Package org.forgerock.opendj.ldap.requests

Interface DigestMD5SASLBindRequest

All Superinterfaces:
BindRequest, Request, SASLBindRequest
public interface DigestMD5SASLBindRequest extends SASLBindRequest
The DIGEST-MD5 SASL bind request as defined in RFC 2831. This SASL mechanism allows a client to perform a challenge-response authentication method, similar to HTTP Digest Access Authentication. This mechanism can be used to negotiate integrity and/or privacy protection for the underlying connection.

Compared to CRAM-MD5, DIGEST-MD5 prevents chosen plain-text attacks, and permits the use of third party authentication servers, mutual authentication, and optimized re-authentication if a client has recently authenticated to a server.

The authentication and optional authorization identity is specified using an authorization ID, or authzId, as defined in RFC 4513 section 5.2.1.8.

See Also:

  • Field Details

    • CIPHER_3DES

      static final String CIPHER_3DES
      Indicates that the client will accept connection encryption using the high strength triple-DES cipher.
      See Also:

    • CIPHER_DES

      static final String CIPHER_DES
      Indicates that the client will accept connection encryption using the medium strength DES cipher.
      See Also:

    • CIPHER_HIGH

      static final String CIPHER_HIGH
      Indicates that the client will accept connection encryption using the strongest supported cipher, as long as the cipher is considered to be high strength.
      See Also:

    • CIPHER_LOW

      static final String CIPHER_LOW
      Indicates that the client will accept connection encryption using the strongest supported cipher, even if the strongest cipher is considered to be medium or low strength.
      See Also:

    • CIPHER_MEDIUM

      static final String CIPHER_MEDIUM
      Indicates that the client will accept connection encryption using the strongest supported cipher, as long as the cipher is considered to be high or medium strength.
      See Also:

    • CIPHER_RC4_128

      static final String CIPHER_RC4_128
      Indicates that the client will accept connection encryption using the high strength 128-bit RC4 cipher.
      See Also:

    • CIPHER_RC4_40

      static final String CIPHER_RC4_40
      Indicates that the client will accept connection encryption using the low strength 40-bit RC4 cipher.
      See Also:

    • CIPHER_RC4_56

      static final String CIPHER_RC4_56
      Indicates that the client will accept connection encryption using the medium strength 56-bit RC4 cipher.
      See Also:

    • QOP_AUTH

      static final String QOP_AUTH
      Indicates that the client will accept authentication only. More specifically, the underlying connection will not be protected using integrity protection or encryption, unless previously established using SSL/TLS. This is the default if no QOP option is present in the bind request.
      See Also:

    • QOP_AUTH_CONF

      static final String QOP_AUTH_CONF
      Indicates that the client will accept authentication with connection integrity protection and encryption.
      See Also:

    • QOP_AUTH_INT

      static final String QOP_AUTH_INT
      Indicates that the client will accept authentication with connection integrity protection. More specifically, the underlying connection will not be encrypted, unless previously established using SSL/TLS.
      See Also:

    • SASL_MECHANISM_NAME

      static final String SASL_MECHANISM_NAME
      The name of the SASL mechanism based on DIGEST-MD5 authentication.
      See Also:

  • Method Details

    • addAdditionalAuthParam

      DigestMD5SASLBindRequest addAdditionalAuthParam(String name, String value)
      Adds the provided additional authentication parameter to the list of parameters to be passed to the underlying mechanism implementation. This method is provided in order to allow for future extensions.
      Parameters:
      name - The name of the additional authentication parameter.
      value - The value of the additional authentication parameter.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit additional authentication parameters to be added.
      NullPointerException - If name or value was null.

    • addControl

      DigestMD5SASLBindRequest addControl(Control control)
      Description copied from interface: Request
      Adds the provided control to this request.
      Specified by:
      addControl in interface BindRequest
      Specified by:
      addControl in interface Request
      Specified by:
      addControl in interface SASLBindRequest
      Parameters:
      control - The control to be added to this request.
      Returns:
      This request.

    • addQOP

      DigestMD5SASLBindRequest addQOP(String... qopValues)
      Adds the provided quality of protection (QOP) values to the ordered list of QOP values that the client is willing to accept. The order of the list specifies the preference order, high to low. Authentication will fail if no QOP values are recognized or accepted by the server.

      By default the client will accept AUTH.

