Revision 3022
Added by sgarg over 18 years ago
| src/edu/ucsb/nceas/metacat/AuthLdap.java | ||
|---|---|---|
| 35 | 35 |
import javax.naming.NamingEnumeration; |
| 36 | 36 |
import javax.naming.NamingException; |
| 37 | 37 |
import javax.naming.SizeLimitExceededException; |
| 38 |
import javax.naming.InitialContext; |
|
| 39 | 38 |
import javax.naming.directory.InvalidSearchFilterException; |
| 40 | 39 |
import javax.naming.directory.Attribute; |
| 41 | 40 |
import javax.naming.directory.Attributes; |
| 42 |
import javax.naming.directory.BasicAttribute; |
|
| 43 |
import javax.naming.directory.BasicAttributes; |
|
| 44 | 41 |
import javax.naming.directory.DirContext; |
| 45 | 42 |
import javax.naming.directory.InitialDirContext; |
| 46 | 43 |
import javax.naming.directory.SearchResult; |
| 47 | 44 |
import javax.naming.directory.SearchControls; |
| 48 | 45 |
import javax.naming.ReferralException; |
| 49 |
import javax.naming.ldap.*; |
|
| 46 |
import javax.naming.ldap.InitialLdapContext; |
|
| 47 |
import javax.naming.ldap.LdapContext; |
|
| 48 |
import javax.naming.ldap.StartTlsRequest; |
|
| 49 |
import javax.naming.ldap.StartTlsResponse; |
|
| 50 |
import javax.net.ssl.SSLSession; |
|
| 50 | 51 |
|
| 51 | 52 |
import org.apache.log4j.Logger; |
| 52 | 53 |
|
| ... | ... | |
| 99 | 100 |
* @param password the password to use for authentication |
| 100 | 101 |
* @returns boolean true if authentication successful, false otherwise |
| 101 | 102 |
*/ |
| 103 |
|
|
| 102 | 104 |
public boolean authenticate(String user, String password) throws |
| 103 | 105 |
ConnectException {
|
| 104 | 106 |
String ldapUrl = this.ldapUrl; |
| ... | ... | |
| 106 | 108 |
String ldapBase = this.ldapBase; |
| 107 | 109 |
boolean authenticated = false; |
| 108 | 110 |
String identifier = user; |
| 111 |
|
|
| 109 | 112 |
//get uid here. |
| 110 |
//uid=user.substring(0, user.indexOf(","));
|
|
| 113 |
String uid=user.substring(0, user.indexOf(","));
|
|
| 114 |
user = user.substring(user.indexOf(","), user.length());
|
|
| 111 | 115 |
|
| 116 |
logMetacat.debug("identifier: " + identifier);
|
|
| 117 |
logMetacat.debug("uid: " + uid);
|
|
| 118 |
logMetacat.debug("user: " + user);
|
|
| 119 |
|
|
| 112 | 120 |
try {
|
| 113 |
// Check the usename as passed in |
|
| 114 |
authenticated = ldapAuthenticate(identifier, password); |
|
| 115 |
// if not found, try looking up a valid DN then auth again |
|
| 116 |
if (!authenticated) {
|
|
| 117 |
logMetacat.info("Looking up DN for: " + identifier);
|
|
| 118 |
identifier = getIdentifyingName(identifier, ldapUrl, ldapBase); |
|
| 119 |
logMetacat.info("DN found: " + identifier);
|
|
| 120 |
String decoded = URLDecoder.decode(identifier); |
|
| 121 |
logMetacat.info("DN decoded: " + decoded);
|
|
| 122 |
identifier = decoded; |
|
| 123 |
String refUrl = ""; |
|
| 124 |
String refBase = ""; |
|
| 125 |
if (identifier.startsWith("ldap")) {
|
|
| 126 |
refUrl = identifier.substring(0, |
|
| 127 |
identifier.lastIndexOf("/") + 1);
|
|
| 128 |
logMetacat.info("Ref ldapUrl: " + refUrl);
|
|
| 129 |
int position = identifier.indexOf(",");
|
|
| 130 |
int position2 = identifier.indexOf(",", position + 1);
|
|
| 131 |
refBase = identifier.substring(position2 + 1); |
|
| 132 |
logMetacat.info("Ref ldapBase: " + refBase);
