OpenLDAPAuthenticatorMBean


Overview  |   Related MBeans  |   Attributes  |   Operations

Overview

This MBean specifies the LDAP schema definitions for the Open LDAP Authentication provider.

   
Fully Qualified Interface NameIf you use the getMBeanInfo operation in MBeanTypeServiceMBean, supply the following value as this MBean's fully qualified interface name:
weblogic.security.providers.authentication.OpenLDAPAuthenticatorMBean
Factory Methods No factory methods. Instances of this MBean are created automatically.
Access Points Inherited from AuthenticationProviderMBean Because this MBean extends or implements AuthenticationProviderMBean, you can also access this MBean by retrieving AuthenticationProviderMBeans. The following attributes contain AuthenticationProviderMBeans and its subtypes:


    Related MBeans

    This section describes attributes that provide access to other MBeans.


      Realm

      Returns the realm that contains this security provider. Returns null if this security provider is not contained by a realm.

             
      Privileges Read only
      TypeRealmMBean
      Relationship type: Reference.


      Attributes

      This section describes the following attributes:


      AllGroupsFilter

      An LDAP search filter for finding all groups beneath the base group distinguished name (DN). If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the Group schema.

             
      Privileges Read/Write
      Typejava.lang.String

      AllUsersFilter

      An LDAP search filter for finding all users beneath the base user distinguished name (DN). If the attribute (user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.

             
      Privileges Read/Write
      Typejava.lang.String

      BindAnonymouslyOnReferrals

      Returns whether to anonymously bind when following referrals within the LDAP directory. If set to false, then the current Principal and Credential will be used.

             
      Privileges Read/Write
      Typeboolean

      CacheEnabled

      Returns whether to cache LDAP requests with the LDAP server.

             
      Privileges Read/Write
      Typeboolean
      Default Valuetrue

      CacheSize

      Returns the size of the cache in K.

             
      Privileges Read/Write
      Typeint
      Default Value32
      Minimum value0

      CacheTTL

      Returns the time-to-live (TTL) of the cache in seconds.

             
      Privileges Read/Write
      Typeint
      Default Value60
      Minimum value0

      ConnectionPoolSize

      The LDAP connection pool size. Default is 6.

             
      Privileges Read/Write
      Typeint
      Default Value6

      ConnectionRetryLimit

      Specifies the number of times to attempt to connect to the LDAP server if the initial connection failed.

             
      Privileges Read/Write
      Typeint
      Default Value1

      ConnectTimeout

      Returns the maximum number of seconds to wait for the LDAP connection to be established. If set to 0, there is no maximum time limit.

             
      Privileges Read/Write
      Typeint
      Default Value0

      ControlFlag

      Returns how the login sequence uses the Authentication provider.

      A REQUIRED value specifies this LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers. This setting is the default.

      A REQUISITE value specifies this LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, control is return to the application.

      A SUFFICIENT value specifies this LoginModule need not succeed. If it does succeed, return control to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.

      An OPTIONAL value specifies this LoginModule need not succeed. Whether it succeeds or fails, authentication proceeds down the LoginModule list.

             
      Privileges Read/Write
      Typejava.lang.String
      Default ValueREQUIRED
      Legal Values
      • REQUIRED
      • REQUISITE
      • SUFFICIENT
      • OPTIONAL

      Credential

      The credential (generally a password) used to authenticate the LDAP user that is defined in the Principal attribute.

             
      Privileges Read/Write
      Typejava.lang.String
      Encryptedtrue

      CredentialEncrypted

             
      Privileges Read/Write
      Typebyte[]
      Encryptedtrue

      Description

      A short description of the LDAP Authentication provider.

             
      Privileges Read only
      Typejava.lang.String
      Default ValueProvider that performs LDAP authentication
      Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

      DynamicGroupNameAttribute

      The attribute of a dynamic LDAP group object that specifies the name of the group.

             
      Privileges Read/Write
      Typejava.lang.String

      DynamicGroupObjectClass

      The LDAP object class that stores dynamic groups.

             
      Privileges Read/Write
      Typejava.lang.String

      DynamicMemberURLAttribute

      The attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group.

             
      Privileges Read/Write
      Typejava.lang.String

      EnableGroupMembershipLookupHierarchyCaching

      Sets whether to cache group membership hierarchies found during recursive membership lookup. If true, each subtree found will be cached. This overwrites the default value defined in GroupMembershipHierarchyCacheMBean.