      Parameters:
      qopValues - The quality of protection values that the client is willing to accept.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit QOP values to be added.
      NullPointerException - If qopValues was null.
      See Also:

    • createBindClient

      BindClient createBindClient(String serverName) throws LdapException
      Description copied from interface: BindRequest
      Creates a new bind client which can be used to perform the authentication process. This method is called by protocol implementations and is not intended for use by applications.
      Specified by:
      createBindClient in interface BindRequest
      Specified by:
      createBindClient in interface SASLBindRequest
      Parameters:
      serverName - The non-null fully-qualified host name of the server to authenticate to.
      Returns:
      The new bind client.
      Throws:
      LdapException - If an error occurred while creating the bind client context.

    • getAdditionalAuthParams

      Map<String,String> getAdditionalAuthParams()
      Returns a map containing the provided additional authentication parameters to be passed to the underlying mechanism implementation. This method is provided in order to allow for future extensions.
      Returns:
      A map containing the provided additional authentication parameters to be passed to the underlying mechanism implementation.

    • getAuthenticationID

      String getAuthenticationID()
      Returns the authentication ID of the user. The authentication ID usually has the form "dn:" immediately followed by the distinguished name of the user, or "u:" followed by a user ID string, but other forms are permitted.
      Returns:
      The authentication ID of the user.

    • getAuthenticationType

      byte getAuthenticationType()
      Returns the authentication mechanism identifier for this SASL bind request as defined by the LDAP protocol, which is always 0xA3.
      Specified by:
      getAuthenticationType in interface BindRequest
      Specified by:
      getAuthenticationType in interface SASLBindRequest
      Returns:
      The authentication mechanism identifier.

    • getAuthorizationID

      String getAuthorizationID()
      Returns the optional authorization ID of the user which represents an alternate authorization identity which should be used for subsequent operations performed on the connection. The authorization ID usually has the form "dn:" immediately followed by the distinguished name of the user, or "u:" followed by a user ID string, but other forms are permitted.
      Returns:
      The authorization ID of the user, which may be null.

    • getCipher

      String getCipher()
      Returns the cipher name or strength that the client is willing to use when connection encryption quality of protection, AUTH-CONF, is requested.

      By default the client will accept connection encryption using the strongest supported cipher, even if the strongest cipher is considered to be medium or low strength. This is equivalent to CIPHER_LOW.

      Returns:
      The cipher that the client is willing to use if connection encryption QOP is negotiated. May be null, indicating that the default cipher should be used.

    • getControl

      <C extends Control> C getControl(ControlDecoder<C> decoder, DecodeOptions options) throws DecodeException
      Description copied from interface: Request
      Decodes and returns the first control in this request having an OID corresponding to the provided control decoder.
      Specified by:
      getControl in interface BindRequest
      Specified by:
      getControl in interface Request
      Specified by:
      getControl in interface SASLBindRequest
      Type Parameters:
      C - The type of control to be decoded and returned.
      Parameters:
      decoder - The control decoder.
      options - The set of decode options which should be used when decoding the control.
      Returns:
      The decoded control, or null if the control is not included with this request.
      Throws:
      DecodeException - If the control could not be decoded because it was malformed in some way (e.g. the control value was missing, or its content could not be decoded).

    • getControls

      List<Control> getControls()
      Description copied from interface: Request
      Returns a List containing the controls included with this request. The returned List may be modified if permitted by this request.
      Specified by:
      getControls in interface BindRequest
      Specified by:
      getControls in interface Request
      Specified by:
      getControls in interface SASLBindRequest
      Returns:
      A List containing the controls.

    • getMaxReceiveBufferSize

      int getMaxReceiveBufferSize()
      Returns the maximum size of the receive buffer in bytes. The actual maximum number of bytes will be the minimum of this number and the peer's maximum send buffer size. The default size is 65536.
      Returns:
      The maximum size of the receive buffer in bytes.

    • getMaxSendBufferSize

      int getMaxSendBufferSize()
      Returns the maximum size of the send buffer in bytes. The actual maximum number of bytes will be the minimum of this number and the peer's maximum receive buffer size. The default size is 65536.
      Returns:
      The maximum size of the send buffer in bytes.

    • getName

      String getName()
      Returns the name of the Directory object that the client wishes to bind as, which is always the empty string for SASL authentication.
      Specified by:
      getName in interface BindRequest
      Specified by:
      getName in interface SASLBindRequest
      Returns:
      The name of the Directory object that the client wishes to bind as.

    • getPassword

      byte[] getPassword()
      Returns the password of the user that the client wishes to bind as.

      Unless otherwise indicated, implementations will store a reference to the returned password byte array, allowing applications to overwrite the password after it has been used.

      Returns:
      The password of the user that the client wishes to bind as.

    • getQOPs

      List<String> getQOPs()
      Returns the ordered list of quality of protection (QOP) values that the client is willing to accept. The order of the list specifies the preference order, high to low. Authentication will fail if no QOP values are recognized or accepted by the server.

