org.apache.directory.ldap.client.api.LdapNetworkConnection Java Examples
The following examples show how to use
org.apache.directory.ldap.client.api.LdapNetworkConnection.
Example #1
Source File: ApiLdapClientApiOsgiTest.java From directory-ldap-api with Apache License 2.0
@Override
protected void useBundleClasses() throws Exception
{
    new LdapNetworkConnection().close();
    new SaslGssApiRequest();
    new Krb5LoginConfiguration();
    new AddFuture( new LdapNetworkConnection(), 2 );
    new LdapConnectionTemplate( new LdapConnectionPool( new DefaultPoolableLdapConnectionFactory( new LdapConnectionConfig() ) ) );
    FilterBuilder.and( FilterBuilder.not( FilterBuilder.contains( "cn", "a", "b" ) ) ).toString();

    // Test for DIRAPI-239
    PooledObjectFactory<LdapConnection> factory = new DefaultPoolableLdapConnectionFactory( new LdapConnectionConfig() );
    GenericObjectPoolConfig config = new GenericObjectPoolConfig();
    LdapConnectionPool ldapConnectionPool = new LdapConnectionPool( factory, config );
    ldapConnectionPool.getLdapApiService();
    ldapConnectionPool.getTestOnBorrow();
    ldapConnectionPool.close();
}
Example #2
Source File: UserService.java From guacamole-client with Apache License 2.0
/**
 * Returns all Guacamole users accessible to the user currently bound under
 * the given LDAP connection.
 *
 * @param ldapConnection
 *     The current connection to the LDAP server, associated with the
 *     current user.
 *
 * @return
 *     All users accessible to the user currently bound under the given
 *     LDAP connection, as a map of user identifier to corresponding
 *     user object.
 *
 * @throws GuacamoleException
 *     If an error occurs preventing retrieval of users.
 */
public Map<String, User> getUsers(LdapNetworkConnection ldapConnection)
        throws GuacamoleException {

    // Retrieve all visible user objects
    Collection<String> attributes = confService.getUsernameAttributes();
    List<Entry> results = queryService.search(ldapConnection,
            confService.getUserBaseDN(),
            confService.getUserSearchFilter(),
            attributes, null);

    // Convert retrieved users to map of identifier to Guacamole user object
    return queryService.asMap(results, entry -> {

        // Get username from record
        try {
            String username = queryService.getIdentifier(entry, attributes);
            if (username == null) {
                logger.warn("User \"{}\" is missing a username attribute "
                        + "and will be ignored.", entry.getDn().toString());
                return null;
            }
            return new SimpleUser(username);
        }
        catch (LdapInvalidAttributeValueException e) {
            return null;
        }

    });

