Package org.forgerock.opendj.ldap.requests

Interface GSSAPISASLBindRequest

All Superinterfaces:
BindRequest, Request, SASLBindRequest
public interface GSSAPISASLBindRequest extends SASLBindRequest
The GSSAPI SASL bind request as defined in RFC 2831. This SASL mechanism allows a client to use the Generic Security Service Application Program Interface (GSS-API) Kerberos V5 to authenticate to the server. This mechanism can be used to negotiate integrity and/or privacy protection for the underlying connection.

The optional authorization identity is specified using an authorization ID, or authzId, as defined in RFC 4513 section 5.2.1.8.

See Also:

  • Field Details

    • QOP_AUTH

      static final String QOP_AUTH
      Indicates that the client will accept authentication only. More specifically, the underlying connection will not be protected using integrity protection or encryption, unless previously established using SSL/TLS. This is the default if no QOP option is present in the bind request.
      See Also:

    • QOP_AUTH_CONF

      static final String QOP_AUTH_CONF
      Indicates that the client will accept authentication with connection integrity protection and encryption.
      See Also:

    • QOP_AUTH_INT

      static final String QOP_AUTH_INT
      Indicates that the client will accept authentication with connection integrity protection. More specifically, the underlying connection will not be encrypted, unless previously established using SSL/TLS.
      See Also:

    • SASL_MECHANISM_NAME

      static final String SASL_MECHANISM_NAME
      The name of the SASL mechanism based on GSS-API authentication.
      See Also:

  • Method Details

    • addAdditionalAuthParam

      GSSAPISASLBindRequest addAdditionalAuthParam(String name, String value)
      Adds the provided additional authentication parameter to the list of parameters to be passed to the underlying mechanism implementation. This method is provided in order to allow for future extensions.
      Parameters:
      name - The name of the additional authentication parameter.
      value - The value of the additional authentication parameter.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit additional authentication parameters to be added.
      NullPointerException - If name or value was null.

    • addControl

      GSSAPISASLBindRequest addControl(Control control)
      Description copied from interface: Request
      Adds the provided control to this request.
      Specified by:
      addControl in interface BindRequest
      Specified by:
      addControl in interface Request
      Specified by:
      addControl in interface SASLBindRequest
      Parameters:
      control - The control to be added to this request.
      Returns:
      This request.

    • addQOP

      GSSAPISASLBindRequest addQOP(String... qopValues)
      Adds the provided quality of protection (QOP) values to the ordered list of QOP values that the client is willing to accept. The order of the list specifies the preference order, high to low. Authentication will fail if no QOP values are recognized or accepted by the server.

      By default the client will accept AUTH.

      Parameters:
      qopValues - The quality of protection values that the client is willing to accept.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit QOP values to be added.
      NullPointerException - If qopValues was null.
      See Also:

    • createBindClient

      BindClient createBindClient(String serverName) throws LdapException
      Description copied from interface: BindRequest
      Creates a new bind client which can be used to perform the authentication process. This method is called by protocol implementations and is not intended for use by applications.
      Specified by:
      createBindClient in interface BindRequest
      Specified by:
      createBindClient in interface SASLBindRequest
      Parameters:
      serverName - The non-null fully-qualified host name of the server to authenticate to.
      Returns:
      The new bind client.
      Throws:
      LdapException - If an error occurred while creating the bind client context.

    • getAdditionalAuthParams

      Map<String,String> getAdditionalAuthParams()
      Returns a map containing the provided additional authentication parameters to be passed to the underlying mechanism implementation. This method is provided in order to allow for future extensions.
      Returns:
      A map containing the provided additional authentication parameters to be passed to the underlying mechanism implementation.

    • getAuthenticationID

      String getAuthenticationID()
      Returns the authentication ID of the user, which should be the user's Kerberos principal. The authentication ID usually has the form "dn:" immediately followed by the distinguished name of the user, or "u:" followed by a user ID string, but other forms are permitted.

      NOTE: this will not be used if a Subject is specified.

      Returns:
      The authentication ID of the user.

    • getAuthenticationType

      byte getAuthenticationType()
      Returns the authentication mechanism identifier for this SASL bind request as defined by the LDAP protocol, which is always 0xA3.
      Specified by:
      getAuthenticationType in interface BindRequest
      Specified by:
      getAuthenticationType in interface SASLBindRequest
      Returns:
      The authentication mechanism identifier.

