Skip to main content
Version: 7.2405.x.x LTS

AttributeDelegater

Introduction and overview

The AttributeDelegater AuthState fetches data from any object in an LDAP directory.

Description

The following table and chapters describe the characteristics of the AuthState.

TopicDescription
Classch.nevis.esauth.auth.states.jndi.AttributeDelegater
LoggingJNDI
Auditingnone
Markernone
Methodsauthenticate

Properties

  • connection1, ..., connection9, searchSizeLimit, userBaseDN, userFilter, loginidField

    For a description of these properties, see UseridPasswordAuthenticateState - Description.

    This AuthState uses the LDAP protocol when it establishes a connection with an LDAP server. The AuthState is thus susceptible to SOCKS proxies, as described in the chapter Configuring proxies.

  • baseDN (DN, -)

    This property specifies the directory subtree where the queried object is located. This property is mandatory.

  • filter (JNDI filter, -)

    Specifying this property allows to customize the attribute filter used to query the user's profile attributes. The property is optional.

  • prefix (string, -)

    The string configured is used to prefix all attributes that are fetched from the directory. E.g., using dir. as a prefix results in LDAP attributes being named dir.cn, dir.uid, etc. This may collide with the definitions in the delegateMap.

  • delegateMap (string, -)

    The property defines a whitespace-separated list of mappings from LDAP attributes to delegate names. The specified LDAP attributes are queried and set as output arguments with the specified output argument name. If prefix is set, the map must be adapted accordingly because it is applied after prefixing the directory attributes. Delegation of all attributes is possible using the wildcard character "*". The output argument name will automatically be set to the attribute name in the directory. For example, cn will be mapped cn.

    "Record
    <attribute-name-in-directory>:<output-argument-name>
    <attribute-name-in-directory>:<output-argument-name>:<transformation-regex>
    *
    Example
    cn:cn sn:sn givenName:givenName mail:email dn:baseDN:^.?(ou=.*)$
    cn *
  • delegateMode (enum {single, multiple, list}, single)

    Defines if just the first delegate object should be used or if all results that match the delegateFilter are propagated:

    • single Consider only the first attribute of the first result.
    • multiple Concatenate all attributes with the same name using delegateSeparator and add a counter postfix for each result found.
    • list Same as "multiple", but only the first result is considered.
  • delegateEmptyFields (boolean, "false")

    Defines whether to delegate attributes that are not set in the LDAP.

  • delegateSeparator (string, ",")

    If delegateMode=multiple is set, this string allows to override the default attribute list separator (which is a comma).

  • delegateSearchScope (enum {subtree, onelevel, object}, subtree)

    Defines the search scope for the LDAP search of the delegation object. See the documentation of javax.naming.directory.SearchControls for more information.

  • propagationScope (enum {outargs, notes, session, inctx, inargs, roles}, outargs)

    Defines the scope of delegated variables.

Input

none

Transitions

  • notfound

    Selected if the object was found, but none of the configured attributes were found in the LDAP.

  • ok

    If attributes were found and no error happened.

  • default

    In case an error happened, e.g., if the object was not found.

Output

*: see delegateMap

Errors

  • lasterror=1

    lasterrorinfo=invalid input

Notes

none

Example

<AuthState name="OuAttribGetter" class="ch.nevis.esauth.auth.states.jndi.AttributeDelegater" final="false">
<ResultCond name="default" next="nextState"/>
<Response value="AUTH_ERROR" >
<Gui name="OuAttribErrorDialog"/>
</Response>
<property name="connection1" value="ldap://192.168.9.207:389"/>
<property name="baseDN" value="ou=DEPARTMENT,ou=USERS,o=COMPANY"/>
<property name="filter" value="(&(ou=${notes:department})(objectClass=group))"/>
<property name="delegateMap" value="postalAddress:dptAddress"/>
</AuthState>