
tessl/maven-com-unboundid--unboundid-ldapsdk

Comprehensive Java LDAP SDK providing full LDAPv3 protocol support, connection pooling, schema handling, and persistence framework for LDAP directory operations.


Authentication and Security

Comprehensive authentication mechanisms including simple bind, SASL authentication, SSL/TLS support, and security configuration for LDAP connections.

Capabilities

Basic Authentication

Simple Bind

Standard username/password authentication using simple bind. The password travels in cleartext inside the bind request, so simple bind must only be used over LDAPS or after a successful StartTLS.

/**
 * Simple bind (RFC 4513): the bind DN and password are sent to the server as-is.
 *
 * Security notes:
 *  - The password is carried in cleartext inside the bind request; only use it
 *    over LDAPS or after a successful StartTLS.
 *  - Prefer the byte[] constructor so the credential can be wiped after use;
 *    a String password lingers in the heap until garbage-collected.
 *  - A non-empty DN with an EMPTY password is an "unauthenticated" bind
 *    (RFC 4513 section 5.1.2) that some servers treat as anonymous -- see
 *    LDAPConnectionOptions.setBindWithDNRequiresPassword.
 */
public class SimpleBindRequest extends BindRequest {
    public SimpleBindRequest(String bindDN, String password);
    public SimpleBindRequest(String bindDN, byte[] password);
    public SimpleBindRequest(String bindDN, String password, Control... controls);
    
    public String getBindDN();
    public ASN1OctetString getPassword();   // raw credential; never log it
}

/**
 * Perform a simple bind with the given DN and password on this connection.
 *
 * Per LDAP semantics a successful bind sets the authorization identity used by
 * every subsequent operation on the connection; a later bind replaces it.
 * The password is sent in cleartext, so the connection should already be
 * TLS-protected when this is called.
 * @param bindDN The DN to bind as (empty DN and empty password = anonymous)
 * @param password The password (empty password with a non-empty DN = unauthenticated bind)
 * @return Bind result
 * @throws LDAPException if authentication fails (e.g. ResultCode.INVALID_CREDENTIALS)
 */
public BindResult bind(String bindDN, String password) throws LDAPException;

/**
 * Perform a bind using a prepared request (SimpleBindRequest or any of the
 * SASL mechanisms below). For multi-step SASL mechanisms the SDK presumably
 * drives the whole exchange before returning. The request object carries the
 * credential, so do not keep it around longer than necessary.
 * @param bindRequest Complete bind request
 * @return Bind result
 * @throws LDAPException if authentication fails
 */
public BindResult bind(BindRequest bindRequest) throws LDAPException;

Anonymous Bind

/**
 * Anonymous bind: no credentials, no identity. Useful only for reading data
 * the directory exposes to everyone; every subsequent operation on this
 * connection runs with anonymous privileges until a later successful bind
 * replaces them. Many servers disable anonymous access, in which case this fails.
 * @return Bind result
 * @throws LDAPException if bind fails
 */
public BindResult bind() throws LDAPException;

/**
 * ANONYMOUS SASL mechanism (RFC 4505) -- the explicit form of an anonymous bind.
 * The optional trace string is sent to the server in cleartext and typically
 * ends up in its logs: never put anything sensitive, or anything the server is
 * expected to trust, in it.
 */
public class ANONYMOUSBindRequest extends SASLBindRequest {
    public ANONYMOUSBindRequest();
    public ANONYMOUSBindRequest(String trace);
    public ANONYMOUSBindRequest(Control... controls);
}

SASL Authentication

Base SASL Framework

/**
 * Base class for SASL bind requests (RFC 4422).
 *
 * Quality of protection (QoP) controls whether the mechanism also negotiates a
 * security layer for the traffic AFTER the bind. Only mechanisms that support
 * a security layer (e.g. GSSAPI, DIGEST-MD5) can honour it; for the others
 * (PLAIN, SCRAM, EXTERNAL, OAUTHBEARER) confidentiality must come from TLS.
 * The default allowed QoP is not shown on this page -- check getAllowedQoP().
 */
public abstract class SASLBindRequest extends BindRequest {
    public abstract String getSASLMechanismName();
    // NOTE(review): the getter returns a single value while the setter accepts
    // several; verify the real return type against the SDK Javadoc.
    public SASLQualityOfProtection getAllowedQoP();
    // Restrict to AUTH_CONF to require an encrypted security layer where the
    // mechanism supports one; the bind should then fail rather than downgrade.
    public void setAllowedQoP(SASLQualityOfProtection... allowedQoP);
}

/**
 * SASL quality of protection (RFC 2831 / RFC 4752 terms) for the traffic that
 * follows a successful bind.
 */
public enum SASLQualityOfProtection {
    AUTH("auth"),           // authentication only; later messages are unprotected
    AUTH_INT("auth-int"),   // adds a per-message integrity check (no encryption)
    AUTH_CONF("auth-conf"); // integrity plus encryption of each message
}

CRAM-MD5 Authentication (legacy; prefer SCRAM)

/**
 * CRAM-MD5 SASL bind (RFC 2195): HMAC-MD5 challenge/response.
 *
 * Legacy mechanism; avoid for new deployments. The password itself is not
 * transmitted, but: the server must hold it in cleartext (or an equivalent
 * reversible form); there is no mutual authentication and no security layer,
 * so an active attacker can still hijack the session unless TLS is used; and a
 * captured exchange is an offline-guessable HMAC-MD5 of the password.
 * Prefer SCRAM-SHA-256, or PLAIN/simple bind over TLS.
 */
public class CRAMMD5BindRequest extends SASLBindRequest {
    public CRAMMD5BindRequest(String authenticationID, String password);
    public CRAMMD5BindRequest(String authenticationID, byte[] password);
    public CRAMMD5BindRequest(String authenticationID, String password, Control... controls);
    
    public String getAuthenticationID();   // a username, not a DN; the server resolves it
    public String getSASLMechanismName(); // Returns "CRAM-MD5"
}

DIGEST-MD5 Authentication (obsolete per RFC 6331; prefer SCRAM or GSSAPI)

/**
 * DIGEST-MD5 SASL bind (RFC 2831), moved to Historic status by RFC 6331 because
 * of interoperability problems and cryptographic weakness (MD5).
 *
 * Like CRAM-MD5 it avoids sending the password but requires the server to keep
 * a password-equivalent (the MD5 of "user:realm:password"), so a directory
 * breach exposes reusable credentials. It can negotiate an integrity or
 * confidentiality layer (see setAllowedQoP), but prefer SCRAM or GSSAPI, over
 * TLS, for anything new.
 */
public class DIGESTMD5BindRequest extends SASLBindRequest {
    public DIGESTMD5BindRequest(String authenticationID, String password);
    // authorizationID requests proxy authorization: act as another identity.
    // The server must explicitly permit the authenticated user to do so.
    public DIGESTMD5BindRequest(String authenticationID, String authorizationID, String password);
    // realm selects which of the server's realms the credential belongs to.
    public DIGESTMD5BindRequest(String authenticationID, String authorizationID, byte[] password, String realm);
    
    public String getAuthenticationID();
    public String getAuthorizationID();
    public String getRealm();
    public String getSASLMechanismName(); // Returns "DIGEST-MD5"
}

GSSAPI/Kerberos Authentication

/**
 * GSSAPI SASL bind (RFC 4752), in practice Kerberos v5. The LDAP server must
 * have a service principal of the form protocol/host@REALM
 * (e.g. ldap/ldap.example.com@EXAMPLE.COM).
 *
 * Credential sources, by constructor:
 *  - (authenticationID [, authorizationID]): presumably uses an existing ticket
 *    cache / JAAS login, so the application never handles a password.
 *  - (..., password, realm, kdcAddress): presumably obtains tickets with the
 *    password, which is then in application memory; unattended services should
 *    prefer a keytab or ticket cache.
 * GSSAPI (like DIGEST-MD5) can negotiate its own security layer, see
 * setAllowedQoP on SASLBindRequest; without AUTH_CONF, or TLS, the operations
 * after the bind are unencrypted.
 */
public class GSSAPIBindRequest extends SASLBindRequest {
    public GSSAPIBindRequest(String authenticationID);
    public GSSAPIBindRequest(String authenticationID, String authorizationID);
    // kdcAddress overrides KDC discovery; it must come from trusted
    // configuration, since an attacker-chosen KDC undermines the whole login.
    public GSSAPIBindRequest(String authenticationID, String authorizationID, String kdcAddress);
    public GSSAPIBindRequest(String authenticationID, String authorizationID, String password, String realm, String kdcAddress);
    
    public String getAuthenticationID();
    public String getAuthorizationID();   // proxy identity; the server must authorize the mapping
    public String getRealm();
    public String getKDCAddress();
    public String getSASLMechanismName(); // Returns "GSSAPI"
    
    // Kerberos-specific configuration
    public void setConfigFilePath(String configFilePath);       // krb5.conf; readable but not writable by the app user
    public void setJAASClientName(String jaasClientName);
    public void setServicePrincipalProtocol(String protocol);   // service part of the server SPN, normally "ldap"
    public void setTicketCachePath(String ticketCachePath);     // ccache holds live tickets; restrict file permissions
    public void setUseKeyTab(boolean useKeyTab);
    public void setKeyTabPath(String keyTabPath);               // a keytab is a long-lived secret equivalent to the password
}

OAuth Bearer Authentication

/**
 * OAUTHBEARER SASL bind (RFC 7628): the client presents an OAuth 2.0 bearer
 * access token instead of a password.
 *
 * A bearer token is a credential in its own right -- whoever holds it can use
 * it -- so it must only travel over TLS, should be short-lived, and must not be
 * logged. Tokens expire, so a long-lived bind request holding a fixed token
 * (e.g. in a connection pool) will start failing; obtain a fresh token per bind.
 */
public class OAUTHBEARERBindRequest extends SASLBindRequest {
    public OAUTHBEARERBindRequest(String authenticationID, String accessToken);
    public OAUTHBEARERBindRequest(String authenticationID, String authorizationID, String accessToken);
    // NOTE(review): authorizationID and authzID look redundant in this
    // signature; verify the real parameter list against the SDK Javadoc.
    public OAUTHBEARERBindRequest(String authenticationID, String authorizationID, String accessToken, String authzID, Control... controls);
    
    public String getAuthenticationID();
    public String getAuthorizationID();
    public String getAccessToken();       // secret; do not log
    public String getSASLMechanismName(); // Returns "OAUTHBEARER"
}

EXTERNAL Authentication

/**
 * EXTERNAL SASL bind (RFC 4422, Appendix A): asks the server to authenticate
 * the client from credentials established outside LDAP -- with this SDK, the
 * TLS client certificate presented during the handshake.
 *
 * Preconditions: the connection must be TLS with a KeyManager holding the
 * client certificate (see SSLUtil), the server must have requested and
 * validated that certificate, and the server must have a rule mapping the
 * certificate subject to a directory entry. What happens on a connection
 * without a verified client certificate (failure or an anonymous identity)
 * is server-dependent -- check the BindResult.
 */
public class EXTERNALBindRequest extends SASLBindRequest {
    public EXTERNALBindRequest();
    // authorizationID requests an identity other than the certificate's own
    // (proxy authorization); the server must explicitly permit it.
    public EXTERNALBindRequest(String authorizationID);
    public EXTERNALBindRequest(String authorizationID, Control... controls);
    
    public String getAuthorizationID();
    public String getSASLMechanismName(); // Returns "EXTERNAL"
}

PLAIN Authentication

/**
 * PLAIN SASL bind (RFC 4616): authentication ID, optional authorization ID and
 * password are sent as one cleartext string.
 *
 * Security-wise this is equivalent to a simple bind: only use it over LDAPS or
 * after StartTLS. Its advantages over simple bind are that the user is named by
 * an identifier the server resolves rather than a full DN, and that a separate
 * authorization ID (proxy authorization) is supported.
 */
public class PLAINBindRequest extends SASLBindRequest {
    public PLAINBindRequest(String authenticationID, String password);
    public PLAINBindRequest(String authenticationID, String authorizationID, String password);
    public PLAINBindRequest(String authenticationID, String authorizationID, byte[] password, Control... controls);
    
    public String getAuthenticationID();
    public String getAuthorizationID();
    public String getSASLMechanismName(); // Returns "PLAIN"
}

SCRAM Authentication

SCRAM (Salted Challenge Response Authentication Mechanism, RFC 5802 / RFC 7677) family. The password is never transmitted, the server stores only a salted, iterated hash, and the server proves knowledge of the credential back to the client (mutual authentication), which makes SCRAM the preferred password-based mechanism. The variants listed here are the non-"-PLUS" forms without TLS channel binding, so TLS is still required to protect the session after the bind.

/**
 * Base class for SCRAM SASL bind requests (RFC 5802).
 *
 * Why it is stronger than the MD5 mechanisms and PLAIN: the password never
 * leaves the client, the server stores only a salted, iterated hash, and the
 * server's final message proves it knows the stored credential (mutual
 * authentication). These are the non-"-PLUS" variants without channel
 * binding, so TLS is still needed to protect the session after the bind.
 */
public abstract class SCRAMBindRequest extends SASLBindRequest {
    public SCRAMBindRequest(String authenticationID, String password);
    // authorizationID = proxy authorization; the server must permit it.
    public SCRAMBindRequest(String authenticationID, String authorizationID, String password);
    // byte[] password can be wiped by the caller after the bind.
    public SCRAMBindRequest(String authenticationID, String authorizationID, byte[] password, Control... controls);
    
    public String getAuthenticationID();
    public String getAuthorizationID();
    public abstract String getSASLMechanismName();
}

/**
 * SCRAM-SHA-1 (RFC 5802). SHA-1 inside HMAC/PBKDF2 is not broken in this use,
 * but this variant exists mainly for servers that lack SHA-256; prefer
 * SCRAM-SHA-256 or SCRAM-SHA-512 when the server supports them.
 */
public class SCRAMSHA1BindRequest extends SCRAMBindRequest {
    public SCRAMSHA1BindRequest(String authenticationID, String password);
    public SCRAMSHA1BindRequest(String authenticationID, String authorizationID, String password);
    public SCRAMSHA1BindRequest(String authenticationID, String authorizationID, byte[] password, Control... controls);
    
    public String getSASLMechanismName(); // Returns "SCRAM-SHA-1"
}

/**
 * SCRAM-SHA-256 (RFC 7677): the recommended password-based mechanism, widely
 * supported by current directory servers.
 */
public class SCRAMSHA256BindRequest extends SCRAMBindRequest {
    public SCRAMSHA256BindRequest(String authenticationID, String password);
    public SCRAMSHA256BindRequest(String authenticationID, String authorizationID, String password);
    public SCRAMSHA256BindRequest(String authenticationID, String authorizationID, byte[] password, Control... controls);
    
    public String getSASLMechanismName(); // Returns "SCRAM-SHA-256"
}

/**
 * SCRAM-SHA-512: same construction as SCRAM-SHA-256 with a larger hash. Less
 * widely supported by servers than the SHA-256 variant; confirm the server
 * advertises it (supportedSASLMechanisms in the root DSE) before relying on it.
 */
public class SCRAMSHA512BindRequest extends SCRAMBindRequest {
    public SCRAMSHA512BindRequest(String authenticationID, String password);
    public SCRAMSHA512BindRequest(String authenticationID, String authorizationID, String password);
    public SCRAMSHA512BindRequest(String authenticationID, String authorizationID, byte[] password, Control... controls);
    
    public String getSASLMechanismName(); // Returns "SCRAM-SHA-512"
}

SSL/TLS Security

SSL Socket Factory Configuration

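/**
 * Create a connection that is TLS-protected from the first byte (LDAPS).
 *
 * Parameter order matches the usage examples on this page: the socket factory
 * comes first. The factory's trust manager is the server-authentication policy
 * for this connection, so never pass one built from TrustAllTrustManager
 * outside throwaway tests, and enable hostname verification through
 * LDAPConnectionOptions.setSSLSocketVerifier(new HostNameSSLSocketVerifier(...)).
 * @param socketFactory SSL socket factory (see SSLUtil)
 * @param host LDAP server hostname (must match the server certificate)
 * @param port LDAP server port (typically 636 for LDAPS)
 * @throws LDAPException if the connection or the TLS handshake fails
 */
public LDAPConnection(SSLSocketFactory socketFactory, String host, int port) throws LDAPException;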

/**
 * Builds SSLContext / SSLSocketFactory instances from explicit key and trust
 * managers.
 *
 * The trust manager chosen here is the server-authentication policy for every
 * connection made through the factory: use TrustStoreTrustManager in
 * production, never TrustAllTrustManager. Key managers are only needed for
 * client-certificate (SASL EXTERNAL) authentication.
 */
public class SSLUtil {
    public SSLUtil();   // presumably the JVM default trust store -- verify before relying on it
    public SSLUtil(TrustManager trustManager);
    public SSLUtil(TrustManager[] trustManagers);
    public SSLUtil(KeyManager keyManager, TrustManager trustManager);
    public SSLUtil(KeyManager[] keyManagers, TrustManager[] trustManagers);
    
    // The no-arg variants use the SDK's default protocol (not shown here). When
    // passing a protocol explicitly use "TLSv1.2" or "TLSv1.3"; "SSL", "TLSv1"
    // and "TLSv1.1" are deprecated and should be refused by policy.
    public SSLSocketFactory createSSLSocketFactory() throws GeneralSecurityException;
    public SSLSocketFactory createSSLSocketFactory(String protocol) throws GeneralSecurityException;
    public SSLContext createSSLContext() throws GeneralSecurityException;
    public SSLContext createSSLContext(String protocol) throws GeneralSecurityException;
}

Trust Management

/**
 * Accepts EVERY certificate chain without validation -- expired, self-signed,
 * issued by anyone, for any hostname. With this trust manager an attacker on
 * the network path can terminate TLS with a forged certificate, read every
 * password sent in a bind and tamper with directory data. Use only against
 * throwaway test servers; it must never reach a production code path (a
 * forbidden-API rule in the build is a reasonable safeguard).
 */
public class TrustAllTrustManager implements X509TrustManager {
    public TrustAllTrustManager();
    public void checkClientTrusted(X509Certificate[] chain, String authType);   // presumably a no-op
    public void checkServerTrusted(X509Certificate[] chain, String authType);   // presumably a no-op
    public X509Certificate[] getAcceptedIssuers();
}

/**
 * Validates the server's certificate chain against the CA certificates in the
 * given trust store -- the production choice.
 *
 * Chain validation does not check that the certificate was issued for the host
 * you connected to; pair this with HostNameSSLSocketVerifier via
 * LDAPConnectionOptions.setSSLSocketVerifier. Keep the trust store minimal
 * (the internal CA only) and protected from modification: anyone who can add
 * a certificate to it can impersonate the directory.
 */
public class TrustStoreTrustManager implements X509TrustManager {
    public TrustStoreTrustManager(String trustStorePath);
    // A trust store holding only CA certificates normally needs no password to
    // read; supplying one additionally checks the store's integrity.
    public TrustStoreTrustManager(String trustStorePath, char[] trustStorePassword);
    // trustStoreFormat: a KeyStore type such as "JKS" or "PKCS12"
    public TrustStoreTrustManager(File trustStoreFile, char[] trustStorePassword, String trustStoreFormat);
}

/**
 * Interactive trust-on-first-use: when an unknown certificate is presented the
 * user is asked (presumably on the console) whether to accept it.
 *
 * Suitable only for command-line tools with a human present. The accepted
 * certificates file persists those decisions, so anyone who can write to it
 * can inject a trusted certificate; protect it like a trust store. Unattended
 * services must use TrustStoreTrustManager instead.
 */
public class PromptTrustManager implements X509TrustManager {
    public PromptTrustManager();
    public PromptTrustManager(String acceptedCertificatesFile);
}

Start TLS

/**
 * StartTLS extended operation (RFC 4511 section 4.14): upgrades an existing
 * cleartext connection to TLS in place.
 *
 * Everything sent before the operation succeeds -- including any earlier bind --
 * went over the wire in the clear, so bind only afterwards. The SSLContext /
 * SSLSocketFactory supplied here carries the trust policy; the no-arg
 * constructor presumably falls back to a default context whose trust settings
 * you should verify. If the server refuses the operation, fail closed rather
 * than continuing on the plaintext socket.
 */
public class StartTLSExtendedRequest extends ExtendedRequest {
    public StartTLSExtendedRequest();
    public StartTLSExtendedRequest(SSLContext sslContext);
    public StartTLSExtendedRequest(SSLSocketFactory socketFactory);
    public StartTLSExtendedRequest(Control... controls);
}

/**
 * Send the StartTLS request and, on success, perform the TLS handshake on the
 * existing socket.
 *
 * Check getResultCode() on the returned ExtendedResult: anything other than
 * SUCCESS means the connection is still cleartext. Whether the configured
 * SSLSocketVerifier (hostname check) also runs after a StartTLS handshake is
 * not shown on this page -- verify before relying on it.
 * @param request Start TLS request
 * @return Extended result
 * @throws LDAPException if TLS negotiation fails
 */
public ExtendedResult processExtendedOperation(StartTLSExtendedRequest request) throws LDAPException;

Bind Results and Status

BindResult

/**
 * Result of a bind operation. A failed bind normally surfaces as an
 * LDAPException from bind(...), but code that holds a BindResult should still
 * check getResultCode() == ResultCode.SUCCESS before treating the connection
 * as authenticated.
 */
public class BindResult extends LDAPResult {
    public String getBindDN();   // NOTE(review): not an obvious LDAPResult field; verify against the SDK Javadoc
    public ASN1OctetString getServerSASLCredentials();   // final server SASL message, e.g. the SCRAM server signature
}

Security Configuration

Connection Security Options

/**
 * Connection options with a security impact. Only the SSLSocketVerifier pair
 * concerns TLS; the mode and schema options below are unrelated to
 * certificate validation.
 */
public class LDAPConnectionOptions {
    // TLS: post-handshake check on the established SSLSocket. Install a
    // HostNameSSLSocketVerifier here -- certificate chain validation by the
    // trust manager alone does not confirm you reached the intended host.
    // Whether the SDK installs a verifier by default varies by SDK version, so
    // configure it explicitly.
    public void setSSLSocketVerifier(SSLSocketVerifier sslSocketVerifier);
    public SSLSocketVerifier getSSLSocketVerifier();
    
    // Synchronous vs. asynchronous request processing (from its name); not a
    // security control.
    public void setUseSynchronousMode(boolean useSynchronousMode);
    public boolean useSynchronousMode();
    
    // Presumably shares a cached schema across pooled connections; not a
    // security control.
    public void setUsePooledSchema(boolean usePooledSchema);
    public boolean usePooledSchema();
    
    // Reject a simple bind that has a DN but an empty password. Without this,
    // such an "unauthenticated" bind may be accepted by the server as anonymous
    // -- a classic authentication bypass when the password comes from a login form.
    public void setBindWithDNRequiresPassword(boolean bindWithDNRequiresPassword);
    public boolean bindWithDNRequiresPassword();
}

/**
 * Hook invoked after the TLS handshake completes and before the connection is
 * used; throw LDAPException to reject the socket (the SDK is presumably
 * expected to close it). Typical uses: hostname verification, certificate
 * pinning, checking the negotiated protocol or cipher suite.
 */
public interface SSLSocketVerifier {
    /**
     * @param host the hostname the client asked to connect to
     * @param port the port
     * @param sslSocket the negotiated socket (inspect getSession().getPeerCertificates())
     * @throws LDAPException to reject the connection
     */
    void verifySSLSocket(String host, int port, SSLSocket sslSocket) throws LDAPException;
}

/**
 * Hostname verification: checks that the server certificate was issued for the
 * host the client connected to. Without it, any certificate trusted by the
 * trust manager -- including one issued to a different host by the same CA --
 * would be accepted.
 */
public class HostNameSSLSocketVerifier implements X509TrustManager {
    // allowWildcards=false is stricter: a certificate for *.example.com is not
    // accepted for ldap.example.com.
    public HostNameSSLSocketVerifier(boolean allowWildcards);
    public void verifySSLSocket(String host, int port, SSLSocket sslSocket) throws LDAPException;
}

Usage Examples

Simple Authentication

import com.unboundid.ldap.sdk.*;

// Basic username/password authentication.
// WARNING: port 389 without StartTLS sends the password in cleartext. Combine
// this with the "SSL/TLS Connection" or "Start TLS" examples below; this
// snippet shows only the bind itself.
LDAPConnection connection = new LDAPConnection("ldap.example.com", 389);

try {
    // Simple bind. If the password comes from user input, never let an empty
    // string through: a DN with an empty password is an "unauthenticated"
    // bind (see LDAPConnectionOptions.setBindWithDNRequiresPassword).
    BindResult bindResult = connection.bind("cn=admin,dc=example,dc=com", "password");
    
    // bind() throws on failure, so reaching here normally means success; the
    // explicit check is defence in depth.
    if (bindResult.getResultCode() == ResultCode.SUCCESS) {
        System.out.println("Authentication successful");
        System.out.println("Bound as: " + bindResult.getBindDN());
    }
    
} catch (LDAPException e) {
    // Keep the user-facing message generic and never echo the password.
    if (e.getResultCode() == ResultCode.INVALID_CREDENTIALS) {
        System.err.println("Invalid username or password");
    } else {
        System.err.println("Authentication failed: " + e.getMessage());
    }
} finally {
    connection.close();
}

SASL CRAM-MD5 Authentication

import com.unboundid.ldap.sdk.*;

// CRAM-MD5 is a legacy mechanism kept for old servers. It keeps the password
// off the wire but offers no session protection or mutual authentication and
// forces the server to store a cleartext-equivalent password. For new code use
// SCRAMSHA256BindRequest (same constructor shape) and still run over TLS.
LDAPConnection connection = new LDAPConnection("ldap.example.com", 389);

try {
    // CRAM-MD5 SASL authentication; authenticationID is a username, not a DN
    CRAMMD5BindRequest bindRequest = new CRAMMD5BindRequest("john.doe", "password");
    BindResult bindResult = connection.bind(bindRequest);
    
    System.out.println("CRAM-MD5 authentication successful");
    
} catch (LDAPException e) {
    System.err.println("SASL authentication failed: " + e.getMessage());
} finally {
    connection.close();
}

SSL/TLS Connection

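import com.unboundid.ldap.sdk.*;
import com.unboundid.util.ssl.*;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLSocketFactory;

// LDAPS: the connection is TLS-protected before any LDAP message is sent.
LDAPConnection connection = null;
try {
    // Trust only the CA certificates in an explicit trust store. Do NOT use
    // TrustAllTrustManager here: it accepts any certificate, so an attacker on
    // the path could impersonate the server and capture the bind password.
    SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager("/etc/ldap/truststore.jks"));
    // The no-arg factory uses the SDK's default protocol; if you pass one
    // explicitly, use "TLSv1.2" or "TLSv1.3".
    SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();
    
    // Chain validation alone does not prove we reached the intended host; also
    // enable hostname checking (LDAPConnectionOptions.setSSLSocketVerifier with
    // HostNameSSLSocketVerifier) before deploying.
    connection = new LDAPConnection(socketFactory, "ldaps.example.com", 636);
    
    // The credentials are now protected by TLS. Load the password from a
    // secret store rather than a literal in real code.
    connection.bind("cn=admin,dc=example,dc=com", "password");
    
    System.out.println("SSL connection established successfully");
    
} catch (GeneralSecurityException | LDAPException e) {
    // Never fall back to a plaintext connection on TLS failure.
    System.err.println("SSL connection failed: " + e.getMessage());
} finally {
    // Closed on every path; the original leaked the connection if bind() threw.
    if (connection != null) {
        connection.close();
    }
}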

Start TLS

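import com.unboundid.ldap.sdk.*;
import com.unboundid.ldap.sdk.extensions.*;
import com.unboundid.util.ssl.*;
import java.security.GeneralSecurityException;

// Start on a plaintext connection. NOTHING sensitive may be sent until StartTLS
// has succeeded.
LDAPConnection connection = new LDAPConnection("ldap.example.com", 389);

try {
    // Explicit trust store, not TrustAllTrustManager: the trust manager in this
    // context is all that stands between the bind password and a
    // man-in-the-middle presenting a forged certificate.
    SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager("/etc/ldap/truststore.jks"));
    
    // Ask the server to upgrade this socket to TLS.
    StartTLSExtendedRequest startTLSRequest = new StartTLSExtendedRequest(sslUtil.createSSLContext());
    ExtendedResult startTLSResult = connection.processExtendedOperation(startTLSRequest);
    
    if (startTLSResult.getResultCode() == ResultCode.SUCCESS) {
        System.out.println("TLS started successfully");
        
        // Only now is the channel encrypted; bind here and nowhere earlier.
        connection.bind("cn=admin,dc=example,dc=com", "password");
    } else {
        // Fail closed. A server (or an attacker stripping the upgrade) that
        // refuses StartTLS must not be sent credentials in cleartext.
        System.err.println("StartTLS refused, not sending credentials: "
            + startTLSResult.getResultCode());
    }
    
} catch (GeneralSecurityException | LDAPException e) {
    System.err.println("Start TLS failed: " + e.getMessage());
} finally {
    connection.close();
}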

GSSAPI/Kerberos Authentication

import com.unboundid.ldap.sdk.*;

// Kerberos bind on a plaintext port. GSSAPI can negotiate its own
// integrity/confidentiality layer (SASLQualityOfProtection.AUTH_CONF via
// setAllowedQoP); unless that is enforced, use LDAPS/StartTLS instead, since
// the operations after the bind are otherwise unencrypted.
LDAPConnection connection = new LDAPConnection("ldap.example.com", 389);

try {
    // Configure GSSAPI authentication. This constructor presumably obtains
    // Kerberos tickets from the password, so the password sits in application
    // memory; unattended services should instead use a keytab
    // (setUseKeyTab/setKeyTabPath) or an existing ticket cache
    // (setTicketCachePath) with the password-less constructors.
    GSSAPIBindRequest bindRequest = new GSSAPIBindRequest(
        "john.doe@EXAMPLE.COM",     // authentication ID
        null,                       // authorization ID (null = same as auth ID)
        "password",                 // password -- load from a secret store, never a literal
        "EXAMPLE.COM",              // realm
        "kdc.example.com"           // KDC address: must come from trusted config; a rogue KDC defeats the login
    );
    
    // Configure Kerberos settings. krb5.conf should be readable but not
    // writable by the application user.
    bindRequest.setConfigFilePath("/etc/krb5.conf");
    bindRequest.setServicePrincipalProtocol("ldap");   // server SPN is ldap/<host>@<REALM>
    
    // Perform authentication; failures (wrong password, clock skew, unknown
    // SPN) surface as LDAPException.
    BindResult bindResult = connection.bind(bindRequest);
    
    System.out.println("Kerberos authentication successful");
    
} catch (LDAPException e) {
    System.err.println("Kerberos authentication failed: " + e.getMessage());
} finally {
    connection.close();
}

Connection Pool with Authentication

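import com.unboundid.ldap.sdk.*;

// The pool authenticates every connection it opens with this bind request, so
// no separate pre-bound LDAPConnection is needed; opening one and never closing
// it (as the original example did) just leaks a socket.
//
// Least privilege: bind the pool as a dedicated service account holding only
// the rights the application needs, never the directory administrator. Load
// the password from a secret store rather than a literal, and point the
// ServerSet at LDAPS (or use StartTLS) so the simple-bind password is not sent
// in cleartext on port 389.
SimpleBindRequest bindRequest = new SimpleBindRequest("cn=app-svc,ou=services,dc=example,dc=com", "password");
ServerSet serverSet = new SingleServerSet("ldap.example.com", 389);

// 5 initial connections, at most 10.
LDAPConnectionPool pool = new LDAPConnectionPool(serverSet, bindRequest, 5, 10);

try {
    // Every pooled connection is bound as the service account.
    SearchResult result = pool.search("dc=example,dc=com", SearchScope.BASE, "(objectClass=*)");
    System.out.println("Pool operation successful");
    
} finally {
    pool.close();
}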

Client Certificate Authentication

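import com.unboundid.ldap.sdk.*;
import com.unboundid.util.ssl.*;
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

LDAPConnection connection = null;
// Keystore password as char[] so it can be zeroed once the KeyManager is
// built. Load it from a secret store in real code, not a literal.
char[] keyStorePassword = "password".toCharArray();
try {
    // Load the client certificate and private key. try-with-resources closes
    // the stream on every path (the original never closed it).
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    try (FileInputStream in = new FileInputStream("client-cert.p12")) {
        keyStore.load(in, keyStorePassword);
    }
    
    // Use the JVM's default algorithm rather than hard-coding "SunX509".
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(keyStore, keyStorePassword);
    
    // Client authentication does not excuse SERVER authentication: validate the
    // server chain against an explicit trust store, never TrustAllTrustManager.
    // SSLUtil pairs KeyManager[] with TrustManager[], so wrap the trust manager.
    SSLUtil sslUtil = new SSLUtil(kmf.getKeyManagers(),
        new TrustManager[] { new TrustStoreTrustManager("/etc/ldap/truststore.jks") });
    SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();
    
    // Connect over LDAPS; the client certificate is presented in the handshake.
    connection = new LDAPConnection(socketFactory, "ldaps.example.com", 636);
    
    // SASL EXTERNAL: the server derives the identity from the certificate it
    // verified during the TLS handshake; no password is sent.
    EXTERNALBindRequest bindRequest = new EXTERNALBindRequest();
    BindResult bindResult = connection.bind(bindRequest);
    
    System.out.println("Client certificate authentication successful");
    
} catch (IOException | GeneralSecurityException | LDAPException e) {
    System.err.println("Client certificate authentication failed: " + e.getMessage());
} finally {
    // Wipe the keystore password and close the connection on every path.
    Arrays.fill(keyStorePassword, '\0');
    if (connection != null) {
        connection.close();
    }
}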