             
      Privileges Read/Write
      Typejava.lang.Boolean
      Default Valuetrue

      FollowReferrals

      Returns whether referrals will automatically be followed within the LDAP Directory. If set to false, then a Referral exception will be thrown when referrals are encountered during LDAP requests.

             
      Privileges Read/Write
      Typeboolean
      Default Valuetrue

      GroupBaseDN

      The base distinguished name (DN) of the tree in the LDAP directory that contains groups.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valueou=groups, dc=example, dc=com

      GroupFromNameFilter

      An LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Value(&(cn=%g)(objectclass=groupofnames))

      GroupHierarchyCacheTTL

      Returns the maximum number of seconds a group membership hierarchy entry is valid in the LRU cache.

             
      Privileges Read/Write
      Typejava.lang.Integer
      Default Value60

      GroupMembershipSearching

      Specifies whether group searches into nested groups are unlimited or limited. Valid values are unlimited and limited.

      For configurations that use only the first level of nested group hierarchy, this attribute allows improved performance during user searches by limiting the search to the first level of the group. If a limited search is specified, the Max Group Membership Search Level attribute must be specified. If an unlimited search is specified, the Max Group Membership Search Level attribute is ignored.

      Note that when Use Token Groups For Group Membership Lookup is used during authentication, all the groups are returned in a single call, and the recursion limits and depth limits do not apply. They will apply in management operations.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valueunlimited
      Legal Values
      • unlimited
      • limited

      GroupSearchScope

      Specifies how deep in the LDAP directory tree to search for groups. Valid values are subtree and onelevel.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valuesubtree
      Legal Values
      • subtree
      • onelevel

      GuidAttribute

      Specifies the name of the GUID attribute defined in the OpenLDAP Directory Services LDAP server. The default value is entryuuid.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valueentryuuid

      Host

      Returns the host name or IP address of the LDAP server.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valuelocalhost

      IgnoreDuplicateMembership

      Determines whether duplicate members are ignored when adding groups. The attribute cycles in the Group membership.

             
      Privileges Read/Write
      Typejava.lang.Boolean

      KeepAliveEnabled

      Specifies whether to prevent LDAP connections from timing out.

             
      Privileges Read/Write
      Typeboolean

      MaxGroupHierarchiesInCache

      Returns the maximum size of the LRU cache for holding group membership hierarchies if caching is enabled.

             
      Privileges Read/Write
      Typejava.lang.Integer
      Default Value100

      MaxGroupMembershipSearchLevel

      Specifies how many levels of group membership can be searched. This setting is valid only if GroupMembershipSearching is set to limited. Valid values are 0 and positive integers. For example, 0 indicates only direct group memberships will be found, and a positive number indicates the number of levels to search.

      Possible values are:

      0 - Indicates only direct groups will be found. That is, when searching for membership in Group A, only direct members of Group A will be found. If Group B is a member of Group A, the members will not be found by this search.

      Any positive number - Indicates the number of levels to search. For example, if this attribute is set to 1, a search for membership in Group A will return direct members of Group A. If Group B is a member of Group A, the members of Group B will also be found by this search. However, if Group C is a member of Group B, the members of Group C will not be found by this search.

      Note that when Use Token Groups For Group Membership Lookup is used during authentication, all the groups are returned in a single call, and the recursion limits and depth limits do not apply. They will apply in management operations.

             
      Privileges Read/Write
      Typejava.lang.Integer
      Default Value0

      Name

             
      Privileges Read only
      Typejava.lang.String
      Default ValueOpenLDAPAuthenticator
      Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

      ParallelConnectDelay

      Returns the number of seconds to delay when making concurrent attempts to connect to multiple servers.

      If set to 0, connection attempts are serialized. An attempt is made to connect to the first server in the list. The next entry in the list is tried only if the attempt to connect to the current host fails. This might cause your application to block for unacceptably long time if a host is down. If set to greater than 0, another connection setup thread is started after this number of delay seconds has passed.

             
      Privileges Read/Write
      Typeint
      Default Value0

      Port

      Returns the port number on which the LDAP server is listening.

             
      Privileges Read/Write
      Typeint
      Default Value389
      Minimum value1
      Maximum value65534

      Principal

      Returns the Distinguished Name (DN) of the LDAP user that is used by WebLogic Server to connect to the LDAP server.

             
      Privileges Read/Write
      Typejava.lang.String

      PropagateCauseForLoginException

      No description provided.

             
      Privileges Read/Write
      Typeboolean

      ProviderClassName

      The name of the Java class used to load the LDAP Authentication provider.

