Examples with Connection org.forgerock.opendj.ldap.Connection used on opensource projects

Example 76 with Connection

use of org.forgerock.opendj.ldap.Connection in project OpenAM by OpenRock.

the class LDAPGroups method isMemberOfGroup.

/**
     * Find out if a user belongs to a particular group
     * @param groupName the ldap DN of the group
     * @param userDN the ldap DN of the user
     * @return <code>true</code> if the user is member of the group;
     * <code>false</code> otherwise.
     */
private boolean isMemberOfGroup(String groupName, DN userDN, String userRDN, SSOToken token) throws SSOException, PolicyException {
    if (debug.messageEnabled()) {
        debug.message("LDAPGroups.isMemberOfGroup():" + " entering with groupName = " + groupName + ",userDN = " + userDN);
    }
    if ((groupName == null) || (groupName.length() == 0) || (userDN == null)) {
        return false;
    }
    String tokenID = token.getTokenID().toString();
    boolean groupMatch = false;
    SearchResultEntry entry;
    try (Connection conn = connPool.getConnection()) {
        entry = conn.searchSingleEntry(LDAPRequests.newSingleEntrySearchRequest(groupName));
    } catch (Exception e) {
        debug.warning("LDAPGroups: invalid group name {} specified in the policy definition.", groupName);
        return false;
    }
    debug.message("LDAPGroups.isMemberOfGroup(): get {} group attribute", STATIC_GROUP_MEMBER_ATTR);
    Attribute attribute = entry.getAttribute(STATIC_GROUP_MEMBER_ATTR);
    if (attribute != null) {
        for (ByteString memberDNStr : attribute) {
            debug.message("LDAPGroups.isMemberOfGroup(): memberDNStr = ", memberDNStr);
            DN memberDN = DN.valueOf(memberDNStr.toString());
            if (userDN.equals(memberDN)) {
                groupMatch = true;
                break;
            }
        }
    }
    if (!groupMatch) {
        debug.message("LDAPGroups.isMemberOfGroup(): get {} group attribute", STATIC_GROUP_MEMBER_ALT_ATTR);
        attribute = entry.getAttribute(STATIC_GROUP_MEMBER_ALT_ATTR);
        if (attribute != null) {
            for (ByteString memberDNStr : attribute) {
                debug.message("LDAPGroups.isMemberOfGroup(): memberDNStr = ", memberDNStr);
                DN memberDN = DN.valueOf(memberDNStr.toString());
                if (userDN.equals(memberDN)) {
                    groupMatch = true;
                    break;
                }
            }
        }
    }
    if (!groupMatch) {
        attribute = entry.getAttribute(DYNAMIC_GROUP_MEMBER_URL);
        if (attribute != null) {
            for (ByteString memberUrl : attribute) {
                try {
                    LDAPUrl ldapUrl = LDAPUrl.valueOf(memberUrl.toString());
                    Set members = findDynamicGroupMembersByUrl(ldapUrl, userRDN);
                    Iterator iter = members.iterator();
                    while (iter.hasNext()) {
                        String memberDNStr = (String) iter.next();
                        DN memberDN = DN.valueOf(memberDNStr);
                        if (userDN.equals(memberDN)) {
                            groupMatch = true;
                            break;
                        }
                    }
                } catch (LocalizedIllegalArgumentException e) {
                    throw new PolicyException(e);
                }
            }
        }
    }
    debug.message("LDAPGroups.isMemberOfGroup():adding entry {} {} {} {} in subject evaluation cache.", tokenID, ldapServer, groupName, groupMatch);
    SubjectEvaluationCache.addEntry(tokenID, ldapServer, groupName, groupMatch);
    return groupMatch;
}

Example 77 with Connection

use of org.forgerock.opendj.ldap.Connection in project OpenAM by OpenRock.

the class LDAPFilterCondition method searchFilterSatisfied.

