use of org.forgerock.opendj.ldap.responses.SearchResultEntry in project OpenAM by OpenRock.
the class Organization method getValidValues.
/**
* Returns a list of possible values for the <code>Organization
* </code> that satisfy the given <code>pattern</code>.
*
* @param token the <code>SSOToken</code> that will be used
* to determine the possible values
* @param pattern search pattern that will be used to narrow
* the list of valid names.
*
* @return <code>ValidValues</code>
*
* @exception SSOException if <code>SSOToken</code> is not valid
* @exception PolicyException if unable to get the list of valid
* names.
*/
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
if (!initialized) {
throw (new PolicyException(ResBundleUtils.rbName, "org_subject_not_yet_initialized", null, null));
}
String searchFilter = null;
if ((pattern != null) && !(pattern.trim().length() == 0)) {
searchFilter = "(&" + orgSearchFilter + "(" + orgRDNAttrName + "=" + pattern + "))";
} else {
searchFilter = orgSearchFilter;
}
if (debug.messageEnabled()) {
debug.message("Organization.getValidValues(): organization search filter is: " + searchFilter);
}
String[] attrs = { orgRDNAttrName };
Set<String> validOrgDNs = new HashSet<>();
int status = ValidValues.SUCCESS;
try {
SearchRequest request = LDAPRequests.newSearchRequest(baseDN, orgSearchScope, searchFilter, attrs);
try (Connection conn = connPool.getConnection()) {
// connect to the server to authenticate
ConnectionEntryReader reader = conn.search(request);
while (reader.hasNext()) {
if (reader.isReference()) {
//ignore
reader.readReference();
} else {
SearchResultEntry entry = reader.readEntry();
validOrgDNs.add(entry.getName().toString());
debug.message("Organization.getValidValues(): found org name = {}", entry.getName().toString());
}
}
}
} catch (LdapException le) {
ResultCode resultCode = le.getResult().getResultCode();
if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
debug.warning("Organization.getValidValues(): exceeded the size limit");
status = ValidValues.SIZE_LIMIT_EXCEEDED;
} else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
debug.warning("Organization.getValidValues(): exceeded the time limit");
status = ValidValues.TIME_LIMIT_EXCEEDED;
} else {
if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
} else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
String[] objs = { baseDN };
throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_base_dn", objs, null);
}
String errorMsg = le.getMessage();
String additionalMsg = le.getResult().getDiagnosticMessage();
if (additionalMsg != null) {
throw new PolicyException(errorMsg + ": " + additionalMsg);
} else {
throw new PolicyException(errorMsg);
}
}
} catch (Exception e) {
throw new PolicyException(e);
}
if (debug.messageEnabled()) {
debug.message("Organization.getValidValues(): return set= {}", validOrgDNs.toString());
}
return new ValidValues(status, validOrgDNs);
}
use of org.forgerock.opendj.ldap.responses.SearchResultEntry in project OpenAM by OpenRock.
the class Organization method getUserDN.
/**
* Gets the DN for a user identified
* by the token. If the Directory server is locally installed to speed
* up the search, no directoty search is performed and the DN obtained
* from the token is returned. If the directory is remote
* a LDAP search is performed to get the user DN.