             
      Privileges Read only
      Typejava.lang.String
      Default Valueweblogic.security.providers.authentication.LDAPAuthenticationProviderImpl
      Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

      ResultsTimeLimit

      Returns the maximum number of milliseconds to wait for results before timing out. If set to 0, there is no maximum time limit.

             
      Privileges Read/Write
      Typeint
      Default Value0

      SSLEnabled

      Returns whether SSL will be used to connect to the LDAP server.

             
      Privileges Read/Write
      Typeboolean

      StaticGroupDNsfromMemberDNFilter

      An LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP broups that contain that member.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Value(&(member=%M)(objectclass=groupofnames))

      StaticGroupNameAttribute

      The attribute of a static LDAP group object that specifies the name of the group.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valuecn

      StaticGroupObjectClass

      The name of the LDAP object class that stores static groups.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valuegroupofnames

      StaticMemberDNAttribute

      The attribute of an LDAP static group object that specifies the distinguished names (DNs) of the members of the group.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valuemember

      UserBaseDN

      The base distinguished name (DN) of the tree in the LDAP directory that contains users.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valueou=people, dc=example, dc=com

      UserDynamicGroupDNAttribute

      The attribute of an LDAP user object that specifies the distinguished names (DNs) of dynamic groups to which this user belongs. If such an attribute does not exist, WebLogic Server determines if a user is a member of a group by evaluating the URLs on the dynamic group. If a group contains other groups, WebLogic Server evaluates the URLs on any of the descendents (indicates parent relationship) of the group.

             
      Privileges Read/Write
      Typejava.lang.String

      UseRetrievedUserNameAsPrincipal

      Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal in the Subject.

             
      Privileges Read/Write
      Typejava.lang.Boolean

      UserFromNameFilter

      An LDAP search filter for finding a user given the name of the user. If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Value(&(cn=%u)(objectclass=person))

      UserNameAttribute

      The attribute of an LDAP user object that specifies the name of the user.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valuecn

      UserObjectClass

      The LDAP object class that stores users.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valueperson

      UserSearchScope

      Specifies how deep in the LDAP directory tree to search for Users. Valid values are subtree and onelevel.

             
      Privileges Read/Write
      Typejava.lang.String
      Default Valuesubtree
      Legal Values
      • subtree
      • onelevel

      Version

      The version number of the LDAP Authentication provider.

             
      Privileges Read only
      Typejava.lang.String
      Default Value1.0
      Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.


      Operations

      This section describes the following operations:


      advance

      Advances the list to the next element in the list.

         
      Operation Name"advance"
      ParametersObject [] {  cursor }

      where:

      • cursor is an object of type java.lang.String that specifies:

        - The cursor returned from a previous list method.

      SignatureString [] { "java.lang.String" }
      Returns void
      Exceptions
      • weblogic.management.utils.InvalidCursorException

      changeUserPassword

      Used by a user to change his or her password.

      Note: The user needs administrator privileges to change passwords. To devise a means to enable users without administrator privileges to change their own passwords, you can implement a servlet that uses the run-as deployment descriptor element to access the Administrator role for invoking the changeUserPassword operation via the MBean server. This servlet should be protected by a security policy and should require a login, and it can then be made available to end users for changing their passwords.

         
      Operation Name"changeUserPassword"
      ParametersObject [] {  userNameoldPasswordnewPassword }

      where:

      • userName is an object of type java.lang.String that specifies:

        - The name of an existing user.

      • oldPassword is an object of type java.lang.String that specifies:

        - The current password for the user.

      • newPassword is an object of type java.lang.String that specifies:

        - The new password for the user. The Authentication provider determines the syntax requirements for passwords.

      SignatureString [] { "java.lang.String", "java.lang.String", "java.lang.String" }
      Returns void
      Exceptions
      • weblogic.management.utils.NotFoundException
      • weblogic.management.utils.InvalidParameterException

      close

      Indicates that the caller is finished using the list, and that the resources held on behalf of the list may be released. If the caller traverses through all the elements in the list, the caller need not call this method. In other words, it is used to let the caller close the list without reading each element that is returned.

         
      Operation Name"close"
      ParametersObject [] {  cursor }

      where:

      • cursor is an object of type java.lang.String that specifies:

        - The cursor returned from a previous list method.

      SignatureString [] { "java.lang.String" }
      Returns void
      Exceptions
      • weblogic.management.utils.InvalidCursorException

      getCurrentName

      The name of the current item in the list. Returns null if there is no current item.

