use of org.forgerock.opendj.ldap.LDAPUrl in project OpenAM by OpenRock.
the class AMCRLStore method getCRLByLdapURI.
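/**
 * Fetches a CRL from an LDAP server.
 *
 * The URI must be an LDAP URL naming an entry that can be read with an
 * anonymous bind (example: ldap://server:port/uid=ca,o=company.com). The
 * entry has to carry the CRL in the certificaterevocationlist or the
 * certificaterevocationlist;binary attribute; the first value of whichever
 * attribute is present is returned.
 *
 * Transport: an ldaps:// URL is connected with an SSL context built by
 * {@code new SSLContextBuilder().getSSLContext()} (no custom trust manager is
 * configured here, so whatever that builder defaults to applies — confirm
 * against the OpenDJ version in use); a plain ldap:// URL is read in clear
 * text. In both cases the bytes are returned exactly as served and NO
 * signature check is performed here, so the caller must verify the CRL
 * against the issuer certificate before trusting it.
 *
 * NOTE(review): the URI is typically taken from the certificate's CRL
 * distribution point extension, i.e. from the certificate being verified,
 * so the host contacted here is chosen by whoever presented the
 * certificate. Confirm in the caller that this runs only for chains that
 * already validate to a trusted CA.
 *
 * @param uri the LDAP URL of the entry holding the CRL.
 * @return the raw CRL bytes, or {@code null} when the URI does not parse,
 *         the SSL context cannot be created, the search returns nothing or
 *         a referral, the entry has no CRL attribute, or the search fails.
 */
private byte[] getCRLByLdapURI(String uri) {
    if (debug.messageEnabled()) {
        debug.message("AMCRLStore.getCRLByLdapURI: uri = " + uri);
    }
    LDAPUrl url;
    try {
        url = LDAPUrl.valueOf(uri);
    } catch (LocalizedIllegalArgumentException e) {
        debug.error("AMCRLStore.getCRLByLdapURI(): Could not parse uri: {}", uri, e);
        return null;
    }
    debug.message("AMCRLStore.getCRLByLdapURI: url.dn = {}", url.getName());

    // Check ldap over SSL: ldaps:// gets an SSL context, ldap:// is plain text.
    LDAPConnectionFactory factory;
    if (url.isSecure()) {
        try {
            factory = new LDAPConnectionFactory(url.getHost(), url.getPort(),
                    Options.defaultOptions().set(LDAPConnectionFactory.SSL_CONTEXT,
                            new SSLContextBuilder().getSSLContext()));
        } catch (GeneralSecurityException e) {
            debug.error("AMCRLStore.getCRLByLdapURI: Error getting SSL Context", e);
            return null;
        }
    } else {
        // non-ssl
        factory = new LDAPConnectionFactory(url.getHost(), url.getPort());
    }

    byte[] crl = null;
    try (Connection ldc = factory.getConnection()) {
        // The search is derived from the URL itself (base DN, scope, filter, attributes).
        ConnectionEntryReader results = ldc.search(url.asSearchRequest()
                .addControl(TransactionIdControl.newControl(AuditRequestContext.createSubTransactionIdValue())));
        if (!results.hasNext()) {
            debug.error("verifyCertificate - No CRL distribution Point configured");
            return null;
        }
        // Referrals are not followed: chasing them would mean connecting to a
        // host the URL did not name.
        if (results.isReference()) {
            debug.warning("Getting CRL but got LDAP reference: {}", results.readReference());
            return null;
        }
        SearchResultEntry entry = results.readEntry();
        /*
         * Retrieve the certificate revocation list if available; only the
         * first matching entry and the first attribute value are used.
         */
        Attribute crlAttribute = entry.getAttribute(CERTIFICATE_REVOCATION_LIST);
        if (crlAttribute == null) {
            crlAttribute = entry.getAttribute(CERTIFICATE_REVOCATION_LIST_BINARY);
            if (crlAttribute == null) {
                debug.error("verifyCertificate - No CRL distribution Point configured");
                return null;
            }
        }
        crl = crlAttribute.firstValue().toByteArray();
    } catch (Exception e) {
        // Best effort: a failed fetch yields null and the caller decides.
        debug.error("getCRLByLdapURI : Error in getting CRL", e);
    } finally {
        // The original only closed the connection; the factory owns the
        // underlying transport and must be released as well.
        factory.close();
    }
    return crl;
}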
use of org.forgerock.opendj.ldap.LDAPUrl in project OpenAM by OpenRock.
the class Cert method initAuthConfig.
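/**
 * Loads this module's configuration from {@code options} into the
 * amAuthCert_* fields and derives the CRL, OCSP, LDAP and portal-gateway
 * settings from it.
 *
 * Required attributes: when CRL checking is on, the CRL attribute list;
 * when certificate-in-LDAP checking is on, the LDAP attribute; when either
 * is on, the LDAP provider URL and start search DN. The two "check-*"
 * switches themselves must be present: a missing switch is treated as a
 * misconfiguration and fails login rather than silently disabling a
 * revocation/validation check (the original code threw a
 * NullPointerException in that case).
 *
 * @throws AuthLoginException if {@code options} is null or any required
 *         attribute is missing or malformed.
 */
private void initAuthConfig() throws AuthLoginException {
    if (options == null) {
        debug.error("options is null");
        throw new AuthLoginException(amAuthCert, "CERTex", null);
    }
    debug.message("Certificate: getting attributes.");

    // init auth level; an unparsable value is logged and the default kept.
    String authLevel = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-auth-level");
    if (authLevel != null) {
        try {
            setAuthLevel(Integer.parseInt(authLevel));
        } catch (Exception e) {
            // invalid auth level
            debug.error("Invalid auth level " + authLevel, e);
        }
    }

    // will need access control to ldap server; passwd and user name
    // will also need to yank out the user profile based on cn or dn
    // out of "profile server"
    amAuthCert_securityType = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-security-type");
    amAuthCert_principleUser = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-principal-user");
    amAuthCert_principlePasswd = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-principal-passwd");
    amAuthCert_useSSL = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-use-ssl");
    amAuthCert_userProfileMapper = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-user-profile-mapper");
    amAuthCert_altUserProfileMapper = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-user-profile-mapper-other");
    amAuthCert_subjectAltExtMapper = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-user-profile-mapper-ext");

    // Both switches are read up front so a missing one fails closed with a
    // proper AuthLoginException instead of an NPE further down.
    amAuthCert_chkCRL = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-check-crl");
    amAuthCert_chkCertInLDAP = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-check-cert-in-ldap");
    if (amAuthCert_chkCRL == null || amAuthCert_chkCertInLDAP == null) {
        debug.error("Fatal error: iplanet-am-auth-cert-check-crl / iplanet-am-auth-cert-check-cert-in-ldap not configured");
        throw new AuthLoginException(amAuthCert, "CERTex", null);
    }
    boolean checkCrl = amAuthCert_chkCRL.equalsIgnoreCase("true");
    boolean checkCertInLdap = amAuthCert_chkCertInLDAP.equalsIgnoreCase("true");

    if (checkCrl) {
        amAuthCert_chkAttrCRL = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-attr-check-crl");
        if (amAuthCert_chkAttrCRL == null || amAuthCert_chkAttrCRL.equals("")) {
            throw new AuthLoginException(amAuthCert, "noCRLAttr", null);
        }
        amAuthCert_chkAttributesCRL = trimItems(amAuthCert_chkAttrCRL.split(","));
        // Caching and updating default to on; only an explicit "false" turns them off.
        amAuthCert_cacheCRL = CollectionHelper.getMapAttr(options, "openam-am-auth-cert-attr-cache-crl", "true");
        if (amAuthCert_cacheCRL.equalsIgnoreCase("false")) {
            doCRLCaching = false;
        }
        amAuthCert_updateCRL = CollectionHelper.getMapAttr(options, "openam-am-auth-cert-update-crl", "true");
        if (amAuthCert_updateCRL.equalsIgnoreCase("false")) {
            doCRLUpdate = false;
        }
        crlEnabled = true;
    }

    amAuthCert_validateCA = CollectionHelper.getMapAttr(options, "sunAMValidateCACert");
    amAuthCert_uriParamsCRL = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-param-get-crl");

    if (checkCertInLdap) {
        amAuthCert_chkAttrCertInLDAP = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-attr-check-ldap");
        if (amAuthCert_chkAttrCertInLDAP == null || amAuthCert_chkAttrCertInLDAP.equals("")) {
            throw new AuthLoginException(amAuthCert, "noLDAPAttr", null);
        }
    }

    // OCSP: absent attribute means disabled.
    String ocspChk = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-check-ocsp");
    ocspEnabled = (ocspChk != null && ocspChk.equalsIgnoreCase("true"));

    //
    // portal-style gateway cert auth enabled if
    // explicitly specified in cert service template.
    // "none", empty list, or null means disabled;
    // "any" or non-empty list means enabled. also check
    // non-empty list for remote client's addr.
    //
    // NOTE(review): when enabled, the certificate is taken from an HTTP
    // parameter rather than the TLS handshake, so the gateway list is the
    // only thing stopping an arbitrary client from supplying one. Confirm
    // that getClient() is the peer address and not a forwarded header.
    String gwCertAuth = CollectionHelper.getMapAttr(options, "iplanet-am-auth-cert-gw-cert-auth-enabled");
    certParamName = CollectionHelper.getMapAttr(options, "sunAMHttpParamName");
    String client = getLoginState("process").getClient();
    portal_gw_cert_auth_enabled = false;
    if (gwCertAuth == null || gwCertAuth.equals("") || gwCertAuth.equalsIgnoreCase("none")) {
        if (debug.messageEnabled()) {
            debug.message("iplanet-am-auth-cert-gw-cert-auth-enabled = " + gwCertAuth);
        }
    } else if (gwCertAuth.equalsIgnoreCase("any")) {
        portal_gw_cert_auth_enabled = true;
    } else {
        portalGateways = (Set) options.get("iplanet-am-auth-cert-gw-cert-auth-enabled");
        if ((client != null) && (portalGateways.contains(client))) {
            portal_gw_cert_auth_enabled = true;
        } else if (debug.messageEnabled()) {
            debug.message("gateway list does not contain client");
            Iterator clientIter = portalGateways.iterator();
            while (clientIter.hasNext()) {
                String clientStr = (String) clientIter.next();
                debug.message("client list entry = " + clientStr);
            }
        }
    }

    amAuthCert_emailAddrTag = bundle.getString("emailAddrTag");

    // LDAP server: mandatory whenever either LDAP-backed check is on.
    amAuthCert_serverHost = CollectionHelper.getServerMapAttr(options, "iplanet-am-auth-cert-ldap-provider-url");
    if (amAuthCert_serverHost == null && (checkCertInLdap || checkCrl)) {
        debug.error("Fatal error: LDAP Server and Port misconfigured");
        throw new AuthLoginException(amAuthCert, "wrongLDAPServer", null);
    }
    if (amAuthCert_serverHost != null) {
        // set LDAP Parameters: the value is "host:port", parsed via LDAPUrl.
        try {
            LDAPUrl ldapUrl = LDAPUrl.valueOf("ldap://" + amAuthCert_serverHost);
            amAuthCert_serverPort = ldapUrl.getPort();
            amAuthCert_serverHost = ldapUrl.getHost();
        } catch (Exception e) {
            // Keep the cause in the log; the original dropped it entirely.
            debug.error("Fatal error: LDAP Server and Port misconfigured", e);
            throw new AuthLoginException(amAuthCert, "wrongLDAPServer", null);
        }
    }

    amAuthCert_startSearchLoc = CollectionHelper.getServerMapAttr(options, "iplanet-am-auth-cert-start-search-loc");
    if (amAuthCert_startSearchLoc == null && (checkCertInLdap || checkCrl)) {
        debug.error("Fatal error: LDAP Start Search " + "DN is not configured");
        throw new AuthLoginException(amAuthCert, "wrongStartDN", null);
    }
    if (amAuthCert_startSearchLoc != null && !LDAPUtils.isDN(amAuthCert_startSearchLoc)) {
        throw new AuthLoginException(amAuthCert, "wrongStartDN", null);
    }

    // Configuration dump; deliberately omits amAuthCert_principlePasswd.
    if (debug.messageEnabled()) {
        debug.message("\nldapProviderUrl=" + amAuthCert_serverHost
                + "\n\tamAuthCert_serverPort = " + amAuthCert_serverPort
                + "\n\tstartSearchLoc=" + amAuthCert_startSearchLoc
                + "\n\tsecurityType=" + amAuthCert_securityType
                + "\n\tprincipleUser=" + amAuthCert_principleUser
                + "\n\tauthLevel=" + authLevel
                + "\n\tuseSSL=" + amAuthCert_useSSL
                + "\n\tocspEnable=" + ocspEnabled
                + "\n\tuserProfileMapper=" + amAuthCert_userProfileMapper
                + "\n\tsubjectAltExtMapper=" + amAuthCert_subjectAltExtMapper
                + "\n\taltUserProfileMapper=" + amAuthCert_altUserProfileMapper
                + "\n\tchkCRL=" + amAuthCert_chkCRL
                + "\n\tchkAttrCRL=" + amAuthCert_chkAttrCRL
                + "\n\tchkAttributesCRL=" + Arrays.toString(amAuthCert_chkAttributesCRL)
                + "\n\tcacheCRL=" + doCRLCaching
                + "\n\tupdateCRLs=" + doCRLUpdate
                + "\n\tchkCertInLDAP=" + amAuthCert_chkCertInLDAP
                + "\n\tchkAttrCertInLDAP=" + amAuthCert_chkAttrCertInLDAP
                + "\n\temailAddr=" + amAuthCert_emailAddrTag
                + "\n\tgw-cert-auth-enabled=" + portal_gw_cert_auth_enabled
                + "\n\tclient=" + client);
    }
}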
use of org.forgerock.opendj.ldap.LDAPUrl in project OpenAM by OpenRock.
the class GroupResolver method isAssignable.
/**
 * Decides whether the entry {@code id} is assignable to the dynamic group
 * described by the LDAP URL {@code val}.
 *
 * Only the simplest filter shape is recognised: a single
 * {@code (memberof=<dn>)} (outer parentheses optional). The value after
 * {@code =} is converted with guidToDN and compared as a DN with
 * {@code id}, so the comparison is DN-normalised rather than textual.
 * Any other filter — compound filters, other attributes, or no {@code =}
 * at all — yields {@code false}. Note that filter-escaped characters in
 * the value are passed to DN.valueOf as-is (not unescaped), which may
 * cause a mismatch for DNs containing such characters — TODO confirm.
 *
 * @param id  GUID of the candidate entry.
 * @param val LDAP URL of the dynamic group.
 * @return {@code true} when the filter is a plain memberof test naming
 *         the same DN as {@code id}; {@code false} otherwise, including
 *         when the URL or DN fails to parse.
 */
private boolean isAssignable(String id, String val) {
    try {
        String filter = LDAPUrl.valueOf(val).getFilter().toString().trim();
        if (debug.messageEnabled()) {
            debug.message("AssignableDynamicGroup.GroupResolver.isAssignable: filter = <" + filter + ">");
        }
        // Strip one level of enclosing parentheses.
        boolean wrapped = filter.startsWith("(") && filter.endsWith(")");
        if (wrapped) {
            filter = filter.substring(1, filter.length() - 1);
            if (debug.messageEnabled()) {
                debug.message("AssignableDynamicGroup.GroupResolver.isAssignable: adjusted to <" + filter + ">");
            }
        }
        int eqPos = filter.indexOf('=');
        if (eqPos <= 0) {
            return false;
        }
        String attrName = filter.substring(0, eqPos);
        if (debug.messageEnabled()) {
            debug.message("AssignableDynamicGroup.GroupResolver.isAssignable: attrName = <" + attrName + ">");
        }
        if (!attrName.equalsIgnoreCase("memberof")) {
            return false;
        }
        String attrVal = filter.substring(eqPos + 1).trim();
        DN groupDn = DN.valueOf(guidToDN(attrVal));
        if (debug.messageEnabled()) {
            debug.message("AssignableDynamicGroup.GroupResolver.isAssignable: comparing <" + groupDn + "> to <" + id + ">");
        }
        return groupDn.equals(DN.valueOf(guidToDN(id)));
    } catch (LocalizedIllegalArgumentException ex) {
        // Unparsable URL or DN: not assignable. Logged at message level only.
        if (debug.messageEnabled()) {
            debug.message("AssignableDynamicGroup.isAssignable : Exception : " + ex.getMessage());
        }
    }
    return false;
}
use of org.forgerock.opendj.ldap.LDAPUrl in project OpenAM by OpenRock.
the class DynamicGroup method setSearchBase.
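/**
 * Sets the search base used to evaluate this dynamic group, keeping the
 * current filter and scope.
 *
 * Failures from setUrl are logged (with the stack trace) and otherwise
 * swallowed, as before; the group's URL is then left unchanged.
 *
 * @param baseGuid Search base for evaluating members of the group.
 *
 * @supported.api
 */
public void setSearchBase(Guid baseGuid) {
    LDAPUrl url = getUrl();
    SearchScope scope = url.getScope();
    Filter filter = url.getFilter();
    try {
        setUrl(baseGuid, filter, scope);
    } catch (Exception e) {
        // Previously logged under the wrong method name ("setSearchFilter")
        // and without the exception itself.
        debug.error("DynamicGroup.setSearchBase : Exception : " + e.getMessage(), e);
    }
}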
use of org.forgerock.opendj.ldap.LDAPUrl in project OpenAM by OpenRock.
the class DynamicGroup method setSearchScope.
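/**
 * Sets the search scope used to evaluate this dynamic group, keeping the
 * current search base and filter.
 *
 * Failures from setUrl are logged (with the stack trace) and otherwise
 * swallowed, as before; the group's URL is then left unchanged.
 *
 * @param scope Search scope for evaluating members of the group. Use one of
 * the search scope <code>SCOPE_BASE</code>,
 * <code>SCOPE_ONE</code>, or <code>SCOPE_SUB</code>.
 * (What SearchScope.valueOf does with an int outside that set is not
 * checked here — TODO confirm it rejects rather than widens the scope.)
 *
 * @supported.api
 */
public void setSearchScope(int scope) {
    LDAPUrl url = getUrl();
    Guid baseGuid = new Guid(url.getName().toString());
    Filter filter = url.getFilter();
    try {
        setUrl(baseGuid, filter, SearchScope.valueOf(scope));
    } catch (Exception e) {
        // Previously logged under the wrong method name ("setSearchFilter")
        // and without the exception itself.
        debug.error("DynamicGroup.setSearchScope : Exception : " + e.getMessage(), e);
    }
}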