|
|
| 133 |
identifier = identifier.substring( |
|
| 134 |
identifier.lastIndexOf("/") + 1);
|
|
| 135 |
logMetacat.info("Trying: " + identifier);
|
|
| 136 |
authenticated = ldapAuthenticate(identifier, password, |
|
| 137 |
refUrl, refBase); |
|
| 121 |
// Check the usename as passed in |
|
| 122 |
logMetacat.info("Calling ldapAuthenticate");
|
|
| 123 |
logMetacat.info("with user as identifier: " + identifier);
|
|
| 124 |
logMetacat.info("and password as: " + password);
|
|
| 125 |
|
|
| 126 |
authenticated = ldapAuthenticate(identifier, password, |
|
| 127 |
(new Boolean(MetaCatUtil.getOption("onlySecureLDAPConnection"))).booleanValue());
|
|
| 128 |
// if not found, try looking up a valid DN then auth again |
|
| 129 |
if (!authenticated) {
|
|
| 130 |
logMetacat.info("Not Authenticated");
|
|
| 131 |
logMetacat.info("Looking up DN for: " + identifier);
|
|
| 132 |
identifier = getIdentifyingName(identifier, ldapUrl, ldapBase); |
|
| 133 |
if(identifier == null){
|
|
| 134 |
logMetacat.warn("No DN found from getIdentifyingName");
|
|
| 135 |
return authenticated; |
|
| 136 |
} |
|
| 137 |
|
|
| 138 |
logMetacat.info("DN found from getIdentifyingName: " + identifier);
|
|
| 139 |
String decoded = URLDecoder.decode(identifier); |
|
| 140 |
logMetacat.info("DN decoded: " + decoded);
|
|
| 141 |
identifier = decoded; |
|
| 142 |
String refUrl = ""; |
|
| 143 |
String refBase = ""; |
|
| 144 |
if (identifier.startsWith("ldap")) {
|
|
| 145 |
logMetacat.debug("identifier starts with ldap");
|
|
| 146 |
|
|
| 147 |
refUrl = identifier.substring(0, identifier.lastIndexOf("/") + 1);
|
|
| 148 |
logMetacat.info("Ref ldapUrl: " + refUrl);
|
|
| 149 |
int position = identifier.indexOf(",");
|
|
| 150 |
int position2 = identifier.indexOf(",", position + 1);
|
|
| 151 |
refBase = identifier.substring(position2 + 1); |
|
| 152 |
logMetacat.info("Ref ldapBase: " + refBase);
|
|
| 153 |
identifier = identifier.substring(identifier.lastIndexOf("/") + 1);
|
|
| 154 |
logMetacat.info("Trying: " + identifier);
|
|
| 155 |
logMetacat.info("Calling ldapAuthenticate");
|
|
| 156 |
logMetacat.info("with user as identifier: " + identifier);
|
|
| 157 |
logMetacat.info("and password as: " + password);
|
|
| 158 |
logMetacat.info("and refUrl as: " + refUrl);
|
|
| 159 |
logMetacat.info("and refBase as: " + refBase);
|
|
| 160 |
|
|
| 161 |
authenticated = ldapAuthenticate(identifier, password, refUrl, refBase, |
|
| 162 |
(new Boolean(MetaCatUtil.getOption("onlySecureLDAPReferalsConnection")))
|
|
| 163 |
.booleanValue()); |
|
| 164 |
} else {
|
|
| 165 |
logMetacat.info("identifier doesnt start with ldap");
|
|
| 166 |
logMetacat.info("Calling ldapAuthenticate");
|
|
| 167 |
logMetacat.info("with user as identifier: " + identifier);
|
|
| 168 |
logMetacat.info("and password as: " + password);
|
|
| 169 |
|
|
| 170 |
identifier = identifier + "," + ldapBase; |
|
| 171 |
logMetacat.info("Trying: " + identifier);
|
|
| 172 |
authenticated = ldapAuthenticate(identifier, password, |
|
| 173 |
(new Boolean(MetaCatUtil.getOption("onlySecureLDAPConnection"))).booleanValue());
|
|
| 174 |
} |
|
| 138 | 175 |
} |
| 139 |
else {
|
|
| 140 |
identifier = identifier + "," + ldapBase; |
|
| 141 |
logMetacat.info("Trying: " + identifier);
