Search in sources :

Example 16 with SearchResultReferenceIOException

use of org.forgerock.opendj.ldap.SearchResultReferenceIOException in project OpenAM by OpenRock.

the class DJLDAPv3Repo method getGroupMembers.

/**
     * Returns the DNs of the members of this group. If the MemberURL attribute has been configured, then this
     * will also try to retrieve dynamic group members using the memberURL.
     *
     * @param dn The DN of the group to query.
     * @return The DNs of the members.
     * @throws IdRepoException If there is an error while trying to retrieve the members.
     */
private Set<String> getGroupMembers(String dn) throws IdRepoException {
    Set<String> results = new HashSet<String>();
    Connection conn = null;
    String[] attrs;
    if (memberURLAttr != null) {
        attrs = new String[] { uniqueMemberAttr, memberURLAttr };
    } else {
        attrs = new String[] { uniqueMemberAttr };
    }
    try {
        conn = connectionFactory.getConnection();
        SearchResultEntry entry = conn.searchSingleEntry(LDAPRequests.newSingleEntrySearchRequest(dn, attrs));
        Attribute attr = entry.getAttribute(uniqueMemberAttr);
        if (attr != null) {
            results.addAll(LDAPUtils.getAttributeValuesAsStringSet(attr));
        } else if (memberURLAttr != null) {
            attr = entry.getAttribute(memberURLAttr);
            if (attr != null) {
                for (ByteString byteString : attr) {
                    LDAPUrl url = LDAPUrl.valueOf(byteString.toString());
                    SearchRequest searchRequest = LDAPRequests.newSearchRequest(url.getName(), url.getScope(), url.getFilter(), DN_ATTR);
                    searchRequest.setTimeLimit(defaultTimeLimit);
                    searchRequest.setSizeLimit(defaultSizeLimit);
                    ConnectionEntryReader reader = conn.search(searchRequest);
                    while (reader.hasNext()) {
                        if (reader.isEntry()) {
                            results.add(reader.readEntry().getName().toString());
                        } else {
                            //ignore search result references
                            reader.readReference();
                        }
                    }
                }
            }
        }
    } catch (LdapException ere) {
        DEBUG.error("An error occurred while retrieving group members for " + dn, ere);
        handleErrorResult(ere);
    } catch (SearchResultReferenceIOException srrioe) {
        //should never ever happen...
        DEBUG.error("Got reference instead of entry", srrioe);
        throw newIdRepoException(IdRepoErrorCode.SEARCH_FAILED, CLASS_NAME);
    } finally {
        IOUtils.closeIfNotNull(conn);
    }
    return results;
}
Also used : SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest) Attribute(org.forgerock.opendj.ldap.Attribute) LinkedAttribute(org.forgerock.opendj.ldap.LinkedAttribute) ByteString(org.forgerock.opendj.ldap.ByteString) Connection(org.forgerock.opendj.ldap.Connection) ByteString(org.forgerock.opendj.ldap.ByteString) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) LDAPUrl(org.forgerock.opendj.ldap.LDAPUrl) LdapException(org.forgerock.opendj.ldap.LdapException) CaseInsensitiveHashSet(com.sun.identity.common.CaseInsensitiveHashSet) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 17 with SearchResultReferenceIOException

use of org.forgerock.opendj.ldap.SearchResultReferenceIOException in project OpenAM by OpenRock.

the class LDAPFilterCondition method searchFilterSatisfied.

