File: LdapSettings.cs
Web Access
Project: src\src\Security\Authentication\Negotiate\src\Microsoft.AspNetCore.Authentication.Negotiate.csproj (Microsoft.AspNetCore.Authentication.Negotiate)
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
 
using System.DirectoryServices.Protocols;
using Microsoft.Extensions.Caching.Memory;
 
namespace Microsoft.AspNetCore.Authentication.Negotiate;
 
/// <summary>
/// Options class for configuring LDAP connections on Linux
/// </summary>
public class LdapSettings
{
    /// <summary>
    /// Configure whether LDAP connection should be used to resolve claims.
    /// This is mainly used on Linux.
    /// </summary>
    public bool EnableLdapClaimResolution { get; set; }
 
    /// <summary>
    /// The domain to use for the LDAP connection. This is a mandatory setting.
    /// </summary>
    /// <example>
    /// DOMAIN.com
    /// </example>
    public string Domain { get; set; } = default!;
 
    /// <summary>
    /// The machine account name to use when opening the LDAP connection.
    /// If this is not provided, the machine wide credentials of the
    /// domain joined machine will be used.
    /// </summary>
    public string? MachineAccountName { get; set; }
 
    /// <summary>
    /// The machine account password to use when opening the LDAP connection.
    /// This must be provided if a <see cref="MachineAccountName"/> is provided.
    /// </summary>
    public string? MachineAccountPassword { get; set; }
 
    /// <summary>
    /// This option indicates whether nested groups should be ignored when
    /// resolving Roles. The default is false.
    /// </summary>
    public bool IgnoreNestedGroups { get; set; }
 
    /// <summary>
    /// The <see cref="LdapConnection"/> to be used to retrieve role claims.
    /// If no explicit connection is provided, an LDAP connection will be
    /// automatically created based on the <see cref="Domain"/>,
    /// <see cref="MachineAccountName"/> and <see cref="MachineAccountPassword"/>
    /// options. If provided, this connection will be used and the
    /// <see cref="Domain"/>, <see cref="MachineAccountName"/> and
    /// <see cref="MachineAccountPassword"/>  options will not be used to create
    /// the <see cref="LdapConnection"/>.
    /// </summary>
    public LdapConnection? LdapConnection { get; set; }
 
    /// <summary>
    /// The sliding expiration that should be used for entries in the cache for user claims, defaults to 10 minutes.
    /// This is a sliding expiration that will extend each time claims for a user is retrieved.
    /// </summary>
    public TimeSpan ClaimsCacheSlidingExpiration { get; set; } = TimeSpan.FromMinutes(10);
 
    /// <summary>
    /// The absolute expiration that should be used for entries in the cache for user claims, defaults to 60 minutes.
    /// This is an absolute expiration that starts when a claims for a user is retrieved for the first time.
    /// </summary>
    public TimeSpan ClaimsCacheAbsoluteExpiration { get; set; } = TimeSpan.FromMinutes(60);
 
    /// <summary>
    /// The maximum size of the claim results cache, defaults to 100 MB.
    /// </summary>
    public int ClaimsCacheSize { get; set; } = 100 * 1024 * 1024;
 
    internal MemoryCache? ClaimsCache { get; set; }
 
    /// <summary>
    /// Validates the <see cref="LdapSettings"/>.
    /// </summary>
    public void Validate()
    {
        if (EnableLdapClaimResolution)
        {
            ArgumentException.ThrowIfNullOrEmpty(Domain);
 
            if (string.IsNullOrEmpty(MachineAccountName) && !string.IsNullOrEmpty(MachineAccountPassword))
            {
                throw new ArgumentException($"{nameof(MachineAccountPassword)} should only be specified when {nameof(MachineAccountName)} is configured.");
            }
        }
    }
}