Example 1 with LdapSettings

Use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.

From the class ClusterStatsService, method ldapStats:

public LdapStats ldapStats() {
    int numberOfRoles = 0;
    LdapSettings ldapSettings = null;
    try {
        numberOfRoles = roleService.loadAll().size();
        // load() returns null when no settings are stored (see Example 4 for the wrong-secret case)
        ldapSettings = ldapSettingsService.load();
    } catch (NotFoundException ignored) {
        // nothing stored yet: fall through with the defaults initialised above
    }
    if (ldapSettings == null) {
        // LDAP is not configured: report it as disabled with no group mappings
        return LdapStats.create(false, false, 0, numberOfRoles);
    }
    return LdapStats.create(ldapSettings.isEnabled(), ldapSettings.isActiveDirectory(), ldapSettings.getGroupMapping().size(), numberOfRoles);
}
Also used: NotFoundException(org.graylog2.database.NotFoundException) LdapSettings(org.graylog2.shared.security.ldap.LdapSettings)

Example 2 with LdapSettings

Use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.

From the class LdapUserAuthenticator, method updateFromLdap:

private void updateFromLdap(User user, LdapEntry userEntry, LdapSettings ldapSettings, String username) {
    // display name comes from the configured LDAP attribute, falling back to the login name
    final String displayNameAttribute = ldapSettings.getDisplayNameAttribute();
    final String fullName = firstNonNull(userEntry.get(displayNameAttribute), username);
    user.setName(username);
    user.setFullName(fullName);
    // mark the account as externally managed so the local password path is not used
    user.setExternal(true);
    if (user.getTimeZone() == null) {
        user.setTimeZone(rootTimeZone);
    }
    final String email = userEntry.getEmail();
    if (isNullOrEmpty(email)) {
        LOG.debug("No email address found for user {} in LDAP. Using {}@localhost", username, username);
        user.setEmail(username + "@localhost");
    } else {
        user.setEmail(email);
    }
    // TODO This is a crude hack until we have a proper way to distinguish LDAP users from normal users
    if (isNullOrEmpty(user.getHashedPassword())) {
        ((UserImpl) user).setHashedPassword("User synced from LDAP.");
    }
    // map ldap groups to user roles, if the mapping is present
    // start from the configured default role plus any additional default roles
    final Set<String> translatedRoleIds = Sets.newHashSet(Sets.union(Sets.newHashSet(ldapSettings.getDefaultGroupId()), ldapSettings.getAdditionalDefaultGroupIds()));
    if (!userEntry.getGroups().isEmpty()) {
        // ldap search returned groups, these always override the ones set on the user
        try {
            final Map<String, Role> roleNameToRole = roleService.loadAllLowercaseNameMap();
            for (String ldapGroupName : userEntry.getGroups()) {
                final String roleName = ldapSettings.getGroupMapping().get(ldapGroupName);
                if (roleName == null) {
                    LOG.debug("User {}: No group mapping for ldap group <{}>", username, ldapGroupName);
                    continue;
                }
                final Role role = roleNameToRole.get(roleName.toLowerCase(Locale.ENGLISH));
                if (role != null) {
                    LOG.debug("User {}: Mapping ldap group <{}> to role <{}>", username, ldapGroupName, role.getName());
                    translatedRoleIds.add(role.getId());
                } else {
                    LOG.warn("User {}: No role found for ldap group <{}>", username, ldapGroupName);
                }
            }
        } catch (NotFoundException e) {
            LOG.error("Unable to load user roles", e);
        }
    } else if (ldapSettings.getGroupMapping().isEmpty() || ldapSettings.getGroupSearchBase().isEmpty() || ldapSettings.getGroupSearchPattern().isEmpty() || ldapSettings.getGroupIdAttribute().isEmpty()) {
        // no group mapping or configuration set, we'll leave the previously set groups alone on sync
        // when first creating the user these will be empty
        translatedRoleIds.addAll(user.getRoleIds());
    }
    user.setRoleIds(translatedRoleIds);
    // preserve the raw permissions (the ones without the synthetic self-edit permissions or the "*" admin one)
    user.setPermissions(user.getPermissions());
}
Also used: Role(org.graylog2.shared.users.Role) UserImpl(org.graylog2.users.UserImpl) NotFoundException(org.graylog2.database.NotFoundException)

Example 3 with LdapSettings

Use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.