/**
     * returns a boolean result indicating if the specified
     * <code>searchFilter</code> is satisfied by 
     * making a directory search using the filter.
     */
private boolean searchFilterSatisfied(String searchFilter) throws SSOException, PolicyException {
    if (debug.messageEnabled()) {
        debug.message("LDAPFilterCondition.searchFilterSatified():" + "entering, searchFitler=" + searchFilter);
    }
    boolean filterSatisfied = false;
    String[] attrs = { userRDNAttrName };
    // search the remote ldap         
    Connection ld = null;
    try (Connection conn = connPool.getConnection()) {
        SearchRequest searchRequest = LDAPRequests.newSearchRequest(baseDN, userSearchScope, searchFilter, attrs);
        ConnectionEntryReader reader = conn.search(searchRequest);
        if (reader.hasNext()) {
            if (reader.isReference()) {
                //Ignore
                reader.readReference();
            } else {
                SearchResultEntry entry = reader.readEntry();
                if (entry != null) {
                    String dn = entry.getName().toString();
                    if (dn != null && dn.length() != 0) {
                        debug.message("LDAPFilterCondition.searchFilterSatified(): dn={}", dn);
                        filterSatisfied = true;
                    }
                }
            }
        }
    } catch (LdapException le) {
        ResultCode resultCode = le.getResult().getResultCode();
        if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
            debug.warning("LDAPFilterCondition.searchFilterSatified(): exceeded the size limit");
        } else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
            debug.warning("LDAPFilterCondition.searchFilterSatified(): exceeded the time limit");
        } else if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
            throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
        } else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
            String[] objs = { baseDN };
            throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_users_base_dn", objs, null);
        }
        String errorMsg = le.getMessage();
        String additionalMsg = le.getResult().getDiagnosticMessage();
        if (additionalMsg != null) {
            throw new PolicyException(errorMsg + ": " + additionalMsg);
        } else {
            throw new PolicyException(errorMsg);
        }
    } catch (SearchResultReferenceIOException e) {
        debug.warning("LDAPFilterCondition.searchFilterSatified()" + ": Partial results have been received, status code 9." + " The message provided by the LDAP server is: \n" + e.getMessage());
    }
    debug.message("LDAPFilterCondition.searchFilterSatified():returning, filterSatisfied={}", filterSatisfied);
    return filterSatisfied;
}
Also used : SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) PolicyException(com.sun.identity.policy.PolicyException) Connection(org.forgerock.opendj.ldap.Connection) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) LdapException(org.forgerock.opendj.ldap.LdapException) ResultCode(org.forgerock.opendj.ldap.ResultCode) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 18 with SearchResultReferenceIOException

use of org.forgerock.opendj.ldap.SearchResultReferenceIOException in project OpenAM by OpenRock.

the class LDAPUsers method getValidValues.

/**
     * Returns a list of possible values for the <code>LDAPUsers
     * </code> that satisfy the given <code>pattern</code>.
     *
     * @param token the <code>SSOToken</code> that will be used
     * to determine the possible values
     * @param pattern search pattern that will be used to narrow
     * the list of valid names.
     *
     * @return <code>ValidValues</code> object
     *
     * @exception SSOException if <code>SSOToken</code> is not valid
     * @exception PolicyException if unable to get the list of valid
     * names.
     */
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
    if (!initialized) {
        throw (new PolicyException(ResBundleUtils.rbName, "ldapusers_subject_not_yet_initialized", null, null));
    }
    String searchFilter = getSearchFilter(pattern);
    Set<String> validUserDNs = new HashSet<>();
    int status = ValidValues.SUCCESS;
    try (Connection ld = connPool.getConnection()) {
        ConnectionEntryReader res = search(searchFilter, ld, userRDNAttrName);
        while (res.hasNext()) {
            try {
                if (res.isEntry()) {
                    SearchResultEntry entry = res.readEntry();
                    String name = entry.getName().toString();
                    validUserDNs.add(name);
                    debug.message("LDAPUsers.getValidValues(): found user name={}", name);
                } else {
                    // ignore referrals
                    debug.message("LDAPUsers.getValidValues(): Ignoring reference: {}", res.readReference());
                }
            } catch (LdapException e) {
                ResultCode resultCode = e.getResult().getResultCode();
                if (resultCode.equals(ResultCode.SIZE_LIMIT_EXCEEDED)) {
                    debug.warning("LDAPUsers.getValidValues(): exceeded the size limit");
                    status = ValidValues.SIZE_LIMIT_EXCEEDED;
                } else if (resultCode.equals(ResultCode.TIME_LIMIT_EXCEEDED)) {
                    debug.warning("LDAPUsers.getValidValues(): exceeded the time limit");
                    status = ValidValues.TIME_LIMIT_EXCEEDED;
                } else {
                    throw new PolicyException(e);
                }
            } catch (SearchResultReferenceIOException e) {
            // ignore referrals
            }
        }
    } catch (LdapException e) {
        throw handleResultException(e);
    }
    return new ValidValues(status, validUserDNs);
}
Also used : ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) PolicyException(com.sun.identity.policy.PolicyException) ValidValues(com.sun.identity.policy.ValidValues) Connection(org.forgerock.opendj.ldap.Connection) ByteString(org.forgerock.opendj.ldap.ByteString) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) LdapException(org.forgerock.opendj.ldap.LdapException) ResultCode(org.forgerock.opendj.ldap.ResultCode) HashSet(java.util.HashSet) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 19 with SearchResultReferenceIOException

