Use of org.forgerock.opendj.ldap.controls.Control in project OpenAM by OpenRock: class LDAPAuthUtils, method authenticate().
/**
 * Binds to the directory as {@code userDN} with {@code userPassword} and translates the outcome
 * into a module state or an {@link LDAPUtilException}.
 * <p>
 * When {@code beheraEnabled} is set, the password-policy request control is attached to the bind
 * so the server can report expiry/lockout information. Any password-policy response controls on
 * the bind result are decoded by {@link #processControls} and, if present, handed to
 * {@link #processPasswordPolicyControls}; otherwise the state becomes {@code SUCCESS}. The bind
 * connection is closed before the result is interpreted.
 * <p>
 * NOTE(review): an unknown DN ({@code NO_SUCH_OBJECT}) and a wrong password
 * ({@code INVALID_CREDENTIALS}) are reported to the caller as different exception keys. If that
 * distinction reaches the end user it allows account enumeration; callers should map both to one
 * generic failure message. The {@code UNWILLING_TO_PERFORM} branch forwards the server's own
 * message as an exception argument — confirm it is not rendered verbatim either.
 *
 * @throws LDAPUtilException when the bind fails for a reason that is not reported through
 *         {@code setState} (server down, password expired, account locked are states; invalid
 *         credentials, unknown user and the remaining failures are exceptions)
 */
private void authenticate() throws LDAPUtilException {
    List<Control> responseControls = null;
    try {
        Connection conn = null;
        try {
            BindRequest bind = LDAPRequests.newSimpleBindRequest(userDN, userPassword.toCharArray());
            if (beheraEnabled) {
                // Ask the server to include password-policy state in the bind response.
                bind.addControl(PasswordPolicyRequestControl.newControl(false));
            }
            conn = getConnection();
            responseControls = processControls(conn.bind(bind));
        } finally {
            if (conn != null) {
                conn.close();
            }
        }
        PasswordPolicyResult policy = checkControls(responseControls);
        if (policy != null) {
            processPasswordPolicyControls(policy);
        } else {
            if (debug.messageEnabled()) {
                debug.message("No controls returned");
            }
            setState(ModuleState.SUCCESS);
        }
    } catch (LdapException ere) {
        interpretBindFailure(ere);
    }
}

/**
 * Maps a failed bind to a module state or an exception, keyed on the LDAP result code.
 *
 * @param ere the bind failure; its result code and controls drive the decision
 * @throws LDAPUtilException for every failure that is not expressed as a module state
 */
private void interpretBindFailure(LdapException ere) throws LDAPUtilException {
    Result failure = ere.getResult();
    ResultCode code = failure.getResultCode();
    if (code.equals(ResultCode.INVALID_CREDENTIALS)) {
        if (isAd) {
            interpretAdInvalidCredentials(failure);
        } else {
            interpretInvalidCredentials(failure);
        }
    } else if (code.equals(ResultCode.NO_SUCH_OBJECT)) {
        if (debug.messageEnabled()) {
            debug.message("user does not exist");
        }
        // NOTE(review): distinct from CredInvalid — see the enumeration caveat on authenticate().
        throw new LDAPUtilException("UsrNotExist", ResultCode.NO_SUCH_OBJECT, null);
    } else if (indicatesServerUnreachable(code)) {
        if (debug.messageEnabled()) {
            debug.message("Cannot connect to " + servers, ere);
        }
        setState(ModuleState.SERVER_DOWN);
    } else if (code.equals(ResultCode.UNWILLING_TO_PERFORM)) {
        if (debug.messageEnabled()) {
            debug.message(servers + " unwilling to perform auth request");
        }
        // err=53 covers several server-side conditions:
        //  - disconnect in progress
        //  - backend unavailable (read-only, etc.)
        //  - server locked down
        //  - unauthenticated requests rejected
        //  - low disk space (updates only)
        //  - bind with no password (binds only)
        // The server's message is passed on as the exception argument.
        String[] args = { ere.getMessage() };
        throw new LDAPUtilException("FConnect", ResultCode.UNWILLING_TO_PERFORM, args);
    } else if (code.equals(ResultCode.INAPPROPRIATE_AUTHENTICATION)) {
        if (debug.messageEnabled()) {
            debug.message("Failed auth due to inappropriate authentication");
        }
        throw new LDAPUtilException("amAuth", "InappAuth", ResultCode.INAPPROPRIATE_AUTHENTICATION, null);
    } else if (code.equals(ResultCode.CONSTRAINT_VIOLATION)) {
        // A constraint violation on a bind is treated here as the password retry limit being exceeded.
        if (debug.messageEnabled()) {
            debug.message("Exceed password retry limit.");
        }
        throw new LDAPUtilException(ISAuthConstants.EXCEED_RETRY_LIMIT, ResultCode.CONSTRAINT_VIOLATION, null);
    } else {
        if (debug.messageEnabled()) {
            debug.message("Cannot authenticate to " + servers, ere);
        }
        throw new LDAPUtilException("amAuth", "FAuth", null, null);
    }
}

/**
 * Handles {@code INVALID_CREDENTIALS} from a non-AD directory using the password-policy response
 * controls attached to the failure: expired password and locked account become module states,
 * anything else is reported as invalid credentials.
 *
 * @param failure the bind result carrying the response controls
 * @throws LDAPUtilException with key {@code CredInvalid} when the password itself was wrong
 */
private void interpretInvalidCredentials(Result failure) throws LDAPUtilException {
    PasswordPolicyResult policy = checkControls(processControls(failure));
    PasswordPolicyErrorType error = policy == null ? null : policy.getPasswordPolicyErrorType();
    if (PasswordPolicyErrorType.PASSWORD_EXPIRED.equals(error)) {
        if (policy.getPasswordPolicyWarningType() != null) {
            // Expired-password error accompanied by a warning: the supplied credential was wrong.
            throw new LDAPUtilException("CredInvalid", ResultCode.INVALID_CREDENTIALS, null);
        }
        if (debug.messageEnabled()) {
            debug.message("Password expired and must be reset");
        }
        setState(ModuleState.PASSWORD_EXPIRED_STATE);
    } else if (PasswordPolicyErrorType.ACCOUNT_LOCKED.equals(error)) {
        if (debug.messageEnabled()) {
            debug.message("Account Locked");
        }
        processPasswordPolicyControls(policy);
    } else {
        if (debug.messageEnabled()) {
            debug.message("Failed auth due to invalid credentials");
        }
        throw new LDAPUtilException("CredInvalid", ResultCode.INVALID_CREDENTIALS, null);
    }
}

/**
 * Handles {@code INVALID_CREDENTIALS} from Active Directory. Here the reason is taken from the
 * diagnostic message ({@link #checkADResult}) rather than from response controls.
 *
 * @param failure the bind result whose diagnostic message is parsed
 * @throws LDAPUtilException with key {@code CredInvalid} when no password-policy reason is found
 */
private void interpretAdInvalidCredentials(Result failure) throws LDAPUtilException {
    PasswordPolicyResult policy = checkADResult(failure.getDiagnosticMessage());
    if (policy == null) {
        if (debug.messageEnabled()) {
            debug.message("Failed auth due to invalid credentials");
        }
        throw new LDAPUtilException("CredInvalid", ResultCode.INVALID_CREDENTIALS, null);
    }
    processPasswordPolicyControls(policy);
}

/**
 * @param code an LDAP result code
 * @return {@code true} for the client- and server-side codes this class treats as "server down"
 */
private boolean indicatesServerUnreachable(ResultCode code) {
    return code.equals(ResultCode.CLIENT_SIDE_CONNECT_ERROR)
            || code.equals(ResultCode.CLIENT_SIDE_SERVER_DOWN)
            || code.equals(ResultCode.UNAVAILABLE)
            || code.equals(ResultCode.CLIENT_SIDE_TIMEOUT);
}
Use of org.forgerock.opendj.ldap.controls.Control in project OpenAM by OpenRock: class LDAPAuthUtils, method changePassword().
/**
 * Changes the user's password to {@code password}.
 * <p>
 * Client-side checks run first: the new password must differ from the current one, must equal its
 * confirmation and must not equal the user id. These are plain case-sensitive string comparisons
 * offered for convenience; the directory's own password policy remains the authority on quality.
 * <p>
 * For non-AD directories the connection is bound as the user with {@code oldPwd}, so the server
 * verifies the old password and the modify runs under the user's identity. For Active Directory the
 * modify runs over the admin connection and deletes the encoded old value before adding the new one.
 * NOTE(review): on the AD path the old password is never verified by a bind — only by that
 * delete-old-value modification; confirm the target AD rejects the modify when the old value does
 * not match.
 * <p>
 * The outcome is reported through {@code setState}. Password-policy response controls returned on
 * success or on failure are interpreted by {@link #processPasswordPolicyControls}.
 *
 * @param oldPwd current password entered by the user
 * @param password new password entered by the user
 * @param confirmPassword confirmation of the new password
 * @throws LDAPUtilException declared for callers; presumably raised while interpreting
 *         password-policy controls (not thrown directly from this method)
 */
public void changePassword(String oldPwd, String password, String confirmPassword) throws LDAPUtilException {
    if (password.equals(oldPwd)) {
        // New password equal to the current one (state name is historic).
        setState(ModuleState.WRONG_PASSWORD_ENTERED);
        return;
    }
    if (!password.equals(confirmPassword)) {
        setState(ModuleState.PASSWORD_MISMATCH);
        return;
    }
    if (password.equals(userId)) {
        setState(ModuleState.USER_PASSWORD_SAME);
        return;
    }
    Connection modConn = null;
    try {
        ModifyRequest change = LDAPRequests.newModifyRequest(userDN);
        if (beheraEnabled) {
            change.addControl(PasswordPolicyRequestControl.newControl(false));
        }
        if (isAd) {
            // AD: encoded old value removed and new value added in a single modify over the admin connection.
            change.addModification(ModificationType.DELETE, AD_PASSWD_ATTR, updateADPassword(oldPwd));
            change.addModification(ModificationType.ADD, AD_PASSWD_ATTR, updateADPassword(password));
            modConn = getAdminConnection();
        } else {
            // Other directories: bind as the user with the old password, then modify as that user.
            change.addModification(ModificationType.DELETE, LDAP_PASSWD_ATTR, oldPwd);
            change.addModification(ModificationType.ADD, LDAP_PASSWD_ATTR, password);
            modConn = getConnection();
            modConn.bind(LDAPRequests.newSimpleBindRequest(userDN, oldPwd.toCharArray()));
        }
        PasswordPolicyResult policy = checkControls(processControls(modConn.modify(change)));
        if (policy != null) {
            processPasswordPolicyControls(policy);
        } else {
            if (debug.messageEnabled()) {
                debug.message("No controls returned");
            }
            setState(ModuleState.PASSWORD_UPDATED_SUCCESSFULLY);
        }
    } catch (LdapException ere) {
        Result failure = ere.getResult();
        ResultCode code = failure.getResultCode();
        if (code.equals(ResultCode.CONSTRAINT_VIOLATION)) {
            PasswordPolicyResult policy = checkControls(processControls(failure));
            if (policy != null) {
                processPasswordPolicyControls(policy);
            } else if (isAd) {
                setState(ModuleState.PASSWORD_NOT_UPDATE);
            } else {
                setState(ModuleState.INSUFFICIENT_PASSWORD_QUALITY);
            }
        } else if (code.equals(ResultCode.CLIENT_SIDE_CONNECT_ERROR)
                || code.equals(ResultCode.CLIENT_SIDE_SERVER_DOWN)
                || code.equals(ResultCode.UNAVAILABLE)
                || code.equals(ResultCode.CLIENT_SIDE_TIMEOUT)) {
            if (debug.messageEnabled()) {
                debug.message("changepassword:Cannot connect to " + servers + ": ", ere);
            }
            setState(ModuleState.SERVER_DOWN);
            // Deliberately skips the "Cannot update" warning below; finally still closes modConn.
            return;
        } else if (code.equals(ResultCode.UNWILLING_TO_PERFORM)) {
            PasswordPolicyResult policy = checkControls(processControls(failure));
            if (policy != null) {
                processPasswordPolicyControls(policy);
            } else {
                setState(ModuleState.INSUFFICIENT_PASSWORD_QUALITY);
            }
        } else if (code.equals(ResultCode.INVALID_CREDENTIALS)) {
            // Wrong old password (non-AD bind) or a policy rejection: report any controls, then fail.
            PasswordPolicyResult policy = checkControls(processControls(failure));
            if (policy != null) {
                processPasswordPolicyControls(policy);
            }
            setState(ModuleState.PASSWORD_NOT_UPDATE);
        } else {
            setState(ModuleState.PASSWORD_NOT_UPDATE);
        }
        if (debug.warningEnabled()) {
            debug.warning("Cannot update : ", ere);
        }
    } finally {
        if (modConn != null) {
            modConn.close();
        }
    }
}
Use of org.forgerock.opendj.ldap.controls.Control in project OpenAM by OpenRock: class LDAPAuthUtils, method processControls().
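/**
 * Extracts the password-policy related response controls from an LDAP result.
 * <p>
 * Three controls are looked for: {@link PasswordExpiredResponseControl},
 * {@link PasswordExpiringResponseControl} and {@link PasswordPolicyResponseControl}. Each one that
 * is present and decodes cleanly is added to the returned list.
 * <p>
 * A control that fails to decode is logged at warning level and skipped, so a malformed control
 * value degrades to "no policy information" for the caller instead of failing the operation.
 * NOTE(review): callers treat an empty list as a plain success or failure, so a server sending an
 * undecodable lockout/expiry control is silently ignored — confirm this fail-open behaviour is
 * intended.
 *
 * @param result the bind or modify result to inspect; may be {@code null}
 * @return the decoded controls found, possibly empty, never {@code null}
 */
private List<Control> processControls(Result result) {
    if (result == null) {
        // Typed empty list instead of the raw Collections.EMPTY_LIST.
        return Collections.<Control>emptyList();
    }
    List<Control> controls = new ArrayList<>();
    DecodeOptions options = new DecodeOptions();
    try {
        Control c = result.getControl(PasswordExpiredResponseControl.DECODER, options);
        if (c != null) {
            controls.add(c);
        }
    } catch (DecodeException de) {
        if (debug.warningEnabled()) {
            debug.warning("unable to decode PasswordExpiredResponseControl", de);
        }
    }
    try {
        Control c = result.getControl(PasswordExpiringResponseControl.DECODER, options);
        if (c != null) {
            controls.add(c);
        }
    } catch (DecodeException de) {
        if (debug.warningEnabled()) {
            debug.warning("unable to decode PasswordExpiringResponseControl", de);
        }
    }
    try {
        Control c = result.getControl(PasswordPolicyResponseControl.DECODER, options);
        if (c != null) {
            controls.add(c);
        }
    } catch (DecodeException de) {
        if (debug.warningEnabled()) {
            debug.warning("unable to decode PasswordPolicyResponseControl", de);
        }
    }
    return controls;
}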
Use of org.forgerock.opendj.ldap.controls.Control in project OpenAM by OpenRock: class LDAPv3PersistentSearch, method startSearch().
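/**
 * Starts the asynchronous persistent search on {@code conn}.
 * <p>
 * If the search mode has not been detected yet, {@link #detectPersistentSearchMode} is run first
 * (the original comment indicates it raises an exception when detection fails). The request control
 * and attribute list then depend on the mode: the standard persistent-search control for
 * {@code STANDARD}, the AD change-notification control for {@code AD}; {@code NONE} logs an error
 * and returns without starting a search. Both controls are requested as critical, so a server that
 * does not recognise the control must reject the request rather than run a plain one-shot search.
 * Caches are cleared immediately before the search starts so that nothing stale survives the period
 * in which no persistent search was running.
 *
 * @param conn the connection the search is issued on
 * @throws LdapException if mode detection or the search request fails
 * @throws IllegalStateException if {@code mode} holds a value this method does not handle
 */
private void startSearch(Connection conn) throws LdapException {
    if (mode == null) {
        detectPersistentSearchMode(conn);
    }
    Control control;
    List<String> attributes;
    switch (mode) {
        case NONE:
            DEBUG.error("Persistent search is not supported by the directory, persistent search will be disabled");
            return;
        case STANDARD:
            control = PersistentSearchRequestControl.newControl(IS_CRITICAL, CHANGES_ONLY, RETURN_CONTROLS,
                    EnumSet.allOf(PersistentSearchChangeType.class));
            attributes = new ArrayList<>(attributeNames);
            break;
        case AD:
            control = GenericControl.newControl(AD_NOTIFICATION_OID, true);
            attributes = new ArrayList<>(attributeNames);
            attributes.addAll(AD_DEFAULT_ATTRIBUTES);
            break;
        default:
            // Previously an unhandled mode fell out of the switch with a null control; fail explicitly instead.
            throw new IllegalStateException("Unsupported persistent search mode: " + mode);
    }
    attributes.add(DN_ATTR);
    String[] attrs = attributes.toArray(new String[0]);
    SearchRequest searchRequest = LDAPRequests.newSearchRequest(searchBaseDN, searchScope, searchFilter, attrs);
    searchRequest.addControl(control);
    if (DEBUG.messageEnabled()) {
        DEBUG.message("Starting persistent search against baseDN: " + searchBaseDN + ", scope: " + searchScope.toString() + ", filter: " + searchFilter + ", attrs: " + Arrays.toString(attrs) + " against " + factory.toString());
    }
    // The search was not running until now: drop anything cached meanwhile and start clean.
    clearCaches();
    futureResult = conn.searchAsync(searchRequest, null, new PersistentSearchResultHandler());
}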
Use of org.forgerock.opendj.ldap.controls.Control in project OpenAM by OpenRock: class SearchResults, method get().
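/**
 * Returns a search-result attribute for this result set.
 * <p>
 * Ordinary attributes are read from {@code m_attrHash}. The VLV response attributes
 * ({@code VLVRESPONSE_*}) are read from the {@link VirtualListViewResponseControl} attached to the
 * current entry. If no controls have arrived yet and {@code EXPECT_VLV_RESPONSE} is set, a probe
 * search with a one-entry VLV window and the same filter, scope and sort keys is run against the
 * parent container purely to obtain the response control (and its content count); the probe's result
 * set answers the query and is flagged not to probe again.
 *
 * @param name name of the attribute to return
 * @return the attribute value, or {@code null} if the attribute is unknown, no entry is current, or
 *         no VLV response control is available
 * @throws UMSException from accessor methods on the LDAPVirtualListResponse control
 *
 * @supported.api
 */
public Object get(String name) throws UMSException {
    if (!isVLVAttrs(name)) {
        return m_attrHash == null ? null : m_attrHash.get(name);
    }
    if (currentEntry == null) {
        return null;
    }
    List<Control> ctrls = currentEntry.getControls();
    if (ctrls == null && expectVlvResponse()) {
        PersistentObject parent = getParentContainer();
        synchronized (this) {
            // Probe: VLV range of a single entry, sorted on objectclass unless the caller supplied
            // sort keys, so the server returns the response control without the full result set.
            String[] sortAttrNames = { "objectclass" };
            SortKey[] sortKeys = (SortKey[]) get(SearchResults.SORT_KEYS);
            String filter = (String) get(SearchResults.SEARCH_FILTER);
            Integer scopeVal = (Integer) get(SearchResults.SEARCH_SCOPE);
            int scope = scopeVal == null ? SearchControl.SCOPE_SUB : scopeVal.intValue();
            SearchControl testControl = new SearchControl();
            testControl.setVLVRange(1, 0, 0);
            if (sortKeys == null) {
                testControl.setSortKeys(sortAttrNames);
            } else {
                testControl.setSortKeys(sortKeys);
            }
            testControl.setSearchScope(scope);
            SearchResults testResults = parent.search(filter, sortAttrNames, testControl);
            // The response control is only available once the result set has been enumerated.
            while (testResults.hasMoreElements()) {
                testResults.next();
            }
            // Stop the probe's own get() from launching a further probe.
            testResults.set(SearchResults.EXPECT_VLV_RESPONSE, Boolean.FALSE);
            return testResults.get(name);
        }
    }
    // The control can legitimately be absent.
    if (ctrls == null) {
        return null;
    }
    // Select the VLV response control; if several match, the last one wins (as before).
    // The instanceof guard avoids a ClassCastException when the list holds a control that merely
    // carries the VLV OID but is not a decoded VirtualListViewResponseControl (e.g. a GenericControl).
    // NOTE(review): if such undecoded controls occur in practice they should be decoded rather than
    // skipped — confirm how the entry's controls are populated.
    VirtualListViewResponseControl vlvResponse = null;
    for (Control control : ctrls) {
        if (control instanceof VirtualListViewResponseControl
                && VirtualListViewResponseControl.OID.equals(control.getOID())) {
            vlvResponse = (VirtualListViewResponseControl) control;
        }
    }
    if (vlvResponse == null) {
        return null;
    }
    if (name.equalsIgnoreCase(VLVRESPONSE_CONTENT_COUNT)) {
        return vlvResponse.getContentCount();
    }
    if (name.equalsIgnoreCase(VLVRESPONSE_FIRST_POSITION)) {
        return vlvResponse.getTargetPosition();
    }
    if (name.equalsIgnoreCase(VLVRESPONSE_RESULT_CODE)) {
        return vlvResponse.getResult().intValue();
    }
    if (name.equalsIgnoreCase(VLVRESPONSE_CONTEXT)) {
        return vlvResponse.getValue().toString();
    }
    return null;
}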