    • getAuthorizationID

      String getAuthorizationID()
      Returns the optional authorization ID of the user which represents an alternate authorization identity which should be used for subsequent operations performed on the connection. The authorization ID usually has the form "dn:" immediately followed by the distinguished name of the user, or "u:" followed by a user ID string, but other forms are permitted.
      Returns:
      The authorization ID of the user, which may be null.

    • getControl

      <C extends Control> C getControl(ControlDecoder<C> decoder, DecodeOptions options) throws DecodeException
      Description copied from interface: Request
      Decodes and returns the first control in this request having an OID corresponding to the provided control decoder.
      Specified by:
      getControl in interface BindRequest
      Specified by:
      getControl in interface Request
      Specified by:
      getControl in interface SASLBindRequest
      Type Parameters:
      C - The type of control to be decoded and returned.
      Parameters:
      decoder - The control decoder.
      options - The set of decode options which should be used when decoding the control.
      Returns:
      The decoded control, or null if the control is not included with this request.
      Throws:
      DecodeException - If the control could not be decoded because it was malformed in some way (e.g. the control value was missing, or its content could not be decoded).

    • getControls

      List<Control> getControls()
      Description copied from interface: Request
      Returns a List containing the controls included with this request. The returned List may be modified if permitted by this request.
      Specified by:
      getControls in interface BindRequest
      Specified by:
      getControls in interface Request
      Specified by:
      getControls in interface SASLBindRequest
      Returns:
      A List containing the controls.

    • getKDCAddress

      String getKDCAddress()
      Returns the optional address of the Kerberos KDC (Key Distribution Center).

      NOTE: this will not be used if a Subject is specified.

      Returns:
      The address of the Kerberos KDC (Key Distribution Center), which may be null.

    • getMaxReceiveBufferSize

      int getMaxReceiveBufferSize()
      Returns the maximum size of the receive buffer in bytes. The actual maximum number of bytes will be the minimum of this number and the peer's maximum send buffer size. The default size is 65536.
      Returns:
      The maximum size of the receive buffer in bytes.

    • getMaxSendBufferSize

      int getMaxSendBufferSize()
      Returns the maximum size of the send buffer in bytes. The actual maximum number of bytes will be the minimum of this number and the peer's maximum receive buffer size. The default size is 65536.
      Returns:
      The maximum size of the send buffer in bytes.

    • getName

      String getName()
      Returns the name of the Directory object that the client wishes to bind as, which is always the empty string for SASL authentication.
      Specified by:
      getName in interface BindRequest
      Specified by:
      getName in interface SASLBindRequest
      Returns:
      The name of the Directory object that the client wishes to bind as.

    • getPassword

      byte[] getPassword()
      Returns the password of the user that the client wishes to bind as.

      Unless otherwise indicated, implementations will store a reference to the returned password byte array, allowing applications to overwrite the password after it has been used.

      NOTE: this will not be used if a Subject is specified.

      Returns:
      The password of the user that the client wishes to bind as.

    • getQOPs

      List<String> getQOPs()
      Returns the ordered list of quality of protection (QOP) values that the client is willing to accept. The order of the list specifies the preference order, high to low. Authentication will fail if no QOP values are recognized or accepted by the server.

      By default the client will accept AUTH.

      Returns:
      The list of quality of protection values that the client is willing to accept. The returned list may be empty indicating that the default QOP will be accepted.

    • getRealm

      String getRealm()
      Returns the optional realm containing the user's account.

      NOTE: this will not be used if a Subject is specified.

      Returns:
      The name of the realm containing the user's account, which may be null.

    • getSASLMechanism

      String getSASLMechanism()
      Description copied from interface: SASLBindRequest
      Returns the SASL mechanism for this SASL bind request.
      Specified by:
      getSASLMechanism in interface SASLBindRequest
      Returns:
      The SASL mechanism for this bind request.

    • getSubject

      Subject getSubject()
      Returns the Kerberos subject of the user to be authenticated.

      NOTE: if a Subject is specified then the authentication ID, KDC address, password, and realm, will be ignored.

      Returns:
      The Kerberos subject of the user to be authenticated.

    • isServerAuth

      boolean isServerAuth()
      Returns true if the server must authenticate to the client. The default is false.
      Returns:
      true if the server must authenticate to the client.

