

use of org.forgerock.opendj.ldap.LDAPUrl in project OpenAM by OpenRock.

From the class DJLDAPv3Repo, method getGroupMembers.

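/**
 * Returns the DNs of the members of this group. If the MemberURL attribute has been configured, then this
 * will also try to retrieve dynamic group members using the memberURL.
 * <p>
 * Static members are taken from the configured unique-member attribute. Only when that attribute is absent
 * from the group entry are the memberURL values consulted: each one is parsed as an LDAP URL and the search
 * it describes (base DN, scope and filter) is run over the repository connection with the configured default
 * size and time limits, collecting the DN of every returned entry.
 *
 * @param dn The DN of the group to query.
 * @return The DNs of the members; never {@code null}, empty when the group has no members.
 * @throws IdRepoException If there is an error while trying to retrieve the members, including a memberURL
 *         value stored in the group entry that cannot be parsed as an LDAP URL.
 */
private Set<String> getGroupMembers(String dn) throws IdRepoException {
    Set<String> results = new HashSet<String>();
    // Only request the memberURL attribute when dynamic groups are configured.
    String[] attrs = memberURLAttr != null
            ? new String[] { uniqueMemberAttr, memberURLAttr }
            : new String[] { uniqueMemberAttr };
    Connection conn = null;
    try {
        conn = connectionFactory.getConnection();
        SearchResultEntry entry = conn.searchSingleEntry(LDAPRequests.newSingleEntrySearchRequest(dn, attrs));
        Attribute attr = entry.getAttribute(uniqueMemberAttr);
        if (attr != null) {
            results.addAll(LDAPUtils.getAttributeValuesAsStringSet(attr));
        } else if (memberURLAttr != null) {
            attr = entry.getAttribute(memberURLAttr);
            if (attr != null) {
                for (ByteString byteString : attr) {
                    results.addAll(resolveMemberUrl(conn, dn, byteString.toString()));
                }
            }
        }
    } catch (LdapException ere) {
        DEBUG.error("An error occurred while retrieving group members for " + dn, ere);
        handleErrorResult(ere);
    } catch (SearchResultReferenceIOException srrioe) {
        //should never ever happen...
        DEBUG.error("Got reference instead of entry", srrioe);
        throw newIdRepoException(IdRepoErrorCode.SEARCH_FAILED, CLASS_NAME);
    } finally {
        IOUtils.closeIfNotNull(conn);
    }
    return results;
}

/**
 * Resolves the members described by a single memberURL value of a dynamic group.
 *
 * @param conn The open repository connection to search over.
 * @param groupDn The DN of the group the URL was read from; used only for logging.
 * @param memberUrl The raw memberURL attribute value.
 * @return The DNs of the entries matched by the URL's search.
 * @throws IdRepoException If the value is not a valid LDAP URL.
 * @throws LdapException If the search fails.
 * @throws SearchResultReferenceIOException If an entry read unexpectedly yields a reference.
 */
private Set<String> resolveMemberUrl(Connection conn, String groupDn, String memberUrl)
        throws IdRepoException, LdapException, SearchResultReferenceIOException {
    LDAPUrl url;
    try {
        url = LDAPUrl.valueOf(memberUrl);
    } catch (IllegalArgumentException iae) {
        // LDAPUrl.valueOf reports a malformed URL with an unchecked exception; surface it through the
        // declared IdRepoException contract instead of letting it escape to callers.
        DEBUG.error("Malformed memberURL value in group " + groupDn + ": " + memberUrl, iae);
        throw newIdRepoException(IdRepoErrorCode.SEARCH_FAILED, CLASS_NAME);
    }
    Set<String> members = new HashSet<String>();
    SearchRequest searchRequest = LDAPRequests.newSearchRequest(url.getName(), url.getScope(), url.getFilter(), DN_ATTR);
    // Bound each dynamic lookup with the repository's configured limits.
    searchRequest.setTimeLimit(defaultTimeLimit);
    searchRequest.setSizeLimit(defaultSizeLimit);
    ConnectionEntryReader reader = conn.search(searchRequest);
    try {
        while (reader.hasNext()) {
            if (reader.isEntry()) {
                members.add(reader.readEntry().getName().toString());
            } else {
                //ignore search result references
                reader.readReference();
            }
        }
    } finally {
        // The reader is Closeable; release it even when the loop exits by exception.
        IOUtils.closeIfNotNull(reader);
    }
    return members;
}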


use of org.forgerock.opendj.ldap.LDAPUrl in project OpenAM by OpenRock.

From the class LDAPGroups, method isMemberOfGroup.

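/**
 * Find out if a user belongs to a particular group.
 * <p>
 * The group entry is read once. The two static member attributes are checked first; only when neither
 * names the user are the dynamic member URL values resolved through {@code findDynamicGroupMembersByUrl}.
 * The outcome is recorded in the subject evaluation cache before being returned.
 *
 * @param groupName the ldap DN of the group
 * @param userDN the ldap DN of the user
 * @param userRDN the RDN of the user, passed through to the dynamic group lookup
 * @param token the session token whose id keys the subject evaluation cache entry
 * @return <code>true</code> if the user is member of the group;
 * <code>false</code> otherwise, including when the group entry cannot be read.
 * @throws PolicyException if a dynamic member URL stored in the group entry is malformed
 */
private boolean isMemberOfGroup(String groupName, DN userDN, String userRDN, SSOToken token) throws SSOException, PolicyException {
    if (debug.messageEnabled()) {
        debug.message("LDAPGroups.isMemberOfGroup():" + " entering with groupName = " + groupName + ",userDN = " + userDN);
    }
    if ((groupName == null) || (groupName.length() == 0) || (userDN == null)) {
        return false;
    }
    String tokenID = token.getTokenID().toString();
    SearchResultEntry entry;
    try (Connection conn = connPool.getConnection()) {
        entry = conn.searchSingleEntry(LDAPRequests.newSingleEntrySearchRequest(groupName));
    } catch (Exception e) {
        // Any failure to read the group entry is treated as "not a member"; keep the cause in the log
        // so a directory outage is distinguishable from a genuinely bad DN in the policy.
        debug.warning("LDAPGroups: invalid group name {} specified in the policy definition.", groupName, e);
        return false;
    }
    debug.message("LDAPGroups.isMemberOfGroup(): get {} group attribute", STATIC_GROUP_MEMBER_ATTR);
    boolean groupMatch = containsMemberDN(entry.getAttribute(STATIC_GROUP_MEMBER_ATTR), userDN);
    if (!groupMatch) {
        debug.message("LDAPGroups.isMemberOfGroup(): get {} group attribute", STATIC_GROUP_MEMBER_ALT_ATTR);
        groupMatch = containsMemberDN(entry.getAttribute(STATIC_GROUP_MEMBER_ALT_ATTR), userDN);
    }
    if (!groupMatch) {
        Attribute urlAttribute = entry.getAttribute(DYNAMIC_GROUP_MEMBER_URL);
        if (urlAttribute != null) {
            for (ByteString memberUrl : urlAttribute) {
                try {
                    LDAPUrl ldapUrl = LDAPUrl.valueOf(memberUrl.toString());
                    Set members = findDynamicGroupMembersByUrl(ldapUrl, userRDN);
                    for (Object member : members) {
                        if (userDN.equals(DN.valueOf((String) member))) {
                            groupMatch = true;
                            break;
                        }
                    }
                } catch (LocalizedIllegalArgumentException e) {
                    throw new PolicyException(e);
                }
                if (groupMatch) {
                    // A match is final; skip resolving the remaining URLs.
                    break;
                }
            }
        }
    }
    debug.message("LDAPGroups.isMemberOfGroup():adding entry {} {} {} {} in subject evaluation cache.", tokenID, ldapServer, groupName, groupMatch);
    SubjectEvaluationCache.addEntry(tokenID, ldapServer, groupName, groupMatch);
    return groupMatch;
}

/**
 * Returns whether any value of a static member attribute parses to a DN equal to the given user DN.
 *
 * @param attribute the member attribute of the group entry; may be {@code null}
 * @param userDN the DN to look for
 * @return {@code true} if one of the attribute values names {@code userDN}
 */
private boolean containsMemberDN(Attribute attribute, DN userDN) {
    if (attribute == null) {
        return false;
    }
    for (ByteString memberValue : attribute) {
        debug.message("LDAPGroups.isMemberOfGroup(): memberDNStr = {}", memberValue);
        if (userDN.equals(DN.valueOf(memberValue.toString()))) {
            return true;
        }
    }
    return false;
}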
