Class UserLookupHelper

java.lang.Object
com.ibm.security.access.user.UserLookupHelper

public class UserLookupHelper extends Object
Performs lookups on users based on username.

If a search filter is not provided, the default search filter is used:

 (|(objectClass=ePerson)(objectClass=Person))


This class caches configurations, so shutdown does not need to be called per request, and init will not re-initialize a configuration which is already running. However, because the cache is shared, there is an occasional race condition in which the cache cannot differentiate between different init search options. For example, if infomap1 calls init with search option 1, and infomap2 then calls init with search option 2, infomap1 may be served search option 2 from the cache instead of the option it expected. Consequently, when multiple infomaps run with different init parameters, the UserLookupHelper operation cannot be guaranteed to be 100% thread safe. To minimize the chance of this mix-up, call init, perform the lookup, and then call shutdown immediately after use.

The configuration for the LDAP client can be sourced from 3 different places:
1. The Verify Identity Access RTE. This is the Runtime configuration under the menu:
Secure Web Settings -> Runtime Component. To use this configuration method, the [bind-credentials] stanza must be populated in the ldap.conf configuration file. If basic user support is enabled, then federated directories will be used.

2. Username Password Authentication mechanism: The Username Password mechanism houses configuration for connecting to an LDAP. This can also be used by this lookup util. Federated directories can be used with this method, depending on the module configuration. For details on how to configure this mechanism see: http://www.ibm.com/support/knowledgecenter/SSPREK_9.0.2/com.ibm.isam.doc/config/task/configuringusernamepwd.html

3. A server connection. The server connection can be retrieved with the ServerConnectionFactory class. Basic users / federated directories are not supported with this configuration.
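The init/use/shutdown pattern recommended above, shown for configuration sources 1 and 3, as an added example that is not part of this page or of the product's own code. The package of ServerConnectionFactory and LdapServerConnection, the getLdapConnection(String) factory method, the connection name, the custom search filter and the domain name "Default" are assumptions; only UserLookupHelper and the init/getUser/getUserWithDomain/isReady/shutdown calls are taken from this page.

```java
import com.ibm.security.access.user.User;
import com.ibm.security.access.user.UserLookupHelper;
// Assumed package for the server connection classes: the page names
// ServerConnectionFactory and LdapServerConnection but not their package.
import com.ibm.security.access.server_connections.LdapServerConnection;
import com.ibm.security.access.server_connections.ServerConnectionFactory;

/** Added example: init / use / shutdown pattern for UserLookupHelper. */
public class UserLookupExample {

    /**
     * Resolve a username with the appliance RTE configuration (ldap.conf).
     * init() is equivalent to init(false, null) and returns false on failure,
     * so the helper is only used after a successful init.
     */
    public static User lookupViaRte(String username) {
        UserLookupHelper helper = new UserLookupHelper();
        if (!helper.init()) {
            return null;   // [bind-credentials] missing in ldap.conf, or LDAP unreachable
        }
        try {
            return helper.getUser(username);   // null if not found or on error
        } finally {
            // Shutting down right after use evicts this configuration from the
            // shared cache, so another mapping rule's init with different search
            // options cannot be handed this helper's settings, or vice versa.
            helper.shutdown();
        }
    }

    /**
     * Resolve a username through a named server connection with a custom
     * search filter. Basic users / federated directories are not supported
     * on this path.
     */
    public static User lookupViaServerConnection(String connectionName, String username) {
        // Assumption: ServerConnectionFactory.getLdapConnection(String) returns the
        // LdapServerConnection configured under that name, or null if absent.
        LdapServerConnection conn = ServerConnectionFactory.getLdapConnection(connectionName);
        if (conn == null) {
            return null;
        }
        // Restrict matches to inetOrgPerson entries instead of the default
        // (|(objectClass=ePerson)(objectClass=Person)) filter.
        String searchFilter = "(objectClass=inetOrgPerson)";
        String mgmtDomain = "Default";   // assumed secure domain name
        UserLookupHelper helper = new UserLookupHelper();
        // Only the first host in the connection is used; login failures are not persisted.
        if (!helper.init(conn, searchFilter, mgmtDomain, false)) {
            return null;
        }
        try {
            if (!helper.isReady()) {
                return null;
            }
            return helper.getUserWithDomain(username, mgmtDomain);
        } finally {
            helper.shutdown();
        }
    }
}
```

Calling shutdown in a finally block costs a reconnect on the next request, which is the trade-off the class description accepts in exchange for not being served another mapping rule's cached search options.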
Since:
9.0.2.1
  • Constructor Details

    • UserLookupHelper

      public UserLookupHelper()
      Create a lookup helper. The helper should not be used before init is called.
  • Method Details

    • isReady

      public boolean isReady()
      Check if this helper is ready and has had init() called
    • init

      public boolean init()
      Initialize using the configuration of this appliance's Verify Identity Access RTE; the values in ldap.conf are used. This call is equivalent to init(false, null).
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(Properties overrideProperties)
      Initialize using the configuration of this appliance's Verify Identity Access RTE; the values in ldap.conf are used. This call is equivalent to init(false, overrideProperties).
      Parameters:
      overrideProperties - properties to pass down to rgy. They are applied after the usual properties are loaded, so they override any configuration the util populates itself. Ignored if null.
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(boolean useAuthService)
      Initialize a UserLookupHelper which will use either the configuration in the Verify Identity Access RTE or the configuration in the Username Password authentication mechanism.
      Parameters:
      useAuthService - if true, the Username Password mechanism configuration is used; if false, the call is the same as init().
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(boolean useAuthService, Properties overrideProperties)
      Initialize a UserLookupHelper which will use either the configuration in the Verify Identity Access RTE or the configuration in the Username Password authentication mechanism.
      Parameters:
      useAuthService - if true, the Username Password mechanism configuration is used; if false, the call is the same as init(overrideProperties).
      overrideProperties - properties to pass down to rgy. They are applied after the usual properties are loaded, so they override any configuration the util populates itself. Ignored if null. If provided, the UserLookupHelper caches the configuration based on the supplied properties.
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(LdapServerConnection connection, String mgmtDomain)
      Initialize this lookup util with a server connection. Only the first host in the connection is used. loginFailuresPersistent defaults to false.
      Parameters:
      connection - the server connection to use
      mgmtDomain - secure domain to use
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(LdapServerConnection connection, String searchFilter, String mgmtDomain)
      Initialize this lookup util with a server connection. Only the first host in the connection is used. loginFailuresPersistent defaults to false.
      Parameters:
      connection - the server connection to use.
      searchFilter - custom search filter to use.
      mgmtDomain - secure domain to use.
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(LdapServerConnection connection, String searchFilter, String mgmtDomain, boolean loginFailuresPersistent)
      Initialize this lookup util with a server connection. Only the first host in the connection is used.
      Parameters:
      connection - the server connection to use.
      searchFilter - custom search filter to use.
      mgmtDomain - secure domain to use.
      loginFailuresPersistent - whether failures to login will be persisted.
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(LdapServerConnection connection, String searchFilter, String mgmtDomain, boolean loginFailuresPersistent, Properties overrideProperties)
      Initialize this lookup util with a server connection. Only the first host in the connection is used.
      Parameters:
      connection - the server connection to use.
      searchFilter - custom search filter to use.
      mgmtDomain - secure domain to use.
      loginFailuresPersistent - whether failures to login will be persisted.
      overrideProperties - properties to pass down to rgy. They are applied after the usual properties are loaded, so they override any configuration the util populates itself. Ignored if null.
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(String hostname, int port, String bindDn, String bindDnPwd, String mgmtDomain, int connectionTimeout)
      Basic initialize. Uses the default search filter. Login failures are not persisted.
      Parameters:
      hostname - host to connect to.
      port - port to connect to.
      bindDn - user to bind as.
      bindDnPwd - password used to bind.
      mgmtDomain - Verify Identity Access domain to use.
      connectionTimeout - time in seconds that an inactive connection should be held.
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(String hostname, int port, String bindDn, String bindDnPwd, String keystore, String mgmtDomain, int connectionTimeout)
      Basic initialize with TLS. Uses the default search filter. Login failures are not persisted.
      Parameters:
      hostname - host to connect to.
      port - port to connect to.
      bindDn - user to bind as.
      bindDnPwd - password used to bind.
      keystore - keystore to be used as the SSL trust store.
      mgmtDomain - Verify Identity Access domain to use.
      connectionTimeout - time in seconds that an inactive connection should be held.
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(String hostname, int port, String bindDn, String bindDnPwd, String keystore, String clientCertLabel, String searchFilter, String mgmtDomain, int connectionTimeout)
      Full initialize with options for client certificate authentication and a custom search filter. Login failures are not persisted. It is acceptable to pass null for keystore and clientCertLabel.
      Parameters:
      hostname - host to connect to.
      port - port to connect to.
      bindDn - user to bind as.
      bindDnPwd - password used to bind.
      keystore - keystore to be used as the SSL trust store.
      clientCertLabel - certificate to use for client certificate authentication. Sourced from the specified keystore.
      searchFilter - search filter to use for user lookups.
      mgmtDomain - Verify Identity Access domain to use.
      connectionTimeout - time in seconds that an inactive connection should be held.
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(String hostname, int port, String bindDn, String bindDnPwd, String keystore, String clientCertLabel, String searchFilter, String mgmtDomain, int connectionTimeout, boolean loginFailuresPersistent)
      Full initialize with options for client certificate authentication and a custom search filter. Same as the variant above, with loginFailuresPersistent controlling whether login failures are persisted.
      Parameters:
      loginFailuresPersistent - whether login failures should be persisted.
      Returns:
      true if LDAP connection initialization was successful, else false.
    • init

      public boolean init(String hostname, int port, String bindDn, String bindDnPwd, String keystore, String clientCertLabel, String searchFilter, String mgmtDomain, int connectionTimeout, boolean loginFailuresPersistent, Properties overrideProperties)
      Full initialize with options for client certificate authentication, a custom search filter, persistence of login failures and override properties.
      Parameters:
      overrideProperties - properties to pass down to rgy. They are applied after the usual properties are loaded, so they override any configuration the util populates itself. Ignored if null.
      Returns:
      true if LDAP connection initialization was successful, else false.
    • shutdown

      public void shutdown()
      Close any connections held by this lookup helper. Will remove the helper from the cache. Does not need to be called per request.
    • getUser

      public User getUser(String username)
      Retrieve a user from the registry
      Parameters:
      username - to retrieve
      Returns:
      the user found, or null if the user was not found or an error occurred.
    • getUserWithDomain

      public User getUserWithDomain(String username, String domain)
      Retrieve a user from the registry
      Parameters:
      username - to retrieve
      domain - to retrieve from
      Returns:
      the user found, or null if the user was not found or an error occurred.
    • getUserByNativeId

      public User getUserByNativeId(String nativeId)
      Retrieve a user from the registry using their native Id
      Parameters:
      nativeId - native id of the user to retrieve.
      Returns:
      the user found, or null if the user was not found or an error occurred.
    • getUserByNativeIdWithDomain

      public User getUserByNativeIdWithDomain(String domain, String nativeId)
      Retrieve a user from the registry using their native Id
      Parameters:
      domain - domain to get the user from
      nativeId - of the user to retrieve
      Returns:
      the user found, or null if the user was not found or an error occurred.
    • createUser

      public User createUser(String username, String dn, String password, boolean bypassPasswordPolicy, String firstName, String lastName, boolean accountValid, boolean passwordValid)
      Create a user in the registry. Only supported when using a Verify Identity Access user registry.
      Parameters:
      username - userid for the user to create.
      dn - the registry id (distinguished name) for the user to create.
      password - the password for the user.
      bypassPasswordPolicy - if true, password policy is not enforced when creating this user.
      firstName - first name of the user.
      lastName - last name of the user.
      accountValid - whether this account is valid.
      passwordValid - whether the password is valid.
      Returns:
      the created user object
    • createUserWithDomain

      public User createUserWithDomain(String domain, String username, String dn, String password, boolean bypassPasswordPolicy, String firstName, String lastName, boolean accountValid, boolean passwordValid)
      Create a user in the registry with domain. Only supported when using a Verify Identity Access user registry.
      Parameters:
      domain - domain in which to create the user.
      username - userid for the user to create.
      dn - the registry id (distinguished name) for the user to create.
      password - the password for the user.
      bypassPasswordPolicy - if true, password policy is not enforced when creating this user.
      firstName - first name of the user.
      lastName - last name of the user.
      accountValid - whether this account is valid.
      passwordValid - whether the password is valid.
      Returns:
      the created user object, or null if any exception occurred.
    • deleteUser

      public boolean deleteUser(String username, boolean removeNativeUser)
      Remove a user.
      Parameters:
      username - of the user to remove
      removeNativeUser - if the user should be removed from the directory instead of just the secure domain.
      Returns:
      true if the user was removed / false if the user was not removed.
    • deleteUserWithDomain

      public boolean deleteUserWithDomain(String domain, String username, boolean removeNativeUser)
      Remove a user.
      Parameters:
      domain - of the user to remove
      username - of the user to remove
      removeNativeUser - if the user should be removed from the directory instead of just the secure domain.
      Returns:
      true if the user was removed / false if the user was not removed.
    • search

      public String[] search(String searchAttr, String attrPattern, int maxReturned)
      Search users based on a given attribute pattern. Returns an array of native ids which match the provided attribute pattern.
      Parameters:
      searchAttr - the attribute to search on.
      attrPattern - the pattern the provided attribute must match. Wildcards ('*') are allowed.
      maxReturned - limit on the number of search results.
      Returns:
      an array of native ids which match the provided attribute pattern.
    • search

      public String[] search(String searchAttr, String attrPattern, int maxReturned, int pageSize)
      Search users based on a given attribute pattern. Returns an array of native ids which match the provided attribute pattern.
      Parameters:
      searchAttr - the attribute to search on.
      attrPattern - the pattern the provided attribute must match. Wildcards ('*') are allowed.
      maxReturned - limit on the number of search results.
      pageSize - indicates to the registry the page size to be used. Ignored if the value passed in is not a positive integer.
      Returns:
      an array of native ids which match the provided attribute pattern.
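Because attrPattern accepts wildcards, a value taken from a request should be escaped before it is passed to search, otherwise a caller can submit "*" and enumerate the directory. The following is an added example, not code from this page or from the product; the escaping is the RFC 4515 filter escaping, and it assumes attrPattern is placed into the LDAP filter as given, so that those escapes are honoured by the registry. The "mail" attribute, the limit and the page size are illustrative choices.

```java
import com.ibm.security.access.user.User;
import com.ibm.security.access.user.UserLookupHelper;
import java.util.ArrayList;
import java.util.List;

/** Added example: attribute search with escaping of caller-supplied input. */
public class UserSearchExample {

    /**
     * Escape the RFC 4515 special characters in a value that is to be embedded
     * in an LDAP filter. The '*' wildcard that search() permits is escaped too,
     * so a caller-supplied value cannot widen the match set.
     */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Find users whose mail attribute starts with the given prefix and load
     * each one by native id. The wildcard is appended by this code and is
     * never taken from the caller.
     */
    public static List<User> findByMailPrefix(UserLookupHelper helper, String prefix, int limit) {
        List<User> users = new ArrayList<>();
        if (!helper.isReady() || prefix == null || prefix.isEmpty()) {
            return users;   // never run an unbounded "*" search
        }
        String pattern = escapeFilterValue(prefix) + "*";
        // Assumption: attrPattern goes into the LDAP filter as given, so the
        // escapes above reach the registry. Page size 25 keeps a large result
        // set paged even when limit is higher.
        String[] nativeIds = helper.search("mail", pattern, limit, 25);
        if (nativeIds == null) {
            return users;
        }
        for (String id : nativeIds) {
            User u = helper.getUserByNativeId(id);
            if (u != null) {   // null if the entry vanished or an error occurred
                users.add(u);
            }
        }
        return users;
    }
}
```

With this escaping, a prefix of "*" searches for a literal asterisk and matches nothing, while "alice" becomes the pattern "alice*" and matches only the intended addresses.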