use of org.forgerock.opendj.ldif.ConnectionEntryReader in project OpenAM by OpenRock.
the class DJLDAPv3Repo method search.
/**
* Performs a search in the directory based on the provided parameters.
* Using the pattern and avPairs parameters an example search filter would look something like:
* <code>(&(|(attr1=value1)(attr2=value2))(searchAttr=pattern)(objectclassfilter))</code>.
*
* @param token Not used.
* @param type The type of the identity.
* @param crestQuery Either a string, coming from something like the CREST endpoint _queryId or a fully
* fledged query filter, coming from a CREST endpoint's _queryFilter
* @param maxTime The time limit for this search (in seconds). When maxTime < 1, the default time limit will
* be used.
* @param maxResults The number of maximum results we should receive for this search. When maxResults < 1 the
* default sizelimit will be used.
* @param returnAttrs The attributes that should be returned from the "search hits".
* @param returnAllAttrs <code>true</code> if all user attribute should be returned.
* @param filterOp When avPairs is provided, this logical operation will be used between them. Use
* {@link IdRepo#AND_MOD} or {@link IdRepo#OR_MOD}.
* @param avPairs Attribute-value pairs based on the search should be performed.
* @param recursive Deprecated setting, not used.
* @return The search results based on the provided parameters.
* @throws IdRepoException Shouldn't be thrown as the returned RepoSearchResults will contain the error code.
*/
@Override
public RepoSearchResults search(SSOToken token, IdType type, CrestQuery crestQuery, int maxTime, int maxResults, Set<String> returnAttrs, boolean returnAllAttrs, int filterOp, Map<String, Set<String>> avPairs, boolean recursive) throws IdRepoException {
if (DEBUG.messageEnabled()) {
DEBUG.message("search invoked with type: " + type + " crestQuery: " + crestQuery + " avPairs: " + avPairs + " maxTime: " + maxTime + " maxResults: " + maxResults + " returnAttrs: " + returnAttrs + " returnAllAttrs: " + returnAllAttrs + " filterOp: " + filterOp + " recursive: " + recursive);
}
DN baseDN = getBaseDN(type);
// Recursive is a deprecated setting on IdSearchControl, hence we should use the searchscope defined in the
// datastore configuration.
SearchScope scope = defaultScope;
String searchAttr = getSearchAttribute(type);
String[] attrs;
Filter first;
if (crestQuery.hasQueryId()) {
first = Filter.valueOf(searchAttr + "=" + crestQuery.getQueryId());
} else {
first = crestQuery.getQueryFilter().accept(new LdapFromJsonQueryFilterVisitor(), null);
}
Filter filter = Filter.and(first, getObjectClassFilter(type));
Filter tempFilter = constructFilter(filterOp, avPairs);
if (tempFilter != null) {
filter = Filter.and(tempFilter, filter);
}
if (returnAllAttrs || (returnAttrs != null && returnAttrs.contains("*"))) {
Set<String> predefinedAttrs = getDefinedAttributes(type);
attrs = predefinedAttrs.toArray(new String[predefinedAttrs.size()]);
returnAllAttrs = true;
} else if (returnAttrs != null && !returnAttrs.isEmpty()) {
returnAttrs.add(searchAttr);
attrs = returnAttrs.toArray(new String[returnAttrs.size()]);
} else {
attrs = new String[] { searchAttr };
}
SearchRequest searchRequest = LDAPRequests.newSearchRequest(baseDN, scope, filter, attrs);
searchRequest.setSizeLimit(maxResults < 1 ? defaultSizeLimit : maxResults);
searchRequest.setTimeLimit(maxTime < 1 ? defaultTimeLimit : maxTime);
Connection conn = null;
Set<String> names = new HashSet<String>();
Map<String, Map<String, Set<String>>> entries = new HashMap<String, Map<String, Set<String>>>();
