
Example 6 with SSLContextBuilder

use of org.forgerock.opendj.ldap.SSLContextBuilder in project OpenAM by OpenRock.

the class AMCertStore method getConnection.

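/**
 * Returns a connection to the LDAP certificate store, or {@code null} if the connection
 * factory could not be built or the connection attempt failed.
 * <p>
 * The {@code LDAPConnectionFactory} is created lazily on first use and cached in
 * {@code ldapconn}; the method is {@code synchronized} so concurrent first callers do not
 * race on that initialisation. Failures are logged and reported as {@code null} rather than
 * thrown, so callers must null-check the result.
 * <p>
 * Security notes:
 * <ul>
 *   <li>The bind is always authenticated with {@code storeParam}'s user and password
 *       (simple bind), whether or not SSL is enabled. Without {@code storeParam.isSecure()}
 *       those credentials cross the wire in clear text.</li>
 *   <li>With SSL enabled, the context comes from {@code new SSLContextBuilder()} with no
 *       explicit trust or key manager, so server certificate validation appears to fall back
 *       to the SDK/JVM default trust material — confirm that matches the deployment.
 *       Nothing here configures hostname verification; check whether the SDK does it.</li>
 *   <li>{@code storeParam.getPassword()} is a {@code String}; the {@code char[]} copy made
 *       here cannot be scrubbed because the original String stays live.</li>
 * </ul>
 *
 * @return an open {@code Connection}, or {@code null} on error (already logged)
 */
synchronized Connection getConnection() {
    if (ldapconn == null) {
        /*
         * Setup the LDAP certificate directory service context for
         * use in verification of the users certificates.
         */
        String serverName = storeParam.getServerName();
        int port = storeParam.getPort();
        boolean secure = storeParam.isSecure();
        // Regardless of SSL on connection, we will use authentication
        SimpleBindRequest authenticatedRequest =
                LDAPRequests.newSimpleBindRequest(storeParam.getUser(), storeParam.getPassword().toCharArray());
        Options options = Options.defaultOptions().set(AUTHN_BIND_REQUEST, authenticatedRequest);
        if (secure) {
            debug.message("AMCertStore.getConnection: initial connection factory using ssl.");
            try {
                // No trust/key manager is set on the builder: the SDK's default trust material applies.
                options = options.set(SSL_CONTEXT, new SSLContextBuilder().getSSLContext());
            } catch (GeneralSecurityException e) {
                debug.error("AMCertStore.getConnection: Error getting SSL Context", e);
                return null;
            }
        }
        // The factory is cached for the lifetime of this store; only getSSLContext() above can
        // fail with a checked exception, so the constructor sits outside the try.
        ldapconn = new LDAPConnectionFactory(serverName, port, options);
        if (secure) {
            debug.message("AMCertStore.getConnection: SSLSocketFactory called");
        }
    }
    try {
        return ldapconn.getConnection();
    } catch (LdapException e) {
        debug.error("AMCertStore.getConnection: Exception in connection to LDAP server", e);
        return null;
    }
}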

Example 7 with SSLContextBuilder

use of org.forgerock.opendj.ldap.SSLContextBuilder in project OpenAM by OpenRock.

the class AMCRLStore method getCRLByLdapURI.

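/**
 * Fetches a CRL from an LDAP server addressed by an LDAP URI.
 * <p>
 * The URI is expected to name a DN (for example
 * {@code ldap://server:port/uid=ca,o=company.com}) that is readable with an anonymous
 * bind and that carries the CRL in {@code certificaterevocationlist} or
 * {@code certificaterevocationlist;binary}. The first matching entry is used; a referral,
 * an empty result or a missing attribute yields {@code null}.
 * <p>
 * Security notes:
 * <ul>
 *   <li>The URI presumably originates from a certificate's CRL Distribution Point extension
 *       (inferred from the method name — confirm against callers), so host, port and DN are
 *       attacker-influenced input; this method opens a connection to whatever host it names.</li>
 *   <li>The bind is anonymous. For {@code ldaps://} the SSL context is built with no explicit
 *       trust manager, so server certificate validation appears to use the SDK/JVM default
 *       trust material; for plain {@code ldap://} the transport is neither authenticated nor
 *       encrypted. The returned bytes are NOT validated here — the caller must verify the CRL
 *       signature against the issuing CA before trusting it.</li>
 * </ul>
 *
 * @param uri the LDAP URI of the entry holding the CRL
 * @return the raw CRL bytes, or {@code null} if the URI cannot be parsed, the SSL context
 *         cannot be built, the entry or attribute is missing, or an LDAP error occurs (all logged)
 */
private byte[] getCRLByLdapURI(String uri) {
    if (debug.messageEnabled()) {
        debug.message("AMCRLStore.getCRLByLdapURI: uri = " + uri);
    }
    LDAPUrl url;
    try {
        url = LDAPUrl.valueOf(uri);
    } catch (LocalizedIllegalArgumentException e) {
        debug.error("AMCRLStore.getCRLByLdapURI(): Could not parse uri: {}", uri, e);
        return null;
    }
    debug.message("AMCRLStore.getCRLByLdapURI: url.dn = {}", url.getName());
    Options options = Options.defaultOptions();
    // Check ldap over SSL
    if (url.isSecure()) {
        try {
            // No trust manager is set on the builder: the SDK's default trust material applies.
            options = options.set(LDAPConnectionFactory.SSL_CONTEXT, new SSLContextBuilder().getSSLContext());
        } catch (GeneralSecurityException e) {
            debug.error("AMCRLStore.getCRLByLdapURI: Error getting SSL Context", e);
            return null;
        }
    }
    byte[] crl = null;
    // Both the factory and the connection are closed here; previously only the connection was,
    // leaving the factory's transport resources to the garbage collector.
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory(url.getHost(), url.getPort(), options);
         Connection ldc = factory.getConnection()) {
        ConnectionEntryReader results = ldc.search(url.asSearchRequest()
                .addControl(TransactionIdControl.newControl(AuditRequestContext.createSubTransactionIdValue())));
        if (!results.hasNext()) {
            debug.error("verifyCertificate - No CRL distribution Point configured");
            return null;
        }
        if (results.isReference()) {
            // Referrals are not followed: chasing one would mean connecting to a host the URI did not name.
            debug.warning("Getting CRL but got LDAP reference: {}", results.readReference());
            return null;
        }
        SearchResultEntry entry = results.readEntry();
        /*
         * Retrieve the certificate revocation list if available.
         */
        Attribute crlAttribute = entry.getAttribute(CERTIFICATE_REVOCATION_LIST);
        if (crlAttribute == null) {
            crlAttribute = entry.getAttribute(CERTIFICATE_REVOCATION_LIST_BINARY);
            if (crlAttribute == null) {
                debug.error("verifyCertificate - No CRL distribution Point configured");
                return null;
            }
        }
        // Only the first value is used; a multi-valued attribute's remaining values are ignored.
        crl = crlAttribute.firstValue().toByteArray();
    } catch (Exception e) {
        // Best effort: any failure is logged and reported as "no CRL" (null) to the caller.
        debug.error("getCRLByLdapURI : Error in getting CRL", e);
    }
    return crl;
}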

Example 8 with SSLContextBuilder

use of org.forgerock.opendj.ldap.SSLContextBuilder in project OpenAM by OpenRock.

the class AddAMSDKIdRepoPlugin method getLDAPConnection.

/**
 * Builds (but does not open) a connection factory for the directory described by {@code ds}.
 * <p>
 * Every connection obtained from the factory binds with the plugin's {@code bindDN} and
 * {@code bindPwd} using a simple bind and is given a 300 ms connect timeout. When
 * {@code ds.ssl} is set, the factory gets an SSL context from {@code new SSLContextBuilder()}
 * with no explicit trust or key manager, so server certificate validation appears to fall back
 * to the SDK/JVM default trust material — confirm that is intended. Without SSL the simple-bind
 * password crosses the wire in clear text.
 * <p>
 * NOTE(review): 300 ms is a very short connect timeout for anything but a local directory;
 * remote servers may fail to connect spuriously. {@code bindPwd} is a {@code String}, so the
 * {@code char[]} copy taken here cannot be scrubbed.
 *
 * @param ds host, port and SSL flag of the target directory server
 * @return a connection factory for {@code ds}; presumably the caller is expected to close it
 * @throws Exception if the SSL context cannot be built (a {@code GeneralSecurityException})
 */
private ConnectionFactory getLDAPConnection(DSEntry ds) throws Exception {
    Duration connectTimeout = new Duration((long) 300, TimeUnit.MILLISECONDS);
    BindRequest bind = LDAPRequests.newSimpleBindRequest(bindDN, bindPwd.toCharArray());
    Options options = Options.defaultOptions()
            .set(CONNECT_TIMEOUT, connectTimeout)
            .set(AUTHN_BIND_REQUEST, bind);
    if (!ds.ssl) {
        return new LDAPConnectionFactory(ds.host, ds.port, options);
    }
    SSLContextBuilder sslBuilder = new SSLContextBuilder();
    options = options.set(SSL_CONTEXT, sslBuilder.getSSLContext());
    return new LDAPConnectionFactory(ds.host, ds.port, options);
}

Example 9 with SSLContextBuilder

use of org.forgerock.opendj.ldap.SSLContextBuilder in project OpenAM by OpenRock.

the class AjaxPage method getConnection.

/**
 * Opens a single authenticated LDAP connection to {@code host:port}.
 * <p>
 * The connection binds with {@code bindDN}/{@code bindPwd} via a simple bind and uses a
 * connect timeout of {@code timeout} seconds. When {@code isSSl} is true the connection is
 * wrapped in an SSL context from {@code new SSLContextBuilder()} with no explicit trust or key
 * manager, so server certificate validation appears to fall back to the SDK/JVM default trust
 * material — confirm that is intended. Without SSL the bind password is sent in clear text.
 * <p>
 * NOTE(review): the {@code LDAPConnectionFactory} created here is never closed; the returned
 * {@code Connection} is handed to the caller. Whether the orphaned factory leaks transport
 * resources depends on the SDK's factory lifecycle — confirm.
 *
 * @param host    directory server host
 * @param port    directory server port
 * @param bindDN  DN to bind as
 * @param bindPwd bind password; passed through as {@code char[]}, not copied
 * @param timeout connect timeout in seconds
 * @param isSSl   whether to use LDAPS
 * @return an open, bound {@code Connection}; the caller owns and must close it
 * @throws GeneralSecurityException if the SSL context cannot be built
 * @throws LdapException            if the connection or bind fails
 */
protected Connection getConnection(String host, int port, String bindDN, char[] bindPwd, int timeout, boolean isSSl) throws GeneralSecurityException, LdapException {
    Duration connectTimeout = new Duration((long) timeout, TimeUnit.SECONDS);
    Options ldapOptions = Options.defaultOptions()
            .set(CONNECT_TIMEOUT, connectTimeout)
            .set(AUTHN_BIND_REQUEST, LDAPRequests.newSimpleBindRequest(bindDN, bindPwd));
    if (isSSl) {
        SSLContextBuilder sslBuilder = new SSLContextBuilder();
        ldapOptions = ldapOptions.set(SSL_CONTEXT, sslBuilder.getSSLContext());
    }
    return new LDAPConnectionFactory(host, port, ldapOptions).getConnection();
}

Example 10 with SSLContextBuilder

use of org.forgerock.opendj.ldap.SSLContextBuilder in project OpenAM by OpenRock.

the class LDAPAuthUtils method createConnectionPool.

/**
 * Returns the shared authenticated connection pool for the configured servers and the given
 * bind user, creating it on first use and caching it in {@code connectionPools} under the key
 * {@code servers + ":" + bindingUser}.
 * <p>
 * The pool is a failover pool over {@code primaryServers}, optionally combined with a second
 * pool over {@code secondaryServers} behind a failover load balancer. Requests time out after
 * {@code operationsTimeout} ms. Pool size comes from {@code poolSize} entries of the form
 * {@code host:port:min:max} matching a configured server, else from half the default sizes.
 * A shutdown listener closes the factory on server shutdown.
 * <p>
 * Security notes:
 * <ul>
 *   <li>When {@code isSecure} and {@code trustAll} are both set, {@code TrustManagers.trustAll()}
 *       disables server certificate validation entirely: TLS then only protects against passive
 *       observers, and an active attacker can impersonate the directory and capture the
 *       simple-bind credentials. Only acceptable for test environments.</li>
 *   <li>When {@code trustAll} is false no trust manager is set, so validation appears to use the
 *       SDK/JVM default trust material. Nothing here configures hostname verification.</li>
 *   <li>Without {@code isSecure}, bind credentials cross the wire in clear text.</li>
 * </ul>
 *
 * @param connectionPools cache of pools keyed by server list and bind user; also used as the lock
 * @param bindingUser     DN the pooled connections bind as
 * @param bindingPwd      password for {@code bindingUser}
 * @return the cached or newly created connection factory
 * @throws LdapException     if pool creation fails at the LDAP level
 * @throws LDAPUtilException if the SSL context cannot be built (wraps the GeneralSecurityException)
 */
private ConnectionFactory createConnectionPool(Map<String, ConnectionFactory> connectionPools, String bindingUser, char[] bindingPwd) throws LdapException, LDAPUtilException {
    ConnectionFactory connPool;
    try {
        // Key by server list plus bind user so pools for different bind identities are never shared.
        String configName = servers.toString() + ":" + bindingUser;
        // Unsynchronized first lookup (check-then-act). Whether this read is safe depends on the
        // Map implementation the caller supplies — NOTE(review): confirm it is a concurrent map.
        connPool = connectionPools.get(configName);
        if (connPool == null) {
            synchronized (connectionPools) {
                // Re-check under the lock so only one thread builds the pool.
                connPool = connectionPools.get(configName);
                Options options = Options.defaultOptions().set(REQUEST_TIMEOUT, new Duration((long) operationsTimeout, TimeUnit.MILLISECONDS));
                if (connPool == null) {
                    if (debug.messageEnabled()) {
                        debug.message("Create ConnectionPool for servers:\n" + servers);
                    }
                    // Since connection pool for search and authentication
                    // are different, each gets half the configured size
                    int min = minDefaultPoolSize / 2 + 1;
                    int max = maxDefaultPoolSize / 2;
                    // NOTE: if max is 0 or 1 this leaves min at -1 or 0; min is only logged below,
                    // only max is passed to newFailoverConnectionPool.
                    if (min >= max) {
                        min = max - 1;
                    }
                    Set<LDAPURL> primaryUrls = convertToLDAPURLs(primaryServers);
                    Set<LDAPURL> secondaryUrls = convertToLDAPURLs(secondaryServers);
                    if (poolSize != null && !poolSize.isEmpty()) {
                        String tmpmin = null;
                        String tmpmax = null;
                        // Use the first poolSize entry whose host:port is one of the configured servers.
                        for (String val : poolSize) {
                            // host:port:min:max
                            // Splitting on ':' means an IPv6 literal host will not yield 4 tokens and is skipped.
                            StringTokenizer stz = new StringTokenizer(val, ":");
                            if (stz.countTokens() == 4) {
                                LDAPURL url = LDAPURL.valueOf(stz.nextToken() + ":" + stz.nextToken());
                                if (primaryUrls.contains(url) || secondaryUrls.contains(url)) {
                                    tmpmin = stz.nextToken();
                                    tmpmax = stz.nextToken();
                                    break;
                                }
                            }
                        }
                        if (tmpmin != null) {
                            try {
                                min = Integer.parseInt(tmpmin);
                                max = Integer.parseInt(tmpmax);
                                if (max < min) {
                                    // Invalid configured sizes fall back to the full (not halved) defaults.
                                    debug.error("ldap connection pool max size is less than min size");
                                    min = minDefaultPoolSize;
                                    max = maxDefaultPoolSize;
                                }
                            } catch (NumberFormatException ex) {
                                debug.error("Invalid ldap connection pool size", ex);
                                min = minDefaultPoolSize;
                                max = maxDefaultPoolSize;
                            }
                        }
                    }
                    if (debug.messageEnabled()) {
                        debug.message("LDAPAuthUtils.LDAPAuthUtils: min=" + min + ", max=" + max);
                    }
                    if (isSecure) {
                        SSLContextBuilder builder = new SSLContextBuilder();
                        if (trustAll) {
                            // SECURITY: accepts any server certificate — see class-level note on this method.
                            builder.setTrustManager(TrustManagers.trustAll());
                        }
                        // With trustAll unset, no trust manager is configured and the SDK default applies.
                        SSLContext sslContext = builder.getSSLContext();
                        // The return value of set() is ignored here (other call sites reassign it);
                        // this relies on Options being mutated in place.
                        options.set(SSL_CONTEXT, sslContext);
                        if (useStartTLS) {
                            // Plain LDAP port upgraded via StartTLS instead of LDAPS.
                            options.set(SSL_USE_STARTTLS, true);
                        }
                    }
                    final ConnectionFactory connFactory;
                    // Only max is passed; the computed min does not influence the pool.
                    ConnectionFactory primaryCf = newFailoverConnectionPool(primaryUrls, bindingUser, bindingPwd, max, heartBeatInterval, heartBeatTimeUnit, options);
                    if (secondaryServers.isEmpty()) {
                        connFactory = primaryCf;
                    } else {
                        ConnectionFactory secondaryCf = newFailoverConnectionPool(secondaryUrls, bindingUser, bindingPwd, max, heartBeatInterval, heartBeatTimeUnit, options);
                        connFactory = Connections.newFailoverLoadBalancer(asList(primaryCf, secondaryCf), options);
                    }
                    // Release the pool's connections when the server shuts down.
                    ShutdownManager shutdownMan = com.sun.identity.common.ShutdownManager.getInstance();
                    shutdownMan.addShutdownListener(new ShutdownListener() {

                        public void shutdown() {
                            connFactory.close();
                        }
                    });
                    connPool = connFactory;
                    connectionPools.put(configName, connPool);
                }
            }
        }
    } catch (GeneralSecurityException gse) {
        // SSL context construction failed; surface it as the utility's own exception type.
        debug.error("Unable to create connection pool", gse);
        throw new LDAPUtilException(gse);
    }
    return connPool;
}