         
      Operation Name"getCurrentName"
      ParametersObject [] {  cursor }

      where:

      • cursor is an object of type java.lang.String that specifies:

        - The cursor returned from a previous list method.

      SignatureString [] { "java.lang.String" }
      ReturnsString
      Exceptions
      • weblogic.management.utils.InvalidCursorException

      getGroupDescription

      Gets a group's description.

         
      Operation Name"getGroupDescription"
      ParametersObject [] {  groupName }

      where:

      • groupName is an object of type java.lang.String that specifies:

        - The name of an existing group.

      SignatureString [] { "java.lang.String" }
      ReturnsString
      Exceptions
      • weblogic.management.utils.NotFoundException
      • weblogic.management.utils.InvalidParameterException

      getUserDescription

      Gets a user's description.

         
      Operation Name"getUserDescription"
      ParametersObject [] {  userName }

      where:

      • userName is an object of type java.lang.String that specifies:

        - The name of an existing user.

      SignatureString [] { "java.lang.String" }
      ReturnsString
      Exceptions
      • weblogic.management.utils.NotFoundException
      • weblogic.management.utils.InvalidParameterException

      groupExists

      Indicates whether the specified group exists.

         
      Operation Name"groupExists"
      ParametersObject [] {  groupName }

      where:

      • groupName is an object of type java.lang.String that specifies:

        - The name that this method evaluates.

      SignatureString [] { "java.lang.String" }
      Returns boolean
      Exceptions
      • weblogic.management.utils.InvalidParameterException

      haveCurrent

      Returns true if there are more objects in the list, and false otherwise.

         
      Operation Name"haveCurrent"
      ParametersObject [] {  cursor }

      where:

      • cursor is an object of type java.lang.String that specifies:

        - The cursor returned from a previous list method.

      SignatureString [] { "java.lang.String" }
      Returns boolean
      Exceptions
      • weblogic.management.utils.InvalidCursorException

      isMember

      Indicates whether a user or group is a member of the group that you specify. A recursive search returns true if the member belongs to the group that you specify or to any of the groups contained within that group."

         
      Operation Name"isMember"
      ParametersObject [] {  parentGroupNamememberUserOrGroupNamerecursive }

      where:

      • parentGroupName is an object of type java.lang.String that specifies:

        - The existing group within which this method searches for membership.

      • memberUserOrGroupName is an object of type java.lang.String that specifies:

        - The user or group name for which this method searches.

      • recursive is an object of type java.lang.Boolean that specifies:

        - If set to true, the criteria for membership extends to any groups within the group that is specified by parentGroupName.

        If this argument is set to false, then this method checks only for direct membership within the parentGroupName.

      SignatureString [] { "java.lang.String", "java.lang.String", "java.lang.Boolean" }
      Returns boolean
      Exceptions
      • weblogic.management.utils.NotFoundException
      • weblogic.management.utils.InvalidParameterException

      isSet

      Returns true if the specified attribute has been set explicitly in this MBean instance.

         
      Operation Name"isSet"
      ParametersObject [] {  propertyName }

      where:

      • propertyName is an object of type java.lang.String that specifies:

        property to check

      SignatureString [] { "java.lang.String" }
      Returns boolean
      Exceptions
      • java.lang.IllegalArgumentException

      listGroupMembers

      Searches within a group for user and group (member) names that match a pattern. Returns a cursor (string). You can use methods from weblogic.management.utils.NameLister (which this MBean extends) to iterate through the returned list.

      This method does not sort the results or distinguish user and group names. You can use the groupExists method to determine whether a name refers to an existing group.

         
      Operation Name"listGroupMembers"
      ParametersObject [] {  groupNamememberUserOrGroupNameWildcardmaximumToReturn }

      where:

      • groupName is an object of type java.lang.String that specifies:

        - The existing group within which this method searches for members.

      • memberUserOrGroupNameWildcard is an object of type java.lang.String that specifies:

        - The pattern for which this method searches The pattern can end with an * (asterisk) as a wildcard, which matches any string of characters. ' *

        For example, a pattern of abc matches exactly one name that contains only abc, a pattern of ab* matches all user and group names that start with ab, and a pattern of * matches all user and group names.

      • maximumToReturn is an object of type java.lang.Integer that specifies:

        - The maximum number of user and group names that this method returns. If there are more matches than this maximum, then the returned results are arbitrary because this method does not sort results. If this parameter is set to 0, all results are returned.

