Search in sources :

Example 11 with ResultCode

use of org.forgerock.opendj.ldap.ResultCode in project OpenAM by OpenRock.

the class Organization method getValidValues.

/**
     * Returns a list of possible values for the <code>Organization
     * </code> that satisfy the given <code>pattern</code>.
     *
     * @param token the <code>SSOToken</code> that will be used
     * to determine the possible values
     * @param pattern search pattern that will be used to narrow
     * the list of valid names.
     *
     * @return <code>ValidValues</code>
     *
     * @exception SSOException if <code>SSOToken</code> is not valid
     * @exception PolicyException if unable to get the list of valid
     * names.
     */
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
    if (!initialized) {
        throw (new PolicyException(ResBundleUtils.rbName, "org_subject_not_yet_initialized", null, null));
    }
    String searchFilter = null;
    if ((pattern != null) && !(pattern.trim().length() == 0)) {
        searchFilter = "(&" + orgSearchFilter + "(" + orgRDNAttrName + "=" + pattern + "))";
    } else {
        searchFilter = orgSearchFilter;
    }
    if (debug.messageEnabled()) {
        debug.message("Organization.getValidValues(): organization search filter is: " + searchFilter);
    }
    String[] attrs = { orgRDNAttrName };
    Set<String> validOrgDNs = new HashSet<>();
    int status = ValidValues.SUCCESS;
    try {
        SearchRequest request = LDAPRequests.newSearchRequest(baseDN, orgSearchScope, searchFilter, attrs);
        try (Connection conn = connPool.getConnection()) {
            // connect to the server to authenticate
            ConnectionEntryReader reader = conn.search(request);
            while (reader.hasNext()) {
                if (reader.isReference()) {
                    //ignore
                    reader.readReference();
                } else {
                    SearchResultEntry entry = reader.readEntry();
                    validOrgDNs.add(entry.getName().toString());
                    debug.message("Organization.getValidValues(): found org name = {}", entry.getName().toString());
                }
            }
        }
    } catch (LdapException le) {
        ResultCode resultCode = le.getResult().getResultCode();
        if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
            debug.warning("Organization.getValidValues(): exceeded the size limit");
            status = ValidValues.SIZE_LIMIT_EXCEEDED;
        } else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
            debug.warning("Organization.getValidValues(): exceeded the time limit");
            status = ValidValues.TIME_LIMIT_EXCEEDED;
        } else {
            if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
                throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
            } else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
                String[] objs = { baseDN };
                throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_base_dn", objs, null);
            }
            String errorMsg = le.getMessage();
            String additionalMsg = le.getResult().getDiagnosticMessage();
            if (additionalMsg != null) {
                throw new PolicyException(errorMsg + ": " + additionalMsg);
            } else {
                throw new PolicyException(errorMsg);
            }
        }
    } catch (Exception e) {
        throw new PolicyException(e);
    }
    if (debug.messageEnabled()) {
        debug.message("Organization.getValidValues(): return set= {}", validOrgDNs.toString());
    }
    return new ValidValues(status, validOrgDNs);
}
Also used : SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest) ValidValues(com.sun.identity.policy.ValidValues) Connection(org.forgerock.opendj.ldap.Connection) LdapException(org.forgerock.opendj.ldap.LdapException) NameNotFoundException(com.sun.identity.policy.NameNotFoundException) PolicyException(com.sun.identity.policy.PolicyException) InvalidNameException(com.sun.identity.policy.InvalidNameException) SSOException(com.iplanet.sso.SSOException) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) PolicyException(com.sun.identity.policy.PolicyException) LdapException(org.forgerock.opendj.ldap.LdapException) ResultCode(org.forgerock.opendj.ldap.ResultCode) HashSet(java.util.HashSet) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 12 with ResultCode

use of org.forgerock.opendj.ldap.ResultCode in project OpenAM by OpenRock.

the class Organization method getUserDN.

