use of org.apache.directory.ldap.client.api.LdapConnection in project directory-fortress-core by apache.
the class PropertyDAO method getProperties.
/**
* Get properties on the provided entity using the provided property provider
*
* @param entity A FortressEntity that supports properties (Role, AdminRole, Group, Permission, PermObj)
* @param propProvider DAO for entity type that implements property provider interface
* @return Current properties of entity
* @throws FinderException
*/
Properties getProperties(FortEntity entity, PropertyProvider propProvider) throws FinderException {
Properties props = null;
LdapConnection ld = null;
String entityDn = propProvider.getDn(entity);
try {
ld = getAdminConnection();
Entry findEntry = read(ld, entityDn, new String[] { GlobalIds.PROPS });
props = PropUtil.getProperties(getAttributes(findEntry, GlobalIds.PROPS));
if (props == null) {
props = new Properties();
}
} catch (LdapNoSuchObjectException e) {
String warning = "get properties COULD NOT FIND ENTRY for entity [" + entityDn + "]";
throw new FinderException(GlobalErrIds.ENTITY_PROPS_NOT_FOUND, warning);
} catch (LdapException e) {
String error = "get properties [" + entityDn + "]= caught LDAPException=" + e.getMessage();
throw new FinderException(GlobalErrIds.ENTITY_PROPS_LOAD_FAILED, error, e);
} finally {
closeAdminConnection(ld);
}
return props;
}
use of org.apache.directory.ldap.client.api.LdapConnection in project directory-fortress-core by apache.
the class AuditDAO method searchAuthZs.
/**
* @param audit
* @return
* @throws org.apache.directory.fortress.core.FinderException
*/
List<AuthZ> searchAuthZs(UserAudit audit) throws FinderException {
List<AuthZ> auditList = new ArrayList<>();
LdapConnection ld = null;
String auditRoot = Config.getInstance().getProperty(AUDIT_ROOT);
String permRoot = getRootDn(audit.isAdmin(), audit.getContextId());
String userRoot = getRootDn(audit.getContextId(), GlobalIds.USER_ROOT);
try {
String reqDn = PermDAO.getOpRdn(audit.getOpName(), audit.getObjId()) + "," + GlobalIds.POBJ_NAME + "=" + audit.getObjName() + "," + permRoot;
String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(" + REQDN + "=" + reqDn + ")(" + REQUAUTHZID + "=" + SchemaConstants.UID_AT + "=" + audit.getUserId() + "," + userRoot + ")";
if (audit.isFailedOnly()) {
filter += "(" + REQRESULT + "=" + GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG + ")";
}
if (audit.getBeginDate() != null) {
String szTime = TUtil.encodeGeneralizedTime(audit.getBeginDate());
filter += "(" + REQEND + ">=" + szTime + ")";
}
filter += ")";
// System.out.println("filter=" + filter);
ld = getLogConnection();
SearchCursor searchResults = search(ld, auditRoot, SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE);
long sequence = 0;
while (searchResults.next()) {
auditList.add(getAuthzEntityFromLdapEntry(searchResults.getEntry(), sequence++));
}
} catch (LdapException e) {
String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e);
} catch (CursorException e) {
String error = "CursorException in AuditDAO.searchAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e);
} finally {
closeLogConnection(ld);
}
return auditList;
}
use of org.apache.directory.ldap.client.api.LdapConnection in project directory-fortress-core by apache.
the class AuditDAO method searchUserMods.
/**
* @param audit
* @return
* @throws org.apache.directory.fortress.core.FinderException
*/
List<Mod> searchUserMods(UserAudit audit) throws FinderException {
List<Mod> modList = new ArrayList<>();
LdapConnection ld = null;
String auditRoot = Config.getInstance().getProperty(AUDIT_ROOT);
String userRoot = getRootDn(audit.getContextId(), GlobalIds.USER_ROOT);
try {
String filter = GlobalIds.FILTER_PREFIX + ACCESS_MOD_CLASS_NM + ")(" + REQDN + "=" + SchemaConstants.UID_AT + "=" + audit.getUserId() + "," + userRoot + ")";
if (audit.getBeginDate() != null) {
String szTime = TUtil.encodeGeneralizedTime(audit.getBeginDate());
filter += "(" + REQEND + ">=" + szTime + ")";
}
filter += ")";
// log.warn("filter=" + filter);
ld = getLogConnection();
SearchCursor searchResults = search(ld, auditRoot, SearchScope.ONELEVEL, filter, AUDIT_MOD_ATRS, false, GlobalIds.BATCH_SIZE);
long sequence = 0;
while (searchResults.next()) {
modList.add(getModEntityFromLdapEntry(searchResults.getEntry(), sequence++));
}
} catch (LdapException e) {
String error = "searchUserMods caught LdapException id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_MOD_SEARCH_FAILED, error, e);
} catch (CursorException e) {
String error = "searchUserMods caught CursorException id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_MOD_SEARCH_FAILED, error, e);
} finally {
closeLogConnection(ld);
}
return modList;
}
use of org.apache.directory.ldap.client.api.LdapConnection in project directory-fortress-core by apache.
the class AuditDAO method getAllAuthZs.
