Example 6 with LdapSettings
use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.
the class LdapUserAuthenticator method doGetAuthenticationInfo.
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authtoken) throws AuthenticationException {
// safe, we only handle this type
final UsernamePasswordToken token = (UsernamePasswordToken) authtoken;
final LdapSettings ldapSettings = ldapSettingsService.load();
if (ldapSettings == null || !ldapSettings.isEnabled()) {
LOG.trace("LDAP is disabled, skipping");
return null;
}
final LdapConnectionConfig config = new LdapConnectionConfig();
config.setLdapHost(ldapSettings.getUri().getHost());
config.setLdapPort(ldapSettings.getUri().getPort());
config.setUseSsl(ldapSettings.getUri().getScheme().startsWith("ldaps"));
config.setUseTls(ldapSettings.isUseStartTls());
if (ldapSettings.isTrustAllCertificates()) {
config.setTrustManagers(new TrustAllX509TrustManager());
}
config.setName(ldapSettings.getSystemUserName());
config.setCredentials(ldapSettings.getSystemPassword());
final String principal = (String) token.getPrincipal();
final char[] tokenPassword = firstNonNull(token.getPassword(), new char[0]);
final String password = String.valueOf(tokenPassword);
// do not try to look a token up in LDAP if there is no principal or password
if (isNullOrEmpty(principal) || isNullOrEmpty(password)) {
LOG.debug("Principal or password were empty. Not trying to look up a token in LDAP.");
return null;
}
try (final LdapNetworkConnection connection = ldapConnector.connect(config)) {
if (null == connection) {
LOG.error("Couldn't connect to LDAP directory");
return null;
}
final LdapEntry userEntry = ldapConnector.search(connection, ldapSettings.getSearchBase(), ldapSettings.getSearchPattern(), ldapSettings.getDisplayNameAttribute(), principal, ldapSettings.isActiveDirectory(), ldapSettings.getGroupSearchBase(), ldapSettings.getGroupIdAttribute(), ldapSettings.getGroupSearchPattern());
if (userEntry == null) {
LOG.debug("User {} not found in LDAP", principal);
return null;
}
// needs to use the DN of the entry, not the parameter for the lookup filter we used to find the entry!
final boolean authenticated = ldapConnector.authenticate(connection, userEntry.getDn(), password);
if (!authenticated) {
LOG.info("Invalid credentials for user {} (DN {})", principal, userEntry.getDn());
return null;
}
// user found and authenticated, sync the user entry with mongodb
final User user = syncFromLdapEntry(userEntry, ldapSettings, principal);
if (user == null) {
// in case there was an error reading, creating or modifying the user in mongodb, we do not authenticate the user.
LOG.error("Unable to sync LDAP user {} (DN {})", userEntry.getBindPrincipal(), userEntry.getDn());
return null;
}
return new SimpleAccount(principal, null, "ldap realm");
} catch (LdapException e) {
LOG.error("LDAP error", e);
} catch (CursorException e) {
LOG.error("Unable to read LDAP entry", e);
} catch (Exception e) {
LOG.error("Error during LDAP user account sync. Cannot log in user {}", principal, e);
}
// Return null by default to ensure a login failure if anything goes wrong.
return null;
}
Also used :
SimpleAccount(org.apache.shiro.authc.SimpleAccount)
User(org.graylog2.plugin.database.users.User)
LdapConnectionConfig(org.apache.directory.ldap.client.api.LdapConnectionConfig)
LdapEntry(org.graylog2.shared.security.ldap.LdapEntry)
LdapNetworkConnection(org.apache.directory.ldap.client.api.LdapNetworkConnection)
TrustAllX509TrustManager(org.graylog2.security.TrustAllX509TrustManager)
CursorException(org.apache.directory.api.ldap.model.cursor.CursorException)
NotFoundException(org.graylog2.database.NotFoundException)
AuthenticationException(org.apache.shiro.authc.AuthenticationException)
ValidationException(org.graylog2.plugin.database.ValidationException)
LdapException(org.apache.directory.api.ldap.model.exception.LdapException)
UsernamePasswordToken(org.apache.shiro.authc.UsernamePasswordToken)
CursorException(org.apache.directory.api.ldap.model.cursor.CursorException)
LdapException(org.apache.directory.api.ldap.model.exception.LdapException)
LdapSettings(org.graylog2.shared.security.ldap.LdapSettings)
Example 7 with LdapSettings
use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.
the class LdapUserAuthenticator method syncFromLdapEntry.
