use of org.forgerock.opendj.ldap.SearchResultReferenceIOException in project OpenAM by OpenRock.
the class DJLDAPv3Repo method getGroupMembers.
/**
* Returns the DNs of the members of this group. If the MemberURL attribute has been configured, then this
* will also try to retrieve dynamic group members using the memberURL.
*
* @param dn The DN of the group to query.
* @return The DNs of the members.
* @throws IdRepoException If there is an error while trying to retrieve the members.
*/
private Set<String> getGroupMembers(String dn) throws IdRepoException {
Set<String> results = new HashSet<String>();
Connection conn = null;
String[] attrs;
if (memberURLAttr != null) {
attrs = new String[] { uniqueMemberAttr, memberURLAttr };
} else {
attrs = new String[] { uniqueMemberAttr };
}
try {
conn = connectionFactory.getConnection();
SearchResultEntry entry = conn.searchSingleEntry(LDAPRequests.newSingleEntrySearchRequest(dn, attrs));
Attribute attr = entry.getAttribute(uniqueMemberAttr);
if (attr != null) {
results.addAll(LDAPUtils.getAttributeValuesAsStringSet(attr));
} else if (memberURLAttr != null) {
attr = entry.getAttribute(memberURLAttr);
if (attr != null) {
for (ByteString byteString : attr) {
LDAPUrl url = LDAPUrl.valueOf(byteString.toString());
SearchRequest searchRequest = LDAPRequests.newSearchRequest(url.getName(), url.getScope(), url.getFilter(), DN_ATTR);
searchRequest.setTimeLimit(defaultTimeLimit);
searchRequest.setSizeLimit(defaultSizeLimit);
ConnectionEntryReader reader = conn.search(searchRequest);
while (reader.hasNext()) {
if (reader.isEntry()) {
results.add(reader.readEntry().getName().toString());
} else {
//ignore search result references
reader.readReference();
}
}
}
}
}
} catch (LdapException ere) {
DEBUG.error("An error occurred while retrieving group members for " + dn, ere);
handleErrorResult(ere);
} catch (SearchResultReferenceIOException srrioe) {
//should never ever happen...
DEBUG.error("Got reference instead of entry", srrioe);
throw newIdRepoException(IdRepoErrorCode.SEARCH_FAILED, CLASS_NAME);
} finally {
IOUtils.closeIfNotNull(conn);
}
return results;
}
use of org.forgerock.opendj.ldap.SearchResultReferenceIOException in project OpenAM by OpenRock.
the class LDAPFilterCondition method searchFilterSatisfied.
/**
* returns a boolean result indicating if the specified
* <code>searchFilter</code> is satisfied by
* making a directory search using the filter.
*/
private boolean searchFilterSatisfied(String searchFilter) throws SSOException, PolicyException {
if (debug.messageEnabled()) {
debug.message("LDAPFilterCondition.searchFilterSatified():" + "entering, searchFitler=" + searchFilter);
}
boolean filterSatisfied = false;
String[] attrs = { userRDNAttrName };
// search the remote ldap
Connection ld = null;
try (Connection conn = connPool.getConnection()) {
SearchRequest searchRequest = LDAPRequests.newSearchRequest(baseDN, userSearchScope, searchFilter, attrs);
ConnectionEntryReader reader = conn.search(searchRequest);
if (reader.hasNext()) {
if (reader.isReference()) {
//Ignore
reader.readReference();
} else {
SearchResultEntry entry = reader.readEntry();
if (entry != null) {
String dn = entry.getName().toString();
if (dn != null && dn.length() != 0) {
debug.message("LDAPFilterCondition.searchFilterSatified(): dn={}", dn);
filterSatisfied = true;
}
}
}
}
} catch (LdapException le) {
ResultCode resultCode = le.getResult().getResultCode();
if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
debug.warning("LDAPFilterCondition.searchFilterSatified(): exceeded the size limit");
} else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
debug.warning("LDAPFilterCondition.searchFilterSatified(): exceeded the time limit");
} else if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
} else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
String[] objs = { baseDN };
throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_users_base_dn", objs, null);
}
String errorMsg = le.getMessage();
String additionalMsg = le.getResult().getDiagnosticMessage();
if (additionalMsg != null) {
throw new PolicyException(errorMsg + ": " + additionalMsg);
} else {
throw new PolicyException(errorMsg);
}
} catch (SearchResultReferenceIOException e) {
debug.warning("LDAPFilterCondition.searchFilterSatified()" + ": Partial results have been received, status code 9." + " The message provided by the LDAP server is: \n" + e.getMessage());
}
debug.message("LDAPFilterCondition.searchFilterSatified():returning, filterSatisfied={}", filterSatisfied);
return filterSatisfied;
}
use of org.forgerock.opendj.ldap.SearchResultReferenceIOException in project OpenAM by OpenRock.
the class LDAPUsers method getValidValues.
