
Example 6 with ChaiException

Use of com.novell.ldapchai.exception.ChaiException in project pwm by pwm-project.

The class LDAPAuthenticationRequest, method testCredentials.

private void testCredentials(final UserIdentity userIdentity, final PasswordData password) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    log(PwmLogLevel.TRACE, "beginning testCredentials process");
    if (userIdentity == null || userIdentity.getUserDN() == null || userIdentity.getUserDN().length() < 1) {
        final String errorMsg = "attempt to authenticate with null userDN";
        log(PwmLogLevel.DEBUG, errorMsg);
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
    }
    if (password == null) {
        final String errorMsg = "attempt to authenticate with null password";
        log(PwmLogLevel.DEBUG, errorMsg);
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
    }
    // try authenticating the user using a normal ldap BIND operation.
    log(PwmLogLevel.TRACE, "attempting authentication using ldap BIND");
    boolean bindSucceeded = false;
    try {
        // read a provider using the user's DN and password.
        userProvider = LdapOperationsHelper.createChaiProvider(pwmApplication, sessionLabel, userIdentity.getLdapProfile(pwmApplication.getConfig()), pwmApplication.getConfig(), userIdentity.getUserDN(), password);
        // issue a read operation to trigger a bind.
        userProvider.readStringAttribute(userIdentity.getUserDN(), ChaiConstant.ATTR_LDAP_OBJECTCLASS);
        bindSucceeded = true;
    } catch (ChaiException e) {
        // an intruder lockout reported by the directory is treated as unrecoverable: the session is marked locked out rather than retried.
        if (e.getErrorCode() != null && e.getErrorCode() == ChaiError.INTRUDER_LOCKOUT) {
            final String errorMsg = "intruder lockout detected for user " + userIdentity + " marking session as locked out: " + e.getMessage();
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_INTRUDER_LDAP, errorMsg);
            log(PwmLogLevel.WARN, errorInformation.toDebugStr());
            throw new PwmUnrecoverableException(errorInformation);
        }
        // map a known chai error code to its pwm error; anything unknown is reported as a plain wrong-password failure.
        final PwmError pwmError = PwmError.forChaiError(e.getErrorCode());
        final ErrorInformation errorInformation;
        if (pwmError != null && PwmError.ERROR_UNKNOWN != pwmError) {
            errorInformation = new ErrorInformation(pwmError, e.getMessage());
        } else {
            errorInformation = new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, "ldap error during password check: " + e.getMessage());
        }
        log(PwmLogLevel.DEBUG, errorInformation.toDebugStr());
        throw new PwmOperationalException(errorInformation);
    } finally {
        // never keep a provider whose bind did not succeed.
        if (!bindSucceeded && userProvider != null) {
            try {
                userProvider.close();
                userProvider = null;
            } catch (Throwable e) {
                log(PwmLogLevel.ERROR, "unexpected error closing invalid ldap connection after failed login attempt: " + e.getMessage());
            }
        }
    }
}

Example 7 with ChaiException

Use of com.novell.ldapchai.exception.ChaiException in project pwm by pwm-project.

The class LdapPermissionTester, method testGroupMatch.

