Example 31 with SearchResultEntry
use of org.forgerock.opendj.ldap.responses.SearchResultEntry in project admin-console-beta by connexta.
the class ServerGuesser method getClaimAttributeOptions.
public Set<String> getClaimAttributeOptions(String baseUserDn) {
try {
// Find all object classes with names like *person* in the core schema
// this will catch person, organizationalPerson, inetOrgPerson, etc. if present
SortedSet<String> attributes = extractAttributes(Schema.getCoreSchema().getObjectClasses(), oc -> oc.getNameOrOID().toLowerCase().matches(".*person.*"));
// Find any given user with the clearance attribute
SearchRequest clearanceReq = Requests.newSearchRequest(DN.valueOf(baseUserDn), SearchScope.WHOLE_SUBTREE, Filter.present("2.16.840.1.101.2.2.1.203"), "objectClass");
ConnectionEntryReader clearanceReader = connection.search(clearanceReq);
if (clearanceReader.hasNext()) {
SearchResultEntry entry = clearanceReader.readEntry();
RootDSE rootDSE = RootDSE.readRootDSE(connection);
DN subschemaDN = rootDSE.getSubschemaSubentry();
Schema subschema = Schema.readSchema(connection, subschemaDN);
// Check against both the subschema and the default schema
attributes.addAll(extractAttributes(Entries.getObjectClasses(entry, subschema), STRUCT_OR_AUX));
attributes.addAll(extractAttributes(Entries.getObjectClasses(entry), STRUCT_OR_AUX));
}
return attributes;
} catch (SearchResultReferenceIOException | LdapException e) {
LOGGER.warn("Error retrieving attributes from LDAP server; this may indicate a configuration issue with config.");
return Collections.emptySet();
}
}
Also used :
SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest)
ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader)
Schema(org.forgerock.opendj.ldap.schema.Schema)
DN(org.forgerock.opendj.ldap.DN)
ByteString(org.forgerock.opendj.ldap.ByteString)
SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException)
LdapException(org.forgerock.opendj.ldap.LdapException)
RootDSE(org.forgerock.opendj.ldap.RootDSE)
SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)
Example 32 with SearchResultEntry
use of org.forgerock.opendj.ldap.responses.SearchResultEntry in project admin-console-beta by connexta.
the class ServerGuesser method getChoices.
private Set<String> getChoices(String query, boolean returnParents, Comparator<String> sorter) {
List<SearchResultEntry> queryResults = getResults(query);
Set<String> choices = new TreeSet<>(sorter);
for (SearchResultEntry entry : queryResults) {
DN name = entry.getName();
if (returnParents) {
choices.add(name.parent().toString());
} else {
choices.add(name.toString());
}
}
return choices;
}
Also used :
TreeSet(java.util.TreeSet)
DN(org.forgerock.opendj.ldap.DN)
ByteString(org.forgerock.opendj.ldap.ByteString)
SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)
Example 33 with SearchResultEntry
use of org.forgerock.opendj.ldap.responses.SearchResultEntry in project ddf by codice.
the class RoleClaimsHandlerTest method testRetrieveClaimsValuesIgnoredReferences.
