Example 1 with AssignableDynamicGroup
use of com.iplanet.ums.AssignableDynamicGroup in project OpenAM by OpenRock.
the class DirectoryServicesImpl method getMembers.
/**
* Get members for roles, dynamic group or static group
*
* @param token
* SSOToken
* @param entryDN
* DN of the role or group
* @param objectType
* objectType of the target object, AMObject.ROLE or
* AMObject.GROUP
* @return Set Member DNs
*/
public Set getMembers(SSOToken token, String entryDN, int objectType) throws AMException {
try {
SearchResults results;
switch(objectType) {
case AMObject.ROLE:
case AMObject.MANAGED_ROLE:
ManagedRole role = (ManagedRole) UMSObject.getObject(token, new Guid(entryDN));
results = role.getMemberIDs();
return searchResultsToSet(results);
case AMObject.FILTERED_ROLE:
FilteredRole filteredRole = (FilteredRole) UMSObject.getObject(token, new Guid(entryDN));
results = filteredRole.getMemberIDs();
return searchResultsToSet(results);
case AMObject.GROUP:
case AMObject.STATIC_GROUP:
StaticGroup group = (StaticGroup) UMSObject.getObject(token, new Guid(entryDN));
results = group.getMemberIDs();
return searchResultsToSet(results);
case AMObject.DYNAMIC_GROUP:
DynamicGroup dynamicGroup = (DynamicGroup) UMSObject.getObject(token, new Guid(entryDN));
results = dynamicGroup.getMemberIDs();
return searchResultsToSet(results);
case AMObject.ASSIGNABLE_DYNAMIC_GROUP:
// TODO: See if it works after removing this workaround
// fake object to get around UMS problem.
// UMS AssignableDynamicGroup has a class resolver, it is
// added to resolver list in static block. So I need to
// construct a dummy AssignableDynamicGroup
AssignableDynamicGroup adgroup = (AssignableDynamicGroup) UMSObject.getObject(token, new Guid(entryDN));
results = adgroup.getMemberIDs();
return searchResultsToSet(results);
default:
throw new AMException(token, "114");
}
} catch (EntryNotFoundException e) {
debug.error("DirectoryServicesImpl.getMembers() entryDN " + entryDN + " objectType: " + objectType + " Unable to get members: ", e);
String msgid = getEntryNotFoundMsgID(objectType);
String entryName = getEntryName(e);
Object[] args = { entryName };
throw new AMException(AMSDKBundle.getString(msgid, args), msgid, args);
} catch (UMSException e) {
debug.error("DirectoryServicesImpl.getMembers() entryDN " + entryDN + " objectType: " + objectType + " Unable to get members: ", e);
LdapException le = (LdapException) e.getRootCause();
if (le != null) {
ResultCode resultCode = le.getResult().getResultCode();
if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode) || ResultCode.ADMIN_LIMIT_EXCEEDED.equals(resultCode)) {
throw new AMException(token, "505", e);
}
}
throw new AMException(token, "454", e);
}
}
Also used :
DynamicGroup(com.iplanet.ums.DynamicGroup)
AssignableDynamicGroup(com.iplanet.ums.AssignableDynamicGroup)
UMSException(com.iplanet.ums.UMSException)
AMException(com.iplanet.am.sdk.AMException)
Guid(com.iplanet.ums.Guid)
AMSearchResults(com.iplanet.am.sdk.AMSearchResults)
SearchResults(com.iplanet.ums.SearchResults)
StaticGroup(com.iplanet.ums.StaticGroup)
ManagedRole(com.iplanet.ums.ManagedRole)
FilteredRole(com.iplanet.ums.FilteredRole)
EntryNotFoundException(com.iplanet.ums.EntryNotFoundException)
LdapException(org.forgerock.opendj.ldap.LdapException)
AssignableDynamicGroup(com.iplanet.ums.AssignableDynamicGroup)
ResultCode(org.forgerock.opendj.ldap.ResultCode)
Example 2 with AssignableDynamicGroup
use of com.iplanet.ums.AssignableDynamicGroup in project OpenAM by OpenRock.
the class ComplianceServicesImpl method verifyAndUnLinkRoleToGroup.