|
|
| 142 |
authenticated = ldapAuthenticate(identifier, password); |
|
| 143 |
} |
|
| 144 |
//authenticated = ldapAuthenticate(identifier, password); |
|
| 145 |
} |
|
| 146 |
|
|
| 147 | 176 |
} |
| 148 | 177 |
catch (NullPointerException e) {
|
| 149 |
logMetacat.error("NullPointerException b' password is null");
|
|
| 150 |
logMetacat.error("NullPointerException while authenticating in " +
|
|
| 178 |
logMetacat.error("NullPointerException b' password is null");
|
|
| 179 |
logMetacat.error("NullPointerException while authenticating in " +
|
|
| 151 | 180 |
"AuthLdap.authenticate: " + e); |
| 152 |
throw new ConnectException( |
|
| 181 |
e.printStackTrace(); |
|
| 182 |
|
|
| 183 |
throw new ConnectException( |
|
| 153 | 184 |
"NullPointerException while authenticating in " + |
| 154 | 185 |
"AuthLdap.authenticate: " + e); |
| 155 |
} |
|
| 156 |
catch (NamingException e) {
|
|
| 157 |
logMetacat.error("Naming exception while authenticating in " +
|
|
| 186 |
} catch (NamingException e) {
|
|
| 187 |
logMetacat.error("Naming exception while authenticating in " +
|
|
| 158 | 188 |
"AuthLdap.authenticate: " + e); |
| 159 |
e.printStackTrace(); |
|
| 189 |
e.printStackTrace(); |
|
| 190 |
} catch (Exception e) {
|
|
| 191 |
logMetacat.error(e.getMessage()); |
|
| 160 | 192 |
} |
| 161 |
catch (Exception e) {
|
|
| 162 |
logMetacat.error(e.getMessage()); |
|
| 163 |
} |
|
| 193 |
|
|
| 164 | 194 |
return authenticated; |
| 165 | 195 |
} |
| 166 | 196 |
|
| ... | ... | |
| 171 | 201 |
* @param identifier the distinguished name to check against LDAP |
| 172 | 202 |
* @param password the password for authentication |
| 173 | 203 |
*/ |
| 174 |
private boolean ldapAuthenticate(String identifier, String password) throws |
|
| 175 |
ConnectException, NamingException, NullPointerException {
|
|
| 204 |
private boolean ldapAuthenticate(String identifier, String password, |
|
| 205 |
boolean secureConnectionOnly) throws ConnectException, NamingException, |
|
| 206 |
NullPointerException {
|
|
| 176 | 207 |
return ldapAuthenticate(identifier, password, |
| 177 |
this.ldapsUrl, this.ldapBase); |
|
| 208 |
this.ldapsUrl, this.ldapBase, secureConnectionOnly);
|
|
| 178 | 209 |
} |
| 179 | 210 |
|
| 180 | 211 |
/** |
| ... | ... | |
| 184 | 215 |
* @param identifier the distinguished name to check against LDAP |
| 185 | 216 |
* @param password the password for authentication |
| 186 | 217 |
*/ |
| 187 |
private boolean ldapAuthenticate(String identifier, String password, |
|
| 188 |
String directoryUrl, String searchBase) throws |
|
| 189 |
ConnectException, NamingException, NullPointerException {
|
|
| 190 |
double totStartTime = System.currentTimeMillis(); |
|
| 191 |
boolean authenticated = false; |
|
| 192 |
if (identifier != null && !password.equals("")) {
|
|
| 218 |
|
|
| 219 |
private boolean ldapAuthenticate(String dn, String password, String rootServer, |
|
| 220 |
String rootBase, boolean secureConnectionOnly){
|
|
| 221 |
|
|
| 222 |
boolean authenticated = false; |
|
| 223 |
|
|
| 224 |
logMetacat.warn(secureConnectionOnly + ""); |
|
| 225 |
String server = ""; |
|
| 226 |
String userDN = ""; |
|
| 227 |
logMetacat.info("dn is: " + dn);
|
|
| 193 | 228 |
|
| 194 |
//Pass the username and password to run() method |
|
