org.apache.james.user.ldap
Class ReadOnlyUsersLDAPRepository

java.lang.Object
  org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository

All Implemented Interfaces:

Configurable, LogEnabled, UsersRepository

public class ReadOnlyUsersLDAPRepository
extends java.lang.Object
implements UsersRepository, Configurable, LogEnabled

This repository implementation serves as a bridge between Apache James and LDAP. It allows James to authenticate users against an LDAP compliant server such as Apache DS or Microsoft AD. It also enables role/group based access restriction based on LDAP groups.

It is intended for organisations that already have a user-authentication and authorisation mechanism in place, and want to leverage this when deploying James. The assumption inherent here is that such organisations would not want to manage user details via James, but will do so externally using whatever mechanism provided by, or built on top off, their LDAP implementation.

Based on this assumption, this repository is strictly read-only. As a consequence, user modification, deletion and creation requests will be ignored when using this repository.

The following fragment of XML provides an example configuration to enable this repository:

  <users-store>
      <repository name="LDAPUsers" 
      class="org.apache.james.userrepository.ReadOnlyUsersLDAPRepository" 
      ldapHost="ldap://myldapserver:389"
      principal="uid=ldapUser,ou=system"
      credentials="password"
      userBase="ou=People,o=myorg.com,ou=system"
      userIdAttribute="uid"/>
      userObjectClass="inetOrgPerson"/>
  </users-store>
 

Its constituent attributes are defined as follows:

• ldapHost: The URL of the LDAP server to connect to.
• principal: The name (DN) of the user with which to initially bind to the LDAP server.
• credentials: The password with which to initially bind to the LDAP server.
• userBase:The context within which to search for user entities.
• userIdAttribute:The name of the LDAP attribute which holds user ids. For example "uid" for Apache DS, or "sAMAccountName" for Microsoft Active Directory.
• userObjectClass:The objectClass value for user nodes below the userBase. For example "inetOrgPerson" for Apache DS, or "user" for Microsoft Active Directory.

In order to enable group/role based access restrictions, you can use the "<restriction>" configuration element. An example of this is shown below:

 <restriction
        memberAttribute="uniqueMember">
                <group>cn=PermanentStaff,ou=Groups,o=myorg.co.uk,ou=system</group>
                <group>cn=TemporaryStaff,ou=Groups,o=myorg.co.uk,ou=system</group>
 </restriction>

Its constituent attributes and elements are defined as follows:

• memberAttribute: The LDAP attribute whose values indicate the DNs of the users which belong to the group or role.
• group: A valid group or role DN. A user is only authenticated (permitted access) if they belong to at least one of the groups listed under the "<restriction>" sections.

See Also:

SimpleLDAPConnection, ReadOnlyLDAPUser, ReadOnlyLDAPGroupRestriction

Field Summary

Fields inherited from interface org.apache.james.user.api.UsersRepository

ROLE, USER

Constructor Summary

ReadOnlyUsersLDAPRepository()

Method Summary

void	addUser(java.lang.String name, java.lang.Object attributes)
boolean	addUser(java.lang.String username, java.lang.String password)
boolean	addUser(User user)
void	configure(org.apache.commons.configuration.HierarchicalConfiguration configuration) Extracts the parameters required by the repository instance from the James server configuration data.
boolean	contains(java.lang.String name)
boolean	containsCaseInsensitive(java.lang.String name)
int	countUsers()
java.lang.String	getRealName(java.lang.String name)
User	getUserByName(java.lang.String name)
User	getUserByNameCaseInsensitive(java.lang.String name)
void	init() Initialises the user-repository instance.
java.util.Iterator<java.lang.String>	list()
void	removeUser(java.lang.String name)
void	setLog(org.apache.commons.logging.Log log)
boolean	test(java.lang.String name, java.lang.String password)
boolean	updateUser(User user)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ReadOnlyUsersLDAPRepository

public ReadOnlyUsersLDAPRepository()

Method Detail

configure

public void configure(org.apache.commons.configuration.HierarchicalConfiguration configuration)
               throws org.apache.commons.configuration.ConfigurationException

Extracts the parameters required by the repository instance from the James server configuration data. The fields extracted include ldapHost, userIdAttribute, userBase, principal, credentials and restriction.

Specified by:

configure in interface Configurable

Parameters:

configuration - An encapsulation of the James server configuration data.

Throws:

org.apache.commons.configuration.ConfigurationException

init

@PostConstruct
public void init()
          throws java.lang.Exception

Initialises the user-repository instance. It will create a connection to the LDAP host using the supplied configuration.

Throws:

java.lang.Exception - If an error occurs authenticating or connecting to the specified LDAP host.

contains

public boolean contains(java.lang.String name)

Specified by:

contains in interface UsersRepository

containsCaseInsensitive

public boolean containsCaseInsensitive(java.lang.String name)

Specified by:

containsCaseInsensitive in interface UsersRepository

countUsers

public int countUsers()

Specified by:

countUsers in interface UsersRepository

getRealName

public java.lang.String getRealName(java.lang.String name)

Specified by:

getRealName in interface UsersRepository

getUserByName

public User getUserByName(java.lang.String name)

Specified by:

getUserByName in interface UsersRepository

getUserByNameCaseInsensitive

public User getUserByNameCaseInsensitive(java.lang.String name)

Specified by:

getUserByNameCaseInsensitive in interface UsersRepository

list

public java.util.Iterator<java.lang.String> list()

Specified by:

list in interface UsersRepository

removeUser

public void removeUser(java.lang.String name)

Specified by:

removeUser in interface UsersRepository

test

public boolean test(java.lang.String name,
                    java.lang.String password)

Specified by:

test in interface UsersRepository

addUser

public boolean addUser(User user)

Specified by:

addUser in interface UsersRepository

addUser

public void addUser(java.lang.String name,
                    java.lang.Object attributes)

Specified by:

addUser in interface UsersRepository

addUser

public boolean addUser(java.lang.String username,
                       java.lang.String password)

Specified by:

addUser in interface UsersRepository

updateUser

public boolean updateUser(User user)

Specified by:

updateUser in interface UsersRepository

setLog

public void setLog(org.apache.commons.logging.Log log)

Specified by:

setLog in interface LogEnabled