com.sun.slamd.example
Class LDAPDigestMD5SocketFactory

java.lang.Object
  com.sun.slamd.example.LDAPDigestMD5SocketFactory

All Implemented Interfaces:

netscape.ldap.LDAPSocketFactory

public class LDAPDigestMD5SocketFactory
extends java.lang.Object
implements netscape.ldap.LDAPSocketFactory

This class provides an implementation of an LDAP socket factory that can be used to perform authentication to the directory server using the DIGEST-MD5 SASL mechanism. It is a relatively ugly hack because the LDAP SDK for Java does not provide very good support for SASL authentication.

There are several things that should be noted about this implementation:

• The setAuthenticationInfo method must be called to provide the identity and credentials of the user that is to be authenticated. This must be done before calling the connect method of the LDAPConnection object with which this socket factory is associated.
• When calling the connect method on the LDAPConnection object with which this socket factory is associated, you must only use the version that provides the host name and port number of the directory server. Do not use any version that specifies the LDAP protocol version or bind information because that will perform a bind using simple authentication and will negate the effect of the DIGEST-MD5 bind. Further, once the connection has been established, do not call any variants of the authenticate or bind methods.
• Because the DIGEST-MD5 authentication is performed outside of the LDAP SDK for Java, the SDK itself has no knowledge of that authentication. Therefore, methods like getAuthenticationDN, getAuthenticationMethod, getAuthenticationPassword, and isAuthenticated may not be used because they will provide an incorrect response.
• Because the authentication ID and credentials are provided outside the makeSocket method, this implementation is not threadsafe. Therefore, if it is expected that multiple threads may attempt to concurrently create connections using DIGEST-MD5 authentication, then they must each have their own instance of this socket factory. It is not sufficient to use synchronization in an attempt to prevent concurrent usage of the same instance.
• It is possible to use this socket factory in conjunction with another socket factory for additional functionality (e.g., DIGEST-MD5 authentication over an SSL-based connection). To use this socket factory in conjunction with another socket factory, call the setAdditionalSocketFactory method to provide the additional socket factory. The makeSocket method of that socket factory will be invoked as part of the makeSocket method of this socket factory. Note that some socket factory implementations may not behave as expected when used in this manner.

Author:

Neil A. Wilson

Field Summary

static char[]	CNONCE_ALPHABET The set of characters that will be used to generate the cnonce.
static java.lang.String	JCE_DIGEST_ALGORITHM The algorithm used by JCE to perform MD5 hashing.
static byte	LDAP_BIND_REQUEST_TYPE The ASN.1 type used to denote an LDAP bind request protocol op.
static byte	LDAP_BIND_RESPONSE_TYPE The ASN.1 type used to denote an LDAP bind response protocol op.
static byte	LDAP_SASL_CREDENTIALS_TYPE The ASN.1 type used to denote the SASL credentials in an LDAP bind request.
static byte	LDAP_SERVER_SASL_CREDENTIALS_TYPE The ASN.1 type used to denote the SASL credentials in an LDAP bind response.
static java.lang.String	QOP_AUTH The quality of protection that will be used for all authentications.
static java.lang.String	SASL_MECHANISM_NAME The name of the DIGEST-MD5 SASL mechanism as it must appear in LDAP bind requests.

Constructor Summary

LDAPDigestMD5SocketFactory()
Creates a new instance of this DIGEST-MD5 authenticator.

Method Summary

java.net.Socket	makeSocket(java.lang.String host, int port) Establishes a new connection to the directory server and performs a SASL bind using DIGEST-MD5 before handing the socket off to the Java SDK.
void	setAdditionalSocketFactory(netscape.ldap.LDAPSocketFactory socketFactory) Specifies an additional socket factory that should be used when creating connections to the directory server using this socket factory.
void	setAuthenticationInfo(java.lang.String authID, java.lang.String password) Specifies the authentication ID and password for use with the next connection.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CNONCE_ALPHABET

public static final char[] CNONCE_ALPHABET

The set of characters that will be used to generate the cnonce.

JCE_DIGEST_ALGORITHM

public static final java.lang.String JCE_DIGEST_ALGORITHM

The algorithm used by JCE to perform MD5 hashing.

See Also:

Constant Field Values

LDAP_BIND_REQUEST_TYPE

public static final byte LDAP_BIND_REQUEST_TYPE

The ASN.1 type used to denote an LDAP bind request protocol op.

See Also:

Constant Field Values

LDAP_BIND_RESPONSE_TYPE

public static final byte LDAP_BIND_RESPONSE_TYPE

The ASN.1 type used to denote an LDAP bind response protocol op.

See Also:

Constant Field Values

LDAP_SASL_CREDENTIALS_TYPE

public static final byte LDAP_SASL_CREDENTIALS_TYPE

The ASN.1 type used to denote the SASL credentials in an LDAP bind request.

See Also:

Constant Field Values

LDAP_SERVER_SASL_CREDENTIALS_TYPE

public static final byte LDAP_SERVER_SASL_CREDENTIALS_TYPE

The ASN.1 type used to denote the SASL credentials in an LDAP bind response.

See Also:

Constant Field Values

QOP_AUTH

public static final java.lang.String QOP_AUTH

The quality of protection that will be used for all authentications. This implementation does not support either integrity or confidentiality.

See Also:

Constant Field Values

SASL_MECHANISM_NAME

public static final java.lang.String SASL_MECHANISM_NAME

The name of the DIGEST-MD5 SASL mechanism as it must appear in LDAP bind requests.

See Also:

Constant Field Values

Constructor Detail

LDAPDigestMD5SocketFactory

public LDAPDigestMD5SocketFactory()
                           throws SLAMDException

Creates a new instance of this DIGEST-MD5 authenticator. Note that creating an instance of this class for the first time in the life of the JVM can take a few seconds because of the time required to initialize the entropy for the random number generator.

Throws:

SLAMDException - If a problem occurs while initializing this DIGEST-MD5 authenticator.

Method Detail

setAuthenticationInfo

public void setAuthenticationInfo(java.lang.String authID,
                                  java.lang.String password)

Specifies the authentication ID and password for use with the next connection.

Parameters:

authID - The authentication ID for use with the next connection.

password - The password for use with the next connection.

setAdditionalSocketFactory

public void setAdditionalSocketFactory(netscape.ldap.LDAPSocketFactory socketFactory)

Specifies an additional socket factory that should be used when creating connections to the directory server using this socket factory. This makes it possible to stack this socket factory on top of another one, which allows for things like using DIGEST-MD5 on top of an SSL-based connection.

Parameters:

socketFactory - The additional socket factory that should be used when creating connections to the directory server using this socket factory.

makeSocket

public java.net.Socket makeSocket(java.lang.String host,
                                  int port)
                           throws netscape.ldap.LDAPException

Establishes a new connection to the directory server and performs a SASL bind using DIGEST-MD5 before handing the socket off to the Java SDK.

Specified by:

makeSocket in interface netscape.ldap.LDAPSocketFactory

Parameters:

host - The address of the server to which the connection should be established.

port - The port number of the server to which the connection should be established.

Returns:

The socket that may be used to communicate with the directory server.

Throws:

netscape.ldap.LDAPException - If a problem occurs while creating the socket.