int errorCode = RepoSearchResults.SUCCESS;
try {
conn = connectionFactory.getConnection();
ConnectionEntryReader reader = conn.search(searchRequest);
while (reader.hasNext()) {
Map<String, Set<String>> attributes = new HashMap<String, Set<String>>();
if (reader.isEntry()) {
SearchResultEntry entry = reader.readEntry();
String name = entry.parseAttribute(searchAttr).asString();
names.add(name);
if (returnAllAttrs) {
for (Attribute attribute : entry.getAllAttributes()) {
LDAPUtils.addAttributeToMapAsString(attribute, attributes);
}
entries.put(name, attributes);
} else if (returnAttrs != null && !returnAttrs.isEmpty()) {
for (String attr : returnAttrs) {
Attribute attribute = entry.getAttribute(attr);
if (attribute != null) {
LDAPUtils.addAttributeToMapAsString(attribute, attributes);
}
}
entries.put(name, attributes);
} else {
//there is no attribute to return, don't populate the entries map
}
} else {
//ignore search result references
reader.readReference();
}
}
} catch (LdapException ere) {
ResultCode resultCode = ere.getResult().getResultCode();
if (resultCode.equals(ResultCode.NO_SUCH_OBJECT)) {
return new RepoSearchResults(new HashSet<String>(0), RepoSearchResults.SUCCESS, Collections.EMPTY_MAP, type);
} else if (resultCode.equals(ResultCode.TIME_LIMIT_EXCEEDED) || resultCode.equals(ResultCode.CLIENT_SIDE_TIMEOUT)) {
errorCode = RepoSearchResults.TIME_LIMIT_EXCEEDED;
} else if (resultCode.equals(ResultCode.SIZE_LIMIT_EXCEEDED)) {
errorCode = RepoSearchResults.SIZE_LIMIT_EXCEEDED;
} else {
DEBUG.error("Unexpected error occurred during search", ere);
errorCode = resultCode.intValue();
}
} catch (SearchResultReferenceIOException srrioe) {
//should never ever happen...
DEBUG.error("Got reference instead of entry", srrioe);
throw newIdRepoException(IdRepoErrorCode.SEARCH_FAILED, CLASS_NAME);
} finally {
IOUtils.closeIfNotNull(conn);
}
return new RepoSearchResults(names, errorCode, entries, type);
}
use of org.forgerock.opendj.ldif.ConnectionEntryReader in project OpenAM by OpenRock.
the class DJLDAPv3Repo method getGroupMemberships.
/**
* Returns the group membership informations for this given user. In case the memberOf attribute is configured,
* this will try to query the user entry and return the group DNs found in the memberOf attribute. Otherwise a
* search request will be issued using the uniqueMember attribute looking for matches with the user DN.
*
* @param dn The DN of the user identity.
* @return The DNs of the groups that the provided user is member of.
* @throws IdRepoException If there was an error while retrieving the group membership information.
*/
private Set<String> getGroupMemberships(String dn) throws IdRepoException {
Set<String> results = new HashSet<String>();
if (memberOfAttr == null) {
Filter filter = Filter.and(groupSearchFilter, Filter.equality(uniqueMemberAttr, dn));
SearchRequest searchRequest = LDAPRequests.newSearchRequest(getBaseDN(IdType.GROUP), defaultScope, filter, DN_ATTR);
searchRequest.setTimeLimit(defaultTimeLimit);
searchRequest.setSizeLimit(defaultSizeLimit);
Connection conn = null;
try {
conn = connectionFactory.getConnection();
ConnectionEntryReader reader = conn.search(searchRequest);
while (reader.hasNext()) {
if (reader.isEntry()) {
results.add(reader.readEntry().getName().toString());
} else {
//ignore search result references
reader.readReference();
}
}
} catch (LdapException ere) {
DEBUG.error("An error occurred while trying to retrieve group memberships for " + dn + " using " + uniqueMemberAttr, ere);
handleErrorResult(ere);
} catch (SearchResultReferenceIOException srrioe) {
//should never ever happen...