*/
private DN getUserDN(SSOToken token) throws SSOException, PolicyException {
DN userDN = null;
Set<String> qualifiedUserDNs = new HashSet<>();
String userLocalDN = token.getPrincipal().getName();
if (localDS && !PolicyUtils.principalNameEqualsUuid(token)) {
userDN = DN.valueOf(userLocalDN);
} else {
// try to figure out the user name from the local user DN
int beginIndex = userLocalDN.indexOf("=");
int endIndex = userLocalDN.indexOf(",");
if ((beginIndex <= 0) || (endIndex <= 0) || (beginIndex >= endIndex)) {
throw (new PolicyException(ResBundleUtils.rbName, "org_subject_invalid_local_user_dn", null, null));
}
String userName = userLocalDN.substring(beginIndex + 1, endIndex);
String searchFilter = null;
if ((userSearchFilter != null) && !(userSearchFilter.length() == 0)) {
searchFilter = "(&" + userSearchFilter + PolicyUtils.constructUserFilter(token, userRDNAttrName, userName, aliasEnabled) + ")";
} else {
searchFilter = PolicyUtils.constructUserFilter(token, userRDNAttrName, userName, aliasEnabled);
}
if (debug.messageEnabled()) {
debug.message("Organization.getUserDN(): search filter is: " + searchFilter);
}
String[] attrs = { userRDNAttrName };
// search the remote ldap and find out the user DN
try (Connection conn = connPool.getConnection()) {
SearchRequest request = LDAPRequests.newSearchRequest(baseDN, userSearchScope, searchFilter, attrs);
ConnectionEntryReader reader = conn.search(request);
while (reader.hasNext()) {
if (reader.isReference()) {
//ignore
reader.readReference();
} else {
SearchResultEntry entry = reader.readEntry();
if (entry != null) {
qualifiedUserDNs.add(entry.getName().toString());
}
}
}
} catch (LdapException le) {
String[] objs = { orgName };
ResultCode resultCode = le.getResult().getResultCode();
if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
debug.warning("Organization.getUserDN(): exceeded the size limit");
throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_size_limit", objs, null);
} else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
debug.warning("Organization.getUserDN(): exceeded the time limit");
throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_time_limit", objs, null);
} else {
if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
} else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
objs = new String[] { baseDN };
throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_base_dn", objs, null);
}
String errorMsg = le.getMessage();
String additionalMsg = le.getResult().getDiagnosticMessage();
if (additionalMsg != null) {
throw new PolicyException(errorMsg + ": " + additionalMsg);
} else {
throw new PolicyException(errorMsg);
}
}
} catch (Exception e) {
throw new PolicyException(e);
}
if (qualifiedUserDNs.size() > 0) {
if (debug.messageEnabled()) {
debug.message("Organization.getUserDN(): qualified users=" + qualifiedUserDNs);
}
Iterator iter = qualifiedUserDNs.iterator();
// we only take the first qualified DN
userDN = DN.valueOf((String) iter.next());
}
}
return userDN;
}
use of org.forgerock.opendj.ldap.responses.SearchResultEntry in project OpenAM by OpenRock.
the class LDAPRoles method isMember.
/**
* Determines if the user identified by the token,
* belongs to this instance of the <code>LDAPRoles</code> object.
*
* @param token single-sign-on token of the user
*
* @return <code>true</code> if the user is member of the
* given subject; <code>false</code> otherwise.
*
* @exception SSOException if <code>SSOToken</code> is not valid
* @exception PolicyException if an error occured while
* checking if the user is a member of this subject
*/
public boolean isMember(SSOToken token) throws SSOException, PolicyException {
boolean roleMatch = false;
String userLocalDN = token.getPrincipal().getName();
if (selectedRFCRoleDNs.size() > 0) {
SearchResultEntry userEntry = null;
Set userRoles = null;
boolean listenerAdded = false;
String tokenID = token.getTokenID().toString();
Iterator items = selectedRFCRoleDNs.iterator();
while (items.hasNext()) {
String roleName = (String) items.next();
Boolean matchFound = null;
if ((matchFound = SubjectEvaluationCache.isMember(tokenID, ldapServer, roleName)) != null) {
if (debug.messageEnabled()) {
debug.message("LDAPRoles.isMember():Got membership " + "from cache of " + userLocalDN + " in LDAP role " + roleName + " :" + matchFound.booleanValue());
}
boolean result = matchFound.booleanValue();
if (result) {
return result;
} else {
continue;
}
}
// came here so no entry in subject eval cache
if (debug.messageEnabled()) {
debug.message("LDAPRoles.isMember():did not find entry " + " for " + roleName + " in SubjectEvaluation " + "cache, getting from LDAPRole cache");
}
if (userEntry == null) {
userEntry = getUserEntry(token);
if (userEntry == null) {
if (debug.messageEnabled()) {
debug.message("LDAPRoles.isMember(): User " + userLocalDN + " is not found in the directory");
}
return false;
}
}
