Beispiel #1
0
 public ChaiUser getProxiedChaiUser(final UserIdentity userIdentity)
     throws PwmUnrecoverableException {
   try {
     final ChaiProvider proxiedProvider = getProxyChaiProvider(userIdentity.getLdapProfileID());
     return ChaiFactory.createChaiUser(userIdentity.getUserDN(), proxiedProvider);
   } catch (ChaiUnavailableException e) {
     throw PwmUnrecoverableException.fromChaiException(e);
   }
 }
  private PasswordData setTempUserPassword()
      throws ChaiUnavailableException, ImpossiblePasswordPolicyException,
          PwmUnrecoverableException {

    final boolean configAlwaysUseProxy =
        pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_USE_PROXY_FOR_FORGOTTEN);

    final ChaiProvider chaiProvider =
        pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID());
    final ChaiUser chaiUser = ChaiFactory.createChaiUser(userIdentity.getUserDN(), chaiProvider);

    // try setting a random password on the account to authenticate.
    if (!configAlwaysUseProxy && requestedAuthType == AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
      log(PwmLogLevel.DEBUG, "attempting to set temporary random password");

      PwmPasswordPolicy passwordPolicy =
          PasswordUtility.readPasswordPolicyForUser(
              pwmApplication, sessionLabel, userIdentity, chaiUser, PwmConstants.DEFAULT_LOCALE);

      // create random password for user
      RandomPasswordGenerator.RandomGeneratorConfig randomGeneratorConfig =
          new RandomPasswordGenerator.RandomGeneratorConfig();
      randomGeneratorConfig.setSeedlistPhrases(RandomPasswordGenerator.DEFAULT_SEED_PHRASES);
      randomGeneratorConfig.setPasswordPolicy(passwordPolicy);

      final PasswordData currentPass =
          RandomPasswordGenerator.createRandomPassword(
              sessionLabel, randomGeneratorConfig, pwmApplication);

      try {
        final String oracleDS_PrePasswordAllowChangeTime =
            oraclePreTemporaryPwHandler(chaiProvider, chaiUser);

        // write the random password for the user.
        chaiUser.setPassword(currentPass.getStringValue());

        oraclePostTemporaryPwHandler(chaiProvider, chaiUser, oracleDS_PrePasswordAllowChangeTime);

        log(
            PwmLogLevel.INFO,
            "user "
                + userIdentity
                + " password has been set to random value to use for user authentication");
      } catch (ChaiOperationException e) {
        final String errorStr =
            "error setting random password for user " + userIdentity + " " + e.getMessage();
        log(PwmLogLevel.ERROR, errorStr);
        throw new PwmUnrecoverableException(
            new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD, errorStr));
      }

      return currentPass;
    }
    return null;
  }
  private PasswordData learnUserPassword()
      throws ChaiUnavailableException, PwmUnrecoverableException {
    log(PwmLogLevel.TRACE, "beginning auth processes for user with unknown password");

    if (userIdentity == null
        || userIdentity.getUserDN() == null
        || userIdentity.getUserDN().length() < 1) {
      throw new NullPointerException("invalid user (null)");
    }

    final ChaiProvider chaiProvider =
        pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID());
    final ChaiUser chaiUser = ChaiFactory.createChaiUser(userIdentity.getUserDN(), chaiProvider);

    // use chai (nmas) to retrieve user password
    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.EDIRECTORY_READ_USER_PWD)) {
      String currentPass = null;
      try {
        final String readPassword = chaiUser.readPassword();
        if (readPassword != null && readPassword.length() > 0) {
          currentPass = readPassword;
          log(
              PwmLogLevel.DEBUG,
              "successfully retrieved user's current password from ldap, now conducting standard authentication");
        }
      } catch (Exception e) {
        log(PwmLogLevel.ERROR, "unable to retrieve user password from ldap: " + e.getMessage());
      }

      // actually do the authentication since we have user pw.
      if (currentPass != null && currentPass.length() > 0) {
        return new PasswordData(currentPass);
      }
    } else {
      log(PwmLogLevel.TRACE, "skipping attempt to read user password, option disabled");
    }
    return null;
  }
  private void testCredentials(final UserIdentity userIdentity, final PasswordData password)
      throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    log(PwmLogLevel.TRACE, "beginning testCredentials process");

    if (userIdentity == null
        || userIdentity.getUserDN() == null
        || userIdentity.getUserDN().length() < 1) {
      final String errorMsg = "attempt to authenticate with null userDN";
      log(PwmLogLevel.DEBUG, errorMsg);
      throw new PwmOperationalException(
          new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
    }

    if (password == null) {
      final String errorMsg = "attempt to authenticate with null password";
      log(PwmLogLevel.DEBUG, errorMsg);
      throw new PwmOperationalException(
          new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
    }

    // try authenticating the user using a normal ldap BIND operation.
    log(PwmLogLevel.TRACE, "attempting authentication using ldap BIND");

    boolean bindSucceeded = false;
    try {
      // read a provider using the user's DN and password.
      userProvider =
          LdapOperationsHelper.createChaiProvider(
              sessionLabel,
              userIdentity.getLdapProfile(pwmApplication.getConfig()),
              pwmApplication.getConfig(),
              userIdentity.getUserDN(),
              password);

      // issue a read operation to trigger a bind.
      userProvider.readStringAttribute(
          userIdentity.getUserDN(), ChaiConstant.ATTR_LDAP_OBJECTCLASS);

      bindSucceeded = true;
    } catch (ChaiException e) {
      if (e.getErrorCode() != null && e.getErrorCode() == ChaiError.INTRUDER_LOCKOUT) {
        final String errorMsg =
            "intruder lockout detected for user "
                + userIdentity
                + " marking session as locked out: "
                + e.getMessage();
        final ErrorInformation errorInformation =
            new ErrorInformation(PwmError.ERROR_INTRUDER_LDAP, errorMsg);
        log(PwmLogLevel.WARN, errorInformation.toDebugStr());
        throw new PwmUnrecoverableException(errorInformation);
      }
      final PwmError pwmError = PwmError.forChaiError(e.getErrorCode());
      final ErrorInformation errorInformation;
      if (pwmError != null && PwmError.ERROR_UNKNOWN != pwmError) {
        errorInformation = new ErrorInformation(pwmError, e.getMessage());
      } else {
        errorInformation =
            new ErrorInformation(
                PwmError.ERROR_WRONGPASSWORD,
                "ldap error during password check: " + e.getMessage());
      }
      log(PwmLogLevel.DEBUG, errorInformation.toDebugStr());
      throw new PwmOperationalException(errorInformation);
    } finally {
      if (!bindSucceeded && userProvider != null) {
        try {
          userProvider.close();
          userProvider = null;
        } catch (Throwable e) {
          log(
              PwmLogLevel.ERROR,
              "unexpected error closing invalid ldap connection after failed login attempt: "
                  + e.getMessage());
        }
      }
    }
  }