Example 1 with ManagedRole

Use of com.iplanet.ums.ManagedRole in project OpenAM by OpenRock.

From the class DirectoryServicesImpl, method getMembers.

/**
 * Get members for roles, dynamic group or static group
 *
 * @param token
 *            SSOToken
 * @param entryDN
 *            DN of the role or group
 * @param objectType
 *            objectType of the target object, AMObject.ROLE or
 *            AMObject.GROUP
 * @return Set Member DNs
 */
public Set getMembers(SSOToken token, String entryDN, int objectType) throws AMException {
    try {
        SearchResults results;
        switch(objectType) {
            case AMObject.ROLE:
            case AMObject.MANAGED_ROLE:
                ManagedRole role = (ManagedRole) UMSObject.getObject(token, new Guid(entryDN));
                results = role.getMemberIDs();
                return searchResultsToSet(results);
            case AMObject.FILTERED_ROLE:
                FilteredRole filteredRole = (FilteredRole) UMSObject.getObject(token, new Guid(entryDN));
                results = filteredRole.getMemberIDs();
                return searchResultsToSet(results);
            case AMObject.GROUP:
            case AMObject.STATIC_GROUP:
                StaticGroup group = (StaticGroup) UMSObject.getObject(token, new Guid(entryDN));
                results = group.getMemberIDs();
                return searchResultsToSet(results);
            case AMObject.DYNAMIC_GROUP:
                DynamicGroup dynamicGroup = (DynamicGroup) UMSObject.getObject(token, new Guid(entryDN));
                results = dynamicGroup.getMemberIDs();
                return searchResultsToSet(results);
            case AMObject.ASSIGNABLE_DYNAMIC_GROUP:
                // TODO: See if it works after removing this workaround
                // fake object to get around UMS problem.
                // UMS AssignableDynamicGroup has a class resolver, it is
                // added to resolver list in static block. So I need to
                // construct a dummy AssignableDynamicGroup
                AssignableDynamicGroup adgroup = (AssignableDynamicGroup) UMSObject.getObject(token, new Guid(entryDN));
                results = adgroup.getMemberIDs();
                return searchResultsToSet(results);
            default:
                throw new AMException(token, "114");
        }
    } catch (EntryNotFoundException e) {
        debug.error("DirectoryServicesImpl.getMembers() entryDN " + entryDN + " objectType: " + objectType + " Unable to get members: ", e);
        String msgid = getEntryNotFoundMsgID(objectType);
        String entryName = getEntryName(e);
        Object[] args = { entryName };
        throw new AMException(AMSDKBundle.getString(msgid, args), msgid, args);
    } catch (UMSException e) {
        debug.error("DirectoryServicesImpl.getMembers() entryDN " + entryDN + " objectType: " + objectType + " Unable to get members: ", e);
        LdapException le = (LdapException) e.getRootCause();
        if (le != null) {
            ResultCode resultCode = le.getResult().getResultCode();
            if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode) || ResultCode.ADMIN_LIMIT_EXCEEDED.equals(resultCode)) {
                throw new AMException(token, "505", e);
            }
        }
        throw new AMException(token, "454", e);
    }
}
Also used : DynamicGroup(com.iplanet.ums.DynamicGroup) AssignableDynamicGroup(com.iplanet.ums.AssignableDynamicGroup) UMSException(com.iplanet.ums.UMSException) AMException(com.iplanet.am.sdk.AMException) Guid(com.iplanet.ums.Guid) AMSearchResults(com.iplanet.am.sdk.AMSearchResults) SearchResults(com.iplanet.ums.SearchResults) StaticGroup(com.iplanet.ums.StaticGroup) ManagedRole(com.iplanet.ums.ManagedRole) FilteredRole(com.iplanet.ums.FilteredRole) EntryNotFoundException(com.iplanet.ums.EntryNotFoundException) LdapException(org.forgerock.opendj.ldap.LdapException) AssignableDynamicGroup(com.iplanet.ums.AssignableDynamicGroup) ResultCode(org.forgerock.opendj.ldap.ResultCode)

Example 2 with ManagedRole

Use of com.iplanet.ums.ManagedRole in project OpenAM by OpenRock.

