Examples with DirContext javax.naming.directory.DirContext used on opensource projects

Example 66 with DirContext

use of javax.naming.directory.DirContext in project jetty.project by eclipse.

the class LdapLoginModule method bindingLogin.

/**
     * binding authentication check
     * This method of authentication works only if the user branch of the DIT (ldap tree)
     * has an ACI (access control instruction) that allow the access to any user or at least
     * for the user that logs in.
     *
     * @param username the user name
     * @param password the password
     * @return true always
     * @throws LoginException if unable to bind the login
     * @throws NamingException if failure to bind login
     */
public boolean bindingLogin(String username, Object password) throws LoginException, NamingException {
    SearchResult searchResult = findUser(username);
    String userDn = searchResult.getNameInNamespace();
    LOG.info("Attempting authentication: " + userDn);
    Hashtable<Object, Object> environment = getEnvironment();
    if (userDn == null || "".equals(userDn)) {
        throw new NamingException("username may not be empty");
    }
    environment.put(Context.SECURITY_PRINCIPAL, userDn);
    // RFC 4513 section 6.3.1, protect against ldap server implementations that allow successful binding on empty passwords
    if (password == null || "".equals(password)) {
        throw new NamingException("password may not be empty");
    }
    environment.put(Context.SECURITY_CREDENTIALS, password);
    DirContext dirContext = new InitialDirContext(environment);
    List<String> roles = getUserRolesByDn(dirContext, userDn);
    UserInfo userInfo = new UserInfo(username, null, roles);
    setCurrentUser(new JAASUserInfo(userInfo));
    setAuthenticated(true);
    return true;
}

Example 67 with DirContext

use of javax.naming.directory.DirContext in project Openfire by igniterealtime.

the class LdapAuthorizationPolicy method getAuthorized.

/**
     * Returns a String Collection of principals that are authorized to use
     * the named user.
     *
     * @param username the username.
     * @return A String Collection of principals that are authorized.
     */
private Collection<String> getAuthorized(String username) {
    // Un-escape Node
    username = JID.unescapeNode(username);
    Collection<String> authorized = new ArrayList<>();
    DirContext ctx = null;
    try {
        String userDN = manager.findUserDN(username);
        // Load record.
        String[] attributes = new String[] { usernameField, authorizeField };
        ctx = manager.getContext();
        Attributes attrs = ctx.getAttributes(userDN, attributes);
        Attribute authorizeField_a = attrs.get(authorizeField);
        if (authorizeField_a != null) {
            for (Enumeration e = authorizeField_a.getAll(); e.hasMoreElements(); ) {
                authorized.add((String) e.nextElement());
            }
        }
        return authorized;
    } catch (Exception e) {
    // Ignore.
    } finally {
        try {
            if (ctx != null) {
                ctx.close();
            }
        } catch (Exception ignored) {
        // Ignore.
        }
    }
    return authorized;
}

Example 68 with DirContext

use of javax.naming.directory.DirContext in project Openfire by igniterealtime.

the class LdapManager method findGroupDN.