      By default the client will accept AUTH.

      Returns:
      The list of quality of protection values that the client is willing to accept. The returned list may be empty indicating that the default QOP will be accepted.

    • getRealm

      String getRealm()
      Returns the optional realm containing the user's account.
      Returns:
      The name of the realm containing the user's account, which may be null.

    • getSASLMechanism

      String getSASLMechanism()
      Description copied from interface: SASLBindRequest
      Returns the SASL mechanism for this SASL bind request.
      Specified by:
      getSASLMechanism in interface SASLBindRequest
      Returns:
      The SASL mechanism for this bind request.

    • isServerAuth

      boolean isServerAuth()
      Returns true if the server must authenticate to the client. The default is false.
      Returns:
      true if the server must authenticate to the client.

    • setAuthenticationID

      DigestMD5SASLBindRequest setAuthenticationID(String authenticationID)
      Sets the authentication ID of the user. The authentication ID usually has the form "dn:" immediately followed by the distinguished name of the user, or "u:" followed by a user ID string, but other forms are permitted.
      Parameters:
      authenticationID - The authentication ID of the user.
      Returns:
      This bind request.
      Throws:
      org.forgerock.i18n.LocalizedIllegalArgumentException - If authenticationID was non-empty and did not contain a valid authorization ID type.
      UnsupportedOperationException - If this bind request does not permit the authentication ID to be set.
      NullPointerException - If authenticationID was null.

    • setAuthorizationID

      DigestMD5SASLBindRequest setAuthorizationID(String authorizationID)
      Sets the optional authorization ID of the user which represents an alternate authorization identity which should be used for subsequent operations performed on the connection. The authorization ID usually has the form "dn:" immediately followed by the distinguished name of the user, or "u:" followed by a user ID string, but other forms are permitted.
      Parameters:
      authorizationID - The authorization ID of the user, which may be null.
      Returns:
      This bind request.
      Throws:
      org.forgerock.i18n.LocalizedIllegalArgumentException - If authorizationID was non-empty and did not contain a valid authorization ID type.
      UnsupportedOperationException - If this bind request does not permit the authorization ID to be set.

    • setCipher

      DigestMD5SASLBindRequest setCipher(String cipher)
      Sets the cipher name or strength that the client is willing to use when connection encryption quality of protection, AUTH-CONF, is requested.

      By default the client will accept connection encryption using the strongest supported cipher, even if the strongest cipher is considered to be medium or low strength. This is equivalent to CIPHER_LOW.

      Parameters:
      cipher - The cipher that the client is willing to use if connection encryption QOP is negotiated. May be null, indicating that the default cipher should be used.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the cipher name or strength to be set.
      See Also:

    • setMaxReceiveBufferSize

      DigestMD5SASLBindRequest setMaxReceiveBufferSize(int size)
      Sets the maximum size of the receive buffer in bytes. The actual maximum number of bytes will be the minimum of this number and the peer's maximum send buffer size. The default size is 65536.
      Parameters:
      size - The maximum size of the receive buffer in bytes.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the buffer size to be set.

    • setMaxSendBufferSize

      DigestMD5SASLBindRequest setMaxSendBufferSize(int size)
      Sets the maximum size of the send buffer in bytes. The actual maximum number of bytes will be the minimum of this number and the peer's maximum receive buffer size. The default size is 65536.
      Parameters:
      size - The maximum size of the send buffer in bytes.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the buffer size to be set.

    • setPassword

      DigestMD5SASLBindRequest setPassword(byte[] password)
      Sets the password of the user that the client wishes to bind as.

      Unless otherwise indicated, implementations will store a reference to the provided password byte array, allowing applications to overwrite the password after it has been used.

      Parameters:
      password - The password of the user that the client wishes to bind as, which may be empty.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the password to be set.
      NullPointerException - If password was null.

    • setPassword

      DigestMD5SASLBindRequest setPassword(char[] password)
      Sets the password of the user that the client wishes to bind as. The password will be converted to a UTF-8 octet string.
      Parameters:
      password - The password of the user that the client wishes to bind as.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the password to be set.
      NullPointerException - If password was null.

    • setRealm

      DigestMD5SASLBindRequest setRealm(String realm)
      Sets the optional realm containing the user's account.
      Parameters:
      realm - The name of the realm containing the user's account, which may be null.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the realm to be set.
      NullPointerException - If realm was null.

    • setServerAuth

      DigestMD5SASLBindRequest setServerAuth(boolean serverAuth)
      Specifies whether the server must authenticate to the client. The default is false.
      Parameters:
      serverAuth - true if the server must authenticate to the client or false otherwise.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit server auth to be set.