| 195 |
userName = identifier; |
|
| 196 |
userPassword = password; |
|
| 197 |
// Identify service provider to use |
|
| 198 |
Hashtable env = new Hashtable(11); |
|
| 199 |
env.put(Context.INITIAL_CONTEXT_FACTORY, |
|
| 200 |
"com.sun.jndi.ldap.LdapCtxFactory"); |
|
| 201 |
env.put(Context.REFERRAL, "throw"); |
|
| 202 |
env.put(Context.PROVIDER_URL, directoryUrl + searchBase); |
|
| 203 |
logMetacat.info("PROVIDER_URL set to: " + directoryUrl + searchBase);
|
|
| 204 |
if (!ldapsUrl.equals(ldapUrl)) {
|
|
| 205 |
// ldap is set on default port 389 |
|
| 206 |
// ldaps is set on second port - 636 by default |
|
| 207 |
// env.put(Context.SECURITY_PROTOCOL, "ssl"); |
|
| 229 |
int position = dn.lastIndexOf("/");
|
|
| 230 |
logMetacat.debug("position is: " + position);
|
|
| 231 |
if (position == -1) {
|
|
| 232 |
server = rootServer; |
|
| 233 |
if(dn.indexOf(userDN) < 0){
|
|
| 234 |
userDN = dn + "," + rootBase; |
|
| 235 |
} else {
|
|
| 236 |
userDN = dn; |
|
| 237 |
} |
|
| 238 |
logMetacat.info("userDN is: " + userDN);
|
|
| 239 |
|
|
| 240 |
} else {
|
|
| 241 |
server = dn.substring(0, position+1); |
|
| 242 |
userDN = dn.substring(position+1); |
|
| 243 |
logMetacat.info("server is: " + server);
|
|
| 244 |
logMetacat.info("userDN is: " + userDN);
|
|
| 245 |
} |
|
| 246 |
|
|
| 247 |
logMetacat.warn("Trying to authenticate: " + userDN);
|
|
| 248 |
logMetacat.warn(" Using server: " + server);
|
|
| 249 |
|
|
| 250 |
LdapContext ctx = null; |
|
| 251 |
double startTime; |
|
| 252 |
double stopTime; |
|
| 253 |
try {
|
|
| 254 |
Hashtable env = new Hashtable(); |
|
| 255 |
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); |
|
| 256 |
env.put(Context.PROVIDER_URL, server); |
|
| 257 |
env.put(Context.REFERRAL, "throw"); |
|
| 258 |
|
|
| 259 |
try {
|
|
| 260 |
|
|
| 261 |
startTime = System.currentTimeMillis(); |
|
| 262 |
ctx = new InitialLdapContext(env, null); |
|
| 263 |
|
|
| 264 |
// Start up TLS here so that we don't pass our jewels in cleartext |
|
| 265 |
StartTlsResponse tls = |
|
| 266 |
(StartTlsResponse)ctx.extendedOperation(new StartTlsRequest()); |
|
| 267 |
//tls.setHostnameVerifier(new SampleVerifier()); |
|
| 268 |
SSLSession sess = tls.negotiate(); |
|
| 269 |
|
|
| 270 |
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); |
|
| 271 |
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN); |
|
| 272 |
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password); |
|
| 273 |
ctx.reconnect(null); |
|
| 274 |
|
|
| 275 |
stopTime = System.currentTimeMillis(); |
|
| 276 |
logMetacat.info("Connection time thru " + ldapsUrl + " was: " +
|
|
| 277 |
(stopTime - startTime) / 1000 + " seconds."); |
|
| 278 |
|
|
| 279 |
authenticated = true; |
|
| 280 |
} catch (java.io.IOException ioe) {
|
|
| 281 |
logMetacat.warn("Caught IOException in login while negotiating TLS: "
|
|
| 282 |
+ ioe.getMessage()); |
|
| 283 |
|
|
| 284 |
if(secureConnectionOnly){
|
|
| 285 |
return authenticated; |
|
| 286 |
} else {
|
|
| 287 |
|
|
| 288 |
env.put(Context.SECURITY_AUTHENTICATION, "simple"); |
|
| 289 |
env.put(Context.SECURITY_PRINCIPAL, userDN); |
|
| 290 |
env.put(Context.SECURITY_CREDENTIALS, password); |
|
| 291 |
|
|
| 292 |
startTime = System.currentTimeMillis(); |
|
| 293 |
