use of org.apache.directory.ldap.client.api.LdapNetworkConnection in project midpoint by Evolveum.
the class AbstractLdapTest method addLdapGroup.
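/**
 * Adds an LDAP group entry built from the given attributes and returns it.
 * <p>
 * The connection obtained from {@code ldapConnect()} is released in a {@code finally}
 * block, so a failing {@code add} (or a failing entry construction) no longer leaks
 * the connection; the previous version only disconnected on the success path.
 *
 * @param cn          common name of the group
 * @param description value of the description attribute
 * @param memberDns   DNs of the group members (may be empty)
 * @return the entry that was sent to the directory
 * @throws LdapException   if the directory rejects the add operation
 * @throws IOException     on connection or transport failure
 * @throws CursorException as declared by the LDAP helpers this method calls
 */
protected Entry addLdapGroup(String cn, String description, String... memberDns) throws LdapException, IOException, CursorException {
    LdapNetworkConnection connection = ldapConnect();
    try {
        Entry entry = createGroupEntry(cn, description, memberDns);
        LOGGER.trace("Adding LDAP entry:\n{}", entry);
        connection.add(entry);
        display("Added LDAP group:" + entry);
        return entry;
    } finally {
        // Release the connection on failure too, so a rejected add does not leak the socket.
        ldapDisconnect(connection);
    }
}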
use of org.apache.directory.ldap.client.api.LdapNetworkConnection in project midpoint by Evolveum.
the class AbstractLdapTest method assertLdapPassword.
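/**
 * Asserts that {@code password} is valid for {@code entry} by binding to the directory as that entry.
 * <p>
 * A successful, authenticated bind is the proof; both connection state flags are checked. The
 * connection is released in a {@code finally} block so a failed assertion (wrong password) no
 * longer leaks it; the previous version only disconnected when both assertions passed.
 *
 * @param config   connection parameters to use for the bind
 * @param entry    the entry whose DN is used as the bind DN
 * @param password the password to verify
 * @throws LdapException   if the bind fails at the protocol level
 * @throws IOException     on connection or transport failure
 * @throws CursorException as declared by the LDAP helpers this method calls
 */
protected void assertLdapPassword(UserLdapConnectionConfig config, Entry entry, String password) throws LdapException, IOException, CursorException {
    // Bind as the entry itself: only an authenticated bind proves the password.
    LdapNetworkConnection conn = ldapConnect(config, entry.getDn().toString(), password);
    try {
        assertTrue("Not connected", conn.isConnected());
        assertTrue("Not authenticated", conn.isAuthenticated());
    } finally {
        // Disconnect even when an assertion fails so a wrong password does not leak the connection.
        ldapDisconnect(conn);
    }
}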
use of org.apache.directory.ldap.client.api.LdapNetworkConnection in project graylog2-server by Graylog2.
the class LdapUserAuthenticator method doGetAuthenticationInfo.
/**
 * Authenticates a username/password token against the configured LDAP directory.
 * <p>
 * Flow: load the settings (bail out if LDAP is disabled), connect and bind with the system
 * account, look the user up via the configured search pattern, then bind as the found entry's
 * DN with the supplied password. On success the entry is synced into the local user store and a
 * {@link SimpleAccount} is returned. Every failure path returns {@code null}, which tells Shiro
 * this realm could not authenticate the token, so the login fails closed.
 *
 * @param authtoken the token to verify; only {@link UsernamePasswordToken} is handled here
 * @return account info for the authenticated principal, or {@code null} on any failure
 * @throws AuthenticationException declared by the realm contract; this implementation logs and
 *                                 returns {@code null} instead of throwing
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authtoken) throws AuthenticationException {
    // safe, we only handle this type
    final UsernamePasswordToken token = (UsernamePasswordToken) authtoken;
    final LdapSettings ldapSettings = ldapSettingsService.load();
    if (ldapSettings == null || !ldapSettings.isEnabled()) {
        LOG.trace("LDAP is disabled, skipping");
        return null;
    }
    final LdapConnectionConfig config = new LdapConnectionConfig();
    config.setLdapHost(ldapSettings.getUri().getHost());
    config.setLdapPort(ldapSettings.getUri().getPort());
    // An ldaps:// URI selects TLS from the first byte; StartTLS is a separate, explicit setting.
    config.setUseSsl(ldapSettings.getUri().getScheme().startsWith("ldaps"));
    config.setUseTls(ldapSettings.isUseStartTls());
    if (ldapSettings.isTrustAllCertificates()) {
        // By its name this trust manager accepts any server certificate: TLS then provides
        // confidentiality only, not server authentication. Operators should treat it as a
        // testing convenience, not a production setting.
        config.setTrustManagers(new TrustAllX509TrustManager());
    }
    // System (service) account used for the user search. Set unconditionally here, so empty
    // values presumably result in an anonymous bind (see LdapConnector#connect) — verify.
    config.setName(ldapSettings.getSystemUserName());
    config.setCredentials(ldapSettings.getSystemPassword());
    final String principal = (String) token.getPrincipal();
    final char[] tokenPassword = firstNonNull(token.getPassword(), new char[0]);
    // NOTE(review): the secret is copied into an immutable String and cannot be zeroed afterwards;
    // passing the char[] through to the connector would allow wiping it once the bind is done.
    final String password = String.valueOf(tokenPassword);
    // do not try to look a token up in LDAP if there is no principal or password
    // This check is security-relevant: many directories treat a bind with an empty password as an
    // unauthenticated (anonymous) bind that "succeeds", which would let an empty password log in.
    if (isNullOrEmpty(principal) || isNullOrEmpty(password)) {
        LOG.debug("Principal or password were empty. Not trying to look up a token in LDAP.");
        return null;
    }
    // try-with-resources closes the connection on every exit path; a null resource is skipped.
    try (final LdapNetworkConnection connection = ldapConnector.connect(config)) {
        if (null == connection) {
            LOG.error("Couldn't connect to LDAP directory");
            return null;
        }
        final LdapEntry userEntry = ldapConnector.search(connection, ldapSettings.getSearchBase(), ldapSettings.getSearchPattern(), ldapSettings.getDisplayNameAttribute(), principal, ldapSettings.isActiveDirectory(), ldapSettings.getGroupSearchBase(), ldapSettings.getGroupIdAttribute(), ldapSettings.getGroupSearchPattern());
        if (userEntry == null) {
            LOG.debug("User {} not found in LDAP", principal);
            return null;
        }
        // needs to use the DN of the entry, not the parameter for the lookup filter we used to find the entry!
        final boolean authenticated = ldapConnector.authenticate(connection, userEntry.getDn(), password);
        if (!authenticated) {
            LOG.info("Invalid credentials for user {} (DN {})", principal, userEntry.getDn());
            return null;
        }
        // user found and authenticated, sync the user entry with mongodb
        final User user = syncFromLdapEntry(userEntry, ldapSettings, principal);
        if (user == null) {
            // in case there was an error reading, creating or modifying the user in mongodb, we do not authenticate the user.
            LOG.error("Unable to sync LDAP user {} (DN {})", userEntry.getBindPrincipal(), userEntry.getDn());
            return null;
        }
        // No credentials are stored in the account (null): the password was verified against LDAP only.
        return new SimpleAccount(principal, null, "ldap realm");
    } catch (LdapException e) {
        LOG.error("LDAP error", e);
    } catch (CursorException e) {
        LOG.error("Unable to read LDAP entry", e);
    } catch (Exception e) {
        // Boundary catch: an unexpected failure (including in the sync) must end in a login failure, never propagate.
        LOG.error("Error during LDAP user account sync. Cannot log in user {}", principal, e);
    }
    // Return null by default to ensure a login failure if anything goes wrong.
    return null;
}
use of org.apache.directory.ldap.client.api.LdapNetworkConnection in project graylog2-server by Graylog2.
the class LdapResource method readGroups.
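/**
 * Lists the group identifiers available in the configured LDAP directory.
 * <p>
 * Binds with the configured system account only when both its user name and password are set;
 * otherwise the connection is opened without credentials (see {@code LdapConnector#connect}).
 * {@code LdapConnector#connect} returns {@code null} when the connect attempt completes without
 * establishing a connection; that case is now reported as a server error with a log entry instead
 * of surfacing as a {@code NullPointerException} from {@code listGroups}.
 *
 * @return the set of group identifiers found under the configured group search base
 * @throws BadRequestException          if LDAP is disabled, or group search base / group id attribute are unset
 * @throws InternalServerErrorException if the directory cannot be reached or the search fails
 */
@GET
@ApiOperation(value = "Get the available LDAP groups", notes = "")
@RequiresPermissions(RestPermissions.LDAPGROUPS_READ)
@Path("/groups")
@Produces(MediaType.APPLICATION_JSON)
public Set<String> readGroups() {
    final LdapSettings ldapSettings = firstNonNull(ldapSettingsService.load(), ldapSettingsFactory.createEmpty());
    if (!ldapSettings.isEnabled()) {
        throw new BadRequestException("LDAP is disabled.");
    }
    if (isNullOrEmpty(ldapSettings.getGroupSearchBase()) || isNullOrEmpty(ldapSettings.getGroupIdAttribute())) {
        throw new BadRequestException("LDAP group configuration settings are not set.");
    }
    final LdapConnectionConfig config = new LdapConnectionConfig();
    final URI ldapUri = ldapSettings.getUri();
    config.setLdapHost(ldapUri.getHost());
    config.setLdapPort(ldapUri.getPort());
    // An ldaps:// URI selects TLS from the first byte; StartTLS is a separate, explicit setting.
    config.setUseSsl(ldapUri.getScheme().startsWith("ldaps"));
    config.setUseTls(ldapSettings.isUseStartTls());
    if (ldapSettings.isTrustAllCertificates()) {
        // Accepts any server certificate: TLS then provides confidentiality only, not server authentication.
        config.setTrustManagers(new TrustAllX509TrustManager());
    }
    if (!isNullOrEmpty(ldapSettings.getSystemUserName()) && !isNullOrEmpty(ldapSettings.getSystemPassword())) {
        config.setName(ldapSettings.getSystemUserName());
        config.setCredentials(ldapSettings.getSystemPassword());
    }
    // try-with-resources closes the connection on every exit path; a null resource is skipped.
    try (LdapNetworkConnection connection = ldapConnector.connect(config)) {
        if (connection == null) {
            // Same guard the authenticating realm applies; without it listGroups would dereference null.
            LOG.error("Couldn't connect to LDAP directory");
            throw new InternalServerErrorException("Unable to retrieve available LDAP groups");
        }
        return ldapConnector.listGroups(connection, ldapSettings.getGroupSearchBase(), ldapSettings.getGroupSearchPattern(), ldapSettings.getGroupIdAttribute());
    } catch (IOException | LdapException e) {
        LOG.error("Unable to retrieve available LDAP groups", e);
        throw new InternalServerErrorException("Unable to retrieve available LDAP groups", e);
    }
}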
use of org.apache.directory.ldap.client.api.LdapNetworkConnection in project graylog2-server by Graylog2.
the class LdapConnector method connect.
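/**
 * Opens a connection to the LDAP server described by {@code config} and binds with its credentials.
 * <p>
 * The connect is run through a {@code SimpleTimeLimiter} so a server that accepts the socket but
 * never completes the handshake cannot block the caller past {@code connectionTimeout}. Two leaks
 * of the previous version are closed here: the single-thread executor backing the limiter is now
 * shut down after the attempt (it was created per call and never shut down), and the
 * {@link LdapNetworkConnection} is closed on every failure path (timeout, connect error, connect
 * returning {@code false}, bind failure) instead of being abandoned with its socket. Note that
 * {@code shutdownNow()} interrupts a connect attempt that is still running after a timeout.
 *
 * @param config host, port, SSL/StartTLS settings and bind credentials; with no credentials set the
 *               bind is anonymous
 * @return a bound connection, or {@code null} if {@code connect()} reported no connection
 * @throws LdapException if the connect times out or fails, or the bind is rejected
 */
public LdapNetworkConnection connect(LdapConnectionConfig config) throws LdapException {
    final LdapNetworkConnection connection = new LdapNetworkConnection(config);
    connection.setTimeOut(connectionTimeout);
    if (LOG.isTraceEnabled()) {
        LOG.trace("Connecting to LDAP server {}:{}, binding with user {}", config.getLdapHost(), config.getLdapPort(), config.getName());
    }
    final ThreadFactory threadFactory = new ThreadFactoryBuilder().setNameFormat("ldap-connector-%d").build();
    // Fully qualified so no new import is needed; the executor lives only for this one attempt.
    final java.util.concurrent.ExecutorService executor = Executors.newSingleThreadExecutor(threadFactory);
    try {
        final SimpleTimeLimiter timeLimiter = new SimpleTimeLimiter(executor);
        @SuppressWarnings("unchecked") final Callable<Boolean> timeLimitedConnection = timeLimiter.newProxy(new Callable<Boolean>() {
            @Override
            public Boolean call() throws Exception {
                return connection.connect();
            }
        }, Callable.class, connectionTimeout, TimeUnit.MILLISECONDS);
        final Boolean connected;
        try {
            connected = timeLimitedConnection.call();
        } catch (UncheckedTimeoutException e) {
            LOG.error("Timed out connecting to LDAP server", e);
            closeAfterFailure(connection);
            throw new LdapException("Could not connect to LDAP server", e.getCause());
        } catch (LdapException e) {
            closeAfterFailure(connection);
            throw e;
        } catch (Exception e) {
            // unhandled different exception, should really not happen here.
            closeAfterFailure(connection);
            throw new LdapException("Unexpected error connecting to LDAP", e);
        }
        if (!connected) {
            closeAfterFailure(connection);
            return null;
        }
    } finally {
        // Always release the limiter's thread; a still-running connect attempt is interrupted.
        executor.shutdownNow();
    }
    try {
        // this will perform an anonymous bind if there were no system credentials
        connection.bind();
    } catch (LdapException e) {
        closeAfterFailure(connection);
        throw e;
    }
    return connection;
}

/**
 * Best-effort close used on the failure paths of {@link #connect(LdapConnectionConfig)}.
 * Close errors are logged at debug level and never allowed to mask the original failure.
 */
private void closeAfterFailure(LdapNetworkConnection connection) {
    try {
        connection.close();
    } catch (Exception e) {
        // Broad catch on purpose: the checked exception type of close() varies between LDAP API versions.
        LOG.debug("Error closing LDAP connection after a failed connect", e);
    }
}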