[
https://issues.jboss.org/browse/SECURITY-470?page=com.atlassian.jira.plug...
]
Anil Saldhana updated SECURITY-470:
-----------------------------------
Fix Version/s: PicketBox_v4_0_6.Beta1
Description:
A CallbackHandler that uses LDAP to verify the passed password.
Two callbacks can be passed to this handler:
PasswordCallback: Passing this callback will fetch the password for the user. The returned
password will not be in clear text; it will be in the hashed form the LDAP server has
stored.
VerifyPasswordCallback: Passing this callback with a value will make the handler do an
LDAP bind to verify the user password.
The main method is #setConfiguration(Map), which takes a map of String key/value pairs.
The possible pairs are:
passwordAttributeID : the name of the attribute where the password is stored.
Default: userPassword
bindDN : DN used to bind against the ldap server with read/write permissions for
baseCtxDN.
bindCredential : Password for the bindDN. This can be encrypted if the jaasSecurityDomain
is specified.
baseCtxDN : The fixed DN of the context to start the user search from.
baseFilter : A search filter used to locate the context of the user to authenticate. The
input username/userDN as provided by the NameCallback will be substituted into the filter
anywhere a "{0}" expression is seen. This substitution behavior comes from the
standard.
searchTimeLimit : The timeout in milliseconds for the user/role searches. Defaults to
10000 (10 seconds).
jaasSecurityDomain : The JMX ObjectName of the JaasSecurityDomain to use to decrypt the
java.naming.security.principal. The encrypted form of the password is that returned by the
JaasSecurityDomain#encrypt64(byte[]) method. The org.jboss.security.plugins.PBEUtils can
also be used to generate the encrypted form.
distinguishedNameAttribute : Used in LDAP servers such as Active Directory where the LDAP
provider has a property (distinguishedName) to return the relative CN of the user.
Default: distinguishedName
Example Usages:
import static org.junit.Assert.assertTrue;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
// LdapCallbackHandler and VerifyPasswordCallback are PicketBox classes
// (assumed to live in org.jboss.security.auth.callback as the other handlers do).
import org.jboss.security.auth.callback.LdapCallbackHandler;
import org.jboss.security.auth.callback.VerifyPasswordCallback;

LdapCallbackHandler cbh = new LdapCallbackHandler();
// Configuration is a map of String keys to String values.
Map<String, String> map = new HashMap<String, String>();
map.put("bindDN", "cn=Directory Manager");
map.put("bindCredential", "password");
map.put("baseFilter", "(uid={0})");
map.put("java.naming.factory.initial",
"com.sun.jndi.ldap.LdapCtxFactory");
map.put("java.naming.provider.url", "ldap://localhost:10389");
map.put("baseCtxDN", "ou=People,dc=jboss,dc=org");
cbh.setConfiguration(map);
// The NameCallback value is substituted for "{0}" in baseFilter.
NameCallback ncb = new NameCallback("Enter");
ncb.setName("jduke");
// A VerifyPasswordCallback makes the handler bind as the located user.
VerifyPasswordCallback vpc = new VerifyPasswordCallback();
vpc.setValue("theduke");
cbh.handle(new Callback[] {ncb, vpc});
assertTrue(vpc.isVerified());
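Two checks a caller of a handler like this one should apply to the NameCallback and VerifyPasswordCallback values before calling handle(). This is an added example, not code from the issue or from PicketBox: the class LdapInputGuard and its methods hasFilterMetacharacters, escapeFilterValue, renderFilter, isBindablePassword and prepareName are my names. It relies on two standard facts: the characters * ( ) \ and NUL are special in an LDAP filter assertion value (RFC 4515), and an LDAP simple bind that carries a DN with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which many directories accept, so a "verified" result for an empty password does not mean the password was checked. How the handler itself performs the "{0}" substitution is not stated beyond the description above; JNDI's DirContext.search(name, filterExpr, filterArgs, cons) escapes its filterArgs, so the escaping routine here is for code paths that build the filter string by hand, and the NameCallback value is rejected rather than pre-escaped to avoid double escaping.

```java
import javax.security.auth.callback.NameCallback;

// Added example, not PicketBox code. Guards the two user-supplied values that
// reach an LDAP-backed callback handler: the name substituted for "{0}" in
// baseFilter and the password used for the verifying bind.
public class LdapInputGuard {

    // Characters that are special inside a filter assertion value (RFC 4515 section 3).
    private static final String FILTER_META = "*()\\\0";

    // True if the name could alter the structure of a hand-built search filter.
    public static boolean hasFilterMetacharacters(String name) {
        for (int i = 0; i < name.length(); i++) {
            if (FILTER_META.indexOf(name.charAt(i)) >= 0) {
                return true;
            }
        }
        return false;
    }

    // RFC 4515 escaping: each special character becomes a backslash and two hex digits.
    // Only for code that concatenates the filter itself; JNDI filterArgs are escaped by JNDI.
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Render baseFilter with the escaped name in place of "{0}", so the exact
    // filter sent to the directory can be logged or reviewed before a search.
    public static String renderFilter(String baseFilter, String name) {
        return baseFilter.replace("{0}", escapeFilterValue(name));
    }

    // A verifying bind must carry a non-empty password; an empty one is an
    // unauthenticated bind (RFC 4513 section 5.1.2) and must never count as verified.
    public static boolean isBindablePassword(String password) {
        return password != null && !password.isEmpty();
    }

    // Build the NameCallback for the handler, refusing input that would either
    // change the filter structure or degrade the bind to an unauthenticated one.
    public static NameCallback prepareName(String user, String password) {
        if (user == null || user.isEmpty() || hasFilterMetacharacters(user)) {
            throw new IllegalArgumentException("user name contains LDAP filter metacharacters");
        }
        if (!isBindablePassword(password)) {
            throw new IllegalArgumentException("refusing bind with empty password for " + user);
        }
        NameCallback ncb = new NameCallback("Enter");
        ncb.setName(user);
        return ncb;
    }

    public static void main(String[] args) {
        String baseFilter = "(uid={0})";   // the filter from the issue's example
        String hostile = "*)(uid=*";       // constructed input carrying filter metacharacters
        System.out.println(renderFilter(baseFilter, "jduke"));
        System.out.println(renderFilter(baseFilter, hostile));
        System.out.println(hasFilterMetacharacters(hostile));
        System.out.println(isBindablePassword(""));
        System.out.println(prepareName("jduke", "theduke").getName());
    }
}
```

The NameCallback returned by prepareName is what goes into the Callback[] passed to handle(); the password is still set on the VerifyPasswordCallback as in the issue's example, the guard only refuses to build the callbacks for input that would make the bind result meaningless.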
Callbackhandlers to get information from LDAP
---------------------------------------------
Key: SECURITY-470
URL:
https://issues.jboss.org/browse/SECURITY-470
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: PicketBox
Reporter: Anil Saldhana
Assignee: Anil Saldhana
Fix For: PicketBox_v4_0_6.Beta1
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see:
http://www.atlassian.com/software/jira