Examples with CursorException org.apache.directory.api.ldap.model.cursor.CursorException used on opensource projects

Example 1 with CursorException

use of org.apache.directory.api.ldap.model.cursor.CursorException in project graylog2-server by Graylog2.

the class LdapResource method testLdapConfiguration.

@POST
@Timed
@RequiresPermissions(RestPermissions.LDAP_EDIT)
@ApiOperation("Test LDAP Configuration")
@Path("/test")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@NoAuditEvent("only used to test LDAP configuration")
public LdapTestConfigResponse testLdapConfiguration(@ApiParam(name = "Configuration to test", required = true) @Valid @NotNull LdapTestConfigRequest request) {
    final LdapConnectionConfig config = new LdapConnectionConfig();
    final URI ldapUri = request.ldapUri();
    config.setLdapHost(ldapUri.getHost());
    config.setLdapPort(ldapUri.getPort());
    config.setUseSsl(ldapUri.getScheme().startsWith("ldaps"));
    config.setUseTls(request.useStartTls());
    if (request.trustAllCertificates()) {
        config.setTrustManagers(new TrustAllX509TrustManager());
    }
    if (!isNullOrEmpty(request.systemUsername()) && !isNullOrEmpty(request.systemPassword())) {
        config.setName(request.systemUsername());
        config.setCredentials(request.systemPassword());
    }
    LdapNetworkConnection connection = null;
    try {
        try {
            connection = ldapConnector.connect(config);
        } catch (LdapException e) {
            return LdapTestConfigResponse.create(false, false, false, Collections.<String, String>emptyMap(), Collections.<String>emptySet(), e.getMessage());
        }
        if (null == connection) {
            return LdapTestConfigResponse.create(false, false, false, Collections.<String, String>emptyMap(), Collections.<String>emptySet(), "Could not connect to LDAP server");
        }
        boolean connected = connection.isConnected();
        boolean systemAuthenticated = connection.isAuthenticated();
        // the web interface allows testing the connection only, in that case we can bail out early.
        if (request.testConnectOnly()) {
            return LdapTestConfigResponse.create(connected, systemAuthenticated, false, Collections.<String, String>emptyMap(), Collections.<String>emptySet());
        }
        String userPrincipalName = null;
        boolean loginAuthenticated = false;
        Map<String, String> entryMap = Collections.emptyMap();
        String exception = null;
        Set<String> groups = Collections.emptySet();
        try {
            final LdapEntry entry = ldapConnector.search(connection, request.searchBase(), request.searchPattern(), "*", request.principal(), request.activeDirectory(), request.groupSearchBase(), request.groupIdAttribute(), request.groupSearchPattern());
            if (entry != null) {
                userPrincipalName = entry.getBindPrincipal();
                entryMap = entry.getAttributes();
                groups = entry.getGroups();
            }
        } catch (CursorException | LdapException e) {
            exception = e.getMessage();
        }
        try {
            loginAuthenticated = ldapConnector.authenticate(connection, userPrincipalName, request.password());
        } catch (Exception e) {
            exception = e.getMessage();
        }
        return LdapTestConfigResponse.create(connected, systemAuthenticated, loginAuthenticated, entryMap, groups, exception);
    } finally {
        if (connection != null) {
            try {
                connection.close();
            } catch (IOException e) {
                LOG.warn("Unable to close LDAP connection.", e);
            }
        }
    }
}

Example 2 with CursorException

use of org.apache.directory.api.ldap.model.cursor.CursorException in project graylog2-server by Graylog2.

the class LdapConnector method search.