}
Example #3
Source File: LdapAuthenticationBaseIT.java From datacollector with Apache License 2.0
static LdapConnection setupLdapServer(GenericContainer server, String setupFile) {
    // setup Ldap server 1
    LdapConnection connection = new LdapNetworkConnection(server.getContainerIpAddress(), server.getMappedPort(LDAP_PORT));
    try {
        connection.bind(BIND_DN, BIND_PWD);
        LdifReader reader = new LdifReader(Resources.getResource(setupFile).getFile());
        for (LdifEntry entry : reader) {
            connection.add(entry.getEntry());
        }
    } catch (LdapException e) {
        LOG.error("Setup server 1 failed " + e);
    }
    return connection;
}
Example #4
Source File: LDAPApi.java From mamute with Apache License 2.0
private LdapConnection connection(String username, String password) throws LdapException {
    // Manually build the configuration since the convenience constructor in
    // the LdapNetworkConnection doesn't let us specify a TLS setting
    LdapConnectionConfig config = new LdapConnectionConfig();
    config.setLdapHost(host);
    config.setLdapPort(port);
    config.setUseTls(useTls);
    config.setUseSsl(useSsl);
    LdapNetworkConnection conn = new LdapNetworkConnection(config);
    conn.bind(username, password);
    return conn;
}
Example #5
Source File: LdapLoginManager.java From openmeetings with Apache License 2.0
public LdapWorker(Long domainId) {
    this.domainId = domainId;
    ldapCfg = ldapConfigDao.get(domainId);
    loadLdapConf(ldapCfg.getConfigFileName(), config);
    options = new LdapOptions(config);
    conn = new LdapNetworkConnection(options.host, options.port, options.secure);
}
Example #6
Source File: ConnectionService.java From guacamole-client with Apache License 2.0
/**
 * Returns an LDAP search filter which queries all connections accessible
 * by the user having the given DN.
 *
 * @param userDN
 *     DN of the user to search for associated guacConfigGroup connections.
 *
 * @param ldapConnection
 *     LDAP connection to use if additional information must be queried to
 *     produce the filter, such as groups driving RBAC.
 *
 * @return
 *     An LDAP search filter which queries all guacConfigGroup objects
 *     accessible by the user having the given DN.
 *
 * @throws LdapException
 *     If an error occurs preventing retrieval of user groups.
 *
 * @throws GuacamoleException
 *     If an error occurs retrieving the group base DN.
 */
private ExprNode getConnectionSearchFilter(Dn userDN,
        LdapNetworkConnection ldapConnection)
        throws LdapException, GuacamoleException {

    AndNode searchFilter = new AndNode();

    // Add the prefix to the search filter, prefix filter searches for
    // guacConfigGroups with the userDN as the member attribute value
    searchFilter.addNode(new EqualityNode("objectClass","guacConfigGroup"));

    // Apply group filters
    OrNode groupFilter = new OrNode();
    groupFilter.addNode(new EqualityNode(confService.getMemberAttribute(),
        userDN.toString()));

    // Additionally filter by group membership if the current user is a
    // member of any user groups
    List<Entry> userGroups = userGroupService.getParentUserGroupEntries(ldapConnection, userDN);
    if (!userGroups.isEmpty()) {
        userGroups.forEach(entry ->
            groupFilter.addNode(new EqualityNode("seeAlso",entry.getDn().toString()))
        );
    }

    // Complete the search filter.
    searchFilter.addNode(groupFilter);

    return searchFilter;

}
Example #7
Source File: LDAPConnectionService.java From guacamole-client with Apache License 2.0
/**
 * Creates a new instance of LdapNetworkConnection, configured as required
 * to use the given encryption method to communicate with the LDAP server
 * at the given hostname and port. The returned LdapNetworkConnection is
 * configured for use but is not yet connected nor bound to the LDAP
 * server. It will not be bound until a bind operation is explicitly
 * requested, and will not be connected until it is used in an LDAP
 * operation (such as a bind).
 *
 * @param host
 *     The hostname or IP address of the LDAP server.
 *
 * @param port
 *     The TCP port that the LDAP server is listening on.
 *
 * @param encryptionMethod
 *     The encryption method that should be used to communicate with the
 *     LDAP server.
 *
 * @return
 *     A new instance of LdapNetworkConnection which uses the given
 *     encryption method to communicate with the LDAP server at the given
 *     hostname and port.
 *
 * @throws GuacamoleException
 *     If the requested encryption method is actually not implemented (a
 *     bug).
 */
private LdapNetworkConnection createLDAPConnection(String host, int port,
        EncryptionMethod encryptionMethod) throws GuacamoleException {

    LdapConnectionConfig config = new LdapConnectionConfig();
    config.setLdapHost(host);
    config.setLdapPort(port);

    // Map encryption method to proper connection and socket factory
    switch (encryptionMethod) {

        // Unencrypted LDAP connection
        case NONE:
            logger.debug("Connection to LDAP server without encryption.");
            break;

        // LDAP over SSL (LDAPS)
        case SSL:
            logger.debug("Connecting to LDAP server using SSL/TLS.");
            config.setUseSsl(true);
            break;

