Search in sources :

Example 21 with ConnectionEntryReader

use of org.forgerock.opendj.ldif.ConnectionEntryReader in project OpenAM by OpenRock.

the class DJLDAPv3Repo method search.

/**
     * Performs a search in the directory based on the provided parameters.
     * Using the pattern and avPairs parameters an example search filter would look something like:
     * <code>(&(|(attr1=value1)(attr2=value2))(searchAttr=pattern)(objectclassfilter))</code>.
     *
     * @param token Not used.
     * @param type The type of the identity.
     * @param crestQuery Either a string, coming from something like the CREST endpoint _queryId or a fully
     *                        fledged query filter, coming from a CREST endpoint's _queryFilter
     * @param maxTime The time limit for this search (in seconds). When maxTime &lt; 1, the default time limit will
     * be used.
     * @param maxResults The number of maximum results we should receive for this search. When maxResults &lt; 1 the
     * default sizelimit will be used.
     * @param returnAttrs The attributes that should be returned from the "search hits".
     * @param returnAllAttrs <code>true</code> if all user attribute should be returned.
     * @param filterOp When avPairs is provided, this logical operation will be used between them. Use
     * {@link IdRepo#AND_MOD} or {@link IdRepo#OR_MOD}.
     * @param avPairs Attribute-value pairs based on the search should be performed.
     * @param recursive Deprecated setting, not used.
     * @return The search results based on the provided parameters.
     * @throws IdRepoException Shouldn't be thrown as the returned RepoSearchResults will contain the error code.
     */
@Override
public RepoSearchResults search(SSOToken token, IdType type, CrestQuery crestQuery, int maxTime, int maxResults, Set<String> returnAttrs, boolean returnAllAttrs, int filterOp, Map<String, Set<String>> avPairs, boolean recursive) throws IdRepoException {
    if (DEBUG.messageEnabled()) {
        DEBUG.message("search invoked with type: " + type + " crestQuery: " + crestQuery + " avPairs: " + avPairs + " maxTime: " + maxTime + " maxResults: " + maxResults + " returnAttrs: " + returnAttrs + " returnAllAttrs: " + returnAllAttrs + " filterOp: " + filterOp + " recursive: " + recursive);
    }
    DN baseDN = getBaseDN(type);
    // Recursive is a deprecated setting on IdSearchControl, hence we should use the searchscope defined in the
    // datastore configuration.
    SearchScope scope = defaultScope;
    String searchAttr = getSearchAttribute(type);
    String[] attrs;
    Filter first;
    if (crestQuery.hasQueryId()) {
        first = Filter.valueOf(searchAttr + "=" + crestQuery.getQueryId());
    } else {
        first = crestQuery.getQueryFilter().accept(new LdapFromJsonQueryFilterVisitor(), null);
    }
    Filter filter = Filter.and(first, getObjectClassFilter(type));
    Filter tempFilter = constructFilter(filterOp, avPairs);
    if (tempFilter != null) {
        filter = Filter.and(tempFilter, filter);
    }
    if (returnAllAttrs || (returnAttrs != null && returnAttrs.contains("*"))) {
        Set<String> predefinedAttrs = getDefinedAttributes(type);
        attrs = predefinedAttrs.toArray(new String[predefinedAttrs.size()]);
        returnAllAttrs = true;
    } else if (returnAttrs != null && !returnAttrs.isEmpty()) {
        returnAttrs.add(searchAttr);
        attrs = returnAttrs.toArray(new String[returnAttrs.size()]);
    } else {
        attrs = new String[] { searchAttr };
    }
    SearchRequest searchRequest = LDAPRequests.newSearchRequest(baseDN, scope, filter, attrs);
    searchRequest.setSizeLimit(maxResults < 1 ? defaultSizeLimit : maxResults);
    searchRequest.setTimeLimit(maxTime < 1 ? defaultTimeLimit : maxTime);
    Connection conn = null;
    Set<String> names = new HashSet<String>();
    Map<String, Map<String, Set<String>>> entries = new HashMap<String, Map<String, Set<String>>>();
    int errorCode = RepoSearchResults.SUCCESS;
