Search in sources :

Example 1 with DigestMD5SASLBindRequest

use of org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest in project ddf by codice.

the class SslLdapLoginModule method doLogin.

protected boolean doLogin() throws LoginException {
    //--------- EXTRACT USERNAME AND PASSWORD FOR LDAP LOOKUP -------------
    Callback[] callbacks = new Callback[2];
    callbacks[0] = new NameCallback("Username: ");
    callbacks[1] = new PasswordCallback("Password: ", false);
    try {
        callbackHandler.handle(callbacks);
    } catch (IOException ioException) {
        throw new LoginException(ioException.getMessage());
    } catch (UnsupportedCallbackException unsupportedCallbackException) {
        boolean result;
        throw new LoginException(unsupportedCallbackException.getMessage() + " not available to obtain information from user.");
    }
    user = ((NameCallback) callbacks[0]).getName();
    if (user == null) {
        return false;
    }
    user = user.trim();
    validateUsername(user);
    char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
    // this method.
    if ("none".equalsIgnoreCase(getBindMethod()) && (tmpPassword != null)) {
        LOGGER.debug("Changing from authentication = none to simple since user or password was specified.");
        // default to simple so that the provided user/password will get checked
        setBindMethod(DEFAULT_AUTHENTICATION);
    }
    if (tmpPassword == null) {
        tmpPassword = new char[0];
    }
    //---------------------------------------------------------------------
    // RESET OBJECT STATE AND DECLARE LOCAL VARS
    principals = new HashSet<>();
    Connection connection;
    String userDn;
    //------------- CREATE CONNECTION #1 ----------------------------------
    try {
        connection = ldapConnectionFactory.getConnection();
    } catch (LdapException e) {
        LOGGER.info("Unable to get LDAP Connection from factory.", e);
        return false;
    }
    if (connection != null) {
        try {
            //------------- BIND #1 (CONNECTION USERNAME & PASSWORD) --------------
            try {
                BindRequest request;
                switch(getBindMethod()) {
                    case "Simple":
                        request = Requests.newSimpleBindRequest(connectionUsername, connectionPassword);
                        break;
                    case "SASL":
                        request = Requests.newPlainSASLBindRequest(connectionUsername, connectionPassword);
                        break;
                    case "GSSAPI SASL":
                        request = Requests.newGSSAPISASLBindRequest(connectionUsername, connectionPassword);
                        ((GSSAPISASLBindRequest) request).setRealm(realm);
                        ((GSSAPISASLBindRequest) request).setKDCAddress(kdcAddress);
                        break;
                    case "Digest MD5 SASL":
                        request = Requests.newDigestMD5SASLBindRequest(connectionUsername, connectionPassword);
                        ((DigestMD5SASLBindRequest) request).setCipher(DigestMD5SASLBindRequest.CIPHER_HIGH);
                        ((DigestMD5SASLBindRequest) request).getQOPs().clear();
                        ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_CONF);
                        ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_INT);
                        ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH);
                        if (StringUtils.isNotEmpty(realm)) {
                            ((DigestMD5SASLBindRequest) request).setRealm(realm);
                        }
                        break;
                    default:
                        request = Requests.newSimpleBindRequest(connectionUsername, connectionPassword);
                        break;
                }
                BindResult bindResult = connection.bind(request);
                if (!bindResult.isSuccess()) {
                    LOGGER.debug("Bind failed");
                    return false;
                }
            } catch (LdapException e) {
                LOGGER.debug("Unable to bind to LDAP server.", e);
                return false;
            }
            //--------- SEARCH #1, FIND USER DISTINGUISHED NAME -----------
            SearchScope scope;
            if (userSearchSubtree) {
                scope = SearchScope.WHOLE_SUBTREE;
            } else {
                scope = SearchScope.SINGLE_LEVEL;
            }
            userFilter = userFilter.replaceAll(Pattern.quote("%u"), Matcher.quoteReplacement(user));
            userFilter = userFilter.replace("\\", "\\\\");
            ConnectionEntryReader entryReader = connection.search(userBaseDN, scope, userFilter);
            try {
                if (!entryReader.hasNext()) {
                    LOGGER.info("User {} not found in LDAP.", user);
                    return false;
                }
                SearchResultEntry searchResultEntry = entryReader.readEntry();
                userDn = searchResultEntry.getName().toString();
            } catch (LdapException | SearchResultReferenceIOException e) {
                LOGGER.info("Unable to read contents of LDAP user search.", e);
                return false;
            }
        } finally {
            //------------ CLOSE CONNECTION -------------------------------
            connection.close();