        // LDAP + STARTTLS
        case STARTTLS:
            logger.debug("Connecting to LDAP server using STARTTLS.");
            config.setUseTls(true);
            break;

        // The encryption method, though known, is not actually
        // implemented. If encountered, this would be a bug.
        default:
            throw new GuacamoleUnsupportedException("Unimplemented encryption method: " + encryptionMethod);

    }

    return new LdapNetworkConnection(config);

}
Example #11
Source File: UserGroupService.java From guacamole-client with Apache License 2.0
/**
 * Returns the identifiers of all user groups that the given user is a
 * member of. Only identifiers of user groups which are readable by the
 * current user will be retrieved.
 *
 * @param ldapConnection
 *     The current connection to the LDAP server, associated with the
 *     current user.
 *
 * @param userDN
 *     The DN of the user whose group membership should be retrieved.
 *
 * @return
 *     The identifiers of all readable parent user groups of the user
 *     having the given DN.
 *
 * @throws GuacamoleException
 *     If an error occurs preventing retrieval of user groups.
 */
public Set<String> getParentUserGroupIdentifiers(LdapNetworkConnection ldapConnection,
        Dn userDN) throws GuacamoleException {

    Collection<String> attributes = confService.getGroupNameAttributes();
    List<Entry> userGroups = getParentUserGroupEntries(ldapConnection, userDN);

    Set<String> identifiers = new HashSet<>(userGroups.size());
    userGroups.forEach(entry -> {

        // Determine unique identifier for user group
        try {
            String name = queryService.getIdentifier(entry, attributes);
            if (name != null)
                identifiers.add(name);

            // Ignore user groups which lack a name attribute
            else
                logger.debug("User group \"{}\" is missing a name attribute "
                        + "and will be ignored.", entry.getDn().toString());
        }
        catch (LdapInvalidAttributeValueException e) {
            logger.error("User group missing identifier: {}", e.getMessage());
            logger.debug("LDAP exception while getting group identifier.", e);
        }

    });

    return identifiers;

}
Example #12
Source File: AuthenticationProviderService.java From guacamole-client with Apache License 2.0
/**
 * Returns parameter tokens generated from LDAP attributes on the user
 * currently bound under the given LDAP connection. The attributes to be
 * converted into parameter tokens must be explicitly listed in
 * guacamole.properties. If no attributes are specified or none are
 * found on the LDAP user object, an empty map is returned.
 *
 * @param ldapConnection
 *     LDAP connection to use to read the attributes of the user.
 *
 * @param userDn
 *     The DN of the user whose attributes are to be queried.
 *
 * @return
 *     A map of parameter tokens generated from attributes on the user
 *     currently bound under the given LDAP connection, as a map of token
 *     name to corresponding value, or an empty map if no attributes are
 *     specified or none are found on the user object.
 *
 * @throws GuacamoleException
 *     If an error occurs retrieving the user DN or the attributes.
 */
private Map<String, String> getAttributeTokens(LdapNetworkConnection ldapConnection,
        Dn userDn) throws GuacamoleException {

    // Get attributes from configuration information
    List<String> attrList = confService.getAttributes();

    // If there are no attributes there is no reason to search LDAP
    if (attrList.isEmpty())
        return Collections.<String, String>emptyMap();

    // Build LDAP query parameters
    String[] attrArray = attrList.toArray(new String[attrList.size()]);

    Map<String, String> tokens = new HashMap<>();
    try {

        // Get LDAP attributes by querying LDAP
        Entry userEntry = ldapConnection.lookup(userDn, attrArray);
        if (userEntry == null)
            return Collections.<String, String>emptyMap();

        Collection<Attribute> attributes = userEntry.getAttributes();
        if (attributes == null)
            return Collections.<String, String>emptyMap();

        // Convert each retrieved attribute into a corresponding token
        for (Attribute attr : attributes) {
            tokens.put(TokenName.canonicalize(attr.getId(),
                    LDAP_ATTRIBUTE_TOKEN_PREFIX), attr.getString());
        }

