Use of javax.naming.ldap.LdapContext in project neo4j by neo4j.
The class LdapGroupHasUsersAuthPlugin, method authenticateAndAuthorize.
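/**
 * Authenticates the caller by binding to LDAP with the supplied credentials and then
 * resolves the caller's roles through that same bound context.
 *
 * @param authToken token carrying the principal and credentials to bind with
 * @return the principal together with the role names resolved for it
 * @throws AuthenticationException if the bind or the role lookup fails; the underlying
 *         {@link NamingException} is kept as the cause so the LDAP failure stays diagnosable
 */
@Override
public AuthInfo authenticateAndAuthorize(AuthToken authToken) throws AuthenticationException {
    try {
        String username = authToken.principal();
        char[] password = authToken.credentials();
        // Bind as the user first; only a successful bind yields a context to query roles with.
        LdapContext ctx = authenticate(username, password);
        try {
            Set<String> roles = authorize(ctx, username);
            return AuthInfo.of(username, roles);
        } finally {
            // The bound context is a live LDAP connection; release it however authorization ends
            // so a failed or slow role lookup does not leak a connection per login attempt.
            if (ctx != null) {
                ctx.close();
            }
        }
    } catch (NamingException e) {
        // Carry the NamingException as cause; getMessage() alone may be null and loses the LDAP detail.
        throw new AuthenticationException(e.getMessage(), e);
    }
}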
Use of javax.naming.ldap.LdapContext in project neo4j by neo4j.
The class LdapRealm, method queryForAuthorizationInfo.
/**
 * Resolves authorization info for the given principals.
 *
 * <p>Returns {@code null} when LDAP authorization is disabled or no username can be taken
 * from {@code principals}. With a system account configured, the role names are looked up
 * through the system context (StartTLS when enabled), which is always closed afterwards.
 * Otherwise the info cached at authentication time is returned, and a cache miss is
 * reported as {@link AuthorizationExpiredException}.
 *
 * @param principals the authenticated principals
 * @param ldapContextFactory factory used to obtain the system LDAP context
 * @return the authorization info, or {@code null} as described above
 * @throws NamingException if the system-context lookup fails
 */
@Override
protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException {
    if (!authorizationEnabled) {
        return null;
    }
    String username = getUsername(principals);
    if (username == null) {
        return null;
    }
    if (!useSystemAccountForAuthorization) {
        // No system account: rely on what was cached when the user authenticated.
        AuthorizationInfo cached = getAuthorizationCache().get(username);
        if (cached == null) {
            // The cached entry is gone; signal it so the client can react by re-authenticating.
            throw new AuthorizationExpiredException("LDAP authorization info expired.");
        }
        return cached;
    }
    // Search with the system context; the context is released even if the search throws.
    LdapContext systemContext;
    if (useStartTls) {
        systemContext = getSystemLdapContextUsingStartTls(ldapContextFactory);
    } else {
        systemContext = ldapContextFactory.getSystemLdapContext();
    }
    Set<String> roleNames;
    try {
        roleNames = findRoleNamesForUser(username, systemContext);
    } finally {
        LdapUtils.closeContext(systemContext);
    }
    return new SimpleAuthorizationInfo(roleNames);
}
Use of javax.naming.ldap.LdapContext in project neo4j by neo4j.
The class LdapRealm, method getLdapContextUsingStartTls.
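/**
 * Opens an LDAP context on a plaintext connection, upgrades it with StartTLS and only then
 * binds with the given principal and credentials.
 *
 * <p>The bind (via {@code reconnect}) is issued after {@code negotiate()} has returned, so the
 * credentials are sent on the TLS-protected session rather than in clear text. On any failure
 * the partially built context is closed before the error is propagated.
 *
 * @param ldapContextFactory factory providing the context-factory class, URL and auth mechanism;
 *        must be a {@link JndiLdapContextFactory}
 * @param principal the security principal to bind as
 * @param credentials the credentials to bind with
 * @return a context bound over TLS
 * @throws NamingException on LDAP errors; a TLS negotiation {@link IOException} is reported as
 *         {@link CommunicationException} with the I/O failure as root cause
 */
private LdapContext getLdapContextUsingStartTls(LdapContextFactory ldapContextFactory, Object principal, Object credentials) throws NamingException {
    JndiLdapContextFactory jndiLdapContextFactory = (JndiLdapContextFactory) ldapContextFactory;
    // Deliberately no SECURITY_* entries here: the initial connection is unauthenticated and
    // credentials are attached only after the channel is encrypted.
    Hashtable<String, Object> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, jndiLdapContextFactory.getContextFactoryClassName());
    env.put(Context.PROVIDER_URL, jndiLdapContextFactory.getUrl());
    LdapContext ctx = null;
    try {
        ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();
        // From here on the session is TLS-protected; now it is safe to present the bind credentials.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, jndiLdapContextFactory.getAuthenticationMechanism());
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);
        ctx.reconnect(ctx.getConnectControls());
        return ctx;
    } catch (IOException e) {
        LdapUtils.closeContext(ctx);
        securityLog.error(withRealm("Failed to negotiate TLS connection with '%s': ", server(jndiLdapContextFactory), e));
        // Keep the I/O failure as root cause; the message alone may be null or hide why the handshake failed.
        CommunicationException communicationException = new CommunicationException(e.getMessage());
        communicationException.setRootCause(e);
        throw communicationException;
    } catch (Throwable t) {
        LdapUtils.closeContext(ctx);
        securityLog.error(withRealm("Unexpected failure to negotiate TLS connection with '%s': ", server(jndiLdapContextFactory), t));
        throw t;
    }
}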
Use of javax.naming.ldap.LdapContext in project neo4j by neo4j.
The class LdapRealmTest, method shouldWarnAboutAmbiguousUserSearch.
/**
 * A user-search filter of just "{0}" can match more than one entry; with the search stubbed
 * to report a hit, the realm must warn that the user principal lookup is ambiguous.
 */
@Test
public void shouldWarnAboutAmbiguousUserSearch() throws NamingException {
    when(config.get(SecuritySettings.ldap_authorization_user_search_filter)).thenReturn("{0}");
    // Stub one matching entry so the ambiguity check has something to report.
    SearchResult matchedEntry = mock(SearchResult.class);
    when(matchedEntry.toString()).thenReturn("<ldap search result>");
    NamingEnumeration searchHits = mock(NamingEnumeration.class);
    when(searchHits.hasMoreElements()).thenReturn(true);
    when(searchHits.next()).thenReturn(matchedEntry);
    LdapContext context = mock(LdapContext.class);
    when(context.search(anyString(), anyString(), anyObject(), anyObject())).thenReturn(searchHits);
    LdapRealm realm = new LdapRealm(config, securityLog, secureHasher);
    realm.findRoleNamesForUser("username", context);
    verify(securityLog).warn(contains("LDAP user search for user principal 'username' is ambiguous"));
}
Use of javax.naming.ldap.LdapContext in project neo4j by neo4j.
The class LdapRealmTest, method shouldWarnAboutUserSearchBaseBeingEmpty.
/**
 * An empty user-search base must be rejected at realm initialisation: the caller gets an
 * IllegalArgumentException pointing to the security log, and the log carries the detail.
 */
@Test
public void shouldWarnAboutUserSearchBaseBeingEmpty() throws Exception {
    when(config.get(SecuritySettings.ldap_authorization_user_search_base)).thenReturn("");
    // A context that returns no hits; it is stubbed so any search performed is harmless.
    NamingEnumeration noHits = mock(NamingEnumeration.class);
    when(noHits.hasMoreElements()).thenReturn(false);
    LdapContext context = mock(LdapContext.class);
    when(context.search(anyString(), anyString(), anyObject(), anyObject())).thenReturn(noHits);
    assertException(this::makeAndInit, IllegalArgumentException.class, "Illegal LDAP user search settings, see security log for details.");
    verify(securityLog).error(contains("LDAP user search base is empty."));
}