@Nullable
public LdapEntry search(LdapNetworkConnection connection, String searchBase, String searchPattern, String displayNameAttribute, String principal, boolean activeDirectory, String groupSearchBase, String groupIdAttribute, String groupSearchPattern) throws LdapException, CursorException {
    final LdapEntry ldapEntry = new LdapEntry();
    final Set<String> groupDns = Sets.newHashSet();
    final String filter = new MessageFormat(searchPattern, Locale.ENGLISH).format(new Object[] { sanitizePrincipal(principal) });
    if (LOG.isTraceEnabled()) {
        LOG.trace("Search {} for {}, starting at {}", activeDirectory ? "ActiveDirectory" : "LDAP", filter, searchBase);
    }
    try (final EntryCursor entryCursor = connection.search(searchBase, filter, SearchScope.SUBTREE, groupIdAttribute, displayNameAttribute, "dn", "uid", "userPrincipalName", "mail", "rfc822Mailbox", "memberOf", "isMemberOf")) {
        final Iterator<Entry> it = entryCursor.iterator();
        if (it.hasNext()) {
            final Entry e = it.next();
            // always set the proper DN for the entry, we need it for group matching
            ldapEntry.setDn(e.getDn().getName());
            // for generic LDAP use the dn of the entry for the subsequent bind, active directory needs the userPrincipalName attribute (set below)
            if (!activeDirectory) {
                ldapEntry.setBindPrincipal(e.getDn().getName());
            }
            for (Attribute attribute : e.getAttributes()) {
                if (activeDirectory && "userPrincipalName".equalsIgnoreCase(attribute.getId())) {
                    ldapEntry.setBindPrincipal(attribute.getString());
                }
                if (attribute.isHumanReadable()) {
                    ldapEntry.put(attribute.getId(), Joiner.on(", ").join(attribute.iterator()));
                }
                // ActiveDirectory (memberOf) and Sun Directory Server (isMemberOf)
                if ("memberOf".equalsIgnoreCase(attribute.getId()) || "isMemberOf".equalsIgnoreCase(attribute.getId())) {
                    for (Value<?> group : attribute) {
                        groupDns.add(group.getString());
                    }
                }
            }
        } else {
            LOG.trace("No LDAP entry found for filter {}", filter);
            return null;
        }
        if (!groupDns.isEmpty() && !isNullOrEmpty(groupSearchBase) && !isNullOrEmpty(groupIdAttribute)) {
            // according to groupIdAttribute if present
            try {
                for (String groupDn : groupDns) {
                    LOG.trace("Looking up group {}", groupDn);
                    try {
                        Entry group = connection.lookup(groupDn, groupIdAttribute);
                        // See: https://github.com/Graylog2/graylog2-server/issues/1453
                        if (group != null) {
                            final Attribute groupId = group.get(groupIdAttribute);
                            LOG.trace("Resolved {} to group {}", groupDn, groupId);
                            if (groupId != null) {
                                final String string = groupId.getString();
                                ldapEntry.addGroups(Collections.singleton(string));
                            }
                        } else {
                            LOG.debug("Unable to lookup group: {}", groupDn);
                        }
                    } catch (LdapException e) {
                        LOG.warn("Error while looking up group " + groupDn, e);
                    }
                }
            } catch (Exception e) {
                LOG.error("Unexpected error during LDAP group resolution", e);
            }
        }
        if (ldapEntry.getGroups().isEmpty() && !isNullOrEmpty(groupSearchBase) && !isNullOrEmpty(groupIdAttribute) && !isNullOrEmpty(groupSearchPattern)) {
            ldapEntry.addGroups(findGroups(connection, groupSearchBase, groupSearchPattern, groupIdAttribute, ldapEntry));
            LOG.trace("LDAP search found entry for DN {} with search filter {}: {}", ldapEntry.getDn(), filter, ldapEntry);
        } else {
            if (groupDns.isEmpty()) {
                LOG.info("LDAP group search base, id attribute or object class missing, not iterating over LDAP groups.");
            }
        }
        return ldapEntry;
    } catch (IOException e) {
        LOG.debug("Error while closing cursor", e);
        return null;
    }
}

Example 3 with CursorException

use of org.apache.directory.api.ldap.model.cursor.CursorException in project jackrabbit-oak by apache.

the class LdapIdentityProvider method getGroup.

@Override
public ExternalGroup getGroup(@Nonnull String name) throws ExternalIdentityException {
    DebugTimer timer = new DebugTimer();
    LdapConnection connection = connect();
    timer.mark("connect");
    try {
        Entry entry = getEntry(connection, config.getGroupConfig(), name, config.getCustomAttributes());
        timer.mark("lookup");
        if (log.isDebugEnabled()) {
            log.debug("getGroup({}) {}", name, timer.getString());
        }
        if (entry != null) {
            return createGroup(entry, name);
        } else {
            return null;
        }
    } catch (LdapException e) {
        throw lookupFailedException(e, timer);
    } catch (CursorException e) {
        throw lookupFailedException(e, timer);
    } finally {
        disconnect(connection);
    }
}

Example 4 with CursorException

use of org.apache.directory.api.ldap.model.cursor.CursorException in project graylog2-server by Graylog2.

the class LdapUserAuthenticator method doGetAuthenticationInfo.

