Version: 4.25.x.x LTS

AttributeDelegater

Introduction and overview

The AttributeDelegater AuthState fetches data from any object in an LDAP directory.

Description

The following table describes the characteristics of the AuthState.

| Topic | Description |
|---|---|
| Class | ch.nevis.esauth.auth.states.jndi.AttributeDelegater |
| Logging | JNDI |
| Auditing | none |
| Properties | connection1, ..., connection9, searchSizeLimit, userBaseDN, userFilter, loginidField: for a description of these properties, see the table in UseridPasswordAuthenticateState. |
| | baseDN (DN, -): This property specifies the directory subtree where the queried object is located. This property is mandatory. |
| | filter (JNDI filter, -): Specifying this property allows you to customize the attribute filter used to query the user's profile attributes. The property is optional. |
| | prefix (string, -): The configured string is used to prefix all attributes that are fetched from the directory. E.g., using dir. as a prefix results in LDAP attributes being named dir.cn, dir.uid, etc. This may collide with the definitions in the delegateMap. |
| | delegateMap (string, -): The property defines a whitespace-separated list of mappings from LDAP attributes to delegate names. The specified LDAP attributes are queried and set as output arguments with the specified output argument name. If prefix is set, the map must be adapted accordingly, because it is applied after prefixing the directory attributes. Delegation of all attributes is possible using the wildcard character "*". The output argument name will then automatically be set to the attribute name in the directory. For example, cn will be mapped to cn. |

Record syntax

```text
<attribute-name-in-directory>:<output-argument-name>
<attribute-name-in-directory>:<output-argument-name>:<transformation-regex>
```

Example

```text
cn:cn sn:sn givenName:givenName mail:email dn:baseDN:^.?(ou=.*)$
cn *
```
| Topic | Description |
|---|---|
| Properties | delegateMode (enum {single, multiple, list}, single): Defines whether only the first delegate object is used or whether all results that match the delegateFilter are propagated. single: consider only the first attribute of the first result. multiple: concatenate all attributes with the same name using delegateSeparator and add a counter postfix for each result found. list: same as "multiple", but only the first result is considered. |
| | delegateEmptyFields (boolean, "false"): Defines whether to delegate attributes that are not set in the LDAP. |
| | delegateSeparator (string, ","): If delegateMode=multiple is set, this string overrides the default attribute list separator (a comma). |
| | delegateSearchScope (enum {subtree, onelevel, object}, subtree): Defines the search scope for the LDAP search of the delegation object. See the documentation of javax.naming.directory.SearchControls for more information. |
| | propagationScope (enum {outargs, notes, session, inctx, inargs, roles}, outargs): Defines the scope of the delegated variables. |
| Methods | authenticate |
| Input | - |
| Transitions | notfound: selected if the object was found, but none of the configured attributes were found in the LDAP. ok: attributes were found and no error happened. default: an error happened, e.g., the object was not found. |
| Output | see delegateMap in this table |
| Errors | 1: invalid input |
| Notes | - |
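The delegateMap record syntax and the delegateMode, prefix, delegateSeparator and delegateEmptyFields semantics described in the table above, carried through as an added worked example; this is illustrative Python written for this page, not nevisAuth's own code. It assumes that a transformation regex replaces a value with its first capture group (non-matching values pass through) and that the counter postfix in multiple mode is ".<n>", neither of which the page specifies; the LDAP results are constructed sample data.

```python
import re

# Constructed sample LDAP search results (not from the page): attribute -> list of values.
RESULTS = [
    {"cn": ["Alice Example"], "mail": ["alice@example.com", "alice.e@example.com"],
     "dn": ["cn=Alice Example,ou=DEPARTMENT,ou=USERS,o=COMPANY"]},
    {"cn": ["Bob Example"], "mail": ["bob@example.com"],
     "dn": ["cn=Bob Example,ou=DEPARTMENT,ou=USERS,o=COMPANY"]},
]


def parse_delegate_map(spec):
    """Split delegateMap into (attribute, output name, compiled regex or None) tuples.
    Records are whitespace-separated: attr:out, attr:out:regex, or the '*' wildcard."""
    records = []
    for rec in spec.split():
        if rec == "*":                # wildcard: output name = directory attribute name
            records.append(("*", None, None))
            continue
        parts = rec.split(":", 2)     # at most three parts, so the regex itself may contain ':'
        if len(parts) < 2 or not parts[0] or not parts[1]:
            raise ValueError("malformed delegateMap record: %r" % rec)
        records.append((parts[0], parts[1], re.compile(parts[2]) if len(parts) == 3 else None))
    return records


def delegate(results, delegate_map, mode="single", prefix="", separator=",", empty_fields=False):
    """Build the output arguments for delegateMode single / list / multiple.
    Assumptions (not stated on the page): a transformation regex replaces a value with its
    first capture group and non-matching values pass through; in 'multiple' mode the
    per-result counter postfix is '.<n>' with n starting at 1."""
    records = parse_delegate_map(delegate_map)
    selected = results if mode == "multiple" else results[:1]   # single/list: first result only
    out = {}
    for n, result in enumerate(selected, start=1):
        attrs = {prefix + k: v for k, v in result.items()}       # prefix is applied before mapping
        for attr, name, regex in records:
            targets = [(a, a, None) for a in attrs] if attr == "*" else [(attr, name, regex)]
            for a, out_name, rx in targets:
                values = attrs.get(a, [])
                if rx is not None:
                    values = [m.group(1) if (m := rx.match(v)) else v for v in values]
                if not values and not empty_fields:              # delegateEmptyFields=false
                    continue
                if mode == "single":
                    value = values[0] if values else ""          # first value of first result
                else:
                    value = separator.join(values)               # delegateSeparator
                out[out_name + (".%d" % n if mode == "multiple" else "")] = value
    return out
```

The constructed regex `^[^,]+,(ou=.*)$` in the checks strips the leading RDN from the dn, which is what a dn:baseDN:&lt;regex&gt; record is for.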

Example

```xml
<AuthState name="OuAttribGetter" class="ch.nevis.esauth.auth.states.jndi.AttributeDelegater" final="false">
    <ResultCond name="default" next="nextState"/>
    <Response value="AUTH_ERROR">
        <Gui name="OuAttribErrorDialog"/>
    </Response>
    <property name="connection1" value="ldap://192.168.9.207:389"/>
    <property name="baseDN" value="ou=DEPARTMENT,ou=USERS,o=COMPANY"/>
    <!-- the LDAP "&" must be written as &amp; inside an XML attribute value -->
    <property name="filter" value="(&amp;(ou=${notes:department})(objectClass=group))"/>
    <property name="delegateMap" value="postalAddress:dptAddress"/>
</AuthState>
```