ctx = new InitialLdapContext(env, null); |
|
| 294 |
stopTime = System.currentTimeMillis(); |
|
| 295 |
logMetacat.info("Connection time thru " + ldapsUrl + " was: " +
|
|
| 296 |
(stopTime - startTime) / 1000 + " seconds."); |
|
| 297 |
|
|
| 298 |
authenticated = true; |
|
| 299 |
} |
|
| 300 |
} |
|
| 301 |
} catch (AuthenticationException ae) {
|
|
| 302 |
authenticated = false; |
|
| 303 |
} catch (javax.naming.InvalidNameException ine) {
|
|
| 304 |
logMetacat.error("An invalid DN was provided!");
|
|
| 305 |
} catch (NamingException e) {
|
|
| 306 |
logMetacat.warn("Caught NamingException in login: " + e.getClass().getName());
|
|
| 307 |
logMetacat.info(e.toString() + " " + e.getRootCause()); |
|
| 308 |
e.printStackTrace(); |
|
| 208 | 309 |
} |
| 209 |
env.put(Context.SECURITY_AUTHENTICATION, "simple"); |
|
| 210 |
env.put(Context.SECURITY_PRINCIPAL, identifier); |
|
| 211 |
env.put(Context.SECURITY_CREDENTIALS, password); |
|
| 212 |
// If our auth credentials are invalid, an exception will be thrown |
|
| 213 |
DirContext ctx = null; |
|
| 214 |
try {
|
|
| 215 |
double startTime = System.currentTimeMillis(); |
|
| 216 |
//Here to check the authorization |
|
| 217 |
ctx = new InitialDirContext(env); |
|
| 218 |
double stopTime = System.currentTimeMillis(); |
|
| 219 |
logMetacat.info("Connection time thru " + ldapsUrl + " was: " +
|
|
| 220 |
(stopTime - startTime) / 1000 + " seconds."); |
|
| 221 |
authenticated = true; |
|
| 222 |
//tls.close(); |
|
| 223 |
ctx.close(); |
|
| 224 |
this.ldapUrl = ldapUrl; |
|
| 225 |
this.ldapBase = ldapBase; |
|
| 226 |
//break; |
|
| 227 |
} |
|
| 228 |
catch (AuthenticationException ae) {
|
|
| 229 |
authenticated = false; |
|
| 230 |
if (ctx != null) {
|
|
| 231 |
ctx.close(); |
|
| 232 |
} |
|
| 233 |
} |
|
| 234 |
catch (javax.naming.InvalidNameException ine) {
|
|
| 235 |
logMetacat.error("An invalid DN was provided!");
|
|
| 236 |
} |
|
| 237 |
catch (javax.naming.ReferralException re) {
|
|
| 238 |
logMetacat.error("referral during authentication");
|
|
| 239 |
logMetacat.error("Referral information: " + re.getReferralInfo());
|
|
| 240 |
try {
|
|
| 241 |
refExc = re; |
|
| 242 | 310 |
|
| 243 |
Thread t = new Thread(this); |
|
| 244 |
t.start(); |
|
| 245 |
Thread.sleep(5000); //this is a manual override of ldap's |
|
| 246 |
//hideously long time out period. |
|
| 247 |
logMetacat.info("Awake after 5 seconds.");
|
|
| 248 |
if (referralContext == null) {
|
|
| 249 |
t.interrupt(); |
|
| 250 |
authenticated = false; |
|
| 251 |
} |
|
| 252 |
else {
|
|
| 253 |
authenticated = true; |
|
| 254 |
} |
|
| 255 |
} |
|
| 256 |
catch (Exception e) {
|
|
| 257 |
authenticated = false; |
|
| 258 |
} |
|
| 259 |
} |
|
| 260 |
} |
|
| 261 |
else {
|
|
| 262 |
logMetacat.info("User not found");
|
|
| 263 |
} |
|
| 264 |
double totStopTime = System.currentTimeMillis(); |
|
| 265 |
logMetacat.warn("total ldap authentication time: " +
|
|
| 266 |
(totStopTime - totStartTime) / 1000 + " seconds"); |
|
| 267 |
return authenticated; |
|
| 311 |
return authenticated; |
|
| 268 | 312 |
} |
| 269 | 313 |
|
| 314 |
|
|
| 270 | 315 |
/** |
| 271 | 316 |
* Get the identifying name for a given userid or name. This is the name |
| 272 | 317 |
* that is used in conjunction withthe LDAP BaseDN to create a |