@Nullable
@VisibleForTesting
User syncFromLdapEntry(LdapEntry userEntry, LdapSettings ldapSettings, String username) {
User user = userService.load(username);
// create new user object if necessary
if (user == null) {
user = userService.create();
}
// update user attributes from ldap entry
updateFromLdap(user, userEntry, ldapSettings, username);
try {
userService.save(user);
} catch (ValidationException e) {
LOG.error("Cannot save user.", e);
return null;
}
return user;
}
Also used :
User(org.graylog2.plugin.database.users.User)
ValidationException(org.graylog2.plugin.database.ValidationException)
VisibleForTesting(com.google.common.annotations.VisibleForTesting)
Nullable(javax.annotation.Nullable)
Example 8 with LdapSettings
use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.
the class LdapResource method readGroups.
@GET
@ApiOperation(value = "Get the available LDAP groups", notes = "")
@RequiresPermissions(RestPermissions.LDAPGROUPS_READ)
@Path("/groups")
@Produces(MediaType.APPLICATION_JSON)
public Set<String> readGroups() {
final LdapSettings ldapSettings = firstNonNull(ldapSettingsService.load(), ldapSettingsFactory.createEmpty());
if (!ldapSettings.isEnabled()) {
throw new BadRequestException("LDAP is disabled.");
}
if (isNullOrEmpty(ldapSettings.getGroupSearchBase()) || isNullOrEmpty(ldapSettings.getGroupIdAttribute())) {
throw new BadRequestException("LDAP group configuration settings are not set.");
}
final LdapConnectionConfig config = new LdapConnectionConfig();
final URI ldapUri = ldapSettings.getUri();
config.setLdapHost(ldapUri.getHost());
config.setLdapPort(ldapUri.getPort());
config.setUseSsl(ldapUri.getScheme().startsWith("ldaps"));
config.setUseTls(ldapSettings.isUseStartTls());
if (ldapSettings.isTrustAllCertificates()) {
config.setTrustManagers(new TrustAllX509TrustManager());
}
if (!isNullOrEmpty(ldapSettings.getSystemUserName()) && !isNullOrEmpty(ldapSettings.getSystemPassword())) {
config.setName(ldapSettings.getSystemUserName());
config.setCredentials(ldapSettings.getSystemPassword());
}
try (LdapNetworkConnection connection = ldapConnector.connect(config)) {
return ldapConnector.listGroups(connection, ldapSettings.getGroupSearchBase(), ldapSettings.getGroupSearchPattern(), ldapSettings.getGroupIdAttribute());
} catch (IOException | LdapException e) {
LOG.error("Unable to retrieve available LDAP groups", e);
throw new InternalServerErrorException("Unable to retrieve available LDAP groups", e);
}
}
Also used :
LdapConnectionConfig(org.apache.directory.ldap.client.api.LdapConnectionConfig)
BadRequestException(javax.ws.rs.BadRequestException)
InternalServerErrorException(javax.ws.rs.InternalServerErrorException)
LdapNetworkConnection(org.apache.directory.ldap.client.api.LdapNetworkConnection)
IOException(java.io.IOException)
TrustAllX509TrustManager(org.graylog2.security.TrustAllX509TrustManager)
URI(java.net.URI)
LdapException(org.apache.directory.api.ldap.model.exception.LdapException)
LdapSettings(org.graylog2.shared.security.ldap.LdapSettings)
Path(javax.ws.rs.Path)
RequiresPermissions(org.apache.shiro.authz.annotation.RequiresPermissions)
Produces(javax.ws.rs.Produces)
GET(javax.ws.rs.GET)
ApiOperation(io.swagger.annotations.ApiOperation)
Example 9 with LdapSettings
use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.
the class LdapResource method updateLdapSettings.
