use of org.forgerock.opendj.ldap.requests.BindRequest in project OpenAM by OpenRock.
the class LDAPAuthUtils method authenticate.
/**
 * Binds to the directory as {@code userDN} with {@code userPassword} (a simple bind on a connection from
 * getConnection()) and turns the outcome into module state: SUCCESS when the bind succeeds and no password
 * policy controls come back, the state chosen by processPasswordPolicyControls when controls are present,
 * PASSWORD_EXPIRED_STATE or SERVER_DOWN for the corresponding server responses, and an LDAPUtilException
 * for every other failure. When {@code beheraEnabled} is set the password policy request control is attached
 * so the server reports expiry and lockout details alongside the bind result.
 *
 * @throws LDAPUtilException keyed "CredInvalid" for a wrong password, "UsrNotExist" when the bind DN does not
 * exist, "FConnect" when the server is unwilling to perform the bind, "InappAuth" for inappropriate
 * authentication, the retry-limit key for a constraint violation, or "FAuth" for any other LDAP error.
 */
private void authenticate() throws LDAPUtilException {
Connection conn = null;
List<Control> controls = null;
try {
try {
// Simple bind: the password is sent as-is, so it is only as private as the transport behind
// getConnection() — assumed to be TLS-protected; confirm against the connection factory settings.
BindRequest bindRequest = LDAPRequests.newSimpleBindRequest(userDN, userPassword.toCharArray());
if (beheraEnabled) {
// Non-critical (false) so a server that does not support the control still processes the bind.
bindRequest.addControl(PasswordPolicyRequestControl.newControl(false));
}
conn = getConnection();
BindResult bindResult = conn.bind(bindRequest);
controls = processControls(bindResult);
} finally {
// Release the connection before interpreting the controls; nothing below needs it.
if (conn != null) {
conn.close();
}
}
// Were there any password policy controls returned?
PasswordPolicyResult result = checkControls(controls);
if (result == null) {
if (debug.messageEnabled()) {
debug.message("No controls returned");
}
setState(ModuleState.SUCCESS);
} else {
// The bind succeeded but the server attached policy information; the control handler picks the state.
processPasswordPolicyControls(result);
}
} catch (LdapException ere) {
if (ere.getResult().getResultCode().equals(ResultCode.INVALID_CREDENTIALS)) {
if (!isAd) {
// A rejected bind can still carry a password policy response control explaining why.
controls = processControls(ere.getResult());
PasswordPolicyResult result = checkControls(controls);
if (result != null && result.getPasswordPolicyErrorType() != null && result.getPasswordPolicyErrorType().equals(PasswordPolicyErrorType.PASSWORD_EXPIRED)) {
if (result.getPasswordPolicyWarningType() != null) {
//this case the credential was actually wrong
// (an expiry error that arrives together with a warning is treated as a password mismatch)
throw new LDAPUtilException("CredInvalid", ResultCode.INVALID_CREDENTIALS, null);
} else {
if (debug.messageEnabled()) {
debug.message("Password expired and must be reset");
}
// Expired password: record the state instead of failing, so the caller can drive a reset.
setState(ModuleState.PASSWORD_EXPIRED_STATE);
}
} else if (result != null && result.getPasswordPolicyErrorType() != null && result.getPasswordPolicyErrorType().equals(PasswordPolicyErrorType.ACCOUNT_LOCKED)) {
if (debug.messageEnabled()) {
debug.message("Account Locked");
}
processPasswordPolicyControls(result);
} else {
// No usable policy control: plain wrong password.
if (debug.messageEnabled()) {
debug.message("Failed auth due to invalid credentials");
}
throw new LDAPUtilException("CredInvalid", ResultCode.INVALID_CREDENTIALS, null);
}
} else {
// Active Directory reports policy outcomes in the diagnostic message text rather than in controls.
PasswordPolicyResult result = checkADResult(ere.getResult().getDiagnosticMessage());
if (result != null) {
processPasswordPolicyControls(result);
} else {
if (debug.messageEnabled()) {
debug.message("Failed auth due to invalid credentials");
}
throw new LDAPUtilException("CredInvalid", ResultCode.INVALID_CREDENTIALS, null);
}
}
} else if (ere.getResult().getResultCode().equals(ResultCode.NO_SUCH_OBJECT)) {
// NOTE(review): this raises a different key ("UsrNotExist") than a wrong password ("CredInvalid").
// If the caller maps the two keys to different user-visible messages, a client can tell existing
// user names from non-existing ones — check what is shown for each key.
if (debug.messageEnabled()) {
debug.message("user does not exist");
}
throw new LDAPUtilException("UsrNotExist", ResultCode.NO_SUCH_OBJECT, null);
} else if (ere.getResult().getResultCode().equals(ResultCode.CLIENT_SIDE_CONNECT_ERROR) || ere.getResult().getResultCode().equals(ResultCode.CLIENT_SIDE_SERVER_DOWN) || ere.getResult().getResultCode().equals(ResultCode.UNAVAILABLE) || ere.getResult().getResultCode().equals(ResultCode.CLIENT_SIDE_TIMEOUT)) {
// Transport-level failures become a module state rather than an exception.
if (debug.messageEnabled()) {
debug.message("Cannot connect to " + servers, ere);
}
setState(ModuleState.SERVER_DOWN);
} else if (ere.getResult().getResultCode().equals(ResultCode.UNWILLING_TO_PERFORM)) {
if (debug.messageEnabled()) {
debug.message(servers + " unwilling to perform auth request");
}
// cases for err=53
// - disconnect in progress
// - backend unavailable (read-only, etc)
// - server locked down
// - reject unauthenticated requests
// - low disk space (updates only)
// - bind with no password (binds only)
// The server's own message is passed through as the exception argument.
String[] args = { ere.getMessage() };
throw new LDAPUtilException("FConnect", ResultCode.UNWILLING_TO_PERFORM, args);
} else if (ere.getResult().getResultCode().equals(ResultCode.INAPPROPRIATE_AUTHENTICATION)) {
// RFC 4511: the server requires credentials of a kind the client did not supply.
if (debug.messageEnabled()) {
debug.message("Failed auth due to inappropriate authentication");
}
throw new LDAPUtilException("amAuth", "InappAuth", ResultCode.INAPPROPRIATE_AUTHENTICATION, null);
} else if (ere.getResult().getResultCode().equals(ResultCode.CONSTRAINT_VIOLATION)) {
// Constraint violation on a bind is interpreted here as the password retry limit being exceeded.
if (debug.messageEnabled()) {
debug.message("Exceed password retry limit.");
}
throw new LDAPUtilException(ISAuthConstants.EXCEED_RETRY_LIMIT, ResultCode.CONSTRAINT_VIOLATION, null);
} else {
// Catch-all: the LdapException is logged at debug level but not chained into the thrown exception.
if (debug.messageEnabled()) {
debug.message("Cannot authenticate to " + servers, ere);
}
throw new LDAPUtilException("amAuth", "FAuth", null, null);
}
}
}
use of org.forgerock.opendj.ldap.requests.BindRequest in project OpenAM by OpenRock.
the class DJLDAPv3Repo method authenticate.
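/**
 * Tries to bind as the user with the credentials passed in via callbacks. This authentication mechanism does not
 * handle password policies, nor password expiration.
 * <p>
 * The user name is taken from the {@link NameCallback} and the password from the {@link PasswordCallback}
 * (if several of one kind are present, the last one wins). An empty password is rejected before any bind is
 * attempted: a simple bind with a DN and a zero-length password is an unauthenticated bind (RFC 4513
 * section 5.1.2), which some directories accept as anonymous, and {@code bindResult.isSuccess()} would then
 * report success without the password ever having been checked.
 *
 * @param credentials The username/password combination.
 * @return <code>true</code> if the bind operation was successful.
 * @throws IdRepoException If the passed in callbacks, username or password were null, the password was empty,
 * or if the specified user cannot be found.
 * @throws AuthLoginException If an LDAP error occurs during authentication.
 * @throws InvalidPasswordException If the provided password is not valid, so Account Lockout can be triggered.
 */
@Override
public boolean authenticate(Callback[] credentials) throws IdRepoException, AuthLoginException {
    if (DEBUG.messageEnabled()) {
        DEBUG.message("authenticate invoked");
    }
    if (credentials == null) {
        throw newIdRepoException(IdRepoErrorCode.UNABLE_TO_AUTHENTICATE, CLASS_NAME);
    }
    String userName = null;
    char[] password = null;
    for (Callback callback : credentials) {
        if (callback instanceof NameCallback) {
            userName = ((NameCallback) callback).getName();
        } else if (callback instanceof PasswordCallback) {
            password = ((PasswordCallback) callback).getPassword();
        }
    }
    // Refuse to bind without a real password: a zero-length password turns the simple bind into an
    // unauthenticated bind, which must never count as proof of identity.
    if (userName == null || password == null || password.length == 0) {
        throw newIdRepoException(IdRepoErrorCode.UNABLE_TO_AUTHENTICATE, CLASS_NAME);
    }
    String dn = findDNForAuth(IdType.USER, userName);
    Connection conn = null;
    try {
        BindRequest bindRequest = LDAPRequests.newSimpleBindRequest(dn, password);
        conn = bindConnectionFactory.getConnection();
        BindResult bindResult = conn.bind(bindRequest);
        return bindResult.isSuccess();
    } catch (LdapException ere) {
        ResultCode resultCode = ere.getResult().getResultCode();
        // The exception carries the result code and diagnostic message, not the password.
        if (DEBUG.messageEnabled()) {
            DEBUG.message("An error occurred while trying to authenticate a user: " + ere.toString());
        }
        if (resultCode.equals(ResultCode.INVALID_CREDENTIALS)) {
            // Distinct exception type so the caller can count this towards account lockout.
            throw new InvalidPasswordException(AM_AUTH, "InvalidUP", null, userName, null);
        } else if (resultCode.equals(ResultCode.UNWILLING_TO_PERFORM) || resultCode.equals(ResultCode.CONSTRAINT_VIOLATION)) {
            throw new AuthLoginException(AM_AUTH, "FAuth", null);
        } else if (resultCode.equals(ResultCode.INAPPROPRIATE_AUTHENTICATION)) {
            throw new AuthLoginException(AM_AUTH, "InappAuth", null);
        } else {
            throw new AuthLoginException(AM_AUTH, "LDAPex", null);
        }
    } finally {
        // Always return the connection, whether the bind succeeded, failed or threw.
        IOUtils.closeIfNotNull(conn);
    }
}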
use of org.forgerock.opendj.ldap.requests.BindRequest in project ddf by codice.
the class SslLdapLoginModule method doLogin.
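/**
 * Authenticates the caller against LDAP in three round trips, each on a fresh connection taken from
 * {@code ldapConnectionFactory}: (1) bind with the configured connection credentials and search for the
 * user's DN under {@code userBaseDN}; (2) bind as that DN with the password collected from the callback
 * handler; (3) bind with the connection credentials again and collect role entries under {@code roleBaseDN}.
 * On success {@code principals} holds a {@code UserPrincipal} for the user plus one {@code RolePrincipal}
 * per value of {@code roleNameAttribute} found.
 * <p>
 * A missing or empty user password fails the login before any user bind is attempted, because a simple
 * bind with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that some directories
 * accept as anonymous instead of rejecting.
 *
 * @return {@code true} when the user DN was found, the user's own bind succeeded and the role search
 * completed; {@code false} on any connection, bind or lookup failure.
 * @throws LoginException if the callback handler cannot supply the credentials, or the role search fails.
 */
protected boolean doLogin() throws LoginException {
    //--------- EXTRACT USERNAME AND PASSWORD FOR LDAP LOOKUP -------------
    Callback[] callbacks = new Callback[2];
    callbacks[0] = new NameCallback("Username: ");
    callbacks[1] = new PasswordCallback("Password: ", false);
    try {
        callbackHandler.handle(callbacks);
    } catch (IOException ioException) {
        throw new LoginException(ioException.getMessage());
    } catch (UnsupportedCallbackException unsupportedCallbackException) {
        throw new LoginException(unsupportedCallbackException.getMessage() + " not available to obtain information from user.");
    }
    user = ((NameCallback) callbacks[0]).getName();
    if (user == null) {
        return false;
    }
    user = user.trim();
    // Assumed to reject characters that are special in an LDAP filter; the substitutions below only
    // regex-quote the replacement, they do not apply RFC 4515 filter escaping — confirm.
    validateUsername(user);
    char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
    // A user password was supplied, so an anonymous ("none") connection bind makes no sense here.
    if ("none".equalsIgnoreCase(getBindMethod()) && (tmpPassword != null)) {
        LOGGER.debug("Changing from authentication = none to simple since user or password was specified.");
        // default to simple so that the provided user/password will get checked
        setBindMethod(DEFAULT_AUTHENTICATION);
    }
    // Never bind the user with an empty password: that would be an unauthenticated bind, which a
    // directory may accept as anonymous and thereby "succeed" without checking anything.
    if (tmpPassword == null || tmpPassword.length == 0) {
        LOGGER.debug("Rejecting login for user {}: no password supplied.", user);
        return false;
    }
    //---------------------------------------------------------------------
    // RESET OBJECT STATE AND DECLARE LOCAL VARS
    principals = new HashSet<>();
    Connection connection;
    String userDn;
    //------------- CREATE CONNECTION #1 ----------------------------------
    try {
        connection = ldapConnectionFactory.getConnection();
    } catch (LdapException e) {
        LOGGER.info("Unable to get LDAP Connection from factory.", e);
        return false;
    }
    if (connection != null) {
        try {
            //------------- BIND #1 (CONNECTION USERNAME & PASSWORD) --------------
            try {
                BindRequest request;
                // Method names are matched case-sensitively; anything unknown falls back to a simple bind.
                switch(getBindMethod()) {
                    case "Simple":
                        request = Requests.newSimpleBindRequest(connectionUsername, connectionPassword);
                        break;
                    case "SASL":
                        request = Requests.newPlainSASLBindRequest(connectionUsername, connectionPassword);
                        break;
                    case "GSSAPI SASL":
                        request = Requests.newGSSAPISASLBindRequest(connectionUsername, connectionPassword);
                        ((GSSAPISASLBindRequest) request).setRealm(realm);
                        ((GSSAPISASLBindRequest) request).setKDCAddress(kdcAddress);
                        break;
                    case "Digest MD5 SASL":
                        request = Requests.newDigestMD5SASLBindRequest(connectionUsername, connectionPassword);
                        ((DigestMD5SASLBindRequest) request).setCipher(DigestMD5SASLBindRequest.CIPHER_HIGH);
                        // Reset the QOP list to auth-conf, auth-int, auth in that order.
                        ((DigestMD5SASLBindRequest) request).getQOPs().clear();
                        ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_CONF);
                        ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_INT);
                        ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH);
                        if (StringUtils.isNotEmpty(realm)) {
                            ((DigestMD5SASLBindRequest) request).setRealm(realm);
                        }
                        break;
                    default:
                        request = Requests.newSimpleBindRequest(connectionUsername, connectionPassword);
                        break;
                }
                BindResult bindResult = connection.bind(request);
                if (!bindResult.isSuccess()) {
                    LOGGER.debug("Bind failed");
                    return false;
                }
            } catch (LdapException e) {
                LOGGER.debug("Unable to bind to LDAP server.", e);
                return false;
            }
            //--------- SEARCH #1, FIND USER DISTINGUISHED NAME -----------
            SearchScope scope;
            if (userSearchSubtree) {
                scope = SearchScope.WHOLE_SUBTREE;
            } else {
                scope = SearchScope.SINGLE_LEVEL;
            }
            // NOTE(review): userFilter (and roleFilter below) look like instance fields and are overwritten
            // with the substituted filter; that is only safe if this module instance serves one login — confirm.
            userFilter = userFilter.replaceAll(Pattern.quote("%u"), Matcher.quoteReplacement(user));
            userFilter = userFilter.replace("\\", "\\\\");
            ConnectionEntryReader entryReader = connection.search(userBaseDN, scope, userFilter);
            try {
                if (!entryReader.hasNext()) {
                    LOGGER.info("User {} not found in LDAP.", user);
                    return false;
                }
                // Only the first matching entry is used.
                SearchResultEntry searchResultEntry = entryReader.readEntry();
                userDn = searchResultEntry.getName().toString();
            } catch (LdapException | SearchResultReferenceIOException e) {
                LOGGER.info("Unable to read contents of LDAP user search.", e);
                return false;
            }
        } finally {
            //------------ CLOSE CONNECTION -------------------------------
            connection.close();
        }
    } else {
        return false;
    }
    //------------- CREATE CONNECTION #2 ----------------------------------
    try {
        connection = ldapConnectionFactory.getConnection();
    } catch (LdapException e) {
        LOGGER.info("Unable to get LDAP Connection from factory.", e);
        return false;
    }
    if (connection != null) {
        // Validate user's credentials.
        try {
            BindResult bindResult = connection.bind(userDn, tmpPassword);
            if (!bindResult.isSuccess()) {
                LOGGER.info("Bind failed");
                return false;
            }
        } catch (Exception e) {
            LOGGER.info("Unable to bind user to LDAP server.", e);
            return false;
        } finally {
            //------------ CLOSE CONNECTION -------------------------------
            connection.close();
        }
        //---------- ADD USER AS PRINCIPAL --------------------------------
        principals.add(new UserPrincipal(user));
    } else {
        return false;
    }
    //-------------- CREATE CONNECTION #3 ---------------------------------
    try {
        connection = ldapConnectionFactory.getConnection();
    } catch (LdapException e) {
        LOGGER.info("Unable to get LDAP Connection from factory.", e);
        return false;
    }
    if (connection != null) {
        try {
            //----- BIND #3 (CONNECTION USERNAME & PASSWORD) --------------
            try {
                BindResult bindResult = connection.bind(connectionUsername, connectionPassword);
                if (!bindResult.isSuccess()) {
                    LOGGER.info("Bind failed");
                    return false;
                }
            } catch (LdapException e) {
                LOGGER.info("Unable to bind to LDAP server.", e);
                return false;
            }
            //--------- SEARCH #3, GET ROLES ------------------------------
            SearchScope scope;
            if (roleSearchSubtree) {
                scope = SearchScope.WHOLE_SUBTREE;
            } else {
                scope = SearchScope.SINGLE_LEVEL;
            }
            roleFilter = roleFilter.replaceAll(Pattern.quote("%u"), Matcher.quoteReplacement(user));
            roleFilter = roleFilter.replaceAll(Pattern.quote("%dn"), Matcher.quoteReplacement(userBaseDN));
            roleFilter = roleFilter.replaceAll(Pattern.quote("%fqdn"), Matcher.quoteReplacement(userDn));
            roleFilter = roleFilter.replace("\\", "\\\\");
            ConnectionEntryReader entryReader = connection.search(roleBaseDN, scope, roleFilter, roleNameAttribute);
            SearchResultEntry entry;
            //------------- ADD ROLES AS NEW PRINCIPALS -------------------
            try {
                while (entryReader.hasNext()) {
                    entry = entryReader.readEntry();
                    Attribute attr = entry.getAttribute(roleNameAttribute);
                    for (ByteString role : attr) {
                        principals.add(new RolePrincipal(role.toString()));
                    }
                }
            } catch (Exception e) {
                throw new LoginException("Can't get user " + user + " roles: " + e.getMessage());
            }
        } finally {
            //------------ CLOSE CONNECTION -------------------------------
            connection.close();
        }
    } else {
        return false;
    }
    return true;
}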
use of org.forgerock.opendj.ldap.requests.BindRequest in project ddf by codice.
the class BindMethodChooser method selectBindMethod.
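/**
 * Builds the {@link BindRequest} for the configured bind method.
 * <p>
 * {@code bindMethod} is matched case-sensitively against {@code "Simple"}, {@code "SASL"} (SASL PLAIN),
 * {@code "GSSAPI SASL"} and {@code "Digest MD5 SASL"}; any other value falls back to a simple bind.
 * Simple and SASL PLAIN requests carry the password as-is, so they are only as private as the transport
 * the request is eventually sent over. {@code realm} is always applied to the GSSAPI request but only
 * applied to the DIGEST-MD5 request when non-empty; {@code kdcAddress} is used by GSSAPI only.
 *
 * @param bindMethod one of the method names above; must not be {@code null}.
 * @param bindUserDN the bind DN or authentication id.
 * @param bindUserCredentials the bind password; must not be {@code null}.
 * @param realm the Kerberos / DIGEST-MD5 realm (may be empty).
 * @param kdcAddress the KDC address for GSSAPI (ignored by the other methods).
 * @return the populated bind request.
 * @throws NullPointerException if {@code bindMethod} or {@code bindUserCredentials} is {@code null}.
 */
public static BindRequest selectBindMethod(String bindMethod, String bindUserDN, String bindUserCredentials, String realm, String kdcAddress) {
    java.util.Objects.requireNonNull(bindMethod, "bindMethod");
    // Fail early with a named argument instead of an NPE from toCharArray() inside the switch.
    char[] password = java.util.Objects.requireNonNull(bindUserCredentials, "bindUserCredentials").toCharArray();
    switch (bindMethod) {
        case "Simple":
            return Requests.newSimpleBindRequest(bindUserDN, password);
        case "SASL":
            return Requests.newPlainSASLBindRequest(bindUserDN, password);
        case "GSSAPI SASL": {
            GSSAPISASLBindRequest request = Requests.newGSSAPISASLBindRequest(bindUserDN, password);
            request.setRealm(realm);
            request.setKDCAddress(kdcAddress);
            return request;
        }
        case "Digest MD5 SASL": {
            DigestMD5SASLBindRequest request = Requests.newDigestMD5SASLBindRequest(bindUserDN, password);
            request.setCipher(DigestMD5SASLBindRequest.CIPHER_HIGH);
            // Reset the QOP list to auth-conf, auth-int, auth in that order.
            request.getQOPs().clear();
            request.getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_CONF);
            request.getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_INT);
            request.getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH);
            if (StringUtils.isNotEmpty(realm)) {
                request.setRealm(realm);
            }
            return request;
        }
        default:
            return Requests.newSimpleBindRequest(bindUserDN, password);
    }
}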
use of org.forgerock.opendj.ldap.requests.BindRequest in project admin-console-beta by connexta.
the class LdapTestingUtils method bindUserToLdapConnection.
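/**
 * Binds the user to the LDAP connection.
 * <p>
 * Possible message types: CANNOT_CONFIGURE, CANNOT_CONNECT, CANNOT_BIND. Connection failures are reported
 * by the attempt returned from {@code getLdapConnection}; a bind failure closes the connection that was
 * just opened (it would otherwise be leaked, since the failed attempt does not carry it) and is reported
 * as CANNOT_BIND. The bind request is built by {@code selectBindMethod} with no KDC address, so a GSSAPI
 * bind through this path gets none set explicitly.
 *
 * @param connField the connection settings used to open the connection.
 * @param bindInfo the bind method, credentials and realm to bind with.
 * @return the attempt carrying the bound connection, or the failure message type.
 */
public LdapConnectionAttempt bindUserToLdapConnection(LdapConnectionField connField, LdapBindUserInfo bindInfo) {
    LdapConnectionAttempt connectionAttempt = getLdapConnection(connField);
    if (!connectionAttempt.connection().isPresent()) {
        return connectionAttempt;
    }
    Connection connection = connectionAttempt.connection().get();
    try {
        BindRequest bindRequest = selectBindMethod(bindInfo.bindMethod(), bindInfo.credentials().username(), bindInfo.credentials().password(), bindInfo.realm(), null);
        connection.bind(bindRequest);
    } catch (Exception e) {
        LOGGER.debug("Error binding to LDAP", e);
        // The caller never sees this connection on the failure path, so release it here instead of leaking it.
        connection.close();
        return new LdapConnectionAttempt(CANNOT_BIND);
    }
    return new LdapConnectionAttempt(connection);
}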