| ... | ... | |
| 277 | 322 |
* or null if not found |
| 278 | 323 |
*/ |
| 279 | 324 |
private String getIdentifyingName(String user, String ldapUrl, |
| 280 |
String ldapBase) throws NamingException {
|
|
| 281 |
String identifier = null; |
|
| 282 |
// Identify service provider to use |
|
| 283 |
Hashtable env = new Hashtable(11); |
|
| 284 |
env.put(Context.INITIAL_CONTEXT_FACTORY, |
|
| 285 |
"com.sun.jndi.ldap.LdapCtxFactory"); |
|
| 286 |
logMetacat.info("setting referrals to: " + referral);
|
|
| 287 |
env.put(Context.REFERRAL, referral); |
|
| 288 |
env.put(Context.PROVIDER_URL, ldapUrl + ldapBase); |
|
| 289 |
// non-secure LDAP context; dn are publicly readable |
|
| 290 |
try {
|
|
| 291 |
|
|
| 292 |
// Bind to the LDAP server, in order to search for the right |
|
| 293 |
// distinguished name (dn) based on userid (uid) or common name (cn) |
|
| 294 |
DirContext ctx = new InitialDirContext(env); |
|
| 295 |
SearchControls ctls = new SearchControls(); |
|
| 296 |
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE); |
|
| 297 |
// Search for the user id or name using the uid, then cn and sn |
|
| 298 |
//attributes |
|
| 299 |
// If we find a record, determine the dn for the record |
|
| 300 |
// The following blocks need to be refactored into a subroutine |
|
| 301 |
// they have a ridiculous amount of redundancy |
|
| 302 |
|
|
| 303 |
// Parse out the uid and org components and look up the real DN |
|
| 304 |
// This assumes a dn like "uid=x,o=y,dc=someinst,dc=org" |
|
| 305 |
int position = user.indexOf(",");
|
|
| 306 |
String comp1 = user.substring(0, position); |
|
| 307 |
logMetacat.info("First comp is: " + comp1);
|
|
| 308 |
String comp2 = user.substring(position + 1, |
|
| 309 |
user.indexOf(",", position + 1));
|
|
| 310 |
logMetacat.info("Second comp is: " + comp2);
|
|
| 311 |
|
|
| 312 |
//String filter = "(&(" + comp1 + "))";
|
|
| 313 |
String filter = "(&(" + comp1 + ")(" + comp2 + "))";
|
|
| 314 |
logMetacat.info("Filter is: " + filter);
|
|
| 315 |
logMetacat.info("Provider URL is: " + ldapUrl + ldapBase);
|
|
| 316 |
NamingEnumeration answer; |
|
| 325 |
String ldapBase) throws NamingException {
|
|
| 326 |
|
|
| 327 |
String identifier = null; |
|
| 328 |
Hashtable env = new Hashtable(); |
|
| 329 |
env.put(Context.INITIAL_CONTEXT_FACTORY, |
|
| 330 |
"com.sun.jndi.ldap.LdapCtxFactory"); |
|
| 331 |
env.put(Context.REFERRAL, "throw"); |
|
| 332 |
env.put(Context.PROVIDER_URL, ldapUrl + ldapBase); |
|
| 317 | 333 |
try {
|
| 318 |
logMetacat.info("Trying search 1: " + filter);
|
|
| 319 |
answer = ctx.search("", filter, ctls);
|
|
| 320 |
logMetacat.info("Search 1 complete");
|
|
| 321 |
if (answer == null) {
|
|
| 322 |
logMetacat.info("Search 1 answer is null.");
|
|
| 323 |
} |
|
| 324 |
if (answer.hasMore()) {
|
|
| 325 |
logMetacat.info("Search 1 has answers.");
|
|
| 326 |
SearchResult sr = (SearchResult) answer.next(); |
|
| 327 |
identifier = sr.getName(); |
|
| 328 |
logMetacat.info("Originally Found: " + identifier);
|
|
| 329 |
return identifier; |
|
| 330 |
} |
|
| 331 |
} |
|
| 332 |
catch (InvalidSearchFilterException e) {
|
|
| 333 |
logMetacat.error("Invalid Filter exception thrown (if1)");
|
|
| 334 |
} |
|
| 334 |
int position = user.indexOf(",");
|
|
| 335 |
