UnboundID Server SDK

Ping Identity
UnboundID Server SDK Documentation

InternalOperationAttachmentSASLMechanismHandler.java

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at
 * docs/licenses/cddl.txt
 * or http://www.opensource.org/licenses/cddl1.php.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * docs/licenses/cddl.txt.  If applicable,
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Portions Copyright 2019-2024 Ping Identity Corporation
 */
package com.unboundid.directory.sdk.examples;



import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import com.unboundid.asn1.ASN1OctetString;
import com.unboundid.directory.sdk.common.operation.SASLBindRequest;
import com.unboundid.directory.sdk.common.operation.UpdatableSASLBindRequest;
import com.unboundid.directory.sdk.common.operation.UpdatableSimpleBindRequest;
import com.unboundid.directory.sdk.common.types.LogSeverity;
import com.unboundid.directory.sdk.common.types.OperationContext;
import com.unboundid.directory.sdk.common.types.ServerContext;
import com.unboundid.directory.sdk.ds.api.SASLMechanismHandler;
import com.unboundid.directory.sdk.ds.config.SASLMechanismHandlerConfig;
import com.unboundid.directory.sdk.ds.types.DirectoryServerContext;
import com.unboundid.directory.sdk.ds.types.SASLBindResult;
import com.unboundid.directory.sdk.ds.types.SASLBindResultFactory;
import com.unboundid.ldap.sdk.Control;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.util.ByteString;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.Validator;
import com.unboundid.util.args.ArgumentParser;



/**
 * This class provides a Server SDK SASL mechanism handler implementation that
 * uses attachments on the associated bind operation to specify the behavior
 * that the server should exhibit when processing the bind operation.  This is
 * only intended to be used internally within the server and should not be
 * directly requested by an external client.  It is primarily expected to be
 * used in conjunction with a pre-parse bind plugin that performs all of the
 * authentication processing itself, but then converts the bind request to this
 * mechanism to use the information provided in attachments to define the result
 * of the operation processing.
 * <BR><BR>
 * This SASL mechanism handler actually implements support for four related SASL
 * mechanisms:
 * <BR>
 * <UL>
 *   <LI>
 *      PING-SECURE-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT:  Indicates
 *      that the authentication used a password provided by the client, and that
 *      the password and any other associated credentials were provided in a
 *      secure manner (that is, in a manner that is not vulnerable to
 *      eavesdropping, replay, or alteration attacks).
 *   </LI>
 *   <LI>
 *      PING-NON-SECURE-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT:  Indicates
 *      that the authentication used a password provided by the client, and that
 *      the password or any other associated credentials were provided in a
 *      non-secure manner (that is, in a manner that may be vulnerable to
 *      eavesdropping, replay, or alteration attacks).
 *   </LI>
 *   <LI>
 *      PING-SECURE-NON-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT:  Indicates
 *      that the authentication did not use a password provided by the client,
 *      and that any credentials used were provided in a secure manner (that is,
 *      in a manner that is not vulnerable to eavesdropping, replay, or
 *      alteration attacks).
 *   </LI>
 *   <LI>
 *      PING-NON-SECURE-NON-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT:
 *      Indicates that the authentication did not use a password provided by the
 *      client, but that it did use credentials that were provided in a
 *      non-secure manner (that is, in a manner that may be vulnerable to
 *      eavesdropping, replay, or alteration attacks).
 *   </LI>
 * </UL>
 * <BR><BR>
 * All four SASL mechanisms implemented by this handler implement support for
 * the same set of operation attachments.  Supported attachments include:
 * <BR>
 * <UL>
 *   <LI>
 *     {@code internal-op-sasl-handler-authentication-succeeded} --  indicates
 *     whether the authentication attempt was successful.  This attachment is
 *     required, and its value must be a {@code java.lang.Boolean}.
 *   </LI>
 *   <LI>
 *     {@code internal-op-sasl-handler-diagnostic-message} -- a diagnostic
 *     message that should be included in the bind response to the client.  This
 *     attachment is optional and may be included regardless of whether the
 *     authentication attempt succeeded or failed.  If it is provided, then its
 *     value must be an instance of {@code java.lang.CharSequence}.
 *   </LI>
 *   <LI>
 *     {@code internal-op-sasl-handler-matched-dn} -- the matched DN value that
 *     should be included in the bind response to the client to indicate that a
 *     provided bind DN did not refer to an entry that exists in the server, and
 *     to provide the DN of its closest ancestor that does exist.  This
 *     attachment is optional and should only be used if the authentication
 *     attempt failed.  If it is provided, then its value must be an instance of
 *     {@code com.unboundid.ldap.sdk.DN}.
 *   </LI>
 *   <LI>
 *     {@code internal-op-sasl-handler-server-sasl-credentials} -- an encoded
 *     set of server SASL credentials that should be included in the bind
 *     response to the client.  This attachment is optional and should only be
 *     set if the original bind request was itself a SASL bind request and
 *     server SASL credentials are appropriate for that request.  If provided,
 *     the value of the attachment must be an instance of
 *     {@code com.unboundid.asn1.ASN1OctetString}.
 *   </LI>
 *   <LI>
 *     {@code internal-op-sasl-handler-response-controls} -- a set of controls
 *     that should be included in the bind response to the client.  This
 *     attachment is optional, and if it is not set, then the SASL mechanism
 *     handler will not add any controls to the response (although other
 *     components of the server may add response controls if appropriate for the
 *     operation).  If provided, the value of the attachment must be an instance
 *     of {@code com.unboundid.ldap.sdk.Control[]}.
 *   </LI>
 *   <LI>
 *     {@code internal-op-sasl-handler-bind-dn} -- the DN of the user
 *     attempting to authenticate.  This attachment must be set if the
 *     authentication is successful, and it will be set as the authentication
 *     identity for the associated connection (unless the bind request also
 *     included the retain identity request control).  Even if the bind attempt
 *     failed, this attachment should be set if it is possible to determine the
 *     identity of the user that was trying to authenticate so that any
 *     appropriate password policy state updates can be applied to that account.
 *     If provided, the value of the attachment must be an instance of
 *     {@code com.unboundid.ldap.sdk.DN}.
 *   </LI>
 *   <LI>
 *     {@code internal-op-sasl-handler-authentication-failure-reason} -- a
 *     message that will not appear in the bind response to the client, but will
 *     be included in the server's access log to provide additional information
 *     about the reason that the authentication attempt failed.  This attachment
 *     is optional and should only be used if the authentication attempt failed.
 *     If it is provided, then its value must be an instance of
 *     {@code java.lang.CharSequence}.
 *   </LI>
 *   <LI>
 *     {@code internal-op-sasl-handler-authorization-dn} -- the DN of the user
 *     that is the alternate authorization identity for the bind operation.
 *     This should only be set if the bind attempt succeeded and requested an
 *     alternate authorization identity.  If provided, the value of the
 *     attachment must be an instance of {@code com.unboundid.ldap.sdk.DN}.
 *   </LI>
 *   <LI>
 *     {@code internal-op-sasl-handler-password-used} -- the password that the
 *     client provided during the authentication attempt.  This attachment is
 *     optional and should only be used if the authentication attempt was
 *     successful and used a password.  If provided, the value of the attachment
 *     must be an instance of {@code com.unboundid.asn1.ASN1OctetString}.
 *   </LI>
 * </UL>
 */
public final class InternalOperationAttachmentSASLMechanismHandler
       extends SASLMechanismHandler
{
  /**
   * The name for the SASL mechanism that indicates that the authentication used
   * a password provided by the client, and that the password and any other
   * associated credentials were provided in a secure manner (that is, in a
   * manner that is not vulnerable to eavesdropping, replay, or alteration
   * attacks).
   */
  public static final String SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME =
       "PING-SECURE-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT";