DEBUG.error("Got reference instead of entry", srrioe);
throw newIdRepoException(IdRepoErrorCode.SEARCH_FAILED, CLASS_NAME);
} finally {
IOUtils.closeIfNotNull(conn);
}
} else {
Connection conn = null;
try {
conn = connectionFactory.getConnection();
SearchResultEntry entry = conn.searchSingleEntry(LDAPRequests.newSingleEntrySearchRequest(dn, memberOfAttr));
Attribute attr = entry.getAttribute(memberOfAttr);
if (attr != null) {
results.addAll(LDAPUtils.getAttributeValuesAsStringSet(attr));
}
} catch (LdapException ere) {
DEBUG.error("An error occurred while trying to retrieve group memberships for " + dn + " using " + memberOfAttr + " attribute", ere);
handleErrorResult(ere);
} finally {
IOUtils.closeIfNotNull(conn);
}
}
return results;
}
use of org.forgerock.opendj.ldif.ConnectionEntryReader in project ddf by codice.
the class SslLdapLoginModule method doLogin.
protected boolean doLogin() throws LoginException {
//--------- EXTRACT USERNAME AND PASSWORD FOR LDAP LOOKUP -------------
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("Username: ");
callbacks[1] = new PasswordCallback("Password: ", false);
try {
callbackHandler.handle(callbacks);
} catch (IOException ioException) {
throw new LoginException(ioException.getMessage());
} catch (UnsupportedCallbackException unsupportedCallbackException) {
boolean result;
throw new LoginException(unsupportedCallbackException.getMessage() + " not available to obtain information from user.");
}
user = ((NameCallback) callbacks[0]).getName();
if (user == null) {
return false;
}
user = user.trim();
validateUsername(user);
char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
// this method.
if ("none".equalsIgnoreCase(getBindMethod()) && (tmpPassword != null)) {
LOGGER.debug("Changing from authentication = none to simple since user or password was specified.");
// default to simple so that the provided user/password will get checked
setBindMethod(DEFAULT_AUTHENTICATION);
}
if (tmpPassword == null) {
tmpPassword = new char[0];
}
//---------------------------------------------------------------------
// RESET OBJECT STATE AND DECLARE LOCAL VARS
principals = new HashSet<>();
Connection connection;
String userDn;
//------------- CREATE CONNECTION #1 ----------------------------------
try {
connection = ldapConnectionFactory.getConnection();
} catch (LdapException e) {
LOGGER.info("Unable to get LDAP Connection from factory.", e);
return false;
}
if (connection != null) {
try {
//------------- BIND #1 (CONNECTION USERNAME & PASSWORD) --------------
try {
BindRequest request;
switch(getBindMethod()) {
case "Simple":
request = Requests.newSimpleBindRequest(connectionUsername, connectionPassword);
break;
case "SASL":
request = Requests.newPlainSASLBindRequest(connectionUsername, connectionPassword);
break;
case "GSSAPI SASL":
request = Requests.newGSSAPISASLBindRequest(connectionUsername, connectionPassword);
((GSSAPISASLBindRequest) request).setRealm(realm);
((GSSAPISASLBindRequest) request).setKDCAddress(kdcAddress);
break;
case "Digest MD5 SASL":
request = Requests.newDigestMD5SASLBindRequest(connectionUsername, connectionPassword);
((DigestMD5SASLBindRequest) request).setCipher(DigestMD5SASLBindRequest.CIPHER_HIGH);
((DigestMD5SASLBindRequest) request).getQOPs().clear();
((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_CONF);
((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH_INT);
((DigestMD5SASLBindRequest) request).getQOPs().add(DigestMD5SASLBindRequest.QOP_AUTH);
if (StringUtils.isNotEmpty(realm)) {
((DigestMD5SASLBindRequest) request).setRealm(realm);
}
break;
default:
request = Requests.newSimpleBindRequest(connectionUsername, connectionPassword);
break;
}
BindResult bindResult = connection.bind(request);
if (!bindResult.isSuccess()) {
LOGGER.debug("Bind failed");
return false;
}
} catch (LdapException e) {
LOGGER.debug("Unable to bind to LDAP server.", e);
return false;
}
//--------- SEARCH #1, FIND USER DISTINGUISHED NAME -----------
SearchScope scope;
if (userSearchSubtree) {
scope = SearchScope.WHOLE_SUBTREE;
} else {
scope = SearchScope.SINGLE_LEVEL;
}
userFilter = userFilter.replaceAll(Pattern.quote("%u"), Matcher.quoteReplacement(user));
userFilter = userFilter.replace("\\", "\\\\");
ConnectionEntryReader entryReader = connection.search(userBaseDN, scope, userFilter);
try {
if (!entryReader.hasNext()) {
LOGGER.info("User {} not found in LDAP.", user);
return false;
}
SearchResultEntry searchResultEntry = entryReader.readEntry();
userDn = searchResultEntry.getName().toString();
} catch (LdapException | SearchResultReferenceIOException e) {
LOGGER.info("Unable to read contents of LDAP user search.", e);
return false;
}
} finally {
//------------ CLOSE CONNECTION -------------------------------
connection.close();
}
} else {
return false;
}
//------------- CREATE CONNECTION #2 ----------------------------------
try {
connection = ldapConnectionFactory.getConnection();
} catch (LdapException e) {
LOGGER.info("Unable to get LDAP Connection from factory.", e);
return false;
}
if (connection != null) {
// Validate user's credentials.
