
Example 1 with LdapConnectionConfig

Use of org.apache.directory.ldap.client.api.LdapConnectionConfig in project graylog2-server by Graylog2: class LdapResource, method testLdapConfiguration.

@POST
@Timed
@RequiresPermissions(RestPermissions.LDAP_EDIT)
@ApiOperation("Test LDAP Configuration")
@Path("/test")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@NoAuditEvent("only used to test LDAP configuration")
public LdapTestConfigResponse testLdapConfiguration(@ApiParam(name = "Configuration to test", required = true) @Valid @NotNull LdapTestConfigRequest request) {
    final LdapConnectionConfig config = new LdapConnectionConfig();
    final URI ldapUri = request.ldapUri();
    config.setLdapHost(ldapUri.getHost());
    config.setLdapPort(ldapUri.getPort());
    // ldaps:// selects LDAP over TLS from the first byte; StartTLS upgrades a plain connection instead.
    config.setUseSsl(ldapUri.getScheme().startsWith("ldaps"));
    config.setUseTls(request.useStartTls());
    if (request.trustAllCertificates()) {
        // Opt-in only: replaces certificate validation with a trust manager that accepts any
        // server certificate, so the connection no longer verifies which server it is talking to.
        config.setTrustManagers(new TrustAllX509TrustManager());
    }
    // Bind as the system (service) user only when both a name and a password were supplied;
    // otherwise no system credentials are set on the config.
    if (!isNullOrEmpty(request.systemUsername()) && !isNullOrEmpty(request.systemPassword())) {
        config.setName(request.systemUsername());
        config.setCredentials(request.systemPassword());
    }
    LdapNetworkConnection connection = null;
    try {
        try {
            connection = ldapConnector.connect(config);
        } catch (LdapException e) {
            return LdapTestConfigResponse.create(false, false, false, Collections.<String, String>emptyMap(), Collections.<String>emptySet(), e.getMessage());
        }
        if (null == connection) {
            return LdapTestConfigResponse.create(false, false, false, Collections.<String, String>emptyMap(), Collections.<String>emptySet(), "Could not connect to LDAP server");
        }
        boolean connected = connection.isConnected();
        boolean systemAuthenticated = connection.isAuthenticated();
        // the web interface allows testing the connection only, in that case we can bail out early.
        if (request.testConnectOnly()) {
            return LdapTestConfigResponse.create(connected, systemAuthenticated, false, Collections.<String, String>emptyMap(), Collections.<String>emptySet());
        }
        String userPrincipalName = null;
        boolean loginAuthenticated = false;
        Map<String, String> entryMap = Collections.emptyMap();
        String exception = null;
        Set<String> groups = Collections.emptySet();
        try {
            final LdapEntry entry = ldapConnector.search(connection, request.searchBase(), request.searchPattern(), "*", request.principal(), request.activeDirectory(), request.groupSearchBase(), request.groupIdAttribute(), request.groupSearchPattern());
            if (entry != null) {
                userPrincipalName = entry.getBindPrincipal();
                entryMap = entry.getAttributes();
                groups = entry.getGroups();
            }
        } catch (CursorException | LdapException e) {
            exception = e.getMessage();
        }
        // userPrincipalName is still null when the search above found no entry; a failure here
        // overwrites any message recorded from a failed search.
        try {
            loginAuthenticated = ldapConnector.authenticate(connection, userPrincipalName, request.password());
        } catch (Exception e) {
            exception = e.getMessage();
        }
        return LdapTestConfigResponse.create(connected, systemAuthenticated, loginAuthenticated, entryMap, groups, exception);
    } finally {
        if (connection != null) {
            try {
                connection.close();
            } catch (IOException e) {
                LOG.warn("Unable to close LDAP connection.", e);
            }
        }
    }
}
Also used: LdapConnectionConfig (org.apache.directory.ldap.client.api.LdapConnectionConfig), LdapEntry (org.graylog2.shared.security.ldap.LdapEntry), LdapNetworkConnection (org.apache.directory.ldap.client.api.LdapNetworkConnection), IOException (java.io.IOException), TrustAllX509TrustManager (org.graylog2.security.TrustAllX509TrustManager), URI (java.net.URI), BadRequestException (javax.ws.rs.BadRequestException), InternalServerErrorException (javax.ws.rs.InternalServerErrorException), CursorException (org.apache.directory.api.ldap.model.cursor.CursorException), ValidationException (org.graylog2.plugin.database.ValidationException), LdapException (org.apache.directory.api.ldap.model.exception.LdapException), Path (javax.ws.rs.Path), RequiresPermissions (org.apache.shiro.authz.annotation.RequiresPermissions), POST (javax.ws.rs.POST), Consumes (javax.ws.rs.Consumes), Produces (javax.ws.rs.Produces), Timed (com.codahale.metrics.annotation.Timed), ApiOperation (io.swagger.annotations.ApiOperation), NoAuditEvent (org.graylog2.audit.jersey.NoAuditEvent)