  /**
   * The name for the SASL mechanism that indicates that the authentication used
   * a password provided by the client, and that the password or any other
   * associated credentials were provided in a non-secure manner (that is, in a
   * manner that may be vulnerable to eavesdropping, replay, or alteration
   * attacks).
   */
  public static final String NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME =
       "PING-NON-SECURE-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT";



  /**
   * The name for the SASL mechanism that indicates that the authentication did
   * not use a password provided by the client, and that any credentials used
   * were provided in a secure manner (that is, in a manner that is not
   * vulnerable to eavesdropping, replay, or alteration attacks).
   */
  public static final String SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME =
       "PING-SECURE-NON-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT";



  /**
   * The name for the SASL mechanism that indicates that the authentication did
   * not use a password provided by the client, but that it did use credentials
   * that were provided in a non-secure manner (that is, in a manner that may be
   * vulnerable to eavesdropping, replay, or alteration attacks).
   */
  public static final String NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME =
       "PING-NON_SECURE-NON-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT";



  /**
   * The name of the attachment used to indicate whether the authentication
   * attempt was successful.  This attachment is required, and its value must be
   * a {@code java.lang.Boolean}.
   */
  public static final String ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED =
       "internal-op-sasl-handler-authentication-succeeded";



  /**
   * The name of the attachment used to hold a diagnostic message that should be
   * included in the bind response to the client.  This attachment is optional
   * and may be included regardless of whether the authentication attempt
   * succeeded or failed.  If it is provided, then its value must be an instance
   * of {@code java.lang.CharSequence}.
   */
  public static final String ATTACHMENT_NAME_DIAGNOSTIC_MESSAGE =
       "internal-op-sasl-handler-diagnostic-message";



  /**
   * The name of the attachment used to hold the matched DN value that should be
   * included in the bind response to the client to indicate that a provided
   * bind DN did not refer to an entry that exists in the server, and to provide
   * the DN of its closest ancestor that does exist.  This attachment is
   * optional and should only be used if the authentication attempt failed.  If
   * it is provided, then its value must be an instance of
   * {@code com.unboundid.ldap.sdk.DN}.
   */
  public static final String ATTACHMENT_NAME_MATCHED_DN =
       "internal-op-sasl-handler-matched-dn";



  /**
   * The name of the attachment used to hold an encoded set of server SASL
   * credentials that should be included in the bind response to the client.
   * This attachment is optional and should only be set if the original bind
   * request was itself a SASL bind request and server SASL credentials are
   * appropriate for that request.  If provided, the value of the attachment
   * must be an instance of {@code com.unboundid.asn1.ASN1OctetString}.
   */
  public static final String ATTACHMENT_NAME_SERVER_SASL_CREDENTIALS =
       "internal-op-sasl-handler-server-sasl-credentials";



  /**
   * The name of the attachment used to hold a set of controls that should be
   * included in the bind response to the client.  This attachment is optional,
   * and if it is not set, then the SASL mechanism handler will not add any
   * controls to the response (although other components of the server may add
   * response controls if appropriate for the operation).  If provided, the
   * value of the attachment must be an instance of
   * {@code com.unboundid.ldap.sdk.Control[]}.
   */
  public static final String ATTACHMENT_NAME_RESPONSE_CONTROLS =
       "internal-op-sasl-handler-response-controls";



  /**
   * The name of the attachment used to hold the DN of the user attempting to
   * authenticate.  This attachment must be set if the authentication is
   * successful, and it will be set as the authentication identity for the
   * associated connection (unless the bind request also included the retain
   * identity request control).  Even if the bind attempt failed, this
   * attachment should be set if it is possible to determine the identity of the
   * user that was trying to authenticate so that any appropriate password
   * policy state updates can be applied to that account.  If provided, the
   * value of the attachment must be an instance of
   * {@code com.unboundid.ldap.sdk.DN}.
   */
  public static final String ATTACHMENT_NAME_BIND_DN =
       "internal-op-sasl-handler-bind-dn";



  /**
   * The name of the attachment used to hold a message that will not appear in
   * the bind response to the client, but will be included in the server's
   * access log to provide additional information about the reason that the
   * authentication attempt failed.  This attachment is optional and should only
   * be used if the authentication attempt failed.  If it is provided, then its
   * value must be an instance of {@code java.lang.CharSequence}.
   */
  public static final String ATTACHMENT_NAME_AUTHENTICATION_FAILURE_REASON =
       "internal-op-sasl-handler-authentication-failure-reason";



  /**
   * The name of the attachment used to hold the DN of the user that is the
   * alternate authorization identity for the bind operation.  This should only
   * be set if the bind attempt succeeded and requested an alternate
   * authorization identity.  If provided, the value of the attachment must be
   * an instance of {@code com.unboundid.ldap.sdk.DN}.
   */
  public static final String ATTACHMENT_NAME_AUTHORIZATION_DN =
       "internal-op-sasl-handler-authorization-dn";



  /**
   * The name of the attachment used to hold the password that the client
   * provided during the authentication attempt.  This attachment is optional
   * and should only be used if the authentication attempt was successful and
   * used a password.  If provided, the value of the attachment must be an
   * instance of {@code com.unboundid.asn1.ASN1OctetString}.
   */
  public static final String ATTACHMENT_NAME_PASSWORD_USED =
       "internal-op-sasl-handler-password-used";



  // A handle to the server context in which this extension is running.
  private volatile DirectoryServerContext serverContext = null;



