3.2 Creating the LDAP Plug-In

The project used to create the plug-in must include the NAMCommon.jar file shipped with Access Manager. This JAR file is located in the following directory:

  • Linux: /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

  • Windows: C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\lib

To create an LDAP Server plug-in, you need to create a public class that extends the abstract com.novell.nam.common.ldap.jndi.LDAPStorePlugin class.

In your public class, you need to implement the following methods:

  • getDirectoryName(): Needs to return the name you want displayed for your directory type. For eDirectory, this method returns “Novell eDirectory”.

  • getGUIDAttributeName(): Needs to return the name of the globally unique ID attribute that uniquely identifies all objects in this type of directory. For eDirectory, this is the GUID attribute.

  • getMemberAttributeName(): Needs to return the name of the attribute that is used to identify an object as a member of a group. For eDirectory, this is the member attribute.

  • getUserClassName(): Needs to return the name of the class that is used to create users. For eDirectory, this is the User class.

  • getUserNameNamingAttrName(): Needs to return the name of the attribute that is used to name users. For eDirectory, this is the cn attribute.

  • preUserAccountCreation(): Needs to return an attributes object that contains an array of attributes, each member containing the name of an attribute and its value. This attributes object needs to contain all the attributes that are required to create a user in the LDAP directory. This usually consists of the name of the object class, the naming attribute, and a password. For eDirectory, this also includes the sn attribute.

The following methods can be implemented, and might be required for your LDAP directory:

  • postUserAccountCreation(): Modifies a user’s attributes after the user has been created. Some LDAP directories do not let you set a password until after the user account has been created. The method receives a strCorrelationId parameter that you can use to match this call with the corresponding preUserAccountCreation() call for the same user.

  • onCreateConnection(): Allows the plug-in to check the connection creation parameters and modify them, if needed. This method is called just before a connection is created with the LDAP directory.

  • onCreateConnectionException(): Allows you to customize the exception that is thrown when the process to create an LDAP connection fails and throws an authentication exception. This method is overloaded; this form takes an AuthenticationException parameter.

  • onCreateConnectionException(): Allows you to customize the exception that is thrown when the process to create an LDAP connection fails and throws a connection exception. This method is overloaded; this form takes an OperationNotSupportedException parameter.

  • getFailedLoginCountAttributeName(): Allows you to enable the reCAPTCHA feature. When the reCAPTCHA feature is enabled, the login page shows the Google reCAPTCHA box, so that the user trying to log in can confirm “I am not a robot”. The reCAPTCHA box does not appear unless the failed login count exceeds a specific number. This method returns the name of the attribute that is used to retrieve the bad password count or login intruder attempts: loginIntruderAttempts for eDirectory and badPwdCount for Active Directory.

If you are upgrading from Access Manager 4.2.x or earlier, add the following lines to the LDAP plug-in to avoid errors:

    /**
     * Returns the schema name of the Failed Login Attempts attribute for this directory type.
     * This is the attribute that holds the failed login count. For example, for eDirectory,
     * this method might return 'loginIntruderAttempts'.
     *
     * @return The schema name of the Failed Login Attempts attribute.
     */
    // Declared in the abstract LDAPStorePlugin base class as:
    //   public abstract String getFailedLoginCountAttributeName();
    // so the plug-in class must supply this concrete implementation:
    @Override
    public String getFailedLoginCountAttributeName() {
        return "<name of the attribute>";
    }

For Active Directory, replace <name of the attribute> with badPwdCount. For eDirectory, replace <name of the attribute> with loginIntruderAttempts.
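As an added illustration, not code from the Access Manager SDK or from Section 3.3, the following is a minimal Active Directory plug-in that implements the required methods listed above and the getFailedLoginCountAttributeName() override. The package and class names are hypothetical, and the parameter list of preUserAccountCreation() is an assumption (this page only states that it returns an attributes object); confirm it against the Javadoc API Reference before building.

```java
package com.example.nam.ldap; // hypothetical package name

import java.nio.charset.StandardCharsets;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import com.novell.nam.common.ldap.jndi.LDAPStorePlugin;

/** Active Directory plug-in: a concrete subclass of the abstract LDAPStorePlugin. */
public class ActiveDirectoryPlugin extends LDAPStorePlugin {

    @Override
    public String getDirectoryName() { return "Microsoft Active Directory"; }

    @Override
    public String getGUIDAttributeName() { return "objectGUID"; }   // AD's unique object identifier

    @Override
    public String getMemberAttributeName() { return "member"; }     // group membership attribute

    @Override
    public String getUserClassName() { return "user"; }             // AD object class for user accounts

    @Override
    public String getUserNameNamingAttrName() { return "cn"; }      // naming (RDN) attribute

    /** Required after upgrading from 4.2.x; AD keeps the failed login count in badPwdCount. */
    @Override
    public String getFailedLoginCountAttributeName() { return "badPwdCount"; }

    /**
     * Builds the attribute set the directory needs to create a user: object class,
     * naming attribute, and password. The parameter list is an assumption.
     */
    @Override
    public Attributes preUserAccountCreation(String strCorrelationId, String strUserName, String strPassword) {
        BasicAttributes attrs = new BasicAttributes(true); // attribute names are case-insensitive
        BasicAttribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("top");
        objectClass.add("person");
        objectClass.add("organizationalPerson");
        objectClass.add("user");
        attrs.put(objectClass);
        attrs.put("cn", strUserName);
        attrs.put("sAMAccountName", strUserName);
        // AD accepts the initial password only as unicodePwd: the value wrapped in double quotes,
        // encoded as UTF-16LE, and written over an encrypted (LDAPS) connection.
        attrs.put("unicodePwd", ("\"" + strPassword + "\"").getBytes(StandardCharsets.UTF_16LE));
        return attrs;
    }
}
```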

For details about the LDAPStorePlugin class and methods, see the Javadoc API Reference.

For an example plug-in that extends the LDAPStorePlugin class and implements the required methods and some of the optional methods, see Section 3.3, eDirectory Plug-In.