        }
    } else {
        return false;
    }
    //------------- CREATE CONNECTION #2 ----------------------------------
    try {
        connection = ldapConnectionFactory.getConnection();
    } catch (LdapException e) {
        LOGGER.info("Unable to get LDAP Connection from factory.", e);
        return false;
    }
    if (connection != null) {
        // Validate user's credentials.
        try {
            BindResult bindResult = connection.bind(userDn, tmpPassword);
            if (!bindResult.isSuccess()) {
                LOGGER.info("Bind failed");
                return false;
            }
        } catch (Exception e) {
            LOGGER.info("Unable to bind user to LDAP server.", e);
            return false;
        } finally {
            //------------ CLOSE CONNECTION -------------------------------
            connection.close();
        }
        //---------- ADD USER AS PRINCIPAL --------------------------------
        principals.add(new UserPrincipal(user));
    } else {
        return false;
    }
    //-------------- CREATE CONNECTION #3 ---------------------------------
    try {
        connection = ldapConnectionFactory.getConnection();
    } catch (LdapException e) {
        LOGGER.info("Unable to get LDAP Connection from factory.", e);
        return false;
    }
    if (connection != null) {
        try {
            //----- BIND #3 (CONNECTION USERNAME & PASSWORD) --------------
            try {
                BindResult bindResult = connection.bind(connectionUsername, connectionPassword);
                if (!bindResult.isSuccess()) {
                    LOGGER.info("Bind failed");
                    return false;
                }
            } catch (LdapException e) {
                LOGGER.info("Unable to bind to LDAP server.", e);
                return false;
            }
            //--------- SEARCH #3, GET ROLES ------------------------------
            SearchScope scope;
            if (roleSearchSubtree) {
                scope = SearchScope.WHOLE_SUBTREE;
            } else {
                scope = SearchScope.SINGLE_LEVEL;
            }
            roleFilter = roleFilter.replaceAll(Pattern.quote("%u"), Matcher.quoteReplacement(user));
            roleFilter = roleFilter.replaceAll(Pattern.quote("%dn"), Matcher.quoteReplacement(userBaseDN));
            roleFilter = roleFilter.replaceAll(Pattern.quote("%fqdn"), Matcher.quoteReplacement(userDn));
            roleFilter = roleFilter.replace("\\", "\\\\");
            ConnectionEntryReader entryReader = connection.search(roleBaseDN, scope, roleFilter, roleNameAttribute);
            SearchResultEntry entry;
            //------------- ADD ROLES AS NEW PRINCIPALS -------------------
            try {
                while (entryReader.hasNext()) {
                    entry = entryReader.readEntry();
                    Attribute attr = entry.getAttribute(roleNameAttribute);
                    for (ByteString role : attr) {
                        principals.add(new RolePrincipal(role.toString()));
                    }
                }
            } catch (Exception e) {
                boolean result;
                throw new LoginException("Can't get user " + user + " roles: " + e.getMessage());
            }
        } finally {
            //------------ CLOSE CONNECTION -------------------------------
            connection.close();
        }
    } else {
        return false;
    }
    return true;
}
Also used : Attribute(org.forgerock.opendj.ldap.Attribute) ByteString(org.forgerock.opendj.ldap.ByteString) DigestMD5SASLBindRequest(org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest) GSSAPISASLBindRequest(org.forgerock.opendj.ldap.requests.GSSAPISASLBindRequest) BindRequest(org.forgerock.opendj.ldap.requests.BindRequest) ByteString(org.forgerock.opendj.ldap.ByteString) GSSAPISASLBindRequest(org.forgerock.opendj.ldap.requests.GSSAPISASLBindRequest) PasswordCallback(javax.security.auth.callback.PasswordCallback) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) RolePrincipal(org.apache.karaf.jaas.boot.principal.RolePrincipal) LdapException(org.forgerock.opendj.ldap.LdapException) Connection(org.forgerock.opendj.ldap.Connection) IOException(java.io.IOException) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) LoginException(javax.security.auth.login.LoginException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) LdapException(org.forgerock.opendj.ldap.LdapException) GeneralSecurityException(java.security.GeneralSecurityException) IOException(java.io.IOException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) UserPrincipal(org.apache.karaf.jaas.boot.principal.UserPrincipal) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) PasswordCallback(javax.security.auth.callback.PasswordCallback) NameCallback(javax.security.auth.callback.NameCallback) Callback(javax.security.auth.callback.Callback) NameCallback(javax.security.auth.callback.NameCallback) DigestMD5SASLBindRequest(org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest) SearchScope(org.forgerock.opendj.ldap.SearchScope) LoginException(javax.security.auth.login.LoginException) BindResult(org.forgerock.opendj.ldap.responses.BindResult) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 2 with DigestMD5SASLBindRequest

use of org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest in project ddf by codice.