  /**
   * Creates a new instance of this SASL mechanism handler.  All SASL
   * mechanism handler implementations must include a default constructor, but
   * any initialization
   * should generally be done in the {@code initializeSASLMechanismHandler}
   * method.
   */
  public InternalOperationAttachmentSASLMechanismHandler()
  {
    // No implementation is required.
  }



  /**
   * Retrieves a human-readable name for this extension.
   *
   * @return  A human-readable name for this extension.
   */
  @Override()
  public String getExtensionName()
  {
    return "Internal Operation Attachment SASL Mechanism Handler";
  }



  /**
   * Retrieves a human-readable description for this extension.  Each element
   * of the array that is returned will be considered a separate paragraph in
   * generated documentation.
   *
   * @return  A human-readable description for this extension, or {@code null}
   *          or an empty array if no description should be available.
   */
  @Override()
  public String[] getExtensionDescription()
  {
    return new String[]
    {
      "Implements support for a number of related SASL mechanisms that use " +
           "operation attachments to define the behavior the server should " +
           "exhibit when processing the bind operation.  This is only " +
           "intended to be used internally within the server and should not " +
           "be directly requested by an external client.  It is primarily " +
           "expected to be used in conjunction with a pre-parse bind plugin " +
           "that performs all of the authentication processing itself, but " +
           "then converts the bind request to this mechanism to use the " +
           "information provided in attachments to define the result of the " +
           "operation processing.",

      "The " + SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME + " mechanism " +
           "should be used if the authentication used a password provided by " +
           "the client, and that the password and any other associated " +
           "credentials were provided in a secure manner (that is, in a " +
           "manner that is not vulnerable to eavesdropping, replay, or " +
           "alteration attacks).",

      "The " + NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME + " mechanism " +
           "should be used if the authentication used a password provided by " +
           "the client, and that the password or any other associated " +
           "credentials were provided in a non-secure manner (that is, in a " +
           "manner that may be vulnerable to eavesdropping, replay, or " +
           "alteration attacks).",

      "The " + SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME + " mechanism " +
           "should be used if the authentication did not use a password " +
           "provided by the client, and that any credentials used were " +
           "provided in a secure manner (that is, in a manner that is not " +
           "vulnerable to eavesdropping, replay, or alteration attacks).",

      "The " + NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME +
           " mechanism should be used if the authentication did not use a " +
           "password provided by the client, but that it did use credentials " +
           "that were provided in a non-secure manner (that is, in a manner " +
           "that may be vulnerable to eavesdropping, replay, or alteration " +
           "attacks).",

      "All four SASL mechanisms implemented by this handler implement " +
           "support for the same set of operation attachments.  Supported " +
           "attachments include:",

      "internal-op-sasl-handler-authentication-succeeded -- indicates " +
           "whether the authentication attempt was successful.  This " +
           "attachment is required, and its value must be an instance of " +
           Boolean.class.getName() + '.',

      "internal-op-sasl-handler-diagnostic-message -- a diagnostic message " +
           "that should be included in the bind response to the client.  " +
           "This attachment is optional and may be included regardless of " +
           "whether the authentication attempt succeeded or failed.  If it " +
           "is provided, then its value must be an instance of " +
           CharSequence.class.getName() + '.',

      "internal-op-sasl-handler-matched-dn -- the matched DN value that " +
           "should be included in the bind response to the client to " +
           "indicate that a provided bind DN did not refer to an entry that " +
           "exists in the server, and to provide the DN of its closest " +
           "ancestor that does exist.  This attachment is optional and " +
           "should only be used if the authentication attempt failed.  If it " +
           "is provided, then its value must be an instance of " +
           DN.class.getName() + '.',

      "internal-op-sasl-handler-server-sasl-credentials -- an encoded set " +
           "of server SASL credentials that should be included in the bind " +
           "response to the client.  This attachment is optional and should " +
           "only be set if the original bind request was itself a SASL bind " +
           "request and server SASL credentials are appropriate for that " +
           "request.  If provided, the value of the attachment must be an " +
           "instance of " + ASN1OctetString.class.getName() + '.',

      "internal-op-sasl-handler-response-controls -- a set of controls that " +
           "should be included in the bind response to the client.  This " +
           "attachment is optional, and if it is not set, then the SASL " +
           "mechanism handler will not add any controls to the response " +
           "(although other components of the server may add response " +
           "controls if appropriate for the operation).  If provided, the " +
           "value of the attachment must be an instance of " +
           Control.class.getName() + "[].",

      "internal-op-sasl-handler-bind-dn -- the DN of the user attempting to " +
           "authenticate.  This attachment must be set if the " +
           "authentication is successful, and it will be set as the " +
           "authentication identity for the associated connection (unless " +
           "the bind request also included the retain identity request " +
           "control).  Even if the bind attempt failed, this attachment " +
           "should be set if it is possible to determine the identity of the " +
           "user that was trying to authenticate so that any appropriate " +
           "password policy state updates can be applied to that account.  " +
           "If provided, the value of the attachment must be an instance of " +
           DN.class.getName() + '.',

      "internal-op-sasl-handler-authentication-failure-reason -- a message " +
           "that will not appear in the bind response to the client, but " +
           "will be included in the server's access log to provide " +
           "additional information about the reason that the authentication " +
           "attempt failed.  This attachment is optional and should only be " +
           "used if the authentication attempt failed.  If it is provided, " +
           "then its value must be an instance of " +
           CharSequence.class.getName() + '.',

      "internal-op-sasl-handler-authorization-dn -- the DN of the user that " +
           "is the alternate authorization identity for the bind operation.  " +
           "This should only be set if the bind attempt succeeded and " +
           "requested an alternate authorization identity.  If provided, the " +
           "value of the attachment must be an instance of " +
           DN.class.getName() + '.',

      "internal-op-sasl-handler-password-used -- the password that the " +
           "client provided during the authentication attempt.  This " +
           "attachment is optional and should only be used if the " +
           "authentication attempt was successful and used a password.  If " +
           "provided, the value of the attachment must be an instance of " +
           ASN1OctetString.class.getName() + '.',
    };
  }



  /**
   * Updates the provided argument parser to define any configuration arguments
   * which may be used by this extension.  The argument parser may also be
   * updated to define relationships between arguments (e.g., to specify
   * required, exclusive, or dependent argument sets).
   *
   * @param  parser  The argument parser to be updated with the configuration
   *                 arguments which may be used by this extension.
   */
  @Override()
  public void defineConfigArguments(final ArgumentParser parser)
  {
    // No arguments will be allowed by default.
  }