@Test
public void testRetrieveClaimsValuesIgnoredReferences() throws LdapException, SearchResultReferenceIOException {
BindResult bindResult = mock(BindResult.class);
ClaimsParameters claimsParameters;
Connection connection = mock(Connection.class);
ConnectionEntryReader membershipReader = mock(ConnectionEntryReader.class);
ConnectionEntryReader groupNameReader = mock(ConnectionEntryReader.class);
LinkedAttribute membershipAttribute = new LinkedAttribute("uid");
LinkedAttribute groupNameAttribute = new LinkedAttribute("cn");
ClaimsCollection processedClaims;
RoleClaimsHandler claimsHandler;
SearchResultEntry membershipSearchResult = mock(SearchResultEntry.class);
DN resultDN = DN.valueOf("uid=tstark,");
SearchResultEntry groupNameSearchResult = mock(SearchResultEntry.class);
String groupName = "avengers";
when(bindResult.isSuccess()).thenReturn(true);
membershipAttribute.add("tstark");
when(membershipSearchResult.getAttribute(anyString())).thenReturn(membershipAttribute);
// simulate two items in the list (a reference and an entry)
when(membershipReader.hasNext()).thenReturn(true, true, false);
// test a reference followed by entries thereafter
when(membershipReader.isEntry()).thenReturn(false, true);
when(membershipReader.readEntry()).thenReturn(membershipSearchResult);
when(membershipSearchResult.getName()).thenReturn(resultDN);
groupNameAttribute.add(groupName);
when(groupNameSearchResult.getAttribute(anyString())).thenReturn(groupNameAttribute);
when(groupNameReader.hasNext()).thenReturn(true, true, false);
when(groupNameReader.isEntry()).thenReturn(false, true);
when(groupNameReader.readEntry()).thenReturn(groupNameSearchResult);
when(connection.bind(any())).thenReturn(bindResult);
when(connection.search(any(), any(), eq("(&(objectClass=groupOfNames)(|(member=uid=tstark,)(member=uid=tstark,)))"), any())).thenReturn(groupNameReader);
when(connection.search(anyString(), any(), anyString(), matches("uid"))).thenReturn(membershipReader);
claimsHandler = new RoleClaimsHandler(new AttributeMapLoader(new SubjectUtils()));
ConnectionFactory mockConnectionFactory = mock(ConnectionFactory.class);
when(mockConnectionFactory.getConnection()).thenReturn(connection);
claimsHandler.setLdapConnectionFactory(mockConnectionFactory);
claimsHandler.setBindMethod("Simple");
claimsHandler.setBindUserCredentials("foo");
claimsHandler.setBindUserDN("bar");
claimsParameters = new ClaimsParametersImpl(new UserPrincipal(USER_CN), new HashSet<>(), new HashMap<>());
processedClaims = claimsHandler.retrieveClaims(claimsParameters);
assertThat(processedClaims, hasSize(1));
Claim claim = processedClaims.get(0);
assertThat(claim.getValues(), hasSize(1));
assertThat(claim.getValues().get(0), equalTo(groupName));
}
Also used :
SubjectUtils(ddf.security.service.impl.SubjectUtils)
HashMap(java.util.HashMap)
Connection(org.forgerock.opendj.ldap.Connection)
DN(org.forgerock.opendj.ldap.DN)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
UserPrincipal(org.apache.karaf.jaas.boot.principal.UserPrincipal)
ClaimsParameters(ddf.security.claims.ClaimsParameters)
LinkedAttribute(org.forgerock.opendj.ldap.LinkedAttribute)
ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader)
ConnectionFactory(org.forgerock.opendj.ldap.ConnectionFactory)
ClaimsParametersImpl(ddf.security.claims.impl.ClaimsParametersImpl)
BindResult(org.forgerock.opendj.ldap.responses.BindResult)
ClaimsCollection(ddf.security.claims.ClaimsCollection)
Claim(ddf.security.claims.Claim)
SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)
HashSet(java.util.HashSet)
Test(org.junit.Test)
Example 34 with SearchResultEntry
use of org.forgerock.opendj.ldap.responses.SearchResultEntry in project ddf by codice.
the class SslLdapLoginModule method doLogin.
protected boolean doLogin() throws LoginException {
// --------- EXTRACT USERNAME AND PASSWORD FOR LDAP LOOKUP -------------
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("Username: ");
callbacks[1] = new PasswordCallback("Password: ", false);
try {
callbackHandler.handle(callbacks);
} catch (IOException ioException) {
LOGGER.debug("Exception while handling login.", ioException);
throw new LoginException(ioException.getMessage());
} catch (UnsupportedCallbackException unsupportedCallbackException) {
LOGGER.debug("Exception while handling login.", unsupportedCallbackException);
throw new LoginException(unsupportedCallbackException.getMessage() + " not available to obtain information from user.");
}
user = ((NameCallback) callbacks[0]).getName();
if (user == null) {
return false;
}
user = user.trim();
validateUsername(user);
char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
// this method.
