Search in sources :

Example 11 with ChaiProvider

use of com.novell.ldapchai.provider.ChaiProvider in project pwm by pwm-project.

the class LDAPAuthenticationRequest method authenticateUserImpl.

private AuthenticationResult authenticateUserImpl(final PasswordData password) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    if (startTime == null) {
        startTime = new Date();
    }
    log(PwmLogLevel.DEBUG, "preparing to authenticate user using authenticationType=" + this.requestedAuthType + " using strategy " + this.strategy);
    final StatisticsManager statisticsManager = pwmApplication.getStatisticsManager();
    final IntruderManager intruderManager = pwmApplication.getIntruderManager();
    intruderManager.convenience().checkUserIdentity(userIdentity);
    intruderManager.check(RecordType.ADDRESS, sessionLabel.getSrcAddress());
    // verify user is not account disabled
    AuthenticationUtility.checkIfUserEligibleToAuthentication(pwmApplication, userIdentity);
    boolean allowBindAsUser = true;
    if (strategy == AuthenticationStrategy.ADMIN_PROXY) {
        allowBindAsUser = false;
    }
    if (allowBindAsUser) {
        try {
            testCredentials(userIdentity, password);
        } catch (PwmOperationalException e) {
            boolean permitAuthDespiteError = false;
            final DirectoryVendor vendor = pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID()).getDirectoryVendor();
            if (PwmError.PASSWORD_NEW_PASSWORD_REQUIRED == e.getError()) {
                if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'must change password on next login AD error', error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                } else if (vendor == DirectoryVendor.ORACLE_DS) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.ORACLE_DS_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'pwdReset' user attribute, error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                }
            } else if (PwmError.PASSWORD_EXPIRED == e.getError()) {
                // handle ad case where password is expired
                if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        if (!pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_EXPIRED)) {
                            throw e;
                        }
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'password expired AD error', error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                }
            }
            if (!permitAuthDespiteError) {
                // auth failed, presumably due to wrong password.
                statisticsManager.incrementValue(Statistic.AUTHENTICATION_FAILURES);
                throw e;
            }
        }
    }
    statisticsManager.incrementValue(Statistic.AUTHENTICATIONS);
    statisticsManager.updateEps(EpsStatistic.AUTHENTICATION, 1);
    statisticsManager.updateAverageValue(Statistic.AVG_AUTHENTICATION_TIME, TimeDuration.fromCurrent(startTime).getTotalMilliseconds());
    final AuthenticationType returnAuthType;
    if (!allowBindAsUser) {
        returnAuthType = AuthenticationType.AUTH_BIND_INHIBIT;
    } else {
        if (requestedAuthType == null) {
            returnAuthType = AuthenticationType.AUTHENTICATED;
        } else {
            if (requestedAuthType == AuthenticationType.AUTH_WITHOUT_PASSWORD) {
                returnAuthType = AuthenticationType.AUTHENTICATED;
            } else if (requestedAuthType == AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
                returnAuthType = AuthenticationType.AUTH_FROM_PUBLIC_MODULE;
            } else {
                returnAuthType = requestedAuthType;
            }
        }
    }
    final boolean useProxy = determineIfLdapProxyNeeded(returnAuthType, password);
    final ChaiProvider returnProvider = useProxy ? makeProxyProvider() : userProvider;
    final AuthenticationResult authenticationResult = new AuthenticationResult(returnProvider, returnAuthType, password);
    final StringBuilder debugMsg = new StringBuilder();
    debugMsg.append("successful ldap authentication for ").append(userIdentity);
    debugMsg.append(" (").append(TimeDuration.fromCurrent(startTime).asCompactString()).append(")");
    debugMsg.append(" type: ").append(returnAuthType).append(", using strategy ").append(strategy);
    debugMsg.append(", using proxy connection: ").append(useProxy);
    debugMsg.append(", returning bind dn: ").append(returnProvider == null ? "none" : returnProvider.getChaiConfiguration().getSetting(ChaiSetting.BIND_DN));
    log(PwmLogLevel.INFO, debugMsg);
    final MacroMachine macroMachine = MacroMachine.forUser(pwmApplication, PwmConstants.DEFAULT_LOCALE, sessionLabel, userIdentity);
    final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication, macroMachine).createUserAuditRecord(AuditEvent.AUTHENTICATE, this.userIdentity, makeAuditLogMessage(returnAuthType), sessionLabel.getSrcAddress(), sessionLabel.getSrcHostname());
    pwmApplication.getAuditManager().submit(auditRecord);
    pwmApplication.getSessionTrackService().addRecentLogin(userIdentity);
    return authenticationResult;
}
Also used : Date(java.util.Date) PwmOperationalException(password.pwm.error.PwmOperationalException) AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory) StatisticsManager(password.pwm.svc.stats.StatisticsManager) ChaiProvider(com.novell.ldapchai.provider.ChaiProvider) MacroMachine(password.pwm.util.macro.MacroMachine) DirectoryVendor(com.novell.ldapchai.provider.DirectoryVendor) IntruderManager(password.pwm.svc.intruder.IntruderManager) AuditRecord(password.pwm.svc.event.AuditRecord)