/**
* Verifies if the <code>roleDN</code> corresponds to an admin role. If
* true the <code>memberOf</code> and <code>adminRole</code> attributes
* of each member/user are set to null. Each of the members/users are also
* removed to the corresponding admin group.
*
* @param token
* single sign on token.
* @param members
* Set of member distinguished name to be operated.
* @param roleDN
* distinguished name of the role.
* @exception AMException
* if unsuccessful in removing the members from the
* corresponding administrative groups and updating the
* <code>memberOf</code> and <code>adminRole</code>
* attribute values to null.
*/
protected void verifyAndUnLinkRoleToGroup(SSOToken token, Set members, String roleDN) throws AMException {
// Obtain the group corresponding to roleDN
DN dn = DN.valueOf(roleDN);
String groupName = getGroupFromRoleDN(dn);
if (groupName != null) {
String orgDN = dn.parent().toString();
String groupDN = NamingAttributeManager.getNamingAttribute(AMObject.GROUP) + "=" + groupName + ",ou=Groups," + orgDN;
String groupRDN = NamingAttributeManager.getNamingAttribute(AMObject.GROUP) + "=" + groupName;
// Delete the attributes memberOf & adminRole attribute values'
// corresponding to this groupDN.
Attr[] attrs = new Attr[1];
attrs[0] = new Attr("adminrole", groupRDN);
AttrSet attrSet = new AttrSet(attrs);
Iterator itr = members.iterator();
try {
AssignableDynamicGroup group = (AssignableDynamicGroup) UMSObject.getObject(token, new Guid(groupDN));
while (itr.hasNext()) {
String memberDN = (String) itr.next();
removeAttributesFromEntry(token, memberDN, attrSet);
group.removeMember(new Guid(memberDN));
}
} catch (EntryNotFoundException ex) {
debug.error("Compliance.verifyAndUnLinkRoleToGroup: " + "Admin groups are missing");
} catch (UMSException ue) {
debug.error("Compliance." + "verifyAndUnLinkRoleToGroup(): ", ue);
throw new AMException(AMSDKBundle.getString("772"), "772");
}
}
}
Also used :
UMSException(com.iplanet.ums.UMSException)
Iterator(java.util.Iterator)
EntryNotFoundException(com.iplanet.ums.EntryNotFoundException)
AMException(com.iplanet.am.sdk.AMException)
DN(org.forgerock.opendj.ldap.DN)
Guid(com.iplanet.ums.Guid)
Attr(com.iplanet.services.ldap.Attr)
AssignableDynamicGroup(com.iplanet.ums.AssignableDynamicGroup)
AttrSet(com.iplanet.services.ldap.AttrSet)
Example 3 with AssignableDynamicGroup
use of com.iplanet.ums.AssignableDynamicGroup in project OpenAM by OpenRock.
the class ComplianceServicesImpl method verifyAndLinkRoleToGroup.
/**
* Method which verifies if the <code>roleDN</code> corresponds to an
* admin role. If true the <code>memberOf</code> and
* <code>adminRole</code> attributes of each member/user are set to the
* corresponding administration <code>groupDN</code> and administration
* <code>groupRDN</code> respectively. Each of the members/users are also
* added to the corresponding admin group.
*
* @param token
* single sign on token.
* @param membersGuid
* Guid array of members to be operated on.
* @param roleDN
* distinguished name of the role.
*
* @exception AMException
* if unsuccessful in adding the members to the corresponding
* admin group. As a result of which the memberOf and
* adminRole attributes are also not updated.