    try {
        conn = connectionFactory.getConnection();
        ConnectionEntryReader reader = conn.search(searchRequest);
        while (reader.hasNext()) {
            Map<String, Set<String>> attributes = new HashMap<String, Set<String>>();
            if (reader.isEntry()) {
                SearchResultEntry entry = reader.readEntry();
                String name = entry.parseAttribute(searchAttr).asString();
                names.add(name);
                if (returnAllAttrs) {
                    for (Attribute attribute : entry.getAllAttributes()) {
                        LDAPUtils.addAttributeToMapAsString(attribute, attributes);
                    }
                    entries.put(name, attributes);
                } else if (returnAttrs != null && !returnAttrs.isEmpty()) {
                    for (String attr : returnAttrs) {
                        Attribute attribute = entry.getAttribute(attr);
                        if (attribute != null) {
                            LDAPUtils.addAttributeToMapAsString(attribute, attributes);
                        }
                    }
                    entries.put(name, attributes);
                } else {
                //there is no attribute to return, don't populate the entries map
                }
            } else {
                //ignore search result references
                reader.readReference();
            }
        }
    } catch (LdapException ere) {
        ResultCode resultCode = ere.getResult().getResultCode();
        if (resultCode.equals(ResultCode.NO_SUCH_OBJECT)) {
            return new RepoSearchResults(new HashSet<String>(0), RepoSearchResults.SUCCESS, Collections.EMPTY_MAP, type);
        } else if (resultCode.equals(ResultCode.TIME_LIMIT_EXCEEDED) || resultCode.equals(ResultCode.CLIENT_SIDE_TIMEOUT)) {
            errorCode = RepoSearchResults.TIME_LIMIT_EXCEEDED;
        } else if (resultCode.equals(ResultCode.SIZE_LIMIT_EXCEEDED)) {
            errorCode = RepoSearchResults.SIZE_LIMIT_EXCEEDED;
        } else {
            DEBUG.error("Unexpected error occurred during search", ere);
            errorCode = resultCode.intValue();
        }
    } catch (SearchResultReferenceIOException srrioe) {
        //should never ever happen...
        DEBUG.error("Got reference instead of entry", srrioe);
        throw newIdRepoException(IdRepoErrorCode.SEARCH_FAILED, CLASS_NAME);
    } finally {
        IOUtils.closeIfNotNull(conn);
    }
    return new RepoSearchResults(names, errorCode, entries, type);
}
Also used : SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest) Set(java.util.Set) CaseInsensitiveHashSet(com.sun.identity.common.CaseInsensitiveHashSet) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet) CollectionUtils.asSet(org.forgerock.openam.utils.CollectionUtils.asSet) LdapFromJsonQueryFilterVisitor(org.forgerock.openam.ldap.LdapFromJsonQueryFilterVisitor) HashMap(java.util.HashMap) CaseInsensitiveHashMap(com.sun.identity.common.CaseInsensitiveHashMap) Attribute(org.forgerock.opendj.ldap.Attribute) LinkedAttribute(org.forgerock.opendj.ldap.LinkedAttribute) Connection(org.forgerock.opendj.ldap.Connection) DN(org.forgerock.opendj.ldap.DN) ByteString(org.forgerock.opendj.ldap.ByteString) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) Filter(org.forgerock.opendj.ldap.Filter) SearchScope(org.forgerock.opendj.ldap.SearchScope) RepoSearchResults(com.sun.identity.idm.RepoSearchResults) Map(java.util.Map) HashMap(java.util.HashMap) CaseInsensitiveHashMap(com.sun.identity.common.CaseInsensitiveHashMap) LdapException(org.forgerock.opendj.ldap.LdapException) ResultCode(org.forgerock.opendj.ldap.ResultCode) CaseInsensitiveHashSet(com.sun.identity.common.CaseInsensitiveHashSet) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 22 with ConnectionEntryReader

use of org.forgerock.opendj.ldif.ConnectionEntryReader in project OpenAM by OpenRock.

the class DJLDAPv3Repo method getGroupMemberships.