Example 12 with ChaiProvider

use of com.novell.ldapchai.provider.ChaiProvider in project pwm by pwm-project.

the class LDAPAuthenticationRequest method setTempUserPassword.

private PasswordData setTempUserPassword() throws ChaiUnavailableException, ImpossiblePasswordPolicyException, PwmUnrecoverableException {
    final boolean configAlwaysUseProxy = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_USE_PROXY_FOR_FORGOTTEN);
    final ChaiProvider chaiProvider = pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID());
    final ChaiUser chaiUser = chaiProvider.getEntryFactory().newChaiUser(userIdentity.getUserDN());
    // try setting a random password on the account to authenticate.
    if (!configAlwaysUseProxy && requestedAuthType == AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
        log(PwmLogLevel.DEBUG, "attempting to set temporary random password");
        final PwmPasswordPolicy passwordPolicy = PasswordUtility.readPasswordPolicyForUser(pwmApplication, sessionLabel, userIdentity, chaiUser, PwmConstants.DEFAULT_LOCALE);
        // create random password for user
        final RandomPasswordGenerator.RandomGeneratorConfig randomGeneratorConfig = RandomPasswordGenerator.RandomGeneratorConfig.builder().seedlistPhrases(RandomPasswordGenerator.DEFAULT_SEED_PHRASES).passwordPolicy(passwordPolicy).build();
        final PasswordData currentPass = RandomPasswordGenerator.createRandomPassword(sessionLabel, randomGeneratorConfig, pwmApplication);
        try {
            final String oracleDSPrePasswordAllowChangeTime = oraclePreTemporaryPwHandler(chaiProvider, chaiUser);
            // write the random password for the user.
            chaiUser.setPassword(currentPass.getStringValue());
            oraclePostTemporaryPwHandler(chaiProvider, chaiUser, oracleDSPrePasswordAllowChangeTime);
            log(PwmLogLevel.INFO, "user " + userIdentity + " password has been set to random value to use for user authentication");
        } catch (ChaiOperationException e) {
            final String errorStr = "error setting random password for user " + userIdentity + " " + e.getMessage();
            log(PwmLogLevel.ERROR, errorStr);
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD, errorStr));
        }
        return currentPass;
    }
    return null;
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) ChaiProvider(com.novell.ldapchai.provider.ChaiProvider) ChaiUser(com.novell.ldapchai.ChaiUser) PasswordData(password.pwm.util.PasswordData) PwmPasswordPolicy(password.pwm.config.profile.PwmPasswordPolicy) RandomPasswordGenerator(password.pwm.util.RandomPasswordGenerator) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) ChaiOperationException(com.novell.ldapchai.exception.ChaiOperationException)