    }
    catch (LdapException e) {
        throw new GuacamoleServerException("Could not query LDAP user attributes.", e);
    }

    return tokens;

}
Example #13
Source File: AuthenticationProviderService.java From guacamole-client with Apache License 2.0
/**
 * Returns a UserContext object initialized with data accessible to the
 * given AuthenticatedUser.
 *
 * @param authenticatedUser
 *     The AuthenticatedUser to retrieve data for.
 *
 * @return
 *     A UserContext object initialized with data accessible to the given
 *     AuthenticatedUser.
 *
 * @throws GuacamoleException
 *     If the UserContext cannot be created due to an error.
 */
public LDAPUserContext getUserContext(AuthenticatedUser authenticatedUser)
        throws GuacamoleException {

    // Bind using credentials associated with AuthenticatedUser
    Credentials credentials = authenticatedUser.getCredentials();
    if (authenticatedUser instanceof LDAPAuthenticatedUser) {

        Dn bindDn = ((LDAPAuthenticatedUser) authenticatedUser).getBindDn();
        LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, credentials.getPassword());
        if (ldapConnection == null) {
            logger.debug("LDAP bind succeeded for \"{}\" during "
                    + "authentication but failed during data retrieval.",
                    authenticatedUser.getIdentifier());
            throw new GuacamoleInvalidCredentialsException("Invalid login.",
                    CredentialsInfo.USERNAME_PASSWORD);
        }

        try {

            // Build user context by querying LDAP
            LDAPUserContext userContext = userContextProvider.get();
            userContext.init(authenticatedUser, ldapConnection);
            return userContext;

        }

        // Always disconnect
        finally {
            ldapConnection.close();
        }

    }

    return null;

}
Example #17
Source File: AuthenticationProviderService.java From guacamole-client with Apache License 2.0
/**
 * Determines the DN which corresponds to the user having the given
 * username. The DN will either be derived directly from the user base DN,
 * or queried from the LDAP server, depending on how LDAP authentication
 * has been configured.
 *
 * @param username
 *     The username of the user whose corresponding DN should be returned.
 *
 * @return
 *     The DN which corresponds to the user having the given username.
 *
 * @throws GuacamoleException
 *     If required properties are missing, and thus the user DN cannot be
 *     determined.
 */
private Dn getUserBindDN(String username) throws GuacamoleException {

    // If a search DN is provided, search the LDAP directory for the DN
    // corresponding to the given username
    Dn searchBindDN = confService.getSearchBindDN();
    if (searchBindDN != null) {

        // Create an LDAP connection using the search account
        LdapNetworkConnection searchConnection = ldapService.bindAs(
            searchBindDN,
            confService.getSearchBindPassword()
        );

        // Warn of failure to find
        if (searchConnection == null) {
            logger.error("Unable to bind using search DN \"{}\"", searchBindDN);
            return null;
        }

        try {

            // Retrieve all DNs associated with the given username
            List<Dn> userDNs = userService.getUserDNs(searchConnection, username);
            if (userDNs.isEmpty())
                return null;

            // Warn if multiple DNs exist for the same user
            if (userDNs.size() != 1) {
                logger.warn("Multiple DNs possible for user \"{}\": {}", username, userDNs);
                return null;
            }

            // Return the single possible DN
            return userDNs.get(0);

        }

        // Always disconnect
        finally {
            searchConnection.close();
        }

    }

    // Otherwise, derive user DN from base DN
    return userService.deriveUserDN(username);

