IPlanetAuthenticatorMBean



Overview

This MBean represents LDAP schema definitions for the iPlanet LDAP provider.

Fully Qualified Interface Name: If you use the getMBeanInfo operation in MBeanTypeServiceMBean, supply the following value as this MBean's fully qualified interface name:
weblogic.security.providers.authentication.IPlanetAuthenticatorMBean

Factory Methods: No factory methods. Instances of this MBean are created automatically.


Related MBeans

This section describes attributes that provide access to other MBeans.


    Realm

    Returns the realm that contains this security provider. Returns null if this security provider is not contained by a realm.

    Privileges: Read only
    Type: RealmMBean
    Relationship type: Reference.


    Attributes

    This section describes the following attributes:


    AllGroupsFilter

    An LDAP search filter for finding all groups beneath the base group distinguished name (DN). If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the Group schema.

    Privileges: Read/Write
    Type: java.lang.String

    AllUsersFilter

    An LDAP search filter for finding all users beneath the base user distinguished name (DN). If the attribute (user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.

    Privileges: Read/Write
    Type: java.lang.String

    BindAnonymouslyOnReferrals

    Returns whether to bind anonymously when following referrals within the LDAP directory. If set to false, the current Principal and Credential are used for the bind.

    Privileges: Read/Write
    Type: boolean

    CacheEnabled

    Returns whether to cache LDAP requests with the LDAP server.

    Privileges: Read/Write
    Type: boolean
    Default Value: true

    CacheSize

    Returns the size of the cache in kilobytes (K).

    Privileges: Read/Write
    Type: int
    Default Value: 32
    Minimum value: 0

    CacheTTL

    Returns the time-to-live (TTL) of the cache in seconds.

    Privileges: Read/Write
    Type: int
    Default Value: 60
    Minimum value: 0

    ConnectionPoolSize

    The LDAP connection pool size. Default is 6.

    Privileges: Read/Write
    Type: int
    Default Value: 6

    ConnectionRetryLimit

    Specifies the number of times to attempt to connect to the LDAP server if the initial connection failed.

    Privileges: Read/Write
    Type: int
    Default Value: 1

    ConnectTimeout

    Returns the maximum number of seconds to wait for the LDAP connection to be established. If set to 0, there is no maximum time limit.

    Privileges: Read/Write
    Type: int
    Default Value: 0

    ControlFlag

    Returns how the login sequence uses the Authentication provider.

    A REQUIRED value specifies this LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers. This setting is the default.

    A REQUISITE value specifies this LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, control is returned to the application.

    A SUFFICIENT value specifies this LoginModule need not succeed. If it does succeed, control is returned to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.

    An OPTIONAL value specifies this LoginModule need not succeed. Whether it succeeds or fails, authentication proceeds down the LoginModule list.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: REQUIRED
    Legal Values:
    • REQUIRED
    • REQUISITE
    • SUFFICIENT
    • OPTIONAL
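The four ControlFlag values follow the JAAS login-module semantics described above. As an added illustration (not code from this page or from WebLogic itself), the following Python walks a list of configured Authentication providers and applies each flag's rule; the `LoginModule` tuple shape and the `run_login_sequence` name are this example's own, and the login callables stand in for real LoginModule.login() calls.

```python
"""Simulation of a JAAS login sequence under the four ControlFlag values.

Added illustration; the LoginModule representation and run_login_sequence
are this example's own, not WebLogic API.
"""
from enum import Enum
from typing import Callable, List, Sequence, Tuple


class ControlFlag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


# One configured Authentication provider: a label, its ControlFlag, and a
# callable standing in for the LoginModule's login() (True = success).
LoginModule = Tuple[str, ControlFlag, Callable[[], bool]]


def run_login_sequence(modules: Sequence[LoginModule]) -> Tuple[bool, List[str]]:
    """Walk the LoginModule list as the ControlFlag descriptions specify.

    Returns (overall_success, labels_of_modules_invoked) so the caller sees
    both the decision and the point at which control returned to the
    application.
    """
    invoked: List[str] = []
    required_failed = False   # a REQUIRED module earlier in the list failed
    any_succeeded = False
    has_required = any(flag in (ControlFlag.REQUIRED, ControlFlag.REQUISITE)
                       for _label, flag, _login in modules)

    for label, flag, login in modules:
        invoked.append(label)
        ok = login()
        any_succeeded = any_succeeded or ok

        if flag is ControlFlag.REQUIRED:
            # Must succeed, but authentication proceeds down the list either way.
            if not ok:
                required_failed = True
        elif flag is ControlFlag.REQUISITE:
            # Must succeed; on failure control returns to the application at once.
            if not ok:
                return False, invoked
        elif flag is ControlFlag.SUFFICIENT:
            # Need not succeed; on success control returns immediately, unless
            # a REQUIRED module already failed, in which case the walk continues.
            if ok and not required_failed:
                return True, invoked
        else:
            # OPTIONAL: the outcome never stops the sequence.
            pass

    if has_required:
        # Every REQUIRED/REQUISITE module that was reached had to succeed.
        return not required_failed, invoked
    # Only SUFFICIENT/OPTIONAL modules were configured: succeed if any did.
    return any_succeeded, invoked


if __name__ == "__main__":
    chain = [("iplanet", ControlFlag.SUFFICIENT, lambda: True),
             ("default", ControlFlag.REQUIRED, lambda: False)]
    print(run_login_sequence(chain))   # SUFFICIENT success short-circuits
```

A practical consequence worth checking in any realm with several providers: a SUFFICIENT LDAP authenticator placed before a REQUIRED one means a successful LDAP login never consults the later provider, while a REQUIRED LDAP authenticator that is unreachable fails every login even if a later provider would have accepted the user.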

    Credential

    The credential (generally a password) used to authenticate the LDAP user that is defined in the Principal attribute.

    Privileges: Read/Write
    Type: java.lang.String
    Encrypted: true

    CredentialEncrypted

    Privileges: Read/Write
    Type: byte[]
    Encrypted: true

    Description

    A short description of the LDAP Authentication provider.

    Privileges: Read only
    Type: java.lang.String
    Default Value: Provider that performs LDAP authentication
    Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

    DynamicGroupNameAttribute

    The attribute of the dynamic LDAP group object that specifies the name of the group.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: cn

    DynamicGroupObjectClass

    The LDAP object class that stores dynamic groups.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: groupofURLs

    DynamicMemberURLAttribute

    The attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: memberURL

    EnableGroupMembershipLookupHierarchyCaching

    Sets whether to cache group membership hierarchies found during recursive membership lookup. If true, each subtree found is cached. This overrides the default value defined in GroupMembershipHierarchyCacheMBean.

    Privileges: Read/Write
    Type: java.lang.Boolean
    Default Value: true

    FollowReferrals

    Returns whether referrals will automatically be followed within the LDAP Directory. If set to false, then a Referral exception will be thrown when referrals are encountered during LDAP requests.

    Privileges: Read/Write
    Type: boolean
    Default Value: true

    GroupBaseDN

    The base distinguished name (DN) of the tree in the LDAP directory that contains groups.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: ou=groups, o=example.com

    GroupFromNameFilter

    An LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=groupOfURLs)))

    GroupHierarchyCacheTTL

    Returns the maximum number of seconds a group membership hierarchy entry is valid in the LRU cache.

    Privileges: Read/Write
    Type: java.lang.Integer
    Default Value: 60

    GroupMembershipSearching

    Specifies whether group searches into nested groups are unlimited or limited. Valid values are unlimited and limited.

    For configurations that use only the first level of nested group hierarchy, this attribute allows improved performance during user searches by limiting the search to the first level of the group. If a limited search is specified, the Max Group Membership Search Level attribute must be specified. If an unlimited search is specified, the Max Group Membership Search Level attribute is ignored.

    Note that when Use Token Groups For Group Membership Lookup is used during authentication, all the groups are returned in a single call, and the recursion limits and depth limits do not apply. They do apply in management operations.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: unlimited
    Legal Values:
    • unlimited
    • limited

    GroupSearchScope

    Specifies how deep in the LDAP directory tree to search for groups. Valid values are subtree and onelevel.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: subtree
    Legal Values:
    • subtree
    • onelevel

    GuidAttribute

    Specifies the name of the GUID attribute defined in the Sun iPlanet Directory LDAP server. The default value is nsuniqueid.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: nsuniqueid

    Host

    Returns the host name or IP address of the LDAP server.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: localhost

    IgnoreDuplicateMembership

    Determines whether duplicate members are ignored when adding groups. This attribute applies to cycles in the group membership hierarchy.

    Privileges: Read/Write
    Type: java.lang.Boolean

    KeepAliveEnabled

    Specifies whether to prevent LDAP connections from timing out.

    Privileges: Read/Write
    Type: boolean

    MaxGroupHierarchiesInCache

    Returns the maximum size of the LRU cache for holding group membership hierarchies if caching is enabled.

    Privileges: Read/Write
    Type: java.lang.Integer
    Default Value: 100

    MaxGroupMembershipSearchLevel

    Specifies how many levels of group membership can be searched. This setting is valid only if GroupMembershipSearching is set to limited. Valid values are 0 and positive integers. For example, 0 indicates only direct group memberships will be found, and a positive number indicates the number of levels to search.

    Possible values are:

    0 - Indicates only direct groups will be found. That is, when searching for membership in Group A, only direct members of Group A will be found. If Group B is a member of Group A, the members of Group B will not be found by this search.

    Any positive number - Indicates the number of levels to search. For example, if this attribute is set to 1, a search for membership in Group A will return direct members of Group A. If Group B is a member of Group A, the members of Group B will also be found by this search. However, if Group C is a member of Group B, the members of Group C will not be found by this search.

    Note that when Use Token Groups For Group Membership Lookup is used during authentication, all the groups are returned in a single call, and the recursion limits and depth limits do not apply. They do apply in management operations.

    Privileges: Read/Write
    Type: java.lang.Integer
    Default Value: 0
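GroupMembershipSearching and MaxGroupMembershipSearchLevel together bound how far nested-group resolution walks. As an added example (not WebLogic code), the following Python models that walk over a constructed in-memory group table using the Group A / B / C arrangement from the description above, with a deliberate membership cycle added so that the visited-set guard is exercised; `members_of`, `groups_of` and `SAMPLE_GROUPS` are this example's own names.

```python
"""Depth-limited nested group membership lookup.

Models GroupMembershipSearching ("unlimited" / "limited") together with
MaxGroupMembershipSearchLevel. The directory is a constructed in-memory
dictionary, not a live LDAP server; names and structure are this example's own.
"""
from collections import deque
from typing import Callable, Dict, Iterable, Set

# Constructed sample: static groups mapped to their direct members (users or
# groups). Group B is a member of Group A and Group C is a member of Group B,
# as in the attribute description; Group C also lists Group A to form a cycle.
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "GroupA": {"alice", "GroupB"},
    "GroupB": {"bob", "GroupC"},
    "GroupC": {"carol", "GroupA"},
}


def _check_mode(searching: str) -> None:
    if searching not in ("unlimited", "limited"):
        raise ValueError("GroupMembershipSearching must be 'unlimited' or 'limited'")


def _walk(start: str, neighbours: Callable[[str], Iterable[str]],
          searching: str, max_level: int) -> Set[str]:
    """Breadth-first walk from *start*.

    Level 0 expands only *start* itself (direct relations); level n follows
    n further levels of nesting. In "unlimited" mode max_level is ignored.
    The visited set stops the walk at membership cycles.
    """
    _check_mode(searching)
    found: Set[str] = set()
    frontier = deque([(start, 0)])
    visited = {start}
    while frontier:
        node, depth = frontier.popleft()
        if searching == "limited" and depth > max_level:
            continue
        for nxt in neighbours(node):
            found.add(nxt)
            if nxt not in visited:
                visited.add(nxt)
                frontier.append((nxt, depth + 1))
    return found


def direct_groups_of(member: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Groups that list *member* directly (the question StaticGroupDNsfromMemberDNFilter answers)."""
    return {g for g, members in groups.items() if member in members}


def members_of(group: str, groups: Dict[str, Set[str]],
               searching: str = "unlimited", max_level: int = 0) -> Set[str]:
    """Users found when searching for membership in *group* (the page's Group A example)."""
    reached = _walk(group, lambda g: groups.get(g, set()), searching, max_level)
    return {m for m in reached if m not in groups}   # keep users, drop nested groups


def groups_of(member: str, groups: Dict[str, Set[str]],
              searching: str = "unlimited", max_level: int = 0) -> Set[str]:
    """Every group *member* belongs to, directly or through nesting, under the same limits."""
    return _walk(member, lambda n: direct_groups_of(n, groups), searching, max_level)


if __name__ == "__main__":
    for level in (0, 1):
        print("limited, level", level, "->", sorted(members_of("GroupA", SAMPLE_GROUPS, "limited", level)))
    print("unlimited ->", sorted(members_of("GroupA", SAMPLE_GROUPS)))
```

The cycle between GroupC and GroupA is the situation IgnoreDuplicateMembership and the hierarchy cache exist for: without a visited set an unlimited search never terminates, and with one the result is the same set of users regardless of where the cycle is entered.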

    Name

    Privileges: Read only
    Type: java.lang.String
    Default Value: IPlanetAuthenticator
    Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

    ParallelConnectDelay

    Returns the number of seconds to delay when making concurrent attempts to connect to multiple servers.

    If set to 0, connection attempts are serialized. An attempt is made to connect to the first server in the list. The next entry in the list is tried only if the attempt to connect to the current host fails. This might cause your application to block for an unacceptably long time if a host is down. If set to greater than 0, another connection setup thread is started after this number of delay seconds has passed.

    Privileges: Read/Write
    Type: int
    Default Value: 0

    Port

    Returns the port number on which the LDAP server is listening.

    Privileges: Read/Write
    Type: int
    Default Value: 389
    Minimum value: 1
    Maximum value: 65534

    Principal

    Returns the Distinguished Name (DN) of the LDAP user that is used by WebLogic Server to connect to the LDAP server.

    Privileges: Read/Write
    Type: java.lang.String

    PropagateCauseForLoginException

    No description provided.

    Privileges: Read/Write
    Type: boolean

    ProviderClassName

    The name of the Java class used to load the LDAP Authentication provider.

    Privileges: Read only
    Type: java.lang.String
    Default Value: weblogic.security.providers.authentication.LDAPAuthenticationProviderImpl
    Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

    ResultsTimeLimit

    Returns the maximum number of milliseconds to wait for results before timing out. If set to 0, there is no maximum time limit.

    Privileges: Read/Write
    Type: int
    Default Value: 0

    SSLEnabled

    Returns whether SSL will be used to connect to the LDAP server.

    Privileges: Read/Write
    Type: boolean

    StaticGroupDNsfromMemberDNFilter

    An LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: (&(uniquemember=%M)(objectclass=groupofuniquenames))

    StaticGroupNameAttribute

    The attribute of a static LDAP group object that specifies the name of the group.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: cn

    StaticGroupObjectClass

    The name of the LDAP object class that stores static groups.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: groupofuniquenames

    StaticMemberDNAttribute

    The attribute of an LDAP static group object that specifies the distinguished names (DNs) of the members of the group.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: uniquemember

    UserBaseDN

    The base distinguished name (DN) of the tree in the LDAP directory that contains users.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: ou=people, o=example.com

    UserDynamicGroupDNAttribute

    The attribute of an LDAP user object that specifies the distinguished names (DNs) of dynamic groups to which this user belongs. If such an attribute does not exist, WebLogic Server determines whether a user is a member of a group by evaluating the URLs on the dynamic group. If a group contains other groups, WebLogic Server evaluates the URLs on any of the descendants (indicates parent relationship) of the group.

    Privileges: Read/Write
    Type: java.lang.String

    UseRetrievedUserNameAsPrincipal

    Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal in the Subject.

    Privileges: Read/Write
    Type: java.lang.Boolean

    UserFromNameFilter

    An LDAP search filter for finding a user given the name of the user. If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: (&(uid=%u)(objectclass=person))
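GroupFromNameFilter, StaticGroupDNsfromMemberDNFilter and UserFromNameFilter all carry %g, %M and %u placeholders that are replaced at search time. As an added example (not the provider's own implementation, which this page does not describe), the following Python substitutes those placeholders into the default filter strings shown on this page, escaping the substituted value per RFC 4515 so that characters such as `*`, `(` and `)` occurring in a user or group name are matched literally and the filter keeps its structure. The function names and the escaping routine are this example's own.

```python
"""Placeholder substitution for the search-filter attributes on this page.

The defaults use %u (user name), %g (group name) and %M (member DN). Before a
caller-supplied value replaces a placeholder it is escaped per RFC 4515 so
that filter metacharacters inside the value are matched literally and cannot
alter the filter's structure. Added example; not WebLogic's own code.
"""
import re

# Default filter strings exactly as documented on this page.
USER_FROM_NAME_FILTER = "(&(uid=%u)(objectclass=person))"
GROUP_FROM_NAME_FILTER = ("(|(&(cn=%g)(objectclass=groupofUniqueNames))"
                          "(&(cn=%g)(objectclass=groupOfURLs)))")
STATIC_GROUP_DNS_FROM_MEMBER_DN_FILTER = "(&(uniquemember=%M)(objectclass=groupofuniquenames))"

# RFC 4515 section 3: these characters inside an assertion value are encoded as \XX.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Only the three placeholders the page documents are recognised.
_PLACEHOLDER = re.compile(r"%([ugM])")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, **values: str) -> str:
    """Replace %u/%g/%M in *template* with escaped values in a single pass.

    Keyword names map to placeholders (u=..., g=..., M=...). A template may
    use a placeholder more than once (GroupFromNameFilter does); every
    occurrence is replaced. Placeholders with no supplied value are left as-is
    so an incomplete substitution is visible instead of silently mangled.
    The single pass means an escaped value is never re-scanned for placeholders.
    """
    def repl(match: "re.Match[str]") -> str:
        key = match.group(1)
        if key not in values:
            return match.group(0)
        return escape_filter_value(values[key])
    return _PLACEHOLDER.sub(repl, template)


def balanced_parentheses(filter_str: str) -> bool:
    """Cheap structural check after substitution: every '(' is closed, in order."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    print(build_filter(USER_FROM_NAME_FILTER, u="jdoe"))
    print(build_filter(GROUP_FROM_NAME_FILTER, g="admins"))
    print(build_filter(STATIC_GROUP_DNS_FROM_MEMBER_DN_FILTER,
                       M="uid=jdoe,ou=people,o=example.com"))
    # A name containing filter metacharacters remains a single literal value.
    print(build_filter(USER_FROM_NAME_FILTER, u="j*doe (temp)"))
```

When a custom filter is configured in place of the default, the same two properties are what to verify: every placeholder the provider is expected to fill is present, and the filter stays balanced for any value the user-name attribute can legitimately hold.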

    UserNameAttribute

    The attribute of an LDAP user object that specifies the name of the user.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: uid

    UserObjectClass

    The LDAP object class that stores users.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: person

    UserSearchScope

    Specifies how deep in the LDAP directory tree to search for users. Valid values are subtree and onelevel.

    Privileges: Read/Write
    Type: java.lang.String
    Default Value: subtree
    Legal Values:
    • subtree
    • onelevel

    Version

    The version number of the LDAP Authentication provider.

    Privileges: Read only
    Type: java.lang.String
    Default Value: 1.0
    Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.


    Operations

    This section describes the following operations:


    advance

    Advances the cursor to the next element in the list.

    Operation Name: "advance"
    Parameters: Object [] { cursor }

    where:

    • cursor is an object of type java.lang.String that specifies:

      - The cursor returned from a previous list method.

    Signature: String [] { "java.lang.String" }
    Returns: void
    Exceptions:
    • weblogic.management.utils.InvalidCursorException

    changeUserPassword

    Used by a user to change his or her password.

    Note: The user needs administrator privileges to change passwords. To devise a means to enable users without administrator privileges to change their own passwords, you can implement a servlet that uses the run-as deployment descriptor element to access the Administrator role for invoking the changeUserPassword operation via the MBean server. This servlet should be protected by a security policy and should require a login, and it can then be made available to end users for changing their passwords.

    Operation Name: "changeUserPassword"
    Parameters: Object [] { userName, oldPassword, newPassword }

    where:

    • userName is an object of type java.lang.String that specifies:

      - The name of an existing user.

    • oldPassword is an object of type java.lang.String that specifies:

      - The current password for the user.

    • newPassword is an object of type java.lang.String that specifies:

      - The new password for the user. The Authentication provider determines the syntax requirements for passwords.

    Signature: String [] { "java.lang.String", "java.lang.String", "java.lang.String" }
    Returns: void
    Exceptions:
    • weblogic.management.utils.NotFoundException
    • weblogic.management.utils.InvalidParameterException

    close

    Indicates that the caller is finished using the list, and that the resources held on behalf of the list may be released. If the caller traverses through all the elements in the list, the caller need not call this method. In other words, it is used to let the caller close the list without reading each element that is returned.

    Operation Name: "close"
    Parameters: Object [] { cursor }

    where:

    • cursor is an object of type java.lang.String that specifies:

      - The cursor returned from a previous list method.

    Signature: String [] { "java.lang.String" }
    Returns: void
    Exceptions:
    • weblogic.management.utils.InvalidCursorException

    getCurrentName

    The name of the current item in the list. Returns null if there is no current item.

    Operation Name: "getCurrentName"
    Parameters: Object [] { cursor }

    where:

    • cursor is an object of type java.lang.String that specifies:

      - The cursor returned from a previous list method.

    Signature: String [] { "java.lang.String" }
    Returns: String
    Exceptions:
    • weblogic.management.utils.InvalidCursorException

    getGroupDescription

    Gets a group's description.

    Operation Name: "getGroupDescription"
    Parameters: Object [] { groupName }

    where:

    • groupName is an object of type java.lang.String that specifies:

      - The name of an existing group.

    Signature: String [] { "java.lang.String" }
    Returns: String
    Exceptions:
    • weblogic.management.utils.NotFoundException
    • weblogic.management.utils.InvalidParameterException

    getUserDescription

    Gets a user's description.

    Operation Name: "getUserDescription"
    Parameters: Object [] { userName }

    where:

    • userName is an object of type java.lang.String that specifies:

      - The name of an existing user.

    Signature: String [] { "java.lang.String" }
    Returns: String
    Exceptions:
    • weblogic.management.utils.NotFoundException
    • weblogic.management.utils.InvalidParameterException

    groupExists

    Indicates whether the specified group exists.

    Operation Name: "groupExists"
    Parameters: Object [] { groupName }

    where:

    • groupName is an object of type java.lang.String that specifies:

      - The name that this method evaluates.

    Signature: String [] { "java.lang.String" }
    Returns: boolean
    Exceptions:
    • weblogic.management.utils.InvalidParameterException

    haveCurrent

    Returns true if there are more objects in the list, and false otherwise.

    Operation Name: "haveCurrent"
    Parameters: Object [] { cursor }

    where:

    • cursor is an object of type java.lang.String that specifies:

      - The cursor returned from a previous list method.

    Signature: String [] { "java.lang.String" }
    Returns: boolean
    Exceptions:
    • weblogic.management.utils.InvalidCursorException

    isMember

    Indicates whether a user or group is a member of the group that you specify. A recursive search returns true if the member belongs to the group that you specify or to any of the groups contained within that group.

    Operation Name: "isMember"
    Parameters: Object [] { parentGroupName, memberUserOrGroupName, recursive }

    where:

    • parentGroupName is an object of type java.lang.String that specifies:

      - The existing group within which this method searches for membership.

    • memberUserOrGroupName is an object of type java.lang.String that specifies:

      - The user or group name for which this method searches.

    • recursive is an object of type java.lang.Boolean that specifies:

      - If set to true, the criteria for membership extends to any groups within the group that is specified by parentGroupName.

      If this argument is set to false, then this method checks only for direct membership within the parentGroupName.

    Signature: String [] { "java.lang.String", "java.lang.String", "java.lang.Boolean" }
    Returns: boolean
    Exceptions:
    • weblogic.management.utils.NotFoundException
    • weblogic.management.utils.InvalidParameterException

    isSet

    Returns true if the specified attribute has been set explicitly in this MBean instance.

    Operation Name: "isSet"
    Parameters: Object [] { propertyName }

    where:

    • propertyName is an object of type java.lang.String that specifies:

      - The property to check.

    Signature: String [] { "java.lang.String" }
    Returns: boolean
    Exceptions:
    • java.lang.IllegalArgumentException

    listGroupMembers

    Searches within a group for user and group (member) names that match a pattern. Returns a cursor (string). You can use methods from weblogic.management.utils.NameLister (which this MBean extends) to iterate through the returned list.

    This method does not sort the results or distinguish user and group names. You can use the groupExists method to determine whether a name refers to an existing group.

    Operation Name: "listGroupMembers"
    Parameters: Object [] { groupName, memberUserOrGroupNameWildcard, maximumToReturn }

    where:

    • groupName is an object of type java.lang.String that specifies:

      - The existing group within which this method searches for members.

    • memberUserOrGroupNameWildcard is an object of type java.lang.String that specifies:

      - The pattern for which this method searches. The pattern can end with an * (asterisk) as a wildcard, which matches any string of characters.

      For example, a pattern of abc matches exactly one name that contains only abc, a pattern of ab* matches all user and group names that start with ab, and a pattern of * matches all user and group names.

    • maximumToReturn is an object of type java.lang.Integer that specifies:

      - The maximum number of user and group names that this method returns. If there are more matches than this maximum, then the returned results are arbitrary because this method does not sort results. If this parameter is set to 0, all results are returned.

    Signature: String [] { "java.lang.String", "java.lang.String", "java.lang.Integer" }
    Returns: String
    Exceptions:
    • weblogic.management.utils.NotFoundException
    • weblogic.management.utils.InvalidParameterException

    listGroups

    Searches for a group name that matches a pattern.

    This method returns a cursor that you can pass to the methods from weblogic.management.utils.NameListerMBean (which this MBean extends) to iterate through the returned list.

    This method does not sort the results.

    Operation Name: "listGroups"
    Parameters: Object [] { groupNameWildcard, maximumToReturn }

    where:

    • groupNameWildcard is an object of type java.lang.String that specifies:

      - The pattern for which this method searches. The pattern can end with an * (asterisk) as a wildcard, which matches any string of characters.

      For example, a pattern of abc matches exactly one group name that contains only abc, a pattern of ab* matches all group names that start with ab, and a pattern of * matches all group names.

    • maximumToReturn is an object of type java.lang.Integer that specifies:

      - The maximum number of group names that this method returns. If there are more matches than this maximum, then the returned results are arbitrary because this method does not sort results. If the parameter is set to 0 there is no maximum and all results are returned.

    Signature: String [] { "java.lang.String", "java.lang.Integer" }
    Returns: String
    Exceptions:
    • weblogic.management.utils.InvalidParameterException

    listMemberGroups

    Lists the groups that directly contain a user or a group. Returns a cursor (string). You can use methods from weblogic.management.utils.NameLister (which this MBean extends) to iterate through the returned list.

    Operation Name: "listMemberGroups"
    Parameters: Object [] { memberUserOrGroupName }

    where:

    • memberUserOrGroupName is an object of type java.lang.String that specifies:

      - The name of an existing user or group.

    Signature: String [] { "java.lang.String" }
    Returns: String
    Exceptions:
    • weblogic.management.utils.NotFoundException
    • weblogic.management.utils.InvalidParameterException

    listUsers

    Searches for a user name that matches a pattern.

    This method returns a cursor that you can pass to the methods from weblogic.management.utils.NameListerMBean (which this MBean extends) to iterate through the returned list.

    This method does not sort the results.

    Operation Name: "listUsers"
    Parameters: Object [] { userNameWildcard, maximumToReturn }

    where:

    • userNameWildcard is an object of type java.lang.String that specifies:

      - The pattern for which this method searches. The pattern can end with an * (asterisk) as a wildcard, which matches any string of characters.

      For example, a pattern of abc matches exactly one user name that contains only abc, a pattern of ab* matches all user names that start with ab, and a pattern of * matches all user names.

    • maximumToReturn is an object of type java.lang.Integer that specifies:

      - The maximum number of user names that this method returns. If there are more matches than this maximum, then the returned results are arbitrary because this method does not sort results. If the parameter is set to 0 there is no maximum and all results are returned.

    Signature: String [] { "java.lang.String", "java.lang.Integer" }
    Returns: String
    Exceptions:
    • weblogic.management.utils.InvalidParameterException
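listUsers, listGroups and listGroupMembers return a cursor that is walked with the haveCurrent, getCurrentName, advance and close operations documented above. As an added example (not WebLogic code), the following Python drives that protocol through an `invoke(operation, params, signature)` callable shaped like the JMX MBeanServerConnection.invoke call, using the operation names and signature strings from this page, and releases the cursor with close() even when iteration stops early. `FakeAuthenticator` is a constructed in-memory stand-in so the code runs offline; against a real server the callable would wrap the JMX connection.

```python
"""Walking a NameLister cursor returned by listUsers/listGroups/listGroupMembers.

`invoke(operation, params, signature)` mirrors the shape of the JMX
MBeanServerConnection.invoke(name, operation, params, signature) call; the
operation names and signature strings are the ones documented on this page.
FakeAuthenticator is a constructed stand-in so the example runs offline.
"""
from typing import Callable, Dict, Iterator, List, Sequence

Invoke = Callable[[str, Sequence[object], Sequence[str]], object]
_CURSOR_SIG = ["java.lang.String"]


def iterate_names(invoke: Invoke, list_operation: str,
                  params: Sequence[object], signature: Sequence[str]) -> Iterator[str]:
    """Yield every name behind the cursor that *list_operation* returns.

    The page notes close() is unnecessary once the list is exhausted; it is
    still called in a finally block so a consumer that stops early (or an
    exception mid-walk) does not leave server-side cursor resources behind.
    """
    cursor = invoke(list_operation, params, signature)
    try:
        while invoke("haveCurrent", [cursor], _CURSOR_SIG):
            yield invoke("getCurrentName", [cursor], _CURSOR_SIG)
            invoke("advance", [cursor], _CURSOR_SIG)
    finally:
        invoke("close", [cursor], _CURSOR_SIG)


def list_users(invoke: Invoke, pattern: str = "*", maximum: int = 0) -> List[str]:
    """listUsers(userNameWildcard, maximumToReturn); maximum 0 means no limit."""
    return list(iterate_names(invoke, "listUsers", [pattern, maximum],
                              ["java.lang.String", "java.lang.Integer"]))


class FakeAuthenticator:
    """Constructed in-memory MBean speaking the documented cursor operations."""

    def __init__(self, users: Sequence[str]):
        self._users = list(users)
        self._cursors: Dict[str, list] = {}   # cursor id -> [names, position]
        self._next_id = 0
        self.open_cursors = 0                 # lets a caller verify cleanup

    def invoke(self, operation: str, params: Sequence[object], signature: Sequence[str]):
        if operation == "listUsers":
            pattern, maximum = params
            # Only a trailing * is a wildcard, as the parameter description says.
            prefix = pattern[:-1] if pattern.endswith("*") else None
            names = [u for u in self._users
                     if (u.startswith(prefix) if prefix is not None else u == pattern)]
            if maximum:
                names = names[:maximum]
            cursor = f"cursor-{self._next_id}"
            self._next_id += 1
            self._cursors[cursor] = [names, 0]
            self.open_cursors += 1
            return cursor
        # Cursor operations: an unknown cursor raises KeyError here, standing in
        # for weblogic.management.utils.InvalidCursorException.
        names, pos = self._cursors[params[0]]
        if operation == "haveCurrent":
            return pos < len(names)
        if operation == "getCurrentName":
            return names[pos] if pos < len(names) else None
        if operation == "advance":
            self._cursors[params[0]][1] = pos + 1
            return None
        if operation == "close":
            del self._cursors[params[0]]
            self.open_cursors -= 1
            return None
        raise ValueError(f"unknown operation {operation}")


if __name__ == "__main__":
    fake = FakeAuthenticator(["alice", "albert", "bob"])
    print(list_users(fake.invoke, "al*"), "open cursors:", fake.open_cursors)
```

Because the list operations do not sort and a non-zero maximumToReturn truncates arbitrarily, an audit that needs every account should pass 0 and walk the cursor to exhaustion rather than trust the first N names.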

    resetUserPassword

    Used by an administrator to change a user's password.

    Operation Name: "resetUserPassword"
    Parameters: Object [] { userName, newPassword }

    where:

    • userName is an object of type java.lang.String that specifies:

      - The name of an existing user.

    • newPassword is an object of type java.lang.String that specifies:

      - The new password for the user. The Authentication provider determines the syntax requirements for passwords.

    Signature: String [] { "java.lang.String", "java.lang.String" }
    Returns: void
    Exceptions:
    • weblogic.management.utils.NotFoundException
    • weblogic.management.utils.InvalidParameterException

    unSet

    Restores the given property to its default value.

    Operation Name: "unSet"
    Parameters: Object [] { propertyName }

    where:

    • propertyName is an object of type java.lang.String that specifies:

      - The property to restore.

    Signature: String [] { "java.lang.String" }
    Returns: void
    Exceptions:
    • java.lang.IllegalArgumentException
    • UnsupportedOperationException if called on a runtime implementation.

    userExists

    Indicates whether the specified user exists.

    Operation Name: "userExists"
    Parameters: Object [] { userName }

    where:

    • userName is an object of type java.lang.String that specifies:

      - The name that this method evaluates.

    Signature: String [] { "java.lang.String" }
    Returns: boolean
    Exceptions:
    • weblogic.management.utils.InvalidParameterException

    wls_getDisplayName

    Returns the display name of an MBean.

    Deprecated: 9.0.0.0

    Operation Name: "wls_getDisplayName"
    Parameters: null
    Signature: null
    Returns: String