
Example 1 with LDAPUtilException

use of org.forgerock.openam.ldap.LDAPUtilException in project OpenAM by OpenRock.

the class LDAP method processLoginScreen.

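/**
 * Translates the outcome of the LDAP bind ({@code newState}) into the next screen of this module
 * and prepares that screen.
 *
 * <p>Side effects on module state: {@code currentState} (the screen {@code process} returns),
 * {@code validatedUserID} on success, {@code isReset} for the reset states, and the failure id for
 * expired or locked accounts. Every screen that re-uses the PASSWORD_CHANGE callbacks forces them
 * to be re-read ({@code setForceCallbacksRead(true)} + {@code forceCallbacksInit()}) so that a fresh
 * screen is rendered even when the chain was driven from shared state.
 *
 * @param newState state reported by {@code ldapUtil.getState()} after the bind attempt
 * @throws AuthLoginException for SERVER_DOWN, USER_NOT_FOUND and any LDAPUtilException raised while
 *         preparing a screen - unless the credentials came from shared state and "use first pass" is
 *         not enforced, in which case the module silently restarts at LOGIN_START
 */
private void processLoginScreen(ModuleState newState) throws AuthLoginException {
    try {
        switch(newState) {
            case SUCCESS:
                validatedUserID = ldapUtil.getUserId();
                createProfile();
                currentState = ISAuthConstants.LOGIN_SUCCEED;
                setForceCallbacksRead(false);
                break;
            case PASSWORD_EXPIRING:
                {
                    // The bind succeeded; this is a warning screen carrying the expiry time.
                    String fmtMsg = bundle.getString("PasswordExp");
                    String msg = com.sun.identity.shared.locale.Locale.formatMessage(fmtMsg, ldapUtil.getExpTime());
                    /*
                     * With shared-state credentials the chain "breaks" here because of an
                     * abnormal condition (password expiring), so the callbacks have to be
                     * read fresh for the new screen to appear to the user.
                     */
                    setForceCallbacksRead(true);
                    forceCallbacksInit();
                    replaceHeader(LoginScreen.PASSWORD_CHANGE.intValue(), msg);
                }
                currentState = LoginScreen.PASSWORD_CHANGE.intValue();
                break;
            case PASSWORD_RESET_STATE:
            case CHANGE_AFTER_RESET:
                // isReset makes "cancel" on the change screen restart the login instead of
                // succeeding (see process): a reset password must be changed before use.
                isReset = true;
                String resetMsg = bundle.getString("PasswordReset");
                /*
                 * Same as above: force the PASSWORD_CHANGE callbacks to be re-read so the
                 * reset screen is shown even when credentials came from shared state.
                 */
                setForceCallbacksRead(true);
                forceCallbacksInit();
                replaceHeader(LoginScreen.PASSWORD_CHANGE.intValue(), resetMsg);
                currentState = LoginScreen.PASSWORD_CHANGE.intValue();
                break;
            case PASSWORD_EXPIRED_STATE:
                // Record the resolved user id as the failing principal (presumably for the
                // framework's failure accounting) before showing the terminal screen.
                setFailureID(ldapUtil.getUserId(userName));
                currentState = LoginScreen.PASSWORD_EXPIRED_SCREEN.intValue();
                break;
            case ACCOUNT_LOCKED:
                setFailureID(ldapUtil.getUserId(userName));
                currentState = LoginScreen.ACCOUNT_LOCKED.intValue();
                break;
            case GRACE_LOGINS:
                {
                    String fmtMsg = bundle.getString("GraceLogins");
                    String msg = com.sun.identity.shared.locale.Locale.formatMessage(fmtMsg, ldapUtil.getGraceLogins());
                    setForceCallbacksRead(true);
                    forceCallbacksInit();
                    if (ldapUtil.getGraceLogins() == 1) {
                        // Last grace login: keep only the first button (index 0 = Submit, see
                        // process) so the user cannot dismiss the screen without changing
                        // the password.
                        Callback[] callback = getCallback(LoginScreen.PASSWORD_CHANGE.intValue());
                        for (int i = 0; i < callback.length; i++) {
                            Callback cbk = callback[i];
                            if (cbk instanceof ConfirmationCallback) {
                                ConfirmationCallback confirm = (ConfirmationCallback) cbk;
                                String[] options = confirm.getOptions();
                                String[] newOptions = new String[1];
                                System.arraycopy(options, 0, newOptions, 0, 1);
                                ConfirmationCallback newConfirm = new ConfirmationCallback(confirm.getMessageType(), newOptions, confirm.getDefaultOption());
                                replaceCallback(LoginScreen.PASSWORD_CHANGE.intValue(), i, newConfirm);
                            }
                        }
                    }
                    replaceHeader(LoginScreen.PASSWORD_CHANGE.intValue(), msg);
                }
                currentState = LoginScreen.PASSWORD_CHANGE.intValue();
                break;
            case TIME_BEFORE_EXPIRATION:
                {
                    String fmtMsg = bundle.getString("TimeBeforeExpiration");
                    String msg = com.sun.identity.shared.locale.Locale.formatMessage(fmtMsg, ldapUtil.getExpTime());
                    setForceCallbacksRead(true);
                    forceCallbacksInit();
                    replaceHeader(LoginScreen.PASSWORD_CHANGE.intValue(), msg);
                }
                currentState = LoginScreen.PASSWORD_CHANGE.intValue();
                // FIX: this case used to fall through into USER_NOT_FOUND and throw
                // "noUserMatchFound" right after preparing the change-password screen, so the
                // warning surfaced to the user as a generic "LDAPex" error (and was logged as
                // "Unknown Login State"). Whether LDAPAuthUtils ever reports this state is not
                // visible here, but the prepared screen must be returned when it does.
                break;
            case USER_NOT_FOUND:
                throw new LDAPUtilException("noUserMatchFound", (Object[]) null);
            case SERVER_DOWN:
                throw new AuthLoginException(AM_AUTH, "LDAPex", null);
            default:
                break;
        }
    } catch (LDAPUtilException ex) {
        // Credentials taken from shared state that do not work here are not an error when
        // "use first pass" is optional: fall back to prompting the user.
        if (getCredentialsFromSharedState && !isUseFirstPassEnabled()) {
            getCredentialsFromSharedState = false;
            currentState = LoginScreen.LOGIN_START.intValue();
            return;
        }
        // USER_NOT_FOUND is the one expected LDAPUtilException; anything else is a bug.
        if (newState != ModuleState.USER_NOT_FOUND) {
            debug.error("Unknown Login State:", ex);
        }
        throw new AuthLoginException(AM_AUTH, "LDAPex", null, ex);
    }
}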

Example 2 with LDAPUtilException

use of org.forgerock.openam.ldap.LDAPUtilException in project OpenAM by OpenRock.

the class Application method authenticateToLDAP.

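/**
 * Binds {@code userName}/{@code userPassword} against LDAP and returns the resulting
 * {@link ModuleState}.
 *
 * <p>Super-admin users are bound directly against the configuration directory
 * ({@code AuthD.directoryHostName:directoryPort}, configured LDAP base DN) with a fresh
 * {@link LDAPAuthUtils}; on success {@code userTokenId} is set to the admin name. All other users
 * go through the module's LDAP service configuration ({@code initLDAPAttributes}), which is
 * expected to initialise {@code ldapUtil}.
 *
 * <p>Security notes: the password is only ever passed to the bind, never logged. The catch block
 * maps NO_SUCH_OBJECT to "NoUser" and INVALID_CREDENTIALS to "InvalidUP"; if the auth UI renders
 * these two keys differently, a client can tell an unknown user from a wrong password (user
 * enumeration). Mapping both to the same user-visible message is the usual hardening.
 *
 * @param userName     user id or admin id to authenticate
 * @param userPassword plaintext password (String: cannot be zeroed after use)
 * @return the state reported by {@code ldapUtil.getState()} after the bind
 * @throws AuthLoginException "InvalidUP" for a failed admin bind, "basicLDAPex" when the LDAP
 *         service attributes cannot be initialised or for any unexpected LDAP result,
 *         "NoUser" when the entry does not exist; {@link InvalidPasswordException} (a subclass)
 *         for INVALID_CREDENTIALS
 */
private ModuleState authenticateToLDAP(String userName, String userPassword) throws AuthLoginException {
    if (debug.messageEnabled()) {
        debug.message("In authenticateToLDAP with User : " + userName);
    }
    try {
        if (isSuperAdmin(userName)) {
            String baseDN = CollectionHelper.getServerMapAttr(currentConfig, ISAuthConstants.LDAP_BASEDN);
            ldapUtil = new LDAPAuthUtils(Collections.singleton(AuthD.directoryHostName + ":" + AuthD.directoryPort), Collections.<String>emptySet(), ldapSSL, AMResourceBundleCache.getInstance().getResBundle(amAuthApplication, getLoginLocale()), baseDN, debug);
            ldapUtil.authenticateUser(userName, userPassword);
            if (ldapUtil.getState() == ModuleState.SUCCESS) {
                userTokenId = userName;
            } else {
                debug.message("Invalid adminID or admin Password");
                setFailureID(ldapUtil.getUserId(userName));
                throw new AuthLoginException(amAuthApplication, "InvalidUP", null);
            }
        } else {
            if (initLDAPAttributes(ISAuthConstants.LDAP_SERVICE_NAME)) {
                ldapUtil.authenticateUser(userName, userPassword);
            } else {
                // NOTE: the log text is misleading - this branch means the LDAP service
                // attributes could not be initialised, not that the credentials were rejected.
                debug.message("Invalid userID or user Password");
                setFailureID(userName);
                throw new AuthLoginException(amAuthApplication, "basicLDAPex", null);
            }
        }
        return ldapUtil.getState();
    } catch (LDAPUtilException ex) {
        setFailureID(userName);
        if (ResultCode.NO_SUCH_OBJECT.equals(ex.getResultCode())) {
            debug.message("The specified user does not exist.");
            throw new AuthLoginException(amAuthApplication, "NoUser", null, ex);
        } else if (ResultCode.INVALID_CREDENTIALS.equals(ex.getResultCode())) {
            debug.message("Invalid password.");
            // ldapUtil can still be null (or stale) here if the LDAPAuthUtils constructor above
            // threw; fall back to the raw user name rather than NPE inside the error path.
            String failureUserID = (ldapUtil != null) ? ldapUtil.getUserId() : userName;
            throw new InvalidPasswordException(amAuthApplication, "InvalidUP", null, failureUserID, ex);
        } else {
            // Keep the LDAP result as the cause so operators can see why the bind failed.
            throw new AuthLoginException(amAuthApplication, "basicLDAPex", null, ex);
        }
    }
}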

Example 3 with LDAPUtilException

use of org.forgerock.openam.ldap.LDAPUtilException in project OpenAM by OpenRock.

the class AMSDKRepo method authenticate.

/**
 * Authenticates a user or an agent against the AMSDK data store with the supplied callbacks.
 *
 * <p>The name and password are taken from the first {@link NameCallback} / {@link PasswordCallback}
 * found in {@code credentials}. A search-and-bind helper is then created against the AUTH_ADMIN
 * directory instance, bound with the admin DN/password, and tried first under the people container
 * ({@code IdType.USER}) and then under the agent container ({@code IdType.AGENT}); see
 * {@code authenticateIt}. Any LDAP failure inside {@code authenticateIt} is thrown rather than
 * returned, so the agent attempt is only reached when the user attempt returns {@code false}
 * without throwing.
 *
 * <p>Security notes: the user password is copied into a String and the admin password is
 * round-tripped through a String before being passed as {@code char[]}; neither intermediate copy
 * can be zeroed. The debug log prints the user name but never the password.
 *
 * @param credentials callbacks carrying at least a non-empty name and a password
 * @return {@code true} if the bind succeeded as a user or as an agent, {@code false} otherwise
 * @throws IdRepoException  UNABLE_TO_AUTHENTICATE if name or password is missing,
 *                          ERROR_DURING_SEARCH if the LDAP helper cannot be created
 * @throws AuthLoginException propagated from {@code authenticateIt}
 */
public boolean authenticate(Callback[] credentials) throws IdRepoException, AuthLoginException {
    debug.message("AMSDKRepo: authenticate. ");
    String user = null;
    String pwd = null;
    // Pull the name and the password out of whichever callbacks the caller supplied.
    for (Callback cb : credentials) {
        if (cb instanceof NameCallback) {
            user = ((NameCallback) cb).getName();
            if (debug.messageEnabled()) {
                debug.message("LDPv3Repo:authenticate username: " + user);
            }
        } else if (cb instanceof PasswordCallback) {
            char[] chars = ((PasswordCallback) cb).getPassword();
            if (chars != null) {
                pwd = new String(chars);
                debug.message("AMSDKRepo: authenticate passwd XXX.");
            }
        }
    }
    boolean missingCredentials = user == null || user.isEmpty() || pwd == null;
    if (missingCredentials) {
        throw new IdRepoException(IdRepoBundle.BUNDLE_NAME, IdRepoErrorCode.UNABLE_TO_AUTHENTICATE, new Object[] { CLASS_NAME });
    }
    ServerInstance dsConfig = getDsSvrCfg(LDAPUser.Type.AUTH_ADMIN);
    boolean useSsl = dsConfig.getConnectionType() == Server.Type.CONN_SSL;
    String hostPort = dsConfig.getServerName() + ":" + dsConfig.getPort();
    LDAPAuthUtils authUtil;
    try {
        // The base DN is a placeholder: authenticateIt sets it per identity type.
        authUtil = new LDAPAuthUtils(Collections.singleton(hostPort), Collections.<String>emptySet(), useSsl,
                AMResourceBundleCache.getInstance().getResBundle(IdRepoBundle.BUNDLE_NAME, Locale.getDefaultLocale()),
                "BASE_DN", debug);
    } catch (LDAPUtilException e) {
        if (debug.messageEnabled()) {
            debug.message("AMSDKRepo: authenticate LDAPUtilException: " + e.getMessage());
        }
        throw new IdRepoException(IdRepoBundle.BUNDLE_NAME, IdRepoErrorCode.ERROR_DURING_SEARCH, new Object[] { CLASS_NAME, user });
    }
    // Search is performed with the admin identity; the user's own bind happens in authenticateIt.
    authUtil.setAuthDN(AdminUtils.getAdminDN());
    authUtil.setAuthPassword(new String(AdminUtils.getAdminPassword()).toCharArray());
    authUtil.setScope(SearchScope.SINGLE_LEVEL);
    if (authenticateIt(authUtil, IdType.USER, user, pwd)) {
        if (debug.messageEnabled()) {
            debug.message("AMSDKRepo: IdType.USER authenticateIt=true");
        }
        return true;
    }
    if (authenticateIt(authUtil, IdType.AGENT, user, pwd)) {
        if (debug.messageEnabled()) {
            debug.message("AMSDKRepo: IdType.AGENT authenticateIt=true");
        }
        return true;
    }
    return false;
}

Example 4 with LDAPUtilException

use of org.forgerock.openam.ldap.LDAPUtilException in project OpenAM by OpenRock.

the class AMSDKRepo method authenticateIt.

/**
 * Attempts a search-and-bind for {@code username} as the given identity type.
 *
 * <p>For {@code IdType.USER} the search base is the default people container under
 * {@code orgDN} and the naming attribute is the USER naming attribute; for {@code IdType.AGENT}
 * it is {@code ou=<default agent container>,<orgDN>} with the naming attribute of AMObject type
 * {@code 100} (presumably the agent type - confirm against AMObject). Any other type, or a failure
 * to resolve container names, yields {@code false} without contacting LDAP. If {@code username}
 * is a DN only its RDN value is searched for under the container.
 *
 * <p>Security note: NO_SUCH_OBJECT ("NoUser") and INVALID_CREDENTIALS ("InvalidUP") are reported
 * through distinct keys; whether that is distinguishable by the end user depends on the UI/bundle.
 * The INVALID_CREDENTIALS path drops the LDAP exception as cause (kept as in the original).
 *
 * @param ldapAuthUtil helper already bound with the admin credentials (see authenticate)
 * @param type         {@code IdType.USER} or {@code IdType.AGENT}
 * @param username     user id or full DN
 * @param password     plaintext password to bind with
 * @return {@code true} only if the helper reports {@code ModuleState.SUCCESS}
 * @throws AuthLoginException mapped from the LDAP result code: "NoUser", "InvalidUP"
 *         ({@link InvalidPasswordException}), "FConnect" (unwilling to perform / inactive),
 *         "InappAuth", "ExceedRetryLimit", or "LDAPex" for anything else
 * @throws IdRepoException declared for interface compatibility; not thrown here
 */
private boolean authenticateIt(LDAPAuthUtils ldapAuthUtil, IdType type, String username, String password) throws IdRepoException, AuthLoginException {
    String searchBase = null;
    String rdnAttr = null;
    try {
        if (type.equals(IdType.USER)) {
            String containerAttr = AMStoreConnection.getNamingAttribute(AMObject.PEOPLE_CONTAINER);
            searchBase = containerAttr + "=" + getDefaultPeopleContainerName() + "," + orgDN;
            rdnAttr = AMStoreConnection.getNamingAttribute(AMObject.USER);
        } else if (type.equals(IdType.AGENT)) {
            searchBase = "ou=" + getDefaultAgentContainerName() + "," + orgDN;
            rdnAttr = AMStoreConnection.getNamingAttribute(100);
        } else {
            return false;
        }
    } catch (AMException ame) {
        if (debug.messageEnabled()) {
            debug.message("AMSDKRepo: authenticateItAMException : " + ame.getMessage());
            debug.message("   type=" + type + "; username=" + username);
        }
        return false;
    }
    try {
        ldapAuthUtil.setUserNamingAttribute(rdnAttr);
        Set<String> searchAttrs = new HashSet<String>();
        searchAttrs.add(rdnAttr);
        ldapAuthUtil.setUserSearchAttribute(searchAttrs);
        ldapAuthUtil.setBase(searchBase);
        // The filter must be reset, otherwise a new filter is appended to the previous one.
        ldapAuthUtil.setFilter("");
        ldapAuthUtil.setUserAttrs(new String[] { "dn", rdnAttr });
        String bindId = LDAPUtils.isDN(username) ? LDAPUtils.rdnValueFromDn(username) : username;
        ldapAuthUtil.authenticateUser(bindId, password);
    } catch (LDAPUtilException e) {
        ResultCode rc = e.getResultCode();
        if (ResultCode.NO_SUCH_OBJECT.equals(rc)) {
            if (debug.messageEnabled()) {
                debug.message("AMSDKRepo:authenticateIt. The specified user does not exist. username=" + username);
            }
            throw new AuthLoginException(amAuthLDAP, "NoUser", null);
        }
        if (ResultCode.INVALID_CREDENTIALS.equals(rc)) {
            if (debug.messageEnabled()) {
                debug.message("AMSDKRepo:authenticateIt. Invalid password. username=" + username);
            }
            String failureUserID = ldapAuthUtil.getUserId();
            throw new InvalidPasswordException(amAuthLDAP, "InvalidUP", null, failureUserID, null);
        }
        if (ResultCode.UNWILLING_TO_PERFORM.equals(rc)) {
            if (debug.messageEnabled()) {
                debug.message("AMSDKRepo:authenticateIt. Unwilling to perform. Account inactivated. username" + username);
            }
            throw new AuthLoginException(amAuthLDAP, "FConnect", null);
        }
        if (ResultCode.INAPPROPRIATE_AUTHENTICATION.equals(rc)) {
            if (debug.messageEnabled()) {
                debug.message("AMSDKRepo:authenticateIt. Inappropriate authentication. username=" + username);
            }
            throw new AuthLoginException(amAuthLDAP, "InappAuth", null);
        }
        if (ResultCode.CONSTRAINT_VIOLATION.equals(rc)) {
            if (debug.messageEnabled()) {
                debug.message("AMSDKRepo:authenticateIt. Exceed password retry limit. username" + username);
            }
            throw new AuthLoginException(amAuthLDAP, "ExceedRetryLimit", null);
        }
        if (debug.messageEnabled()) {
            debug.message("AMSDKRepo:authenticateIt. default exception. username=" + username);
        }
        throw new AuthLoginException(amAuthLDAP, "LDAPex", null);
    }
    return ldapAuthUtil.getState() == ModuleState.SUCCESS;
}

Example 5 with LDAPUtilException

use of org.forgerock.openam.ldap.LDAPUtilException in project OpenAM by OpenRock.

the class LDAP method process.

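/**
 * State-machine entry point of the LDAP auth module, called by the auth framework once per screen.
 *
 * <p>Screens ({@link LoginScreen}):
 * <ul>
 *   <li>{@code LOGIN_START}: take user name and password from the callbacks - or from shared state
 *       when a previous module in the chain already collected them and no callbacks are passed -
 *       bind against LDAP and hand the resulting {@link ModuleState} to {@code processLoginScreen}.
 *       If the bind succeeded but the password fails the module's own validator, the change-password
 *       screen is shown with {@code isReset} set.</li>
 *   <li>{@code PASSWORD_CHANGE}: button index 0 submits old/new/confirm passwords; any other
 *       button dismisses the screen, which restarts the login when {@code isReset} is set and
 *       otherwise ends in {@code LOGIN_SUCCEED} (the earlier bind already succeeded; the screen was
 *       a warning such as an expiring password).</li>
 * </ul>
 *
 * <p>Security notes: the plaintext password is kept as a String and stored into shared state
 * ({@code storeUsernamePasswd}) on both success and failure, for later modules in the chain; it is
 * never written to the debug log. NO_SUCH_OBJECT and INVALID_CREDENTIALS are reported under the
 * distinct keys "NoUser" and "InvalidUP"; if the UI renders them differently, a client can
 * enumerate valid user names. The user name is run through {@code validateUserName} before the
 * bind (presumably the configured character whitelist - confirm).
 *
 * @param callbacks callbacks of the current screen; {@code null}/empty at {@code LOGIN_START}
 *                  means "use shared state"
 * @param state     the screen the framework is on; stored in {@code currentState}
 * @return the next screen, or {@code ISAuthConstants.LOGIN_SUCCEED}
 * @throws AuthLoginException for malformed callbacks, LDAP errors, unknown users, invalid or
 *         inappropriate credentials, exceeded retry limits, and names/passwords rejected by the
 *         configured validators
 */
public int process(Callback[] callbacks, int state) throws AuthLoginException {
    currentState = state;
    ModuleState newState;
    LoginScreen loginScreen = LoginScreen.get(state);
    try {
        if (loginScreen.equals(LoginScreen.LOGIN_START)) {
            if (callbacks == null || callbacks.length == 0) {
                // No callbacks: a previous module in the chain shared the credentials.
                userName = (String) sharedState.get(getUserKey());
                userPassword = (String) sharedState.get(getPwdKey());
                if (userName == null || userPassword == null) {
                    return LoginScreen.LOGIN_START.intValue();
                }
                getCredentialsFromSharedState = true;
            } else {
                // Screen layout is fixed by the module's callback XML: [0] NameCallback,
                // [1] PasswordCallback. A truncated submission used to surface as an
                // ArrayIndexOutOfBoundsException; fail it as a login error instead.
                if (callbacks.length < 2) {
                    throw new AuthLoginException(AM_AUTH, "LDAPex", null);
                }
                userName = ((NameCallback) callbacks[0]).getName();
                // charToString presumably also clears the callback's char[] - confirm.
                userPassword = charToString(((PasswordCallback) callbacks[1]).getPassword(), callbacks[1]);
            }
            if (userPassword == null || userPassword.length() == 0) {
                if (debug.messageEnabled()) {
                    debug.message("LDAP.process: Password is null/empty");
                }
                // Refuse before the bind: an empty password sent as a simple bind may be treated
                // as an unauthenticated bind by directories that allow it.
                throw new InvalidPasswordException("amAuth", "invalidPasswd", null);
            }
            // Store user name and password in both the success and the failure case.
            storeUsernamePasswd(userName, userPassword);
            if (initializeLDAP()) {
                // Validate the user name before it reaches the LDAP search.
                validateUserName(userName, regEx);
                ldapUtil.authenticateUser(userName, userPassword);
                newState = ldapUtil.getState();
            } else {
                newState = ModuleState.SERVER_DOWN;
            }
            boolean passwordValidationSuccessFlag = true;
            // The credentials were accepted by LDAP; now apply the module's own password policy.
            if (newState == ModuleState.SUCCESS) {
                try {
                    validatePassword(userPassword);
                } catch (UserNamePasswordValidationException upve) {
                    if (debug.messageEnabled()) {
                        debug.message("Password does not satisfy " + "password policy rules specified" + " in OpenAM");
                    }
                    // Treated like a reset: "cancel" on the change screen restarts the login.
                    isReset = true;
                    String invalidMsg = bundle.getString("PasswordInvalid");
                    replaceHeader(LoginScreen.PASSWORD_CHANGE.intValue(), invalidMsg);
                    currentState = LoginScreen.PASSWORD_CHANGE.intValue();
                    passwordValidationSuccessFlag = false;
                }
            }
            if (passwordValidationSuccessFlag) {
                processLoginScreen(newState);
            }
            return currentState;
        } else if (loginScreen.equals(LoginScreen.PASSWORD_CHANGE)) {
            if (debug.messageEnabled()) {
                debug.message("you are in Password Screen:" + currentState);
            }
            // Layout: [0] old, [1] new, [2] confirm PasswordCallback, [3] ConfirmationCallback.
            if (callbacks == null || callbacks.length < 4) {
                throw new AuthLoginException(AM_AUTH, "LDAPex", null);
            }
            // callbacks[3] is the button the user selected; index 0 is the Submit button.
            int pwdAction = ((ConfirmationCallback) callbacks[3]).getSelectedIndex();
            if (pwdAction == 0) {
                String oldPassword = charToString(((PasswordCallback) callbacks[0]).getPassword(), callbacks[0]);
                String newPassword = charToString(((PasswordCallback) callbacks[1]).getPassword(), callbacks[1]);
                String confirmPassword = charToString(((PasswordCallback) callbacks[2]).getPassword(), callbacks[2]);
                try {
                    validatePassword(newPassword);
                    // Enforce the configured minimum password length before talking to LDAP.
                    int newPasswordLength = 0;
                    if (newPassword != null) {
                        newPasswordLength = newPassword.length();
                    }
                    if (newPasswordLength < requiredPasswordLength) {
                        if (debug.messageEnabled()) {
                            debug.message("LDAP.process: new password less" + " than the minimal length of " + requiredPasswordLength);
                        }
                        newState = ModuleState.PASSWORD_MIN_CHARACTERS;
                        getLoginState("LDAP").logFailed(newState.name(), "CHANGE_USER_PASSWORD_FAILED", false, null);
                    } else {
                        ldapUtil.changePassword(oldPassword, newPassword, confirmPassword);
                        newState = ldapUtil.getState();
                        if (newState == ModuleState.PASSWORD_UPDATED_SUCCESSFULLY) {
                            getLoginState("LDAP").logSuccess("changePasswdSucceeded", "CHANGE_USER_PASSWORD_SUCCEEDED");
                        } else {
                            getLoginState("LDAP").logFailed(newState.name(), "CHANGE_USER_PASSWORD_FAILED", false, null);
                        }
                    }
                    processPasswordScreen(newState);
                    if (debug.messageEnabled()) {
                        debug.message("Password change state :" + newState);
                    }
                } catch (UserNamePasswordValidationException upve) {
                    if (debug.messageEnabled()) {
                        debug.message("Password could not be validated, " + "need a different password");
                    }
                    String invalidMsg = bundle.getString("NewPasswordInvalid");
                    replaceHeader(LoginScreen.PASSWORD_CHANGE.intValue(), invalidMsg);
                    currentState = LoginScreen.PASSWORD_CHANGE.intValue();
                }
                return currentState;
            } else {
                // Screen dismissed. After a reset the password must be changed, so start over;
                // otherwise the bind at LOGIN_START already succeeded and the login completes.
                if (isReset) {
                    isReset = false;
                    return LoginScreen.LOGIN_START.intValue();
                }
                validatedUserID = ldapUtil.getUserId();
                return ISAuthConstants.LOGIN_SUCCEED;
            }
        } else {
            // Unknown screen; ldapUtil may not have been initialised yet.
            setFailureID((ldapUtil != null) ? ldapUtil.getUserId(userName) : userName);
            throw new AuthLoginException(AM_AUTH, "LDAPex", null);
        }
    } catch (LDAPUtilException ex) {
        // Shared-state credentials that fail here are not an error unless "use first pass" is
        // enforced: fall back to prompting the user.
        if (getCredentialsFromSharedState && !isUseFirstPassEnabled()) {
            getCredentialsFromSharedState = false;
            return LoginScreen.LOGIN_START.intValue();
        }
        setFailureID((ldapUtil != null) ? ldapUtil.getUserId(userName) : userName);
        // Null-safe comparisons (constant first), consistent with the other LDAPUtilException
        // handlers in this code base; a result-less exception previously NPE'd here.
        ResultCode resultCode = ex.getResultCode();
        if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
            if (debug.messageEnabled()) {
                debug.message("The specified user does not exist.");
            }
            throw new AuthLoginException(AM_AUTH, "NoUser", null);
        } else if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
            if (debug.messageEnabled()) {
                debug.message("Invalid password.");
            }
            String failureUserID = (ldapUtil != null) ? ldapUtil.getUserId() : userName;
            throw new InvalidPasswordException(AM_AUTH, "InvalidUP", null, failureUserID, ex);
        } else if (ResultCode.UNWILLING_TO_PERFORM.equals(resultCode)) {
            if (debug.messageEnabled()) {
                debug.message("Unwilling to perform. Account inactivated.");
            }
            currentState = LoginScreen.USER_INACTIVE.intValue();
            return currentState;
        } else if (ResultCode.INAPPROPRIATE_AUTHENTICATION.equals(resultCode)) {
            if (debug.messageEnabled()) {
                debug.message("Inappropriate authentication.");
            }
            throw new AuthLoginException(AM_AUTH, "InappAuth", null);
        } else if (ResultCode.CONSTRAINT_VIOLATION.equals(resultCode)) {
            if (debug.messageEnabled()) {
                debug.message("Exceed password retry limit.");
            }
            throw new AuthLoginException(amAuthLDAP, ISAuthConstants.EXCEED_RETRY_LIMIT, null);
        } else {
            throw new AuthLoginException(AM_AUTH, "LDAPex", null);
        }
    } catch (UserNamePasswordValidationException upve) {
        // Note: Do not set failure Id for this exception
        if (debug.messageEnabled()) {
            debug.message("Invalid Characters detected");
        }
        throw new AuthLoginException(upve);
    }
}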