    • setAuthenticationID

      GSSAPISASLBindRequest setAuthenticationID(String authenticationID)
      Sets the authentication ID of the user, which should be the user's Kerberos principal. The authentication ID usually has the form "dn:" immediately followed by the distinguished name of the user, or "u:" followed by a user ID string, but other forms are permitted.

      NOTE: this will not be used if a Subject is specified.

      Parameters:
      authenticationID - The authentication ID of the user.
      Returns:
      This bind request.
      Throws:
      org.forgerock.i18n.LocalizedIllegalArgumentException - If authenticationID was non-empty and did not contain a valid authorization ID type.
      NullPointerException - If authenticationID was null.

    • setAuthorizationID

      GSSAPISASLBindRequest setAuthorizationID(String authorizationID)
      Sets the optional authorization ID of the user which represents an alternate authorization identity which should be used for subsequent operations performed on the connection. The authorization ID usually has the form "dn:" immediately followed by the distinguished name of the user, or "u:" followed by a user ID string, but other forms are permitted.
      Parameters:
      authorizationID - The authorization ID of the user, which may be null.
      Returns:
      This bind request.
      Throws:
      org.forgerock.i18n.LocalizedIllegalArgumentException - If authorizationID was non-empty and did not contain a valid authorization ID type.

    • setKDCAddress

      GSSAPISASLBindRequest setKDCAddress(String address)
      Sets the optional address of the Kerberos KDC (Key Distribution Center).

      NOTE: this will not be used if a Subject is specified.

      Parameters:
      address - The address of the Kerberos KDC (Key Distribution Center), which may be null.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the KDC address to be set.
      NullPointerException - If address was null.

    • setMaxReceiveBufferSize

      GSSAPISASLBindRequest setMaxReceiveBufferSize(int size)
      Sets the maximum size of the receive buffer in bytes. The actual maximum number of bytes will be the minimum of this number and the peer's maximum send buffer size. The default size is 65536.
      Parameters:
      size - The maximum size of the receive buffer in bytes.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the buffer size to be set.

    • setMaxSendBufferSize

      GSSAPISASLBindRequest setMaxSendBufferSize(int size)
      Sets the maximum size of the send buffer in bytes. The actual maximum number of bytes will be the minimum of this number and the peer's maximum receive buffer size. The default size is 65536.
      Parameters:
      size - The maximum size of the send buffer in bytes.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the buffer size to be set.

    • setPassword

      GSSAPISASLBindRequest setPassword(byte[] password)
      Sets the password of the user that the client wishes to bind as.

      Unless otherwise indicated, implementations will store a reference to the provided password byte array, allowing applications to overwrite the password after it has been used.

      NOTE: this will not be used if a Subject is specified.

      Parameters:
      password - The password of the user that the client wishes to bind as, which may be empty.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the password to be set.
      NullPointerException - If password was null.

    • setPassword

      GSSAPISASLBindRequest setPassword(char[] password)
      Sets the password of the user that the client wishes to bind as. The password will be converted to a UTF-8 octet string.

      NOTE: this will not be used if a Subject is specified.

      Parameters:
      password - The password of the user that the client wishes to bind as.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the password to be set.
      NullPointerException - If password was null.

    • setRealm

      GSSAPISASLBindRequest setRealm(String realm)
      Sets the optional realm containing the user's account.

      NOTE: this will not be used if a Subject is specified.

      Parameters:
      realm - The name of the realm containing the user's account, which may be null.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the realm to be set.
      NullPointerException - If realm was null.

    • setServerAuth

      GSSAPISASLBindRequest setServerAuth(boolean serverAuth)
      Specifies whether the server must authenticate to the client. The default is false.
      Parameters:
      serverAuth - true if the server must authenticate to the client or false otherwise.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit server auth to be set.

    • setSubject

      GSSAPISASLBindRequest setSubject(Subject subject)
      Sets the Kerberos subject of the user to be authenticated.

      NOTE: if a Subject is specified then the authentication ID, KDC address, password, and realm, will be ignored.

      Parameters:
      subject - The Kerberos subject of the user to be authenticated.
      Returns:
      This bind request.
      Throws:
      UnsupportedOperationException - If this bind request does not permit the Kerberos subject to be set.
      NullPointerException - If subject was null.