Example 6 with LdapSettings

Use of org.graylog2.shared.security.ldap.LdapSettings in the project graylog2-server by Graylog2.

From the class LdapUserAuthenticator, method doGetAuthenticationInfo.

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authtoken) throws AuthenticationException {
    // safe, we only handle this type
    final UsernamePasswordToken token = (UsernamePasswordToken) authtoken;
    final LdapSettings ldapSettings = ldapSettingsService.load();
    if (ldapSettings == null || !ldapSettings.isEnabled()) {
        LOG.trace("LDAP is disabled, skipping");
        return null;
    }
    final LdapConnectionConfig config = new LdapConnectionConfig();
    config.setLdapHost(ldapSettings.getUri().getHost());
    config.setLdapPort(ldapSettings.getUri().getPort());
    config.setUseSsl(ldapSettings.getUri().getScheme().startsWith("ldaps"));
    config.setUseTls(ldapSettings.isUseStartTls());
    if (ldapSettings.isTrustAllCertificates()) {
        // trustAllCertificates swaps in a trust manager that accepts any server certificate,
        // so the identity of the LDAPS/StartTLS server is not verified on this connection
        config.setTrustManagers(new TrustAllX509TrustManager());
    }
    config.setName(ldapSettings.getSystemUserName());
    config.setCredentials(ldapSettings.getSystemPassword());
    final String principal = (String) token.getPrincipal();
    final char[] tokenPassword = firstNonNull(token.getPassword(), new char[0]);
    final String password = String.valueOf(tokenPassword);
    // do not try to look a token up in LDAP if there is no principal or password
    if (isNullOrEmpty(principal) || isNullOrEmpty(password)) {
        LOG.debug("Principal or password were empty. Not trying to look up a token in LDAP.");
        return null;
    }
    try (final LdapNetworkConnection connection = ldapConnector.connect(config)) {
        if (null == connection) {
            LOG.error("Couldn't connect to LDAP directory");
            return null;
        }
        final LdapEntry userEntry = ldapConnector.search(connection,
                ldapSettings.getSearchBase(),
                ldapSettings.getSearchPattern(),
                ldapSettings.getDisplayNameAttribute(),
                principal,
                ldapSettings.isActiveDirectory(),
                ldapSettings.getGroupSearchBase(),
                ldapSettings.getGroupIdAttribute(),
                ldapSettings.getGroupSearchPattern());
        if (userEntry == null) {
            LOG.debug("User {} not found in LDAP", principal);
            return null;
        }
        // needs to use the DN of the entry, not the parameter for the lookup filter we used to find the entry!
        final boolean authenticated = ldapConnector.authenticate(connection, userEntry.getDn(), password);
        if (!authenticated) {
            LOG.info("Invalid credentials for user {} (DN {})", principal, userEntry.getDn());
            return null;
        }
        // user found and authenticated, sync the user entry with mongodb
        final User user = syncFromLdapEntry(userEntry, ldapSettings, principal);
        if (user == null) {
            // in case there was an error reading, creating or modifying the user in mongodb, we do not authenticate the user.
            LOG.error("Unable to sync LDAP user {} (DN {})", userEntry.getBindPrincipal(), userEntry.getDn());
            return null;
        }
        return new SimpleAccount(principal, null, "ldap realm");
    } catch (LdapException e) {
        LOG.error("LDAP error", e);
    } catch (CursorException e) {
        LOG.error("Unable to read LDAP entry", e);
    } catch (Exception e) {
        LOG.error("Error during LDAP user account sync. Cannot log in user {}", principal, e);
    }
    // Return null by default to ensure a login failure if anything goes wrong.
    return null;
}

Example 7 with LdapSettings

Use of org.graylog2.shared.security.ldap.LdapSettings in the project graylog2-server by Graylog2.

From the class LdapUserAuthenticator, method syncFromLdapEntry.

@Nullable
@VisibleForTesting
User syncFromLdapEntry(LdapEntry userEntry, LdapSettings ldapSettings, String username) {
    User user = userService.load(username);
    // create new user object if necessary
    if (user == null) {
        user = userService.create();
    }
    // update user attributes from ldap entry
    updateFromLdap(user, userEntry, ldapSettings, username);
    try {
        userService.save(user);
    } catch (ValidationException e) {
        LOG.error("Cannot save user.", e);
        return null;
    }
    return user;
}

Example 8 with LdapSettings

Use of org.graylog2.shared.security.ldap.LdapSettings in the project graylog2-server by Graylog2.

From the class LdapResource, method readGroups.

