Revision 1005
Added by Matt Jones over 22 years ago
src/edu/ucsb/nceas/metacat/AuthLdap.java | ||
---|---|---|
109 | 109 |
authenticated = ldapAuthenticate(identifier, password); |
110 | 110 |
// if not found, try looking up a valid DN then auth again |
111 | 111 |
if (!authenticated) { |
112 |
MetaCatUtil.debugMessage("Looking up DN for: " + identifier); |
|
112 | 113 |
identifier = getIdentifyingName(identifier,ldapUrl,ldapBase); |
113 | 114 |
System.out.println("identifier: "+identifier); |
114 |
authenticated = ldapAuthenticate(identifier+","+ldapBase, password); |
|
115 |
String refUrl = ""; |
|
116 |
String refBase = ""; |
|
117 |
if (identifier.startsWith("ldap")) { |
|
118 |
refUrl = identifier.substring(0, |
|
119 |
identifier.lastIndexOf("/")+1); |
|
120 |
MetaCatUtil.debugMessage("Ref ldapUrl: " + refUrl); |
|
121 |
int position = identifier.indexOf(","); |
|
122 |
int position2 = identifier.indexOf(",", position+1); |
|
123 |
refBase = identifier.substring(position2+1); |
|
124 |
MetaCatUtil.debugMessage("Ref ldapBase: " + refBase); |
|
125 |
identifier = identifier.substring( |
|
126 |
identifier.lastIndexOf("/")+1); |
|
127 |
MetaCatUtil.debugMessage("Trying: " + identifier); |
|
128 |
authenticated = ldapAuthenticate(identifier, password, |
|
129 |
refUrl, refBase); |
|
130 |
} else { |
|
131 |
identifier = identifier+","+ldapBase; |
|
132 |
MetaCatUtil.debugMessage("Trying: " + identifier); |
|
133 |
authenticated = ldapAuthenticate(identifier, password); |
|
134 |
} |
|
135 |
//authenticated = ldapAuthenticate(identifier, password); |
|
115 | 136 |
} |
116 | 137 |
|
117 | 138 |
} catch (NullPointerException e) { |
... | ... | |
141 | 162 |
private boolean ldapAuthenticate(String identifier, String password) |
142 | 163 |
throws ConnectException, NamingException, NullPointerException |
143 | 164 |
{ |
165 |
return ldapAuthenticate(identifier, password, |
|
166 |
this.ldapsUrl, this.ldapBase); |
|
167 |
} |
|
168 |
|
|
169 |
/** |
|
170 |
* Connect to the LDAP directory and do the authentication using the |
|
171 |
* username and password as passed into the routine. |
|
172 |
* |
|
173 |
* @param identifier the distinguished name to check against LDAP |
|
174 |
* @param password the password for authentication |
|
175 |
*/ |
|
176 |
private boolean ldapAuthenticate(String identifier, String password, |
|
177 |
String directoryUrl, String searchBase) |
|
178 |
throws ConnectException, NamingException, NullPointerException |
|
179 |
{ |
|
144 | 180 |
double totStartTime = System.currentTimeMillis(); |
145 | 181 |
boolean authenticated = false; |
146 | 182 |
if (identifier != null && !password.equals("")) |
... | ... | |
154 | 190 |
env.put(Context.INITIAL_CONTEXT_FACTORY, |
155 | 191 |
"com.sun.jndi.ldap.LdapCtxFactory"); |
156 | 192 |
env.put(Context.REFERRAL, "throw"); |
157 |
env.put(Context.PROVIDER_URL, ldapsUrl + ldapBase);
|
|
193 |
env.put(Context.PROVIDER_URL, directoryUrl + searchBase);
|
|
158 | 194 |
if ( !ldapsUrl.equals(ldapUrl) ) |
159 | 195 |
{ |
160 | 196 |
// ldap is set on default port 389 |
161 | 197 |
// ldaps is set on second port - 636 by default |
162 |
env.put(Context.SECURITY_PROTOCOL, "ssl"); |
|
198 |
//env.put(Context.SECURITY_PROTOCOL, "ssl");
|
|
163 | 199 |
} |
164 | 200 |
env.put(Context.SECURITY_AUTHENTICATION, "simple"); |
165 | 201 |
env.put(Context.SECURITY_PRINCIPAL, identifier); |
... | ... | |
266 | 302 |
// Search for the user id or name using the uid, then cn and sn |
267 | 303 |
//attributes |
268 | 304 |
// If we find a record, determine the dn for the record |
305 |
// The following blocks need to be refactored into a subroutine |
|
306 |
// they have a ridiculous amount of redundancy |
|
269 | 307 |
|
270 |
String filter = "(" + user + ")"; |
|
308 |
// Parse out the uid and org components and look up the real DN |
|
309 |
// This assumes a dn like "uid=x,o=y,dc=someinst,dc=org" |
|
310 |
int position = user.indexOf(","); |
|
311 |
String comp1 = user.substring(0, position); |
|
312 |