/**
     * Gets the DN for a user identified 
     * by the token. If the Directory server is locally installed to speed
     * up the search, no directoty search is performed and the DN obtained
     * from the token is returned. If the directory is remote
     * a LDAP search is performed to get the user DN.
     */
private DN getUserDN(SSOToken token) throws SSOException, PolicyException {
    DN userDN = null;
    Set<String> qualifiedUserDNs = new HashSet<>();
    String userLocalDN = token.getPrincipal().getName();
    if (localDS && !PolicyUtils.principalNameEqualsUuid(token)) {
        userDN = DN.valueOf(userLocalDN);
    } else {
        // try to figure out the user name from the local user DN
        int beginIndex = userLocalDN.indexOf("=");
        int endIndex = userLocalDN.indexOf(",");
        if ((beginIndex <= 0) || (endIndex <= 0) || (beginIndex >= endIndex)) {
            throw (new PolicyException(ResBundleUtils.rbName, "org_subject_invalid_local_user_dn", null, null));
        }
        String userName = userLocalDN.substring(beginIndex + 1, endIndex);
        String searchFilter = null;
        if ((userSearchFilter != null) && !(userSearchFilter.length() == 0)) {
            searchFilter = "(&" + userSearchFilter + PolicyUtils.constructUserFilter(token, userRDNAttrName, userName, aliasEnabled) + ")";
        } else {
            searchFilter = PolicyUtils.constructUserFilter(token, userRDNAttrName, userName, aliasEnabled);
        }
        if (debug.messageEnabled()) {
            debug.message("Organization.getUserDN(): search filter is: " + searchFilter);
        }
        String[] attrs = { userRDNAttrName };
        // search the remote ldap and find out the user DN          
        try (Connection conn = connPool.getConnection()) {
            SearchRequest request = LDAPRequests.newSearchRequest(baseDN, userSearchScope, searchFilter, attrs);
            ConnectionEntryReader reader = conn.search(request);
            while (reader.hasNext()) {
                if (reader.isReference()) {
                    //ignore
                    reader.readReference();
                } else {
                    SearchResultEntry entry = reader.readEntry();
                    if (entry != null) {
                        qualifiedUserDNs.add(entry.getName().toString());
                    }
                }
            }
        } catch (LdapException le) {
            String[] objs = { orgName };
            ResultCode resultCode = le.getResult().getResultCode();
            if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
                debug.warning("Organization.getUserDN(): exceeded the size limit");
                throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_size_limit", objs, null);
            } else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
                debug.warning("Organization.getUserDN(): exceeded the time limit");
                throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_time_limit", objs, null);
            } else {
                if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
                    throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
                } else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
                    objs = new String[] { baseDN };
                    throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_base_dn", objs, null);
                }
                String errorMsg = le.getMessage();
                String additionalMsg = le.getResult().getDiagnosticMessage();
                if (additionalMsg != null) {
                    throw new PolicyException(errorMsg + ": " + additionalMsg);
                } else {
                    throw new PolicyException(errorMsg);
                }
            }
        } catch (Exception e) {
            throw new PolicyException(e);
        }
        if (qualifiedUserDNs.size() > 0) {
            if (debug.messageEnabled()) {
                debug.message("Organization.getUserDN(): qualified users=" + qualifiedUserDNs);
            }
            Iterator iter = qualifiedUserDNs.iterator();
            // we only take the first qualified DN
            userDN = DN.valueOf((String) iter.next());
        }
    }
    return userDN;
}
Also used : SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest) Connection(org.forgerock.opendj.ldap.Connection) DN(org.forgerock.opendj.ldap.DN) LdapException(org.forgerock.opendj.ldap.LdapException) NameNotFoundException(com.sun.identity.policy.NameNotFoundException) PolicyException(com.sun.identity.policy.PolicyException) InvalidNameException(com.sun.identity.policy.InvalidNameException) SSOException(com.iplanet.sso.SSOException) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) PolicyException(com.sun.identity.policy.PolicyException) Iterator(java.util.Iterator) LdapException(org.forgerock.opendj.ldap.LdapException) ResultCode(org.forgerock.opendj.ldap.ResultCode) HashSet(java.util.HashSet) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 13 with ResultCode

use of org.forgerock.opendj.ldap.ResultCode in project OpenAM by OpenRock.

the class LDAPRoles method getUserEntry.