@GET
@ApiOperation(value = "Get the available LDAP groups", notes = "")
@RequiresPermissions(RestPermissions.LDAPGROUPS_READ)
@Path("/groups")
@Produces(MediaType.APPLICATION_JSON)
public Set<String> readGroups() {
    final LdapSettings ldapSettings = firstNonNull(ldapSettingsService.load(), ldapSettingsFactory.createEmpty());
    if (!ldapSettings.isEnabled()) {
        throw new BadRequestException("LDAP is disabled.");
    }
    if (isNullOrEmpty(ldapSettings.getGroupSearchBase()) || isNullOrEmpty(ldapSettings.getGroupIdAttribute())) {
        throw new BadRequestException("LDAP group configuration settings are not set.");
    }
    final LdapConnectionConfig config = new LdapConnectionConfig();
    final URI ldapUri = ldapSettings.getUri();
    config.setLdapHost(ldapUri.getHost());
    config.setLdapPort(ldapUri.getPort());
    config.setUseSsl(ldapUri.getScheme().startsWith("ldaps"));
    config.setUseTls(ldapSettings.isUseStartTls());
    if (ldapSettings.isTrustAllCertificates()) {
        // trustAllCertificates swaps in a trust manager that accepts any server certificate,
        // so the identity of the LDAPS/StartTLS server is not verified on this connection
        config.setTrustManagers(new TrustAllX509TrustManager());
    }
    if (!isNullOrEmpty(ldapSettings.getSystemUserName()) && !isNullOrEmpty(ldapSettings.getSystemPassword())) {
        config.setName(ldapSettings.getSystemUserName());
        config.setCredentials(ldapSettings.getSystemPassword());
    }
    try (LdapNetworkConnection connection = ldapConnector.connect(config)) {
        return ldapConnector.listGroups(connection,
                ldapSettings.getGroupSearchBase(),
                ldapSettings.getGroupSearchPattern(),
                ldapSettings.getGroupIdAttribute());
    } catch (IOException | LdapException e) {
        LOG.error("Unable to retrieve available LDAP groups", e);
        throw new InternalServerErrorException("Unable to retrieve available LDAP groups", e);
    }
}

Example 9 with LdapSettings

Use of org.graylog2.shared.security.ldap.LdapSettings in the project graylog2-server by Graylog2.

From the class LdapResource, method updateLdapSettings.

@PUT
@Timed
@RequiresPermissions(RestPermissions.LDAP_EDIT)
@ApiOperation("Update the LDAP configuration")
@Path("/settings")
@Consumes(MediaType.APPLICATION_JSON)
@AuditEvent(type = AuditEventTypes.LDAP_CONFIGURATION_UPDATE)
public void updateLdapSettings(@ApiParam(name = "JSON body", required = true) @Valid @NotNull LdapSettingsRequest request) throws ValidationException {
    // load the existing config, or create a new one. we only support having one, currently
    final LdapSettings ldapSettings = firstNonNull(ldapSettingsService.load(), ldapSettingsFactory.createEmpty());
    ldapSettings.setSystemUsername(request.systemUsername());
    ldapSettings.setSystemPassword(request.systemPassword());
    ldapSettings.setUri(request.ldapUri());
    ldapSettings.setUseStartTls(request.useStartTls());
    ldapSettings.setTrustAllCertificates(request.trustAllCertificates());
    ldapSettings.setActiveDirectory(request.activeDirectory());
    ldapSettings.setSearchPattern(request.searchPattern());
    ldapSettings.setSearchBase(request.searchBase());
    ldapSettings.setEnabled(request.enabled());
    ldapSettings.setDisplayNameAttribute(request.displayNameAttribute());
    ldapSettings.setDefaultGroup(request.defaultGroup());
    ldapSettings.setGroupMapping(request.groupMapping());
    ldapSettings.setGroupSearchBase(request.groupSearchBase());
    ldapSettings.setGroupIdAttribute(request.groupIdAttribute());
    ldapSettings.setGroupSearchPattern(request.groupSearchPattern());
    ldapSettings.setAdditionalDefaultGroups(request.additionalDefaultGroups());
    ldapSettingsService.save(ldapSettings);
}

Example 10 with LdapSettings

Use of org.graylog2.shared.security.ldap.LdapSettings in the project graylog2-server by Graylog2.

From the test class LdapSettingsServiceImplTest, method loadReturnsLdapSettings.

@Test
@UsingDataSet(loadStrategy = LoadStrategyEnum.CLEAN_INSERT)
public void loadReturnsLdapSettings() throws Exception {
    final LdapSettings ldapSettings = ldapSettingsService.load();
    assertThat(ldapSettings).isNotNull();
    assertThat(ldapSettings.getId()).isEqualTo("54e3deadbeefdeadbeefaffe");
    assertThat(ldapSettings.getUri()).isEqualTo(URI.create("ldap://localhost:389"));
    assertThat(ldapSettings.getSystemPassword()).isEqualTo("password");
}