/**
     * Returns the group membership informations for this given user. In case the memberOf attribute is configured,
     * this will try to query the user entry and return the group DNs found in the memberOf attribute. Otherwise a
     * search request will be issued using the uniqueMember attribute looking for matches with the user DN.
     *
     * @param dn The DN of the user identity.
     * @return The DNs of the groups that the provided user is member of.
     * @throws IdRepoException If there was an error while retrieving the group membership information.
     */
private Set<String> getGroupMemberships(String dn) throws IdRepoException {
    Set<String> results = new HashSet<String>();
    if (memberOfAttr == null) {
        Filter filter = Filter.and(groupSearchFilter, Filter.equality(uniqueMemberAttr, dn));
        SearchRequest searchRequest = LDAPRequests.newSearchRequest(getBaseDN(IdType.GROUP), defaultScope, filter, DN_ATTR);
        searchRequest.setTimeLimit(defaultTimeLimit);
        searchRequest.setSizeLimit(defaultSizeLimit);
        Connection conn = null;
        try {
            conn = connectionFactory.getConnection();
            ConnectionEntryReader reader = conn.search(searchRequest);
            while (reader.hasNext()) {
                if (reader.isEntry()) {
                    results.add(reader.readEntry().getName().toString());
                } else {
                    //ignore search result references
                    reader.readReference();
                }
            }
        } catch (LdapException ere) {
            DEBUG.error("An error occurred while trying to retrieve group memberships for " + dn + " using " + uniqueMemberAttr, ere);
            handleErrorResult(ere);
        } catch (SearchResultReferenceIOException srrioe) {
            //should never ever happen...
            DEBUG.error("Got reference instead of entry", srrioe);
            throw newIdRepoException(IdRepoErrorCode.SEARCH_FAILED, CLASS_NAME);
        } finally {
            IOUtils.closeIfNotNull(conn);
        }
    } else {
        Connection conn = null;
        try {
            conn = connectionFactory.getConnection();
            SearchResultEntry entry = conn.searchSingleEntry(LDAPRequests.newSingleEntrySearchRequest(dn, memberOfAttr));
            Attribute attr = entry.getAttribute(memberOfAttr);
            if (attr != null) {
                results.addAll(LDAPUtils.getAttributeValuesAsStringSet(attr));
            }
        } catch (LdapException ere) {
            DEBUG.error("An error occurred while trying to retrieve group memberships for " + dn + " using " + memberOfAttr + " attribute", ere);
            handleErrorResult(ere);
        } finally {
            IOUtils.closeIfNotNull(conn);
        }
    }
    return results;
}
Also used : SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) Filter(org.forgerock.opendj.ldap.Filter) Attribute(org.forgerock.opendj.ldap.Attribute) LinkedAttribute(org.forgerock.opendj.ldap.LinkedAttribute) Connection(org.forgerock.opendj.ldap.Connection) ByteString(org.forgerock.opendj.ldap.ByteString) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) LdapException(org.forgerock.opendj.ldap.LdapException) CaseInsensitiveHashSet(com.sun.identity.common.CaseInsensitiveHashSet) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 23 with ConnectionEntryReader

use of org.forgerock.opendj.ldif.ConnectionEntryReader in project ddf by codice.

the class SslLdapLoginModule method doLogin.

