Example 21 with DN

use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.

In the class DirectoryServicesImpl, method validateAttributeUniqueness.

/**
 * Validate attribute uniqueness.
 *
 * @param entryDN
 *            DN of the entry being created or modified
 * @param profileType
 *            AMObject profile type of the entry
 * @param newEntry
 *            true if create a new user
 * @param modMap
 *            attribute names mapped to the values being set; nothing is
 *            checked when it is null or empty
 * @throws AMException
 *             if attribute uniqueness is violated
 */
void validateAttributeUniqueness(String entryDN, int profileType, boolean newEntry, Map modMap) throws AMException {
    boolean attrExists = false;
    if (modMap == null || modMap.isEmpty()) {
        return;
    }
    try {
        if (profileType == AMTemplate.DYNAMIC_TEMPLATE || profileType == AMTemplate.ORGANIZATION_TEMPLATE || profileType == AMTemplate.POLICY_TEMPLATE) {
            // no namespace validation for these objects
            return;
        }
        DN dn = DN.valueOf(entryDN);
        int size = dn.size();
        if (size < 2) {
            return;
        }
        // Collect the RDNs; as consumed below, rdns.get(0) is the entry's own
        // (leaf) RDN and the last element is the top-level suffix component.
        List<RDN> rdns = new ArrayList<>();
        for (Iterator<RDN> iter = dn.iterator(); iter.hasNext(); ) {
            rdns.add(iter.next());
        }
        String orgDN = rdns.get(rdns.size() - 1).toString();
        AMStoreConnection amsc = new AMStoreConnection(CommonUtils.getInternalToken());
        DN rootDN = DN.valueOf(AMStoreConnection.getAMSdkBaseDN());
        DN thisDN = DN.valueOf(orgDN);
        for (int i = size - 2; i >= 0; i--) {
            if (debug.messageEnabled()) {
                debug.message("AMObjectImpl.validateAttributeUniqueness: " + "try DN = " + orgDN);
            }
            int type = -1;
            if (!rootDN.isInScopeOf(thisDN, SearchScope.SUBORDINATES)) {
                try {
                    type = amsc.getAMObjectType(orgDN);
                } catch (AMException ame) {
                    if (debug.warningEnabled()) {
                        debug.warning("AMObjectImpl." + "validateAttributeUniqueness: " + "Unable to determine object type of " + orgDN + " :Attribute uniqueness check aborted..", ame);
                    }
                    return;
                }
            }
            Set list = null;
            AMObject amobj = null;
            if (type == AMObject.ORGANIZATION) {
                AMOrganization amorg = amsc.getOrganization(orgDN);
                list = amorg.getAttribute(UNIQUE_ATTRIBUTE_LIST_ATTRIBUTE);
                amobj = amorg;
            } else if (type == AMObject.ORGANIZATIONAL_UNIT) {
                AMOrganizationalUnit amorgu = amsc.getOrganizationalUnit(orgDN);
                list = amorgu.getAttribute(UNIQUE_ATTRIBUTE_LIST_ATTRIBUTE);
                amobj = amorgu;
            }
            if ((list != null) && !list.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("AMObjectImpl." + "validateAttributeUniqueness: list =" + list);
                }
                /*
                 * After adding the uniqueness attributes 'ou,cn' to the
                 * list, creating a role with the same name as an existing
                 * user, say 'amadmin', fails with 'Attribute uniqueness
                 * violation'. The filter (|(cn='attrname')) is used for all
                 * objects. Fixed the code to look for 'Role' profile types
                 * and set the filter as
                 * (&(objectclass=ldapsubentry)
                 * (objectclass=nsroledefinition)
                 * (cn='attrname'))
                 *
                 * The same issue happens when a group is created with an
                 * existing user name. Fixed the code to look for 'Group'
                 * profile types and set the filter as
                 * (&(objectClass=groupofuniquenames)
                 * (objectClass=iplanet-am-managed-group)(cn='attrname'))
                 * The logic in the while loop is to iterate through the
                 * attribute unique list and check if the list contains the
                 * naming attribute of the object we are trying to create.
                 * If the naming attribute is in the list, then look if the
                 * profile type of the object we are trying to create is
                 * 'role' or 'group', add appropriate objectclasses and the
                 * entry rdn to the search filter. This filter is used to
                 * search the iDS and determine the attribute uniqueness
                 * violation. The boolean variable 'attrExists' is set to
                 * false initially. This variable is set to true when the
