Use of com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest in project zm-mailbox by Zimbra:
the class UBIDLdapContext, method ldapAuthenticate.
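/**
 * Authenticates to an LDAP server: obtains a connection from the configured
 * server pool (or the in-memory test server), optionally negotiates StartTLS,
 * and performs a simple bind as {@code bindDN} with {@code password}.
 *
 * This method is called for:
 * - external LDAP auth
 * - auth to the Zimbra LDAP server when the stored password is not SSHA.
 *
 * Alias dereferencing is deliberately not supported during bind. The legacy
 * JNDI implementation allowed a deref policy via the
 * "java.naming.ldap.derefAliases" DirContext env property; unboundid has no
 * obvious equivalent, and RFC 4511 section 4.2 says the server
 * "SHALL NOT perform alias dereferencing" during bind anyway.
 *
 * @param config   server configuration used to build the {@link LdapServerPool}
 *                 (urls, connection type, untrusted-cert policy)
 * @param bindDN   DN to bind as
 * @param password password for the simple bind; must be non-empty
 * @param usage    usage recorded with the operation statistics
 * @throws ServiceException if the password is empty, if the StartTLS extended
 *                          operation or the bind does not return SUCCESS, or if
 *                          an {@link LDAPException} occurs (mapped via
 *                          {@link UBIDLdapException#mapToExternalLdapException})
 */
private static void ldapAuthenticate(LdapServerConfig config, String bindDN, String password, LdapUsage usage) throws ServiceException {
    // A simple bind with a DN but an empty password is an "unauthenticated"
    // bind (RFC 4513 section 5.1.2), which a server may grant without
    // checking any credential. Reject it up front rather than relying on
    // SDK or server defaults, since this method exists to prove the caller
    // knows the password.
    if (password == null || password.isEmpty()) {
        throw ServiceException.FAILURE("unable to bind: empty password", null);
    }

    boolean succeeded = false;
    LdapServerPool serverPool = new LdapServerPool(config);
    LDAPConnection connection = null;
    BindResult bindResult = null;
    long startTime = UBIDLdapOperation.GENERIC_OP.begin();
    try {
        if (InMemoryLdapServer.isOn()) {
            connection = InMemoryLdapServer.getConnection();
            password = InMemoryLdapServer.Password.treatPassword(password);
        } else {
            connection = serverPool.getServerSet().getConnection();
        }

        if (serverPool.getConnectionType() == LdapConnType.STARTTLS) {
            // Upgrade the plaintext connection before any credential is sent.
            // NOTE(review): whether the server certificate is validated
            // presumably depends on config.sslAllowUntrustedCerts() — confirm
            // in LdapSSLUtil.createSSLContext.
            SSLContext startTLSContext = LdapSSLUtil.createSSLContext(config.sslAllowUntrustedCerts());
            ExtendedResult extendedResult = connection.processExtendedOperation(new StartTLSExtendedRequest(startTLSContext));
            if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
                throw ServiceException.FAILURE("unable to send or receive startTLS extended operation", null);
            }
        }

        bindResult = connection.bind(bindDN, password);
        if (bindResult.getResultCode() != ResultCode.SUCCESS) {
            throw ServiceException.FAILURE("unable to bind", null);
        }
        succeeded = true;
    } catch (LDAPException e) {
        throw UBIDLdapException.mapToExternalLdapException("unable to ldap authenticate", e);
    } finally {
        // Record the outcome whether or not the bind succeeded, then release
        // the connection if one was obtained.
        UBIDLdapOperation.GENERIC_OP.end(LdapOp.OPEN_CONN, usage, startTime, succeeded, bindResult,
                String.format("conn=[%s], url=[%s], connType=[%s], bindDN=[%s]",
                        connection == null ? "null" : connection.getConnectionID(),
                        serverPool.getRawUrls(), serverPool.getConnectionType().name(), bindDN));
        if (connection != null) {
            UBIDLogger.beforeOp(LdapOp.CLOSE_CONN, connection);
            connection.close();
        }
    }
}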
Use of com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest in project gitblit by gitblit:
the class LdapConnection, method connect.
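/**
 * Opens the LDAP connection described by the {@code realm.ldap.server} setting
 * and stores it in {@code conn}.
 *
 * Supported URL schemes: {@code ldaps} (TLS from the start, default port 636),
 * {@code ldap} (plaintext, default port 389) and {@code ldap+tls} (plaintext
 * connect, default port 389, followed by a StartTLS upgrade).
 *
 * Both TLS paths build their {@link SSLUtil} with a {@link TrustAllTrustManager},
 * so the server certificate is not validated and the server's identity is not
 * verified.
 *
 * @return {@code true} if the connection (and the StartTLS upgrade, when the
 *         scheme is {@code ldap+tls}) succeeded; {@code false} otherwise, with
 *         the cause logged
 */
public boolean connect() {
    try {
        URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
        String scheme = ldapUrl.getScheme();
        String ldapHost = ldapUrl.getHost();
        int ldapPort = ldapUrl.getPort();

        // URI.getScheme()/getHost() return null for inputs such as "//host:389"
        // or "ldap:///"; report them as bad URLs instead of failing with an
        // uncaught NullPointerException below.
        if (scheme == null || ldapHost == null) {
            logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>");
            return false;
        }

        boolean useStartTls = scheme.equalsIgnoreCase("ldap+tls");

        if (scheme.equalsIgnoreCase("ldaps")) {
            // SSL — certificate validation disabled (see Javadoc).
            SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
            conn = new LDAPConnection(sslUtil.createSSLSocketFactory());
            if (ldapPort == -1) {
                ldapPort = 636;
            }
        } else if (scheme.equalsIgnoreCase("ldap") || useStartTls) {
            // no encryption or StartTLS
            conn = new LDAPConnection();
            if (ldapPort == -1) {
                ldapPort = 389;
            }
        } else {
            logger.error("Unsupported LDAP URL scheme: " + ldapUrl.getScheme());
            return false;
        }

        conn.connect(ldapHost, ldapPort);

        if (useStartTls) {
            boolean upgraded = false;
            try {
                // Certificate validation disabled here too (see Javadoc).
                SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
                ExtendedResult extendedResult = conn.processExtendedOperation(new StartTLSExtendedRequest(sslUtil.createSSLContext()));
                if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
                    throw new LDAPException(extendedResult.getResultCode());
                }
                upgraded = true;
            } finally {
                // Do not leave a connected plaintext socket behind when the
                // TLS upgrade fails; nothing may be sent over it afterwards.
                if (!upgraded) {
                    conn.close();
                }
            }
        }
        return true;
    } catch (URISyntaxException e) {
        logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e);
    } catch (GeneralSecurityException e) {
        logger.error("Unable to create SSL Connection", e);
    } catch (LDAPException e) {
        logger.error("Error Connecting to LDAP", e);
    }
    return false;
}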