From the class ComplianceServicesImpl, method verifyAndLinkGroupToRole.

/**
 * Method which verifies if the <code>groupDN</code> corresponds to an
 * administrative role. If true then the members listed in
 * <code>membersGuid</code> are added to the admin role.
 *
 * @param token
 *            SSO Token
 * @param membersGuid
 *            Guid array of members to be operated on
 * @param groupDN
 *            DN of the role
 *
 * @exception AMException
 *                if unsuccessful in adding the members to the corresponding
 *                admin group. As a result of which the memberOf and
 *                adminRole attributes are also not updated.
 */
protected void verifyAndLinkGroupToRole(SSOToken token, Guid[] membersGuid, String groupDN) throws AMException {
    // Obtain the role corresponding to groupDN
    DN dn = DN.valueOf(groupDN);
    String roleName = getRoleFromGroupDN(dn);
    if (roleName != null) {
        // roleDN corresponds to an admin role
        String orgDN = dn.parent().parent().toString();
        String roleDN = NamingAttributeManager.getNamingAttribute(AMObject.ROLE) + "=" + roleName + "," + orgDN;
        if (debug.messageEnabled()) {
            debug.message("Compliance.verifyAndLinkGroupToRole" + " Linking group: " + groupDN + " to role :" + roleDN);
        }
        try {
            // Add the members to corresponding group.
            ManagedRole role = (ManagedRole) UMSObject.getObject(token, new Guid(roleDN));
            role.addMembers(membersGuid);
        } catch (EntryNotFoundException ex) {
            debug.error("Compliance.verifyAndLinkGroupToRole: Admin " + "groups are missing");
        } catch (UMSException ue) {
            debug.error("Compliance.verifyAndLinkGroupToRole():", ue);
            Object[] args = { roleDN };
            throw new AMException(AMSDKBundle.getString("972", args), "771", args);
        }
    }
}
Also used : UMSException(com.iplanet.ums.UMSException) EntryNotFoundException(com.iplanet.ums.EntryNotFoundException) AMException(com.iplanet.am.sdk.AMException) DN(org.forgerock.opendj.ldap.DN) Guid(com.iplanet.ums.Guid) ManagedRole(com.iplanet.ums.ManagedRole)

Example 3 with ManagedRole

Use of com.iplanet.ums.ManagedRole in project OpenAM by OpenRock.

From the class ComplianceServicesImpl, method verifyAndUnLinkGroupToRole.

/**
 * Method which verifies if the groupDN corresponds to an admin role. If
 * true then the <code>members</code> are removed from the admin role.
 *
 * @param token Single Sign On Token.
 * @param members Set of member DNs to be operated on.
 * @param groupDN Distinguished Name of the group.
 * @throws AMException if unsuccessful in removing the members from the
 *         corresponding admin groups and updating the <code>memberOf</code>
 *         and <code>adminRole</code> attribute values to null.
 */
protected void verifyAndUnLinkGroupToRole(SSOToken token, Set members, String groupDN) throws AMException {
    // Obtain the group corresponding to roleDN
    DN dn = DN.valueOf(groupDN);
    String roleName = getRoleFromGroupDN(dn);
    if (roleName != null) {
        String orgDN = dn.parent().parent().toString();
        String roleDN = NamingAttributeManager.getNamingAttribute(AMObject.ROLE) + "=" + roleName + "," + orgDN;
        if (debug.messageEnabled()) {
            debug.message("Compliance.verifyAndUnlinkGroupToRole(): " + "Unlinking group: " + groupDN + " to role :" + roleDN);
        }
        // Remove the members from the admin role
        Iterator itr = members.iterator();
        try {
            ManagedRole role = (ManagedRole) UMSObject.getObject(token, new Guid(roleDN));
            while (itr.hasNext()) {
                String memberDN = (String) itr.next();
                role.removeMember(new Guid(memberDN));
            }
        } catch (EntryNotFoundException ex) {
            debug.error("Compliance.verifyAndUnLinkGroupToRole: Admin " + "groups are missing");
        } catch (UMSException ue) {
            debug.error("Compliance.verifyAndUnLinkGroupToRole(): ", ue);
            Object[] args = { roleDN };
            throw new AMException(AMSDKBundle.getString("972", args), "772", args);
        }
    }
}
Also used : UMSException(com.iplanet.ums.UMSException) Iterator(java.util.Iterator) EntryNotFoundException(com.iplanet.ums.EntryNotFoundException) AMException(com.iplanet.am.sdk.AMException) DN(org.forgerock.opendj.ldap.DN) Guid(com.iplanet.ums.Guid) ManagedRole(com.iplanet.ums.ManagedRole)