String uid = user.substring(user.indexOf("=") + 1, position);
|
|
| 336 |
logMetacat.warn("uid is: " + uid);
|
|
| 337 |
String org = user.substring(user.indexOf("=", position + 1) + 1,
|
|
| 338 |
user.indexOf(",", position + 1));
|
|
| 339 |
logMetacat.warn("org is: " + org);
|
|
| 340 |
|
|
| 341 |
DirContext sctx = new InitialDirContext(env); |
|
| 342 |
SearchControls ctls = new SearchControls(); |
|
| 343 |
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE); |
|
| 344 |
String filter = "(&(uid=" + uid + ")(o=" + org + "))"; |
|
| 345 |
logMetacat.warn("Filter: " + filter);
|
|
| 346 |
|
|
| 347 |
for (boolean moreReferrals = true; moreReferrals;) {
|
|
| 348 |
try {
|
|
| 349 |
// Perform the search |
|
| 350 |
NamingEnumeration answer = |
|
| 351 |
sctx.search("", filter, ctls);
|
|
| 335 | 352 |
|
| 336 |
// That failed, so check if it is just a username |
|
| 337 |
filter = "(" + user + ")";
|
|
| 338 |
try {
|
|
| 339 |
logMetacat.info("Trying again: " + filter);
|
|
| 340 |
answer = ctx.search("", filter, ctls);
|
|
| 341 |
if (answer.hasMore()) {
|
|
| 342 |
SearchResult sr = (SearchResult) answer.next(); |
|
| 343 |
identifier = sr.getName(); |
|
| 344 |
if (!sr.isRelative()) {
|
|
| 345 |
this.ldapUrl = identifier.substring(0, |
|
| 346 |
identifier.lastIndexOf("/") + 1);
|
|
| 347 |
this.ldapBase = identifier.substring(identifier.indexOf(",") + 1);
|
|
| 348 |
identifier = identifier.substring(identifier.lastIndexOf("/") + 1,
|
|
| 349 |
identifier.indexOf(","));
|
|
| 350 |
} |
|
| 351 |
logMetacat.info("Found: " + identifier);
|
|
| 352 |
return identifier; |
|
| 353 |
} |
|
| 354 |
} |
|
| 355 |
catch (InvalidSearchFilterException e) {}
|
|
| 353 |
// Return the answer |
|
| 354 |
while (answer.hasMore()) {
|
|
| 355 |
SearchResult sr = (SearchResult)answer.next(); |
|
| 356 |
identifier = sr.getName(); |
|
| 357 |
return identifier; |
|
| 358 |
} |
|
| 359 |
// The search completes with no more referrals |
|
| 360 |
moreReferrals = false; |
|
| 361 |
} catch (ReferralException e) {
|
|
| 362 |
logMetacat.info("Got referral: " + e.getReferralInfo());
|
|
| 356 | 363 |
|
| 357 |
// Maybe its a user id (uid) |
|
| 358 |
filter = "(uid=" + user + ")"; |
|
| 359 |
logMetacat.info("Trying again: " + filter);
|
|
| 360 |
answer = ctx.search("", filter, ctls);
|
|
| 361 |
if (answer.hasMore()) {
|
|
| 362 |
SearchResult sr = (SearchResult) answer.next(); |
|
| 363 |
identifier = sr.getName(); |
|
| 364 |
if (!sr.isRelative()) {
|
|
| 365 |
this.ldapUrl = identifier.substring(0, |
|
| 366 |
identifier.lastIndexOf("/") + 1);
|
|
| 367 |
this.ldapBase = identifier.substring(identifier.indexOf(",") + 1);
|
|
| 368 |
identifier = identifier.substring(identifier.lastIndexOf("/") + 1,
|
|
| 369 |
identifier.indexOf(","));
|
|
| 370 |
} |
|
| 371 |
logMetacat.info("Found: " + identifier);
|
|
| 372 |
} |
|
| 373 |
else {
|
|
| 374 |
|
|
| 375 |
// maybe its just a common name |
|
| 376 |
filter = "(cn=" + user + ")"; |
|
| 377 |
logMetacat.info("Trying again: " + filter);
|
|
| 378 |
NamingEnumeration answer2 = ctx.search("", filter, ctls);
|
|
| 379 |
if (answer2.hasMore()) {
|
|
| 380 |
SearchResult sr = (SearchResult) answer2.next(); |
|
| 381 |
identifier = sr.getName(); |
|
| 382 |
if (!sr.isRelative()) {
