use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.
the class DirectoryServicesImpl method validateAttributeUniqueness.
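/**
 * Validates attribute uniqueness for {@code entryDN} against the unique-attribute
 * list ({@code UNIQUE_ATTRIBUTE_LIST_ATTRIBUTE}) configured on each organization or
 * organizational unit between the SDK base DN and the entry's parent. For every
 * level that declares such a list, an LDAP filter is built from the values in
 * {@code modMap} (and, for a new entry, from the entry's own RDN) and a subtree
 * search is run under that level; any match other than the entry itself is a
 * violation.
 *
 * <p>The check is best-effort and fails open: template profile types, DNs with
 * fewer than two RDNs, a level whose object type cannot be determined and an
 * {@link SSOException} all make the method return without validating (the failure
 * is only logged).
 *
 * @param entryDN
 *            DN of the entry being created or modified
 * @param profileType
 *            AMObject / AMTemplate profile type of the entry
 * @param newEntry
 *            true if creating a new entry; the entry's naming attribute and a
 *            type-specific objectclass clause are then added to the filter
 * @param modMap
 *            attributes being written; handed to {@code getAttrValues} to collect
 *            the values to check (presumably attribute name to value set — confirm
 *            against callers)
 * @throws AMException
 *             if attribute uniqueness is violated
 */
void validateAttributeUniqueness(String entryDN, int profileType, boolean newEntry, Map modMap) throws AMException {
    if (modMap == null || modMap.isEmpty()) {
        return;
    }
    try {
        if (profileType == AMTemplate.DYNAMIC_TEMPLATE || profileType == AMTemplate.ORGANIZATION_TEMPLATE
                || profileType == AMTemplate.POLICY_TEMPLATE) {
            // no namespace validation for these objects
            return;
        }
        DN dn = DN.valueOf(entryDN);
        int size = dn.size();
        if (size < 2) {
            return;
        }
        // The walk below rebuilds orgDN from rdns.get(size - 1) downwards and uses
        // rdns.get(0) as the entry's own RDN, i.e. it assumes the iterator yields
        // the leaf RDN first.
        List<RDN> rdns = new ArrayList<>();
        for (Iterator<RDN> iter = dn.iterator(); iter.hasNext(); ) {
            rdns.add(iter.next());
        }
        String orgDN = rdns.get(rdns.size() - 1).toString();
        AMStoreConnection amsc = new AMStoreConnection(CommonUtils.getInternalToken());
        DN rootDN = DN.valueOf(AMStoreConnection.getAMSdkBaseDN());
        DN thisDN = DN.valueOf(orgDN);
        // Walk from the top-most RDN down to the entry's parent, checking each level.
        for (int i = size - 2; i >= 0; i--) {
            if (debug.messageEnabled()) {
                debug.message("AMObjectImpl.validateAttributeUniqueness: " + "try DN = " + orgDN);
            }
            int type = -1;
            // Levels that are ancestors of the SDK base DN are not AM objects; type stays
            // -1 and the level is skipped.
            if (!rootDN.isInScopeOf(thisDN, SearchScope.SUBORDINATES)) {
                try {
                    type = amsc.getAMObjectType(orgDN);
                } catch (AMException ame) {
                    if (debug.warningEnabled()) {
                        debug.warning("AMObjectImpl." + "validateAttributeUniqueness: " + "Unable to determine object type of " + orgDN + " :Attribute uniqueness check aborted..", ame);
                    }
                    // Fail-open: the remaining levels are not checked either.
                    return;
                }
            }
            Set list = null;
            AMObject amobj = null;
            if (type == AMObject.ORGANIZATION) {
                AMOrganization amorg = amsc.getOrganization(orgDN);
                list = amorg.getAttribute(UNIQUE_ATTRIBUTE_LIST_ATTRIBUTE);
                amobj = amorg;
            } else if (type == AMObject.ORGANIZATIONAL_UNIT) {
                AMOrganizationalUnit amorgu = amsc.getOrganizationalUnit(orgDN);
                list = amorgu.getAttribute(UNIQUE_ATTRIBUTE_LIST_ATTRIBUTE);
                amobj = amorgu;
            }
            if ((list != null) && !list.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("AMObjectImpl." + "validateAttributeUniqueness: list =" + list);
                }
                /*
                 * After adding the uniquness attributes 'ou,cn' to the
                 * list, creating a role with the same name as the existing
                 * user say 'amadmin' fails with 'Attribute uniqueness
                 * violation' The filter (|(cn='attrname')) is used for all
                 * objects. Fixed the code to look for 'Role' profile types
                 * and set the filter as
                 * (&(objectclass=ldapsubentry)
                 * (objectclass=nsroledefinition)
                 * (cn='attrname'))
                 *
                 * The same issue happens when a group is created with
                 * existing user name. Fixed the code to look for 'Group'
                 * profile types and set the filter as
                 * (&(objectClass=groupofuniquenames)
                 * (objectClass=iplanet-am-managed-group)(cn='attrname'))
                 * The logic in the while loop is iterate through the
                 * attribute unique list and check if the list contains the
                 * naming attribute of the object we are trying to create.
                 * If the naming attribute is in the list,then look if the
                 * profile type of the object we are trying to create is
                 * 'role' or 'group', add appropriate objectclasses and the
                 * entry rdn to the search filter. This filter is used to
                 * search the iDS and determine the attribute uniqueness
                 * violation. The boolean variable 'attrExists' is set to
                 * false initially. This variable is set to true when the
                 * profile type is 'role' or 'group'. The check for this
                 * boolean variable decides the number of matching closing
                 * parens of the three different types of filters.
                 */
                // attrExists is scoped to this level: newEntrySB is rebuilt for every
                // level, so a stale true carried over from a previous level would close
                // a plain "(|" filter with "))" and leave it unbalanced.
                boolean attrExists = false;
                Iterator iter = list.iterator();
                StringBuilder filterSB = new StringBuilder();
                StringBuilder newEntrySB = new StringBuilder();
                filterSB.append("(|");
                while (iter.hasNext()) {
                    String[] attrList = getAttrList((String) iter.next());
                    Set attr = getAttrValues(attrList, modMap);
                    for (int j = 0; j < attrList.length; j++) {
                        String attrName = attrList[j];
                        if (attrName.equals(getNamingAttribute(profileType)) && newEntry) {
                            if ((profileType == AMObject.ROLE) || (profileType == AMObject.MANAGED_ROLE)
                                    || (profileType == AMObject.FILTERED_ROLE)) {
                                newEntrySB.append("(&");
                                newEntrySB.append("(objectclass=ldapsubentry)");
                                newEntrySB.append("(" + "objectclass=nsroledefinition)");
                                attrExists = true;
                            } else if ((profileType == AMObject.GROUP) || (profileType == AMObject.STATIC_GROUP)
                                    || (profileType == AMObject.ASSIGNABLE_DYNAMIC_GROUP)
                                    || (profileType == AMObject.DYNAMIC_GROUP)) {
                                newEntrySB.append("(&");
                                newEntrySB.append("(objectclass=iplanet-am-managed-group)");
                                newEntrySB.append("(objectclass=groupofuniquenames)");
                                attrExists = true;
                            } else if (profileType == AMObject.ORGANIZATION) {
                                newEntrySB.append("(&(!");
                                newEntrySB.append("(objectclass=");
                                newEntrySB.append(SMSEntry.OC_REALM_SERVICE);
                                newEntrySB.append("))");
                                attrExists = true;
                            }
                            // NOTE(review): the entry's RDN is appended in DN string form, which
                            // is not filter-escaped; an RDN value containing '*', '(' or ')'
                            // is passed through unchanged here.
                            filterSB.append("(").append(rdns.get(0)).append(")");
                        }
                        if (attr != null && !attr.isEmpty()) {
                            // The values come from the caller's modMap, so escape them
                            // (RFC 4515) to keep filter metacharacters literal.
                            Iterator itr = attr.iterator();
                            while (itr.hasNext()) {
                                filterSB.append("(").append(attrName).append("=")
                                        .append(escapeUniquenessFilterValue(String.valueOf(itr.next())))
                                        .append(")");
                            }
                        }
                    }
                }
                // "(|" alone means no clause was added for this level.
                if (filterSB.length() > 2) {
                    if (attrExists) {
                        // pre-pend the creation filter part to the filter
                        // This is being done so that the filter is
                        // correctly created as
                        // (&(<creation-filter)(|(<attr filter>)))
                        newEntrySB.append(filterSB.toString()).append("))");
                        filterSB = newEntrySB;
                    } else {
                        filterSB.append(")");
                    }
                    if (debug.messageEnabled()) {
                        debug.message("AMObjectImpl." + "validateAttributeUniqueness: " + "filter = " + filterSB.toString());
                    }
                    Set users = amobj.search(AMConstants.SCOPE_SUB, filterSB.toString());
                    // A single match that is the entry itself (modify case) is not a violation.
                    if (users != null && users.size() == 1) {
                        String userDN = (String) users.iterator().next();
                        DN dnObject = DN.valueOf(userDN);
                        if (dnObject.equals(DN.valueOf(entryDN))) {
                            return;
                        }
                    }
                    if ((users != null) && !users.isEmpty()) {
                        throw new AMException(AMSDKBundle.getString("162"), "162");
                    }
                }
            }
            orgDN = rdns.get(i).toString() + "," + orgDN;
            thisDN = DN.valueOf(orgDN);
        }
    } catch (SSOException ex) {
        if (debug.warningEnabled()) {
            debug.warning("Unable to validate attribute uniqneness", ex);
        }
    }
}

/**
 * Escapes a value for use as an assertion value inside an LDAP search filter
 * (RFC 4515 section 3): {@code *}, {@code (}, {@code )}, {@code \} and NUL are
 * replaced by their {@code \xx} hex form so they are matched literally.
 *
 * @param value
 *            raw attribute value
 * @return the value with filter metacharacters escaped
 */
private static String escapeUniquenessFilterValue(String value) {
    StringBuilder escaped = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
            case '*':
                escaped.append("\\2a");
                break;
            case '(':
                escaped.append("\\28");
                break;
            case ')':
                escaped.append("\\29");
                break;
            case '\\':
                escaped.append("\\5c");
                break;
            case '\0':
                escaped.append("\\00");
                break;
            default:
                escaped.append(c);
        }
    }
    return escaped.toString();
}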
use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.
the class CachedRemoteServicesImpl method getOrganizationDN.
/**
 * Returns the DN of the organization that contains {@code entryDN}; when the entry
 * is itself an organization or organizational unit, its own DN is returned.
 * <p>
 * <b>NOTE:</b> this may perform several directory searches, so be mindful of the
 * performance cost.
 * <p>
 * Unlike the other overridden methods this one does not delegate straight to the
 * base class: it first consults the SDK cache at every level of the DN and only
 * falls back to {@code verifyAndGetOrgDN} for levels the cache cannot answer.
 * Every DN visited on the way up is recorded so that the result can be cached for
 * all of them via {@code setOrganizationDNs}.
 *
 * @param token
 *            a valid SSOToken
 * @param entryDN
 *            the entry whose parent organization is to be obtained
 * @return the DN string of the parent organization; {@code null} or empty if the
 *         root suffix was reached without finding one
 * @throws AMException
 *             if {@code entryDN} is empty/invalid, or if the base class lookup fails
 */
public String getOrganizationDN(SSOToken token, String entryDN) throws AMException {
    DN currentDN = DN.valueOf(entryDN);
    if (entryDN.length() == 0 || currentDN.size() <= 0) {
        getDebug().error("CachedRemoteServicesImpl.getOrganizationDN() " + "Invalid DN: " + entryDN);
        throw new AMException(token, "157");
    }
    String orgDN = "";
    Set visited = new HashSet();
    // Climb one RDN per iteration until an organization is found or the root suffix
    // is reached.
    while (true) {
        boolean consultDirectory = true;
        String candidate = currentDN.toString().toLowerCase();
        if (getDebug().messageEnabled()) {
            getDebug().message("CachedRemoteServicesImpl." + "getOrganizationDN() - looping Organization DN for" + " entry: " + candidate);
        }
        CacheBlock cached = (CacheBlock) sdkCache.get(candidate);
        if (cached != null) {
            orgDN = cached.getOrganizationDN();
            if (orgDN != null) {
                // Cache already knows the organization of this level.
                if (getDebug().messageEnabled()) {
                    getDebug().message("CachedRemoteServicesImpl." + "getOrganizationDN(): found OrganizationDN: " + orgDN + " for: " + candidate);
                }
                setOrganizationDNs(orgDN, visited);
                return orgDN;
            }
            int objectType = cached.getObjectType();
            if (objectType == AMObject.ORGANIZATION || objectType == AMObject.ORGANIZATIONAL_UNIT) {
                // This level is itself the organization.
                orgDN = candidate;
                visited.add(candidate);
                setOrganizationDNs(orgDN, visited);
                return orgDN;
            }
            if (objectType != AMObject.UNDETERMINED_OBJECT_TYPE) {
                // Known non-organization object: no point querying the directory.
                consultDirectory = false;
            }
        }
        visited.add(candidate);
        if (consultDirectory) {
            orgDN = super.verifyAndGetOrgDN(token, entryDN, candidate);
        }
        if (orgDN != null && orgDN.length() > 0) {
            setOrganizationDNs(orgDN, visited);
            return orgDN;
        }
        if (currentDN.size() == 1) {
            // Topmost level reached without an answer.
            getDebug().error("CachedRemoteServicesImpl." + "getOrganizationDN(): Reached root suffix. Unable to" + " get parent Org");
            return orgDN;
        }
        currentDN = currentDN.parent();
    }
}
use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.
the class DomainComponentTree method mapDCToDomainName.
/**
 * Maps a domain component of the dctree to its virtual domain name: the DN of
 * {@code dc} is renamed relative to the dctree root, and the attribute values of
 * the resulting RDN are joined with {@code "."}.
 *
 * @param dc
 *            A domain component that lives in the dctree
 * @return the fully qualified domain name, or {@code null} when no dctree root is
 *         configured
 * @supported.api
 */
public String mapDCToDomainName(DomainComponent dc) {
    if (m_dcRoot == null) {
        return null;
    }
    DN rootDN = DN.valueOf(m_dcRoot.getDN());
    DN dcDN = DN.valueOf(dc.getDN());
    // Strip the dctree root prefix, then read the labels from the remaining RDN.
    Iterator<AVA> labels = dcDN.rename(rootDN, DN.rootDN()).rdn().iterator();
    String fqdn = labels.next().getAttributeValue().toString();
    for (;;) {
        if (!labels.hasNext()) {
            return fqdn;
        }
        // Join subsequent labels with the "." separator.
        fqdn = fqdn + "." + labels.next().getAttributeValue().toString();
    }
}
use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.
the class AMObjectImpl method setAciForRole.
/**
 * Gets set of DN:ACI in attribute "iplanet-am-role-aci-list" in the role
 * and sets aci accordingly.
 * <p>
 * Each value is expected in the form {@code <targetDN>:aci:<aci>}; values
 * without {@code ":aci:"} are ignored. The values are visited in sorted order
 * (TreeSet), and consecutive values for the same target DN are grouped: the
 * target's current "aci" attribute is read once, the ACIs it does not already
 * contain are collected, and they are written with {@code setAttribute("aci", ...)}
 * followed by {@code store(true)} when the target changes and once more after
 * the last value. Grouping therefore relies on the sort order keeping values for
 * the same target adjacent.
 * <p>
 * Any exception while reading a target is logged at message level, treated as a
 * read denial, and suppresses the write for that target; a failed write inside
 * the loop is logged and otherwise ignored, whereas the final write after the
 * loop is not guarded and propagates.
 *
 * @param role
 *            Role
 * @throws AMException
 *             if there is an internal problem with AM Store.
 * @throws SSOException
 *             if the sign-on is no longer valid.
 */
void setAciForRole(AMRole role) throws AMException, SSOException {
    Set aciSet = new TreeSet(role.getAttribute("iplanet-am-role-aci-list"));
    Iterator iter = aciSet.iterator();
    DN targetDN = null;
    Set acis = new HashSet();
    // NOTE(review): newAcis is never cleared when targetDN changes, so ACIs
    // collected for an earlier target are also written to every later target.
    // Confirm whether this accumulation is intended.
    Set newAcis = new HashSet();
    boolean needUpdate = false;
    boolean denied = false;
    AMObjectImpl targetObj = null;
    while (iter.hasNext()) {
        String aci = (String) iter.next();
        int index = aci.indexOf(":aci:");
        if (index != -1) {
            DN tmpDN = DN.valueOf(aci.substring(0, index));
            // 5 == ":aci:".length()
            String newAci = aci.substring(index + 5).trim();
            if (targetDN == null) {
                // First target: open it and read its current ACIs.
                targetDN = tmpDN;
                try {
                    targetObj = new AMObjectImpl(token, targetDN.toString(), UNKNOWN_OBJECT_TYPE);
                    acis = targetObj.getAttribute("aci");
                    if (!acis.contains(newAci)) {
                        needUpdate = true;
                        newAcis.add(newAci);
                    }
                } catch (Exception ex) {
                    // Any failure here is treated as a read denial for this target.
                    if (debug.messageEnabled()) {
                        debug.message("AMObject.setAciForRole :" + targetDN.toString() + " read access denied." + ex);
                    }
                    denied = true;
                }
            } else if (tmpDN.equals(targetDN)) {
                // Same target as the previous value: only collect what is missing.
                if (!(denied || acis.contains(newAci))) {
                    needUpdate = true;
                    newAcis.add(newAci);
                }
            } else {
                // Target changed: flush pending ACIs to the previous target first.
                if ((!denied) && needUpdate) {
                    try {
                        targetObj.setAttribute("aci", newAcis);
                        targetObj.store(true);
                    } catch (Exception ex) {
                        if (debug.messageEnabled()) {
                            debug.message("AMObject.setAciForRole :" + targetDN.toString() + " write access denied." + ex);
                        }
                    }
                }
                needUpdate = false;
                denied = false;
                targetDN = tmpDN;
                try {
                    targetObj = new AMObjectImpl(token, targetDN.toString(), UNKNOWN_OBJECT_TYPE);
                    acis = targetObj.getAttribute("aci");
                    if (!acis.contains(newAci)) {
                        needUpdate = true;
                        newAcis.add(newAci);
                    }
                } catch (Exception ex) {
                    if (debug.messageEnabled()) {
                        debug.message("AMObject.setAciForRole :" + targetDN.toString() + " read access denied." + ex);
                    }
                    denied = true;
                }
            }
        }
    }
    // Flush the last target. needUpdate is only true when targetObj was opened
    // successfully, so targetObj is non-null here; unlike the in-loop write this
    // is not wrapped in try/catch, so a failure propagates to the caller.
    if (needUpdate) {
        targetObj.setAttribute("aci", newAcis);
        targetObj.store(true);
    }
}
use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.
the class AMObjectImpl method createAdminRole.
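/**
 * Creates the administrator role for this object: "People Container Admin" when
 * the profile type is {@code PEOPLE_CONTAINER}, "Group Admin" otherwise. The role
 * is created in the organization of this entry's parent, and its RDN value is this
 * entry's DN with commas replaced by underscores.
 *
 * @throws SSOException
 *             if the sign-on is no longer valid
 * @throws AMException
 *             propagated from the organization lookup or the role creation
 */
void createAdminRole() throws SSOException, AMException {
    if (debug.messageEnabled()) {
        debug.message("AMObject.createAdminRole : dn=" + entryDN);
    }
    DN ldapDN = DN.valueOf(entryDN);
    String orgDN = dsServices.getOrganizationDN(token, ldapDN.parent().toString());
    // Both profile types build the same role DN; only the permission name differs.
    // Only commas are replaced so the whole entry DN fits in a single RDN value;
    // other DN-special characters are passed through as before.
    String roleDN = AMNamingAttrManager.getNamingAttr(ROLE) + "=" + ldapDN.toString().replace(',', '_') + "," + orgDN;
    String permission = (profileType == PEOPLE_CONTAINER) ? "People Container Admin" : "Group Admin";
    createAdminRole(permission, orgDN, roleDN);
}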