
Example 31 with NamingEnumeration

use of javax.naming.NamingEnumeration in project Openfire by igniterealtime.

From the class LdapAuthorizationMapping, method map (maps an authenticated principal to a username via an LDAP search).

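/**
 * Maps an authenticated principal to an Openfire username by looking it up in LDAP.
 *
 * The search runs {@code princSearchFilter} with the (sanitised) principal as its only
 * filter argument, scoped by {@code manager.isSubTreeSearch()}, and returns the value of
 * the configured username attribute of the first matching entry.
 *
 * Fallback semantics are unchanged from the original: if the search finds nothing, the
 * entry lacks the username attribute, or any exception occurs, the principal is returned
 * unmodified. Callers should be aware that an LDAP outage or misconfiguration therefore
 * silently degrades to "username == principal"; the failure is now logged instead of
 * being swallowed so that it is at least visible.
 *
 * @param principal the authenticated principal to map
 * @return the mapped username, or {@code principal} when no mapping could be determined
 */
@Override
public String map(String principal) {
    String username = principal;
    DirContext ctx = null;
    NamingEnumeration<SearchResult> answer = null;
    try {
        Log.debug("LdapAuthorizationMapping: Starting LDAP search...");
        String usernameField = manager.getUsernameField();
        boolean subTreeSearch = manager.isSubTreeSearch();
        ctx = manager.getContext();

        SearchControls constraints = new SearchControls();
        // Search the whole subtree only when configured to; otherwise a single level.
        constraints.setSearchScope(subTreeSearch ? SearchControls.SUBTREE_SCOPE : SearchControls.ONELEVEL_SCOPE);
        // Only the username attribute is needed; do not pull the whole entry.
        constraints.setReturningAttributes(new String[] { usernameField });

        // The principal is passed as a filter *argument* (and additionally sanitised), never
        // concatenated into the filter string, so it cannot change the filter's structure.
        answer = ctx.search("", princSearchFilter, new String[] { LdapManager.sanitizeSearchFilter(principal) }, constraints);
        Log.debug("LdapAuthorizationMapping: ... search finished");

        if (answer == null || !answer.hasMoreElements()) {
            Log.debug("LdapAuthorizationMapping: Username based on principal '" + principal + "' not found.");
            return principal;
        }

        SearchResult first = answer.next();
        // More than one entry matching the principal means the filter is not selective enough.
        // The first hit is still used (as before), but the ambiguity is made visible because
        // it can map a principal onto another user's account.
        if (answer.hasMoreElements()) {
            Log.warn("LdapAuthorizationMapping: Search for principal '" + principal + "' matched more than one entry; using the first match.");
        }

        Attributes atrs = first.getAttributes();
        Attribute usernameAttribute = atrs == null ? null : atrs.get(usernameField);
        if (usernameAttribute == null) {
            // Entry exists but has no username attribute. The original code hit an NPE here
            // and swallowed it, which also ended up returning the principal.
            Log.debug("LdapAuthorizationMapping: Entry for principal '" + principal + "' has no '" + usernameField + "' attribute.");
            return principal;
        }
        username = (String) usernameAttribute.get();
    } catch (Exception e) {
        // Best effort: keep the unmapped principal, but do not hide why the mapping failed.
        Log.warn("LdapAuthorizationMapping: Failed to map principal '" + principal + "'; returning it unmapped.", e);
    } finally {
        closeQuietly(answer, ctx);
    }
    return username;
}

/**
 * Releases the search result and the directory context. Close failures are deliberately
 * ignored: the mapping outcome has already been decided and nothing useful can be done.
 *
 * @param answer the search result to close, may be {@code null}
 * @param ctx    the directory context to close, may be {@code null}
 */
private static void closeQuietly(NamingEnumeration<?> answer, DirContext ctx) {
    if (answer != null) {
        try {
            answer.close();
        } catch (Exception ignored) {
            // Nothing useful to do at this point.
        }
    }
    if (ctx != null) {
        try {
            ctx.close();
        } catch (Exception ignored) {
            // Nothing useful to do at this point.
        }
    }
}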

Example 32 with NamingEnumeration

use of javax.naming.NamingEnumeration in project neo4j by neo4j.

From the class LdapRealm, method findRoleNamesForUser (resolves a user's roles from LDAP group-membership attributes).

// TODO: Extract to an LdapAuthorizationStrategy ? This ("group by attribute") is one of multiple possible strategies
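/**
 * Resolves the roles for {@code username} using the "group by attribute" strategy: look the
 * user up with the configured user search filter, read the configured membership
 * attributes off the first matching entry, and map every group name found there to roles
 * via {@link #getRoleNamesForGroups(Collection)}.
 *
 * Security note: when the user search filter matches more than one entry, the roles of the
 * FIRST entry the directory returns are granted. That is the pre-existing behaviour; a
 * warning is logged so the ambiguity (which can hand a user another entry's roles) is
 * visible to operators. Turning it into a hard failure would be a behaviour change.
 *
 * @param username    the principal to look up; it is passed to the directory as a filter
 *                    argument, never concatenated into the filter string, so it cannot
 *                    inject filter syntax
 * @param ldapContext an open LDAP context authorised to perform the user search
 * @return the role names in first-seen order; empty when the user or its groups are not found
 * @throws NamingException if the directory search or attribute enumeration fails
 */
Set<String> findRoleNamesForUser(String username, LdapContext ldapContext) throws NamingException {
    Set<String> roleNames = new LinkedHashSet<>();
    SearchControls searchCtls = new SearchControls();
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // Only fetch the membership attributes; nothing else on the entry is needed here.
    // (new String[0] rather than new String[1]: the latter yields {null} for an empty list.)
    searchCtls.setReturningAttributes(membershipAttributeNames.toArray(new String[0]));
    // Use search argument to prevent potential code injection
    Object[] searchArguments = new Object[] { username };
    NamingEnumeration<SearchResult> result = ldapContext.search(userSearchBase, userSearchFilter, searchArguments, searchCtls);
    try {
        if (!result.hasMoreElements()) {
            return roleNames;
        }
        SearchResult searchResult = result.next();
        if (result.hasMoreElements()) {
            securityLog.warn(securityLog.isDebugEnabled() ? withRealm("LDAP user search for user principal '%s' is ambiguous. The first match that will " + "be checked for group membership is '%s' but the search also matches '%s'. " + "Please check your LDAP realm configuration.", username, searchResult.toString(), result.next().toString()) : withRealm("LDAP user search for user principal '%s' is ambiguous. The search matches more " + "than one entry. Please check your LDAP realm configuration.", username));
        }
        Attributes attributes = searchResult.getAttributes();
        if (attributes == null) {
            return roleNames;
        }
        NamingEnumeration<? extends Attribute> attributeEnumeration = attributes.getAll();
        try {
            while (attributeEnumeration.hasMore()) {
                Attribute attribute = attributeEnumeration.next();
                String attributeId = attribute.getID();
                // Attribute names are matched case-insensitively, as LDAP attribute types are.
                if (membershipAttributeNames.stream().anyMatch(attributeId::equalsIgnoreCase)) {
                    Collection<String> groupNames = LdapUtils.getAllAttributeValues(attribute);
                    roleNames.addAll(getRoleNamesForGroups(groupNames));
                }
            }
        } finally {
            closeQuietly(attributeEnumeration);
        }
    } finally {
        // Release the server-side search result even when iteration stopped early.
        closeQuietly(result);
    }
    return roleNames;
}

/**
 * Closes a JNDI enumeration. A failure to close is ignored so that it cannot mask an
 * exception already propagating from the search or the attribute walk.
 *
 * @param enumeration the enumeration to close, never {@code null}
 */
private static void closeQuietly(NamingEnumeration<?> enumeration) {
    try {
        enumeration.close();
    } catch (NamingException ignored) {
        // Nothing useful can be done about a failed close here.
    }
}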

Example 33 with NamingEnumeration

use of javax.naming.NamingEnumeration in project neo4j by neo4j.

From the test class LdapRealmTest, method shouldWarnAboutGroupMembershipsBeingEmpty (realm initialisation must fail when no membership attributes are configured).

/**
 * Initialising the realm with an empty list of group-membership attribute names must fail
 * fast: {@code makeAndInit} throws and an error is written to the security log, because
 * without those attributes no authorization decision could ever be made.
 */
@Test
public void shouldWarnAboutGroupMembershipsBeingEmpty() throws Exception {
    // A directory that answers every user search with an empty result.
    NamingEnumeration emptyResult = mock(NamingEnumeration.class);
    when(emptyResult.hasMoreElements()).thenReturn(false);
    // NOTE(review): this context is never handed to the realm in this test; kept for parity
    // with the sibling tests - confirm whether it is still needed.
    LdapContext ctx = mock(LdapContext.class);
    when(ctx.search(anyString(), anyString(), anyObject(), anyObject())).thenReturn(emptyResult);
    // The misconfiguration under test.
    when(config.get(SecuritySettings.ldap_authorization_group_membership_attribute_names)).thenReturn(Collections.emptyList());

    assertException(this::makeAndInit, IllegalArgumentException.class, "Illegal LDAP user search settings, see security log for details.");
    verify(securityLog).error(contains("LDAP group membership attribute names are empty. " + "Authorization will not be possible."));
}

Example 34 with NamingEnumeration

use of javax.naming.NamingEnumeration in project neo4j by neo4j.

From the test class LdapRealmTest, method shouldWarnAboutUserSearchFilterWithoutArgument (a user search filter lacking the {0} placeholder is logged as a warning).

/**
 * A user search filter that does not contain the {@code {0}} argument placeholder is
 * accepted, but a warning is written to the security log: without the placeholder the
 * username is never substituted into the filter, so the search cannot be user-specific.
 */
@Test
public void shouldWarnAboutUserSearchFilterWithoutArgument() throws Exception {
    // A directory that answers every user search with an empty result.
    NamingEnumeration emptyResult = mock(NamingEnumeration.class);
    when(emptyResult.hasMoreElements()).thenReturn(false);
    // NOTE(review): this context is never handed to the realm in this test; kept for parity
    // with the sibling tests - confirm whether it is still needed.
    LdapContext ctx = mock(LdapContext.class);
    when(ctx.search(anyString(), anyString(), anyObject(), anyObject())).thenReturn(emptyResult);
    // The misconfiguration under test: an empty filter, hence no "{0}".
    when(config.get(SecuritySettings.ldap_authorization_user_search_filter)).thenReturn("");

    makeAndInit();
    verify(securityLog).warn(contains("LDAP user search filter does not contain the argument placeholder {0}"));
}

Example 35 with NamingEnumeration

use of javax.naming.NamingEnumeration in project neo4j by neo4j.

From the test class LdapRealmTest, method shouldAllowMultipleGroupMembershipAttributes (roles are collected from every configured membership attribute).

/**
 * Every configured membership attribute contributes to the role set: with "attr0",
 * "attr1" and "attr2" configured, an entry whose "attr1" holds group1 and whose "attr2"
 * holds group2 yields role1 (from group1) plus role2 and role3 (from group2). "attr0" is
 * absent from the entry and an unconfigured "attr3" is stubbed but never reached.
 */
@Test
public void shouldAllowMultipleGroupMembershipAttributes() throws NamingException {
    // Realm configuration under test.
    when(config.get(SecuritySettings.ldap_authorization_user_search_filter)).thenReturn("{0}");
    when(config.get(SecuritySettings.ldap_authorization_group_membership_attribute_names)).thenReturn(asList("attr0", "attr1", "attr2"));
    when(config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("group1=role1;group2=role2,role3");

    // Exactly one directory entry comes back from the user search.
    LdapContext ctx = mock(LdapContext.class);
    NamingEnumeration userSearchHits = mock(NamingEnumeration.class);
    SearchResult userEntry = mock(SearchResult.class);
    when(ctx.search(anyString(), anyString(), anyObject(), anyObject())).thenReturn(userSearchHits);
    when(userSearchHits.hasMoreElements()).thenReturn(true, false);
    when(userSearchHits.next()).thenReturn(userEntry);

    // The entry's attribute enumeration yields two attributes; a third is stubbed but, with
    // hasMore() answering true, true, false, it is never consumed (a bit brittle).
    Attributes entryAttributes = mock(Attributes.class);
    NamingEnumeration attributeWalk = mock(NamingEnumeration.class);
    Attribute membershipAttr1 = mock(Attribute.class);
    Attribute membershipAttr2 = mock(Attribute.class);
    Attribute unrelatedAttr = mock(Attribute.class);
    when(userEntry.getAttributes()).thenReturn(entryAttributes);
    when(entryAttributes.getAll()).thenReturn(attributeWalk);
    when(attributeWalk.hasMore()).thenReturn(true, true, false);
    when(attributeWalk.next()).thenReturn(membershipAttr1, membershipAttr2, unrelatedAttr);

    // "attr1" holds group1, which maps to role1.
    NamingEnumeration groupsInAttr1 = mock(NamingEnumeration.class);
    when(membershipAttr1.getID()).thenReturn("attr1");
    when(membershipAttr1.getAll()).thenReturn(groupsInAttr1);
    when(groupsInAttr1.hasMore()).thenReturn(true, false);
    when(groupsInAttr1.next()).thenReturn("group1");

    // "attr2" holds group2, which maps to role2 and role3.
    NamingEnumeration groupsInAttr2 = mock(NamingEnumeration.class);
    when(membershipAttr2.getID()).thenReturn("attr2");
    when(membershipAttr2.getAll()).thenReturn(groupsInAttr2);
    when(groupsInAttr2.hasMore()).thenReturn(true, false);
    when(groupsInAttr2.next()).thenReturn("group2");

    // "attr3" is not a configured membership attribute and must not contribute.
    NamingEnumeration groupsInUnrelatedAttr = mock(NamingEnumeration.class);
    when(unrelatedAttr.getID()).thenReturn("attr3");
    when(unrelatedAttr.getAll()).thenReturn(groupsInUnrelatedAttr);
    when(groupsInUnrelatedAttr.hasMore()).thenReturn(true, false);
    when(groupsInUnrelatedAttr.next()).thenReturn("groupWithNoRole");

    // When
    LdapRealm realm = new LdapRealm(config, securityLog, secureHasher);
    Set<String> roles = realm.findRoleNamesForUser("username", ctx);

    // Then
    assertThat(roles, hasItems("role1", "role2", "role3"));
}