  /**
   * Initializes this SASL mechanism handler.
   *
   * @param  serverContext  A handle to the server context for the server in
   *                        which this extension is running.
   * @param  config         The general configuration for this SASL mechanism
   *                        handler.
   * @param  parser         The argument parser which has been initialized from
   *                        the configuration for this SASL mechanism handler.
   */
  @Override()
  public void initializeSASLMechanismHandler(
                   final DirectoryServerContext serverContext,
                   final SASLMechanismHandlerConfig config,
                   final ArgumentParser parser)
  {
    if (this.serverContext == null)
    {
      this.serverContext = serverContext;
    }
  }



  /**
   * Indicates whether the configuration represented by the provided argument
   * parser is acceptable for use by this extension.  The parser will have been
   * used to parse any configuration available for this extension, and any
   * automatic validation will have been performed.  This method may be used to
   * perform any more complex validation which cannot be performed automatically
   * by the argument parser.
   *
   * @param  config               The general configuration for this extension.
   * @param  parser               The argument parser that has been used to
   *                              parse the proposed configuration for this
   *                              extension.
   * @param  unacceptableReasons  A list to which messages may be added to
   *                              provide additional information about why the
   *                              provided configuration is not acceptable.
   *
   * @return  {@code true} if the configuration in the provided argument parser
   *          appears to be acceptable, or {@code false} if not.
   */
  @Override()
  public boolean isConfigurationAcceptable(
                      final SASLMechanismHandlerConfig config,
                      final ArgumentParser parser,
                      final List<String> unacceptableReasons)
  {
    if (serverContext == null)
    {
      serverContext = config.getServerContext();
    }

    // No validation is needed.
    return true;
  }



  /**
   * Attempts to apply the configuration from the provided argument parser to
   * this extension.
   *
   * @param  config                The general configuration for this extension.
   * @param  parser                The argument parser that has been used to
   *                               parse the new configuration for this
   *                               extension.
   * @param  adminActionsRequired  A list to which messages may be added to
   *                               provide additional information about any
   *                               additional administrative actions that may
   *                               be required to apply some of the
   *                               configuration changes.
   * @param  messages              A list to which messages may be added to
   *                               provide additional information about the
   *                               processing performed by this method.
   *
   * @return  A result code providing information about the result of applying
   *          the configuration change.  A result of {@code SUCCESS} should be
   *          used to indicate that all processing completed successfully.  Any
   *          other result will indicate that a problem occurred during
   *          processing.
   */
  @Override()
  public ResultCode applyConfiguration(final SASLMechanismHandlerConfig config,
                                       final ArgumentParser parser,
                                       final List<String> adminActionsRequired,
                                       final List<String> messages)
  {
    if (serverContext == null)
    {
      serverContext = config.getServerContext();
    }

    // There is no configuration to apply.
    return ResultCode.SUCCESS;
  }



  /**
   * Performs any cleanup which may be necessary when this SASL mechanism
   * handler is to be taken out of service.
   */
  @Override()
  public void finalizeSASLMechanismHandler()
  {
    // No finalization is needed.
  }



  /**
   * Retrieves a list of the names of the SASL mechanisms supported by this
   * SASL mechanism handler.  This method will be invoked only immediately after
   * the {@link #initializeSASLMechanismHandler} method is called.
   *
   * @return  A list of the names of the SASL mechanisms supported by this SASL
   *          mechanism handler.
   */
  @Override()
  public List<String> getSASLMechanismNames()
  {
    return Collections.unmodifiableList(Arrays.asList(
         SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME,
         NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME,
         SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME,
         NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME));
  }



  /**
   * Indicates whether the SASL authentication process using the specified
   * mechanism may be considered secure (i.e., that a third party able to
   * observe the communication, potentially over an insecure communication
   * channel, would not be able to reproduce the authentication process).
   *
   * @param  mechanism  The name of the mechanism for which to make the
   *                    determination.  This will only be invoked with names of
   *                    mechanisms returned by the
   *                    {@link #getSASLMechanismNames} method.
   *
   * @return  {@code true} if the specified SASL mechanism should be considered
   *          secure, or {@code false} if not.
   */
  @Override()
  public boolean isSecure(final String mechanism)
  {
    switch (mechanism)
    {
      case SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
      case SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
        // These mechanisms are considered secure.
        return true;

      case NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
      case NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
        // These mechanisms are considered non-secure.
        return false;

      default:
        // This should never happen.  Throw a RuntimeException to ensure that
        // this is more visible than other types of non-successful operations.
        final String message = getClass().getName() +
             ".isSecure called with an unsupported SASL mechanism of '" +
             mechanism + "'.";
        if (serverContext != null)
        {
          serverContext.logMessage(LogSeverity.SEVERE_WARNING, message);
        }
        throw new RuntimeException(message);
    }
  }



  /**
   * Indicates whether the SASL authentication process using the specified
   * mechanism involves the use of a password stored locally in the server
   * (optionally in combination with other forms of credentials).
   *
   * @param  mechanism  The name of the mechanism for which to make the
   *                    determination.  This will only be invoked with names of
   *                    mechanisms returned by the
   *                    {@link #getSASLMechanismNames} method.
   *
   * @return  {@code true} if the specified SASL mechanism makes use of a local
   *          password, or {@code false} if not.
   */
  @Override()
  public boolean isPasswordBased(final String mechanism)
  {
    switch (mechanism)
    {
      case SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
      case NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
        // These mechanisms are password-based.
        return true;

      case SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
      case NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
        // These mechanisms are not password-based.
        return false;

      default:
        // This should never happen.  Throw a RuntimeException to ensure that
        // this is more visible than other types of non-successful operations.
        final String message = getClass().getName() +
             ".isPasswordBased called with an unsupported SASL mechanism " +
             "of '" + mechanism + "'.";
        if (serverContext != null)
        {
          serverContext.logMessage(LogSeverity.SEVERE_WARNING, message);
        }
        throw new RuntimeException(message);
    }
  }