public static boolean testGroupMatch(final PwmApplication pwmApplication, final SessionLabel pwmSession, final UserIdentity userIdentity, final String groupDN) throws PwmUnrecoverableException {
    final Instant startTime = Instant.now();
    if (userIdentity == null) {
        return false;
    }
    LOGGER.trace(pwmSession, "begin check for ldapGroup match for " + userIdentity + " using queryMatch: " + groupDN);
    boolean result = false;
    if (groupDN == null || groupDN.length() < 1) {
        LOGGER.trace(pwmSession, "missing groupDN value, skipping check");
    } else {
        final LdapProfile ldapProfile = userIdentity.getLdapProfile(pwmApplication.getConfig());
        // filter matches when the user's configured group-membership attribute contains the given group DN.
        final String filterString = "(" + ldapProfile.readSettingAsString(PwmSetting.LDAP_USER_GROUP_ATTRIBUTE) + "=" + groupDN + ")";
        try {
            LOGGER.trace(pwmSession, "checking ldap to see if " + userIdentity + " matches group '" + groupDN + "' using filter '" + filterString + "'");
            final ChaiUser theUser = pwmApplication.getProxiedChaiUser(userIdentity);
            // base-scope search against the user's own entry: exactly one hit on that DN means the attribute matched.
            final Map<String, Map<String, String>> results = theUser.getChaiProvider().search(theUser.getEntryDN(), filterString, Collections.<String>emptySet(), SearchScope.BASE);
            if (results.size() == 1 && results.keySet().contains(theUser.getEntryDN())) {
                result = true;
            }
        } catch (ChaiException e) {
            LOGGER.warn(pwmSession, "LDAP error during group check for " + userIdentity + " using " + filterString + ", error: " + e.getMessage());
        }
    }
    final String logMsg = "user " + userIdentity.toDisplayString() + " is " + (result ? "" : "not ") + "a match for group '" + groupDN + "'" + " (" + TimeDuration.fromCurrent(startTime).asCompactString() + ")";
    LOGGER.debug(pwmSession, logMsg);
    return result;
}

Example 8 with ChaiException

Use of com.novell.ldapchai.exception.ChaiException in project pwm by pwm-project.

The class PasswordUtility, method isPasswordWithinMinimumLifetimeImpl.

public static boolean isPasswordWithinMinimumLifetimeImpl(final ChaiUser chaiUser, final SessionLabel sessionLabel, final PwmPasswordPolicy passwordPolicy, final Instant lastModified, final PasswordStatus passwordStatus) throws PwmUnrecoverableException {
    // for oracle DS; this check is also handled in UserAuthenticator.
    try {
        if (DirectoryVendor.ORACLE_DS == chaiUser.getChaiProvider().getDirectoryVendor()) {
            final String oracleDSPrePasswordAllowChangeTime = chaiUser.readStringAttribute("passwordAllowChangeTime");
            if (oracleDSPrePasswordAllowChangeTime != null && !oracleDSPrePasswordAllowChangeTime.isEmpty()) {
                final Instant date = OracleDSEntries.convertZuluToDate(oracleDSPrePasswordAllowChangeTime);
                if (Instant.now().isBefore(date)) {
                    LOGGER.debug("discovered oracleds allowed change time is set to: " + JavaHelper.toIsoDate(date) + ", won't permit password change");
                    final String errorMsg = "change not permitted until " + JavaHelper.toIsoDate(date);
                    final ErrorInformation errorInformation = new ErrorInformation(PwmError.PASSWORD_TOO_SOON, errorMsg);
                    throw new PwmUnrecoverableException(errorInformation);
                }
            }
            return false;
        }
    } catch (ChaiException e) {
        LOGGER.debug(sessionLabel, "unexpected error reading OracleDS password allow modification time: " + e.getMessage());
    }
    final TimeDuration minimumLifetime;
    {
        final int minimumLifetimeSeconds = passwordPolicy.getRuleHelper().readIntValue(PwmPasswordRule.MinimumLifetime);
        if (minimumLifetimeSeconds < 1) {
            return false;
        }
        if (lastModified == null) {
            LOGGER.debug(sessionLabel, "skipping minimum lifetime check, password last set time is unknown");
            return false;
        }
        minimumLifetime = new TimeDuration(minimumLifetimeSeconds, TimeUnit.SECONDS);
    }
    final TimeDuration passwordAge = TimeDuration.fromCurrent(lastModified);
    LOGGER.trace(sessionLabel, "beginning check for minimum lifetime, lastModified=" + JavaHelper.toIsoDate(lastModified) + ", minimumLifetimeSeconds=" + minimumLifetime.asCompactString() + ", passwordAge=" + passwordAge.asCompactString());
    // a lastModified in the future (clock skew) would give a meaningless age; skip the check instead of blocking the change.
    if (lastModified.isAfter(Instant.now())) {
        LOGGER.debug(sessionLabel, "skipping minimum lifetime check, password lastModified time is in the future");
        return false;
    }
    final boolean passwordTooSoon = passwordAge.isShorterThan(minimumLifetime);
    if (!passwordTooSoon) {
        LOGGER.trace(sessionLabel, "minimum lifetime check passed, password age " + passwordAge.asCompactString());
        return false;
    }
    if (passwordStatus.isExpired() || passwordStatus.isPreExpired() || passwordStatus.isWarnPeriod()) {
        LOGGER.debug(sessionLabel, "current password is too young, but skipping enforcement of minimum lifetime check because current password is expired");
        return false;
    }
    return true;
}

