
Example 1 with StartTLSExtendedRequest

Use of com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest in the zm-mailbox project by Zimbra: class UBIDLdapContext, method ldapAuthenticate.

Imports used (the remaining types are Zimbra project classes):

import javax.net.ssl.SSLContext;

import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;

/**
 * Authenticate to an LDAP server.
 *
 * This method is called for:
 *   - external LDAP auth
 *   - auth to the Zimbra LDAP server when the stored password is not SSHA.
 *
 * @param config   LDAP server configuration: URLs, connection type and TLS settings
 * @param bindDN   DN to bind as
 * @param password password for the bind
 * @param usage    what this bind is for, recorded in the operation log
 * @throws ServiceException if StartTLS or the bind does not succeed
 */
private static void ldapAuthenticate(LdapServerConfig config, String bindDN, String password,
        LdapUsage usage) throws ServiceException {
    /*
     * About dereferencing aliases.
     *
     * The legacy JNDI implementation supports specifying the deref
     * alias policy during bind, via the "java.naming.ldap.derefAliases"
     * DirContext env property.
     *
     * UnboundID does not appear to have an obvious way to specify a
     * deref alias policy during bind.
     *
     * The LDAP protocol (http://tools.ietf.org/html/rfc4511) disallows
     * the LDAP server from dereferencing aliases during bind anyway;
     * section 4.2: "..., it SHALL NOT perform alias dereferencing."
     *
     * Therefore, we do *not* support dereferencing aliases during bind anymore.
     */
    boolean succeeded = false;
    LdapServerPool serverPool = new LdapServerPool(config);
    LDAPConnection connection = null;
    BindResult bindResult = null;
    long startTime = UBIDLdapOperation.GENERIC_OP.begin();
    try {
        if (InMemoryLdapServer.isOn()) {
            // in-memory server: no network connection is opened
            connection = InMemoryLdapServer.getConnection();
            password = InMemoryLdapServer.Password.treatPassword(password);
        } else {
            connection = serverPool.getServerSet().getConnection();
        }
        if (serverPool.getConnectionType() == LdapConnType.STARTTLS) {
            // Upgrade the plaintext connection before any credentials are sent.
            // Per its name, sslAllowUntrustedCerts() decides whether an untrusted
            // server certificate is accepted, i.e. whether the server is authenticated.
            SSLContext startTLSContext = LdapSSLUtil.createSSLContext(config.sslAllowUntrustedCerts());
            ExtendedResult extendedResult =
                connection.processExtendedOperation(new StartTLSExtendedRequest(startTLSContext));
            // Only proceed to the bind once the server has confirmed StartTLS;
            // otherwise the simple bind would carry the password in the clear.
            if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
                throw ServiceException.FAILURE("unable to send or receive startTLS extended operation", null);
            }
        }
        bindResult = connection.bind(bindDN, password);
        if (bindResult.getResultCode() != ResultCode.SUCCESS) {
            throw ServiceException.FAILURE("unable to bind", null);
        }
        succeeded = true;
    } catch (LDAPException e) {
        throw UBIDLdapException.mapToExternalLdapException("unable to ldap authenticate", e);
    } finally {
        UBIDLdapOperation.GENERIC_OP.end(LdapOp.OPEN_CONN, usage, startTime, succeeded, bindResult,
            String.format("conn=[%s], url=[%s], connType=[%s], bindDN=[%s]",
                connection == null ? "null" : connection.getConnectionID(),
                serverPool.getRawUrls(), serverPool.getConnectionType().name(), bindDN));
        if (connection != null) {
            UBIDLogger.beforeOp(LdapOp.CLOSE_CONN, connection);
            connection.close();
        }
    }
}

Example 2 with StartTLSExtendedRequest

Use of com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest in the gitblit project by gitblit: class LdapConnection, method connect.

Imports used (settings, conn and logger are fields of the enclosing gitblit class):

import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;

import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustAllTrustManager;

public boolean connect() {
    try {
        URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
        String ldapHost = ldapUrl.getHost();
        int ldapPort = ldapUrl.getPort();
        if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) {
            // LDAP over TLS from the first byte (implicit TLS).
            // TrustAllTrustManager accepts any server certificate, so the TLS layer
            // encrypts the session but does not verify the server's identity; a
            // TrustStoreTrustManager over a configured trust store would close that gap.
            SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
            conn = new LDAPConnection(sslUtil.createSSLSocketFactory());
            if (ldapPort == -1) {
                ldapPort = 636;
            }
        } else if (ldapUrl.getScheme().equalsIgnoreCase("ldap") || ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
            // Plaintext connection: "ldap+tls" upgrades it with StartTLS below,
            // plain "ldap" stays unencrypted for the whole session.
            conn = new LDAPConnection();
            if (ldapPort == -1) {
                ldapPort = 389;
            }
        } else {
            logger.error("Unsupported LDAP URL scheme: " + ldapUrl.getScheme());
            return false;
        }
        conn.connect(ldapHost, ldapPort);
        if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
            // Same trust-everything SSL context as the ldaps branch (see the note there).
            SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
            ExtendedResult extendedResult =
                conn.processExtendedOperation(new StartTLSExtendedRequest(sslUtil.createSSLContext()));
            // A non-SUCCESS result leaves the connection in plaintext, so fail closed
            // rather than let a later bind go out unencrypted.
            if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
                throw new LDAPException(extendedResult.getResultCode());
            }
        }
        return true;
    } catch (URISyntaxException e) {
        logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e);
    } catch (GeneralSecurityException e) {
        logger.error("Unable to create SSL Connection", e);
    } catch (LDAPException e) {
        logger.error("Error Connecting to LDAP", e);
    }
    return false;
}