  /**
   * Performs the appropriate processing for the provided SASL bind request.
   *
   * @param  operationContext  The context for the bind operation.
   * @param  bindRequest       The SASL bind request to be processed.
   * @param  resultFactory     A factory object that will be used to construct
   *                           the result to return.
   *
   * @return  An object with information about the result of the SASL bind
   *          processing.
   */
  @Override()
  public SASLBindResult processSASLBind(final OperationContext operationContext,
                             final SASLBindRequest bindRequest,
                             final SASLBindResultFactory resultFactory)
  {
    final String mechanism = bindRequest.getSASLMechanism();

    boolean authenticationSucceeded;
    final Object authenticationSucceededObject = operationContext.getAttachment(
         ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED);
    if (authenticationSucceededObject == null)
    {
      authenticationSucceeded = false;
      operationContext.appendAdditionalLogMessage("Indicating that the " +
           "authentication was unsuccessful because the operation was " +
           "missing the " + ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED +
           " attachment required for use with the " + mechanism +
           " mechanism.");
    }
    else if (authenticationSucceededObject instanceof Boolean)
    {
      authenticationSucceeded =
           ((Boolean) authenticationSucceededObject).booleanValue();
    }
    else
    {
      authenticationSucceeded = false;
      operationContext.appendAdditionalLogMessage("Indicating that the " +
           "authentication was unsuccessful because the " +
           ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED +
           " attachment was an instance of " +
           authenticationSucceededObject.getClass().getName() +
           " instead of the required " + Boolean.class.getName() + '.');
    }


    final String diagnosticMessage;
    final Object diagnosticMessageObject =
         operationContext.getAttachment(ATTACHMENT_NAME_DIAGNOSTIC_MESSAGE);
    if (diagnosticMessageObject == null)
    {
      diagnosticMessage = null;
    }
    else if (diagnosticMessageObject instanceof CharSequence)
    {
      diagnosticMessage = String.valueOf(diagnosticMessageObject);
    }
    else
    {
      diagnosticMessage = null;
      operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
           ATTACHMENT_NAME_DIAGNOSTIC_MESSAGE +
           " attachment because it was an instance of " +
           diagnosticMessageObject.getClass().getName() +
           " instead of the required " + CharSequence.class.getName() + '.');
    }


    final String matchedDN;
    final Object matchedDNObject =
         operationContext.getAttachment(ATTACHMENT_NAME_MATCHED_DN);
    if (matchedDNObject == null)
    {
      matchedDN = null;
    }
    else if (matchedDNObject instanceof DN)
    {
      matchedDN = ((DN) matchedDNObject).toString();
    }
    else
    {
      matchedDN = null;
      operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
           ATTACHMENT_NAME_MATCHED_DN +
           " attachment because it was an instance of " +
           matchedDNObject.getClass().getName() +
           " instead of the required " + DN.class.getName() + '.');
    }


    final ASN1OctetString serverSASLCredentials;
    final Object serverSASLCredentialsObject = operationContext.getAttachment(
         ATTACHMENT_NAME_SERVER_SASL_CREDENTIALS);
    if (serverSASLCredentialsObject == null)
    {
      serverSASLCredentials = null;
    }
    else if (serverSASLCredentialsObject instanceof ASN1OctetString)
    {
      serverSASLCredentials = (ASN1OctetString) serverSASLCredentialsObject;
    }
    else
    {
      serverSASLCredentials = null;
      operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
           ATTACHMENT_NAME_SERVER_SASL_CREDENTIALS +
           " attachment because it was an instance of " +
           serverSASLCredentialsObject.getClass().getName() +
           " instead of the required " + ASN1OctetString.class.getName() + '.');
    }


    final List<Control> responseControls;
    final Object responseControlsObject =
         operationContext.getAttachment(ATTACHMENT_NAME_RESPONSE_CONTROLS);
    if (responseControlsObject == null)
    {
      responseControls = null;
    }
    else if (responseControlsObject instanceof Control[])
    {
      final Control[] responseControlArray = (Control[]) responseControlsObject;
      responseControls =
           Collections.unmodifiableList(Arrays.asList(responseControlArray));
    }
    else
    {
      responseControls = null;
      operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
           ATTACHMENT_NAME_RESPONSE_CONTROLS +
           " attachment because it was an instance of " +
           responseControlsObject.getClass().getName() +
           " instead of the required " + Control.class.getName() + "[].");
    }


    String authenticationFailureReason;
    final Object authenticationFailureReasonObject =
         operationContext.getAttachment(
              ATTACHMENT_NAME_AUTHENTICATION_FAILURE_REASON);
    if (authenticationFailureReasonObject == null)
    {
      authenticationFailureReason = null;
    }
    else if (authenticationFailureReasonObject instanceof CharSequence)
    {
      authenticationFailureReason =
           String.valueOf(authenticationFailureReasonObject);
    }
    else
    {
      authenticationFailureReason = null;
      operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
           ATTACHMENT_NAME_AUTHENTICATION_FAILURE_REASON +
           " attachment because it was an instance of " +
           authenticationFailureReasonObject.getClass().getName() +
           " instead of the required " + CharSequence.class.getName() + '.');
    }


    final String bindDN;
    final Object bindDNObject =
         operationContext.getAttachment(ATTACHMENT_NAME_BIND_DN);
    if (bindDNObject == null)
    {
      if (authenticationSucceeded)
      {
        bindDN = null;
        authenticationSucceeded = false;
        authenticationFailureReason = "The " + mechanism +
             " bind operation did not have the " +
             ATTACHMENT_NAME_BIND_DN + " attachment set, which is required " +
             "for a successful authentication.";
      }
      else
      {
        bindDN = null;
      }
    }
    else if (bindDNObject instanceof DN)
    {
      bindDN = ((DN) bindDNObject).toString();
    }
    else
    {
      bindDN = null;
      if (authenticationSucceeded)
      {
        authenticationSucceeded = false;
        authenticationFailureReason = "The " + ATTACHMENT_NAME_BIND_DN +
             " attachment was set in the " + mechanism +
             " bind operation, but its value was of type " +
             bindDNObject.getClass().getName() + " instead of the required " +
             "type of " + DN.class.getName() + '.';
      }
      else
      {
        operationContext.appendAdditionalLogMessage("Ignoring the value of " +
             "the " + ATTACHMENT_NAME_BIND_DN +
             " attachment because it was an instance of " +
             bindDNObject.getClass().getName() +
             " instead of the required " + DN.class.getName() + '.');
      }
    }


    final String authorizationDN;
    final Object authorizationDNObject =
         operationContext.getAttachment(ATTACHMENT_NAME_AUTHORIZATION_DN);
    if (authorizationDNObject == null)
    {
      authorizationDN = bindDN;
    }
    else if (authorizationDNObject instanceof DN)
    {
      authorizationDN = ((DN) authorizationDNObject).toString();
    }
    else
    {
      authorizationDN = null;
      if (authenticationSucceeded)
      {
        authenticationSucceeded = false;
        authenticationFailureReason = "The " +
             ATTACHMENT_NAME_AUTHORIZATION_DN + " attachment was set in the " +
             mechanism + " bind operation, but its value was of type " +
             bindDNObject.getClass().getName() + " instead of the required " +
             "type of " + DN.class.getName() + '.';
      }
      else
      {
        operationContext.appendAdditionalLogMessage("Ignoring the value of " +
             "the " + ATTACHMENT_NAME_AUTHORIZATION_DN +
             " attachment because it was an instance of " +
             authorizationDNObject.getClass().getName() +
             " instead of the required " + DN.class.getName() + '.');
      }
    }