Example 2 with LdapConnectionConfig

Use of org.apache.directory.ldap.client.api.LdapConnectionConfig in project jackrabbit-oak by apache: class LdapIdentityProvider, method createConnectionConfig.

/**
 * Creates a new connection config based on the config.
 * @return the connection config.
 */
@Nonnull
private LdapConnectionConfig createConnectionConfig() {
    LdapConnectionConfig cc = new LdapConnectionConfig();
    cc.setLdapHost(config.getHostname());
    cc.setLdapPort(config.getPort());
    cc.setUseSsl(config.useSSL());
    cc.setUseTls(config.useTLS());
    // todo: implement better trustmanager/keystore management (via sling/felix)
    if (config.noCertCheck()) {
        // Opt-in only: NoVerificationTrustManager accepts any server certificate, so the
        // TLS connection no longer verifies which server it is talking to.
        cc.setTrustManagers(new NoVerificationTrustManager());
    }
    // Restrict the TLS protocol versions offered; enabledSSLProtocols is set in init().
    if (enabledSSLProtocols != null) {
        cc.setEnabledProtocols(enabledSSLProtocols);
    }
    return cc;
}
Also used: NoVerificationTrustManager (org.apache.directory.ldap.client.api.NoVerificationTrustManager), LdapConnectionConfig (org.apache.directory.ldap.client.api.LdapConnectionConfig), Nonnull (javax.annotation.Nonnull)

Example 3 with LdapConnectionConfig

Use of org.apache.directory.ldap.client.api.LdapConnectionConfig in project jackrabbit-oak by apache: class LdapIdentityProvider, method init.

//------------------------------------------------------------< private >---
/**
 * Initializes the ldap identity provider.
 */
private void init() {
    if (adminConnectionFactory != null) {
        throw new IllegalStateException("Provider already initialized.");
    }
    // make sure the JVM supports the TLSv1.1
    // On a JDK without TLSv1.1 the client is pinned to TLSv1 only; otherwise the protocol list
    // is left at the LdapConnectionConfig default. TLS 1.0 and 1.1 are both deprecated (RFC 8996).
    try {
        enabledSSLProtocols = null;
        SSLContext.getInstance("TLSv1.1");
    } catch (NoSuchAlgorithmException e) {
        log.warn("JDK does not support TLSv1.1. Disabling it.");
        enabledSSLProtocols = new String[] { "TLSv1" };
    }
    // setup admin connection pool
    LdapConnectionConfig cc = createConnectionConfig();
    String bindDN = config.getBindDN();
    if (bindDN != null && !bindDN.isEmpty()) {
        cc.setName(bindDN);
        cc.setCredentials(config.getBindPassword());
    }
    adminConnectionFactory = new ValidatingPoolableLdapConnectionFactory(cc);
    if (config.getAdminPoolConfig().lookupOnValidate()) {
        adminConnectionFactory.setValidator(new LookupLdapConnectionValidator());
    } else {
        adminConnectionFactory.setValidator(new DefaultLdapConnectionValidator());
    }
    if (config.getAdminPoolConfig().getMaxActive() != 0) {
        adminPool = new LdapConnectionPool(adminConnectionFactory);
        adminPool.setTestOnBorrow(true);
        adminPool.setMaxActive(config.getAdminPoolConfig().getMaxActive());
        adminPool.setWhenExhaustedAction(GenericObjectPool.WHEN_EXHAUSTED_BLOCK);
    }
    // setup unbound connection pool. let's create a new version of the config
    cc = createConnectionConfig();
    userConnectionFactory = new PoolableUnboundConnectionFactory(cc);
    if (config.getUserPoolConfig().lookupOnValidate()) {
        userConnectionFactory.setValidator(new UnboundLookupConnectionValidator());
    } else {
        userConnectionFactory.setValidator(new UnboundConnectionValidator());
    }
    if (config.getUserPoolConfig().getMaxActive() != 0) {
        userPool = new UnboundLdapConnectionPool(userConnectionFactory);
        userPool.setTestOnBorrow(true);
        userPool.setMaxActive(config.getUserPoolConfig().getMaxActive());
        userPool.setWhenExhaustedAction(GenericObjectPool.WHEN_EXHAUSTED_BLOCK);
    }
    log.info("LdapIdentityProvider initialized: {}", config);
}
Also used: DefaultLdapConnectionValidator (org.apache.directory.ldap.client.api.DefaultLdapConnectionValidator), ValidatingPoolableLdapConnectionFactory (org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory), LdapConnectionConfig (org.apache.directory.ldap.client.api.LdapConnectionConfig), LookupLdapConnectionValidator (org.apache.directory.ldap.client.api.LookupLdapConnectionValidator), LdapConnectionPool (org.apache.directory.ldap.client.api.LdapConnectionPool), NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)

