use of com.zimbra.cs.ldap.LdapServerConfig.ExternalLdapConfig in project zm-mailbox by Zimbra.
the class AutoProvision method getExternalAttrsByName.
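/**
 * Resolves the external LDAP entry for {@code loginName} using the domain's
 * auto-provisioning settings and returns its DN together with the attributes
 * named by {@link #getAttrsToFetch()}.
 *
 * Two lookup strategies are supported, tried in this order:
 * <ul>
 *   <li>search: {@code zimbraAutoProvLdapSearchFilter} is set; the template is
 *       expanded with the login name and a single entry is searched for under
 *       {@code zimbraAutoProvLdapSearchBase} (root DSE when unset);</li>
 *   <li>DN template: {@code zimbraAutoProvLdapBindDn} is set; the template is
 *       expanded with the login name and the entry is read directly by DN.</li>
 * </ul>
 * The external directory is always bound with the domain's admin bind
 * DN/password, never with the user's credentials.
 *
 * @param loginName the login name of the account to provision
 * @return the DN and attributes of the external entry
 * @throws ServiceException if neither lookup strategy is configured, if the
 *         search strategy finds no entry ({@code NO_SUCH_EXTERNAL_ENTRY}), or
 *         if the external LDAP operation fails
 */
protected ExternalEntry getExternalAttrsByName(String loginName) throws ServiceException {
    String url = domain.getAutoProvLdapURL();
    boolean wantStartTLS = domain.isAutoProvLdapStartTlsEnabled();
    String adminDN = domain.getAutoProvLdapAdminBindDn();
    String adminPassword = domain.getAutoProvLdapAdminBindPassword();
    String searchFilterTemplate = domain.getAutoProvLdapSearchFilter();
    String bindDNTemplate = domain.getAutoProvLdapBindDn();
    String[] attrs = getAttrsToFetch();

    // Validate the domain configuration before opening a connection so a
    // misconfigured domain does not cost a bind against the external directory.
    if (searchFilterTemplate == null && bindDNTemplate == null) {
        throw ServiceException.FAILURE("One of " + Provisioning.A_zimbraAutoProvLdapBindDn + " or " + Provisioning.A_zimbraAutoProvLdapSearchFilter + " must be set", null);
    }

    // always use the admin bind DN/password, not the user's bind DN/password
    ExternalLdapConfig config = new ExternalLdapConfig(url, wantStartTLS, null, adminDN, adminPassword, null, "auto provision account");
    ZLdapContext zlc = null;
    try {
        zlc = LdapClient.getExternalContext(config, LdapUsage.AUTO_PROVISION);
        if (searchFilterTemplate != null) {
            // get attrs by search
            String searchBase = domain.getAutoProvLdapSearchBase();
            if (searchBase == null) {
                searchBase = LdapConstants.DN_ROOT_DSE;
            }
            // NOTE(review): loginName is substituted into an LDAP search *filter*
            // here; confirm LdapUtil.computeDn escapes filter metacharacters
            // (not only DN special characters) before relying on it for user input.
            String searchFilter = LdapUtil.computeDn(loginName, searchFilterTemplate);
            ZimbraLog.autoprov.debug("AutoProvision: computed search filter " + searchFilter);
            ZSearchResultEntry entry = prov.getHelper().searchForEntry(searchBase, ZLdapFilterFactory.getInstance().fromFilterString(FilterId.AUTO_PROVISION_SEARCH, searchFilter), zlc, attrs);
            if (entry == null) {
                throw AccountServiceException.NO_SUCH_EXTERNAL_ENTRY(loginName);
            }
            return new ExternalEntry(entry.getDN(), entry.getAttributes());
        }
        // get attrs by external DN template (bindDNTemplate is non-null here)
        String dn = LdapUtil.computeDn(loginName, bindDNTemplate);
        ZimbraLog.autoprov.debug("AutoProvision: computed external DN " + dn);
        return new ExternalEntry(dn, prov.getHelper().getAttributes(zlc, dn, attrs));
    } finally {
        LdapClient.closeContext(zlc);
    }
}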
use of com.zimbra.cs.ldap.LdapServerConfig.ExternalLdapConfig in project zm-mailbox by Zimbra.
the class AutoProvision method searchAutoProvDirectory.
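/**
 * Search the external auto provision LDAP source.
 *
 * Only one of filter or name can be provided.
 * - if name is provided, the search filter will be zimbraAutoProvLdapSearchFilter
 *   with place holders filled with the name.
 *
 * - if filter is provided, the provided filter will be the search filter
 *   (used verbatim; this path is intended for admin-initiated searches).
 *
 * - if neither is provided, the search filter will be zimbraAutoProvLdapSearchFilter
 *   with place holders filled with "*". If createTimestampLaterThan
 *   is provided, the search filter will be ANDed with (createTimestamp >= {timestamp}).
 *   Should the directory reject that timestamp value, the search is retried once
 *   with any fractional-second part of the timestamp stripped.
 *
 * The external directory is bound with the domain's admin bind DN/password.
 *
 * @param prov the provisioning instance (currently unused here)
 * @param domain the domain whose auto-provisioning LDAP settings are used
 * @param filter an explicit LDAP filter string, or null
 * @param name a login name to substitute into the configured filter template, or null
 * @param createTimestampLaterThan generalized-time lower bound on createTimestamp, or null
 * @param returnAttrs attributes to request for each entry
 * @param maxResults maximum number of entries to return
 * @param ldapVisitor callback invoked for each entry returned from LDAP
 * @param wantPartialResult whether TOO_MANY_SEARCH_RESULTS should be thrown if the
 *        ldap search encountered LdapSizeLimitExceededException
 *        Note: regardless of this parameter, the ldapVisitor.visit
 *        is called for each entry returned from LDAP.
 *        This behavior is currently hardcoded in
 *        UBIDLdapContext.searchPaged and has been the legacy behavior.
 *        We can probably change it into a parameter in SearchLdapOptions.
 * @throws ServiceException if both filter and name are given, if the domain has no
 *         auto-provisioning LDAP URL, if a filter template is required but not set,
 *         or if the LDAP search fails (including TOO_MANY_SEARCH_RESULTS when
 *         {@code wantPartialResult} is false)
 * @return whether LdapSizeLimitExceededException was hit
 */
static boolean searchAutoProvDirectory(LdapProv prov, Domain domain, String filter, String name, String createTimestampLaterThan, String[] returnAttrs, int maxResults, SearchLdapVisitor ldapVisitor, boolean wantPartialResult) throws ServiceException {
    // use either filter or name, make sure only one is provided
    if ((filter != null) && (name != null)) {
        throw ServiceException.INVALID_REQUEST("only one of filter or name can be provided", null);
    }
    String url = domain.getAutoProvLdapURL();
    boolean wantStartTLS = domain.isAutoProvLdapStartTlsEnabled();
    String adminDN = domain.getAutoProvLdapAdminBindDn();
    String adminPassword = domain.getAutoProvLdapAdminBindPassword();
    String searchBase = domain.getAutoProvLdapSearchBase();
    String searchFilterTemplate = domain.getAutoProvLdapSearchFilter();
    FilterId filterId = FilterId.AUTO_PROVISION_SEARCH;
    if (url == null) {
        throw ServiceException.FAILURE(String.format("missing %s on domain %s", Provisioning.A_zimbraAutoProvLdapURL, domain.getName()), null);
    }
    if (searchBase == null) {
        searchBase = LdapConstants.DN_ROOT_DSE;
    }
    ExternalLdapConfig config = new ExternalLdapConfig(url, wantStartTLS, null, adminDN, adminPassword, null, "search auto provision directory");
    boolean hitSizeLimitExceededException = false;
    ZLdapContext zlc = null;
    ZLdapFilter zFilter = null;
    try {
        zlc = LdapClient.getExternalContext(config, LdapUsage.AUTO_PROVISION_ADMIN_SEARCH);
        String searchFilter;
        // The filter before the createTimestamp clause was appended; non-null only
        // on the polling path, where it is needed to rebuild the filter on retry.
        String searchFilterWithoutLastPolling = null;
        if (name != null) {
            if (searchFilterTemplate == null) {
                throw ServiceException.INVALID_REQUEST("search filter template is not set on domain " + domain.getName(), null);
            }
            // NOTE(review): name is substituted into a search filter; confirm that
            // LdapUtil.computeDn escapes filter metacharacters, not only DN ones.
            searchFilter = LdapUtil.computeDn(name, searchFilterTemplate);
        } else if (filter != null) {
            // explicit filter is used as-is
            searchFilter = filter;
            filterId = FilterId.AUTO_PROVISION_ADMIN_SEARCH;
        } else {
            if (searchFilterTemplate == null) {
                throw ServiceException.INVALID_REQUEST("search filter template is not set on domain " + domain.getName(), null);
            }
            searchFilter = LdapUtil.computeDn("*", searchFilterTemplate);
            if (createTimestampLaterThan != null) {
                searchFilterWithoutLastPolling = searchFilter;
                searchFilter = andCreatedLaterOrEqual(searchFilter, createTimestampLaterThan);
                filterId = FilterId.AUTO_PROVISION_SEARCH_CREATED_LATERTHAN;
            }
        }
        zFilter = ZLdapFilterFactory.getInstance().fromFilterString(filterId, searchFilter);
        try {
            zlc.searchPaged(new SearchLdapOptions(searchBase, zFilter, returnAttrs, maxResults, null, ZSearchScope.SEARCH_SCOPE_SUBTREE, ldapVisitor));
        } catch (LdapInvalidAttrValueException eav) {
            if (searchFilterWithoutLastPolling == null) {
                // no createTimestamp clause to reformat, so an identical retry cannot help
                throw eav;
            }
            ZimbraLog.autoprov.info("Retrying ldap search query with createTimestamp in seconds.");
            // drop the fractional-second part ("...ss.fffZ" -> "...ssZ"); the parameter
            // itself is left untouched
            String secondsOnlyTimestamp = createTimestampLaterThan.replaceAll("\\..*Z$", "Z");
            searchFilter = andCreatedLaterOrEqual(searchFilterWithoutLastPolling, secondsOnlyTimestamp);
            ZimbraLog.autoprov.info("new searchFilter = %s", searchFilter);
            filterId = FilterId.AUTO_PROVISION_SEARCH_CREATED_LATERTHAN;
            zFilter = ZLdapFilterFactory.getInstance().fromFilterString(filterId, searchFilter);
            zlc.searchPaged(new SearchLdapOptions(searchBase, zFilter, returnAttrs, maxResults, null, ZSearchScope.SEARCH_SCOPE_SUBTREE, ldapVisitor));
        }
    } catch (LdapSizeLimitExceededException e) {
        hitSizeLimitExceededException = true;
        if (wantPartialResult) {
            // log at debug level
            ZimbraLog.autoprov.debug(String.format("searchAutoProvDirectory encountered LdapSizeLimitExceededException: base=%s, filter=%s", searchBase, zFilter == null ? "" : zFilter.toFilterString()), e);
        } else {
            throw AccountServiceException.TOO_MANY_SEARCH_RESULTS("too many search results returned", e);
        }
    } finally {
        LdapClient.closeContext(zlc);
    }
    return hitSizeLimitExceededException;
}

/**
 * ANDs {@code baseFilter} with a {@code createTimestamp >= timestamp} clause
 * produced by the LDAP filter factory.
 *
 * @param baseFilter a complete LDAP filter string
 * @param timestamp generalized-time lower bound for createTimestamp
 * @return the combined filter string
 */
private static String andCreatedLaterOrEqual(String baseFilter, String timestamp) {
    return "(&" + baseFilter + ZLdapFilterFactory.getInstance().createdLaterOrEqual(timestamp).toFilterString() + ")";
}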
use of com.zimbra.cs.ldap.LdapServerConfig.ExternalLdapConfig in project zm-mailbox by Zimbra.
the class LdapGalSearch method searchLdapGal.
/**
 * Runs a GAL search against the external LDAP directory described by
 * {@code galParams}, binding with the credentials carried in those params,
 * and delegates the actual search to {@code searchGal}.
 *
 * @param galParams external GAL connection settings (URL, StartTLS, credential, base, page size)
 * @param galOp the GAL operation, mapped to an {@link LdapUsage} for the connection
 * @param query the search query
 * @param maxResults maximum number of results
 * @param rules attribute mapping rules; also supplies the binary attribute names
 * @param token sync token passed through to the search
 * @param result collector for the search results
 * @throws ServiceException if the connection or the search fails
 */
private static void searchLdapGal(GalParams.ExternalGalParams galParams, GalOp galOp, String query, int maxResults, LdapGalMapRules rules, String token, SearchGalResult result) throws ServiceException {
    LdapGalCredential creds = galParams.credential();
    ExternalLdapConfig externalConfig = new ExternalLdapConfig(
            galParams.url(),
            galParams.requireStartTLS(),
            creds.getAuthMech(),
            creds.getBindDn(),
            creds.getBindPassword(),
            rules.getBinaryLdapAttrs(),
            "external GAL");
    ZLdapContext ctx = null;
    try {
        ctx = LdapClient.getExternalContext(externalConfig, LdapUsage.fromGalOpLegacy(galOp));
        searchGal(ctx, GalSearchConfig.GalType.ldap, galParams.pageSize(), galParams.searchBase(), query, maxResults, rules, token, result);
    } finally {
        // closeContext tolerates a null context when getExternalContext failed
        LdapClient.closeContext(ctx);
    }
}
use of com.zimbra.cs.ldap.LdapServerConfig.ExternalLdapConfig in project zm-mailbox by Zimbra.
the class LdapGalSearch method doGalSearch.
/**
 * Executes a GAL search or a single-entry-by-DN fetch against either the
 * internal Zimbra directory or an external LDAP directory, as selected by the
 * GAL type in {@code params.getConfig()}.
 *
 * For sync operations the result object is primed with the LDAP timestamp,
 * match count, has-more flag and max timestamp from {@code params} before the
 * search runs.
 *
 * @param params the search parameters, configuration and result holder
 * @throws ServiceException if the connection or the search fails
 */
private static void doGalSearch(GalSearchParams params) throws ServiceException {
    ZLdapContext ctx = null;
    try {
        GalSearchConfig cfg = params.getConfig();
        GalSearchConfig.GalType galType = params.getConfig().getGalType();
        boolean internalGal = GalSearchConfig.GalType.zimbra == galType;
        ctx = internalGal
                ? LdapClient.getContext(LdapUsage.fromGalOp(params.getOp()))
                : LdapClient.getExternalContext(
                        new ExternalLdapConfig(cfg.getUrl(), cfg.getStartTlsEnabled(), cfg.getAuthMech(), cfg.getBindDn(), cfg.getBindPassword(), cfg.getRules().getBinaryLdapAttrs(), "external GAL"),
                        LdapUsage.fromGalOp(params.getOp()));

        String dnToFetch = params.getSearchEntryByDn();
        if (dnToFetch != null) {
            // direct fetch of one entry; no query generation needed
            getGalEntryByDn(ctx, galType, dnToFetch, cfg.getRules(), params.getResult());
            return;
        }

        SearchGalResult sgr = params.getResult();
        if (sgr != null && GalOp.sync.equals(params.getOp())) {
            sgr.setLdapTimeStamp(params.getLdapTimeStamp());
            sgr.setLdapMatchCount(params.getLdapMatchCount());
            sgr.setHadMore(params.ldapHasMore());
            sgr.setMaxLdapTimeStamp(params.getMaxLdapTimeStamp());
        }
        searchGal(ctx, galType, cfg.getPageSize(), cfg.getSearchBase(), params.generateLdapQuery(), params.getLimit(), cfg.getRules(), params.getSyncToken(), params.getResult(), params.getOp());
    } finally {
        LdapClient.closeContext(ctx);
    }
}
use of com.zimbra.cs.ldap.LdapServerConfig.ExternalLdapConfig in project zm-mailbox by Zimbra.
the class GroupHandler method getExternalDelegatedAdminGroupsLdapContext.
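/**
 * Opens a context on the external directory configured for the domain's
 * LDAP authentication, bound with the domain's search bind DN/password.
 *
 * The callsite is responsible for closing the context after done.
 *
 * External group for delegated admin uses the external AD auth
 * settings. The difference is, when looking for the account anywhere
 * other than authenticating the account, we have to use the
 * admin bindDN/password, because:
 * - we no longer have the user's external LDAP password
 * - it makes sense to do this task using the admin's credentials.
 *
 * @param domain the domain whose {@code zimbraAuthLdap*} settings are used
 * @param asAdmin currently not consulted by this method; the search bind
 *        credentials are always used
 * @return an open external LDAP context; the caller must close it
 * @throws ServiceException if the domain has no auth LDAP URL or the
 *         connection cannot be established
 */
public ZLdapContext getExternalDelegatedAdminGroupsLdapContext(Domain domain, boolean asAdmin) throws ServiceException {
    String[] ldapUrl = domain.getAuthLdapURL();
    if (ldapUrl == null || ldapUrl.length == 0) {
        throw ServiceException.INVALID_REQUEST("unable to search external group, missing " + Provisioning.A_zimbraAuthLdapURL, null);
    }
    boolean startTLSEnabled = domain.isAuthLdapStartTlsEnabled();
    String bindDN = domain.getAuthLdapSearchBindDn();
    String bindPassword = domain.getAuthLdapSearchBindPassword();
    ExternalLdapConfig ldapConfig = new ExternalLdapConfig(ldapUrl, startTLSEnabled, null, bindDN, bindPassword, null, "search external group");
    return LdapClient.getExternalContext(ldapConfig, LdapUsage.EXTERNAL_GROUP);
}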