    final ASN1OctetString passwordUsed;
    final Object passwordUsedObject =
         operationContext.getAttachment(ATTACHMENT_NAME_PASSWORD_USED);
    if (passwordUsedObject == null)
    {
      passwordUsed = null;
    }
    else if (passwordUsedObject instanceof ASN1OctetString)
    {
      passwordUsed = (ASN1OctetString) passwordUsedObject;
    }
    else
    {
      passwordUsed = null;
      operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
           ATTACHMENT_NAME_PASSWORD_USED +
           " attachment because it was an instance of " +
           passwordUsedObject.getClass().getName() +
           " instead of the required " + ASN1OctetString.class.getName() + '.');
    }


    if (authenticationSucceeded)
    {
      return resultFactory.createSuccessResult(bindDN, authorizationDN,
           diagnosticMessage, responseControls, serverSASLCredentials,
           passwordUsed);
    }
    else
    {
      return resultFactory.createFailureResult(authenticationFailureReason,
           diagnosticMessage, matchedDN, responseControls,
           serverSASLCredentials, bindDN);
    }
  }



  /**
   * Indicates whether the specified SASL mechanism may require multiple stages
   * to process.
   *
   * @param  mechanism  The mechanism for which to make the determination.
   *
   * @return  {@code true} if the specified SASL mechanism may require multiple
   *          stages to process, {@code false} if not, or {@code null} if the
   *          answer is not known for the specified mechanism.
   */
  @Override()
  public Boolean isMultiStageMechanism(final String mechanism)
  {
    switch (mechanism)
    {
      case SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
      case NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
      case SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
      case NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
        // None of these mechanisms involve multiple stages of authentication
        // processing.
        return false;

      default:
        // This should never happen.  Throw a RuntimeException to ensure that
        // this is more visible than other types of non-successful operations.
        final String message = getClass().getName() +
             ".isMultiStageMechanism called with an unsupported SASL " +
             "mechanism of '" + mechanism + "'.";
        if (serverContext != null)
        {
          serverContext.logMessage(LogSeverity.SEVERE_WARNING, message);
        }
        throw new RuntimeException(message);
    }
  }



  /**
   * Retrieves a map containing examples of configurations that may be used for
   * this extension.  The map key should be a list of sample arguments, and the
   * corresponding value should be a description of the behavior that will be
   * exhibited by the extension when used with that configuration.
   *
   * @return  A map containing examples of configurations that may be used for
   *          this extension.  It may be {@code null} or empty if there should
   *          not be any example argument sets.
   */
  @Override()
  public Map<List<String>,String> getExamplesArgumentSets()
  {
    return Collections.singletonMap(
         Collections.emptyList(),
         "This SASL mechanism handler does not take any arguments.");
  }



  /**
   * Converts the provided simple bind request to an
   * {@code UpdatableSASLBindRequest} object that can be used to cause this SASL
   * mechanism handler to process a successful authentication as the specified
   * user.  All of the appropriate attachments for this SASL mechanism handler
   * will be set on the associated operation.  It will use the following
   * settings:
   * <UL>
   *   <LI>
   *     The authentication attempt will be considered successful.
   *   </LI>
   *   <LI>
   *     There will not be any diagnostic message, matched DN, response
   *     controls, or server SASL credentials.
   *   </LI>
   *   <LI>
   *     The bind DN from the simple bind request will be used as both the
   *     authentication and authorization identity for the SASL bind.
   *   </LI>
   *   <LI>
   *     The password used will be the password from the simple bind request.
   *   </LI>
   *   <LI>
   *     The SASL bind will be considered password-based.
   *   </LI>
   *   <LI>
   *     The SASL bind will be considered secure if and only if the simple bind
   *     request was received over a secure connection.
   *   </LI>
   * </UL>
   *
   * @param  simpleBindRequest  The simple bind request to use to create the
   *                            corresponding SASL bind request.  It must not
   *                            be {@code null}.
   * @param  operationContext   The operation context with which the provided
   *                            simple bind request is associated.  It must not
   *                            be {@code null}.
   *
   * @return  The {@code UpdatableSASLBindRequest} object created from the
   *          provided {@code UpdatableSimpleBindRequest} object.
   *
   * @throws  LDAPException  If a problem is encountered while trying to create
   *                         the SASL bind request.
   */
  public static UpdatableSASLBindRequest convertToSuccessfulSASLBindRequest(
                     final UpdatableSimpleBindRequest simpleBindRequest,
                     final OperationContext operationContext)
         throws LDAPException
  {
    Validator.ensureNotNullWithMessage(simpleBindRequest,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createSuccessfulSASLBindRequest.simpleBindRequest must not " +
              "be null.");
    Validator.ensureNotNullWithMessage(operationContext,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createSuccessfulSASLBindRequest.operationContext must not be " +
              "null.");

    final String diagnosticMessage = null;
    final List<Control> responseControls = Collections.emptyList();

    return convertToSuccessfulSASLBindRequest(simpleBindRequest,
         operationContext, diagnosticMessage, responseControls);
  }



  /**
   * Converts the provided simple bind request to an
   * {@code UpdatableSASLBindRequest} object that can be used to cause this SASL
   * mechanism handler to process a successful authentication as the specified
   * user.  All of the appropriate attachments for this SASL mechanism handler
   * will be set on the associated operation.  It will use the following
   * settings:
   * <UL>
   *   <LI>
   *     The authentication attempt will be considered successful.
   *   </LI>
   *   <LI>
   *     There will not be any matched DN or server SASL credentials.
   *   </LI>
   *   <LI>
   *     The bind DN from the simple bind request will be used as both the
   *     authentication and authorization identity for the SASL bind.
   *   </LI>
   *   <LI>
   *     The password used will be the password from the simple bind request.
   *   </LI>
   *   <LI>
   *     The SASL bind will be considered password-based.
   *   </LI>
   *   <LI>
   *     The SASL bind will be considered secure if and only if the simple bind
   *     request was received over a secure connection.
   *   </LI>
   * </UL>
   *
   * @param  simpleBindRequest  The simple bind request to use to create the
   *                            corresponding SASL bind request.  It must not
   *                            be {@code null}.
   * @param  operationContext   The operation context with which the provided
   *                            simple bind request is associated.  It must not
   *                            be {@code null}.
   * @param  diagnosticMessage  A diagnostic message to include in the response
   *                            to the client.  It may be {@code null} if no
   *                            diagnostic message should be returned.
   * @param  responseControls   A set of controls to include in the response to
   *                            the client.  It may be {@code null} or empty if
   *                            no response controls should be returned.
   *
   * @return  The {@code UpdatableSASLBindRequest} object created from the
   *          provided information.
   *
   * @throws  LDAPException  If a problem is encountered while trying to create
   *                         the SASL bind request.
   */
  public static UpdatableSASLBindRequest convertToSuccessfulSASLBindRequest(
                     final UpdatableSimpleBindRequest simpleBindRequest,
                     final OperationContext operationContext,
                     final String diagnosticMessage,
                     final List<Control> responseControls)
         throws LDAPException
  {
    Validator.ensureNotNullWithMessage(simpleBindRequest,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createSuccessfulSASLBindRequest.simpleBindRequest must not " +
              "be null.");
    Validator.ensureNotNullWithMessage(operationContext,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createSuccessfulSASLBindRequest.operationContext must not be " +
              "null.");