MetaCatUtil.debugMessage("First comp is: " + comp1); |
|
313 |
String comp2 = user.substring(position+1, |
|
314 |
user.indexOf(",", position+1)); |
|
315 |
MetaCatUtil.debugMessage("Second comp is: " + comp2); |
|
316 |
|
|
317 |
String filter = "(&(" + comp1 + ")(" + comp2 + "))"; |
|
318 |
MetaCatUtil.debugMessage("Filter is: " + filter); |
|
319 |
MetaCatUtil.debugMessage("Provider URL is: " + ldapUrl + ldapBase); |
|
271 | 320 |
NamingEnumeration answer; |
272 | 321 |
try { |
273 | 322 |
answer = ctx.search("", filter, ctls); |
274 | 323 |
if (answer.hasMore()) { |
275 | 324 |
SearchResult sr = (SearchResult)answer.next(); |
276 | 325 |
identifier = sr.getName(); |
326 |
util.debugMessage("Originally Found: " + identifier); |
|
327 |
return identifier; |
|
328 |
} |
|
329 |
} catch (InvalidSearchFilterException e) {} |
|
330 |
|
|
331 |
// That failed, so check if it is just a username |
|
332 |
filter = "(" + user + ")"; |
|
333 |
try { |
|
334 |
answer = ctx.search("", filter, ctls); |
|
335 |
if (answer.hasMore()) { |
|
336 |
SearchResult sr = (SearchResult)answer.next(); |
|
337 |
identifier = sr.getName(); |
|
277 | 338 |
if ( !sr.isRelative() ) { |
278 | 339 |
this.ldapUrl = identifier.substring(0, |
279 | 340 |
identifier.lastIndexOf("/")+1); |
... | ... | |
285 | 346 |
return identifier; |
286 | 347 |
} |
287 | 348 |
} catch (InvalidSearchFilterException e) {} |
349 |
|
|
350 |
// Maybe its a user id (uid) |
|
288 | 351 |
filter = "(uid=" + user + ")"; |
289 | 352 |
answer = ctx.search("", filter, ctls); |
290 | 353 |
if (answer.hasMore()) { |
... | ... | |
298 | 361 |
} |
299 | 362 |
util.debugMessage("Found: " + identifier); |
300 | 363 |
} else { |
364 |
|
|
365 |
// maybe its just a common name |
|
301 | 366 |
filter = "(cn=" + user + ")"; |
302 | 367 |
NamingEnumeration answer2 = ctx.search("", filter, ctls); |
303 | 368 |
if (answer2.hasMore()) { |
... | ... | |
312 | 377 |
} |
313 | 378 |
util.debugMessage("Found: " + identifier); |
314 | 379 |
} else { |
380 |
|
|
381 |
// ok, last resort, is it a surname? |
|
315 | 382 |
filter = "(sn=" + user + ")"; |
316 | 383 |
NamingEnumeration answer3 = ctx.search("", filter, ctls); |
317 | 384 |
if (answer3.hasMore()) { |
... | ... | |
838 | 905 |
String user = args[0]; |
839 | 906 |
String password = args[1]; |
840 | 907 |
|
908 |
MetaCatUtil.debugMessage("Creating session..."); |
|
841 | 909 |
AuthLdap authservice = new AuthLdap(); |
842 |
|
|
910 |
MetaCatUtil.debugMessage("Session exists..."); |
|
843 | 911 |
|
844 | 912 |
boolean isValid = false; |
845 | 913 |
try { |
914 |
MetaCatUtil.debugMessage("Authenticating..."); |
|
846 | 915 |
isValid = authservice.authenticate(user, password); |
847 | 916 |
if (isValid) { |
848 | 917 |
MetaCatUtil.debugMessage("Authentication successful for: " + user ); |
... | ... | |
950 | 1019 |
referralInfo=(String)refExc.getReferralInfo(); |
951 | 1020 |
env.put(Context.PROVIDER_URL,refExc.getReferralInfo()); |
952 | 1021 |
System.out.println("referral info: "+referralInfo); |
953 |
if (referralInfo.indexOf("piscoweb")!=-1) |
|
954 |
{ |
|
955 |
userName=uid+",o=PISCO,dc=piscoweb,dc=org"; |
|
956 |
} |
|
1022 |
//if (referralInfo.indexOf("piscoweb")!=-1)
|
|
1023 |
//{
|
|
1024 |
//userName=uid+",o=PISCO,dc=piscoweb,dc=org";
|
|
1025 |
//}
|
|
957 | 1026 |
env.put(Context.INITIAL_CONTEXT_FACTORY, |
958 | 1027 |
"com.sun.jndi.ldap.LdapCtxFactory"); |
959 | 1028 |
System.out.println("principal: "+userName); |
Fixed the getIdentifyingName() sub so that it properly looks up someone's
DN if passed in a DN that is an alias. This is mainly important for
sites like PISCO that use a different root to their tree than the
ecoinformatics.org tree. Now we can successfully authenticate against
PISCO.
One problem. This fix broke our SSL support, because we can no longer
assume that a difference between ldapUrl and ldapsUrl tells us whether
or not to use SSL. So I commented out the SSL line temporarily until we
figure out a more robust way of doing it, probably by using startTLS.