try {
BindResult bindResult = connection.bind(userDn, tmpPassword);
if (!bindResult.isSuccess()) {
LOGGER.info("Bind failed");
return false;
}
} catch (Exception e) {
LOGGER.info("Unable to bind user to LDAP server.", e);
return false;
} finally {
//------------ CLOSE CONNECTION -------------------------------
connection.close();
}
//---------- ADD USER AS PRINCIPAL --------------------------------
principals.add(new UserPrincipal(user));
} else {
return false;
}
//-------------- CREATE CONNECTION #3 ---------------------------------
try {
connection = ldapConnectionFactory.getConnection();
} catch (LdapException e) {
LOGGER.info("Unable to get LDAP Connection from factory.", e);
return false;
}
if (connection != null) {
try {
//----- BIND #3 (CONNECTION USERNAME & PASSWORD) --------------
try {
BindResult bindResult = connection.bind(connectionUsername, connectionPassword);
if (!bindResult.isSuccess()) {
LOGGER.info("Bind failed");
return false;
}
} catch (LdapException e) {
LOGGER.info("Unable to bind to LDAP server.", e);
return false;
}
//--------- SEARCH #3, GET ROLES ------------------------------
SearchScope scope;
if (roleSearchSubtree) {
scope = SearchScope.WHOLE_SUBTREE;
} else {
scope = SearchScope.SINGLE_LEVEL;
}
roleFilter = roleFilter.replaceAll(Pattern.quote("%u"), Matcher.quoteReplacement(user));
roleFilter = roleFilter.replaceAll(Pattern.quote("%dn"), Matcher.quoteReplacement(userBaseDN));
roleFilter = roleFilter.replaceAll(Pattern.quote("%fqdn"), Matcher.quoteReplacement(userDn));
roleFilter = roleFilter.replace("\\", "\\\\");
ConnectionEntryReader entryReader = connection.search(roleBaseDN, scope, roleFilter, roleNameAttribute);
SearchResultEntry entry;
//------------- ADD ROLES AS NEW PRINCIPALS -------------------
try {
while (entryReader.hasNext()) {
entry = entryReader.readEntry();
Attribute attr = entry.getAttribute(roleNameAttribute);
for (ByteString role : attr) {
principals.add(new RolePrincipal(role.toString()));
}
}
} catch (Exception e) {
boolean result;
throw new LoginException("Can't get user " + user + " roles: " + e.getMessage());
}
} finally {
//------------ CLOSE CONNECTION -------------------------------
connection.close();
}
} else {
return false;
}
return true;
}
use of org.forgerock.opendj.ldif.ConnectionEntryReader in project admin-console-beta by connexta.
the class ServerGuesser method getClaimAttributeOptions.