    final ServerContext serverContext = operationContext.getServerContext();

    final boolean isPasswordBased = true;
    final boolean isSecure = operationContext.isSecure();

    final DN authenticationDN;
    try
    {
      authenticationDN = new DN(simpleBindRequest.getDN());
    }
    catch (final LDAPException e)
    {
      serverContext.debugCaught(e);
      throw new LDAPException(ResultCode.INVALID_DN_SYNTAX,
           "Unable to parse the bind DN from the provided simple bind " +
                "request:  " + StaticUtils.getExceptionMessage(e),
           e);
    }

    final DN authorizationDN = authenticationDN;
    final ByteString passwordUsed = simpleBindRequest.getPassword();

    return convertToSuccessfulSASLBindRequest(simpleBindRequest,
         operationContext, isPasswordBased, isSecure, authenticationDN,
         authorizationDN, diagnosticMessage, responseControls, passwordUsed);
  }



  /**
   * Converts the provided simple bind request to an
   * {@code UpdatableSASLBindRequest} object that can be used to cause this SASL
   * mechanism handler to process a successful authentication using the provided
   * information.  All of the appropriate attachments for this SASL mechanism
   * will be set on the associated operation.
   *
   * @param  simpleBindRequest  The simple bind request to use to create the
   *                            corresponding SASL bind request.  It must not
   *                            be {@code null}.
   * @param  operationContext   The operation context with which the provided
   *                            simple bind request is associated.  It must not
   *                            be {@code null}.
   * @param  isPasswordBased    Indicates whether the resulting SASL bind should
   *                            be considered password based.
   * @param  isSecure           Indicates whether the resulting SASL bind should
   *                            be considered secure.
   * @param  authenticationDN   The DN of the authentication identity for the
   *                            resulting SASL bind operation.  It must not be
   *                            {@code null}, but may be {@code DN.NULL_DN} to
   *                            indicate an anonymous authentication identity.
   * @param  authorizationDN    The DN of the authorization identity for the
   *                            resulting SASL bind operation.  It must not be
   *                            {@code null}, but may be {@code DN.NULL_DN} to
   *                            indicate an anonymous authentication identity.
   *                            In most cases, this will be the same as the
   *                            authentication DN, but they may differ if
   *                            operations should be processed under the
   *                            authority of a different user than the
   *                            authentication identity.
   * @param  diagnosticMessage  A diagnostic message to include in the response
   *                            to the client.  It may be {@code null} if no
   *                            diagnostic message should be returned.
   * @param  responseControls   A set of controls to include in the response to
   *                            the client.  It may be {@code null} or empty if
   *                            no response controls should be returned.
   * @param  passwordUsed       The password used to authenticate the client.
   *                            It may be {@code null} if the authentication
   *                            was not password-based, or if the password used
   *                            is not known.
   *
   * @return  The {@code UpdatableSASLBindRequest} object created from the
   *          provided information.
   */
  public static UpdatableSASLBindRequest convertToSuccessfulSASLBindRequest(
                     final UpdatableSimpleBindRequest simpleBindRequest,
                     final OperationContext operationContext,
                     final boolean isPasswordBased, final boolean isSecure,
                     final DN authenticationDN, final DN authorizationDN,
                     final String diagnosticMessage,
                     final List<Control> responseControls,
                     final ByteString passwordUsed)
  {
    Validator.ensureNotNullWithMessage(simpleBindRequest,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createSuccessfulSASLBindRequest.simpleBindRequest must not " +
              "be null.");
    Validator.ensureNotNullWithMessage(operationContext,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createSuccessfulSASLBindRequest.operationContext must not be " +
              "null.");
    Validator.ensureNotNullWithMessage(authenticationDN,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createSuccessfulSASLBindRequest.authenticationDN must not be " +
              "null.");
    Validator.ensureNotNullWithMessage(authorizationDN,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createSuccessfulSASLBindRequest.authorizationDN must not be " +
              "null.");

    final String saslMechanism;
    if (isPasswordBased)
    {
      if (isSecure)
      {
        saslMechanism = SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME;
      }
      else
      {
        saslMechanism = NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME;
      }
    }
    else
    {
      if (isSecure)
      {
        saslMechanism = SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME;
      }
      else
      {
        saslMechanism = NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME;
      }
    }

    operationContext.setAttachment(ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED,
         Boolean.TRUE);
    operationContext.setAttachment(ATTACHMENT_NAME_BIND_DN, authenticationDN);

    if (! authenticationDN.equals(authorizationDN))
    {
      operationContext.setAttachment(ATTACHMENT_NAME_AUTHORIZATION_DN,
           authorizationDN);
    }

    if (diagnosticMessage != null)
    {
      operationContext.setAttachment(ATTACHMENT_NAME_DIAGNOSTIC_MESSAGE,
           diagnosticMessage);
    }

    if ((responseControls != null) && (! responseControls.isEmpty()))
    {
      final Control[] responseControlArray =
           new Control[responseControls.size()];
      responseControls.toArray(responseControlArray);
      operationContext.setAttachment(ATTACHMENT_NAME_RESPONSE_CONTROLS,
           responseControlArray);
    }

    if (passwordUsed != null)
    {
      operationContext.setAttachment(ATTACHMENT_NAME_PASSWORD_USED,
           passwordUsed);
    }