}
Example #18
Source File: LDAPUserContext.java From guacamole-client with Apache License 2.0
/**
 * Initializes this UserContext using the provided AuthenticatedUser and
 * LdapNetworkConnection.
 *
 * @param user
 *     The AuthenticatedUser representing the user that authenticated. This
 *     user may have been authenticated by a different authentication
 *     provider (not LDAP).
 *
 * @param ldapConnection
 *     The connection to the LDAP server to use when querying accessible
 *     Guacamole users and connections.
 *
 * @throws GuacamoleException
 *     If associated data stored within the LDAP directory cannot be
 *     queried due to an error.
 */
public void init(AuthenticatedUser user, LdapNetworkConnection ldapConnection)
        throws GuacamoleException {

    // Query all accessible users
    userDirectory = new SimpleDirectory<>(
        userService.getUsers(ldapConnection)
    );

    // Query all accessible user groups
    userGroupDirectory = new SimpleDirectory<>(
        userGroupService.getUserGroups(ldapConnection)
    );

    // Query all accessible connections
    connectionDirectory = new SimpleDirectory<>(
        connectionService.getConnections(user, ldapConnection)
    );

    // Root group contains only connections
    rootGroup = new SimpleConnectionGroup(
        LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP,
        LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP,
        connectionDirectory.getIdentifiers(),
        Collections.<String>emptyList()
    );

    // Init self with basic permissions
    self = new SimpleUser(user.getIdentifier()) {

        @Override
        public ObjectPermissionSet getUserPermissions() throws GuacamoleException {
            return new SimpleObjectPermissionSet(userDirectory.getIdentifiers());
        }

        @Override
        public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException {
            return new SimpleObjectPermissionSet(userGroupDirectory.getIdentifiers());
        }

        @Override
        public ObjectPermissionSet getConnectionPermissions() throws GuacamoleException {
            return new SimpleObjectPermissionSet(connectionDirectory.getIdentifiers());
        }

        @Override
        public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException {
            return new SimpleObjectPermissionSet(Collections.singleton(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP));
        }

    };

}
Example #19
Source File: AuthenticationProviderService.java From guacamole-client with Apache License 2.0
/**
 * Returns an AuthenticatedUser representing the user authenticated by the
 * given credentials. Also adds custom LDAP attributes to the
 * AuthenticatedUser.
 *
 * @param credentials
 *     The credentials to use for authentication.
 *
 * @return
 *     An AuthenticatedUser representing the user authenticated by the
 *     given credentials.
 *
 * @throws GuacamoleException
 *     If an error occurs while authenticating the user, or if access is
 *     denied.
 */
public LDAPAuthenticatedUser authenticateUser(Credentials credentials)
        throws GuacamoleException {

    String username = credentials.getUsername();
    String password = credentials.getPassword();

    // Username and password are required
    if (username == null
            || username.isEmpty()
            || password == null
            || password.isEmpty()) {
        throw new GuacamoleInvalidCredentialsException(
                "Anonymous bind is not currently allowed by the LDAP"
                + " authentication provider.", CredentialsInfo.USERNAME_PASSWORD);
    }

    Dn bindDn = getUserBindDN(username);
    if (bindDn == null || bindDn.isEmpty()) {
        throw new GuacamoleInvalidCredentialsException("Unable to determine"
                + " DN of user " + username, CredentialsInfo.USERNAME_PASSWORD);
    }

    // Attempt bind
    LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, password);
    if (ldapConnection == null)
        throw new GuacamoleInvalidCredentialsException("Invalid login.",
                CredentialsInfo.USERNAME_PASSWORD);

    try {

        // Retrieve group membership of the user that just authenticated
        Set<String> effectiveGroups =
                userGroupService.getParentUserGroupIdentifiers(ldapConnection,
                        bindDn);

        // Return AuthenticatedUser if bind succeeds
        LDAPAuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
        authenticatedUser.init(credentials, getAttributeTokens(ldapConnection,
                bindDn), effectiveGroups, bindDn);
        return authenticatedUser;

