protected int authenticate(
long companyId,
long ldapServerId,
String emailAddress,
String screenName,
long userId,
String password)
throws Exception {
String postfix = LDAPSettingsUtil.getPropertyPostfix(ldapServerId);
LdapContext ldapContext = PortalLDAPUtil.getContext(ldapServerId, companyId);
if (ldapContext == null) {
return FAILURE;
}
try {
String baseDN = PrefsPropsUtil.getString(companyId, PropsKeys.LDAP_BASE_DN + postfix);
// Process LDAP auth search filter
String filter =
LDAPSettingsUtil.getAuthSearchFilter(
ldapServerId, companyId, emailAddress, screenName, String.valueOf(userId));
Properties userMappings = LDAPSettingsUtil.getUserMappings(ldapServerId, companyId);
String userMappingsScreenName =
GetterUtil.getString(userMappings.getProperty("screenName")).toLowerCase();
SearchControls searchControls =
new SearchControls(
SearchControls.SUBTREE_SCOPE,
1,
0,
new String[] {userMappingsScreenName},
false,
false);
NamingEnumeration<SearchResult> enu = ldapContext.search(baseDN, filter, searchControls);
if (enu.hasMoreElements()) {
if (_log.isDebugEnabled()) {
_log.debug("Search filter returned at least one result");
}
SearchResult result = enu.nextElement();
String fullUserDN = PortalLDAPUtil.getNameInNamespace(ldapServerId, companyId, result);
Attributes attributes =
PortalLDAPUtil.getUserAttributes(ldapServerId, companyId, ldapContext, fullUserDN);
LDAPAuthResult ldapAuthResult = null;
if (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {
ldapAuthResult = authenticate(ldapContext, companyId, attributes, fullUserDN, password);
// Process LDAP failure codes
String errorMessage = ldapAuthResult.getErrorMessage();
if (errorMessage != null) {
if (errorMessage.indexOf(
PrefsPropsUtil.getString(companyId, PropsKeys.LDAP_ERROR_USER_LOCKOUT))
!= -1) {
throw new UserLockoutException();
} else if (errorMessage.indexOf(
PrefsPropsUtil.getString(companyId, PropsKeys.LDAP_ERROR_PASSWORD_EXPIRED))
!= -1) {
throw new PasswordExpiredException();
}
}
if (!ldapAuthResult.isAuthenticated() && PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {
return FAILURE;
}
}
// Get user or create from LDAP
User user =
PortalLDAPImporterUtil.importLDAPUser(
ldapServerId, companyId, ldapContext, attributes, password);
// Process LDAP success codes
if (ldapAuthResult != null) {
String resultCode = ldapAuthResult.getResponseControl();
if (resultCode.equals(LDAPAuth.RESULT_PASSWORD_RESET)) {
UserLocalServiceUtil.updatePasswordReset(user.getUserId(), true);
}
}
} else {
if (_log.isDebugEnabled()) {
_log.debug("Search filter did not return any results");
}
return DNE;
}
enu.close();
} catch (Exception e) {
if (e instanceof PasswordExpiredException || e instanceof UserLockoutException) {
throw e;
}
_log.error("Problem accessing LDAP server", e);
return FAILURE;
} finally {
if (ldapContext != null) {
ldapContext.close();
}
}
return SUCCESS;
}
protected int authenticate(
long ldapServerId,
long companyId,
String emailAddress,
String screenName,
long userId,
String password)
throws Exception {
LdapContext ldapContext = _portalLDAP.getContext(ldapServerId, companyId);
if (ldapContext == null) {
return FAILURE;
}
NamingEnumeration<SearchResult> enu = null;
try {
LDAPServerConfiguration ldapServerConfiguration =
_ldapServerConfigurationProvider.getConfiguration(companyId, ldapServerId);
String baseDN = ldapServerConfiguration.baseDN();
// Process LDAP auth search filter
String filter =
_ldapSettings.getAuthSearchFilter(
ldapServerId, companyId, emailAddress, screenName, String.valueOf(userId));
Properties userMappings = _ldapSettings.getUserMappings(ldapServerId, companyId);
String userMappingsScreenName = GetterUtil.getString(userMappings.getProperty("screenName"));
userMappingsScreenName = StringUtil.toLowerCase(userMappingsScreenName);
SearchControls searchControls =
new SearchControls(
SearchControls.SUBTREE_SCOPE,
1,
0,
new String[] {userMappingsScreenName},
false,
false);
enu = ldapContext.search(baseDN, filter, searchControls);
if (enu.hasMoreElements()) {
if (_log.isDebugEnabled()) {
_log.debug("Search filter returned at least one result");
}
SearchResult result = enu.nextElement();
String fullUserDN = _portalLDAP.getNameInNamespace(ldapServerId, companyId, result);
Attributes attributes =
_portalLDAP.getUserAttributes(ldapServerId, companyId, ldapContext, fullUserDN);
// Get user or create from LDAP
User user =
_ldapUserImporter.importUser(
ldapServerId, companyId, ldapContext, attributes, password);
// Authenticate
LDAPAuthResult ldapAuthResult =
authenticate(ldapContext, companyId, attributes, fullUserDN, password);
// Process LDAP failure codes
String errorMessage = ldapAuthResult.getErrorMessage();
if (errorMessage != null) {
SystemLDAPConfiguration systemLDAPConfiguration =
_systemLDAPConfigurationProvider.getConfiguration(companyId);
int pos = errorMessage.indexOf(systemLDAPConfiguration.errorUserLockout());
if (pos != -1) {
throw new UserLockoutException.LDAPLockout(fullUserDN, errorMessage);
}
pos = errorMessage.indexOf(systemLDAPConfiguration.errorPasswordExpired());
if (pos != -1) {
throw new PasswordExpiredException();
}
}
if (!ldapAuthResult.isAuthenticated()) {
return FAILURE;
}
// Process LDAP success codes
String resultCode = ldapAuthResult.getResponseControl();
if (resultCode.equals(LDAPAuth.RESULT_PASSWORD_RESET)) {
_userLocalService.updatePasswordReset(user.getUserId(), true);
}
} else {
if (_log.isDebugEnabled()) {
_log.debug("Search filter did not return any results");
}
return DNE;
}
} catch (Exception e) {
if (e instanceof LDAPFilterException
|| e instanceof PasswordExpiredException
|| e instanceof UserLockoutException) {
throw e;
}
_log.error("Problem accessing LDAP server", e);
return FAILURE;
} finally {
if (enu != null) {
enu.close();
}
if (ldapContext != null) {
ldapContext.close();
}
}
return SUCCESS;
}
protected LDAPAuthResult authenticate(
LdapContext ctx, long companyId, Attributes attributes, String userDN, String password)
throws Exception {
LDAPAuthResult ldapAuthResult = new LDAPAuthResult();
// Check passwords by either doing a comparison between the passwords or
// by binding to the LDAP server. If using LDAP password policies, bind
// auth method must be used in order to get the result control codes.