/**
     * Gets the <code>LDAPEntry</code> for a user identified 
     * by the token. The base DN used to perform the user search
     * is the DN of the user if the user is local to speed
     * up the search, but if user is not local then the base DN as
     * configured in the policy config service is used.
     */
private SearchResultEntry getUserEntry(SSOToken token) throws SSOException, PolicyException {
    Set<SearchResultEntry> qualifiedUsers = new HashSet<>();
    String userLocalDN = token.getPrincipal().getName();
    if (debug.messageEnabled()) {
        debug.message("LDAPRoles.getUserEntry(): user local DN is " + userLocalDN);
    }
    String searchBaseDN = baseDN;
    if (localDS && !PolicyUtils.principalNameEqualsUuid(token)) {
        // if it is local, then we search the user entry only
        searchBaseDN = DN.valueOf(userLocalDN).toString();
        debug.message("LDAPRoles.getUserEntry(): search user {} only as it is local.", searchBaseDN);
    }
    // try to figure out the user name from the local user DN
    int beginIndex = userLocalDN.indexOf("=");
    int endIndex = userLocalDN.indexOf(",");
    if ((beginIndex <= 0) || (endIndex <= 0) || (beginIndex >= endIndex)) {
        throw (new PolicyException(ResBundleUtils.rbName, "ldaproles_subject_invalid_local_user_dn", null, null));
    }
    String userName = userLocalDN.substring(beginIndex + 1, endIndex);
    String searchFilter = null;
    if ((userSearchFilter != null) && !(userSearchFilter.length() == 0)) {
        searchFilter = "(&" + userSearchFilter + PolicyUtils.constructUserFilter(token, userRDNAttrName, userName, aliasEnabled) + ")";
    } else {
        searchFilter = PolicyUtils.constructUserFilter(token, userRDNAttrName, userName, aliasEnabled);
    }
    if (debug.messageEnabled()) {
        debug.message("LDAPRoles.getUserEntry(): search filter is: " + searchFilter);
    }
    // search the remote ldap and find out the user DN        
    String[] myAttrs = { LDAP_USER_ROLE_ATTR };
    try (Connection conn = connPool.getConnection()) {
        SearchRequest searchRequest = LDAPRequests.newSearchRequest(searchBaseDN, userSearchScope, searchFilter, myAttrs);
        ConnectionEntryReader reader = conn.search(searchRequest);
        while (reader.hasNext()) {
            if (reader.isReference()) {
                //Ignore
                reader.readReference();
            } else {
                qualifiedUsers.add(reader.readEntry());
            }
        }
    } catch (LdapException le) {
        ResultCode resultCode = le.getResult().getResultCode();
        if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
            String[] objs = { orgName };
            debug.warning("LDAPRoles.isMember(): exceeded the size limit");
            throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_size_limit", objs, null);
        } else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
            String[] objs = { orgName };
            debug.warning("LDAPRoles.isMember(): exceeded the time limit");
            throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_time_limit", objs, null);
        } else if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
            throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
        } else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
            String[] objs = { baseDN };
            throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_base_dn", objs, null);
        }
        String errorMsg = le.getMessage();
        String additionalMsg = le.getResult().getDiagnosticMessage();
        if (additionalMsg != null) {
            throw new PolicyException(errorMsg + ": " + additionalMsg);
        } else {
            throw new PolicyException(errorMsg);
        }
    } catch (Exception e) {
        throw new PolicyException(e);
    }
    if (qualifiedUsers.size() > 0) {
        Iterator<SearchResultEntry> iter = qualifiedUsers.iterator();
        // we only take the first qualified DN
        return iter.next();
    }
    return null;
}
Also used : SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest) Connection(org.forgerock.opendj.ldap.Connection) ByteString(org.forgerock.opendj.ldap.ByteString) LdapException(org.forgerock.opendj.ldap.LdapException) NameNotFoundException(com.sun.identity.policy.NameNotFoundException) PolicyException(com.sun.identity.policy.PolicyException) InvalidNameException(com.sun.identity.policy.InvalidNameException) SSOException(com.iplanet.sso.SSOException) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) PolicyException(com.sun.identity.policy.PolicyException) LdapException(org.forgerock.opendj.ldap.LdapException) ResultCode(org.forgerock.opendj.ldap.ResultCode) HashSet(java.util.HashSet) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 14 with ResultCode

use of org.forgerock.opendj.ldap.ResultCode in project OpenAM by OpenRock.

the class LDAPGroups method getValidValues.

