@Extensible @DirectoryServerExtension @DirectoryProxyServerExtension(appliesToLocalContent=true, appliesToRemoteContent=false) @SynchronizationServerExtension(appliesToLocalContent=true, appliesToSynchronizedContent=false) @ThreadSafety(level=INTERFACE_THREADSAFE) public abstract class EnhancedPasswordStorageScheme extends java.lang.Object implements UnboundIDExtension, Reconfigurable<PasswordStorageSchemeConfig>, ExampleUsageProvider
PasswordStorageScheme
API is still supported, this enhanced version
is both simpler and provides additional functionality, including providing
access to the user entry (which may be useful, for example, if salt or
encryption information is to be derived from other content in the entry, or
from another repository that can be accessed based on content in the entry).
However, this API is generally simpler than the PasswordStorageScheme
API, so it may be desirable for all new implementations to implement this API
instead.
dsconfig create-password-storage-scheme \ --scheme-name "{scheme-name}" \ --type third-party-enhanced \ --set enabled:true \ --set "extension-class:{class-name}" \ --set "extension-argument:{name=value}"where "{scheme-name}" is the name to use for the password storage scheme instance, "{class-name}" is the fully-qualified name of the Java class that extends
com.unboundid.directory.sdk.ds.api.PasswordStorageScheme
, and
"{name=value}" represents name-value pairs for any arguments to
provide to the password storage scheme. If multiple arguments should be
provided to the password storage scheme, then the
"--set extension-argument:{name=value}
" option should be
provided multiple times.PasswordStorageScheme
Constructor and Description |
---|
EnhancedPasswordStorageScheme()
Creates a new instance of this password storage scheme.
|
Modifier and Type | Method and Description |
---|---|
ResultCode |
applyConfiguration(PasswordStorageSchemeConfig config,
ArgumentParser parser,
java.util.List<java.lang.String> adminActionsRequired,
java.util.List<java.lang.String> messages)
Attempts to apply the configuration from the provided argument parser to
this extension.
|
boolean |
authPasswordMatches(ByteString plaintextPassword,
java.lang.String authInfo,
java.lang.String authValue,
Entry userEntry)
Indicates whether the provided plaintext password may be used to generate
an encoded password with the given authInfo and authValue elements when
using the authentication password syntax as defined in RFC 3112.
|
void |
defineConfigArguments(ArgumentParser parser)
Updates the provided argument parser to define any configuration arguments
which may be used by this extension.
|
ByteString |
encodeAuthPassword(ByteString plaintext,
Entry userEntry,
java.util.List<Modification> modifications,
boolean deterministic)
Encodes the provided plaintext password using the authentication password
syntax as defined in RFC 3112.
|
abstract ByteString |
encodePassword(ByteString plaintext,
Entry userEntry,
java.util.List<Modification> modifications,
boolean deterministic,
boolean includeScheme)
Encodes the provided plaintext password for this storage scheme,
without the name of the associated scheme.
|
void |
finalizePasswordStorageScheme()
Performs any cleanup which may be necessary when this password storage
scheme is to be taken out of service.
|
ByteString |
getAuthPasswordPlaintextValue(java.lang.String authInfo,
java.lang.String authValue,
Entry userEntry)
Obtains the plaintext password that was used to generate an encoded
password with the given authInfo and authValue elements when using the
authentication password syntax as described in RFC 3112.
|
java.lang.String |
getAuthPasswordSchemeName()
Retrieves the name that should be used to identify this password storage
scheme when encoding passwords using the authentication password syntax as
described in RFC 3112.
|
java.util.Map<java.util.List<java.lang.String>,java.lang.String> |
getExamplesArgumentSets()
Retrieves a map containing examples of configurations that may be used for
this extension.
|
abstract java.lang.String[] |
getExtensionDescription()
Retrieves a human-readable description for this extension.
|
abstract java.lang.String |
getExtensionName()
Retrieves a human-readable name for this extension.
|
abstract ByteString |
getPlaintextValue(ByteString storedPassword,
Entry userEntry)
Attempts to determine the plaintext password used to generate the provided
encoded password.
|
abstract java.lang.String |
getStorageSchemeName()
Retrieves the name for this password storage scheme.
|
void |
initializePasswordStorageScheme(DirectoryServerContext serverContext,
PasswordStorageSchemeConfig config,
ArgumentParser parser)
Initializes this password storage scheme.
|
boolean |
isConfigurationAcceptable(PasswordStorageSchemeConfig config,
ArgumentParser parser,
java.util.List<java.lang.String> unacceptableReasons)
Indicates whether the configuration represented by the provided argument
parser is acceptable for use by this extension.
