use of com.novell.ldapchai.exception.ChaiException in project pwm by pwm-project.
the class LDAPAuthenticationRequest method testCredentials.
/**
 * Verifies a user's credentials by performing an LDAP BIND as that user.
 *
 * <p>A provider is created with the user's DN and password and an objectClass read is issued to
 * force the bind. On success the provider is retained in {@code userProvider}; on any failure it
 * is closed and {@code userProvider} is cleared. A missing DN and a missing password are both
 * reported as {@link PwmError#ERROR_WRONGPASSWORD}, so the caller sees the same error as for a
 * bad password.
 *
 * @param userIdentity identity whose DN is used for the bind; must carry a non-empty DN
 * @param password     password to bind with
 * @throws PwmOperationalException   when the DN or password is absent, or the bind fails for any
 *                                   reason other than an intruder lockout
 * @throws PwmUnrecoverableException when the directory reports an intruder lockout for the user
 * @throws ChaiUnavailableException  as declared on the signature
 */
private void testCredentials(final UserIdentity userIdentity, final PasswordData password)
        throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    log(PwmLogLevel.TRACE, "beginning testCredentials process");

    final boolean dnMissing = userIdentity == null
            || userIdentity.getUserDN() == null
            || userIdentity.getUserDN().length() < 1;
    if (dnMissing) {
        rejectAsWrongPassword("attempt to authenticate with null userDN");
    }
    if (password == null) {
        rejectAsWrongPassword("attempt to authenticate with null password");
    }

    // try authenticating the user using a normal ldap BIND operation.
    log(PwmLogLevel.TRACE, "attempting authentication using ldap BIND");
    final String userDN = userIdentity.getUserDN();
    boolean bound = false;
    try {
        // a provider built from the user's own DN and password binds as that user.
        userProvider = LdapOperationsHelper.createChaiProvider(
                pwmApplication,
                sessionLabel,
                userIdentity.getLdapProfile(pwmApplication.getConfig()),
                pwmApplication.getConfig(),
                userDN,
                password);
        // the read forces the bind to actually take place.
        userProvider.readStringAttribute(userDN, ChaiConstant.ATTR_LDAP_OBJECTCLASS);
        bound = true;
    } catch (ChaiException e) {
        throw translateBindFailure(userIdentity, e);
    } finally {
        // never keep a provider around whose bind did not succeed.
        if (!bound && userProvider != null) {
            try {
                userProvider.close();
                userProvider = null;
            } catch (Throwable e) {
                log(PwmLogLevel.ERROR, "unexpected error closing invalid ldap connection after failed login attempt: " + e.getMessage());
            }
        }
    }
}

/**
 * Logs {@code errorMsg} at DEBUG and throws it as a {@link PwmError#ERROR_WRONGPASSWORD}.
 *
 * @param errorMsg message to log and carry in the exception
 * @throws PwmOperationalException always
 */
private void rejectAsWrongPassword(final String errorMsg) throws PwmOperationalException {
    log(PwmLogLevel.DEBUG, errorMsg);
    throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
}

/**
 * Maps a failed bind to the exception the caller should see.
 *
 * <p>An intruder lockout is escalated to {@link PwmUnrecoverableException}; every other directory
 * error becomes a {@link PwmOperationalException} whose code is the mapped {@link PwmError} when
 * one is known, or {@link PwmError#ERROR_WRONGPASSWORD} otherwise. The chosen error is logged
 * before being returned or thrown.
 *
 * @param userIdentity user whose bind failed; named in the lockout message
 * @param e            the directory exception raised during the bind
 * @return the operational exception to throw for a non-lockout failure
 * @throws PwmUnrecoverableException if the failure was an intruder lockout
 */
private PwmOperationalException translateBindFailure(final UserIdentity userIdentity, final ChaiException e)
        throws PwmUnrecoverableException {
    final ChaiError chaiError = e.getErrorCode();
    if (chaiError != null && chaiError == ChaiError.INTRUDER_LOCKOUT) {
        final String errorMsg = "intruder lockout detected for user " + userIdentity + " marking session as locked out: " + e.getMessage();
        final ErrorInformation lockout = new ErrorInformation(PwmError.ERROR_INTRUDER_LDAP, errorMsg);
        log(PwmLogLevel.WARN, lockout.toDebugStr());
        throw new PwmUnrecoverableException(lockout);
    }
    final PwmError pwmError = PwmError.forChaiError(chaiError);
    final boolean mapped = pwmError != null && PwmError.ERROR_UNKNOWN != pwmError;
    final ErrorInformation errorInformation = mapped
            ? new ErrorInformation(pwmError, e.getMessage())
            : new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, "ldap error during password check: " + e.getMessage());
    log(PwmLogLevel.DEBUG, errorInformation.toDebugStr());
    return new PwmOperationalException(errorInformation);
}
use of com.novell.ldapchai.exception.ChaiException in project pwm by pwm-project.
the class LdapPermissionTester method testGroupMatch.
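/**
 * Tests whether {@code userIdentity} is a member of the group {@code groupDN}.
 *
 * <p>The check is a BASE-scope search on the user's own entry with a filter of the form
 * {@code (<groupAttribute>=<groupDN>)}; the user matches when the search returns exactly that
 * entry. {@code groupDN} is escaped per RFC 4515 before being placed in the filter, so filter
 * metacharacters in the DN ({@code \ * ( )} and NUL) are matched literally instead of being
 * interpreted as filter syntax.
 *
 * @param pwmApplication application context used to read the LDAP profile and obtain a proxied user
 * @param pwmSession     session label used for logging
 * @param userIdentity   user to test; {@code null} yields {@code false}
 * @param groupDN        DN of the group; {@code null} or empty skips the check and yields {@code false}
 * @return {@code true} only when the directory confirms the membership; an LDAP error during the
 *         search is logged at WARN and treated as no match
 * @throws PwmUnrecoverableException propagated from {@code pwmApplication}
 */
public static boolean testGroupMatch(final PwmApplication pwmApplication, final SessionLabel pwmSession, final UserIdentity userIdentity, final String groupDN) throws PwmUnrecoverableException {
    final Instant startTime = Instant.now();
    if (userIdentity == null) {
        return false;
    }
    LOGGER.trace(pwmSession, "begin check for ldapGroup match for " + userIdentity + " using queryMatch: " + groupDN);
    boolean result = false;
    if (groupDN == null || groupDN.isEmpty()) {
        LOGGER.trace(pwmSession, "missing groupDN value, skipping check");
    } else {
        final LdapProfile ldapProfile = userIdentity.getLdapProfile(pwmApplication.getConfig());
        final String groupAttribute = ldapProfile.readSettingAsString(PwmSetting.LDAP_USER_GROUP_ATTRIBUTE);
        // escape the DN so it is compared literally rather than parsed as filter syntax
        final String filterString = "(" + groupAttribute + "=" + escapeLdapFilterValue(groupDN) + ")";
        try {
            LOGGER.trace(pwmSession, "checking ldap to see if " + userIdentity + " matches group '" + groupDN + "' using filter '" + filterString + "'");
            final ChaiUser theUser = pwmApplication.getProxiedChaiUser(userIdentity);
            final String entryDN = theUser.getEntryDN();
            final Map<String, Map<String, String>> results = theUser.getChaiProvider().search(entryDN, filterString, Collections.<String>emptySet(), SearchScope.BASE);
            // a BASE search can only return the searched entry; one hit keyed by it means the filter matched
            result = results.size() == 1 && results.containsKey(entryDN);
        } catch (ChaiException e) {
            LOGGER.warn(pwmSession, "LDAP error during group for " + userIdentity + " using " + filterString + ", error:" + e.getMessage());
        }
    }
    final String logMsg = "user " + userIdentity.toDisplayString() + " is " + (result ? "" : "not ") + "a match for group '" + groupDN + "'" + " (" + TimeDuration.fromCurrent(startTime).asCompactString() + ")";
    LOGGER.debug(pwmSession, logMsg);
    return result;
}

/**
 * Escapes a value for use inside an LDAP search filter assertion (RFC 4515 section 3).
 *
 * <p>The characters {@code \ * ( )} and NUL are replaced by their {@code \XX} hex form; all
 * other characters are copied unchanged.
 *
 * @param value raw assertion value, e.g. a DN
 * @return the value with filter metacharacters escaped
 */
private static String escapeLdapFilterValue(final String value) {
    final StringBuilder escaped = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        final char c = value.charAt(i);
        switch (c) {
            case '\\':
                escaped.append("\\5c");
                break;
            case '*':
                escaped.append("\\2a");
                break;
            case '(':
                escaped.append("\\28");
                break;
            case ')':
                escaped.append("\\29");
                break;
            case '\u0000':
                escaped.append("\\00");
                break;
            default:
                escaped.append(c);
        }
    }
    return escaped.toString();
}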
use of com.novell.ldapchai.exception.ChaiException in project pwm by pwm-project.
the class PasswordUtility method isPasswordWithinMinimumLifetimeImpl.
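/**
 * Determines whether the password is still inside the policy's minimum lifetime, i.e. too young
 * to be changed again.
 *
 * <p>On Oracle DS the directory's own {@code passwordAllowChangeTime} attribute is consulted: if
 * it lies in the future a {@link PwmError#PASSWORD_TOO_SOON} error is thrown, otherwise the method
 * returns {@code false} without applying the policy rule (the same check also exists in
 * UserAuthenticator). A directory error while reading that attribute is logged and the policy
 * check below is used instead.
 *
 * <p>For other directories the policy rule {@code MinimumLifetime} (seconds) is compared against
 * the time since {@code lastModified}. The check is skipped (returns {@code false}) when the rule
 * is unset, the last-modified time is unknown or in the future, or the current password is
 * already expired, pre-expired or in its warning period.
 *
 * @param chaiUser       user whose directory vendor and attributes are consulted
 * @param sessionLabel   session label for log output
 * @param passwordPolicy policy supplying the {@code MinimumLifetime} rule
 * @param lastModified   time the password was last set, or {@code null} if unknown
 * @param passwordStatus current expiration status of the password
 * @return {@code true} if the password is younger than the minimum lifetime and the check applies
 * @throws PwmUnrecoverableException if Oracle DS reports a change-allowed time in the future
 */
public static boolean isPasswordWithinMinimumLifetimeImpl(final ChaiUser chaiUser, final SessionLabel sessionLabel, final PwmPasswordPolicy passwordPolicy, final Instant lastModified, final PasswordStatus passwordStatus) throws PwmUnrecoverableException {
    // for oracle DS; this check is also handled in UserAuthenticator.
    try {
        if (DirectoryVendor.ORACLE_DS == chaiUser.getChaiProvider().getDirectoryVendor()) {
            final String allowChangeTime = chaiUser.readStringAttribute("passwordAllowChangeTime");
            if (allowChangeTime != null && !allowChangeTime.isEmpty()) {
                final Instant allowedFrom = OracleDSEntries.convertZuluToDate(allowChangeTime);
                if (Instant.now().isBefore(allowedFrom)) {
                    LOGGER.debug("discovered oracleds allowed change time is set to: " + JavaHelper.toIsoDate(allowedFrom) + ", won't permit password change");
                    final String errorMsg = "change not permitted until " + JavaHelper.toIsoDate(allowedFrom);
                    final ErrorInformation errorInformation = new ErrorInformation(PwmError.PASSWORD_TOO_SOON, errorMsg);
                    throw new PwmUnrecoverableException(errorInformation);
                }
            }
            // the directory enforces its own rule, so the policy-based check is not applied
            return false;
        }
    } catch (ChaiException e) {
        // best effort: fall through to the policy-based check below
        LOGGER.debug(sessionLabel, "unexpected error reading OracleDS password allow modification time: " + e.getMessage());
    }

    final int minimumLifetimeSeconds = passwordPolicy.getRuleHelper().readIntValue(PwmPasswordRule.MinimumLifetime);
    if (minimumLifetimeSeconds < 1) {
        return false;
    }
    if (lastModified == null) {
        LOGGER.debug(sessionLabel, "skipping minimum lifetime check, password last set time is unknown");
        return false;
    }
    final TimeDuration minimumLifetime = new TimeDuration(minimumLifetimeSeconds, TimeUnit.SECONDS);
    final TimeDuration passwordAge = TimeDuration.fromCurrent(lastModified);
    LOGGER.trace(sessionLabel, "beginning check for minimum lifetime, lastModified=" + JavaHelper.toIsoDate(lastModified) + ", minimumLifetimeSeconds=" + minimumLifetime.asCompactString() + ", passwordAge=" + passwordAge.asCompactString());
    if (lastModified.isAfter(Instant.now())) {
        LOGGER.debug(sessionLabel, "skipping minimum lifetime check, password lastModified time is in the future");
        return false;
    }
    final boolean passwordTooSoon = passwordAge.isShorterThan(minimumLifetime);
    if (!passwordTooSoon) {
        // the original message stopped after "password age "; include the value it was meant to show
        LOGGER.trace(sessionLabel, "minimum lifetime check passed, password age " + passwordAge.asCompactString());
        return false;
    }
    if (passwordStatus.isExpired() || passwordStatus.isPreExpired() || passwordStatus.isWarnPeriod()) {
        LOGGER.debug(sessionLabel, "current password is too young, but skipping enforcement of minimum lifetime check because current password is expired");
        return false;
    }
    return true;
}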
use of com.novell.ldapchai.exception.ChaiException in project pwm by pwm-project.
the class DbCrOperator method writeResponses.
/**
 * Persists the user's challenge/response set in the remote database, keyed by the user's GUID.
 *
 * <p>The response set is built from {@code responseInfoBean} via {@code ChaiCrFactory} using the
 * user's provider configuration and written to {@code DatabaseTable.PWM_RESPONSES} as a string.
 *
 * @param userIdentity     identity of the user (not used by the visible body)
 * @param theUser          user whose entry DN appears in log and error messages and whose
 *                         provider configuration is used to build the response set
 * @param userGUID         database key; must be non-empty
 * @param responseInfoBean responses, helpdesk responses, locale, minimum randoms and CS identifier
 * @throws PwmUnrecoverableException if {@code userGUID} is missing ({@code ERROR_MISSING_GUID}),
 *         if building the response set fails (mapped from the {@code ChaiException}), or if the
 *         database write fails ({@code ERROR_WRITING_RESPONSES}, with the database exception as cause)
 */
@Override
public void writeResponses(final UserIdentity userIdentity, final ChaiUser theUser, final String userGUID, final ResponseInfoBean responseInfoBean) throws PwmUnrecoverableException {
    final String entryDN = theUser.getEntryDN();
    if (userGUID == null || userGUID.isEmpty()) {
        final ErrorInformation missingGuid = new ErrorInformation(PwmError.ERROR_MISSING_GUID, "cannot save responses to remote database, user " + entryDN + " does not have a guid");
        throw new PwmUnrecoverableException(missingGuid);
    }
    LOGGER.trace("attempting to save responses for " + entryDN + " in remote database (key=" + userGUID + ")");
    try {
        final ChaiResponseSet responseSet = ChaiCrFactory.newChaiResponseSet(
                responseInfoBean.getCrMap(),
                responseInfoBean.getHelpdeskCrMap(),
                responseInfoBean.getLocale(),
                responseInfoBean.getMinRandoms(),
                theUser.getChaiProvider().getChaiConfiguration(),
                responseInfoBean.getCsIdentifier());
        pwmApplication.getDatabaseService().getAccessor()
                .put(DatabaseTable.PWM_RESPONSES, userGUID, responseSet.stringValue());
        LOGGER.info("saved responses for " + entryDN + " in remote database (key=" + userGUID + ")");
    } catch (ChaiException e) {
        throw PwmUnrecoverableException.fromChaiException(e);
    } catch (DatabaseException e) {
        final ErrorInformation writeFailure = new ErrorInformation(PwmError.ERROR_WRITING_RESPONSES, "unexpected error saving responses for " + entryDN + " in remote database: " + e.getMessage());
        LOGGER.error(writeFailure.toDebugStr());
        final PwmUnrecoverableException wrapped = new PwmUnrecoverableException(writeFailure);
        // retain the database exception as the cause for diagnostics
        wrapped.initCause(e);
        throw wrapped;
    }
}
use of com.novell.ldapchai.exception.ChaiException in project pwm by pwm-project.
the class NMASCrOperator method readResponseInfo.
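/**
 * Reads the NMAS challenge/response information for the user.
 *
 * <p>Only eDirectory is consulted; for any other directory vendor, or when no NMAS response set
 * is stored, {@code null} is returned. The returned bean is built without answers (see
 * {@link CrOperators#convertToNoAnswerInfoBean}) and its timestamp is cleared.
 *
 * @param theUser      user whose directory entry is read
 * @param userIdentity identity used only in log output
 * @param userGUID     not used by this implementation
 * @return response info without answers, or {@code null} if not eDirectory or nothing is stored
 * @throws PwmUnrecoverableException with {@link PwmError#ERROR_RESPONSES_NORESPONSES} wrapping any
 *         directory error; the original {@code ChaiException} is retained as the cause
 */
@Override
public ResponseInfoBean readResponseInfo(final ChaiUser theUser, final UserIdentity userIdentity, final String userGUID) throws PwmUnrecoverableException {
    try {
        if (theUser.getChaiProvider().getDirectoryVendor() != DirectoryVendor.EDIRECTORY) {
            LOGGER.debug("skipping request to read NMAS responses for " + userIdentity + ", directory type is not eDirectory");
            return null;
        }
        final ResponseSet responseSet = NmasCrFactory.readNmasResponseSet(theUser);
        if (responseSet == null) {
            return null;
        }
        final ResponseInfoBean responseInfoBean = CrOperators.convertToNoAnswerInfoBean(responseSet, DataStorageMethod.NMAS);
        responseInfoBean.setTimestamp(null);
        return responseInfoBean;
    } catch (ChaiException e) {
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RESPONSES_NORESPONSES, "unexpected error reading response info " + e.getMessage());
        final PwmUnrecoverableException wrapped = new PwmUnrecoverableException(errorInformation);
        // keep the directory exception as the cause so its stack trace is not lost
        wrapped.initCause(e);
        throw wrapped;
    }
}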