Example 4 with ManagedRole

Use of com.iplanet.ums.ManagedRole in project OpenAM by OpenRock.

From the class DirectoryServicesImpl, method modifyRoleMembership.

/**
 * Add members to, or remove members from, a managed role, running any
 * pre/post membership plugins registered for the owning organization.
 *
 * @param token SSOToken of the caller
 * @param target DN of the role whose membership is modified
 * @param members Set of member DNs to add or remove
 * @param operation ADD_MEMBER or REMOVE_MEMBER
 * @param profileType profile type passed through to the callback plugins
 * @throws UMSException
 * @throws AMException
 */
private void modifyRoleMembership(SSOToken token, String target, Set members, int operation, int profileType) throws UMSException, AMException {
    ManagedRole role;
    try {
        role = (ManagedRole) UMSObject.getObject(token, new Guid(target));
    } catch (ClassCastException e) {
        debug.message("DirectoryServicesImpl.modifyRoleMembership() - Unable to " + "modify role membership", e);
        throw new AMException(token, "350");
    }
    // Since this target cannot be an Org. Get the parent
    String parentDN = role.getParentGuid().getDn();
    String orgDN = getOrganizationDN(token, parentDN);
    if (callBackHelper.isExistsPrePostPlugins(orgDN)) {
        members = callBackHelper.preProcessModifyMemberShip(token, target, orgDN, members, operation, profileType);
        if (members == null || members.isEmpty()) {
            return;
        }
    }
    switch(operation) {
        case ADD_MEMBER:
            Guid[] membersGuid = CommonUtils.toGuidArray(members);
            role.addMembers(membersGuid);
            // compliance related operations if needed.
            if (ComplianceServicesImpl.isAdminGroupsEnabled(parentDN)) {
                complianceImpl.verifyAndLinkRoleToGroup(token, membersGuid, target);
            }
            break;
        case REMOVE_MEMBER:
            // UMS does not have Role.removeMembers : TBD
            Object[] entries = members.toArray();
            for (int i = 0; i < entries.length; i++) {
                role.removeMember(new Guid((String) entries[i]));
            }
            // compliance related operations if needed.
            if (ComplianceServicesImpl.isAdminGroupsEnabled(parentDN)) {
                complianceImpl.verifyAndUnLinkRoleToGroup(token, members, target);
            }
            break;
        default:
            throw new AMException(token, "114");
    }
    // role membership.
    if (callBackHelper.isExistsPrePostPlugins(orgDN)) {
        // Here the new members are just the ones added not the complete Set
        callBackHelper.postProcessModifyMemberShip(token, target, orgDN, members, operation, profileType);
    }
}
Also used : AMException(com.iplanet.am.sdk.AMException) AMObject(com.iplanet.am.sdk.AMObject) UMSObject(com.iplanet.ums.UMSObject) PersistentObject(com.iplanet.ums.PersistentObject) Guid(com.iplanet.ums.Guid) ManagedRole(com.iplanet.ums.ManagedRole)

Example 5 with ManagedRole

Use of com.iplanet.ums.ManagedRole in project OpenAM by OpenRock.

From the class DirectoryServicesImpl, method removeAdminRole.