      SignatureString [] { "java.lang.String", "java.lang.String", "java.lang.Integer" }
      ReturnsString
      Exceptions
      • weblogic.management.utils.NotFoundException
      • weblogic.management.utils.InvalidParameterException

      listGroups

      Searches for a user name that matches a pattern.

      This method returns a cursor that you can pass to the methods from weblogic.management.utils.NameListerMBean (which this MBean extends) to iterate through the returned list.

      This method does not sort the results.

         
      Operation Name"listGroups"
      ParametersObject [] {  groupNameWildcardmaximumToReturn }

      where:

      • groupNameWildcard is an object of type java.lang.String that specifies:

        -

        The pattern for which this method searches. The pattern can end with an * (asterisk) as a wildcard, which matches any string of characters.

        For example, a pattern of abc matches exactly one group name that contains only abc, a pattern of ab* matches all group names that start with ab, and a pattern of * matches all group names.

      • maximumToReturn is an object of type java.lang.Integer that specifies:

        - The maximum number of group names that this method returns. If there are more matches than this maximum, then the returned results are arbitrary because this method does not sort results. If the parameter is set to 0 there is no maximum and all results are returned.

      SignatureString [] { "java.lang.String", "java.lang.Integer" }
      ReturnsString
      Exceptions
      • weblogic.management.utils.InvalidParameterException

      listMemberGroups

      Lists the groups that directly contain a user or a group. Returns a cursor (string).You can use methods from weblogic.management.utils.NameLister (which this MBean extends) to iterate through the returned list.

         
      Operation Name"listMemberGroups"
      ParametersObject [] {  memberUserOrGroupName }

      where:

      • memberUserOrGroupName is an object of type java.lang.String that specifies:

        - The name of an existing user or group.

      SignatureString [] { "java.lang.String" }
      ReturnsString
      Exceptions
      • weblogic.management.utils.NotFoundException
      • weblogic.management.utils.InvalidParameterException

      listUsers

      Searches for a user name that matches a pattern.

      This method returns a cursor that you can pass to the methods from weblogic.management.utils.NameListerMBean (which this MBean extends) to iterate through the returned list.

      This method does not sort the results.

         
      Operation Name"listUsers"
      ParametersObject [] {  userNameWildcardmaximumToReturn }

      where:

      • userNameWildcard is an object of type java.lang.String that specifies:

        - The pattern for which this method searches. The pattern can end with an * (asterisk) as a wildcard, which matches any string of characters.

        For example, a pattern of abc matches exactly one user name that contains only abc, a pattern of ab* matches all user names that start with ab, and a pattern of * matches all user names.

      • maximumToReturn is an object of type java.lang.Integer that specifies:

        - The maximum number of user names that this method returns. If there are more matches than this maximum, then the returned results are arbitrary because this method does not sort results. If the parameter is set to 0 there is no maximum and all results are returned.

      SignatureString [] { "java.lang.String", "java.lang.Integer" }
      ReturnsString
      Exceptions
      • weblogic.management.utils.InvalidParameterException

      resetUserPassword

      Used by an administrator to change a user's password.

         
      Operation Name"resetUserPassword"
      ParametersObject [] {  userNamenewPassword }

      where:

      • userName is an object of type java.lang.String that specifies:

        - The name of an existing user.

      • newPassword is an object of type java.lang.String that specifies:

        - The new password for the user. The Authentication provider determines the syntax requirements for passwords.

      SignatureString [] { "java.lang.String", "java.lang.String" }
      Returns void
      Exceptions
      • weblogic.management.utils.NotFoundException
      • weblogic.management.utils.InvalidParameterException

      unSet

      Restore the given property to its default value.

         
      Operation Name"unSet"
      ParametersObject [] {  propertyName }

      where:

      • propertyName is an object of type java.lang.String that specifies:

        property to restore

      SignatureString [] { "java.lang.String" }
      Returns void
      Exceptions
      • java.lang.IllegalArgumentException
        UnsupportedOperationException if called on a runtime implementation.

      userExists

      Indicates whether the specified user exists.

         
      Operation Name"userExists"
      ParametersObject [] {  userName }

      where:

      • userName is an object of type java.lang.String that specifies:

        - The name that this method evaluates.

      SignatureString [] { "java.lang.String" }
      Returns boolean
      Exceptions
      • weblogic.management.utils.InvalidParameterException

      wls_getDisplayName

      Returns the display name of an MBean.

      Deprecated 9.0.0.0

         
      Operation Name"wls_getDisplayName"
      Parametersnull
      Signaturenull
      ReturnsString