Use of javax.naming.ldap.LdapName in project SSM by Intel-bigdata:
the class LdapRealm, method isUserMemberOfDynamicGroup.
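/**
 * Checks whether {@code userLdapDn} is a member of the dynamic group described by
 * {@code memberUrl}, an LDAP URL of the form
 * {@code ldap:///<base>?<attributes>?<scope>?<filter>} (RFC 4516).
 *
 * <p>The scope test is evaluated locally against the DN hierarchy; the filter test is then
 * delegated to the directory as an object-scope search rooted at the user's own entry.
 *
 * @param userLdapDn         DN of the user being checked
 * @param memberUrl          the group's memberURL value; {@code null} means "not a member"
 * @param ldapContextFactory factory supplying the system context used for the filter search
 * @return {@code true} if the user's entry lies within the URL's base/scope and matches its filter
 * @throws NamingException if the URL's base is not a valid DN or the directory search fails
 */
boolean isUserMemberOfDynamicGroup(LdapName userLdapDn, String memberUrl,
    final LdapContextFactory ldapContextFactory) throws NamingException {
  if (memberUrl == null) {
    return false;
  }
  // ldap:///<base>?<attributes>?<scope>?<filter>
  String[] tokens = memberUrl.split("\\?");
  if (tokens.length < 4) {
    return false;
  }
  String searchBaseString = tokens[0].substring(tokens[0].lastIndexOf("/") + 1);
  String searchScope = tokens[2];
  String searchFilter = tokens[3];
  LdapName searchBaseDn = new LdapName(searchBaseString);

  // Scope test. A "base" scope designates the base entry itself, which a user entry can
  // never satisfy as a group member.
  if (searchScope.equalsIgnoreCase("base")) {
    log.debug("DynamicGroup SearchScope base");
    return false;
  }
  // Hierarchy test on parsed RDNs rather than a raw string suffix. LdapName numbers the
  // root-most RDN as index 0, so startsWith() means "searchBaseDn is an ancestor of (or equal
  // to) userLdapDn", compared RDN by RDN. A String.endsWith() check has no RDN boundary and
  // would also accept a DN ending in "dc=notexample" as lying under "dc=example".
  if (!userLdapDn.startsWith(searchBaseDn)) {
    return false;
  }
  // "one" scope: the user entry must be an immediate child of the base, i.e. exactly one
  // RDN longer than the base DN.
  if (searchScope.equalsIgnoreCase("one") && userLdapDn.size() != searchBaseDn.size() + 1) {
    log.debug("DynamicGroup SearchScope one");
    return false;
  }

  // Filter test: base_dn=userDn, scope=base (object), filter=filter. Object scope evaluates
  // the filter against the user's own entry only. A subtree or one-level search rooted at the
  // user DN would examine the user's child entries instead (and one-level never the user).
  javax.naming.directory.SearchControls objectScope = new javax.naming.directory.SearchControls();
  objectScope.setSearchScope(javax.naming.directory.SearchControls.OBJECT_SCOPE);

  LdapContext systemLdapCtx = ldapContextFactory.getSystemLdapContext();
  NamingEnumeration<SearchResult> searchResultEnum = null;
  try {
    searchResultEnum = systemLdapCtx.search(userLdapDn, searchFilter, objectScope);
    // Any hit means the user's entry satisfies the group's filter.
    return searchResultEnum.hasMore();
  } finally {
    // Close the enumeration first, then the context, even if closing the enumeration throws.
    try {
      if (searchResultEnum != null) {
        searchResultEnum.close();
      }
    } finally {
      LdapUtils.closeContext(systemLdapCtx);
    }
  }
}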
Use of javax.naming.ldap.LdapName in project Smack by igniterealtime:
the class XmppHostnameVerifier, method matchDns.
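/**
 * Try to match a certificate with a DNS name. This method returns if the certificate matches or
 * throws a {@link CertificateException} if not.
 *
 * <p>Matching order: every dNSName subject alternative name is tried first. If the certificate
 * carries dNSName SANs and none matches, it is rejected without consulting the subject DN. Only a
 * certificate with no dNSName SAN at all falls back to the most specific (leftmost) {@code CN} of
 * its subject DN.
 *
 * @param name the DNS name.
 * @param cert the certificate.
 * @throws CertificateException if the DNS name does not match the certificate.
 */
private static void matchDns(String name, X509Certificate cert) throws CertificateException {
  Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
  if (subjAltNames != null) {
    List<String> nonMatchingDnsAltnames = new ArrayList<>();
    for (List<?> san : subjAltNames) {
      // Each SAN is a two-element list: [Integer GeneralName type, value].
      if (((Integer) san.get(0)).intValue() != ALTNAME_DNS) {
        continue;
      }
      String dnsName = (String) san.get(1);
      if (matchesPerRfc2818(name, dnsName)) {
        // Signal success by returning.
        return;
      }
      nonMatchingDnsAltnames.add(dnsName);
    }
    if (!nonMatchingDnsAltnames.isEmpty()) {
      // Reject if certificate contains subject alt names, but none of them matches
      StringBuilder sb = new StringBuilder("No subject alternative DNS name matching " + name + " found. Tried: ");
      for (String nonMatchingDnsAltname : nonMatchingDnsAltnames) {
        sb.append(nonMatchingDnsAltname).append(',');
      }
      throw new CertificateException(sb.toString());
    }
  }

  // Control flow will end here if the X509 certificate does not have *any* Subject
  // Alternative Names (SANs) of type dNSName. Fallback trying to validate against the CN of
  // the subject.
  LdapName dn = null;
  try {
    dn = new LdapName(cert.getSubjectX500Principal().getName());
  } catch (InvalidNameException e) {
    LOGGER.warning("Invalid DN: " + e.getMessage());
  }
  if (dn != null) {
    // LdapName numbers RDNs from the right (index 0 is the root-most RDN), so walk the list
    // backwards to reach the leftmost, most specific CN first. Only that CN is consulted: a
    // subject such as "CN=host,CN=Users,O=Org" must not match via its "CN=Users" component,
    // which a forward scan with break-on-first-CN would have compared instead.
    List<Rdn> rdns = dn.getRdns();
    for (int i = rdns.size() - 1; i >= 0; i--) {
      Rdn rdn = rdns.get(i);
      if (rdn.getType().equalsIgnoreCase("CN")) {
        if (matchesPerRfc2818(name, rdn.getValue().toString())) {
          // Signal success by returning.
          return;
        }
        break;
      }
    }
  }
  throw new CertificateException("No name matching " + name + " found");
}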
Use of javax.naming.ldap.LdapName in project zm-mailbox by Zimbra:
the class ClientCertAuthenticator, method getAccountByX509SubjectDN.
// Still called from nginx lookup servlet, TODO: retire
/**
 * Resolves the account named by an {@code EMAILADDRESS} component of a client certificate's
 * subject DN.
 *
 * <p>Only RDNs whose type is spelled exactly {@code EMAILADDRESS} are considered; every other
 * RDN is skipped. The first such value that names an existing account is returned.
 *
 * @param x509SubjectDN subject DN of the client certificate, in {@link LdapName} syntax
 * @return the matching account, or {@code null} if no EMAILADDRESS RDN names a known account
 * @throws ServiceException AUTH_FAILED if {@code x509SubjectDN} cannot be parsed as a DN
 */
public static Account getAccountByX509SubjectDN(String x509SubjectDN) throws ServiceException {
  final List<Rdn> subjectRdns;
  try {
    subjectRdns = new LdapName(x509SubjectDN).getRdns();
  } catch (InvalidNameException e) {
    throw AuthFailedServiceException.AUTH_FAILED("ClientCertAuthenticator - invalid X509 subject: " + x509SubjectDN, e);
  }
  // NOTE(review): the DN string is treated as an authenticated identity here; presumably the
  // caller has already validated the certificate chain — confirm against the callers.
  for (Rdn rdn : subjectRdns) {
    // recognize only email address for now
    if (!"EMAILADDRESS".equals(rdn.getType())) {
      continue;
    }
    final Object rdnValue = rdn.getValue();
    if (rdnValue == null) {
      continue;
    }
    final String email = rdnValue.toString();
    final Account acct = Provisioning.getInstance().get(AccountBy.name, email);
    if (acct != null) {
      return acct;
    }
    ZimbraLog.account.debug(LOG_PREFIX + "account not found: " + email);
  }
  return null;
}
Use of javax.naming.ldap.LdapName in project Openfire by igniterealtime:
the class LdapManagerTest, method testGetProviderURLWithSpaces.
/**
 * Test if {@link LdapManager#getProviderURL(LdapName)} escapes whitespace characters in the baseDN value.
 */
@Test
public void testGetProviderURLWithSpaces() throws Exception {
  // Setup fixture: a plain (non-SSL) server and a base DN whose value contains spaces.
  final Map<String, String> ldapProperties = new HashMap<>();
  ldapProperties.put("ldap.host", "localhost");
  ldapProperties.put("ldap.port", "389");
  ldapProperties.put("ldap.sslEnabled", "false");
  final LdapManager manager = new LdapManager(ldapProperties);
  final String baseDn = "ou=people,dc=example with spaces,dc=org";
  final String expected = "ldap://localhost:389/ou=people,dc=example%20with%20spaces,dc=org";

  // Execute system under test.
  final String actual = manager.getProviderURL(new LdapName(baseDn));

  // Verify result: each space is percent-encoded, the rest of the DN is left intact.
  assertEquals(expected, actual);
}
Use of javax.naming.ldap.LdapName in project aerospike-client-java by aerospike:
the class Connection, method validateServerCertificate.
/**
 * Validates that a server certificate is acceptable for the configured TLS name.
 *
 * <p>Checks, in order: the certificate's serial number must not appear in
 * {@code policy.revokeCertificates}; then {@code tlsName} must equal either a {@code CN} of the
 * subject DN or a dNSName subject alternative name. Both comparisons are exact string equality,
 * so no wildcard expansion or case folding is applied.
 *
 * @param policy  TLS policy; only {@code revokeCertificates} is consulted here
 * @param tlsName expected certificate name; must not be {@code null}
 * @param cert    the server's end-entity certificate
 * @throws AerospikeException if {@code tlsName} is null, the serial number is revoked, or no name matches
 * @throws Exception if the subject DN or the SAN extension cannot be parsed
 */
public static void validateServerCertificate(TlsPolicy policy, String tlsName, X509Certificate cert) throws Exception {
  if (tlsName == null) {
    // We don't want to retry on TLS errors. Throw standard AerospikeException instead.
    throw new AerospikeException("Invalid TLS name: null");
  }

  // Exclude certificate serial numbers.
  if (policy.revokeCertificates != null) {
    final BigInteger presented = cert.getSerialNumber();
    for (BigInteger revoked : policy.revokeCertificates) {
      if (revoked.equals(presented)) {
        throw new AerospikeException("Invalid certificate serial number: " + revoked);
      }
    }
  }

  // Search for subject certificate name.
  final String subjectDn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
  for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
    final Attribute commonName = rdn.toAttributes().get("CN");
    if (commonName == null) {
      continue;
    }
    final String certName = (String) commonName.get();
    if (certName.equals(tlsName)) {
      return;
    }
  }

  // Search for subject alternative names.
  // GeneralName tag 2 is dNSName (RFC 5280, section 4.2.1.6); each entry is [Integer tag, value].
  final int dnsNameTag = 2;
  final Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
  if (altNames != null) {
    for (List<?> altName : altNames) {
      final int tag = (Integer) altName.get(0);
      if (tag == dnsNameTag && altName.get(1).equals(tlsName)) {
        return;
      }
    }
  }

  throw new AerospikeException("Invalid TLS name: " + tlsName);
}