|
|
| 383 |
this.ldapUrl = identifier.substring(0, |
|
| 384 |
identifier.lastIndexOf("/") + 1);
|
|
| 385 |
this.ldapBase = identifier.substring(identifier.indexOf(",") + 1);
|
|
| 386 |
identifier = identifier.substring(identifier.lastIndexOf("/") + 1,
|
|
| 387 |
identifier.indexOf(","));
|
|
| 364 |
// Point to the new context from the referral |
|
| 365 |
if (moreReferrals) {
|
|
| 366 |
sctx = (DirContext) e.getReferralContext(); |
|
| 367 |
} |
|
| 368 |
} |
|
| 388 | 369 |
} |
| 389 |
logMetacat.info("Found: " + identifier);
|
|
| 390 |
} |
|
| 391 |
else {
|
|
| 392 |
|
|
| 393 |
// ok, last resort, is it a surname? |
|
| 394 |
filter = "(sn=" + user + ")"; |
|
| 395 |
logMetacat.info("Trying again: " + filter);
|
|
| 396 |
NamingEnumeration answer3 = ctx.search("", filter, ctls);
|
|
| 397 |
if (answer3.hasMore()) {
|
|
| 398 |
SearchResult sr = (SearchResult) answer3.next(); |
|
| 399 |
identifier = sr.getName(); |
|
| 400 |
if (!sr.isRelative()) {
|
|
| 401 |
this.ldapUrl = identifier.substring(0, |
|
| 402 |
identifier.lastIndexOf("/") +
|
|
| 403 |
1); |
|
| 404 |
this.ldapBase = identifier.substring(identifier.indexOf(",") + 1);
|
|
| 405 |
identifier = identifier.substring(identifier.lastIndexOf("/") + 1,
|
|
| 406 |
identifier.indexOf(","));
|
|
| 407 |
} |
|
| 408 |
logMetacat.info("Found: " + identifier);
|
|
| 409 |
} |
|
| 410 |
} |
|
| 411 |
} |
|
| 412 |
// Close the context when we're done the initial search |
|
| 413 |
ctx.close(); |
|
| 414 |
} |
|
| 415 |
catch (NamingException e) {
|
|
| 416 |
logMetacat.error("Naming exception while getting dn: " + e);
|
|
| 417 |
throw new NamingException( |
|
| 418 |
"Naming exception in AuthLdap.getIdentifyingName: " + e); |
|
| 419 |
} |
|
| 420 |
logMetacat.error("Returning found identifier as: " + identifier);
|
|
| 421 |
return identifier; |
|
| 370 |
} catch (NamingException e) {
|
|
| 371 |
logMetacat.error("Naming exception while getting dn: " + e);
|
|
| 372 |
throw new NamingException( |
|
| 373 |
"Naming exception in AuthLdap.getIdentifyingName: " + e); |
|
| 374 |
} |
|
| 375 |
return identifier; |
|
| 422 | 376 |
} |
| 423 |
|
|
| 377 |
|
|
| 424 | 378 |
/** |
| 425 | 379 |
* Get all users from the authentication service |
| 426 | 380 |
* |
| ... | ... | |
| 835 | 789 |
dc.close(); |
| 836 | 790 |
} |
| 837 | 791 |
catch (NamingException ne) {
|
| 838 |
logMetacat.warn("Naming Exception in AuthLdap.getGroups" +
|
|
| 792 |
logMetacat.info("Naming Exception in AuthLdap.getGroups for referals" +
|
|
| 839 | 793 |
ne.getExplanation() + ne.getMessage()); |
| 840 | 794 |
} |
| 841 | 795 |
} |
Also available in: Unified diff
Replaced getIdentifyingName and ldapAuthenticate with new code. ldapAuthenticate will first try to form a secure connection. If the secure connection fails then based on the value specified
in metacat.properties, an insecure connection will be made. authenticate() function first tries to connect using the dn specified with the default ldap base and url. in case that fails,
then getIdentifyingName is called and authentication is tried for any referals found.
Now, getIdentifyingName only considers the username provided as 'uid' and not as sn or cn. Any referals found are returned so that authentication can be tested against them