if ("none".equalsIgnoreCase(getBindMethod()) && (tmpPassword != null)) {
LOGGER.debug("Changing from authentication = none to simple since user or password was specified.");
// default to simple so that the provided user/password will get checked
setBindMethod(DEFAULT_AUTHENTICATION);
}
if (tmpPassword == null) {
tmpPassword = new char[0];
}
// ---------------------------------------------------------------------
// RESET OBJECT STATE AND DECLARE LOCAL VARS
principals = new HashSet<>();
Connection connection;
String userDn;
// ------------- CREATE CONNECTION #1 ----------------------------------
try {
connection = ldapConnectionPool.borrowObject();
} catch (Exception e) {
LOGGER.info("Unable to obtain ldap connection from pool", e);
return false;
}
try {
if (connection != null) {
// ------------- BIND #1 (CONNECTION USERNAME & PASSWORD) --------------
try {
BindRequest request;
switch(bindMethod) {
case "Simple":
request = Requests.newSimpleBindRequest(connectionUsername, connectionPassword);
break;
case "SASL":
request = Requests.newPlainSASLBindRequest(connectionUsername, connectionPassword);
break;
case "GSSAPI SASL":
request = Requests.newGSSAPISASLBindRequest(connectionUsername, connectionPassword);
((GSSAPISASLBindRequest) request).setRealm(realm);
((GSSAPISASLBindRequest) request).setKDCAddress(kdcAddress);
break;
case "Digest MD5 SASL":
request = Requests.newDigestMD5SASLBindRequest(connectionUsername, connectionPassword);
((DigestMD5SASLBindRequest) request).setCipher(DigestMD5SASLBindRequest.CIPHER_HIGH);
((DigestMD5SASLBindRequest) request).getQOPs().clear();
((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_CONF);
((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_INT);
((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH);
if (StringUtils.isNotEmpty(realm)) {
((DigestMD5SASLBindRequest) request).setRealm(realm);
}
break;
default:
request = Requests.newSimpleBindRequest(connectionUsername, connectionPassword);
break;
}
LOGGER.trace("Attempting LDAP bind for administrator: {}", connectionUsername);
BindResult bindResult = connection.bind(request);
if (!bindResult.isSuccess()) {
LOGGER.debug(BIND_FAILURE_MSG);
return false;
}
} catch (LdapException e) {
LOGGER.debug("Unable to bind to LDAP server.", e);
return false;
}
LOGGER.trace("LDAP bind successful for administrator: {}", connectionUsername);
// --------- SEARCH #1, FIND USER DISTINGUISHED NAME -----------
SearchScope scope;
scope = userSearchSubtree ? SearchScope.WHOLE_SUBTREE : SearchScope.SINGLE_LEVEL;
userFilter = userFilter.replaceAll(Pattern.quote("%u"), Matcher.quoteReplacement(user));
userFilter = userFilter.replace("\\", "\\\\");
LOGGER.trace("Performing LDAP query for user: {} at {} with filter {}", user, userBaseDN, userFilter);
try (ConnectionEntryReader entryReader = connection.search(userBaseDN, scope, userFilter)) {
while (entryReader.hasNext() && entryReader.isReference()) {
LOGGER.debug("Referral ignored while searching for user {}", user);
entryReader.readReference();
}
if (!entryReader.hasNext()) {
LOGGER.info("User {} not found in LDAP.", user);
return false;
}
SearchResultEntry searchResultEntry = entryReader.readEntry();
userDn = searchResultEntry.getName().toString();
} catch (LdapException | SearchResultReferenceIOException e) {
LOGGER.info("Unable to read contents of LDAP user search.", e);
return false;
}
// Validate user's credentials.