/**
* @param audit
* @return
* @throws org.apache.directory.fortress.core.FinderException
*/
List<AuthZ> getAllAuthZs(UserAudit audit) throws FinderException {
List<AuthZ> auditList = new ArrayList<>();
LdapConnection ld = null;
String auditRoot = Config.getInstance().getProperty(AUDIT_ROOT);
String userRoot = getRootDn(audit.getContextId(), GlobalIds.USER_ROOT);
try {
String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(";
if (audit.getUserId() != null && audit.getUserId().length() > 0) {
filter += REQUAUTHZID + "=" + SchemaConstants.UID_AT + "=" + audit.getUserId() + "," + userRoot + ")";
} else {
// have to limit the query to only authorization entries.
// TODO: determine why the cn=Manager user is showing up in this search:
filter += REQUAUTHZID + "=*)(!(" + REQUAUTHZID + "=cn=Manager," + Config.getInstance().getProperty(GlobalIds.SUFFIX) + "))";
// TODO: fix this so filter by only the Fortress AuthZ entries and not the others:
if (audit.isFailedOnly()) {
filter += "(" + REQRESULT + "=" + GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG + ")";
}
}
if (audit.getBeginDate() != null) {
String szTime = TUtil.encodeGeneralizedTime(audit.getBeginDate());
filter += "(" + REQEND + ">=" + szTime + ")";
}
filter += ")";
// log.warn("filter=" + filter);
ld = getLogConnection();
SearchCursor searchResults = search(ld, auditRoot, SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE);
long sequence = 0;
while (searchResults.next()) {
auditList.add(getAuthzEntityFromLdapEntry(searchResults.getEntry(), sequence++));
}
} catch (LdapException e) {
String error = "LdapException in AuditDAO.getAllAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e);
} catch (CursorException e) {
String error = "CursorException in AuditDAO.getAllAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e);
} finally {
closeLogConnection(ld);
}
return auditList;
}
use of org.apache.directory.ldap.client.api.LdapConnection in project directory-fortress-core by apache.
the class AuditDAO method searchInvalidAuthNs.
/**
* This method returns failed authentications where the userid is not present in the directory. This
* is possible because Fortress performs read on user before the bind.
* User:
* dn: reqStart=20101014235402.000000Z, cn=log
* reqStart: 20101014235402.000000Z
* reqEnd: 20101014235402.000001Z
* reqAuthzID: cn=Manager,dc=jts,dc=com
* reqDerefAliases: never
* reqSession: 84
* reqAttrsOnly: FALSE
* reqSizeLimit: -1
* objectClass: auditSearch
* reqResult: 32
* reqAttr: ftId
* reqAttr: uid
* reqAttr: userpassword
* reqAttr: description
* reqAttr: ou
* reqAttr: cn
* reqAttr: sn
* reqAttr: ftRoleCstr
* reqAttr: ftCstr
* reqAttr: ftRoleAsgn
* reqAttr: pwdReset
* reqAttr: pwdAccountLockedTime
* reqAttr: ftProps
* reqEntries: 0
* reqFilter: (|(objectClass=*)(?objectClass=ldapSubentry))
* reqType: search
* reqDN: uid=foo,ou=People,dc=jts,dc=com /cal/cal2.jsp
* reqTimeLimit: -1
* reqScope: base
*
* @param audit
* @return
* @throws org.apache.directory.fortress.core.FinderException
*/
List<AuthZ> searchInvalidAuthNs(UserAudit audit) throws FinderException {
List<AuthZ> auditList = new ArrayList<>();
LdapConnection ld = null;
String auditRoot = Config.getInstance().getProperty(AUDIT_ROOT);
String userRoot = Config.getInstance().getProperty(GlobalIds.USER_ROOT);
try {
// use wildcard for user if not passed in:
// reqDN: uid=foo,ou=People,dc=jts,dc=com
// (&
// (objectclass=auditSearch)
// (reqDN=uid=*,ou=People,dc=jts,dc=com)
// (reqAuthzID=cn=Manager,dc=jts,dc=com)
// (reqEntries=0)
// )
String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(";
String userId;
if (StringUtils.isNotEmpty(audit.getUserId())) {
userId = audit.getUserId();
filter += REQDN + "=" + SchemaConstants.UID_AT + "=" + userId + "," + userRoot + ")(" + REQUAUTHZID + "=" + "cn=Manager," + Config.getInstance().getProperty(GlobalIds.SUFFIX) + ")";
} else {
// pull back all failed authN attempts for all users:
filter += REQATTR + "=" + SchemaConstants.UID_AT + ")(" + REQUAUTHZID + "=" + "cn=Manager," + Config.getInstance().getProperty(GlobalIds.SUFFIX) + ")";
}
if (audit.isFailedOnly()) {
filter += "(" + REQENTRIES + "=" + 0 + ")";
}
if (audit.getBeginDate() != null) {
String szTime = TUtil.encodeGeneralizedTime(audit.getBeginDate());
filter += "(" + REQEND + ">=" + szTime + ")";
}
filter += ")";
// log.warn("filter=" + filter);
ld = getLogConnection();
SearchCursor searchResults = search(ld, auditRoot, SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE);
long sequence = 0;
while (searchResults.next()) {
AuthZ authZ = getAuthzEntityFromLdapEntry(searchResults.getEntry(), sequence++);
// Work around is to remove the ou=People failed searches from user failed searches on authN.
if (!AuditUtil.getAuthZId(authZ.getReqDN()).equalsIgnoreCase("People")) {
auditList.add(authZ);
}
}
} catch (LdapException e) {
String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHN_INVALID_FAILED, error, e);
} catch (CursorException e) {
String error = "CursorException in AuditDAO.searchAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHN_INVALID_FAILED, error, e);
} finally {
closeLogConnection(ld);
}
return auditList;
}
Aggregations