    }

    // Always disconnect
    finally {
        ldapConnection.close();
    }

}
Example #20
Source File: LdapDirectoryServerConnectionTest.java From cloudstack with Apache License 2.0
public void testUserCreation() {
    LdapConnection connection = new LdapNetworkConnection( "localhost", 10389 );
    try {
        connection.bind( "uid=admin,ou=system", "secret" );
        connection.add(new DefaultEntry(
            "ou=acsadmins,ou=users,ou=system",
            "objectClass: organizationalUnit", // might also need to be objectClass: top
            "ou: acsadmins"
        ));
        connection.add(new DefaultEntry(
            "uid=dahn,ou=acsadmins,ou=users,ou=system",
            "objectClass: inetOrgPerson",
            "objectClass: top",
            "cn: dahn",
            "sn: Hoogland",
            "givenName: Daan",
            "mail: d@b.c",
            "uid: dahn"
        ));
        connection.add( new DefaultEntry(
            "cn=JuniorAdmins,ou=groups,ou=system", // The Dn
            "objectClass: groupOfUniqueNames",
            "ObjectClass: top",
            "cn: JuniorAdmins",
            // note: the RDN order here (ou=system,ou=users) differs from the
            // user DN added above (ou=users,ou=system)
            "uniqueMember: uid=dahn,ou=acsadmins,ou=system,ou=users") );
        assertTrue( connection.exists( "cn=JuniorAdmins,ou=groups,ou=system" ) );
        assertTrue( connection.exists( "uid=dahn,ou=acsadmins,ou=users,ou=system" ) );

        Entry ourUser = connection.lookup("uid=dahn,ou=acsadmins,ou=users,ou=system");
        ourUser.add("memberOf", "cn=JuniorAdmins,ou=groups,ou=system");
        AddRequest addRequest = new AddRequestImpl();
        addRequest.setEntry( ourUser );
        AddResponse response = connection.add( addRequest );
        assertNotNull( response );
        // We would need to either
        // assertEquals( ResultCodeEnum.SUCCESS, response.getLdapResult().getResultCode() );
        // or have the automatic virtual attribute
        List<LdapUser> usahs = ldapManager.getUsers(1L);
        assertEquals("now an admin and a normal user should be present",2, usahs.size());
    } catch (LdapException | NoLdapUserMatchingQueryException e) {
        fail(e.getLocalizedMessage());
    }
}
Example #21
Source File: UserGroupService.java From guacamole-client with Apache License 2.0
/**
 * Returns all Guacamole user groups accessible to the user currently bound
 * under the given LDAP connection.
 *
 * @param ldapConnection
 *     The current connection to the LDAP server, associated with the
 *     current user.
 *
 * @return
 *     All user groups accessible to the user currently bound under the
 *     given LDAP connection, as a map of user group identifier to
 *     corresponding UserGroup object.
 *
 * @throws GuacamoleException
 *     If an error occurs preventing retrieval of user groups.
 */
public Map<String, UserGroup> getUserGroups(LdapNetworkConnection ldapConnection)
        throws GuacamoleException {

    // Do not return any user groups if base DN is not specified
    Dn groupBaseDN = confService.getGroupBaseDN();
    if (groupBaseDN == null)
        return Collections.emptyMap();

    // Retrieve all visible user groups which are not guacConfigGroups
    Collection<String> attributes = confService.getGroupNameAttributes();
    List<Entry> results = queryService.search(
        ldapConnection,
        groupBaseDN,
        getGroupSearchFilter(),
        attributes,
        null
    );

    // Convert retrieved user groups to map of identifier to Guacamole
    // user group object
    return queryService.asMap(results, entry -> {

        // Translate entry into UserGroup object having proper identifier
        try {
            String name = queryService.getIdentifier(entry, attributes);
            if (name != null)
                return new SimpleUserGroup(name);
        }
        catch (LdapInvalidAttributeValueException e) {
            return null;
        }

        // Ignore user groups which lack a name attribute
        logger.debug("User group \"{}\" is missing a name attribute "
                + "and will be ignored.", entry.getDn().toString());
        return null;

    });