                 * profile type is 'role' or 'group'. The check for this
                 * boolean variable decides the number of matching closing
                 * parens of the three different types of filters.
                 */
                Iterator iter = list.iterator();
                StringBuffer filterSB = new StringBuffer();
                StringBuffer newEntrySB = new StringBuffer();
                filterSB.append("(|");
                while (iter.hasNext()) {
                    String[] attrList = getAttrList((String) iter.next());
                    Set attr = getAttrValues(attrList, modMap);
                    for (int j = 0; j < attrList.length; j++) {
                        String attrName = attrList[j];
                        if (attrName.equals(getNamingAttribute(profileType)) && newEntry) {
                            if ((profileType == AMObject.ROLE) || (profileType == AMObject.MANAGED_ROLE) || (profileType == AMObject.FILTERED_ROLE)) {
                                newEntrySB.append("(&");
                                newEntrySB.append("(objectclass=ldapsubentry)");
                                newEntrySB.append("(" + "objectclass=nsroledefinition)");
                                attrExists = true;
                            } else if ((profileType == AMObject.GROUP) || (profileType == AMObject.STATIC_GROUP) || (profileType == AMObject.ASSIGNABLE_DYNAMIC_GROUP) || (profileType == AMObject.DYNAMIC_GROUP)) {
                                newEntrySB.append("(&");
                                newEntrySB.append("(objectclass=iplanet-am-managed-group)");
                                newEntrySB.append("(objectclass=groupofuniquenames)");
                                attrExists = true;
                            } else if (profileType == AMObject.ORGANIZATION) {
                                newEntrySB.append("(&(!");
                                newEntrySB.append("(objectclass=");
                                newEntrySB.append(SMSEntry.OC_REALM_SERVICE);
                                newEntrySB.append("))");
                                attrExists = true;
                            }
                            filterSB.append("(").append(rdns.get(0)).append(")");
                        }
                        if (attr != null && !attr.isEmpty()) {
                            // The values taken from modMap are appended to the
                            // search filter as-is; no LDAP filter-value escaping
                            // is applied at this point.
                            Iterator itr = attr.iterator();
                            while (itr.hasNext()) {
                                filterSB.append("(").append(attrName);
                                filterSB.append("=").append(itr.next());
                                filterSB.append(")");
                            }
                        }
                    } // end for each attribute name
                }
                if (filterSB.length() > 2) {
                    if (attrExists) {
                        // pre-pend the creation filter part to the filter
                        // This is being done so that the filter is
                        // correctly created as
                        // (&(<creation-filter)(|(<attr filter>)))
                        newEntrySB.append(filterSB.toString()).append("))");
                        filterSB = newEntrySB;
                    } else {
                        filterSB.append(")");
                    }
                    if (debug.messageEnabled()) {
                        debug.message("AMObjectImpl." + "validateAttributeUniqueness: " + "filter = " + filterSB.toString());
                    }
                    Set users = amobj.search(AMConstants.SCOPE_SUB, filterSB.toString());
                    // If the only match is the entry itself (modify case),
                    // ignore the violation
                    if (users != null && users.size() == 1) {
                        String userDN = (String) users.iterator().next();
                        DN dnObject = DN.valueOf(userDN);
                        if (dnObject.equals(DN.valueOf(entryDN))) {
                            return;
                        }
                    }
                    if ((users != null) && !users.isEmpty()) {
                        throw new AMException(AMSDKBundle.getString("162"), "162");
                    }
                }
            }
            orgDN = rdns.get(i).toString() + "," + orgDN;
            thisDN = DN.valueOf(orgDN);
        }
    } catch (SSOException ex) {
        if (debug.warningEnabled()) {
            debug.warning("Unable to validate attribute uniqueness", ex);
        }
    }
}

Example 22 with DN

use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.