/**
* Returns a list of possible values for the <code>LDAPUsers
* </code> that satisfy the given <code>pattern</code>.
*
* @param token the <code>SSOToken</code> that will be used
* to determine the possible values
* @param pattern search pattern that will be used to narrow
* the list of valid names.
*
* @return <code>ValidValues</code> object
*
* @exception SSOException if <code>SSOToken</code> is not valid
* @exception PolicyException if unable to get the list of valid
* names.
*/
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
if (!initialized) {
throw (new PolicyException(ResBundleUtils.rbName, "ldapusers_subject_not_yet_initialized", null, null));
}
String searchFilter = getSearchFilter(pattern);
Set<String> validUserDNs = new HashSet<>();
int status = ValidValues.SUCCESS;
try (Connection ld = connPool.getConnection()) {
ConnectionEntryReader res = search(searchFilter, ld, userRDNAttrName);
while (res.hasNext()) {
try {
if (res.isEntry()) {
SearchResultEntry entry = res.readEntry();
String name = entry.getName().toString();
validUserDNs.add(name);
debug.message("LDAPUsers.getValidValues(): found user name={}", name);
} else {
// ignore referrals
debug.message("LDAPUsers.getValidValues(): Ignoring reference: {}", res.readReference());
}
} catch (LdapException e) {
ResultCode resultCode = e.getResult().getResultCode();
if (resultCode.equals(ResultCode.SIZE_LIMIT_EXCEEDED)) {
debug.warning("LDAPUsers.getValidValues(): exceeded the size limit");
status = ValidValues.SIZE_LIMIT_EXCEEDED;
} else if (resultCode.equals(ResultCode.TIME_LIMIT_EXCEEDED)) {
debug.warning("LDAPUsers.getValidValues(): exceeded the time limit");
status = ValidValues.TIME_LIMIT_EXCEEDED;
} else {
throw new PolicyException(e);
}
} catch (SearchResultReferenceIOException e) {
// ignore referrals
}
}
} catch (LdapException e) {
throw handleResultException(e);
}
return new ValidValues(status, validUserDNs);
}
use of org.forgerock.opendj.ldap.SearchResultReferenceIOException in project ddf by codice.
the class LdapClaimsHandler method retrieveClaimValues.
@Override
public ProcessedClaimCollection retrieveClaimValues(ClaimCollection claims, ClaimsParameters parameters) {
Principal principal = parameters.getPrincipal();
String user = AttributeMapLoader.getUser(principal);
if (user == null) {
LOGGER.info("Could not determine user name, possible authentication error. Returning no claims.");
return new ProcessedClaimCollection();
}
ProcessedClaimCollection claimsColl = new ProcessedClaimCollection();
Connection connection = null;
try {
AndFilter filter = new AndFilter();
filter.and(new EqualsFilter("objectclass", this.getObjectClass())).and(new EqualsFilter(this.getUserNameAttribute(), user));
List<String> searchAttributeList = new ArrayList<String>();
for (Claim claim : claims) {
if (getClaimsLdapAttributeMapping().keySet().contains(claim.getClaimType().toString())) {
searchAttributeList.add(getClaimsLdapAttributeMapping().get(claim.getClaimType().toString()));
} else {
LOGGER.debug("Unsupported claim: {}", claim.getClaimType());
}
}
String[] searchAttributes = null;
searchAttributes = searchAttributeList.toArray(new String[searchAttributeList.size()]);
connection = connectionFactory.getConnection();
if (connection != null) {
BindRequest request = BindMethodChooser.selectBindMethod(bindMethod, bindUserDN, bindUserCredentials, kerberosRealm, kdcAddress);
BindResult bindResult = connection.bind(request);
if (bindResult.isSuccess()) {
String baseDN = AttributeMapLoader.getBaseDN(principal, getUserBaseDN(), overrideCertDn);
LOGGER.trace("Executing ldap search with base dn of {} and filter of {}", baseDN, filter.toString());
ConnectionEntryReader entryReader = connection.search(baseDN, SearchScope.WHOLE_SUBTREE, filter.toString(), searchAttributes);
SearchResultEntry entry;
while (entryReader.hasNext()) {
entry = entryReader.readEntry();
for (Claim claim : claims) {
URI claimType = claim.getClaimType();
String ldapAttribute = getClaimsLdapAttributeMapping().get(claimType.toString());
Attribute attr = entry.getAttribute(ldapAttribute);
if (attr == null) {
LOGGER.trace("Claim '{}' is null", claim.getClaimType());
} else {
ProcessedClaim c = new ProcessedClaim();
c.setClaimType(claimType);
c.setPrincipal(principal);
for (ByteString value : attr) {
String itemValue = value.toString();
if (this.isX500FilterEnabled()) {
try {
X500Principal x500p = new X500Principal(itemValue);
itemValue = x500p.getName();
int index = itemValue.indexOf('=');
itemValue = itemValue.substring(index + 1, itemValue.indexOf(',', index));
} catch (Exception ex) {
// Ignore, not X500 compliant thus use the whole
// string as the value
LOGGER.debug("Not X500 compliant", ex);
}
}
c.addValue(itemValue);
}
claimsColl.add(c);
}
}
}
} else {
LOGGER.info("LDAP Connection failed.");
}
}
} catch (LdapException e) {
LOGGER.info("Cannot connect to server, therefore unable to set user attributes. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information");
LOGGER.debug("Cannot connect to server, therefore unable to set user attributes.", e);
} catch (SearchResultReferenceIOException e) {
LOGGER.info("Unable to set user attributes. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information");
LOGGER.debug("Unable to set user attributes.", e);
} finally {
if (connection != null) {
connection.close();
}
}
return claimsColl;
}
use of org.forgerock.opendj.ldap.SearchResultReferenceIOException in project ddf by codice.