protected boolean doLogin() throws LoginException {
    //--------- EXTRACT USERNAME AND PASSWORD FOR LDAP LOOKUP -------------
    Callback[] callbacks = new Callback[2];
    callbacks[0] = new NameCallback("Username: ");
    callbacks[1] = new PasswordCallback("Password: ", false);
    try {
        callbackHandler.handle(callbacks);
    } catch (IOException ioException) {
        throw new LoginException(ioException.getMessage());
    } catch (UnsupportedCallbackException unsupportedCallbackException) {
        boolean result;
        throw new LoginException(unsupportedCallbackException.getMessage() + " not available to obtain information from user.");
    }
    user = ((NameCallback) callbacks[0]).getName();
    if (user == null) {
        return false;
    }
    user = user.trim();
    validateUsername(user);
    char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
    // this method.
    if ("none".equalsIgnoreCase(getBindMethod()) && (tmpPassword != null)) {
        LOGGER.debug("Changing from authentication = none to simple since user or password was specified.");
        // default to simple so that the provided user/password will get checked
        setBindMethod(DEFAULT_AUTHENTICATION);
    }
    if (tmpPassword == null) {
        tmpPassword = new char[0];
    }
    //---------------------------------------------------------------------
    // RESET OBJECT STATE AND DECLARE LOCAL VARS
    principals = new HashSet<>();
    Connection connection;
    String userDn;
    //------------- CREATE CONNECTION #1 ----------------------------------
    try {
        connection = ldapConnectionFactory.getConnection();
    } catch (LdapException e) {
        LOGGER.info("Unable to get LDAP Connection from factory.", e);
        return false;
    }
    if (connection != null) {
        try {
            //------------- BIND #1 (CONNECTION USERNAME & PASSWORD) --------------
            try {
                BindRequest request;
                switch(getBindMethod()) {
                    case "Simple":
                        request = Requests.newSimpleBindRequest(connectionUsername, connectionPassword);
                        break;
                    case "SASL":
                        request = Requests.newPlainSASLBindRequest(connectionUsername, connectionPassword);
                        break;
                    case "GSSAPI SASL":
                        request = Requests.newGSSAPISASLBindRequest(connectionUsername, connectionPassword);
                        ((GSSAPISASLBindRequest) request).setRealm(realm);
                        ((GSSAPISASLBindRequest) request).setKDCAddress(kdcAddress);
                        break;
                    case "Digest MD5 SASL":
                        request = Requests.newDigestMD5SASLBindRequest(connectionUsername, connectionPassword);
                        ((DigestMD5SASLBindRequest) request).setCipher(DigestMD5SASLBindRequest.CIPHER_HIGH);
                        ((DigestMD5SASLBindRequest) request).getQOPs().clear();
                        ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_CONF);
                        ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_INT);
                        ((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH);
                        if (StringUtils.isNotEmpty(realm)) {
                            ((DigestMD5SASLBindRequest) request).setRealm(realm);
                        }
                        break;
                    default:
                        request = Requests.newSimpleBindRequest(connectionUsername, connectionPassword);
                        break;
                }
                BindResult bindResult = connection.bind(request);
                if (!bindResult.isSuccess()) {
                    LOGGER.debug("Bind failed");
                    return false;
                }
            } catch (LdapException e) {
                LOGGER.debug("Unable to bind to LDAP server.", e);
                return false;
            }
            //--------- SEARCH #1, FIND USER DISTINGUISHED NAME -----------
            SearchScope scope;
            if (userSearchSubtree) {
                scope = SearchScope.WHOLE_SUBTREE;
            } else {
                scope = SearchScope.SINGLE_LEVEL;
            }
            userFilter = userFilter.replaceAll(Pattern.quote("%u"), Matcher.quoteReplacement(user));
            userFilter = userFilter.replace("\\", "\\\\");
            ConnectionEntryReader entryReader = connection.search(userBaseDN, scope, userFilter);
            try {
                if (!entryReader.hasNext()) {
                    LOGGER.info("User {} not found in LDAP.", user);
                    return false;
                }
                SearchResultEntry searchResultEntry = entryReader.readEntry();
                userDn = searchResultEntry.getName().toString();
            } catch (LdapException | SearchResultReferenceIOException e) {
                LOGGER.info("Unable to read contents of LDAP user search.", e);
                return false;
            }
        } finally {
            //------------ CLOSE CONNECTION -------------------------------
            connection.close();
        }
    } else {
        return false;