the class BindMethodChooser method selectBindMethod.

public static BindRequest selectBindMethod(String bindMethod, String bindUserDN, String bindUserCredentials, String realm, String kdcAddress) {
    BindRequest request;
    switch(bindMethod) {
        case "Simple":
            request = Requests.newSimpleBindRequest(bindUserDN, bindUserCredentials.toCharArray());
            break;
        case "SASL":
            request = Requests.newPlainSASLBindRequest(bindUserDN, bindUserCredentials.toCharArray());
            break;
        case "GSSAPI SASL":
            request = Requests.newGSSAPISASLBindRequest(bindUserDN, bindUserCredentials.toCharArray());
            ((GSSAPISASLBindRequest) request).setRealm(realm);
            ((GSSAPISASLBindRequest) request).setKDCAddress(kdcAddress);
            break;
        case "Digest MD5 SASL":
            request = Requests.newDigestMD5SASLBindRequest(bindUserDN, bindUserCredentials.toCharArray());
            ((DigestMD5SASLBindRequest) request).setCipher(DigestMD5SASLBindRequest.CIPHER_HIGH);
            ((DigestMD5SASLBindRequest) request).getQOPs().clear();
            ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_CONF);
            ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_INT);
            ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH);
            if (StringUtils.isNotEmpty(realm)) {
                ((DigestMD5SASLBindRequest) request).setRealm(realm);
            }
            break;
        default:
            request = Requests.newSimpleBindRequest(bindUserDN, bindUserCredentials.toCharArray());
            break;
    }
    return request;
}
Also used : DigestMD5SASLBindRequest(org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest) BindRequest(org.forgerock.opendj.ldap.requests.BindRequest) GSSAPISASLBindRequest(org.forgerock.opendj.ldap.requests.GSSAPISASLBindRequest) GSSAPISASLBindRequest(org.forgerock.opendj.ldap.requests.GSSAPISASLBindRequest) DigestMD5SASLBindRequest(org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest)

Example 3 with DigestMD5SASLBindRequest

use of org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest in project admin-console-beta by connexta.

the class LdapTestingUtils method selectBindMethod.

private static BindRequest selectBindMethod(String bindMethod, String bindUser, String password, String realm, String kdcAddress) {
    BindRequest request;
    switch(bindMethod) {
        case SIMPLE:
            request = Requests.newSimpleBindRequest(bindUser, password.toCharArray());
            break;
        //                    break;
        case DIGEST_MD5_SASL:
            request = Requests.newDigestMD5SASLBindRequest(bindUser, password.toCharArray());
            ((DigestMD5SASLBindRequest) request).setCipher(DigestMD5SASLBindRequest.CIPHER_HIGH);
            ((DigestMD5SASLBindRequest) request).getQOPs().clear();
            ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_CONF);
            ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_INT);
            ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH);
            if (realm != null && !realm.equals("")) {
                ((DigestMD5SASLBindRequest) request).setRealm(realm);
            }
            break;
        default:
            request = Requests.newSimpleBindRequest(bindUser, password.toCharArray());
            break;
    }
    return request;
}
Also used : DigestMD5SASLBindRequest(org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest) BindRequest(org.forgerock.opendj.ldap.requests.BindRequest) DigestMD5SASLBindRequest(org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest)

Aggregations

BindRequest (org.forgerock.opendj.ldap.requests.BindRequest)3 DigestMD5SASLBindRequest (org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest)3 GSSAPISASLBindRequest (org.forgerock.opendj.ldap.requests.GSSAPISASLBindRequest)2 IOException (java.io.IOException)1 GeneralSecurityException (java.security.GeneralSecurityException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 Callback (javax.security.auth.callback.Callback)1 NameCallback (javax.security.auth.callback.NameCallback)1 PasswordCallback (javax.security.auth.callback.PasswordCallback)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 LoginException (javax.security.auth.login.LoginException)1 RolePrincipal (org.apache.karaf.jaas.boot.principal.RolePrincipal)1 UserPrincipal (org.apache.karaf.jaas.boot.principal.UserPrincipal)1 Attribute (org.forgerock.opendj.ldap.Attribute)1 ByteString (org.forgerock.opendj.ldap.ByteString)1 Connection (org.forgerock.opendj.ldap.Connection)1 LdapException (org.forgerock.opendj.ldap.LdapException)1 SearchResultReferenceIOException (org.forgerock.opendj.ldap.SearchResultReferenceIOException)1 SearchScope (org.forgerock.opendj.ldap.SearchScope)1 BindResult (org.forgerock.opendj.ldap.responses.BindResult)1