
Example 1 with LdapPasswordPolicyConfiguration

use of org.apereo.cas.authentication.support.LdapPasswordPolicyConfiguration in project cas by apereo.

From the class LdapAuthenticationHandler, method authenticateUsernamePasswordInternal.

/**
 * Authenticates the given username/password credential against LDAP and
 * converts the directory's answer into a handler result.
 *
 * <p>Flow: bind via the configured {@code authenticator}; let the password
 * policy's account state handler (when one is configured) derive user-facing
 * messages from the response; then either build the principal from the returned
 * entry or fail with the most specific login exception available.
 *
 * <p>NOTE(review): the cast of {@code super.getPasswordPolicyConfiguration()}
 * assumes the configured policy is an {@code LdapPasswordPolicyConfiguration};
 * a different subtype would surface as a {@code ClassCastException} — confirm against wiring.
 *
 * @param upc              the credential to authenticate
 * @param originalPassword the pre-transformation password; not used by this implementation
 * @return a handler result for the authenticated principal, carrying any policy messages
 * @throws PreventedException       if the LDAP operation itself fails
 * @throws AccountNotFoundException if the directory could not resolve the user's DN
 * @throws FailedLoginException     for any other unsuccessful bind
 * @throws GeneralSecurityException as propagated by the account state handler
 */
@Override
protected HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential upc, final String originalPassword) throws GeneralSecurityException, PreventedException {
    final AuthenticationResponse ldapResponse = performLdapBind(upc);
    LOGGER.debug("LDAP response: [{}]", ldapResponse);

    final List<MessageDescriptor> policyMessages = derivePasswordPolicyMessages(ldapResponse);

    if (!ldapResponse.getResult()) {
        // Distinguish "no such user" from "bad password" only via the DN resolution code.
        if (AuthenticationResultCode.DN_RESOLUTION_FAILURE == ldapResponse.getAuthenticationResultCode()) {
            LOGGER.warn("DN resolution failed. [{}]", ldapResponse.getMessage());
            throw new AccountNotFoundException(upc.getUsername() + " not found.");
        }
        throw new FailedLoginException("Invalid credentials");
    }

    LOGGER.debug("LDAP response returned a result. Creating the final LDAP principal");
    final Principal principal = createPrincipal(upc.getUsername(), ldapResponse.getLdapEntry());
    return createHandlerResult(upc, principal, policyMessages);
}

/**
 * Performs the LDAP bind for the credential, requesting the pre-configured and
 * additionally requested entry attributes.
 *
 * @param upc the credential to bind with
 * @return the raw ldaptive authentication response
 * @throws PreventedException wrapping any {@code LdapException} from the directory
 */
private AuthenticationResponse performLdapBind(final UsernamePasswordCredential upc) throws PreventedException {
    try {
        LOGGER.debug("Attempting LDAP authentication for [{}]. Authenticator pre-configured attributes are [{}], " + "additional requested attributes for this authentication request are [{}]", upc, authenticator.getReturnAttributes(), authenticatedEntryAttributes);
        final org.ldaptive.Credential bindCredential = new org.ldaptive.Credential(upc.getPassword());
        final AuthenticationRequest bindRequest = new AuthenticationRequest(upc.getUsername(), bindCredential, authenticatedEntryAttributes);
        return authenticator.authenticate(bindRequest);
    } catch (final LdapException e) {
        // Directory-level failures are infrastructure problems, not bad credentials.
        LOGGER.trace(e.getMessage(), e);
        throw new PreventedException("Unexpected LDAP error", e);
    }
}

/**
 * Runs the configured password policy's account state handler against the response.
 *
 * @param ldapResponse the bind response to inspect
 * @return the policy messages, or an empty list when no LDAP password policy is configured
 * @throws GeneralSecurityException as propagated by the account state handler
 */
private List<MessageDescriptor> derivePasswordPolicyMessages(final AuthenticationResponse ldapResponse) throws GeneralSecurityException {
    final LdapPasswordPolicyConfiguration policyConfiguration = (LdapPasswordPolicyConfiguration) super.getPasswordPolicyConfiguration();
    if (policyConfiguration == null) {
        LOGGER.debug("No ldap password policy configuration is defined");
        return Collections.emptyList();
    }
    LOGGER.debug("Applying password policy to [{}]", ldapResponse);
    return policyConfiguration.getAccountStateHandler().handle(ldapResponse, policyConfiguration);
}

Example 2 with LdapPasswordPolicyConfiguration

use of org.apereo.cas.authentication.support.LdapPasswordPolicyConfiguration in project cas by apereo.

From the class LdapAuthenticationConfiguration, method createLdapPasswordPolicyConfiguration.

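/**
 * Builds the LDAP password policy configuration for one LDAP authentication source
 * and registers the matching ldaptive response handlers on the authenticator.
 *
 * <p>Response handlers are installed only when a password-warning window (in days)
 * is configured; otherwise the authenticator receives an empty handler array and
 * directory-specific password policy states are not interpreted (logged at debug
 * level only). An account state handler is always installed: the optional-warning
 * variant when both a warning attribute name and value are configured, the default
 * one otherwise.
 *
 * @param l             LDAP authentication properties for this source
 * @param authenticator the ldaptive authenticator that receives the response handlers
 * @return the populated password policy configuration
 */
private static LdapPasswordPolicyConfiguration createLdapPasswordPolicyConfiguration(final LdapAuthenticationProperties l, final Authenticator authenticator) {
    final LdapPasswordPolicyConfiguration cfg = new LdapPasswordPolicyConfiguration(l.getPasswordPolicy());
    // Insertion-ordered so the handler array handed to ldaptive is deterministic across JVM runs;
    // the default branch registers two handlers whose relative order a plain HashSet would not fix.
    final Set<AuthenticationResponseHandler> handlers = new java.util.LinkedHashSet<>();
    if (cfg.getPasswordWarningNumberOfDays() > 0) {
        LOGGER.debug("Password policy authentication response handler is set to accommodate directory type: [{}]", l.getPasswordPolicy().getType());
        final Period warningPeriod = Period.ofDays(cfg.getPasswordWarningNumberOfDays());
        switch (l.getPasswordPolicy().getType()) {
            case AD:
                handlers.add(new ActiveDirectoryAuthenticationResponseHandler(warningPeriod));
                break;
            case FreeIPA:
                handlers.add(new FreeIPAAuthenticationResponseHandler(warningPeriod, cfg.getLoginFailures()));
                break;
            case EDirectory:
                handlers.add(new EDirectoryAuthenticationResponseHandler(warningPeriod));
                break;
            default:
                // Any other directory type gets the generic (non directory-specific) handlers.
                handlers.add(new PasswordPolicyAuthenticationResponseHandler());
                handlers.add(new PasswordExpirationAuthenticationResponseHandler());
                break;
        }
    } else {
        LOGGER.debug("Password warning number of days is undefined; LDAP authentication may NOT support " + "EDirectory, AD and FreeIPA to handle password policy authentication responses");
    }
    // toArray(new T[0]) already yields AuthenticationResponseHandler[]; the former explicit cast was redundant.
    authenticator.setAuthenticationResponseHandlers(handlers.toArray(new AuthenticationResponseHandler[0]));
    LOGGER.debug("LDAP authentication response handlers configured are: [{}]", handlers);
    if (StringUtils.isNotBlank(l.getPasswordPolicy().getWarningAttributeName()) && StringUtils.isNotBlank(l.getPasswordPolicy().getWarningAttributeValue())) {
        LOGGER.debug("Configuring an warning account state handler for LDAP authentication for warning attribute [{}] and value [{}]", l.getPasswordPolicy().getWarningAttributeName(), l.getPasswordPolicy().getWarningAttributeValue());
        final OptionalWarningAccountStateHandler accountHandler = new OptionalWarningAccountStateHandler();
        accountHandler.setDisplayWarningOnMatch(l.getPasswordPolicy().isDisplayWarningOnMatch());
        accountHandler.setWarnAttributeName(l.getPasswordPolicy().getWarningAttributeName());
        accountHandler.setWarningAttributeValue(l.getPasswordPolicy().getWarningAttributeValue());
        accountHandler.setAttributesToErrorMap(l.getPasswordPolicy().getPolicyAttributes());
        cfg.setAccountStateHandler(accountHandler);
    } else {
        final DefaultAccountStateHandler accountHandler = new DefaultAccountStateHandler();
        accountHandler.setAttributesToErrorMap(l.getPasswordPolicy().getPolicyAttributes());
        cfg.setAccountStateHandler(accountHandler);
        LOGGER.debug("Configuring the default account state handler for LDAP authentication");
    }
    return cfg;
}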