}
Example #22
Source File: UserGroupService.java From guacamole-client with Apache License 2.0 | 4 votes |
/**
 * Returns the LDAP entries representing all user groups that the given
 * user is a member of. Only user groups which are readable by the current
 * user will be retrieved.
 *
 * @param ldapConnection
 *     The current connection to the LDAP server, associated with the
 *     current user.
 *
 * @param userDN
 *     The DN of the user whose group membership should be retrieved.
 *
 * @return
 *     The LDAP entries representing all readable parent user groups of the
 *     user having the given DN.
 *
 * @throws GuacamoleException
 *     If an error occurs preventing retrieval of user groups.
 */
public List<Entry> getParentUserGroupEntries(LdapNetworkConnection ldapConnection,
        Dn userDN) throws GuacamoleException {

    // Do not return any user groups if base DN is not specified
    Dn groupBaseDN = confService.getGroupBaseDN();
    if (groupBaseDN == null)
        return Collections.emptyList();

    // memberAttribute specified in properties could contain DN or username
    MemberAttributeType memberAttributeType = confService.getMemberAttributeType();
    String userIDorDN = userDN.toString();
    if (memberAttributeType == MemberAttributeType.UID) {

        // Retrieve user objects with userDN
        List<Entry> userEntries = queryService.search(
                ldapConnection,
                userDN,
                confService.getUserSearchFilter(),
                0);
        // ... there can surely only be one
        if (userEntries.size() != 1)
            logger.warn("user DN \"{}\" does not return unique value "
                    + "and will be ignored", userDN.toString());
        else {
            // determine unique identifier for user
            Entry userEntry = userEntries.get(0);
            Collection<String> userAttributes = confService.getUsernameAttributes();
            try {
                userIDorDN = queryService.getIdentifier(userEntry, userAttributes);
            }
            catch (LdapInvalidAttributeValueException e) {
                logger.error("User group missing identifier: {}", e.getMessage());
                logger.debug("LDAP exception while getting "
                        + "group identifier.", e);
            }
        }
    }

    // Get all groups the user is a member of starting at the groupBaseDN,
    // excluding guacConfigGroups
    return queryService.search(
        ldapConnection,
        groupBaseDN,
        getGroupSearchFilter(),
        Collections.singleton(confService.getMemberAttribute()),
        userIDorDN
    );

}
Example #23
Source File: CachedLDAPAuthorizationModuleLegacyTest.java From activemq-artemis with Apache License 2.0 | 4 votes |
@Override
protected LdapConnection getLdapConnection() throws LdapException, IOException {
    LdapConnection connection = new LdapNetworkConnection("localhost", getLdapServer().getPort());
    connection.bind(new Dn("uid=admin,ou=system"), "secret");
    return connection;
}
Example #24
Source File: CachedLDAPAuthorizationModuleOpenLDAPTest.java From activemq-artemis with Apache License 2.0 | 4 votes |
@Override
protected LdapConnection getLdapConnection() throws LdapException, IOException {
    LdapConnection connection = new LdapNetworkConnection(LDAP_HOST, LDAP_PORT);
    connection.bind(new Dn(LDAP_USER), LDAP_PASS);
    return connection;
}
Example #25
Source File: CachedLDAPAuthorizationModuleLegacyOpenLDAPTest.java From activemq-artemis with Apache License 2.0 | 4 votes |
@Override
protected LdapConnection getLdapConnection() throws LdapException, IOException {
    LdapConnection connection = new LdapNetworkConnection(LDAP_HOST, LDAP_PORT);
    connection.bind(new Dn(LDAP_USER), LDAP_PASS);
    return connection;
}
Example #26
Source File: CachedLDAPAuthorizationModuleTest.java From activemq-artemis with Apache License 2.0 | 4 votes |
@Override
protected LdapConnection getLdapConnection() throws Exception {
    LdapConnection connection = new LdapNetworkConnection("localhost", getLdapServer().getPort());
    connection.bind(new Dn("uid=admin,ou=system"), "secret");
    return connection;
}
Example #27
Source File: LdapUserManager.java From azkaban-ldap-usermanager with MIT License | 4 votes |
private LdapConnection getLdapConnection() throws LdapException {
    LdapConnection connection = new LdapNetworkConnection(ldapHost, ldapPort, useSsl);
    connection.bind(ldapBindAccount, ldapBindPassword);
    return connection;
}
Example #28
Source File: UserService.java From guacamole-client with Apache License 2.0 | 4 votes |
/**
 * Returns a list of all DNs corresponding to the users having the given
 * username. If multiple username attributes are defined, or if uniqueness
 * is not enforced across the username attribute, it is possible that this
 * will return multiple DNs.
 *
 * @param ldapConnection
 *     The connection to the LDAP server to use when querying user DNs.
 *
 * @param username
 *     The username of the user whose corresponding user account DNs are
 *     to be retrieved.
 *
 * @return
 *     A list of all DNs corresponding to the users having the given
 *     username. If no such DNs exist, this list will be empty.
 *
 * @throws GuacamoleException
 *     If an error occurs while querying the user DNs, or if the username
 *     attribute property cannot be parsed within guacamole.properties.
 */
public List<Dn> getUserDNs(LdapNetworkConnection ldapConnection,
        String username) throws GuacamoleException {