Example 4 with LdapConnectionConfig

Use of org.apache.directory.ldap.client.api.LdapConnectionConfig in project graylog2-server by Graylog2: class LdapUserAuthenticator, method doGetAuthenticationInfo.

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authtoken) throws AuthenticationException {
    // safe, we only handle this type
    final UsernamePasswordToken token = (UsernamePasswordToken) authtoken;
    final LdapSettings ldapSettings = ldapSettingsService.load();
    if (ldapSettings == null || !ldapSettings.isEnabled()) {
        LOG.trace("LDAP is disabled, skipping");
        return null;
    }
    final LdapConnectionConfig config = new LdapConnectionConfig();
    config.setLdapHost(ldapSettings.getUri().getHost());
    config.setLdapPort(ldapSettings.getUri().getPort());
    config.setUseSsl(ldapSettings.getUri().getScheme().startsWith("ldaps"));
    config.setUseTls(ldapSettings.isUseStartTls());
    if (ldapSettings.isTrustAllCertificates()) {
        // Opt-in only: accepts any server certificate, which removes the server identity check
        // that protects the credentials sent in the binds below.
        config.setTrustManagers(new TrustAllX509TrustManager());
    }
    // Unlike the test endpoint, the system user is set here unconditionally, without an empty-check.
    config.setName(ldapSettings.getSystemUserName());
    config.setCredentials(ldapSettings.getSystemPassword());
    final String principal = (String) token.getPrincipal();
    final char[] tokenPassword = firstNonNull(token.getPassword(), new char[0]);
    final String password = String.valueOf(tokenPassword);
    // do not try to look a token up in LDAP if there is no principal or password
    if (isNullOrEmpty(principal) || isNullOrEmpty(password)) {
        LOG.debug("Principal or password were empty. Not trying to look up a token in LDAP.");
        return null;
    }
    // try-with-resources closes the connection on every exit path; a null result is still checked below.
    try (final LdapNetworkConnection connection = ldapConnector.connect(config)) {
        if (null == connection) {
            LOG.error("Couldn't connect to LDAP directory");
            return null;
        }
        final LdapEntry userEntry = ldapConnector.search(connection, ldapSettings.getSearchBase(), ldapSettings.getSearchPattern(), ldapSettings.getDisplayNameAttribute(), principal, ldapSettings.isActiveDirectory(), ldapSettings.getGroupSearchBase(), ldapSettings.getGroupIdAttribute(), ldapSettings.getGroupSearchPattern());
        if (userEntry == null) {
            LOG.debug("User {} not found in LDAP", principal);
            return null;
        }
        // needs to use the DN of the entry, not the parameter for the lookup filter we used to find the entry!
        final boolean authenticated = ldapConnector.authenticate(connection, userEntry.getDn(), password);
        if (!authenticated) {
            LOG.info("Invalid credentials for user {} (DN {})", principal, userEntry.getDn());
            return null;
        }
        // user found and authenticated, sync the user entry with mongodb
        final User user = syncFromLdapEntry(userEntry, ldapSettings, principal);
        if (user == null) {
            // in case there was an error reading, creating or modifying the user in mongodb, we do not authenticate the user.
            LOG.error("Unable to sync LDAP user {} (DN {})", userEntry.getBindPrincipal(), userEntry.getDn());
            return null;
        }
        // No credentials are stored in the account: the password was already verified by the LDAP bind above.
        return new SimpleAccount(principal, null, "ldap realm");
    } catch (LdapException e) {
        LOG.error("LDAP error", e);
    } catch (CursorException e) {
        LOG.error("Unable to read LDAP entry", e);
    } catch (Exception e) {
        LOG.error("Error during LDAP user account sync. Cannot log in user {}", principal, e);
    }
    // Return null by default to ensure a login failure if anything goes wrong.
    return null;
}
Also used: SimpleAccount (org.apache.shiro.authc.SimpleAccount), User (org.graylog2.plugin.database.users.User), LdapConnectionConfig (org.apache.directory.ldap.client.api.LdapConnectionConfig), LdapEntry (org.graylog2.shared.security.ldap.LdapEntry), LdapNetworkConnection (org.apache.directory.ldap.client.api.LdapNetworkConnection), TrustAllX509TrustManager (org.graylog2.security.TrustAllX509TrustManager), CursorException (org.apache.directory.api.ldap.model.cursor.CursorException), NotFoundException (org.graylog2.database.NotFoundException), AuthenticationException (org.apache.shiro.authc.AuthenticationException), ValidationException (org.graylog2.plugin.database.ValidationException), LdapException (org.apache.directory.api.ldap.model.exception.LdapException), UsernamePasswordToken (org.apache.shiro.authc.UsernamePasswordToken), LdapSettings (org.graylog2.shared.security.ldap.LdapSettings)