Example 9 with ChaiException

Use of com.novell.ldapchai.exception.ChaiException in project pwm by pwm-project.

The class DbCrOperator, method writeResponses.

@Override
public void writeResponses(final UserIdentity userIdentity, final ChaiUser theUser, final String userGUID, final ResponseInfoBean responseInfoBean) throws PwmUnrecoverableException {
    if (userGUID == null || userGUID.length() < 1) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_MISSING_GUID, "cannot save responses to remote database, user " + theUser.getEntryDN() + " does not have a guid"));
    }
    LOGGER.trace("attempting to save responses for " + theUser.getEntryDN() + " in remote database (key=" + userGUID + ")");
    try {
        final ChaiResponseSet responseSet = ChaiCrFactory.newChaiResponseSet(responseInfoBean.getCrMap(), responseInfoBean.getHelpdeskCrMap(), responseInfoBean.getLocale(), responseInfoBean.getMinRandoms(), theUser.getChaiProvider().getChaiConfiguration(), responseInfoBean.getCsIdentifier());
        final DatabaseAccessor databaseAccessor = pwmApplication.getDatabaseService().getAccessor();
        databaseAccessor.put(DatabaseTable.PWM_RESPONSES, userGUID, responseSet.stringValue());
        LOGGER.info("saved responses for " + theUser.getEntryDN() + " in remote database (key=" + userGUID + ")");
    } catch (ChaiException e) {
        throw PwmUnrecoverableException.fromChaiException(e);
    } catch (DatabaseException e) {
        final ErrorInformation errorInfo = new ErrorInformation(PwmError.ERROR_WRITING_RESPONSES, "unexpected error saving responses for " + theUser.getEntryDN() + " in remote database: " + e.getMessage());
        final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(errorInfo);
        LOGGER.error(errorInfo.toDebugStr());
        pwmOE.initCause(e);
        throw pwmOE;
    }
}

Example 10 with ChaiException

Use of com.novell.ldapchai.exception.ChaiException in project pwm by pwm-project.

The class NMASCrOperator, method readResponseInfo.

@Override
public ResponseInfoBean readResponseInfo(final ChaiUser theUser, final UserIdentity userIdentity, final String userGUID) throws PwmUnrecoverableException {
    try {
        if (theUser.getChaiProvider().getDirectoryVendor() != DirectoryVendor.EDIRECTORY) {
            LOGGER.debug("skipping request to read NMAS responses for " + userIdentity + ", directory type is not eDirectory");
            return null;
        }
        final ResponseSet responseSet = NmasCrFactory.readNmasResponseSet(theUser);
        if (responseSet == null) {
            return null;
        }
        final ResponseInfoBean responseInfoBean = CrOperators.convertToNoAnswerInfoBean(responseSet, DataStorageMethod.NMAS);
        responseInfoBean.setTimestamp(null);
        return responseInfoBean;
    } catch (ChaiException e) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_RESPONSES_NORESPONSES, "unexpected error reading response info " + e.getMessage()));
    }
}