In the class CachedRemoteServicesImpl, method getOrganizationDN.

/**
 * Gets the Organization DN for the specified entryDN. If the entry itself
 * is an org, then the same DN is returned.
 * <p>
 * <b>NOTE:</b> This method will involve several directory searches, hence
 * be cautious of the performance hit.
 *
 * <p>
 * Unlike the rest of the overridden methods, this method does not call its
 * base class's method to obtain the organization DN, as it has special
 * processing requirements.
 *
 * @param token
 *            a valid SSOToken
 * @param entryDN
 *            the entry whose parent Organization is to be obtained
 * @return the DN String of the parent Organization
 * @throws AMException
 *             if an error occurred while obtaining the parent Organization
 */
public String getOrganizationDN(SSOToken token, String entryDN) throws AMException {
    DN dnObject = DN.valueOf(entryDN);
    if (entryDN.length() == 0 || dnObject.size() <= 0) {
        getDebug().error("CachedRemoteServicesImpl.getOrganizationDN() " + "Invalid DN: " + entryDN);
        throw new AMException(token, "157");
    }
    String organizationDN = "";
    Set childDNSet = new HashSet();
    boolean errorCondition = false;
    boolean found = false;
    while (!errorCondition && !found) {
        boolean lookupDirectory = true;
        String childDN = dnObject.toString().toLowerCase();
        if (getDebug().messageEnabled()) {
            getDebug().message("CachedRemoteServicesImpl." + "getOrganizationDN() - looping Organization DN for" + " entry: " + childDN);
        }
        CacheBlock cb = (CacheBlock) sdkCache.get(childDN);
        if (cb != null) {
            organizationDN = cb.getOrganizationDN();
            if (organizationDN != null) {
                if (getDebug().messageEnabled()) {
                    getDebug().message("CachedRemoteServicesImpl." + "getOrganizationDN(): found OrganizationDN: " + organizationDN + " for: " + childDN);
                }
                found = true;
                setOrganizationDNs(organizationDN, childDNSet);
                continue;
            } else if (cb.getObjectType() == AMObject.ORGANIZATION || cb.getObjectType() == AMObject.ORGANIZATIONAL_UNIT) {
                // Object type is organization
                organizationDN = childDN;
                found = true;
                childDNSet.add(childDN);
                setOrganizationDNs(organizationDN, childDNSet);
                continue;
            } else if (cb.getObjectType() != AMObject.UNDETERMINED_OBJECT_TYPE) {
                // Don't lookup directory if the object type is unknown
                lookupDirectory = false;
            }
        }
        childDNSet.add(childDN);
        if (lookupDirectory) {
            organizationDN = super.verifyAndGetOrgDN(token, entryDN, childDN);
        }
        if (organizationDN != null && organizationDN.length() > 0) {
            found = true;
            setOrganizationDNs(organizationDN, childDNSet);
        } else if (dnObject.size() == 1) {
            // Reached topmost level
            errorCondition = true;
            getDebug().error("CachedRemoteServicesImpl." + "getOrganizationDN(): Reached root suffix. Unable to" + " get parent Org");
        } else {
            // Climb tree on level up
            dnObject = dnObject.parent();
        }
    }
    return organizationDN;
}

Example 23 with DN

use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.

In the class DomainComponentTree, method mapDCToDomainName.

/**
 * Given a domain component in a dctree, maps it to a
 * virtual domain name.
 *
 * @param dc
 *            A domain component that lives in the dctree
 * @return Fully qualified domain name
 * @supported.api
 */
public String mapDCToDomainName(DomainComponent dc) {
    if (m_dcRoot == null) {
        return null;
    }
    DN rootDN = DN.valueOf(m_dcRoot.getDN());
    DN dcDN = DN.valueOf(dc.getDN());
    Iterator<AVA> iterator = dcDN.rename(rootDN, DN.rootDN()).rdn().iterator();
    String domainName = iterator.next().getAttributeValue().toString();
    // Compose the fully qualified domain name with the "." character
    while (iterator.hasNext()) {
        domainName += "." + iterator.next().getAttributeValue().toString();
    }
    return domainName;
}

Example 24 with DN

use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.

