only the first delegate object is used or whether all results matching the configured filter are propagated:
single: consider only the first attribute value of the first result.
multiple: concatenate all values of attributes with the same name using delegateSeparator, and add a counter postfix for each result found.
list: same as "multiple", but only the first result is considered.
delegateEmptyFields
(boolean, "false") Defines whether attributes that are not set in the directory are delegated anyway.
delegateSeparator
(string, ",") If delegateMode is multiple (or list), this string overrides the default separator (a comma) used to join attribute values.
delegateSearchScope
(enum {subtree, onelevel, object}, subtree) Defines the search scope of the LDAP search for the delegation object. See the documentation of javax.naming.directory.SearchControls for more information.
propagationScope
(enum {outargs, notes, session, inctx, inargs, roles}, outargs) Defines the scope into which the delegated variables are written.
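The interplay of delegateMap, prefix, delegateMode, delegateSeparator and delegateEmptyFields is easiest to see on concrete search results. The following Python model is an added example, not code from nevisAuth; it parses the delegateMap syntax from the table above and applies it to constructed search results. Where the page leaves details open they are marked as assumptions in the comments: the transformation regex yields its first capture group (or the whole match) and drops non-matching values, the counter postfix in multiple mode is 1-based, and an unset attribute delegated with delegateEmptyFields=true becomes an empty string.

```python
import re

WILDCARD = "*"


def parse_delegate_map(spec):
    """Parse the delegateMap syntax: whitespace-separated records of the form
    <attr>:<output-name>[:<transformation-regex>] or the wildcard "*".
    Returns a list of (directory_attribute, output_name, regex_or_None)."""
    rules = []
    for token in spec.split():
        if token == WILDCARD:
            rules.append((WILDCARD, None, None))
            continue
        parts = token.split(":", 2)          # the regex may itself contain ':'
        attr = parts[0]
        out = parts[1] if len(parts) > 1 and parts[1] else attr  # assumption: bare name maps to itself
        regex = parts[2] if len(parts) > 2 else None
        rules.append((attr, out, regex))
    return rules


def transform(value, regex):
    """Apply a transformation regex. Assumption: the first capture group is the
    result, otherwise the whole match; values that do not match are dropped."""
    m = re.search(regex, value)
    if not m:
        return None
    return m.group(1) if m.groups() else m.group(0)


def delegate(entries, delegate_map, prefix="", mode="single",
             separator=",", empty_fields=False):
    """Model the output arguments produced for an ordered list of search results.
    entries: each result is a dict attribute -> list of values (LDAP attributes are
    multi-valued). Returns dict output-name -> string."""
    if mode not in ("single", "multiple", "list"):
        raise ValueError("unknown delegateMode: %s" % mode)
    rules = parse_delegate_map(delegate_map)
    # single and list only look at the first result; multiple takes them all
    considered = entries if mode == "multiple" else entries[:1]
    out = {}
    for idx, entry in enumerate(considered, 1):
        # the prefix is applied to directory names before the map is evaluated,
        # so with prefix "dir." only a record like "dir.cn:cn" matches
        prefixed = {prefix + name: values for name, values in entry.items()}
        for attr, out_name, regex in rules:
            if attr == WILDCARD:
                targets = [(name, name) for name in prefixed]   # cn -> cn
            else:
                targets = [(attr, out_name)]
            for src, dst in targets:
                values = prefixed.get(src, [])
                if regex:
                    values = [v for v in (transform(v, regex) for v in values) if v is not None]
                if not values:
                    if not empty_fields:
                        continue           # delegateEmptyFields=false: attribute is skipped
                    values = [""]          # assumption: delegated as empty string
                if mode == "single":
                    out[dst] = values[0]                      # first value of first result
                elif mode == "list":
                    out[dst] = separator.join(values)         # all values, first result only
                else:
                    # multiple: all values, one output per result with a counter postfix
                    # (assumption: 1-based counter; the page does not state the numbering)
                    out["%s%d" % (dst, idx)] = separator.join(values)
    return out


# Constructed sample search results, not real directory data.
RESULTS = [
    {"dn": ["ou=DEPARTMENT,ou=USERS,o=COMPANY"], "cn": ["R&D"],
     "mail": ["rd@example.com", "research@example.com"]},
    {"dn": ["ou=SALES,ou=USERS,o=COMPANY"], "cn": ["Sales"],
     "mail": ["sales@example.com"]},
]

if __name__ == "__main__":
    print(delegate(RESULTS, "cn:cn mail:email dn:baseDN:^.?(ou=.*)$"))
    print(delegate(RESULTS, "mail:email", mode="list"))
    print(delegate(RESULTS, "cn:cn", mode="multiple", separator=";"))
    print(delegate(RESULTS, "cn:cn", prefix="dir."))          # empty: map not adapted to prefix
    print(delegate(RESULTS, "*", prefix="dir."))
```

Running the model shows the collision the prefix paragraph warns about: with prefix "dir." the record cn:cn no longer matches anything, while dir.cn:cn or the wildcard does.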
Input
none
Transitions
notfound
Selected if the object was found, but none of the configured attributes are set in the directory.
ok
Selected if attributes were found and no error occurred.
default
Selected if an error occurred, e.g., if the object was not found.
Output
*: see delegateMap
Errors
lasterror=1
lasterrorinfo=invalid input
Notes
none
Example
<AuthState name="OuAttribGetter" class="ch.nevis.esauth.auth.states.jndi.AttributeDelegater" final="false">
    <ResultCond name="default" next="nextState"/>
    <Response value="AUTH_ERROR">
        <Gui name="OuAttribErrorDialog"/>
    </Response>
    <property name="connection1" value="ldap://192.168.9.207:389"/>
    <property name="baseDN" value="ou=DEPARTMENT,ou=USERS,o=COMPANY"/>
    <!-- the leading & of the filter must be written as &amp; inside an XML attribute -->
    <property name="filter" value="(&amp;(ou=${notes:department})(objectClass=group))"/>
    <property name="delegateMap" value="postalAddress:dptAddress"/>
</AuthState>
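The example filter is built by substituting ${notes:department} into a search filter. The page does not say whether substituted values are escaped, so the assumption here is that a value which originates from user input must be escaped before it reaches the filter, otherwise a value like *)(objectClass=* widens the search to every object. The following Python is an added example, not nevisAuth code: it applies RFC 4515 filter escaping to the department value and renders the resulting filter as the <property> element, with quoteattr taking care of the &amp; escaping the XML requires.

```python
from xml.sax.saxutils import quoteattr


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515):
    backslash, '*', '(', ')' and NUL are replaced by \\XX hex escapes."""
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_filter(department):
    """Filter equivalent to the page's (&(ou=${notes:department})(objectClass=group)),
    with the substituted value escaped so it can only ever match an ou value."""
    return "(&(ou=%s)(objectClass=group))" % escape_filter_value(department)


def filter_property_xml(ldap_filter):
    """Render the filter as the AuthState's <property> element. quoteattr turns
    '&' into '&amp;' (and '<', '>' and quotes into entities), keeping the XML well-formed."""
    return '<property name="filter" value=%s/>' % quoteattr(ldap_filter)


if __name__ == "__main__":
    # constructed inputs: a benign department name and an injection attempt
    for dept in ("DEPARTMENT", "*)(objectClass=*"):
        print(filter_property_xml(build_filter(dept)))
```

Without escaping, the second input would produce (&(ou=*)(objectClass=*)(objectClass=group)), which matches every group under baseDN; with escaping it becomes a literal ou value that matches nothing.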