From the class LdapResource, method updateGroupMappingSettings:

@PUT
@RequiresPermissions(value = { RestPermissions.LDAPGROUPS_EDIT, RestPermissions.LDAP_EDIT }, logical = OR)
@ApiOperation(value = "Update the LDAP group to Graylog role mapping", notes = "Corresponds directly to the output of GET /system/ldap/settings/groups")
@Path("/settings/groups")
@Consumes(MediaType.APPLICATION_JSON)
@AuditEvent(type = AuditEventTypes.LDAP_GROUP_MAPPING_UPDATE)
public Response updateGroupMappingSettings(@ApiParam(name = "JSON body", required = true, value = "A hash in which the keys are the LDAP group names and values is the Graylog role name.") @NotNull Map<String, String> groupMapping) throws ValidationException {
    // start from the stored settings, or an empty settings object if LDAP has never been configured
    final LdapSettings ldapSettings = firstNonNull(ldapSettingsService.load(), ldapSettingsFactory.createEmpty());
    // the submitted map replaces the whole group-to-role mapping rather than merging with it
    ldapSettings.setGroupMapping(groupMapping);
    ldapSettingsService.save(ldapSettings);
    return Response.noContent().build();
}
Also used: LdapSettings(org.graylog2.shared.security.ldap.LdapSettings) Path(javax.ws.rs.Path) RequiresPermissions(org.apache.shiro.authz.annotation.RequiresPermissions) Consumes(javax.ws.rs.Consumes) ApiOperation(io.swagger.annotations.ApiOperation) NoAuditEvent(org.graylog2.audit.jersey.NoAuditEvent) AuditEvent(org.graylog2.audit.jersey.AuditEvent) PUT(javax.ws.rs.PUT)

Example 4 with LdapSettings

Use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.

From the class LdapSettingsServiceImplTest, method loadReturnNullIfPasswordSecretIsWrong:

@Test
@UsingDataSet(loadStrategy = LoadStrategyEnum.CLEAN_INSERT, locations = "LdapSettingsServiceImplTest-invalid-password.json")
public void loadReturnNullIfPasswordSecretIsWrong() throws Exception {
    // the data set holds settings whose stored password cannot be decrypted with the current secret;
    // load() must report that as "no settings" rather than returning a half-usable object
    final LdapSettings ldapSettings = ldapSettingsService.load();
    assertThat(ldapSettings).isNull();
}
Also used: LdapSettings(org.graylog2.shared.security.ldap.LdapSettings) UsingDataSet(com.lordofthejars.nosqlunit.annotation.UsingDataSet) Test(org.junit.Test)

Example 5 with LdapSettings

Use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.

From the class LdapGroupMappingMigration, method doRun:

@Override
public void doRun() {
    final LdapSettings ldapSettings = ldapSettingsService.load();
    if (ldapSettings != null) {
        // re-setting the existing mapping makes save() write it out in the new storage format
        ldapSettings.setGroupMapping(ldapSettings.getGroupMapping());
        try {
            ldapSettingsService.save(ldapSettings);
            // record completion in the cluster config so the migration does not run again
            clusterConfigService.write(LdapGroupMappingMigrationState.create(true));
            log.info("Migrated LDAP group mapping format");
        } catch (ValidationException e) {
            log.error("Unable to save migrated LDAP settings!", e);
        }
    }
}
Also used: ValidationException(org.graylog2.plugin.database.ValidationException) LdapSettings(org.graylog2.shared.security.ldap.LdapSettings)