use of org.forgerock.opendj.ldap.SearchResultReferenceIOException in project ddf by codice.

the class LdapClaimsHandler method retrieveClaimValues.

@Override
public ProcessedClaimCollection retrieveClaimValues(ClaimCollection claims, ClaimsParameters parameters) {
    Principal principal = parameters.getPrincipal();
    String user = AttributeMapLoader.getUser(principal);
    if (user == null) {
        LOGGER.info("Could not determine user name, possible authentication error. Returning no claims.");
        return new ProcessedClaimCollection();
    }
    ProcessedClaimCollection claimsColl = new ProcessedClaimCollection();
    Connection connection = null;
    try {
        AndFilter filter = new AndFilter();
        filter.and(new EqualsFilter("objectclass", this.getObjectClass())).and(new EqualsFilter(this.getUserNameAttribute(), user));
        List<String> searchAttributeList = new ArrayList<String>();
        for (Claim claim : claims) {
            if (getClaimsLdapAttributeMapping().keySet().contains(claim.getClaimType().toString())) {
                searchAttributeList.add(getClaimsLdapAttributeMapping().get(claim.getClaimType().toString()));
            } else {
                LOGGER.debug("Unsupported claim: {}", claim.getClaimType());
            }
        }
        String[] searchAttributes = null;
        searchAttributes = searchAttributeList.toArray(new String[searchAttributeList.size()]);
        connection = connectionFactory.getConnection();
        if (connection != null) {
            BindRequest request = BindMethodChooser.selectBindMethod(bindMethod, bindUserDN, bindUserCredentials, kerberosRealm, kdcAddress);
            BindResult bindResult = connection.bind(request);
            if (bindResult.isSuccess()) {
                String baseDN = AttributeMapLoader.getBaseDN(principal, getUserBaseDN(), overrideCertDn);
                LOGGER.trace("Executing ldap search with base dn of {} and filter of {}", baseDN, filter.toString());
                ConnectionEntryReader entryReader = connection.search(baseDN, SearchScope.WHOLE_SUBTREE, filter.toString(), searchAttributes);
                SearchResultEntry entry;
                while (entryReader.hasNext()) {
                    entry = entryReader.readEntry();
                    for (Claim claim : claims) {
                        URI claimType = claim.getClaimType();
                        String ldapAttribute = getClaimsLdapAttributeMapping().get(claimType.toString());
                        Attribute attr = entry.getAttribute(ldapAttribute);
                        if (attr == null) {
                            LOGGER.trace("Claim '{}' is null", claim.getClaimType());
                        } else {
                            ProcessedClaim c = new ProcessedClaim();
                            c.setClaimType(claimType);
                            c.setPrincipal(principal);
                            for (ByteString value : attr) {
                                String itemValue = value.toString();
                                if (this.isX500FilterEnabled()) {
                                    try {
                                        X500Principal x500p = new X500Principal(itemValue);
                                        itemValue = x500p.getName();
                                        int index = itemValue.indexOf('=');
                                        itemValue = itemValue.substring(index + 1, itemValue.indexOf(',', index));
                                    } catch (Exception ex) {
                                        // Ignore, not X500 compliant thus use the whole
                                        // string as the value
                                        LOGGER.debug("Not X500 compliant", ex);
                                    }
                                }
                                c.addValue(itemValue);
                            }
                            claimsColl.add(c);
                        }
                    }
                }
            } else {
                LOGGER.info("LDAP Connection failed.");
            }
        }
    } catch (LdapException e) {
        LOGGER.info("Cannot connect to server, therefore unable to set user attributes. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information");
        LOGGER.debug("Cannot connect to server, therefore unable to set user attributes.", e);
    } catch (SearchResultReferenceIOException e) {
        LOGGER.info("Unable to set user attributes. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information");
        LOGGER.debug("Unable to set user attributes.", e);
    } finally {
        if (connection != null) {
            connection.close();
        }
    }
    return claimsColl;
}
Also used : ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection) Attribute(org.forgerock.opendj.ldap.Attribute) ByteString(org.forgerock.opendj.ldap.ByteString) Connection(org.forgerock.opendj.ldap.Connection) ArrayList(java.util.ArrayList) BindRequest(org.forgerock.opendj.ldap.requests.BindRequest) ByteString(org.forgerock.opendj.ldap.ByteString) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) URI(java.net.URI) LdapException(org.forgerock.opendj.ldap.LdapException) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) AndFilter(org.springframework.ldap.filter.AndFilter) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) ProcessedClaim(org.apache.cxf.sts.claims.ProcessedClaim) BindResult(org.forgerock.opendj.ldap.responses.BindResult) X500Principal(javax.security.auth.x500.X500Principal) EqualsFilter(org.springframework.ldap.filter.EqualsFilter) LdapException(org.forgerock.opendj.ldap.LdapException) X500Principal(javax.security.auth.x500.X500Principal) Principal(java.security.Principal) ProcessedClaim(org.apache.cxf.sts.claims.ProcessedClaim) Claim(org.apache.cxf.rt.security.claims.Claim) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 20 with SearchResultReferenceIOException