    return simpleBindRequest.convertToSASLBindRequest(saslMechanism, null);
  }



  /**
   * Converts the provided simple bind request to an
   * {@code UpdatableSASLBindRequest} object that can be used to cause this SASL
   * mechanism handler to process a failed authentication attempt .  All of the
   * appropriate attachments for this SASL mechanism handler will be set on the
   * associated operation.  It will use the following settings:
   * <UL>
   *   <LI>
   *     The authentication attempt will be considered a failure.
   *   </LI>
   *   <LI>
   *     There will not be any diagnostic message, authentication failure
   *     reason, matched DN, response controls, or server SASL credentials.
   *   </LI>
   *   <LI>
   *     The bind DN from the simple bind request will be used as both the
   *     target user DN for the SASL bind.
   *   </LI>
   *   <LI>
   *     The SASL bind will be considered password-based.
   *   </LI>
   *   <LI>
   *     The SASL bind will be considered secure if and only if the simple bind
   *     request was received over a secure connection.
   *   </LI>
   * </UL>
   *
   * @param  simpleBindRequest  The simple bind request to use to create the
   *                            corresponding SASL bind request.  It must not
   *                            be {@code null}.
   * @param  operationContext   The operation context with which the provided
   *                            simple bind request is associated.  It must not
   *                            be {@code null}.
   *
   * @return  The {@code UpdatableSASLBindRequest} object created from the
   *          provided information.
   *
   * @throws  LDAPException  If a problem is encountered while trying to create
   *                         the SASL bind request.
   */
  public static UpdatableSASLBindRequest convertToFailedSASLBindRequest(
                     final UpdatableSimpleBindRequest simpleBindRequest,
                     final OperationContext operationContext)
         throws LDAPException
  {
    Validator.ensureNotNullWithMessage(simpleBindRequest,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createFailedSASLBindRequest.simpleBindRequest must not " +
              "be null.");
    Validator.ensureNotNullWithMessage(operationContext,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createFailedSASLBindRequest.operationContext must not be " +
              "null.");

    final boolean isPasswordBased = true;
    final boolean isSecure = operationContext.isSecure();
    final String diagnosticMessage = null;
    final String authenticationFailureReason = null;
    final DN matchedDN = null;
    final DN targetUserDN = null;
    final List<Control> responseControls = Collections.emptyList();

    return convertToFailedSASLBindRequest(simpleBindRequest, operationContext,
         isPasswordBased, isSecure, diagnosticMessage,
         authenticationFailureReason, matchedDN, targetUserDN,
         responseControls);
  }



  /**
   * Converts the provided simple bind request to an
   * {@code UpdatableSASLBindRequest} object that can be used to cause this SASL
   * mechanism handler to process a failed authentication attempt using the
   * provided information.  All of the appropriate attachments for this SASL
   * mechanism will be set on the associated operation.
   *
   * @param  simpleBindRequest            The simple bind request to use to
   *                                      create the corresponding SASL bind
   *                                      request.  It must not be {@code null}.
   * @param  operationContext             The operation context with which the
   *                                      provided simple bind request is
   *                                      associated.  It must not be
   *                                      {@code null}.
   * @param  isPasswordBased              Indicates whether the resulting SASL
   *                                      bind should be considered password
   *                                      based.
   * @param  isSecure                     Indicates whether the resulting SASL
   *                                      bind should be considered secure.
   * @param  diagnosticMessage            A diagnostic message to include in the
   *                                      response to the client.  It may be
   *                                      {@code null} if no diagnostic message
   *                                      should be returned.
   * @param  authenticationFailureReason  A message that describes the reason
   *                                      for the authentication failure.  This
   *                                      message will not be returned to the
   *                                      client, but will be included in the
   *                                      access log message for the operation
   *                                      so that administrators may better
   *                                      diagnose the failure.  It may be
   *                                      {@code null} if no authentication
   *                                      failure reason is available.
   * @param  matchedDN                    The matched DN to include in the
   *                                      response to the client.  It may be
   *                                      {@code null} if no matched DN should
   *                                      be included.
   * @param  targetUserDN                 The DN of the user that attempted to
   *                                      authenticate.  It may be {@code null}
   *                                      if the target user DN is not known.
   * @param  responseControls             A set of controls to include in the
   *                                      response to the client.  It may be
   *                                      {@code null} or empty if no response
   *                                      controls should be returned.
   *
   * @return  The {@code UpdatableSASLBindRequest} object created from the
   *          provided information.
   */
  public static UpdatableSASLBindRequest convertToFailedSASLBindRequest(
                     final UpdatableSimpleBindRequest simpleBindRequest,
                     final OperationContext operationContext,
                     final boolean isPasswordBased, final boolean isSecure,
                     final String diagnosticMessage,
                     final String authenticationFailureReason,
                     final DN matchedDN, final DN targetUserDN,
                     final List<Control> responseControls)
  {
    Validator.ensureNotNullWithMessage(simpleBindRequest,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createFailedSASLBindRequest.simpleBindRequest must not " +
              "be null.");
    Validator.ensureNotNullWithMessage(operationContext,
         InternalOperationAttachmentSASLMechanismHandler.class.getName() +
              ".createFailedSASLBindRequest.operationContext must not be " +
              "null.");

    final String saslMechanism;
    if (isPasswordBased)
    {
      if (isSecure)
      {
        saslMechanism = SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME;
      }
      else
      {
        saslMechanism = NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME;
      }
    }
    else
    {
      if (isSecure)
      {
        saslMechanism = SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME;
      }
      else
      {
        saslMechanism = NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME;
      }
    }

    operationContext.setAttachment(ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED,
         Boolean.FALSE);

    if (diagnosticMessage != null)
    {
      operationContext.setAttachment(ATTACHMENT_NAME_DIAGNOSTIC_MESSAGE,
           diagnosticMessage);
    }

    if (authenticationFailureReason != null)
    {
      operationContext.setAttachment(
           ATTACHMENT_NAME_AUTHENTICATION_FAILURE_REASON,
           authenticationFailureReason);
    }

    if (matchedDN != null)
    {
      operationContext.setAttachment(ATTACHMENT_NAME_MATCHED_DN, matchedDN);
    }

    if (targetUserDN != null)
    {
      operationContext.setAttachment(ATTACHMENT_NAME_BIND_DN, targetUserDN);
    }

    if ((responseControls != null) && (! responseControls.isEmpty()))
    {
      final Control[] responseControlArray =
           new Control[responseControls.size()];
      responseControls.toArray(responseControlArray);
      operationContext.setAttachment(ATTACHMENT_NAME_RESPONSE_CONTROLS,
           responseControlArray);
    }

    return simpleBindRequest.convertToSASLBindRequest(saslMechanism, null);
  }
}