use of org.forgerock.opendj.ldap.RDN in project OpenAM by OpenRock.
the class DelegationResourceNameSplitter method getIndexes.
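/**
 * Computes the search indexes for a delegation resource name.
 *
 * <p>When {@code resource} matches {@code PATTERN}, the DN captured by group 2
 * (or the SMS root suffix when that group is blank) is rebuilt one RDN at a
 * time, starting from the last RDN of the parsed DN (the original code treats
 * that end as the root-most side). Once the rebuilt DN equals the root suffix,
 * the indexes of that DN and of every longer DN built after it are merged and
 * returned. A resource that does not match, whose captured text is not a DN,
 * whose DN equals the root suffix, or whose DN never reaches the root suffix
 * falls back to {@code super.getIndexes(resource, realm)}; the original
 * returned {@code null} in that last case.
 *
 * @param resource the delegation resource name to index
 * @param realm the realm the resource belongs to
 * @return the merged indexes; never {@code null} unless {@code super.getIndexes} returns it
 */
@Override
public ResourceSearchIndexes getIndexes(String resource, String realm) {
    Matcher match = PATTERN.matcher(resource);
    if (!match.matches()) {
        return super.getIndexes(resource, realm);
    }
    String rootSuffix = SMSEntry.getRootSuffix();
    String dn = match.group(2);
    if (dn.trim().length() == 0) {
        dn = rootSuffix;
    }
    String prefix = match.group(1);
    String suffix = match.group(3);
    if (!LDAPUtils.isDN(dn)) {
        return super.getIndexes(resource, realm);
    }
    DN rootDN = DN.valueOf(rootSuffix);
    DN dnObject = DN.valueOf(dn);
    if (rootDN.equals(dnObject)) {
        return super.getIndexes(resource, realm);
    }
    List<RDN> rdns = new ArrayList<>();
    for (RDN rdn : dnObject) {
        rdns.add(rdn);
    }
    ResourceSearchIndexes indexes = null;
    boolean belowRoot = false;
    StringBuilder buff = new StringBuilder();
    // Grow the DN string from its last RDN towards the first; each step yields
    // one more candidate resource whose indexes are merged once the root
    // suffix has been reached.
    for (int i = rdns.size() - 1; i >= 0; --i) {
        if (buff.length() > 0) {
            buff.insert(0, ",");
        }
        buff.insert(0, rdns.get(i).toString());
        String partialDN = buff.toString();
        if (belowRoot) {
            indexes.addAll(super.getIndexes(prefix + partialDN + suffix, realm));
        } else if (rootDN.equals(DN.valueOf(partialDN))) {
            belowRoot = true;
            indexes = super.getIndexes(prefix + partialDN + suffix, realm);
        }
    }
    if (indexes == null) {
        // The DN is not below the root suffix: nothing was collected, so use
        // the base implementation instead of handing callers a null.
        return super.getIndexes(resource, realm);
    }
    return indexes;
}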
use of org.forgerock.opendj.ldap.RDN in project OpenAM by OpenRock.
the class PersistentObject method rename.
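/**
 * Renames the RDN to a new value. Note: The modified or added attribute
 * values are not saved by this call.
 *
 * <p>On success the object's guid is updated to the renamed entry's DN, i.e.
 * the parent of the current DN with {@code newRDN} as its leaf RDN. When the
 * data layer call fails the guid is left untouched, because the entry still
 * has its old DN.
 *
 * @param newRDN
 *            the new RDN value
 * @param deleteOldName
 *            if true old RDN value is deleted, otherwise the old value is
 *            retained.
 *
 * @throws AccessRightsException
 *             if an access rights exception occurs.
 * @throws EntryNotFoundException
 *             if the entry is not found
 * @throws UMSException
 *             on failure to save to persistent storage, or when the
 *             principal or guid of this object is not set
 *
 * @supported.api
 */
public void rename(String newRDN, boolean deleteOldName) throws AccessRightsException, EntryNotFoundException, UMSException {
    String required = null;
    if (m_principal == null) {
        required = "principal";
    } else if (m_guid == null) {
        required = "guid";
    }
    if (required != null) {
        // TODO: This is not an illegal argument case. Should be
        // a more sophisticated exception.
        String[] args = new String[1];
        args[0] = required;
        String msg = i18n.getString(IUMSConstants.NO_REQUIRED, args);
        throw new UMSException(msg);
    }
    DataLayer.getInstance().rename(getPrincipal(), getGuid(), newRDN, deleteOldName);
    // Only reached when the rename succeeded, so the DN really has changed.
    // DN is immutable: child() returns a new DN, and that result has to be
    // kept -- the original discarded it and stored the parent DN as the guid.
    RDN rdn = RDN.valueOf(newRDN);
    DN newDN = DN.valueOf(m_guid.toString()).parent().child(rdn);
    m_guid.setDn(newDN.toString());
}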
use of org.forgerock.opendj.ldap.RDN in project OpenAM by OpenRock.
the class CreateServerConfigXML method canonicalize.
/**
 * Re-assembles the DN string of {@code nSuffix} from its RDNs, passing each
 * RDN's string form through {@code DN.escapeAttributeValue} and joining the
 * results with ",".
 *
 * <p>NOTE(review): the escaping is applied to the whole {@code rdn.toString()}
 * (attribute type, "=" and value), not to a bare attribute value. Whether that
 * double-escapes values that already carry DN escapes depends on the OpenDJ
 * escaping rules -- confirm with a suffix whose value contains a comma.
 *
 * @param nSuffix the suffix DN to canonicalize
 * @return the re-assembled DN string
 */
private String canonicalize(String nSuffix) {
    StringBuilder out = new StringBuilder(1024);
    boolean first = true;
    for (RDN rdn : DN.valueOf(nSuffix)) {
        if (!first) {
            out.append(",");
        }
        out.append(DN.escapeAttributeValue(rdn.toString()));
        first = false;
    }
    return out.toString();
}
use of org.forgerock.opendj.ldap.RDN in project OpenAM by OpenRock.
the class DirectoryServicesImpl method validateAttributeUniqueness.
/**
 * Validate attribute uniqueness
 *
 * <p>Starting from the last RDN of {@code entryDN} and prepending one more
 * RDN per iteration (the code treats the last RDN as the root-most and
 * {@code rdns.get(0)} as the entry's own RDN), every intermediate DN that is
 * not a strict superior of the AM SDK base DN is resolved; when it is an
 * organization or organizational unit, its unique-attribute list is read and
 * the values of those attributes taken from {@code modMap} are searched for
 * beneath it. A match other than {@code entryDN} itself is reported as a
 * violation with message key "162".
 *
 * <p>NOTE(review): the search filter is assembled by string concatenation from
 * the entry RDN and from attribute values in {@code modMap} without LDAP
 * assertion-value escaping (RFC 4515); a value containing {@code *}, {@code (},
 * {@code )} or {@code \} changes the filter's meaning. Escaping the values
 * before they are appended would make the check robust against such input.
 *
 * @param entryDN
 *            DN of the entry being created or modified
 * @param profileType
 *            the AMObject / AMTemplate profile type of the entry
 * @param newEntry
 *            true if create a new user
 * @param modMap
 *            attribute name to value map of the modification; nothing is
 *            checked when it is null or empty
 * @throws AMException
 *             if attribute uniqueness is violated
 */
void validateAttributeUniqueness(String entryDN, int profileType, boolean newEntry, Map modMap) throws AMException {
    boolean attrExists = false;
    if (modMap == null || modMap.isEmpty()) {
        return;
    }
    try {
        if (profileType == AMTemplate.DYNAMIC_TEMPLATE || profileType == AMTemplate.ORGANIZATION_TEMPLATE || profileType == AMTemplate.POLICY_TEMPLATE) {
            // no namespace validation for these objects
            return;
        }
        DN dn = DN.valueOf(entryDN);
        int size = dn.size();
        if (size < 2) {
            return;
        }
        List<RDN> rdns = new ArrayList<>();
        for (Iterator<RDN> iter = dn.iterator(); iter.hasNext(); ) {
            rdns.add(iter.next());
        }
        // orgDN starts as the last RDN alone and is extended towards the entry
        // one RDN per loop iteration (see the assignment at the end of the loop).
        String orgDN = rdns.get(rdns.size() - 1).toString();
        AMStoreConnection amsc = new AMStoreConnection(CommonUtils.getInternalToken());
        DN rootDN = DN.valueOf(AMStoreConnection.getAMSdkBaseDN());
        DN thisDN = DN.valueOf(orgDN);
        for (int i = size - 2; i >= 0; i--) {
            if (debug.messageEnabled()) {
                debug.message("AMObjectImpl.validateAttributeUniqueness: " + "try DN = " + orgDN);
            }
            int type = -1;
            // Levels that are strict superiors of the base DN are skipped: type
            // stays -1 there, so neither branch below selects an object and
            // list remains null for that level.
            if (!rootDN.isInScopeOf(thisDN, SearchScope.SUBORDINATES)) {
                try {
                    type = amsc.getAMObjectType(orgDN);
                } catch (AMException ame) {
                    if (debug.warningEnabled()) {
                        debug.warning("AMObjectImpl." + "validateAttributeUniqueness: " + "Unable to determine object type of " + orgDN + " :Attribute uniqueness check aborted..", ame);
                    }
                    // Best effort: an unresolvable ancestor ends the whole check
                    // without reporting a violation.
                    return;
                }
            }
            Set list = null;
            AMObject amobj = null;
            if (type == AMObject.ORGANIZATION) {
                AMOrganization amorg = amsc.getOrganization(orgDN);
                list = amorg.getAttribute(UNIQUE_ATTRIBUTE_LIST_ATTRIBUTE);
                amobj = amorg;
            } else if (type == AMObject.ORGANIZATIONAL_UNIT) {
                AMOrganizationalUnit amorgu = amsc.getOrganizationalUnit(orgDN);
                list = amorgu.getAttribute(UNIQUE_ATTRIBUTE_LIST_ATTRIBUTE);
                amobj = amorgu;
            }
            // list and amobj are only ever set together, so amobj is non-null
            // whenever the block below runs.
            if ((list != null) && !list.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("AMObjectImpl." + "validateAttributeUniqueness: list =" + list);
                }
                /*
                 * After adding the uniquness attributes 'ou,cn' to the
                 * list, creating a role with the same name as the existing
                 * user say 'amadmin' fails with 'Attribute uniqueness
                 * violation' The filter (|(cn='attrname')) is used for all
                 * objects. Fixed the code to look for 'Role' profile types
                 * and set the filter as
                 * (&(objectclass=ldapsubentry)
                 * (objectclass=nsroledefinition)
                 * (cn='attrname'))
                 *
                 * The same issue happens when a group is created with
                 * existing user name. Fixed the code to look for 'Group'
                 * profile types and set the filter as
                 * (&(objectClass=groupofuniquenames)
                 * (objectClass=iplanet-am-managed-group)(cn='attrname'))
                 * The logic in the while loop is iterate through the
                 * attribute unique list and check if the list contains the
                 * naming attribute of the object we are trying to create.
                 * If the naming attribute is in the list,then look if the
                 * profile type of the object we are trying to create is
                 * 'role' or 'group', add appropriate objectclasses and the
                 * entry rdn to the search filter. This filter is used to
                 * search the iDS and determine the attribute uniqueness
                 * violation. The boolean variable 'attrExists' is set to
                 * false initially. This variable is set to true when the
                 * profile type is 'role' or 'group'. The check for this
                 * boolean variable decides the number of matching closing
                 * parens of the three different types of filters.
                 */
                Iterator iter = list.iterator();
                StringBuffer filterSB = new StringBuffer();
                StringBuffer newEntrySB = new StringBuffer();
                filterSB.append("(|");
                while (iter.hasNext()) {
                    String[] attrList = getAttrList((String) iter.next());
                    // Values are looked up once per list entry and reused for
                    // every attribute name in attrList below.
                    Set attr = getAttrValues(attrList, modMap);
                    for (int j = 0; j < attrList.length; j++) {
                        String attrName = attrList[j];
                        if (attrName.equals(getNamingAttribute(profileType)) && newEntry) {
                            if ((profileType == AMObject.ROLE) || (profileType == AMObject.MANAGED_ROLE) || (profileType == AMObject.FILTERED_ROLE)) {
                                newEntrySB.append("(&");
                                newEntrySB.append("(objectclass=ldapsubentry)");
                                newEntrySB.append("(" + "objectclass=nsroledefinition)");
                                attrExists = true;
                            } else if ((profileType == AMObject.GROUP) || (profileType == AMObject.STATIC_GROUP) || (profileType == AMObject.ASSIGNABLE_DYNAMIC_GROUP) || (profileType == AMObject.DYNAMIC_GROUP)) {
                                newEntrySB.append("(&");
                                newEntrySB.append("(objectclass=iplanet-am-managed-group)");
                                newEntrySB.append("(objectclass=groupofuniquenames)");
                                attrExists = true;
                            } else if (profileType == AMObject.ORGANIZATION) {
                                newEntrySB.append("(&(!");
                                newEntrySB.append("(objectclass=");
                                newEntrySB.append(SMSEntry.OC_REALM_SERVICE);
                                newEntrySB.append("))");
                                attrExists = true;
                            }
                            // NOTE(review): the entry's own RDN is appended as a
                            // filter component verbatim, with no assertion-value
                            // escaping.
                            filterSB.append("(").append(rdns.get(0)).append(")");
                        }
                        if (attr != null && !attr.isEmpty()) {
                            Iterator itr = attr.iterator();
                            while (itr.hasNext()) {
                                // NOTE(review): modMap values go into the filter
                                // unescaped; see the class-level note above.
                                filterSB.append("(").append(attrName);
                                filterSB.append("=").append(itr.next());
                                filterSB.append(")");
                            }
                        }
                        // if
                    }
                }
                // filterSB is longer than its "(|" opener only when at least
                // one component was appended.
                if (filterSB.length() > 2) {
                    if (attrExists) {
                        // pre-pend the creation filter part to the filter
                        // This is being done so that the filter is
                        // correctly created as
                        // (&(<creation-filter)(|(<attr filter>)))
                        newEntrySB.append(filterSB.toString()).append("))");
                        filterSB = newEntrySB;
                    } else {
                        filterSB.append(")");
                    }
                    if (debug.messageEnabled()) {
                        debug.message("AMObjectImpl." + "validateAttributeUniqueness: " + "filter = " + filterSB.toString());
                    }
                    Set users = amobj.search(AMConstants.SCOPE_SUB, filterSB.toString());
                    // If the only match is the entry being modified itself,
                    // ignore the violation
                    if (users != null && users.size() == 1) {
                        String userDN = (String) users.iterator().next();
                        DN dnObject = DN.valueOf(userDN);
                        if (dnObject.equals(DN.valueOf(entryDN))) {
                            return;
                        }
                    }
                    if ((users != null) && !users.isEmpty()) {
                        throw new AMException(AMSDKBundle.getString("162"), "162");
                    }
                }
            }
            // Extend the DN by the next RDN towards the entry for the next level.
            orgDN = rdns.get(i).toString() + "," + orgDN;
            thisDN = DN.valueOf(orgDN);
        }
    } catch (SSOException ex) {
        // Best effort: a failed token lookup is logged and the check is skipped.
        if (debug.warningEnabled()) {
            debug.warning("Unable to validate attribute uniqneness", ex);
        }
    }
}
use of org.forgerock.opendj.ldap.RDN in project OpenAM by OpenRock.
the class DirectoryServicesImpl method getTopLevelContainers.
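/**
 * Returns the DNs of the top-level containers managed by the token's user.
 *
 * <p>The candidate set is the union of the managed-container DN attribute of
 * every role and filtered role the user holds. When that union is empty, the
 * AM SDK base DN is searched instead for organizations, organizational units,
 * people containers and the group types listed in the filter. The result keeps
 * only candidates that are not strict subordinates of another candidate.
 *
 * @param token the SSO token whose principal name is used as the user DN
 * @return the set of top-level container DN strings; empty when nothing is found
 * @throws AMException on AM SDK errors
 * @throws SSOException if the token is invalid
 */
public Set getTopLevelContainers(SSOToken token) throws AMException, SSOException {
    String userDN = token.getPrincipal().getName();
    AMStoreConnection amsc = new AMStoreConnection(internalToken);
    AMUser auser = amsc.getUser(userDN);
    Set set = new HashSet();
    Set roleDNs = auser.getRoleDNs();
    roleDNs.addAll(auser.getFilteredRoleDNs());
    for (Iterator iter = roleDNs.iterator(); iter.hasNext(); ) {
        String roleDN = (String) iter.next();
        if (debug.messageEnabled()) {
            debug.message("DirectoryServicesImpl." + "getTopLevelContainers: roleDN=" + roleDN);
        }
        AMRole role = amsc.getRole(roleDN);
        set.addAll(role.getAttribute(ROLE_MANAGED_CONTAINER_DN_ATTRIBUTE));
    }
    if (set.isEmpty()) {
        String filter = "(|" + SearchFilterManager.getGlobalSearchFilter(AMObject.ORGANIZATION) + SearchFilterManager.getGlobalSearchFilter(AMObject.ORGANIZATIONAL_UNIT) + SearchFilterManager.getGlobalSearchFilter(AMObject.PEOPLE_CONTAINER) + SearchFilterManager.getGlobalSearchFilter(AMObject.DYNAMIC_GROUP) + SearchFilterManager.getGlobalSearchFilter(AMObject.ASSIGNABLE_DYNAMIC_GROUP) + SearchFilterManager.getGlobalSearchFilter(AMObject.GROUP) + ")";
        set = search(token, AMStoreConnection.getAMSdkBaseDN(), filter, SCOPE_SUB);
    }
    // Reduce the candidates to the top-most ones: a candidate below an
    // already kept container is dropped, and a candidate above kept containers
    // replaces them. The original rebuilt the result set per candidate and
    // broke out of that rebuild early, which silently discarded every result
    // entry not yet visited at that point.
    Set resultSet = new HashSet();
    for (Iterator iter = set.iterator(); iter.hasNext(); ) {
        String containerDN = (String) iter.next();
        DN cDN = DN.valueOf(containerDN);
        boolean covered = false;
        for (Iterator kept = resultSet.iterator(); kept.hasNext(); ) {
            DN rDN = DN.valueOf((String) kept.next());
            if (cDN.isInScopeOf(rDN, SearchScope.SUBORDINATES)) {
                covered = true;
                break;
            }
        }
        if (covered) {
            continue;
        }
        // Strict subordinates only: an equal DN in a different string form is
        // kept alongside, as in the original.
        for (Iterator kept = resultSet.iterator(); kept.hasNext(); ) {
            DN rDN = DN.valueOf((String) kept.next());
            if (rDN.isInScopeOf(cDN, SearchScope.SUBORDINATES)) {
                kept.remove();
            }
        }
        resultSet.add(containerDN);
    }
    if (debug.messageEnabled()) {
        debug.message("DirectoryServicesImpl.getTopLevelContainers");
        StringBuilder tmpBuffer = new StringBuilder();
        for (Iterator iter = resultSet.iterator(); iter.hasNext(); ) {
            String tmpDN = (String) iter.next();
            tmpBuffer.append(tmpDN).append("\n");
        }
        debug.message("containerDNs\n" + tmpBuffer.toString());
    }
    return resultSet;
}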