use of org.forgerock.opendj.ldap.SearchResultReferenceIOException in project ddf by codice.

the class RoleClaimsHandler method retrieveClaimValues.

@Override
public ProcessedClaimCollection retrieveClaimValues(ClaimCollection claims, ClaimsParameters parameters) {
    String[] attributes = { groupNameAttribute, memberNameAttribute };
    ProcessedClaimCollection claimsColl = new ProcessedClaimCollection();
    Connection connection = null;
    try {
        Principal principal = parameters.getPrincipal();
        String user = AttributeMapLoader.getUser(principal);
        if (user == null) {
            LOGGER.info("Could not determine user name, possible authentication error. Returning no claims.");
            return new ProcessedClaimCollection();
        }
        connection = connectionFactory.getConnection();
        if (connection != null) {
            BindRequest request = BindMethodChooser.selectBindMethod(bindMethod, bindUserDN, bindUserCredentials, kerberosRealm, kdcAddress);
            BindResult bindResult = connection.bind(request);
            String membershipValue = user;
            AndFilter filter;
            ConnectionEntryReader entryReader;
            if (!membershipUserAttribute.equals(loginUserAttribute)) {
                String baseDN = AttributeMapLoader.getBaseDN(principal, userBaseDn, overrideCertDn);
                filter = new AndFilter();
                filter.and(new EqualsFilter(this.getLoginUserAttribute(), user));
                entryReader = connection.search(baseDN, SearchScope.WHOLE_SUBTREE, filter.toString(), membershipUserAttribute);
                while (entryReader.hasNext()) {
                    SearchResultEntry entry = entryReader.readEntry();
                    Attribute attr = entry.getAttribute(membershipUserAttribute);
                    if (attr != null) {
                        for (ByteString value : attr) {
                            membershipValue = value.toString();
                        }
                    }
                }
            }
            filter = new AndFilter();
            String userBaseDN = AttributeMapLoader.getBaseDN(principal, getUserBaseDn(), overrideCertDn);
            filter.and(new EqualsFilter("objectClass", getObjectClass())).and(new EqualsFilter(getMemberNameAttribute(), getMembershipUserAttribute() + "=" + membershipValue + "," + userBaseDN));
            if (bindResult.isSuccess()) {
                LOGGER.trace("Executing ldap search with base dn of {} and filter of {}", groupBaseDn, filter.toString());
                entryReader = connection.search(groupBaseDn, SearchScope.WHOLE_SUBTREE, filter.toString(), attributes);
                SearchResultEntry entry;
                while (entryReader.hasNext()) {
                    entry = entryReader.readEntry();
                    Attribute attr = entry.getAttribute(groupNameAttribute);
                    if (attr == null) {
                        LOGGER.trace("Claim '{}' is null", roleClaimType);
                    } else {
                        ProcessedClaim c = new ProcessedClaim();