/**
     * Finds a groups's dn using it's group name. Normally, this search will
     * be performed using the field "cn", but this can be changed by setting
     * the <tt>groupNameField</tt> property.<p>
     *
     * Searches are performed over all subtrees relative to the <tt>baseDN</tt>.
     * If the search fails in the <tt>baseDN</tt> then another search will be
     * performed in the <tt>alternateBaseDN</tt>. For example, if the <tt>baseDN</tt>
     * is "o=jivesoftware, o=com" and we do a search for "managers", then we might
     * find a groupDN of "uid=managers,ou=Groups". This kind of searching is a good
     * thing since it doesn't make the assumption that all user records are stored
     * in a flat structure. However, it does add the requirement that "cn" field
     * (or the other field specified) must be unique over the entire subtree from
     * the <tt>baseDN</tt>. For example, it's entirely possible to create two dn's
     * in your LDAP directory with the same cn: "cn=managers,ou=Financial" and
     * "cn=managers,ou=Engineers". In such a case, it's not possible to
     * uniquely identify a group, so this method will throw an error.<p>
     *
     * The dn that's returned is relative to the default <tt>baseDN</tt>.
     *
     * @param groupname the groupname to lookup the dn for.
     * @param baseDN the base DN to use for this search.
     * @return the dn associated with <tt>groupname</tt>.
     * @throws Exception if the search for the dn fails.
     * @see #findGroupDN(String) to search using the default baseDN and alternateBaseDN.
     */
public String findGroupDN(String groupname, String baseDN) throws Exception {
    boolean debug = Log.isDebugEnabled();
    if (debug) {
        Log.debug("LdapManager: Trying to find a groups's DN based on it's groupname. " + groupNameField + ": " + groupname + ", Base DN: " + baseDN + "...");
    }
    DirContext ctx = null;
    try {
        ctx = getContext(baseDN);
        if (debug) {
            Log.debug("LdapManager: Starting LDAP search...");
        }
        // Search for the dn based on the groupname.
        SearchControls constraints = new SearchControls();
        // If sub-tree searching is enabled (default is true) then search the entire tree.
        if (subTreeSearch) {
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
        } else // Otherwise, only search a single level.
        {
            constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        }
        constraints.setReturningAttributes(new String[] { groupNameField });
        String filter = MessageFormat.format(getGroupSearchFilter(), sanitizeSearchFilter(groupname));
        NamingEnumeration<SearchResult> answer = ctx.search("", filter, constraints);
        if (debug) {
            Log.debug("LdapManager: ... search finished");
        }
        if (answer == null || !answer.hasMoreElements()) {
            if (debug) {
                Log.debug("LdapManager: Group DN based on groupname '" + groupname + "' not found.");
            }
            throw new GroupNotFoundException("Groupname " + groupname + " not found");
        }
        String groupDN = answer.next().getName();
        // The baseDN must be set correctly so that this doesn't happen.
        if (answer.hasMoreElements()) {
            if (debug) {
                Log.debug("LdapManager: Search for groupDN based on groupname '" + groupname + "' found multiple " + "responses, throwing exception.");
            }
            throw new GroupNotFoundException("LDAP groupname lookup for " + groupname + " matched multiple entries.");
        }
        // Close the enumeration.
        answer.close();
        // following code converts a referral back to a "partial" LDAP string.
        if (groupDN.startsWith("ldap://")) {
            groupDN = groupDN.replace("," + baseDN, "");
            groupDN = groupDN.substring(groupDN.lastIndexOf("/") + 1);
            groupDN = java.net.URLDecoder.decode(groupDN, "UTF-8");
        }
        if (encloseGroupDN) {
            groupDN = getEnclosedDN(groupDN);
        }
        return groupDN;
    } catch (Exception e) {
        if (debug) {
            Log.debug("LdapManager: Exception thrown when searching for groupDN based on groupname '" + groupname + "'", e);
        }
        throw e;
    } finally {
        try {
            ctx.close();
        } catch (Exception ignored) {
        // Ignore.
        }
    }
}

Example 69 with DirContext

use of javax.naming.directory.DirContext in project Openfire by igniterealtime.

the class LdapManager method findUserDN.