    }
    //------------- CREATE CONNECTION #2 ----------------------------------
    try {
        connection = ldapConnectionFactory.getConnection();
    } catch (LdapException e) {
        LOGGER.info("Unable to get LDAP Connection from factory.", e);
        return false;
    }
    if (connection != null) {
        // Validate user's credentials.
        try {
            BindResult bindResult = connection.bind(userDn, tmpPassword);
            if (!bindResult.isSuccess()) {
                LOGGER.info("Bind failed");
                return false;
            }
        } catch (Exception e) {
            LOGGER.info("Unable to bind user to LDAP server.", e);
            return false;
        } finally {
            //------------ CLOSE CONNECTION -------------------------------
            connection.close();
        }
        //---------- ADD USER AS PRINCIPAL --------------------------------
        principals.add(new UserPrincipal(user));
    } else {
        return false;
    }
    //-------------- CREATE CONNECTION #3 ---------------------------------
    try {
        connection = ldapConnectionFactory.getConnection();
    } catch (LdapException e) {
        LOGGER.info("Unable to get LDAP Connection from factory.", e);
        return false;
    }
    if (connection != null) {
        try {
            //----- BIND #3 (CONNECTION USERNAME & PASSWORD) --------------
            try {
                BindResult bindResult = connection.bind(connectionUsername, connectionPassword);
                if (!bindResult.isSuccess()) {
                    LOGGER.info("Bind failed");
                    return false;
                }
            } catch (LdapException e) {
                LOGGER.info("Unable to bind to LDAP server.", e);
                return false;
            }
            //--------- SEARCH #3, GET ROLES ------------------------------
            SearchScope scope;
            if (roleSearchSubtree) {
                scope = SearchScope.WHOLE_SUBTREE;
            } else {
                scope = SearchScope.SINGLE_LEVEL;
            }
            roleFilter = roleFilter.replaceAll(Pattern.quote("%u"), Matcher.quoteReplacement(user));
            roleFilter = roleFilter.replaceAll(Pattern.quote("%dn"), Matcher.quoteReplacement(userBaseDN));
            roleFilter = roleFilter.replaceAll(Pattern.quote("%fqdn"), Matcher.quoteReplacement(userDn));
            roleFilter = roleFilter.replace("\\", "\\\\");
            ConnectionEntryReader entryReader = connection.search(roleBaseDN, scope, roleFilter, roleNameAttribute);
            SearchResultEntry entry;
            //------------- ADD ROLES AS NEW PRINCIPALS -------------------
            try {
                while (entryReader.hasNext()) {
                    entry = entryReader.readEntry();
                    Attribute attr = entry.getAttribute(roleNameAttribute);
                    for (ByteString role : attr) {
                        principals.add(new RolePrincipal(role.toString()));
                    }
                }
            } catch (Exception e) {
                boolean result;
                throw new LoginException("Can't get user " + user + " roles: " + e.getMessage());
            }
        } finally {
            //------------ CLOSE CONNECTION -------------------------------
            connection.close();
        }
    } else {
        return false;
    }
    return true;
}
Also used : Attribute(org.forgerock.opendj.ldap.Attribute) ByteString(org.forgerock.opendj.ldap.ByteString) DigestMD5SASLBindRequest(org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest) GSSAPISASLBindRequest(org.forgerock.opendj.ldap.requests.GSSAPISASLBindRequest) BindRequest(org.forgerock.opendj.ldap.requests.BindRequest) ByteString(org.forgerock.opendj.ldap.ByteString) GSSAPISASLBindRequest(org.forgerock.opendj.ldap.requests.GSSAPISASLBindRequest) PasswordCallback(javax.security.auth.callback.PasswordCallback) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) RolePrincipal(org.apache.karaf.jaas.boot.principal.RolePrincipal) LdapException(org.forgerock.opendj.ldap.LdapException) Connection(org.forgerock.opendj.ldap.Connection) IOException(java.io.IOException) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) LoginException(javax.security.auth.login.LoginException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) LdapException(org.forgerock.opendj.ldap.LdapException) GeneralSecurityException(java.security.GeneralSecurityException) IOException(java.io.IOException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) UserPrincipal(org.apache.karaf.jaas.boot.principal.UserPrincipal) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) PasswordCallback(javax.security.auth.callback.PasswordCallback) NameCallback(javax.security.auth.callback.NameCallback) Callback(javax.security.auth.callback.Callback) NameCallback(javax.security.auth.callback.NameCallback) DigestMD5SASLBindRequest(org.forgerock.opendj.ldap.requests.DigestMD5SASLBindRequest) SearchScope(org.forgerock.opendj.ldap.SearchScope) LoginException(javax.security.auth.login.LoginException) BindResult(org.forgerock.opendj.ldap.responses.BindResult) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 24 with ConnectionEntryReader