the class RoleClaimsHandler method retrieveClaimValues.
@Override
public ProcessedClaimCollection retrieveClaimValues(ClaimCollection claims, ClaimsParameters parameters) {
String[] attributes = { groupNameAttribute, memberNameAttribute };
ProcessedClaimCollection claimsColl = new ProcessedClaimCollection();
Connection connection = null;
try {
Principal principal = parameters.getPrincipal();
String user = AttributeMapLoader.getUser(principal);
if (user == null) {
LOGGER.info("Could not determine user name, possible authentication error. Returning no claims.");
return new ProcessedClaimCollection();
}
connection = connectionFactory.getConnection();
if (connection != null) {
BindRequest request = BindMethodChooser.selectBindMethod(bindMethod, bindUserDN, bindUserCredentials, kerberosRealm, kdcAddress);
BindResult bindResult = connection.bind(request);
String membershipValue = user;
AndFilter filter;
ConnectionEntryReader entryReader;
if (!membershipUserAttribute.equals(loginUserAttribute)) {
String baseDN = AttributeMapLoader.getBaseDN(principal, userBaseDn, overrideCertDn);
filter = new AndFilter();
filter.and(new EqualsFilter(this.getLoginUserAttribute(), user));
entryReader = connection.search(baseDN, SearchScope.WHOLE_SUBTREE, filter.toString(), membershipUserAttribute);
while (entryReader.hasNext()) {
SearchResultEntry entry = entryReader.readEntry();
Attribute attr = entry.getAttribute(membershipUserAttribute);
if (attr != null) {
for (ByteString value : attr) {
membershipValue = value.toString();
}
}
}
}
filter = new AndFilter();
String userBaseDN = AttributeMapLoader.getBaseDN(principal, getUserBaseDn(), overrideCertDn);
filter.and(new EqualsFilter("objectClass", getObjectClass())).and(new EqualsFilter(getMemberNameAttribute(), getMembershipUserAttribute() + "=" + membershipValue + "," + userBaseDN));
if (bindResult.isSuccess()) {
LOGGER.trace("Executing ldap search with base dn of {} and filter of {}", groupBaseDn, filter.toString());
entryReader = connection.search(groupBaseDn, SearchScope.WHOLE_SUBTREE, filter.toString(), attributes);
SearchResultEntry entry;
while (entryReader.hasNext()) {
entry = entryReader.readEntry();
Attribute attr = entry.getAttribute(groupNameAttribute);
if (attr == null) {
LOGGER.trace("Claim '{}' is null", roleClaimType);
} else {
ProcessedClaim c = new ProcessedClaim();
c.setClaimType(getRoleURI());
c.setPrincipal(principal);
for (ByteString value : attr) {
String itemValue = value.toString();
c.addValue(itemValue);
}
claimsColl.add(c);
}
}
} else {
LOGGER.info("LDAP Connection failed.");
}
}
} catch (LdapException e) {
LOGGER.info("Cannot connect to server, therefore unable to set role claims. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information.");
LOGGER.debug("Cannot connect to server, therefore unable to set role claims.", e);
} catch (SearchResultReferenceIOException e) {
LOGGER.info("Unable to set role claims. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information.");
LOGGER.debug("Unable to set role claims.", e);
} finally {
if (connection != null) {
connection.close();
}
}
return claimsColl;
}
Aggregations