/**
     * returns a boolean result indicating if the specified
     * <code>searchFilter</code> is satisfied by 
     * making a directory search using the filter.
     */
private boolean searchFilterSatisfied(String searchFilter) throws SSOException, PolicyException {
    if (debug.messageEnabled()) {
        debug.message("LDAPFilterCondition.searchFilterSatified():" + "entering, searchFitler=" + searchFilter);
    }
    boolean filterSatisfied = false;
    String[] attrs = { userRDNAttrName };
    // search the remote ldap         
    Connection ld = null;
    try (Connection conn = connPool.getConnection()) {
        SearchRequest searchRequest = LDAPRequests.newSearchRequest(baseDN, userSearchScope, searchFilter, attrs);
        ConnectionEntryReader reader = conn.search(searchRequest);
        if (reader.hasNext()) {
            if (reader.isReference()) {
                //Ignore
                reader.readReference();
            } else {
                SearchResultEntry entry = reader.readEntry();
                if (entry != null) {
                    String dn = entry.getName().toString();
                    if (dn != null && dn.length() != 0) {
                        debug.message("LDAPFilterCondition.searchFilterSatified(): dn={}", dn);
                        filterSatisfied = true;
                    }
                }
            }
        }
    } catch (LdapException le) {
        ResultCode resultCode = le.getResult().getResultCode();
        if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
            debug.warning("LDAPFilterCondition.searchFilterSatified(): exceeded the size limit");
        } else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
            debug.warning("LDAPFilterCondition.searchFilterSatified(): exceeded the time limit");
        } else if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
            throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
        } else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
            String[] objs = { baseDN };
            throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_users_base_dn", objs, null);
        }
        String errorMsg = le.getMessage();
        String additionalMsg = le.getResult().getDiagnosticMessage();
        if (additionalMsg != null) {
            throw new PolicyException(errorMsg + ": " + additionalMsg);
        } else {
            throw new PolicyException(errorMsg);
        }
    } catch (SearchResultReferenceIOException e) {
        debug.warning("LDAPFilterCondition.searchFilterSatified()" + ": Partial results have been received, status code 9." + " The message provided by the LDAP server is: \n" + e.getMessage());
    }
    debug.message("LDAPFilterCondition.searchFilterSatified():returning, filterSatisfied={}", filterSatisfied);
    return filterSatisfied;
}

Example 78 with Connection

use of org.forgerock.opendj.ldap.Connection in project OpenAM by OpenRock.

the class LDAPUsers method getValidValues.

/**
     * Returns a list of possible values for the <code>LDAPUsers
     * </code> that satisfy the given <code>pattern</code>.
     *
     * @param token the <code>SSOToken</code> that will be used
     * to determine the possible values
     * @param pattern search pattern that will be used to narrow
     * the list of valid names.
     *
     * @return <code>ValidValues</code> object
     *
     * @exception SSOException if <code>SSOToken</code> is not valid
     * @exception PolicyException if unable to get the list of valid
     * names.
     */
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
    if (!initialized) {
        throw (new PolicyException(ResBundleUtils.rbName, "ldapusers_subject_not_yet_initialized", null, null));
    }
    String searchFilter = getSearchFilter(pattern);
    Set<String> validUserDNs = new HashSet<>();
    int status = ValidValues.SUCCESS;
    try (Connection ld = connPool.getConnection()) {
        ConnectionEntryReader res = search(searchFilter, ld, userRDNAttrName);
        while (res.hasNext()) {
            try {
                if (res.isEntry()) {
                    SearchResultEntry entry = res.readEntry();
                    String name = entry.getName().toString();
                    validUserDNs.add(name);
                    debug.message("LDAPUsers.getValidValues(): found user name={}", name);
                } else {
                    // ignore referrals
                    debug.message("LDAPUsers.getValidValues(): Ignoring reference: {}", res.readReference());
                }
            } catch (LdapException e) {
                ResultCode resultCode = e.getResult().getResultCode();
                if (resultCode.equals(ResultCode.SIZE_LIMIT_EXCEEDED)) {
                    debug.warning("LDAPUsers.getValidValues(): exceeded the size limit");
                    status = ValidValues.SIZE_LIMIT_EXCEEDED;
                } else if (resultCode.equals(ResultCode.TIME_LIMIT_EXCEEDED)) {
                    debug.warning("LDAPUsers.getValidValues(): exceeded the time limit");
                    status = ValidValues.TIME_LIMIT_EXCEEDED;
                } else {
                    throw new PolicyException(e);
                }
            } catch (SearchResultReferenceIOException e) {
            // ignore referrals
            }
        }
    } catch (LdapException e) {
        throw handleResultException(e);
    }
    return new ValidValues(status, validUserDNs);
}

Example 79 with Connection

use of org.forgerock.opendj.ldap.Connection in project OpenAM by OpenRock.

the class DataLayer method changePassword.