use of org.forgerock.opendj.ldif.ConnectionEntryReader in project admin-console-beta by connexta.

the class ServerGuesser method getClaimAttributeOptions.

public Set<String> getClaimAttributeOptions(String baseUserDn) throws SearchResultReferenceIOException, LdapException {
    // Find all object classes with names like *person* in the core schema;
    // this will catch person, organizationalPerson, inetOrgPerson, etc. if present
    SortedSet<String> attributes = extractAttributes(Schema.getCoreSchema().getObjectClasses(), oc -> oc.getNameOrOID().toLowerCase().matches(".*person.*"));
    // TODO RAP 24 Jan 17: This should be moved elsewhere
    // Find any given user with the clearance attribute
    SearchRequest clearanceReq = Requests.newSearchRequest(DN.valueOf(baseUserDn), SearchScope.WHOLE_SUBTREE, Filter.present("2.16.840.1.101.2.2.1.203"), "objectClass");
    ConnectionEntryReader clearanceReader = connection.search(clearanceReq);
    if (clearanceReader.hasNext()) {
        SearchResultEntry entry = clearanceReader.readEntry();
        RootDSE rootDSE = RootDSE.readRootDSE(connection);
        DN subschemaDN = rootDSE.getSubschemaSubentry();
        Schema subschema = Schema.readSchema(connection, subschemaDN);
        // Check against both the subschema and the default schema
        attributes.addAll(extractAttributes(Entries.getObjectClasses(entry, subschema), STRUCT_OR_AUX));
        attributes.addAll(extractAttributes(Entries.getObjectClasses(entry), STRUCT_OR_AUX));
    }
    return attributes;
}
Also used : SearchRequest(org.forgerock.opendj.ldap.requests.SearchRequest) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) Schema(org.forgerock.opendj.ldap.schema.Schema) DN(org.forgerock.opendj.ldap.DN) RootDSE(org.forgerock.opendj.ldap.RootDSE) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 25 with ConnectionEntryReader

use of org.forgerock.opendj.ldif.ConnectionEntryReader in project OpenAM by OpenRock.

the class AMCRLStore method getCRLByLdapURI.

