com.unboundid.directory.sdk.ds.api
Class CertificateMapper

java.lang.Object
  extended by com.unboundid.directory.sdk.ds.api.CertificateMapper
All Implemented Interfaces:
Configurable, ExampleUsageProvider, Reconfigurable<CertificateMapperConfig>, UnboundIDExtension

@Extensible
@DirectoryServerExtension
@DirectoryProxyServerExtension(appliesToLocalContent=true,
                               appliesToRemoteContent=true)
@SynchronizationServerExtension(appliesToLocalContent=true,
                                appliesToSynchronizedContent=false)
@ThreadSafety(level=INTERFACE_THREADSAFE)
public abstract class CertificateMapper
extends java.lang.Object
implements UnboundIDExtension, Reconfigurable<CertificateMapperConfig>, ExampleUsageProvider

This class defines an API that must be implemented by extensions which attempt to map a certificate presented by a client (e.g., via SSL or StartTLS) to a user defined in the server. This is primarily used during the course of SASL EXTERNAL bind processing when a client uses a certificate to authenticate to the server. Any information contained in the provided certificate chain (including the subject, fingerprint, validity, extensions, etc. of the client certificate, as well as any information about any issuer certificates) may be used to map information in the provided certificate chain to exactly one user in the server. If the certificate cannot be mapped to any user, or if it is mapped to multiple users, then the authentication attempt must fail.

Configuring Certificate Mappers

In order to configure a certificate mapper created using this API, use a command like:
      dsconfig create-certificate-mapper \
           --mapper-name "{mapper-name}" \
           --type third-party \
           --set enabled:true \
           --set "extension-class:{class-name}" \
           --set "extension-argument:{name=value}"
 
where "{mapper-name}" is the name to use for the certificate mapper instance, "{class-name}" is the fully-qualified name of the Java class that extends com.unboundid.directory.sdk.ds.api.CertificateMapper, and "{name=value}" represents name-value pairs for any arguments to provide to the certificate mapper. If multiple arguments should be provided to the certificate mapper, then the "--set extension-argument:{name=value}" option should be provided multiple times.

See Also:
ScriptedCertificateMapper

Constructor Summary
CertificateMapper()
          Creates a new instance of this certificate mapper.
 
Method Summary
 com.unboundid.ldap.sdk.ResultCode applyConfiguration(CertificateMapperConfig config, com.unboundid.util.args.ArgumentParser parser, java.util.List<java.lang.String> adminActionsRequired, java.util.List<java.lang.String> messages)
          Attempts to apply the configuration from the provided argument parser to this extension.
 void defineConfigArguments(com.unboundid.util.args.ArgumentParser parser)
          Updates the provided argument parser to define any configuration arguments which may be used by this extension.
 void finalizeCertificateMapper()
          Performs any cleanup which may be necessary when this certificate mapper is to be taken out of service.
 java.util.Map<java.util.List<java.lang.String>,java.lang.String> getExamplesArgumentSets()
          Retrieves a map containing examples of configurations that may be used for this extension.
abstract  java.lang.String[] getExtensionDescription()
          Retrieves a human-readable description for this extension.
abstract  java.lang.String getExtensionName()
          Retrieves a human-readable name for this extension.
 void initializeCertificateMapper(DirectoryServerContext serverContext, CertificateMapperConfig config, com.unboundid.util.args.ArgumentParser parser)
          Initializes this certificate mapper.
 boolean isConfigurationAcceptable(CertificateMapperConfig config, com.unboundid.util.args.ArgumentParser parser, java.util.List<java.lang.String> unacceptableReasons)
          Indicates whether the configuration represented by the provided argument parser is acceptable for use by this extension.
abstract  java.lang.String mapCertificate(java.security.cert.Certificate[] certChain)
          Performs any processing which may be necessary to map the provided certificate chain to a user within the server.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

CertificateMapper

public CertificateMapper()
Creates a new instance of this certificate mapper. All certificate mapper implementations must include a default constructor, but any initialization should generally be done in the initializeCertificateMapper method.

Method Detail

getExtensionName

public abstract java.lang.String getExtensionName()
Retrieves a human-readable name for this extension.

Specified by:
getExtensionName in interface UnboundIDExtension
Returns:
A human-readable name for this extension.

getExtensionDescription

public abstract java.lang.String[] getExtensionDescription()
Retrieves a human-readable description for this extension. Each element of the array that is returned will be considered a separate paragraph in generated documentation.