*/
protected void verifyAndLinkRoleToGroup(SSOToken token, Guid[] membersGuid, String roleDN) throws AMException {
// Obtain the group corresponding to roleDN
DN dn = DN.valueOf(roleDN);
String groupName = getGroupFromRoleDN(dn);
if (groupName != null) {
// roleDN corresponds to an admin role
String orgDN = dn.parent().toString();
String groupDN = NamingAttributeManager.getNamingAttribute(AMObject.GROUP) + "=" + groupName + ",ou=Groups," + orgDN;
String groupRDN = NamingAttributeManager.getNamingAttribute(AMObject.GROUP) + "=" + groupName;
try {
// Add the members to corresponding group.
AssignableDynamicGroup group = (AssignableDynamicGroup) UMSObject.getObject(token, new Guid(groupDN));
group.addMembers(membersGuid);
Attr[] attrs = new Attr[1];
attrs[0] = new Attr("adminrole", groupRDN);
AttrSet attrSet = new AttrSet(attrs);
int numMembers = membersGuid.length;
for (int i = 0; i < numMembers; i++) {
addAttributesToEntry(token, membersGuid[i].getDn(), attrSet);
}
} catch (EntryNotFoundException ex) {
debug.error("Compliance.verifyAndLinkRoleToGroup: " + "Admin groups are missing");
} catch (UMSException ue) {
debug.error("Compliance." + "verifyAndLinkRoleToGroup(): ", ue);
throw new AMException(AMSDKBundle.getString("771"), "771");
}
}
}
Also used :
UMSException(com.iplanet.ums.UMSException)
EntryNotFoundException(com.iplanet.ums.EntryNotFoundException)
AMException(com.iplanet.am.sdk.AMException)
DN(org.forgerock.opendj.ldap.DN)
Guid(com.iplanet.ums.Guid)
AssignableDynamicGroup(com.iplanet.ums.AssignableDynamicGroup)
Attr(com.iplanet.services.ldap.Attr)
AttrSet(com.iplanet.services.ldap.AttrSet)
Example 4 with AssignableDynamicGroup
use of com.iplanet.ums.AssignableDynamicGroup in project OpenAM by OpenRock.
the class DirectoryServicesImpl method modifyAssignDynamicGroupMembership.
private void modifyAssignDynamicGroupMembership(SSOToken token, String target, Set members, int operation, int profileType) throws UMSException, AMException {
// fake object to get around UMS problem.
// UMS AssignableDynamicGroup has a class resolver, it is
// added to resolver list in static block. So I need to
// construct a dummy AssignableDynamicGroup
AssignableDynamicGroup tmpgroup = new AssignableDynamicGroup();
AssignableDynamicGroup adgroup = (AssignableDynamicGroup) UMSObject.getObject(token, new Guid(target));
// Make call backs to the plugins to let them know modification
// to role membership.
// Since this target cannot be an Org. Get the parent
String parentDN = adgroup.getParentGuid().getDn();
String orgDN = getOrganizationDN(token, parentDN);
if (callBackHelper.isExistsPrePostPlugins(orgDN)) {
members = callBackHelper.preProcessModifyMemberShip(token, target, orgDN, members, operation, profileType);
if (members == null || members.isEmpty()) {
return;
}
}
switch(operation) {
case ADD_MEMBER:
Guid[] membersGuid = CommonUtils.toGuidArray(members);
adgroup.addMembers(CommonUtils.toGuidArray(members));
if (ComplianceServicesImpl.isAdminGroupsEnabled(AMStoreConnection.getAMSdkBaseDN())) {
complianceImpl.verifyAndLinkGroupToRole(token, membersGuid, target);
}
break;
case REMOVE_MEMBER:
Object[] entries = members.toArray();
for (int i = 0; i < entries.length; i++) {
adgroup.removeMember(new Guid((String) entries[i]));
}
// compliance related operations if needed.
if (ComplianceServicesImpl.isAdminGroupsEnabled(AMStoreConnection.getAMSdkBaseDN())) {
complianceImpl.verifyAndUnLinkGroupToRole(token, members, target);
}
break;
default:
throw new AMException(token, "114");
}
// role membership.