|
abstract boolean |
isReversible()
Indicates whether this password storage scheme encodes passwords in a form
that allows the original plaintext value to be obtained from the encoded
representation.
|
abstract boolean |
isSecure()
Indicates whether this password storage scheme encodes passwords in a form
that may be considered secure.
|
abstract boolean |
passwordMatches(ByteString plaintextPassword,
ByteString storedPassword,
Entry userEntry)
Indicates whether the provided plaintext password could have been used to
generate the given encoded password.
|
boolean |
requiresUserEntry()
Indicates whether this password storage scheme requires access to the user
entry in order to perform processing.
|
boolean |
supportsAuthPasswordSyntax()
Indicates whether this password storage scheme provides the ability to
encode passwords in the authentication password syntax as described in RFC
3112.
|
public EnhancedPasswordStorageScheme()
initializePasswordStorageScheme
method.public abstract java.lang.String getExtensionName()
getExtensionName
in interface UnboundIDExtension
public abstract java.lang.String[] getExtensionDescription()
getExtensionDescription
in interface UnboundIDExtension
null
or an empty array if no description should be available.public void defineConfigArguments(ArgumentParser parser) throws ArgumentException
defineConfigArguments
in interface Configurable
parser
- The argument parser to be updated with the configuration
arguments which may be used by this extension.ArgumentException
- If a problem is encountered while updating the
provided argument parser.public void initializePasswordStorageScheme(DirectoryServerContext serverContext, PasswordStorageSchemeConfig config, ArgumentParser parser) throws LDAPException
serverContext
- A handle to the server context for the server in
which this extension is running.config
- The general configuration for this password storage
scheme.parser
- The argument parser which has been initialized from
the configuration for this password storage scheme.LDAPException
- If a problem occurs while initializing this
password storage scheme.public boolean isConfigurationAcceptable(PasswordStorageSchemeConfig config, ArgumentParser parser, java.util.List<java.lang.String> unacceptableReasons)
isConfigurationAcceptable
in interface Reconfigurable<PasswordStorageSchemeConfig>
config
- The general configuration for this extension.parser
- The argument parser that has been used to
parse the proposed configuration for this
extension.unacceptableReasons
- A list to which messages may be added to
provide additional information about why the
provided configuration is not acceptable.true
if the configuration in the provided argument parser
appears to be acceptable, or false
if not.public ResultCode applyConfiguration(PasswordStorageSchemeConfig config, ArgumentParser parser, java.util.List<java.lang.String> adminActionsRequired, java.util.List<java.lang.String> messages)
applyConfiguration
in interface Reconfigurable<PasswordStorageSchemeConfig>
config
- The general configuration for this extension.parser
- The argument parser that has been used to
parse the new configuration for this
extension.adminActionsRequired
- A list to which messages may be added to
provide additional information about any
additional administrative actions that may
be required to apply some of the
configuration changes.messages
- A list to which messages may be added to
provide additional information about the
processing performed by this method.SUCCESS
should be
used to indicate that all processing completed successfully. Any
other result will indicate that a problem occurred during
processing.public void finalizePasswordStorageScheme()
public abstract java.lang.String getStorageSchemeName()
public abstract boolean isReversible()
true
if the original plaintext password may be obtained
from the encoded password, or false
if not.public abstract boolean isSecure()
true
if this password storage scheme may be considered
secure, or false
if not.public boolean requiresUserEntry()
true
, then the server will never
provide a null
value for the userEntry
parameter to methods
that accept it. However, if this method returns false
, then there
may be some instances in which the server may invoke those methods with a
null
value for the userEntry
parameter (e.g., when invoked
by the encode-password tool or when targeting a password with an extensible
match search filter).true
if this password storage scheme requires access to
the user entry, or false
if not.public abstract ByteString encodePassword(ByteString plaintext, Entry userEntry, java.util.List<Modification> modifications, boolean deterministic, boolean includeScheme) throws LDAPException
plaintext
- The plaintext password to be encoded. It must not
be null
. Note that there is no guarantee
that password validators have yet been invoked for
this password, so this password storage scheme
implementation should not make any assumptions about
the format of the plaintext password or whether it
will actually be allowed for use in the entry.userEntry
- The complete entry for the user for whom the
password is to be encoded. This will not be
null
for schemes in which
requiresUserEntry()
returns true
.modifications
- The set of modifications to be applied to the user
entry. This will generally be non-null
only
for operations that use a modify to change the user
password. If a modification list is provided, then
it will contain the complete set of modifications
for the operation, some of which may have no
impact on password encoding.deterministic
- Indicates whether the password encoding should be
deterministic. If this is true
, then the
scheme should attempt to generate a consistent
encoding for the password (e.g., by determining the