                        c.setClaimType(getRoleURI());
                        c.setPrincipal(principal);
                        for (ByteString value : attr) {
                            String itemValue = value.toString();
                            c.addValue(itemValue);
                        }
                        claimsColl.add(c);
                    }
                }
            } else {
                LOGGER.info("LDAP Connection failed.");
            }
        }
    } catch (LdapException e) {
        LOGGER.info("Cannot connect to server, therefore unable to set role claims. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information.");
        LOGGER.debug("Cannot connect to server, therefore unable to set role claims.", e);
    } catch (SearchResultReferenceIOException e) {
        LOGGER.info("Unable to set role claims. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information.");
        LOGGER.debug("Unable to set role claims.", e);
    } finally {
        if (connection != null) {
            connection.close();
        }
    }
    return claimsColl;
}
Also used : ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection) Attribute(org.forgerock.opendj.ldap.Attribute) ByteString(org.forgerock.opendj.ldap.ByteString) Connection(org.forgerock.opendj.ldap.Connection) BindRequest(org.forgerock.opendj.ldap.requests.BindRequest) ByteString(org.forgerock.opendj.ldap.ByteString) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) AndFilter(org.springframework.ldap.filter.AndFilter) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) ProcessedClaim(org.apache.cxf.sts.claims.ProcessedClaim) BindResult(org.forgerock.opendj.ldap.responses.BindResult) EqualsFilter(org.springframework.ldap.filter.EqualsFilter) LdapException(org.forgerock.opendj.ldap.LdapException) Principal(java.security.Principal) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Aggregations

LdapException (org.forgerock.opendj.ldap.LdapException)21 SearchResultReferenceIOException (org.forgerock.opendj.ldap.SearchResultReferenceIOException)21 SearchResultEntry (org.forgerock.opendj.ldap.responses.SearchResultEntry)18 ConnectionEntryReader (org.forgerock.opendj.ldif.ConnectionEntryReader)18 Connection (org.forgerock.opendj.ldap.Connection)16 ByteString (org.forgerock.opendj.ldap.ByteString)14 HashSet (java.util.HashSet)10 SearchRequest (org.forgerock.opendj.ldap.requests.SearchRequest)9 LinkedHashSet (java.util.LinkedHashSet)8 Attribute (org.forgerock.opendj.ldap.Attribute)8 ResultCode (org.forgerock.opendj.ldap.ResultCode)7 CaseInsensitiveHashSet (com.sun.identity.common.CaseInsensitiveHashSet)5 Filter (org.forgerock.opendj.ldap.Filter)5 PolicyException (com.sun.identity.policy.PolicyException)4 DN (org.forgerock.opendj.ldap.DN)4 LinkedAttribute (org.forgerock.opendj.ldap.LinkedAttribute)4 SSOException (com.iplanet.sso.SSOException)2 InvalidNameException (com.sun.identity.policy.InvalidNameException)2 NameNotFoundException (com.sun.identity.policy.NameNotFoundException)2 ValidValues (com.sun.identity.policy.ValidValues)2