    // Retrieve user objects having a matching username
    List<Entry> results = queryService.search(ldapConnection,
            confService.getUserBaseDN(),
            confService.getUserSearchFilter(),
            confService.getUsernameAttributes(),
            username);

    // Build list of all DNs for retrieved users
    List<Dn> userDNs = new ArrayList<>(results.size());
    results.forEach(entry -> userDNs.add(entry.getDn()));

    return userDNs;

}
Example #30
Source File: LDAPUserContext.java From guacamole-client with Apache License 2.0 | 4 votes |
/**
 * Initializes this UserContext using the provided AuthenticatedUser and
 * LdapNetworkConnection.
 *
 * @param user
 *     The AuthenticatedUser representing the user that authenticated. This
 *     user may have been authenticated by a different authentication
 *     provider (not LDAP).
 *
 * @param ldapConnection
 *     The connection to the LDAP server to use when querying accessible
 *     Guacamole users and connections.
 *
 * @throws GuacamoleException
 *     If associated data stored within the LDAP directory cannot be
 *     queried due to an error.
 */
public void init(AuthenticatedUser user, LdapNetworkConnection ldapConnection)
        throws GuacamoleException {

    // Query all accessible users
    userDirectory = new SimpleDirectory<>(
        userService.getUsers(ldapConnection)
    );

    // Query all accessible user groups
    userGroupDirectory = new SimpleDirectory<>(
        userGroupService.getUserGroups(ldapConnection)
    );

    // Query all accessible connections
    connectionDirectory = new SimpleDirectory<>(
        connectionService.getConnections(user, ldapConnection)
    );

    // Root group contains only connections
    rootGroup = new SimpleConnectionGroup(
        LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP,
        LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP,
        connectionDirectory.getIdentifiers(),
        Collections.<String>emptyList()
    );

    // Init self with basic permissions
    self = new SimpleUser(user.getIdentifier()) {

        @Override
        public ObjectPermissionSet getUserPermissions() throws GuacamoleException {
            return new SimpleObjectPermissionSet(userDirectory.getIdentifiers());
        }

        @Override
        public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException {
            return new SimpleObjectPermissionSet(userGroupDirectory.getIdentifiers());
        }

        @Override
        public ObjectPermissionSet getConnectionPermissions() throws GuacamoleException {
            return new SimpleObjectPermissionSet(connectionDirectory.getIdentifiers());
        }

        @Override
        public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException {
            return new SimpleObjectPermissionSet(Collections.singleton(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP));
        }

    };

}