salt from a normalized representation of the user's
DN). This will be used during LDIF import
processing (and potentially at other times) to help
ensure that if the LDIF file is imported into
multiple servers, any clear-text password
encountered in the LDIF file will have the same
encoded representation on all servers. Some
password storage schemes may choose to ignore this
property if it does not apply or is not possible to
achieve.includeScheme
- Indicates whether to include the name of the scheme
in curly braces before the encoded password.LDAPException
- If a problem occurs while attempting to encode the
password.public abstract boolean passwordMatches(ByteString plaintextPassword, ByteString storedPassword, Entry userEntry)
plaintextPassword
- The plaintext password provided by the user as
part of a simple bind attempt.storedPassword
- The stored password to compare against the
provided plaintext password. It will not
include the scheme name in curly braces.userEntry
- The complete entry for the user for whom the
password is to be validated. This will not be
null
for schemes in which
requiresUserEntry()
returns true
.true
if the provided clear-text password could have been
used to generate the encoded password, or false
if not.public abstract ByteString getPlaintextValue(ByteString storedPassword, Entry userEntry) throws LDAPException
isReversible()
method returns true
.storedPassword
- The password for which to obtain the plaintext
value. It should not include the scheme name in
curly braces.userEntry
- The complete entry for the user for whom the
password is to be validated. This will not be
null
for schemes in which
requiresUserEntry()
returns true
.LDAPException
- If this password storage scheme is not reversible,
or if the provided value could not be decoded to
its plaintext representation.public boolean supportsAuthPasswordSyntax()
true
if this password storage scheme supports the
authentication password syntax, or false
if not.public java.lang.String getAuthPasswordSchemeName()
supportsAuthPasswordSyntax()
method returns true
.public ByteString encodeAuthPassword(ByteString plaintext, Entry userEntry, java.util.List<Modification> modifications, boolean deterministic) throws LDAPException
supportsAuthPasswordSyntax()
method returns true
.plaintext
- The plaintext password to be encoded. It must not
be null
. Note that there is no guarantee
that password validators have yet been invoked for
this password, so this password storage scheme
implementation should not make any assumptions about
the format of the plaintext password or whether it
will actually be allowed for use in the entry.userEntry
- The complete entry for the user for whom the
password is to be encoded. This will not be
null
for schemes in which
requiresUserEntry()
returns true
.modifications
- The set of modifications to be applied to the user
entry. This will generally be non-null
only
for operations that use a modify to change the user
password. If a modification list is provided, then
it will contain the complete set of modifications
for the operation, some of which may have no
impact on password encoding.deterministic
- Indicates whether the password encoding should be
deterministic. If this is true
, then the
scheme should attempt to generate a consistent
encoding for the password (e.g., by determining the
salt from a normalized representation of the user's
DN). This will be used during LDIF import
processing (and potentially at other times) to help
ensure that if the LDIF file is imported into
multiple servers, any clear-text password
encountered in the LDIF file will have the same
encoded representation on all servers. Some
password storage schemes may choose to ignore this
property if it does not apply or is not possible to
achieve.LDAPException
- If a problem occurs while encoding the provided
password, or if this password storage scheme does
not support the authentication password syntax.public boolean authPasswordMatches(ByteString plaintextPassword, java.lang.String authInfo, java.lang.String authValue, Entry userEntry)
supportsAuthPasswordSyntax()
method
returns true
.plaintextPassword
- The plaintext password provided by the user.authInfo
- The authInfo component of the password encoded
in the authentication password syntax.authValue
- The authValue component of the password encoded
in the authentication password syntax.userEntry
- The complete entry for the user for whom the
password is to be validated. This will not be
null
for schemes in which
requiresUserEntry()
returns true
.true
if the provided plaintext password could be used to
generate an encoded password with the given authInfo and authValue
portions, or false
if not.public ByteString getAuthPasswordPlaintextValue(java.lang.String authInfo, java.lang.String authValue, Entry userEntry) throws LDAPException
supportsAuthPasswordSyntax()
and
isReversible()
methods return true
.authInfo
- The authInfo component of the password encoded in the
authentication password syntax.authValue
- The authValue component of the password encoded in the
authentication password syntax.userEntry
- The complete entry for the user for whom the password is
to be validated. This will not be null
for
schemes in which requiresUserEntry()
returns
true
. The entry should not be altered in any
way by this password storage scheme.LDAPException
- If this password storage scheme is not reversible,
if this password storage scheme does not support
the authentication password syntax, or if some
other problem is encountered while attempting to
determine the plaintext password.public java.util.Map<java.util.List<java.lang.String>,java.lang.String> getExamplesArgumentSets()
getExamplesArgumentSets
in interface ExampleUsageProvider
null
or empty if there should
not be any example argument sets.