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authtoken) throws AuthenticationException {
    // safe, we only handle this type
    final UsernamePasswordToken token = (UsernamePasswordToken) authtoken;
    final LdapSettings ldapSettings = ldapSettingsService.load();
    if (ldapSettings == null || !ldapSettings.isEnabled()) {
        LOG.trace("LDAP is disabled, skipping");
        return null;
    }
    final LdapConnectionConfig config = new LdapConnectionConfig();
    config.setLdapHost(ldapSettings.getUri().getHost());
    config.setLdapPort(ldapSettings.getUri().getPort());
    config.setUseSsl(ldapSettings.getUri().getScheme().startsWith("ldaps"));
    config.setUseTls(ldapSettings.isUseStartTls());
    if (ldapSettings.isTrustAllCertificates()) {
        config.setTrustManagers(new TrustAllX509TrustManager());
    }
    config.setName(ldapSettings.getSystemUserName());
    config.setCredentials(ldapSettings.getSystemPassword());
    final String principal = (String) token.getPrincipal();
    final char[] tokenPassword = firstNonNull(token.getPassword(), new char[0]);
    final String password = String.valueOf(tokenPassword);
    // do not try to look a token up in LDAP if there is no principal or password
    if (isNullOrEmpty(principal) || isNullOrEmpty(password)) {
        LOG.debug("Principal or password were empty. Not trying to look up a token in LDAP.");
        return null;
    }
    try (final LdapNetworkConnection connection = ldapConnector.connect(config)) {
        if (null == connection) {
            LOG.error("Couldn't connect to LDAP directory");
            return null;
        }
        final LdapEntry userEntry = ldapConnector.search(connection, ldapSettings.getSearchBase(), ldapSettings.getSearchPattern(), ldapSettings.getDisplayNameAttribute(), principal, ldapSettings.isActiveDirectory(), ldapSettings.getGroupSearchBase(), ldapSettings.getGroupIdAttribute(), ldapSettings.getGroupSearchPattern());
        if (userEntry == null) {
            LOG.debug("User {} not found in LDAP", principal);
            return null;
        }
        // needs to use the DN of the entry, not the parameter for the lookup filter we used to find the entry!
        final boolean authenticated = ldapConnector.authenticate(connection, userEntry.getDn(), password);
        if (!authenticated) {
            LOG.info("Invalid credentials for user {} (DN {})", principal, userEntry.getDn());
            return null;
        }
        // user found and authenticated, sync the user entry with mongodb
        final User user = syncFromLdapEntry(userEntry, ldapSettings, principal);
        if (user == null) {
            // in case there was an error reading, creating or modifying the user in mongodb, we do not authenticate the user.
            LOG.error("Unable to sync LDAP user {} (DN {})", userEntry.getBindPrincipal(), userEntry.getDn());
            return null;
        }
        return new SimpleAccount(principal, null, "ldap realm");
    } catch (LdapException e) {
        LOG.error("LDAP error", e);
    } catch (CursorException e) {
        LOG.error("Unable to read LDAP entry", e);
    } catch (Exception e) {
        LOG.error("Error during LDAP user account sync. Cannot log in user {}", principal, e);
    }
    // Return null by default to ensure a login failure if anything goes wrong.
    return null;
}

Example 5 with CursorException

use of org.apache.directory.api.ldap.model.cursor.CursorException in project midpoint by Evolveum.

the class AbstractLdapTest method addLdapAccount.

protected Entry addLdapAccount(String uid, String cn, String givenName, String sn) throws LdapException, IOException, CursorException {
    LdapNetworkConnection connection = ldapConnect();
    Entry entry = createAccountEntry(uid, cn, givenName, sn);
    try {
        connection.add(entry);
        display("Added LDAP account:\n" + entry);
    } catch (Exception e) {
        display("Error adding entry:\n" + entry + "\nError: " + e.getMessage());
        ldapDisconnect(connection);
        throw e;
    }
    ldapDisconnect(connection);
    return entry;
}