/**
     * It gets the new CRL from ldap server.
     * If it is ldap URI, the URI has to be a dn that can be accessed
     * with ldap anonymous bind.
     * (example : ldap://server:port/uid=ca,o=company.com)
     * This dn entry has to have CRL in attribute certificaterevocationlist
     * or certificaterevocationlist;binary.
     *
     * @param uri
     */
private byte[] getCRLByLdapURI(String uri) {
    if (debug.messageEnabled()) {
        debug.message("AMCRLStore.getCRLByLdapURI: uri = " + uri);
    }
    LDAPUrl url;
    LDAPConnectionFactory factory;
    byte[] crl = null;
    try {
        url = LDAPUrl.valueOf(uri);
    } catch (LocalizedIllegalArgumentException e) {
        debug.error("AMCRLStore.getCRLByLdapURI(): Could not parse uri: {}", uri, e);
        return null;
    }
    debug.message("AMCRLStore.getCRLByLdapURI: url.dn = {}", url.getName());
    // Check ldap over SSL
    if (url.isSecure()) {
        try {
            factory = new LDAPConnectionFactory(url.getHost(), url.getPort(), Options.defaultOptions().set(LDAPConnectionFactory.SSL_CONTEXT, new SSLContextBuilder().getSSLContext()));
        } catch (GeneralSecurityException e) {
            debug.error("AMCRLStore.getCRLByLdapURI: Error getting SSL Context", e);
            return null;
        }
    } else {
        // non-ssl
        factory = new LDAPConnectionFactory(url.getHost(), url.getPort());
    }
    try (Connection ldc = factory.getConnection()) {
        ConnectionEntryReader results = ldc.search(url.asSearchRequest().addControl(TransactionIdControl.newControl(AuditRequestContext.createSubTransactionIdValue())));
        if (!results.hasNext()) {
            debug.error("verifyCertificate - No CRL distribution Point configured");
            return null;
        }
        if (results.isReference()) {
            debug.warning("Getting CRL but got LDAP reference: {}", results.readReference());
            return null;
        }
        SearchResultEntry entry = results.readEntry();
        /* 
            * Retrieve the certificate revocation list if available.
            */
        Attribute crlAttribute = entry.getAttribute(CERTIFICATE_REVOCATION_LIST);
        if (crlAttribute == null) {
            crlAttribute = entry.getAttribute(CERTIFICATE_REVOCATION_LIST_BINARY);
            if (crlAttribute == null) {
                debug.error("verifyCertificate - No CRL distribution Point configured");
                return null;
            }
        }
        crl = crlAttribute.firstValue().toByteArray();
    } catch (Exception e) {
        debug.error("getCRLByLdapURI : Error in getting CRL", e);
    }
    return crl;
}
Also used : ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) LDAPUrl(org.forgerock.opendj.ldap.LDAPUrl) Attribute(org.forgerock.opendj.ldap.Attribute) GeneralSecurityException(java.security.GeneralSecurityException) HttpURLConnection(java.net.HttpURLConnection) Connection(org.forgerock.opendj.ldap.Connection) LDAPConnectionFactory(org.forgerock.opendj.ldap.LDAPConnectionFactory) LocalizedIllegalArgumentException(org.forgerock.i18n.LocalizedIllegalArgumentException) SSLContextBuilder(org.forgerock.opendj.ldap.SSLContextBuilder) LdapException(org.forgerock.opendj.ldap.LdapException) GeneralSecurityException(java.security.GeneralSecurityException) IOException(java.io.IOException) LocalizedIllegalArgumentException(org.forgerock.i18n.LocalizedIllegalArgumentException) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Aggregations

ConnectionEntryReader (org.forgerock.opendj.ldif.ConnectionEntryReader)48 LdapException (org.forgerock.opendj.ldap.LdapException)38 SearchResultEntry (org.forgerock.opendj.ldap.responses.SearchResultEntry)38 Connection (org.forgerock.opendj.ldap.Connection)35 ByteString (org.forgerock.opendj.ldap.ByteString)26 SearchRequest (org.forgerock.opendj.ldap.requests.SearchRequest)26 SearchResultReferenceIOException (org.forgerock.opendj.ldap.SearchResultReferenceIOException)19 ResultCode (org.forgerock.opendj.ldap.ResultCode)18 HashSet (java.util.HashSet)17 Attribute (org.forgerock.opendj.ldap.Attribute)16 PolicyException (com.sun.identity.policy.PolicyException)12 SSOException (com.iplanet.sso.SSOException)11 IOException (java.io.IOException)10 InvalidNameException (com.sun.identity.policy.InvalidNameException)9 NameNotFoundException (com.sun.identity.policy.NameNotFoundException)9 SMSException (com.sun.identity.sm.SMSException)7 ArrayList (java.util.ArrayList)7 LinkedHashSet (java.util.LinkedHashSet)7 DN (org.forgerock.opendj.ldap.DN)7 CaseInsensitiveHashSet (com.sun.identity.common.CaseInsensitiveHashSet)5