if (userRoles == null) {
userRoles = getUserRoles(token, userEntry);
}
if (!listenerAdded) {
if (!PolicyEvaluator.ssoListenerRegistry.containsKey(tokenID)) {
token.addSSOTokenListener(PolicyEvaluator.ssoListener);
PolicyEvaluator.ssoListenerRegistry.put(tokenID, PolicyEvaluator.ssoListener);
if (debug.messageEnabled()) {
debug.message("LDAPRoles.isMember(): sso listener " + "added .\n");
}
listenerAdded = true;
}
}
if ((userRoles != null) && userRoles.size() > 0) {
// check if the user belongs to any of the selected roles
if (userRoles.contains(roleName)) {
roleMatch = true;
}
}
if (debug.messageEnabled()) {
String member = (roleMatch) ? "is member of" : "is not a member of";
debug.message("LDAPRoles.isMember(): User " + userLocalDN + " " + member + " the LDAPRole " + roleName + ", adding to Subject eval cache");
}
SubjectEvaluationCache.addEntry(tokenID, ldapServer, roleName, roleMatch);
if (roleMatch) {
break;
}
}
}
if (debug.messageEnabled()) {
if (!roleMatch) {
debug.message("LDAPRoles.isMember(): User " + userLocalDN + " is not a member of this LDAPRoles object");
} else {
debug.message("LDAPRoles.isMember(): User " + userLocalDN + " is a member of this LDAPRoles object");
}
}
return roleMatch;
}
use of org.forgerock.opendj.ldap.responses.SearchResultEntry in project OpenAM by OpenRock.
the class LDAPRoles method getUserEntry.
/**
* Gets the <code>LDAPEntry</code> for a user identified
* by the token. The base DN used to perform the user search
* is the DN of the user if the user is local to speed
* up the search, but if user is not local then the base DN as
* configured in the policy config service is used.
*/
private SearchResultEntry getUserEntry(SSOToken token) throws SSOException, PolicyException {
Set<SearchResultEntry> qualifiedUsers = new HashSet<>();
String userLocalDN = token.getPrincipal().getName();
if (debug.messageEnabled()) {
debug.message("LDAPRoles.getUserEntry(): user local DN is " + userLocalDN);
}
String searchBaseDN = baseDN;
if (localDS && !PolicyUtils.principalNameEqualsUuid(token)) {
// if it is local, then we search the user entry only
searchBaseDN = DN.valueOf(userLocalDN).toString();
debug.message("LDAPRoles.getUserEntry(): search user {} only as it is local.", searchBaseDN);
}
// try to figure out the user name from the local user DN
int beginIndex = userLocalDN.indexOf("=");
int endIndex = userLocalDN.indexOf(",");
if ((beginIndex <= 0) || (endIndex <= 0) || (beginIndex >= endIndex)) {
throw (new PolicyException(ResBundleUtils.rbName, "ldaproles_subject_invalid_local_user_dn", null, null));
}
String userName = userLocalDN.substring(beginIndex + 1, endIndex);
String searchFilter = null;
if ((userSearchFilter != null) && !(userSearchFilter.length() == 0)) {
searchFilter = "(&" + userSearchFilter + PolicyUtils.constructUserFilter(token, userRDNAttrName, userName, aliasEnabled) + ")";
} else {
searchFilter = PolicyUtils.constructUserFilter(token, userRDNAttrName, userName, aliasEnabled);
}
if (debug.messageEnabled()) {
debug.message("LDAPRoles.getUserEntry(): search filter is: " + searchFilter);
}
// search the remote ldap and find out the user DN
String[] myAttrs = { LDAP_USER_ROLE_ATTR };
try (Connection conn = connPool.getConnection()) {
SearchRequest searchRequest = LDAPRequests.newSearchRequest(searchBaseDN, userSearchScope, searchFilter, myAttrs);
ConnectionEntryReader reader = conn.search(searchRequest);
while (reader.hasNext()) {
if (reader.isReference()) {
//Ignore
reader.readReference();
} else {
qualifiedUsers.add(reader.readEntry());
}
}
} catch (LdapException le) {
ResultCode resultCode = le.getResult().getResultCode();
if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
String[] objs = { orgName };
debug.warning("LDAPRoles.isMember(): exceeded the size limit");
throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_size_limit", objs, null);
} else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
String[] objs = { orgName };
debug.warning("LDAPRoles.isMember(): exceeded the time limit");
throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_time_limit", objs, null);
} else if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
} else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
String[] objs = { baseDN };
throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_base_dn", objs, null);
}
String errorMsg = le.getMessage();
String additionalMsg = le.getResult().getDiagnosticMessage();
if (additionalMsg != null) {
throw new PolicyException(errorMsg + ": " + additionalMsg);
} else {
throw new PolicyException(errorMsg);
}
} catch (Exception e) {
throw new PolicyException(e);
}
if (qualifiedUsers.size() > 0) {
Iterator<SearchResultEntry> iter = qualifiedUsers.iterator();
// we only take the first qualified DN
return iter.next();
}
return null;
}
use of org.forgerock.opendj.ldap.responses.SearchResultEntry in project OpenAM by OpenRock.