try {
LOGGER.trace("Attempting LDAP bind for user: {}", userDn);
BindResult bindResult = connection.bind(userDn, tmpPassword);
if (!bindResult.isSuccess()) {
LOGGER.info(BIND_FAILURE_MSG);
return false;
}
} catch (Exception e) {
LOGGER.info("Unable to bind user: {} to LDAP server.", userDn, e);
return false;
}
LOGGER.trace("LDAP bind successful for user: {}", userDn);
// ---------- ADD USER AS PRINCIPAL --------------------------------
principals.add(new UserPrincipal(user));
// ----- BIND #3 (CONNECTION USERNAME & PASSWORD) --------------
try {
LOGGER.trace("Attempting LDAP bind for administrator: {}", connectionUsername);
BindResult bindResult = connection.bind(connectionUsername, connectionPassword);
if (!bindResult.isSuccess()) {
LOGGER.info(BIND_FAILURE_MSG);
return false;
}
} catch (LdapException e) {
LOGGER.info("Unable to bind to LDAP server.", e);
return false;
}
LOGGER.trace("LDAP bind successful for administrator: {}", connectionUsername);
// --------- SEARCH #3, GET ROLES ------------------------------
scope = roleSearchSubtree ? SearchScope.WHOLE_SUBTREE : SearchScope.SINGLE_LEVEL;
roleFilter = roleFilter.replaceAll(Pattern.quote("%u"), Matcher.quoteReplacement(user));
roleFilter = roleFilter.replaceAll(Pattern.quote("%dn"), Matcher.quoteReplacement(userBaseDN));
roleFilter = roleFilter.replaceAll(Pattern.quote("%fqdn"), Matcher.quoteReplacement(userDn));
roleFilter = roleFilter.replace("\\", "\\\\");
LOGGER.trace("Performing LDAP query for roles for user: {} at {} with filter {} for role attribute {}", user, roleBaseDN, roleFilter, roleNameAttribute);
// ------------- ADD ROLES AS NEW PRINCIPALS -------------------
try (ConnectionEntryReader entryReader = connection.search(roleBaseDN, scope, roleFilter, roleNameAttribute)) {
SearchResultEntry entry;
while (entryReader.hasNext()) {
if (entryReader.isEntry()) {
entry = entryReader.readEntry();
Attribute attr = entry.getAttribute(roleNameAttribute);
if (attr == null) {
throw new LoginException("No attributes returned for [" + roleNameAttribute + " : " + roleBaseDN + "]");
}
for (ByteString role : attr) {
principals.add(new RolePrincipal(role.toString()));
}
} else {
// Got a continuation reference.
final SearchResultReference ref = entryReader.readReference();
LOGGER.debug("Skipping result reference: {}", ref.getURIs());
}
}
} catch (Exception e) {
LOGGER.debug("Exception while getting roles for [" + user + "].", e);
throw new LoginException("Can't get roles for [" + user + "]: " + e.getMessage());
}
} else {
LOGGER.trace("LDAP Connection was null could not authenticate user.");
return false;
}
succeeded = true;
commitSucceeded = true;
return true;
} finally {
ldapConnectionPool.returnObject(connection);
}
}
Also used :
Attribute(org.forgerock.opendj.ldap.Attribute)
ByteString(org.forgerock.opendj.ldap.ByteString)
DigestMD5SASLBindRequest(org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest)
GSSAPISASLBindRequest(org.forgerock.opendj.ldap.requests.GSSAPISASLBindRequest)
BindRequest(org.forgerock.opendj.ldap.requests.BindRequest)
SearchResultReference(org.forgerock.opendj.ldap.responses.SearchResultReference)
ByteString(org.forgerock.opendj.ldap.ByteString)
GSSAPISASLBindRequest(org.forgerock.opendj.ldap.requests.GSSAPISASLBindRequest)
PasswordCallback(javax.security.auth.callback.PasswordCallback)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
RolePrincipal(org.apache.karaf.jaas.boot.principal.RolePrincipal)
LdapException(org.forgerock.opendj.ldap.LdapException)
Connection(org.forgerock.opendj.ldap.Connection)
IOException(java.io.IOException)
SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException)
SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException)
LoginException(javax.security.auth.login.LoginException)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
LdapException(org.forgerock.opendj.ldap.LdapException)
InvalidSyntaxException(org.osgi.framework.InvalidSyntaxException)
IOException(java.io.IOException)
SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException)
UserPrincipal(org.apache.karaf.jaas.boot.principal.UserPrincipal)
ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader)
PasswordCallback(javax.security.auth.callback.PasswordCallback)
NameCallback(javax.security.auth.callback.NameCallback)
Callback(javax.security.auth.callback.Callback)
NameCallback(javax.security.auth.callback.NameCallback)
DigestMD5SASLBindRequest(org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest)
SearchScope(org.forgerock.opendj.ldap.SearchScope)
LoginException(javax.security.auth.login.LoginException)
BindResult(org.forgerock.opendj.ldap.responses.BindResult)
SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)
Example 35 with SearchResultEntry
use of org.forgerock.opendj.ldap.responses.SearchResultEntry in project OpenAM by OpenRock.