Example 5 with LdapConnectionConfig

Use of org.apache.directory.ldap.client.api.LdapConnectionConfig in project graylog2-server by Graylog2: class LdapResource, method readGroups.

@GET
@ApiOperation(value = "Get the available LDAP groups", notes = "")
@RequiresPermissions(RestPermissions.LDAPGROUPS_READ)
@Path("/groups")
@Produces(MediaType.APPLICATION_JSON)
public Set<String> readGroups() {
    final LdapSettings ldapSettings = firstNonNull(ldapSettingsService.load(), ldapSettingsFactory.createEmpty());
    if (!ldapSettings.isEnabled()) {
        throw new BadRequestException("LDAP is disabled.");
    }
    if (isNullOrEmpty(ldapSettings.getGroupSearchBase()) || isNullOrEmpty(ldapSettings.getGroupIdAttribute())) {
        throw new BadRequestException("LDAP group configuration settings are not set.");
    }
    final LdapConnectionConfig config = new LdapConnectionConfig();
    final URI ldapUri = ldapSettings.getUri();
    config.setLdapHost(ldapUri.getHost());
    config.setLdapPort(ldapUri.getPort());
    config.setUseSsl(ldapUri.getScheme().startsWith("ldaps"));
    config.setUseTls(ldapSettings.isUseStartTls());
    if (ldapSettings.isTrustAllCertificates()) {
        // Opt-in only: accepts any server certificate, so the system user's bind credentials
        // are sent without verifying the server's identity.
        config.setTrustManagers(new TrustAllX509TrustManager());
    }
    if (!isNullOrEmpty(ldapSettings.getSystemUserName()) && !isNullOrEmpty(ldapSettings.getSystemPassword())) {
        config.setName(ldapSettings.getSystemUserName());
        config.setCredentials(ldapSettings.getSystemPassword());
    }
    // Unlike doGetAuthenticationInfo, the connection is not null-checked before use here.
    try (LdapNetworkConnection connection = ldapConnector.connect(config)) {
        return ldapConnector.listGroups(connection, ldapSettings.getGroupSearchBase(), ldapSettings.getGroupSearchPattern(), ldapSettings.getGroupIdAttribute());
    } catch (IOException | LdapException e) {
        LOG.error("Unable to retrieve available LDAP groups", e);
        throw new InternalServerErrorException("Unable to retrieve available LDAP groups", e);
    }
}
Also used: LdapConnectionConfig (org.apache.directory.ldap.client.api.LdapConnectionConfig), BadRequestException (javax.ws.rs.BadRequestException), InternalServerErrorException (javax.ws.rs.InternalServerErrorException), LdapNetworkConnection (org.apache.directory.ldap.client.api.LdapNetworkConnection), IOException (java.io.IOException), TrustAllX509TrustManager (org.graylog2.security.TrustAllX509TrustManager), URI (java.net.URI), LdapException (org.apache.directory.api.ldap.model.exception.LdapException), LdapSettings (org.graylog2.shared.security.ldap.LdapSettings), Path (javax.ws.rs.Path), RequiresPermissions (org.apache.shiro.authz.annotation.RequiresPermissions), Produces (javax.ws.rs.Produces), GET (javax.ws.rs.GET), ApiOperation (io.swagger.annotations.ApiOperation)