if (callBackHelper.isExistsPrePostPlugins(orgDN)) {
// Here the new members are just the ones added not the complete Set
callBackHelper.postProcessModifyMemberShip(token, target, orgDN, members, operation, profileType);
}
}
Also used :
AMException(com.iplanet.am.sdk.AMException)
AMObject(com.iplanet.am.sdk.AMObject)
UMSObject(com.iplanet.ums.UMSObject)
PersistentObject(com.iplanet.ums.PersistentObject)
Guid(com.iplanet.ums.Guid)
AssignableDynamicGroup(com.iplanet.ums.AssignableDynamicGroup)
Example 5 with AssignableDynamicGroup
use of com.iplanet.ums.AssignableDynamicGroup in project OpenAM by OpenRock.
the class DirectoryServicesImpl method createAssignDynamicGroup.
private void createAssignDynamicGroup(SSOToken token, PersistentObject parentObj, Map attributes, String profileName) throws UMSException, AMException {
// Invoke the Pre Processing plugin
String orgDN = getOrganizationDN(internalToken, parentObj.getDN());
String entryDN = getNamingAttribute(AMObject.GROUP) + "=" + profileName + "," + parentObj.getDN();
attributes = callBackHelper.preProcess(token, entryDN, orgDN, null, attributes, CallBackHelper.CREATE, AMObject.ASSIGNABLE_DYNAMIC_GROUP, false);
AttrSet attrSet = CommonUtils.mapToAttrSet(attributes);
makeNamingFirst(attrSet, getNamingAttribute(AMObject.ASSIGNABLE_DYNAMIC_GROUP), profileName);
TemplateManager tempMgr = TemplateManager.getTemplateManager();
CreationTemplate creationTemp = tempMgr.getCreationTemplate("BasicAssignableDynamicGroup", new Guid(orgDN), TemplateManager.SCOPE_ANCESTORS);
attrSet = combineOCs(creationTemp, attrSet);
AssignableDynamicGroup adgroup = new AssignableDynamicGroup(creationTemp, attrSet);
adgroup.setSearchFilter("(memberof=" + entryDN + ")");
adgroup.setSearchScope(SearchScope.WHOLE_SUBTREE.intValue());
adgroup.setSearchBase(new Guid(orgDN));
parentObj.addChild(adgroup);
// Invoke Post processing impls
callBackHelper.postProcess(token, adgroup.getDN(), orgDN, null, attributes, CallBackHelper.CREATE, AMObject.ASSIGNABLE_DYNAMIC_GROUP, false);
}
Also used :
CreationTemplate(com.iplanet.ums.CreationTemplate)
TemplateManager(com.iplanet.ums.TemplateManager)
Guid(com.iplanet.ums.Guid)
AssignableDynamicGroup(com.iplanet.ums.AssignableDynamicGroup)
AttrSet(com.iplanet.services.ldap.AttrSet)
Aggregations
AssignableDynamicGroup (com.iplanet.ums.AssignableDynamicGroup)5
Guid (com.iplanet.ums.Guid)5
AMException (com.iplanet.am.sdk.AMException)4
AttrSet (com.iplanet.services.ldap.AttrSet)3
EntryNotFoundException (com.iplanet.ums.EntryNotFoundException)3
UMSException (com.iplanet.ums.UMSException)3
Attr (com.iplanet.services.ldap.Attr)2
DN (org.forgerock.opendj.ldap.DN)2
AMObject (com.iplanet.am.sdk.AMObject)1
AMSearchResults (com.iplanet.am.sdk.AMSearchResults)1
CreationTemplate (com.iplanet.ums.CreationTemplate)1
DynamicGroup (com.iplanet.ums.DynamicGroup)1
FilteredRole (com.iplanet.ums.FilteredRole)1
ManagedRole (com.iplanet.ums.ManagedRole)1
PersistentObject (com.iplanet.ums.PersistentObject)1
SearchResults (com.iplanet.ums.SearchResults)1
StaticGroup (com.iplanet.ums.StaticGroup)1
TemplateManager (com.iplanet.ums.TemplateManager)1
UMSObject (com.iplanet.ums.UMSObject)1
Iterator (java.util.Iterator)1