the class SMSLdapObject method getSubEntries.
private Set<String> getSubEntries(SSOToken token, String dn, String filter, int numOfEntries, boolean sortResults, boolean ascendingOrder) throws SMSException, SSOException {
SearchRequest request = getSearchRequest(dn, filter, SearchScope.SINGLE_LEVEL, numOfEntries, 0, sortResults, ascendingOrder, getNamingAttribute(), O_ATTR);
int retry = 0;
Set<String> answer = new LinkedHashSet<>();
ConnectionEntryReader results;
while (retry <= connNumRetry) {
debug.message("SMSLdapObject.subEntries() retry: {}", retry);
try (Connection conn = getConnection(token.getPrincipal())) {
// Get the sub entries
ConnectionEntryReader iterResults = conn.search(request);
iterResults.hasNext();
results = iterResults;
// Construct the results and return
try {
while (results != null && results.hasNext()) {
try {
if (results.isReference()) {
debug.warning("Skipping reference result: {}", results.readReference());
continue;
}
SearchResultEntry entry = results.readEntry();
// Workaround for 3823, where (objectClass=*) is used
if (entry.getName().toString().toLowerCase().startsWith("ou=")) {
answer.add(entry.getName().rdn().getFirstAVA().getAttributeValue().toString());
}
} catch (SearchResultReferenceIOException e) {
debug.error("SMSLdapObject.subEntries: Reference should be handled already for dn {}", dn, e);
}
}
} catch (LdapException e) {
debug.warning("SMSLdapObject.subEntries: Error in obtaining sub-entries: {}", dn, e);
throw new SMSException(e, "sms-entry-cannot-obtain");
}
break;
} catch (LdapException e) {
ResultCode errorCode = e.getResult().getResultCode();
if (errorCode.equals(ResultCode.NO_SUCH_OBJECT)) {
debug.message("SMSLdapObject.subEntries(): entry not present: {}", dn);
break;
}
if (!retryErrorCodes.contains(errorCode) || retry >= connNumRetry) {
debug.warning("SMSLdapObject.subEntries: Unable to search for sub-entries: {}", dn, e);
throw new SMSException(e, "sms-entry-cannot-search");
}
retry++;
try {
Thread.sleep(connRetryInterval);
} catch (InterruptedException ex) {
// ignored
}
}
}
debug.message("SMSLdapObject.subEntries: Successfully obtained sub-entries for {}", dn);
return answer;
}
Also used :
LinkedHashSet(java.util.LinkedHashSet)
SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest)
SMSException(com.sun.identity.sm.SMSException)
Connection(org.forgerock.opendj.ldap.Connection)
SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException)
ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader)
LdapException(org.forgerock.opendj.ldap.LdapException)
ResultCode(org.forgerock.opendj.ldap.ResultCode)
SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)
Aggregations
SearchResultEntry (org.forgerock.opendj.ldap.responses.SearchResultEntry)62
LdapException (org.forgerock.opendj.ldap.LdapException)46
ByteString (org.forgerock.opendj.ldap.ByteString)43
Connection (org.forgerock.opendj.ldap.Connection)43
ConnectionEntryReader (org.forgerock.opendj.ldif.ConnectionEntryReader)43
Attribute (org.forgerock.opendj.ldap.Attribute)30
HashSet (java.util.HashSet)25
SearchResultReferenceIOException (org.forgerock.opendj.ldap.SearchResultReferenceIOException)24
SearchRequest (org.forgerock.opendj.ldap.requests.SearchRequest)19
IOException (java.io.IOException)18
PolicyException (com.sun.identity.policy.PolicyException)15
ResultCode (org.forgerock.opendj.ldap.ResultCode)15
SSOException (com.iplanet.sso.SSOException)14
DN (org.forgerock.opendj.ldap.DN)11
InvalidNameException (com.sun.identity.policy.InvalidNameException)10
NameNotFoundException (com.sun.identity.policy.NameNotFoundException)10
LinkedAttribute (org.forgerock.opendj.ldap.LinkedAttribute)10
ArrayList (java.util.ArrayList)9
BindResult (org.forgerock.opendj.ldap.responses.BindResult)8
CaseInsensitiveHashSet (com.sun.identity.common.CaseInsensitiveHashSet)7
