Example 1 with LdapSettings
use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.
the class ClusterStatsService method ldapStats.
public LdapStats ldapStats() {
int numberOfRoles = 0;
LdapSettings ldapSettings = null;
try {
numberOfRoles = roleService.loadAll().size();
ldapSettings = ldapSettingsService.load();
} catch (NotFoundException ignored) {
}
if (ldapSettings == null) {
return LdapStats.create(false, false, 0, numberOfRoles);
}
return LdapStats.create(ldapSettings.isEnabled(), ldapSettings.isActiveDirectory(), ldapSettings.getGroupMapping().size(), numberOfRoles);
}
Also used :
NotFoundException(org.graylog2.database.NotFoundException)
LdapSettings(org.graylog2.shared.security.ldap.LdapSettings)
Example 2 with LdapSettings
use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.
the class LdapUserAuthenticator method updateFromLdap.
private void updateFromLdap(User user, LdapEntry userEntry, LdapSettings ldapSettings, String username) {
final String displayNameAttribute = ldapSettings.getDisplayNameAttribute();
final String fullName = firstNonNull(userEntry.get(displayNameAttribute), username);
user.setName(username);
user.setFullName(fullName);
user.setExternal(true);
if (user.getTimeZone() == null) {
user.setTimeZone(rootTimeZone);
}
final String email = userEntry.getEmail();
if (isNullOrEmpty(email)) {
LOG.debug("No email address found for user {} in LDAP. Using {}@localhost", username, username);
user.setEmail(username + "@localhost");
} else {
user.setEmail(email);
}
// TODO This is a crude hack until we have a proper way to distinguish LDAP users from normal users
if (isNullOrEmpty(user.getHashedPassword())) {
((UserImpl) user).setHashedPassword("User synced from LDAP.");
}
// map ldap groups to user roles, if the mapping is present
final Set<String> translatedRoleIds = Sets.newHashSet(Sets.union(Sets.newHashSet(ldapSettings.getDefaultGroupId()), ldapSettings.getAdditionalDefaultGroupIds()));
if (!userEntry.getGroups().isEmpty()) {
// ldap search returned groups, these always override the ones set on the user
try {
final Map<String, Role> roleNameToRole = roleService.loadAllLowercaseNameMap();
for (String ldapGroupName : userEntry.getGroups()) {
final String roleName = ldapSettings.getGroupMapping().get(ldapGroupName);
if (roleName == null) {
LOG.debug("User {}: No group mapping for ldap group <{}>", username, ldapGroupName);
continue;
}
final Role role = roleNameToRole.get(roleName.toLowerCase(Locale.ENGLISH));
if (role != null) {
LOG.debug("User {}: Mapping ldap group <{}> to role <{}>", username, ldapGroupName, role.getName());
translatedRoleIds.add(role.getId());
} else {
LOG.warn("User {}: No role found for ldap group <{}>", username, ldapGroupName);
}
}
} catch (NotFoundException e) {
LOG.error("Unable to load user roles", e);
}
} else if (ldapSettings.getGroupMapping().isEmpty() || ldapSettings.getGroupSearchBase().isEmpty() || ldapSettings.getGroupSearchPattern().isEmpty() || ldapSettings.getGroupIdAttribute().isEmpty()) {
// no group mapping or configuration set, we'll leave the previously set groups alone on sync
// when first creating the user these will be empty
translatedRoleIds.addAll(user.getRoleIds());
}
user.setRoleIds(translatedRoleIds);
// preserve the raw permissions (the ones without the synthetic self-edit permissions or the "*" admin one)
user.setPermissions(user.getPermissions());
}
Also used :
Role(org.graylog2.shared.users.Role)
UserImpl(org.graylog2.users.UserImpl)
NotFoundException(org.graylog2.database.NotFoundException)
Example 3 with LdapSettings
use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.
the class LdapResource method updateGroupMappingSettings.