the class LDAPGroups method getValidValues.
/**
* Returns a list of possible values for the <code>LDAPGroups
* </code> that satisfy the given <code>pattern</code>.
*
* @param token the <code>SSOToken</code> that will be used
* to determine the possible values
* @param pattern search pattern that will be used to narrow
* the list of valid names.
*
* @return <code>ValidValues</code> object
*
* @exception SSOException if <code>SSOToken</code> is not valid
* @exception PolicyException if unable to get the list of valid
* names.
*/
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
if (!initialized) {
throw new PolicyException(ResBundleUtils.rbName, "ldapgroups_subject_not_yet_initialized", null, null);
}
Set<String> validGroupDNs = new HashSet<>();
String searchFilter;
if (pattern != null && !pattern.trim().isEmpty()) {
searchFilter = "(&" + groupSearchFilter + "(" + groupRDNAttrName + "=" + pattern + "))";
} else {
searchFilter = groupSearchFilter;
}
debug.message("LDAPGroups.getValidValues(): group search filter is: {}", searchFilter);
String[] attrs = { groupRDNAttrName };
Connection ld = null;
int status = ValidValues.SUCCESS;
try (Connection conn = connPool.getConnection()) {
SearchRequest searchRequest = LDAPRequests.newSearchRequest(baseDN, groupSearchScope, searchFilter, attrs);
ConnectionEntryReader reader = conn.search(searchRequest);
while (reader.hasNext()) {
if (reader.isReference()) {
//Ignore
reader.readReference();
} else {
SearchResultEntry entry = reader.readEntry();
if (entry != null) {
validGroupDNs.add(entry.getName().toString());
debug.message("LDAPGroups.getValidValues(): found group name={}", entry.getName().toString());
}
}
}
} catch (LdapException lde) {
ResultCode resultCode = lde.getResult().getResultCode();
if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(resultCode)) {
debug.warning("LDAPGroups.getValidValues(): exceeded the size limit");
return new ValidValues(ValidValues.SIZE_LIMIT_EXCEEDED, validGroupDNs);
} else if (ResultCode.TIME_LIMIT_EXCEEDED.equals(resultCode)) {
debug.warning("LDAPGroups.getValidValues(): exceeded the time limit");
return new ValidValues(ValidValues.TIME_LIMIT_EXCEEDED, validGroupDNs);
} else if (ResultCode.INVALID_CREDENTIALS.equals(resultCode)) {
throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
} else if (ResultCode.NO_SUCH_OBJECT.equals(resultCode)) {
String[] objs = { baseDN };
throw new PolicyException(ResBundleUtils.rbName, "no_such_ldap_base_dn", objs, null);
}
String errorMsg = lde.getMessage();
String additionalMsg = lde.getResult().getDiagnosticMessage();
if (additionalMsg != null) {
throw new PolicyException(errorMsg + ": " + additionalMsg);
} else {
throw new PolicyException(errorMsg);
}
} catch (Exception e) {
throw new PolicyException(e);
}
return new ValidValues(status, validGroupDNs);
}
Aggregations