/**
     * Finds a user's dn using their username in the specified baseDN. Normally, this search
     * will be performed using the field "uid", but this can be changed by setting
     * the <tt>usernameField</tt> property.<p>
     *
     * Searches are performed over all sub-trees relative to the <tt>baseDN</tt> unless
     * sub-tree searching has been disabled. For example, if the <tt>baseDN</tt> is
     * "o=jivesoftware, o=com" and we do a search for "mtucker", then we might find a userDN of
     * "uid=mtucker,ou=People". This kind of searching is a good thing since
     * it doesn't make the assumption that all user records are stored in a flat
     * structure. However, it does add the requirement that "uid" field (or the
     * other field specified) must be unique over the entire subtree from the
     * <tt>baseDN</tt>. For example, it's entirely possible to create two dn's
     * in your LDAP directory with the same uid: "uid=mtucker,ou=People" and
     * "uid=mtucker,ou=Administrators". In such a case, it's not possible to
     * uniquely identify a user, so this method will throw an error.<p>
     *
     * The DN that's returned is relative to the <tt>baseDN</tt>.
     *
     * @param username the username to lookup the dn for.
     * @param baseDN the base DN to use for this search.
     * @return the dn associated with <tt>username</tt>.
     * @throws Exception if the search for the dn fails.
     * @see #findUserDN(String) to search using the default baseDN and alternateBaseDN.
     */
public String findUserDN(String username, String baseDN) throws Exception {
    boolean debug = Log.isDebugEnabled();
    //Support for usernameSuffix
    username = username + usernameSuffix;
    if (debug) {
        Log.debug("LdapManager: Trying to find a user's DN based on their username. " + usernameField + ": " + username + ", Base DN: " + baseDN + "...");
    }
    DirContext ctx = null;
    try {
        ctx = getContext(baseDN);
        if (debug) {
            Log.debug("LdapManager: Starting LDAP search...");
        }
        // Search for the dn based on the username.
        SearchControls constraints = new SearchControls();
        // If sub-tree searching is enabled (default is true) then search the entire tree.
        if (subTreeSearch) {
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
        } else // Otherwise, only search a single level.
        {
            constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        }
        constraints.setReturningAttributes(new String[] { usernameField });
        // NOTE: this assumes that the username has already been JID-unescaped
        NamingEnumeration<SearchResult> answer = ctx.search("", getSearchFilter(), new String[] { sanitizeSearchFilter(username) }, constraints);
        if (debug) {
            Log.debug("LdapManager: ... search finished");
        }
        if (answer == null || !answer.hasMoreElements()) {
            if (debug) {
                Log.debug("LdapManager: User DN based on username '" + username + "' not found.");
            }
            throw new UserNotFoundException("Username " + username + " not found");
        }
        String userDN = answer.next().getName();
        // The baseDN must be set correctly so that this doesn't happen.
        if (answer.hasMoreElements()) {
            if (debug) {
                Log.debug("LdapManager: Search for userDN based on username '" + username + "' found multiple " + "responses, throwing exception.");
            }
            throw new UserNotFoundException("LDAP username lookup for " + username + " matched multiple entries.");
        }
        // Close the enumeration.
        answer.close();
        // following code converts a referral back to a "partial" LDAP string.
        if (userDN.startsWith("ldap://")) {
            userDN = userDN.replace("," + baseDN, "");
            userDN = userDN.substring(userDN.lastIndexOf("/") + 1);
            userDN = java.net.URLDecoder.decode(userDN, "UTF-8");
        }
        if (encloseUserDN) {
            userDN = getEnclosedDN(userDN);
        }
        return userDN;
    } catch (Exception e) {
        if (debug) {
            Log.debug("LdapManager: Exception thrown when searching for userDN based on username '" + username + "'", e);
        }
        throw e;
    } finally {
        try {
            ctx.close();
        } catch (Exception ignored) {
        // Ignore.
        }
    }
}

Example 70 with DirContext

use of javax.naming.directory.DirContext in project Openfire by igniterealtime.

the class LdapAuthorizationMapping method map.

@Override
public String map(String principal) {
    String username = principal;
    DirContext ctx = null;
    try {
        Log.debug("LdapAuthorizationMapping: Starting LDAP search...");
        String usernameField = manager.getUsernameField();
        //String baseDN = manager.getBaseDN();
        boolean subTreeSearch = manager.isSubTreeSearch();
        ctx = manager.getContext();
        SearchControls constraints = new SearchControls();
        if (subTreeSearch) {
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
        } else // Otherwise, only search a single level.
        {
            constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        }
        constraints.setReturningAttributes(new String[] { usernameField });
        NamingEnumeration answer = ctx.search("", princSearchFilter, new String[] { LdapManager.sanitizeSearchFilter(principal) }, constraints);
        Log.debug("LdapAuthorizationMapping: ... search finished");
        if (answer == null || !answer.hasMoreElements()) {
            Log.debug("LdapAuthorizationMapping: Username based on principal '" + principal + "' not found.");
            return principal;
        }
        Attributes atrs = ((SearchResult) answer.next()).getAttributes();
        Attribute usernameAttribute = atrs.get(usernameField);
        username = (String) usernameAttribute.get();
    } catch (Exception e) {
    // Ignore.
    } finally {
        try {
            if (ctx != null) {
                ctx.close();
            }
        } catch (Exception ignored) {
        // Ignore.
        }
    }
    return username;
}