use of password.pwm.error.ErrorInformation in project pwm by pwm-project.
The class LDAPAuthenticationRequest, method testCredentials.
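/**
 * Verifies the supplied credentials by opening an LDAP connection as the user and
 * forcing a BIND through a read of the entry's objectClass attribute.
 *
 * <p>A missing DN or a {@code null} password is rejected up front; both cases are
 * reported as {@code ERROR_WRONGPASSWORD} rather than as distinct errors, so the
 * caller (and ultimately the end user) sees the same failure as for a bad password.
 * A directory-side intruder lockout is escalated to an unrecoverable
 * {@code ERROR_INTRUDER_LDAP}; every other LDAP failure is mapped through
 * {@link PwmError#forChaiError} and falls back to {@code ERROR_WRONGPASSWORD}.</p>
 *
 * <p>On success the bound connection is left in {@code userProvider} for later use.
 * On any failure the connection is closed and the field cleared, even when
 * {@code close()} itself fails, so a half-initialized provider is never reused.</p>
 *
 * @param userIdentity the user whose DN is used for the bind
 * @param password the password to test
 * @throws PwmOperationalException on a missing DN/password or a rejected bind
 * @throws PwmUnrecoverableException when the directory reports an intruder lockout
 * @throws ChaiUnavailableException propagated from the Chai layer
 */
private void testCredentials(final UserIdentity userIdentity, final PasswordData password)
        throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    log(PwmLogLevel.TRACE, "beginning testCredentials process");

    if (userIdentity == null || userIdentity.getUserDN() == null || userIdentity.getUserDN().isEmpty()) {
        final String errorMsg = "attempt to authenticate with null userDN";
        log(PwmLogLevel.DEBUG, errorMsg);
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
    }
    if (password == null) {
        final String errorMsg = "attempt to authenticate with null password";
        log(PwmLogLevel.DEBUG, errorMsg);
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
    }

    // try authenticating the user using a normal ldap BIND operation.
    log(PwmLogLevel.TRACE, "attempting authentication using ldap BIND");
    boolean bindSucceeded = false;
    try {
        // open a provider with the user's own DN and password; the bind happens lazily.
        userProvider = LdapOperationsHelper.createChaiProvider(
                pwmApplication,
                sessionLabel,
                userIdentity.getLdapProfile(pwmApplication.getConfig()),
                pwmApplication.getConfig(),
                userIdentity.getUserDN(),
                password);
        // a read of the entry is the cheapest operation that forces the BIND to occur.
        userProvider.readStringAttribute(userIdentity.getUserDN(), ChaiConstant.ATTR_LDAP_OBJECTCLASS);
        bindSucceeded = true;
    } catch (ChaiException e) {
        if (e.getErrorCode() == ChaiError.INTRUDER_LOCKOUT) {
            final String errorMsg = "intruder lockout detected for user " + userIdentity
                    + " marking session as locked out: " + e.getMessage();
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_INTRUDER_LDAP, errorMsg);
            log(PwmLogLevel.WARN, errorInformation.toDebugStr());
            throw new PwmUnrecoverableException(errorInformation);
        }

        // translate the directory error where a specific mapping exists, otherwise
        // collapse it to a generic wrong-password error.
        final PwmError pwmError = PwmError.forChaiError(e.getErrorCode());
        final ErrorInformation errorInformation = (pwmError != null && PwmError.ERROR_UNKNOWN != pwmError)
                ? new ErrorInformation(pwmError, e.getMessage())
                : new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, "ldap error during password check: " + e.getMessage());
        log(PwmLogLevel.DEBUG, errorInformation.toDebugStr());
        throw new PwmOperationalException(errorInformation);
    } finally {
        if (!bindSucceeded && userProvider != null) {
            try {
                userProvider.close();
            } catch (Throwable e) {
                // best-effort cleanup: a failure to close must not mask the authentication error.
                log(PwmLogLevel.ERROR, "unexpected error closing invalid ldap connection after failed login attempt: " + e.getMessage());
            } finally {
                // clear the reference regardless of whether close() succeeded so the
                // failed connection can never be picked up by a later step.
                userProvider = null;
            }
        }
    }
}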
use of password.pwm.error.ErrorInformation in project pwm by pwm-project.
The class LDAPAuthenticationRequest, method setTempUserPassword.
/**
 * Obtains a password the application can bind with by writing a freshly generated
 * random value to the user's account through the proxy connection.
 *
 * <p>The write only happens when the request came from a public module and the
 * {@code AD_USE_PROXY_FOR_FORGOTTEN} setting is off. In every other case nothing is
 * written and {@code null} is returned so the caller can pick another strategy.</p>
 *
 * <p>A successful call replaces the user's stored credential. The random value is
 * generated against the user's effective password policy, and the Oracle DS
 * pre/post handlers run around the write to honour that directory's
 * passwordAllowChangeTime attribute.</p>
 *
 * @return the password that was written, or {@code null} when this strategy does not apply
 * @throws PwmUnrecoverableException when the directory rejects the password write
 *         (reported as {@code ERROR_BAD_SESSION_PASSWORD}), or from the Oracle DS pre-handler
 * @throws ImpossiblePasswordPolicyException when no password satisfying the policy can be generated
 * @throws ChaiUnavailableException propagated from the Chai layer
 */
private PasswordData setTempUserPassword() throws ChaiUnavailableException, ImpossiblePasswordPolicyException, PwmUnrecoverableException {
    final boolean proxyForced = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_USE_PROXY_FOR_FORGOTTEN);
    final ChaiProvider proxyProvider = pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID());
    final ChaiUser targetUser = proxyProvider.getEntryFactory().newChaiUser(userIdentity.getUserDN());

    // this strategy is reserved for public-module requests that are not forced through the proxy.
    if (proxyForced || requestedAuthType != AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
        return null;
    }

    log(PwmLogLevel.DEBUG, "attempting to set temporary random password");
    final PwmPasswordPolicy policy = PasswordUtility.readPasswordPolicyForUser(
            pwmApplication, sessionLabel, userIdentity, targetUser, PwmConstants.DEFAULT_LOCALE);

    // generate a value that satisfies the user's own policy so the write is accepted.
    final RandomPasswordGenerator.RandomGeneratorConfig generatorConfig = RandomPasswordGenerator.RandomGeneratorConfig.builder()
            .seedlistPhrases(RandomPasswordGenerator.DEFAULT_SEED_PHRASES)
            .passwordPolicy(policy)
            .build();
    final PasswordData temporaryPassword = RandomPasswordGenerator.createRandomPassword(sessionLabel, generatorConfig, pwmApplication);

    try {
        final String allowChangeTimeBefore = oraclePreTemporaryPwHandler(proxyProvider, targetUser);
        // this is the write that changes the user's stored credential.
        targetUser.setPassword(temporaryPassword.getStringValue());
        oraclePostTemporaryPwHandler(proxyProvider, targetUser, allowChangeTimeBefore);
        log(PwmLogLevel.INFO, "user " + userIdentity + " password has been set to random value to use for user authentication");
    } catch (ChaiOperationException e) {
        final String errorStr = "error setting random password for user " + userIdentity + " " + e.getMessage();
        log(PwmLogLevel.ERROR, errorStr);
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD, errorStr));
    }
    return temporaryPassword;
}
use of password.pwm.error.ErrorInformation in project pwm by pwm-project.
The class LDAPAuthenticationRequest, method oraclePreTemporaryPwHandler.
/**
 * Oracle DS special case run before a temporary password is written: captures the
 * entry's current passwordAllowChangeTime so it can be restored afterwards, and
 * enforces it when the forgotten-password flow is not allowed to bypass the
 * minimum password lifetime.
 *
 * <p>Returns {@code null} without touching the directory when the
 * {@code ORACLE_DS_ENABLE_MANIP_ALLOWCHANGETIME} setting is off or the user's
 * provider is not Oracle DS.</p>
 *
 * @param chaiProvider the provider used to read the attribute
 * @param chaiUser the user whose attribute is read and whose vendor is checked
 * @return the raw passwordAllowChangeTime value as read (possibly {@code null} or empty),
 *         or {@code null} when the handler does not apply
 * @throws PwmUnrecoverableException with {@code PASSWORD_TOO_SOON} when the attribute is
 *         in the future and the minimum lifetime must be enforced
 * @throws ChaiUnavailableException propagated from the Chai layer
 * @throws ChaiOperationException propagated from the attribute read
 */
private String oraclePreTemporaryPwHandler(final ChaiProvider chaiProvider, final ChaiUser chaiUser) throws PwmUnrecoverableException, ChaiUnavailableException, ChaiOperationException {
    final boolean manipulationEnabled = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.ORACLE_DS_ENABLE_MANIP_ALLOWCHANGETIME);
    // the vendor lookup only runs when the feature is switched on.
    if (!manipulationEnabled || chaiUser.getChaiProvider().getDirectoryVendor() != DirectoryVendor.ORACLE_DS) {
        return null;
    }

    final String allowChangeTime = chaiProvider.readStringAttribute(chaiUser.getEntryDN(), ORACLE_ATTR_PW_ALLOW_CHG_TIME);
    log(PwmLogLevel.TRACE, "read OracleDS value of passwordAllowChangeTime value=" + allowChangeTime);
    if (allowChangeTime == null || allowChangeTime.isEmpty()) {
        return allowChangeTime;
    }

    final Instant notBefore = OracleDSEntries.convertZuluToDate(allowChangeTime);
    // the configured exemption may permit a change inside the minimum lifetime; otherwise enforce it.
    final boolean mustEnforce = !ForgottenPasswordUtil.permitPwChangeDuringMinLifetime(pwmApplication, sessionLabel, userIdentity);
    if (mustEnforce && Instant.now().isBefore(notBefore)) {
        final String errorMsg = "change not permitted until " + JavaHelper.toIsoDate(notBefore);
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.PASSWORD_TOO_SOON, errorMsg));
    }
    return allowChangeTime;
}
use of password.pwm.error.ErrorInformation in project pwm by pwm-project.
The class LDAPAuthenticationRequest, method authUsingUnknownPw.
/**
 * Authenticates the user without a caller-supplied password, selecting a strategy
 * in this order: admin proxy (when {@code AD_USE_PROXY_FOR_FORGOTTEN} is on), a
 * password read from the directory, or a temporary random password written to the
 * account. The chosen strategy is recorded in {@code strategy}.
 *
 * <p>When neither a readable nor a writable password is available the method fails
 * with {@code ERROR_UNKNOWN}. A bind failure after a successful read or write is
 * escalated to an unrecoverable {@code ERROR_BAD_SESSION_PASSWORD}, since it points
 * at a proxy-rights or directory problem rather than a user error.</p>
 *
 * @return the authentication result from {@code authenticateUserImpl}
 * @throws PwmUnrecoverableException when no strategy applies or the selected one fails
 * @throws ChaiUnavailableException propagated from the Chai layer
 */
@Override
public AuthenticationResult authUsingUnknownPw() throws ChaiUnavailableException, PwmUnrecoverableException {
    initialize();
    log(PwmLogLevel.TRACE, "beginning authentication using unknown password procedure");

    PasswordData resolvedPassword = null;
    final boolean proxyForced = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_USE_PROXY_FOR_FORGOTTEN);
    if (proxyForced) {
        strategy = AuthenticationStrategy.ADMIN_PROXY;
    } else {
        resolvedPassword = learnUserPassword();
        if (resolvedPassword != null) {
            strategy = AuthenticationStrategy.READ_THEN_BIND;
        } else {
            resolvedPassword = setTempUserPassword();
            if (resolvedPassword == null) {
                throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "no available unknown-pw authentication method"));
            }
            strategy = AuthenticationStrategy.WRITE_THEN_BIND;
        }
    }

    try {
        return authenticateUserImpl(resolvedPassword);
    } catch (PwmOperationalException e) {
        // strategy is always assigned above before reaching this point.
        switch (strategy) {
            case READ_THEN_BIND:
                throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD,
                        "unable to authenticate with password read from directory, check proxy rights, ldap logs; error: " + e.getMessage()));
            case WRITE_THEN_BIND:
                throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD,
                        "unable to authenticate with temporary password, check proxy rights, ldap logs; error: " + e.getMessage()));
            default:
                throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN,
                        "unable to authenticate via authWithUnknownPw method: " + e.getMessage()));
        }
    }
}
use of password.pwm.error.ErrorInformation in project pwm by pwm-project.
The class SessionAuthenticator, method searchAndAuthenticateUser.
/**
 * Resolves a username to a directory identity and authenticates it with the given
 * password, running the post-authentication sequence on success and the failure
 * sequence on a {@code PwmOperationalException}.
 *
 * <p>Before anything else the intruder manager is consulted for the username.
 * On failure, errors listed in {@code SECURITY_LOGIN_HIDDEN_ERROR_TYPES} are
 * replaced with a plain {@code ERROR_WRONGPASSWORD} unless the application is
 * currently configured to show detailed error messages — presumably so the response
 * does not disclose account state to the caller (confirm against the property's
 * documentation). Errors not in that list are rethrown unchanged.</p>
 *
 * @param username the login name to resolve
 * @param password the password to test
 * @param context the search context passed to the user search engine
 * @param ldapProfile the LDAP profile passed to the user search engine
 * @throws PwmOperationalException the original or masked authentication failure
 * @throws PwmUnrecoverableException propagated from resolution or authentication
 * @throws ChaiUnavailableException propagated from the Chai layer
 */
public void searchAndAuthenticateUser(final String username, final PasswordData password, final String context, final String ldapProfile) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    pwmApplication.getIntruderManager().check(RecordType.USERNAME, username);

    UserIdentity resolvedIdentity = null;
    try {
        final UserSearchEngine searchEngine = pwmApplication.getUserSearchEngine();
        resolvedIdentity = searchEngine.resolveUsername(username, context, ldapProfile, sessionLabel);
        final AuthenticationRequest authRequest = LDAPAuthenticationRequest.createLDAPAuthenticationRequest(
                pwmApplication, sessionLabel, resolvedIdentity, AuthenticationType.AUTHENTICATED, authenticationSource);
        final AuthenticationResult result = authRequest.authenticateUser(password);
        postAuthenticationSequence(resolvedIdentity, result);
    } catch (PwmOperationalException e) {
        // resolvedIdentity may still be null here if resolution itself failed.
        postFailureSequence(e, username, resolvedIdentity);

        if (!readHiddenErrorTypes().contains(e.getError())) {
            throw e;
        }
        if (pwmApplication.determineIfDetailErrorMsgShown()) {
            LOGGER.debug(pwmSession, "allowing error " + e.getError() + " to be returned though it is configured as a hidden type; app is currently permitting detailed error messages");
            throw e;
        }

        // mask the configured hidden error behind a generic wrong-password error.
        final ErrorInformation maskedError = new ErrorInformation(PwmError.ERROR_WRONGPASSWORD);
        LOGGER.debug(pwmSession, "converting error from ldap " + e.getError() + " to " + PwmError.ERROR_WRONGPASSWORD + " due to app property " + AppProperty.SECURITY_LOGIN_HIDDEN_ERROR_TYPES.getKey());
        throw new PwmOperationalException(maskedError);
    }
}