Specified by:
getExtensionDescription in interface UnboundIDExtension
Returns:
A human-readable description for this extension, or null or an empty array if no description should be available.

defineConfigArguments

public void defineConfigArguments(com.unboundid.util.args.ArgumentParser parser)
                           throws com.unboundid.util.args.ArgumentException
Updates the provided argument parser to define any configuration arguments which may be used by this extension. The argument parser may also be updated to define relationships between arguments (e.g., to specify required, exclusive, or dependent argument sets).

Specified by:
defineConfigArguments in interface Configurable
Parameters:
parser - The argument parser to be updated with the configuration arguments which may be used by this extension.
Throws:
com.unboundid.util.args.ArgumentException - If a problem is encountered while updating the provided argument parser.

initializeCertificateMapper

public void initializeCertificateMapper(DirectoryServerContext serverContext,
                                        CertificateMapperConfig config,
                                        com.unboundid.util.args.ArgumentParser parser)
                                 throws com.unboundid.ldap.sdk.LDAPException
Initializes this certificate mapper.

Parameters:
serverContext - A handle to the server context for the server in which this extension is running.
config - The general configuration for this certificate mapper.
parser - The argument parser which has been initialized from the configuration for this certificate mapper.
Throws:
com.unboundid.ldap.sdk.LDAPException - If a problem occurs while initializing this certificate mapper.

isConfigurationAcceptable

public boolean isConfigurationAcceptable(CertificateMapperConfig config,
                                         com.unboundid.util.args.ArgumentParser parser,
                                         java.util.List<java.lang.String> unacceptableReasons)
Indicates whether the configuration represented by the provided argument parser is acceptable for use by this extension. The parser will have been used to parse any configuration available for this extension, and any automatic validation will have been performed. This method may be used to perform any more complex validation which cannot be performed automatically by the argument parser.

Specified by:
isConfigurationAcceptable in interface Reconfigurable<CertificateMapperConfig>
Parameters:
config - The general configuration for this extension.
parser - The argument parser that has been used to parse the proposed configuration for this extension.
unacceptableReasons - A list to which messages may be added to provide additional information about why the provided configuration is not acceptable.
Returns:
true if the configuration in the provided argument parser appears to be acceptable, or false if not.

applyConfiguration

public com.unboundid.ldap.sdk.ResultCode applyConfiguration(CertificateMapperConfig config,
                                                            com.unboundid.util.args.ArgumentParser parser,
                                                            java.util.List<java.lang.String> adminActionsRequired,
                                                            java.util.List<java.lang.String> messages)
Attempts to apply the configuration from the provided argument parser to this extension.

Specified by:
applyConfiguration in interface Reconfigurable<CertificateMapperConfig>
Parameters:
config - The general configuration for this extension.
parser - The argument parser that has been used to parse the new configuration for this extension.
adminActionsRequired - A list to which messages may be added to provide additional information about any additional administrative actions that may be required to apply some of the configuration changes.
messages - A list to which messages may be added to provide additional information about the processing performed by this method.
Returns:
A result code providing information about the result of applying the configuration change. A result of SUCCESS should be used to indicate that all processing completed successfully. Any other result will indicate that a problem occurred during processing.

finalizeCertificateMapper

public void finalizeCertificateMapper()
Performs any cleanup which may be necessary when this certificate mapper is to be taken out of service.


mapCertificate

public abstract java.lang.String mapCertificate(java.security.cert.Certificate[] certChain)
                                         throws com.unboundid.ldap.sdk.LDAPException
Performs any processing which may be necessary to map the provided certificate chain to a user within the server.

Parameters:
certChain - The certificate chain presented by the client.
Returns:
The DN of the user within the server to which the provided certificate corresponds.
Throws:
com.unboundid.ldap.sdk.LDAPException - If the presented certificate cannot be mapped to exactly one user in the server.

getExamplesArgumentSets

public java.util.Map<java.util.List<java.lang.String>,java.lang.String> getExamplesArgumentSets()
Retrieves a map containing examples of configurations that may be used for this extension. The map key should be a list of sample arguments, and the corresponding value should be a description of the behavior that will be exhibited by the extension when used with that configuration.

Specified by:
getExamplesArgumentSets in interface ExampleUsageProvider
Returns:
A map containing examples of configurations that may be used for this extension. It may be null or empty if there should not be any example argument sets.