
Example 1 with DN

use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.

the class LdapAdapterTest method shouldUseConnectionForRead.

@Test
public void shouldUseConnectionForRead() throws Exception {
    // Given: the conversion helper maps any token id onto the root DN
    final String tokenId = "badger";
    final DN expectedDn = DN.rootDN();
    given(mockConversion.generateTokenDN(anyString())).willReturn(expectedDn);

    // When
    adapter.read(mockConnection, tokenId);

    // Then: the single-entry search issued on the supplied connection targets that DN
    final ArgumentCaptor<SearchRequest> requestCaptor = ArgumentCaptor.forClass(SearchRequest.class);
    verify(mockConnection).searchSingleEntry(requestCaptor.capture());
    assertEquals(expectedDn, requestCaptor.getValue().getName());
}
Also used : SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest) DN(org.forgerock.opendj.ldap.DN) Test(org.testng.annotations.Test)

Example 2 with DN

use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.

the class IdUtils method getIdentity.

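/**
 * Returns an {@code AMIdentity} object, given the DN of an authenticated identity,
 * the realm name and the identity type. This interface is mainly for the
 * authentication component to get back the identity of the user.
 *
 * <p>Resolution order: a universal identifier ({@code id=...}) is tried first, then
 * the special-user list, and finally (only when AMSDK is enabled and configured) the
 * AMSDK directory is consulted to determine the entry type, name and realm.
 *
 * @param token SSOToken of the administrator
 * @param amsdkdn DN of the authenticated user
 * @param realm realm name where the user was authenticated
 * @return Identity object, or {@code null} when AMSDK is not configured or the DN
 *         cannot be resolved through AMSDK
 * @throws IdRepoException if {@code amsdkdn} is {@code null} or not a syntactically
 *         valid DN, or if the underlying components throw an exception while
 *         obtaining the identity object
 */
public static AMIdentity getIdentity(SSOToken token, String amsdkdn, String realm) throws IdRepoException {
    // Reject anything that is not a well-formed DN before any lookup is attempted.
    if (amsdkdn == null || !LDAPUtils.isDN(amsdkdn)) {
        Object[] args = { amsdkdn };
        throw (new IdRepoException(IdRepoBundle.BUNDLE_NAME, IdRepoErrorCode.ILLEGAL_UNIVERSAL_IDENTIFIER, args));
    }
    DN amsdkdnObject = LDAPUtils.newDN(amsdkdn);
    // Try constructing the identity object directly from a universal identifier
    if (amsdkdn.toLowerCase().startsWith("id=")) {
        try {
            return (new AMIdentity(amsdkdnObject, token));
        } catch (IdRepoException ide) {
            // this could be a AMSDK DN. Follow the AMSDK rules
            if (debug.messageEnabled()) {
                debug.message("IdUtils:getIdentity(token, " + amsdkdn + ") got exception: " + ide.getMessage() + "\n\tContinuing with AMSDK DN check");
            }
        }
    }
    // Check for Special Users
    initializeSpecialUsers();
    if (specialUsers.contains(DNUtils.normalizeDN(amsdkdn))) {
        return new AMIdentity(amsdkdnObject, token, LDAPUtils.rdnValueFromDn(amsdkdnObject), IdType.USER, ROOT_SUFFIX);
    }
    // Only continue when AMSDK is enabled and configured, globally and (if given) for the realm.
    try {
        if (!ServiceManager.isAMSDKEnabled() || ((realm != null) && !OrgConfigViaAMSDK.isAMSDKConfigured(realm)) || (!ServiceManager.isAMSDKConfigured())) {
            // Not configured for AMSDK, return
            return (null);
        }
    } catch (SMSException smse) {
        // Best effort: a failed configuration lookup is not fatal here and the AMSDK
        // path is still attempted, but record it rather than dropping it silently.
        if (debug.messageEnabled()) {
            debug.message("IdUtils.getIdentity: unable to determine AMSDK configuration, continuing with AMSDK DN check", smse);
        }
    }
    // Initialize root realm suffix, org and user naming attributes
    initializeForGetIdentity();
    // Determine if the amsdkdn is valid. Obtain name & type
    String name = null;
    IdType type = null;
    try {
        // Since we would using AMSDK, get AMDirectoryManager preload
        // all the attributes and check if it exists
        IDirectoryServices dsServices = AMDirectoryAccessFactory.getDirectoryServices();
        // force multiple another directory lookup
        try {
            if (amsdkdn.startsWith(USER_NAMING_ATTR)) {
                dsServices.getAttributes(token, amsdkdn, AMObject.USER);
            }
        } catch (Exception e) {
            // This lookup only warms the cache; a failure here is expected to be
            // reported by getObjectType below, so just trace it and continue.
            if (debug.messageEnabled()) {
                debug.message("IdUtils.getIdentity: attribute preload failed for " + amsdkdn + ", continuing", e);
            }
        }
        // Getting object type would use the cached attributes
        int sdkType = dsServices.getObjectType(token, amsdkdn);
        // Convert the sdkType to IdRepo type
        type = getType(AMStoreConnection.getObjectName(sdkType));
        name = AMConstants.CONTAINER_DEFAULT_TEMPLATE_ROLE;
        if (!type.equals(IdType.REALM)) {
            name = LDAPUtils.rdnValueFromDn(amsdkdnObject);
        }
    } catch (AMException ame) {
        // Debug the message and return null
        if (debug.messageEnabled()) {
            debug.message("IdUtils.getIdentity: Unable to resolve " + "AMSDK DN: " + amsdkdn, ame);
        }
        return (null);
    } catch (SSOException ssoe) {
        // Debug the message and return null
        if (debug.messageEnabled()) {
            debug.message("IdUtils.getIdentity: Unable to resolve " + "AMSDK DN. Got SSOException", ssoe);
        }
        return (null);
    }
    // Need to determine realm for amsdkdn
    String srealm = ROOT_SUFFIX;
    if (!amsdkdn.equals(ROOT_SUFFIX) && !amsdkdn.equals(SERVICES_SUFFIX)) {
        // Need to get the object type and walk up the tree
        int index = amsdkdn.indexOf(ORG_NAMING_ATTR);
        if (index == 0) {
            srealm = OrgConfigViaAMSDK.getRealmForAMSDK(amsdkdn, realm);
        } else if (index > 0) {
            srealm = OrgConfigViaAMSDK.getRealmForAMSDK(amsdkdn.substring(index), realm);
        }
        if (debug.messageEnabled()) {
            debug.message("IdUtils.getIdentity:: amsdkdn=" + amsdkdn + " maps to realm=" + srealm);
        }
    } else if (amsdkdn.equals(SERVICES_SUFFIX)) {
        // Since amsdkdn points to services node,
        // it should be reset to root suffix
        // NOTE(review): this only reassigns the local String; the identity below is
        // built from amsdkdnObject, parsed from the original value — confirm whether
        // the DN object was meant to be rebuilt from ROOT_SUFFIX as well.
        amsdkdn = ROOT_SUFFIX;
    }
    return (new AMIdentity(amsdkdnObject, token, name, type, srealm));
}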
Also used : SMSException(com.sun.identity.sm.SMSException) AMException(com.iplanet.am.sdk.AMException) DN(org.forgerock.opendj.ldap.DN) SSOException(com.iplanet.sso.SSOException) SMSException(com.sun.identity.sm.SMSException) AMException(com.iplanet.am.sdk.AMException) SSOException(com.iplanet.sso.SSOException) IDirectoryServices(com.iplanet.am.sdk.common.IDirectoryServices) AMObject(com.iplanet.am.sdk.AMObject)

Example 3 with DN

use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.

the class LdapTokenAttributeConversionTest method shouldProduceDNWithTokenId.

@Test
public void shouldProduceDNWithTokenId() {
    // Given: a configuration whose token store root suffix is the root DN
    final String tokenId = "badger";
    final LdapDataLayerConfiguration configuration = mock(LdapDataLayerConfiguration.class);
    given(configuration.getTokenStoreRootSuffix()).willReturn(DN.rootDN());
    final LdapTokenAttributeConversion conversion =
            new LdapTokenAttributeConversion(new LDAPDataConversion(), configuration);

    // When
    final DN generated = conversion.generateTokenDN(tokenId);

    // Then: the root suffix was consulted and the token id appears in the DN
    verify(configuration).getTokenStoreRootSuffix();
    assertTrue(generated.toString().contains(tokenId));
}
Also used : LdapDataLayerConfiguration(org.forgerock.openam.sm.datalayer.impl.ldap.LdapDataLayerConfiguration) DN(org.forgerock.opendj.ldap.DN) Test(org.testng.annotations.Test)

Example 4 with DN

use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.

the class LDAPUsers method getUserDN.

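/**
 * Gets the DN for the user identified by the token. If the Directory server is
 * locally installed, no directory search is performed (to speed up evaluation) and
 * the DN obtained from the token is returned. If the directory is remote, the user
 * name is taken from the value of the first RDN of the token's principal name and an
 * LDAP search is performed to get the user DN.
 *
 * @param token single-sign-on token of the user
 * @return the resolved user DN, or {@code null} when the remote search returns no entry
 * @throws SSOException if the token is not valid
 * @throws PolicyException if the principal name is not a usable local DN, or if the
 *         directory search fails or exceeds its size or time limit
 */
private DN getUserDN(SSOToken token) throws SSOException, PolicyException {
    Set<String> qualifiedUserDNs = new HashSet<>();
    String userLocalDN = token.getPrincipal().getName();
    DN userDN = null;
    if (localDS && !PolicyUtils.principalNameEqualsUuid(token)) {
        userDN = DN.valueOf(userLocalDN);
    } else {
        // try to figure out the user name from the local user DN (value of its first RDN)
        int beginIndex = userLocalDN.indexOf("=");
        int endIndex = userLocalDN.indexOf(",");
        if ((beginIndex <= 0) || (endIndex <= 0) || (beginIndex >= endIndex)) {
            throw (new PolicyException(ResBundleUtils.rbName, "ldapusers_subject_invalid_local_user_dn", null, null));
        }
        String userName = userLocalDN.substring(beginIndex + 1, endIndex);
        // NOTE(review): userName is spliced into an LDAP search filter; this relies on
        // PolicyUtils.constructUserFilter applying filter-value escaping — confirm.
        String searchFilter;
        if ((userSearchFilter != null) && !(userSearchFilter.length() == 0)) {
            searchFilter = "(&" + userSearchFilter + PolicyUtils.constructUserFilter(token, userRDNAttrName, userName, aliasEnabled) + ")";
        } else {
            searchFilter = PolicyUtils.constructUserFilter(token, userRDNAttrName, userName, aliasEnabled);
        }
        if (debug.messageEnabled()) {
            debug.message("LDAPUsers.getUserDN(): search filter is: " + searchFilter);
        }
        String[] attrs = { userRDNAttrName };
        // search the remote ldap and find out the user DN
        try (Connection ld = connPool.getConnection()) {
            ConnectionEntryReader res = search(searchFilter, ld, attrs);
            while (res.hasNext()) {
                try {
                    SearchResultEntry entry = res.readEntry();
                    qualifiedUserDNs.add(entry.getName().toString());
                } catch (SearchResultReferenceIOException e) {
                    // ignore referrals and keep reading entries
                } catch (LdapException e) {
                    String[] objs = { orgName };
                    ResultCode resultCode = e.getResult().getResultCode();
                    if (resultCode.equals(ResultCode.SIZE_LIMIT_EXCEEDED)) {
                        debug.warning("LDAPUsers.getUserDN(): exceeded the size limit");
                        throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_size_limit", objs, null);
                    } else if (resultCode.equals(ResultCode.TIME_LIMIT_EXCEEDED)) {
                        debug.warning("LDAPUsers.getUserDN(): exceeded the time limit");
                        throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_time_limit", objs, null);
                    } else {
                        throw new PolicyException(e);
                    }
                }
            }
        } catch (PolicyException e) {
            // Already translated above (size/time limit or a wrapped read failure):
            // rethrow as-is so the generic catch below does not wrap it a second time
            // and hide the resource-bundle key from the caller.
            throw e;
        } catch (LdapException e) {
            throw handleResultException(e);
        } catch (Exception e) {
            throw new PolicyException(e);
        }
        // check if the user belongs to any of the selected users
        if (!qualifiedUserDNs.isEmpty()) {
            debug.message("LDAPUsers.getUserDN(): qualified users={}", qualifiedUserDNs);
            // we only take the first qualified DN
            // NOTE(review): HashSet iteration order is unspecified, so with several
            // matches the chosen DN is arbitrary — confirm whether more than one match
            // should instead be treated as ambiguous.
            userDN = DN.valueOf(qualifiedUserDNs.iterator().next());
        }
    }
    return userDN;
}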
Also used : Connection(org.forgerock.opendj.ldap.Connection) DN(org.forgerock.opendj.ldap.DN) ByteString(org.forgerock.opendj.ldap.ByteString) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) LdapException(org.forgerock.opendj.ldap.LdapException) NameNotFoundException(com.sun.identity.policy.NameNotFoundException) PolicyException(com.sun.identity.policy.PolicyException) InvalidNameException(com.sun.identity.policy.InvalidNameException) SSOException(com.iplanet.sso.SSOException) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) PolicyException(com.sun.identity.policy.PolicyException) LdapException(org.forgerock.opendj.ldap.LdapException) ResultCode(org.forgerock.opendj.ldap.ResultCode) HashSet(java.util.HashSet) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 5 with DN

use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.

the class LDAPUsers method isMember.

/**
 * Determines if the user belongs to this instance of the {@code LDAPUsers} object.
 *
 * <p>Each selected user DN is first looked up in the {@code SubjectEvaluationCache};
 * only on a cache miss is the user's DN resolved from the directory (once per call)
 * and compared, after which the outcome is cached. An SSO token listener is
 * registered for the token id when it is not already present in
 * {@code PolicyEvaluator.ssoListenerRegistry}.
 *
 * @param token single-sign-on token of the user
 *
 * @return <code>true</code> if the user is a member of the
 * given subject; <code>false</code> otherwise.
 *
 * @exception SSOException if SSO token is not valid
 * @exception PolicyException if an error occurred while
 * checking if the user is a member of this subject
 */
public boolean isMember(SSOToken token) throws SSOException, PolicyException {
    final String principalName = token.getPrincipal().getName();
    final String sessionId = token.getTokenID().toString();
    if (debug.messageEnabled()) {
        debug.message("LDAPUsers.isMember(): user local DN is " + principalName);
    }
    boolean matched = false;
    boolean listenerRegistered = false;
    DN resolvedUserDN = null;
    for (String candidateDN : selectedRFCUserDNs) {
        Boolean cached = SubjectEvaluationCache.isMember(sessionId, ldapServer, candidateDN);
        if (cached != null) {
            debug.message("LDAPUsers.isMember():Got membership from cache of {} in subject user {} : {}", principalName, candidateDN, cached);
            if (cached) {
                return true;
            }
            continue;
        }
        // cache miss: resolve the user's DN from the directory (at most once) and compare
        if (debug.messageEnabled()) {
            debug.message("LDAPUsers:isMember():entry for " + candidateDN + " not in subject evaluation cache, fetching from " + "directory server.");
        }
        if (resolvedUserDN == null) {
            resolvedUserDN = getUserDN(token);
            if (resolvedUserDN == null) {
                if (debug.messageEnabled()) {
                    debug.message("LDAPUsers.isMember(): User {} is not found in the directory", token.getPrincipal().getName());
                }
                return false;
            }
        }
        // matched is still false here: a true value breaks out of the loop below
        matched = resolvedUserDN.equals(DN.valueOf(candidateDN));
        if (debug.messageEnabled()) {
            debug.message("LDAPUsers.isMember:adding entry " + sessionId + " " + ldapServer + " " + candidateDN + " " + matched + " in subject evaluation cache.");
        }
        SubjectEvaluationCache.addEntry(sessionId, ldapServer, candidateDN, matched);
        if (!listenerRegistered && !PolicyEvaluator.ssoListenerRegistry.containsKey(sessionId)) {
            token.addSSOTokenListener(PolicyEvaluator.ssoListener);
            PolicyEvaluator.ssoListenerRegistry.put(sessionId, PolicyEvaluator.ssoListener);
            debug.message("LDAPUsers.isMember(): sso listener added");
            listenerRegistered = true;
        }
        if (matched) {
            break;
        }
    }
    if (matched) {
        debug.message("LDAPUsers.isMember(): User {} is a member of this LDAPUsers object", principalName);
    } else {
        debug.message("LDAPUsers.isMember(): User {} is not a member of this LDAPUsers object", principalName);
    }
    return matched;
}
Also used : DN(org.forgerock.opendj.ldap.DN) ByteString(org.forgerock.opendj.ldap.ByteString)