/**
     * Changes user password.
     * 
     * @param guid globally unique identifier for the entry.
     * @param attrName password attribute name
     * @param oldPassword old password
     * @param newPassword new password
     * @exception AccessRightsException if insufficient access
     * @exception EntryNotFoundException if the entry is not found.
     * @exception UMSException if failure
     *
     * @supported.api
     */
public void changePassword(Guid guid, String attrName, String oldPassword, String newPassword) throws UMSException {
    Modification modification = new Modification(ModificationType.REPLACE, Attributes.singletonAttribute(attrName, newPassword));
    String id = guid.getDn();
    try {
        DSConfigMgr dsCfg = DSConfigMgr.getDSConfigMgr();
        String hostAndPort = dsCfg.getHostName("default");
        // All connections will use authentication
        SimpleBindRequest bindRequest = LDAPRequests.newSimpleBindRequest(id, oldPassword.toCharArray());
        Options options = Options.defaultOptions().set(AUTHN_BIND_REQUEST, bindRequest);
        try (ConnectionFactory factory = new LDAPConnectionFactory(hostAndPort, 389, options)) {
            Connection ldc = factory.getConnection();
            ldc.modify(LDAPRequests.newModifyRequest(id).addModification(modification));
        } catch (LdapException ldex) {
            if (debug.warningEnabled()) {
                debug.warning("DataLayer.changePassword:", ldex);
            }
            ResultCode errorCode = ldex.getResult().getResultCode();
            if (ResultCode.NO_SUCH_OBJECT.equals(errorCode)) {
                throw new EntryNotFoundException(id, ldex);
            } else if (ResultCode.INSUFFICIENT_ACCESS_RIGHTS.equals(errorCode)) {
                throw new AccessRightsException(id, ldex);
            } else {
                throw new UMSException(id, ldex);
            }
        }
    } catch (LDAPServiceException ex) {
        debug.error("DataLayer.changePassword:", ex);
        throw new UMSException(id, ex);
    }
}

Example 80 with Connection

use of org.forgerock.opendj.ldap.Connection in project OpenAM by OpenRock.

the class DataLayer method readLDAPEntry.

public ConnectionEntryReader readLDAPEntry(Principal principal, SearchRequest request) throws UMSException {
    LdapException ldapEx = null;
    int retry = 0;
    int connRetry = 0;
    while (retry <= replicaRetryNum && connRetry <= connNumRetry) {
        if (debug.messageEnabled()) {
            debug.message("DataLayer.readLDAPEntry: connRetry: " + connRetry);
            debug.message("DataLayer.readLDAPEntry: retry: " + retry);
        }
        try (Connection conn = getConnection(principal)) {
            return conn.search(request);
        } catch (LdapException e) {
            ResultCode errorCode = e.getResult().getResultCode();
            if (ResultCode.NO_SUCH_OBJECT.equals(errorCode)) {
                if (debug.messageEnabled()) {
                    debug.message("Replica: entry not found: " + request.getName().toString() + " retry: " + retry);
                }
                if (retry == replicaRetryNum) {
                    ldapEx = e;
                } else {
                    try {
                        Thread.sleep(replicaRetryInterval);
                    } catch (Exception ex) {
                    }
                }
                retry++;
            } else if (retryErrorCodes.contains("" + errorCode)) {
                if (connRetry == connNumRetry) {
                    ldapEx = e;
                } else {
                    try {
                        Thread.sleep(connRetryInterval);
                    } catch (Exception ex) {
                    }
                }
                connRetry++;
            } else {
                throw new UMSException(e.getMessage(), e);
            }
        }
    }
    throw new UMSException(ldapEx.getMessage(), ldapEx);
}