/**
     * Returns a list of possible values for the <code>LDAPGroups
     * </code> that satisfy the given <code>pattern</code>.
     *
     * @param token the <code>SSOToken</code> that will be used
     * to determine the possible values
     * @param pattern search pattern that will be used to narrow
     * the list of valid names.
     *
     * @return <code>ValidValues</code> object
     *
     * @exception SSOException if <code>SSOToken</code> is not valid
     * @exception PolicyException if unable to get the list of valid
     * names.
     */
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
    if (!initialized) {
        throw new PolicyException(ResBundleUtils.rbName, "ldapgroups_subject_not_yet_initialized", null, null);
    }
    Set<String> validGroupDNs = new HashSet<>();
    String searchFilter;
    if (pattern != null && !pattern.trim().isEmpty()) {
        searchFilter = "(&" + groupSearchFilter + "(" + groupRDNAttrName + "=" + pattern + "))";
    } else {
        searchFilter = groupSearchFilter;
    }
    debug.message("LDAPGroups.getValidValues(): group search filter is: {}", searchFilter);
    String[] attrs = { groupRDNAttrName };
    Connection ld = null;
    int status = ValidValues.SUCCESS;
    try (Connection conn = connPool.getConnection()) {
        SearchRequest searchRequest = LDAPRequests.newSearchRequest(baseDN, groupSearchScope, searchFilter, attrs);
        ConnectionEntryReader reader = conn.search(searchRequest);
        while (reader.hasNext()) {
            if (reader.isReference()) {
                //Ignore
                reader.readReference();
            } else {
                SearchResultEntry entry = reader.readEntry();
                if (entry != null) {
                    validGroupDNs.add(entry.getName().toString());
                    debug.message("LDAPGroups.getValidValues(): found group name={}", entry.getName().toString());
                }
            }
        }
    } catch (LdapException lde) {
        ResultCode resultCode = lde.getResult().getResultCode();
        if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
            debug.warning("LDAPGroups.getValidValues(): exceeded the size limit");
            return new ValidValues(ValidValues.SIZE_LIMIT_EXCEEDED, validGroupDNs);
        } else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
            debug.warning("LDAPGroups.getValidValues(): exceeded the time limit");
            return new ValidValues(ValidValues.TIME_LIMIT_EXCEEDED, validGroupDNs);
        } else if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
            throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
        } else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
            String[] objs = { baseDN };
            throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_base_dn", objs, null);
        }
        String errorMsg = lde.getMessage();
        String additionalMsg = lde.getResult().getDiagnosticMessage();
        if (additionalMsg != null) {
            throw new PolicyException(errorMsg + ": " + additionalMsg);
        } else {
            throw new PolicyException(errorMsg);
        }
    } catch (Exception e) {
        throw new PolicyException(e);
    }
    return new ValidValues(status, validGroupDNs);
}
Also used : SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest) ValidValues(com.sun.identity.policy.ValidValues) Connection(org.forgerock.opendj.ldap.Connection) ByteString(org.forgerock.opendj.ldap.ByteString) LdapException(org.forgerock.opendj.ldap.LdapException) NameNotFoundException(com.sun.identity.policy.NameNotFoundException) PolicyException(com.sun.identity.policy.PolicyException) InvalidNameException(com.sun.identity.policy.InvalidNameException) SSOException(com.iplanet.sso.SSOException) LocalizedIllegalArgumentException(org.forgerock.i18n.LocalizedIllegalArgumentException) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) PolicyException(com.sun.identity.policy.PolicyException) LdapException(org.forgerock.opendj.ldap.LdapException) ResultCode(org.forgerock.opendj.ldap.ResultCode) HashSet(java.util.HashSet) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 15 with ResultCode

use of org.forgerock.opendj.ldap.ResultCode in project OpenAM by OpenRock.

the class LDAPGroups method getUserDN.