/**
 * Remove group admin role
 *
 * @param token
 *            SSOToken of the caller
 * @param dn
 *            group DN
 * @param recursive
 *            true to delete all admin roles for all sub groups or sub
 *            people container
 */
public void removeAdminRole(SSOToken token, String dn, boolean recursive) throws SSOException, AMException {
    SSOTokenManager.getInstance().validateToken(token);
    if (debug.messageEnabled()) {
        debug.message("DirectoryServicesImpl.removeAdminRole() dn: " + dn + " recursive: " + recursive);
    }
    // first find out the admin role dn for the group
    DN ldapDN = DN.valueOf(dn);
    String orgDN = getOrganizationDN(token, ldapDN.parent().toString());
    String newdn = dn.replace(',', '_');
    String roleNameAttr = getNamingAttribute(AMObject.ROLE);
    String roleDN = new StringBuilder().append(roleNameAttr).append("=").append(newdn).append(",").append(orgDN).toString();
    Set adminRoles = Collections.EMPTY_SET;
    if (recursive) {
        // One-level search under the org for every admin role whose name ends
        // with the flattened group DN. newdn is concatenated into the filter
        // as-is, without LDAP filter escaping.
        String roleSearchFilter = SearchFilterManager.getSearchFilter(AMObject.ROLE, orgDN);
        StringBuilder sb = new StringBuilder();
        sb.append("(&").append(roleSearchFilter).append("(");
        sb.append(roleNameAttr).append("=*").append(newdn).append("))");
        adminRoles = search(token, orgDN, sb.toString(), SearchControl.SCOPE_ONE);
    } else {
        adminRoles = new HashSet();
        adminRoles.add(roleDN);
    }
    Iterator iter = adminRoles.iterator();
    while (iter.hasNext()) {
        String adminRoleDN = (String) iter.next();
        // remove all members from the role
        try {
            ManagedRole roleObj = (ManagedRole) UMSObject.getObject(token, new Guid(adminRoleDN));
            roleObj.removeAllMembers();
            // removeEntry(token, adminRoleDN, AMObject.ROLE, false, false);
            AMStoreConnection amsc = new AMStoreConnection(internalToken);
            AMRole role = amsc.getRole(adminRoleDN);
            role.delete(recursive);
        } catch (Exception e) {
            // Any failure here (missing role, access rights, LDAP error) is
            // only logged at message level; the caller is not told that the
            // admin role or its members were left in place.
            if (debug.messageEnabled()) {
                debug.message("DirectoryServicesImpl.removeAdminRole() " + "Unable to remove admin roles:", e);
            }
        }
    }
}
Also used : Set(java.util.Set) OrderedSet(com.sun.identity.shared.datastruct.OrderedSet) TreeSet(java.util.TreeSet) HashSet(java.util.HashSet) AttrSet(com.iplanet.services.ldap.AttrSet) AMStoreConnection(com.iplanet.am.sdk.AMStoreConnection) Iterator(java.util.Iterator) RDN(org.forgerock.opendj.ldap.RDN) DN(org.forgerock.opendj.ldap.DN) Guid(com.iplanet.ums.Guid) AMRole(com.iplanet.am.sdk.AMRole) EntryAlreadyExistsException(com.iplanet.ums.EntryAlreadyExistsException) UMSException(com.iplanet.ums.UMSException) AMEventManagerException(com.iplanet.am.sdk.AMEventManagerException) AMEntryExistsException(com.iplanet.am.sdk.AMEntryExistsException) SizeLimitExceededException(com.iplanet.ums.SizeLimitExceededException) AMInvalidDNException(com.iplanet.am.sdk.AMInvalidDNException) TimeLimitExceededException(com.iplanet.ums.TimeLimitExceededException) SSOException(com.iplanet.sso.SSOException) AccessRightsException(com.iplanet.ums.AccessRightsException) LdapException(org.forgerock.opendj.ldap.LdapException) InvalidSearchFilterException(com.iplanet.ums.InvalidSearchFilterException) SMSException(com.sun.identity.sm.SMSException) AMException(com.iplanet.am.sdk.AMException) AMPreCallBackException(com.iplanet.am.sdk.AMPreCallBackException) EntryNotFoundException(com.iplanet.ums.EntryNotFoundException) COSNotFoundException(com.iplanet.ums.cos.COSNotFoundException) HashSet(java.util.HashSet) ManagedRole(com.iplanet.ums.ManagedRole)