@PUT
@RequiresPermissions(value = { RestPermissions.LDAPGROUPS_EDIT, RestPermissions.LDAP_EDIT }, logical = OR)
@ApiOperation(value = "Update the LDAP group to Graylog role mapping", notes = "Corresponds directly to the output of GET /system/ldap/settings/groups")
@Path("/settings/groups")
@Consumes(MediaType.APPLICATION_JSON)
@AuditEvent(type = AuditEventTypes.LDAP_GROUP_MAPPING_UPDATE)
public Response updateGroupMappingSettings(@ApiParam(name = "JSON body", required = true, value = "A hash in which the keys are the LDAP group names and values is the Graylog role name.") @NotNull Map<String, String> groupMapping) throws ValidationException {
final LdapSettings ldapSettings = firstNonNull(ldapSettingsService.load(), ldapSettingsFactory.createEmpty());
ldapSettings.setGroupMapping(groupMapping);
ldapSettingsService.save(ldapSettings);
return Response.noContent().build();
}
Also used :
LdapSettings(org.graylog2.shared.security.ldap.LdapSettings)
Path(javax.ws.rs.Path)
RequiresPermissions(org.apache.shiro.authz.annotation.RequiresPermissions)
Consumes(javax.ws.rs.Consumes)
ApiOperation(io.swagger.annotations.ApiOperation)
NoAuditEvent(org.graylog2.audit.jersey.NoAuditEvent)
AuditEvent(org.graylog2.audit.jersey.AuditEvent)
PUT(javax.ws.rs.PUT)
Example 4 with LdapSettings
use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.
the class LdapSettingsServiceImplTest method loadReturnNullIfPasswordSecretIsWrong.
@Test
@UsingDataSet(loadStrategy = LoadStrategyEnum.CLEAN_INSERT, locations = "LdapSettingsServiceImplTest-invalid-password.json")
public void loadReturnNullIfPasswordSecretIsWrong() throws Exception {
final LdapSettings ldapSettings = ldapSettingsService.load();
assertThat(ldapSettings).isNull();
}
Also used :
LdapSettings(org.graylog2.shared.security.ldap.LdapSettings)
UsingDataSet(com.lordofthejars.nosqlunit.annotation.UsingDataSet)
Test(org.junit.Test)
Example 5 with LdapSettings
use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.
the class LdapGroupMappingMigration method doRun.
@Override
public void doRun() {
final LdapSettings ldapSettings = ldapSettingsService.load();
if (ldapSettings != null) {
ldapSettings.setGroupMapping(ldapSettings.getGroupMapping());
try {
ldapSettingsService.save(ldapSettings);
clusterConfigService.write(LdapGroupMappingMigrationState.create(true));
log.info("Migrated LDAP group mapping format");
} catch (ValidationException e) {
log.error("Unable to save migrated LDAP settings!", e);
}
}
}
Also used :
ValidationException(org.graylog2.plugin.database.ValidationException)
LdapSettings(org.graylog2.shared.security.ldap.LdapSettings)
Aggregations
LdapSettings (org.graylog2.shared.security.ldap.LdapSettings)10
Test (org.junit.Test)5
UsingDataSet (com.lordofthejars.nosqlunit.annotation.UsingDataSet)4
User (org.graylog2.plugin.database.users.User)4
ApiOperation (io.swagger.annotations.ApiOperation)3
Path (javax.ws.rs.Path)3
LdapConnectionConfig (org.apache.directory.ldap.client.api.LdapConnectionConfig)3
RequiresPermissions (org.apache.shiro.authz.annotation.RequiresPermissions)3
NotFoundException (org.graylog2.database.NotFoundException)3
ValidationException (org.graylog2.plugin.database.ValidationException)3
LdapEntry (org.graylog2.shared.security.ldap.LdapEntry)3
UserImpl (org.graylog2.users.UserImpl)3
Consumes (javax.ws.rs.Consumes)2
PUT (javax.ws.rs.PUT)2
LdapException (org.apache.directory.api.ldap.model.exception.LdapException)2
LdapNetworkConnection (org.apache.directory.ldap.client.api.LdapNetworkConnection)2
UsernamePasswordToken (org.apache.shiro.authc.UsernamePasswordToken)2
AuditEvent (org.graylog2.audit.jersey.AuditEvent)2
NoAuditEvent (org.graylog2.audit.jersey.NoAuditEvent)2
TrustAllX509TrustManager (org.graylog2.security.TrustAllX509TrustManager)2