@PUT
@Timed
@RequiresPermissions(RestPermissions.LDAP_EDIT)
@ApiOperation("Update the LDAP configuration")
@Path("/settings")
@Consumes(MediaType.APPLICATION_JSON)
@AuditEvent(type = AuditEventTypes.LDAP_CONFIGURATION_UPDATE)
public void updateLdapSettings(@ApiParam(name = "JSON body", required = true) @Valid @NotNull LdapSettingsRequest request) throws ValidationException {
// load the existing config, or create a new one. we only support having one, currently
final LdapSettings ldapSettings = firstNonNull(ldapSettingsService.load(), ldapSettingsFactory.createEmpty());
ldapSettings.setSystemUsername(request.systemUsername());
ldapSettings.setSystemPassword(request.systemPassword());
ldapSettings.setUri(request.ldapUri());
ldapSettings.setUseStartTls(request.useStartTls());
ldapSettings.setTrustAllCertificates(request.trustAllCertificates());
ldapSettings.setActiveDirectory(request.activeDirectory());
ldapSettings.setSearchPattern(request.searchPattern());
ldapSettings.setSearchBase(request.searchBase());
ldapSettings.setEnabled(request.enabled());
ldapSettings.setDisplayNameAttribute(request.displayNameAttribute());
ldapSettings.setDefaultGroup(request.defaultGroup());
ldapSettings.setGroupMapping(request.groupMapping());
ldapSettings.setGroupSearchBase(request.groupSearchBase());
ldapSettings.setGroupIdAttribute(request.groupIdAttribute());
ldapSettings.setGroupSearchPattern(request.groupSearchPattern());
ldapSettings.setAdditionalDefaultGroups(request.additionalDefaultGroups());
ldapSettingsService.save(ldapSettings);
}
Also used :
LdapSettings(org.graylog2.shared.security.ldap.LdapSettings)
Path(javax.ws.rs.Path)
RequiresPermissions(org.apache.shiro.authz.annotation.RequiresPermissions)
Consumes(javax.ws.rs.Consumes)
Timed(com.codahale.metrics.annotation.Timed)
ApiOperation(io.swagger.annotations.ApiOperation)
NoAuditEvent(org.graylog2.audit.jersey.NoAuditEvent)
AuditEvent(org.graylog2.audit.jersey.AuditEvent)
PUT(javax.ws.rs.PUT)
Example 10 with LdapSettings
use of org.graylog2.shared.security.ldap.LdapSettings in project graylog2-server by Graylog2.
the class LdapSettingsServiceImplTest method loadReturnsLdapSettings.
@Test
@UsingDataSet(loadStrategy = LoadStrategyEnum.CLEAN_INSERT)
public void loadReturnsLdapSettings() throws Exception {
final LdapSettings ldapSettings = ldapSettingsService.load();
assertThat(ldapSettings).isNotNull();
assertThat(ldapSettings.getId()).isEqualTo("54e3deadbeefdeadbeefaffe");
assertThat(ldapSettings.getUri()).isEqualTo(URI.create("ldap://localhost:389"));
assertThat(ldapSettings.getSystemPassword()).isEqualTo("password");
}
Also used :
LdapSettings(org.graylog2.shared.security.ldap.LdapSettings)
UsingDataSet(com.lordofthejars.nosqlunit.annotation.UsingDataSet)
Test(org.junit.Test)
Aggregations
LdapSettings (org.graylog2.shared.security.ldap.LdapSettings)10
Test (org.junit.Test)5
UsingDataSet (com.lordofthejars.nosqlunit.annotation.UsingDataSet)4
User (org.graylog2.plugin.database.users.User)4
ApiOperation (io.swagger.annotations.ApiOperation)3
Path (javax.ws.rs.Path)3
LdapConnectionConfig (org.apache.directory.ldap.client.api.LdapConnectionConfig)3
RequiresPermissions (org.apache.shiro.authz.annotation.RequiresPermissions)3
NotFoundException (org.graylog2.database.NotFoundException)3
ValidationException (org.graylog2.plugin.database.ValidationException)3
LdapEntry (org.graylog2.shared.security.ldap.LdapEntry)3
UserImpl (org.graylog2.users.UserImpl)3
Consumes (javax.ws.rs.Consumes)2
PUT (javax.ws.rs.PUT)2
LdapException (org.apache.directory.api.ldap.model.exception.LdapException)2
LdapNetworkConnection (org.apache.directory.ldap.client.api.LdapNetworkConnection)2
UsernamePasswordToken (org.apache.shiro.authc.UsernamePasswordToken)2
AuditEvent (org.graylog2.audit.jersey.AuditEvent)2
NoAuditEvent (org.graylog2.audit.jersey.NoAuditEvent)2
TrustAllX509TrustManager (org.graylog2.security.TrustAllX509TrustManager)2