Example 13 with ChaiProvider

use of com.novell.ldapchai.provider.ChaiProvider in project pwm by pwm-project.

the class LdapBrowser method getChaiProvider.

private ChaiProvider getChaiProvider(final String profile) throws PwmUnrecoverableException {
    if (!providerCache.containsKey(profile)) {
        final Configuration configuration = new Configuration(storedConfiguration);
        final LdapProfile ldapProfile = LdapProfile.makeFromStoredConfiguration(storedConfiguration, profile);
        final ChaiProvider chaiProvider = LdapOperationsHelper.openProxyChaiProvider(chaiProviderFactory, null, ldapProfile, configuration, null);
        providerCache.put(profile, chaiProvider);
    }
    return providerCache.get(profile);
}
Also used : Configuration(password.pwm.config.Configuration) ChaiProvider(com.novell.ldapchai.provider.ChaiProvider) LdapProfile(password.pwm.config.profile.LdapProfile)

Example 14 with ChaiProvider

use of com.novell.ldapchai.provider.ChaiProvider in project pwm by pwm-project.

the class LdapBrowser method adRootDNList.

private Set<String> adRootDNList(final String profile) throws ChaiUnavailableException, ChaiOperationException, PwmUnrecoverableException {
    final ChaiProvider chaiProvider = getChaiProvider(profile);
    final Set<String> adRootValues = new HashSet<>();
    if (chaiProvider.getDirectoryVendor() == DirectoryVendor.ACTIVE_DIRECTORY) {
        final ChaiEntry chaiEntry = ChaiUtility.getRootDSE(chaiProvider);
        adRootValues.addAll(chaiEntry.readMultiStringAttribute("namingContexts"));
    }
    return adRootValues;
}
Also used : ChaiProvider(com.novell.ldapchai.provider.ChaiProvider) ChaiEntry(com.novell.ldapchai.ChaiEntry) HashSet(java.util.HashSet)

Example 15 with ChaiProvider

use of com.novell.ldapchai.provider.ChaiProvider in project pwm by pwm-project.

the class UserInfoFactory method newUserInfoUsingProxy.

public static UserInfo newUserInfoUsingProxy(final PwmApplication pwmApplication, final SessionLabel sessionLabel, final UserIdentity userIdentity, final Locale locale, final PasswordData currentPassword) throws PwmUnrecoverableException {
    final String userLdapProfile = userIdentity.getLdapProfileID();
    final ChaiProvider provider = pwmApplication.getProxyChaiProvider(userLdapProfile);
    return newUserInfo(pwmApplication, sessionLabel, locale, userIdentity, provider, currentPassword);
}
Also used : ChaiProvider(com.novell.ldapchai.provider.ChaiProvider)

Aggregations

ChaiProvider (com.novell.ldapchai.provider.ChaiProvider)51 ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)19 ChaiUser (com.novell.ldapchai.ChaiUser)18 PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)18 ChaiConfiguration (com.novell.ldapchai.provider.ChaiConfiguration)16 ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)15 ErrorInformation (password.pwm.error.ErrorInformation)15 ChaiEntry (com.novell.ldapchai.ChaiEntry)13 ChaiException (com.novell.ldapchai.exception.ChaiException)10 ArrayList (java.util.ArrayList)10 PwmOperationalException (password.pwm.error.PwmOperationalException)10 UserIdentity (password.pwm.bean.UserIdentity)9 LdapProfile (password.pwm.config.profile.LdapProfile)8 PasswordData (password.pwm.util.PasswordData)8 HashSet (java.util.HashSet)7 List (java.util.List)6 ChaiProviderFactory (com.novell.ldapchai.provider.ChaiProviderFactory)5 Instant (java.time.Instant)5 HashMap (java.util.HashMap)5 Map (java.util.Map)5