/**
     * Get the full DN for the user using the RDN against the
     * LDAP server configured in the policy config service.
     */
private DN getUserDN(String userRDN) throws SSOException, PolicyException {
    DN userDN = null;
    if (userRDN != null) {
        Set<String> qualifiedUserDNs = new HashSet<>();
        String searchFilter = null;
        if ((userSearchFilter != null) && !(userSearchFilter.length() == 0)) {
            searchFilter = "(&" + userSearchFilter + userRDN + ")";
        } else {
            searchFilter = userRDN;
        }
        if (debug.messageEnabled()) {
            debug.message("LDAPGroups.getUserDN(): search filter is: " + searchFilter);
        }
        String[] attrs = { userRDNAttrName };
        try (Connection conn = connPool.getConnection()) {
            SearchRequest searchRequest = LDAPRequests.newSearchRequest(baseDN, userSearchScope, searchFilter, attrs);
            ConnectionEntryReader reader = conn.search(searchRequest);
            while (reader.hasNext()) {
                if (reader.isReference()) {
                    //Ignore
                    reader.readReference();
                } else {
                    SearchResultEntry entry = reader.readEntry();
                    if (entry != null) {
                        qualifiedUserDNs.add(entry.getName().toString());
                    }
                }
            }
        } catch (LdapException le) {
            ResultCode resultCode = le.getResult().getResultCode();
            if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
                String[] objs = { orgName };
                debug.warning("LDAPGroups.isMember(): exceeded the size limit");
                throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_size_limit", objs, null);
            } else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
                String[] objs = { orgName };
                debug.warning("LDAPGroups.isMember(): exceeded the time limit");
                throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_time_limit", objs, null);
            } else if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
                throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
            } else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
                String[] objs = { baseDN };
                throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_base_dn", objs, null);
            }
            String errorMsg = le.getMessage();
            String additionalMsg = le.getResult().getDiagnosticMessage();
            if (additionalMsg != null) {
                throw new PolicyException(errorMsg + ": " + additionalMsg);
            } else {
                throw new PolicyException(errorMsg);
            }
        } catch (Exception e) {
            throw new PolicyException(e);
        }
        // check if the user belongs to any of the selected groups
        if (qualifiedUserDNs.size() > 0) {
            debug.message("LDAPGroups.getUserDN(): qualified users={}", qualifiedUserDNs);
            Iterator<String> iter = qualifiedUserDNs.iterator();
            // we only take the first qualified DN if the DN
            userDN = DN.valueOf(iter.next());
        }
    }
    return userDN;
}
Also used : SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest) Connection(org.forgerock.opendj.ldap.Connection) DN(org.forgerock.opendj.ldap.DN) ByteString(org.forgerock.opendj.ldap.ByteString) LdapException(org.forgerock.opendj.ldap.LdapException) NameNotFoundException(com.sun.identity.policy.NameNotFoundException) PolicyException(com.sun.identity.policy.PolicyException) InvalidNameException(com.sun.identity.policy.InvalidNameException) SSOException(com.iplanet.sso.SSOException) LocalizedIllegalArgumentException(org.forgerock.i18n.LocalizedIllegalArgumentException) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) PolicyException(com.sun.identity.policy.PolicyException) LdapException(org.forgerock.opendj.ldap.LdapException) ResultCode(org.forgerock.opendj.ldap.ResultCode) HashSet(java.util.HashSet) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Aggregations

ResultCode (org.forgerock.opendj.ldap.ResultCode)49 LdapException (org.forgerock.opendj.ldap.LdapException)37 Connection (org.forgerock.opendj.ldap.Connection)29 ByteString (org.forgerock.opendj.ldap.ByteString)18 ConnectionEntryReader (org.forgerock.opendj.ldif.ConnectionEntryReader)18 SMSException (com.sun.identity.sm.SMSException)17 SearchResultEntry (org.forgerock.opendj.ldap.responses.SearchResultEntry)17 SearchRequest (org.forgerock.opendj.ldap.requests.SearchRequest)15 HashSet (java.util.HashSet)14 PolicyException (com.sun.identity.policy.PolicyException)13 SSOException (com.iplanet.sso.SSOException)9 InvalidNameException (com.sun.identity.policy.InvalidNameException)9 NameNotFoundException (com.sun.identity.policy.NameNotFoundException)9 SearchResultReferenceIOException (org.forgerock.opendj.ldap.SearchResultReferenceIOException)7 ValidValues (com.sun.identity.policy.ValidValues)6 LinkedHashSet (java.util.LinkedHashSet)6 InternalSearchOperation (org.opends.server.protocols.internal.InternalSearchOperation)6 AMException (com.iplanet.am.sdk.AMException)4 AMSearchResults (com.iplanet.am.sdk.AMSearchResults)4 IOException (java.io.IOException)4