public Set<String> getClaimAttributeOptions(String baseUserDn) throws SearchResultReferenceIOException, LdapException {
// Find all object classes with names like *person* in the core schema;
// this will catch person, organizationalPerson, inetOrgPerson, etc. if present
SortedSet<String> attributes = extractAttributes(Schema.getCoreSchema().getObjectClasses(), oc -> oc.getNameOrOID().toLowerCase().matches(".*person.*"));
// TODO RAP 24 Jan 17: This should be moved elsewhere
// Find any given user with the clearance attribute
SearchRequest clearanceReq = Requests.newSearchRequest(DN.valueOf(baseUserDn), SearchScope.WHOLE_SUBTREE, Filter.present("2.16.840.1.101.2.2.1.203"), "objectClass");
ConnectionEntryReader clearanceReader = connection.search(clearanceReq);
if (clearanceReader.hasNext()) {
SearchResultEntry entry = clearanceReader.readEntry();
RootDSE rootDSE = RootDSE.readRootDSE(connection);
DN subschemaDN = rootDSE.getSubschemaSubentry();
Schema subschema = Schema.readSchema(connection, subschemaDN);
// Check against both the subschema and the default schema
attributes.addAll(extractAttributes(Entries.getObjectClasses(entry, subschema), STRUCT_OR_AUX));
attributes.addAll(extractAttributes(Entries.getObjectClasses(entry), STRUCT_OR_AUX));
}
return attributes;
}
use of org.forgerock.opendj.ldif.ConnectionEntryReader in project OpenAM by OpenRock.
the class AMCRLStore method getCRLByLdapURI.
/**
* It gets the new CRL from ldap server.
* If it is ldap URI, the URI has to be a dn that can be accessed
* with ldap anonymous bind.
* (example : ldap://server:port/uid=ca,o=company.com)
* This dn entry has to have CRL in attribute certificaterevocationlist
* or certificaterevocationlist;binary.
*
* @param uri
*/
private byte[] getCRLByLdapURI(String uri) {
if (debug.messageEnabled()) {
debug.message("AMCRLStore.getCRLByLdapURI: uri = " + uri);
}
LDAPUrl url;
LDAPConnectionFactory factory;
byte[] crl = null;
try {
url = LDAPUrl.valueOf(uri);
} catch (LocalizedIllegalArgumentException e) {
debug.error("AMCRLStore.getCRLByLdapURI(): Could not parse uri: {}", uri, e);
return null;
}
debug.message("AMCRLStore.getCRLByLdapURI: url.dn = {}", url.getName());
// Check ldap over SSL
if (url.isSecure()) {
try {
factory = new LDAPConnectionFactory(url.getHost(), url.getPort(), Options.defaultOptions().set(LDAPConnectionFactory.SSL_CONTEXT, new SSLContextBuilder().getSSLContext()));
} catch (GeneralSecurityException e) {
debug.error("AMCRLStore.getCRLByLdapURI: Error getting SSL Context", e);
return null;
}
} else {
// non-ssl
factory = new LDAPConnectionFactory(url.getHost(), url.getPort());
}
try (Connection ldc = factory.getConnection()) {
ConnectionEntryReader results = ldc.search(url.asSearchRequest().addControl(TransactionIdControl.newControl(AuditRequestContext.createSubTransactionIdValue())));
if (!results.hasNext()) {
debug.error("verifyCertificate - No CRL distribution Point configured");
return null;
}
if (results.isReference()) {
debug.warning("Getting CRL but got LDAP reference: {}", results.readReference());
return null;
}
SearchResultEntry entry = results.readEntry();
/*
* Retrieve the certificate revocation list if available.
*/
Attribute crlAttribute = entry.getAttribute(CERTIFICATE_REVOCATION_LIST);
if (crlAttribute == null) {
crlAttribute = entry.getAttribute(CERTIFICATE_REVOCATION_LIST_BINARY);
if (crlAttribute == null) {
debug.error("verifyCertificate - No CRL distribution Point configured");
return null;
}
}
crl = crlAttribute.firstValue().toByteArray();
} catch (Exception e) {
debug.error("getCRLByLdapURI : Error in getting CRL", e);
}
return crl;
}
Aggregations