In the class AMObjectImpl, method setAciForRole.

/**
 * Gets the set of DN:ACI entries in attribute "iplanet-am-role-aci-list" in
 * the role and sets the aci accordingly.
 *
 * @param role
 *            Role
 * @throws AMException
 *             if there is an internal problem with AM Store.
 * @throws SSOException
 *             if the sign-on is no longer valid.
 */
void setAciForRole(AMRole role) throws AMException, SSOException {
    Set aciSet = new TreeSet(role.getAttribute("iplanet-am-role-aci-list"));
    Iterator iter = aciSet.iterator();
    DN targetDN = null;
    Set acis = new HashSet();
    Set newAcis = new HashSet();
    boolean needUpdate = false;
    boolean denied = false;
    AMObjectImpl targetObj = null;
    while (iter.hasNext()) {
        String aci = (String) iter.next();
        int index = aci.indexOf(":aci:");
        if (index != -1) {
            DN tmpDN = DN.valueOf(aci.substring(0, index));
            String newAci = aci.substring(index + 5).trim();
            if (targetDN == null) {
                targetDN = tmpDN;
                try {
                    targetObj = new AMObjectImpl(token, targetDN.toString(), UNKNOWN_OBJECT_TYPE);
                    acis = targetObj.getAttribute("aci");
                    if (!acis.contains(newAci)) {
                        needUpdate = true;
                        newAcis.add(newAci);
                    }
                } catch (Exception ex) {
                    if (debug.messageEnabled()) {
                        debug.message("AMObject.setAciForRole :" + targetDN.toString() + " read access denied." + ex);
                    }
                    denied = true;
                }
            } else if (tmpDN.equals(targetDN)) {
                if (!(denied || acis.contains(newAci))) {
                    needUpdate = true;
                    newAcis.add(newAci);
                }
            } else {
                if ((!denied) && needUpdate) {
                    try {
                        targetObj.setAttribute("aci", newAcis);
                        targetObj.store(true);
                    } catch (Exception ex) {
                        if (debug.messageEnabled()) {
                            debug.message("AMObject.setAciForRole :" + targetDN.toString() + " write access denied." + ex);
                        }
                    }
                }
                needUpdate = false;
                denied = false;
                targetDN = tmpDN;
                try {
                    targetObj = new AMObjectImpl(token, targetDN.toString(), UNKNOWN_OBJECT_TYPE);
                    acis = targetObj.getAttribute("aci");
                    if (!acis.contains(newAci)) {
                        needUpdate = true;
                        newAcis.add(newAci);
                    }
                } catch (Exception ex) {
                    if (debug.messageEnabled()) {
                        debug.message("AMObject.setAciForRole :" + targetDN.toString() + " read access denied." + ex);
                    }
                    denied = true;
                }
            }
        }
    }
    if (needUpdate) {
        targetObj.setAttribute("aci", newAcis);
        targetObj.store(true);
    }
}

Example 25 with DN

use of org.forgerock.opendj.ldap.DN in project OpenAM by OpenRock.

In the class AMObjectImpl, method createAdminRole.

void createAdminRole() throws SSOException, AMException {
    if (debug.messageEnabled()) {
        debug.message("AMObject.createAdminRole : dn=" + entryDN);
    }
    DN ldapDN = DN.valueOf(entryDN);
    String orgDN = dsServices.getOrganizationDN(token, ldapDN.parent().toString());
    String permission;
    String roleDN;
    if (profileType == PEOPLE_CONTAINER) {
        permission = "People Container Admin";
        roleDN = AMNamingAttrManager.getNamingAttr(ROLE) + "=" + ldapDN.toString().replace(',', '_') + "," + orgDN;
        createAdminRole(permission, orgDN, roleDN);
    } else {
        permission = "Group Admin";
        roleDN = AMNamingAttrManager.getNamingAttr(ROLE) + "=" + ldapDN.toString().replace(',', '_') + "," + orgDN;
        createAdminRole(permission, orgDN, roleDN);
    }
}