String authMethod = PrefsPropsUtil.getString(companyId, PropsKeys.LDAP_AUTH_METHOD);
InitialLdapContext innerCtx = null;
if (authMethod.equals(AUTH_METHOD_BIND)) {
try {
Hashtable<String, Object> env = (Hashtable<String, Object>) ctx.getEnvironment();
env.put(Context.SECURITY_PRINCIPAL, userDN);
env.put(Context.SECURITY_CREDENTIALS, password);
env.put(Context.REFERRAL, PrefsPropsUtil.getString(companyId, PropsKeys.LDAP_REFERRAL));
// Do not use pooling because principal changes
env.put("com.sun.jndi.ldap.connect.pool", "false");
innerCtx = new InitialLdapContext(env, null);
// Get LDAP bind results
Control[] responseControls = innerCtx.getResponseControls();
ldapAuthResult.setAuthenticated(true);
ldapAuthResult.setResponseControl(responseControls);
} catch (Exception e) {
if (_log.isDebugEnabled()) {
_log.debug(
"Failed to bind to the LDAP server with userDN "
+ userDN
+ " and password "
+ password);
}
_log.error("Failed to bind to the LDAP server", e);
ldapAuthResult.setAuthenticated(false);
ldapAuthResult.setErrorMessage(e.getMessage());
} finally {
if (innerCtx != null) {
innerCtx.close();
}
}
} else if (authMethod.equals(AUTH_METHOD_PASSWORD_COMPARE)) {
Attribute userPassword = attributes.get("userPassword");
if (userPassword != null) {
String ldapPassword = new String((byte[]) userPassword.get());
String encryptedPassword = password;
String algorithm =
PrefsPropsUtil.getString(companyId, PropsKeys.LDAP_AUTH_PASSWORD_ENCRYPTION_ALGORITHM);
if (Validator.isNotNull(algorithm)) {
encryptedPassword =
"******" + algorithm + "}" + PwdEncryptor.encrypt(algorithm, password, ldapPassword);
}
if (ldapPassword.equals(encryptedPassword)) {
ldapAuthResult.setAuthenticated(true);
} else {
ldapAuthResult.setAuthenticated(false);
if (_log.isWarnEnabled()) {
_log.warn("Passwords do not match for userDN " + userDN);
}
}
}
}
return ldapAuthResult;
}
protected LDAPAuthResult authenticate(
LdapContext ctx, long companyId, Attributes attributes, String userDN, String password)
throws Exception {
LDAPAuthResult ldapAuthResult = null;
// Check passwords by either doing a comparison between the passwords or
// by binding to the LDAP server. If using LDAP password policies, bind
// auth method must be used in order to get the result control codes.
LDAPAuthConfiguration ldapAuthConfiguration =
_ldapAuthConfigurationProvider.getConfiguration(companyId);
String authMethod = ldapAuthConfiguration.method();
SystemLDAPConfiguration systemLDAPConfiguration =
_systemLDAPConfigurationProvider.getConfiguration(companyId);
if (authMethod.equals(AUTH_METHOD_BIND)) {
Hashtable<String, Object> env = (Hashtable<String, Object>) ctx.getEnvironment();
env.put(Context.REFERRAL, systemLDAPConfiguration.referral());
env.put(Context.SECURITY_CREDENTIALS, password);
env.put(Context.SECURITY_PRINCIPAL, userDN);
// Do not use pooling because principal changes
env.put("com.sun.jndi.ldap.connect.pool", "false");
ldapAuthResult = getFailedLDAPAuthResult(env);
if (ldapAuthResult != null) {
return ldapAuthResult;
}
ldapAuthResult = new LDAPAuthResult();
InitialLdapContext initialLdapContext = null;
try {
initialLdapContext = new InitialLdapContext(env, null);
// Get LDAP bind results
Control[] responseControls = initialLdapContext.getResponseControls();
ldapAuthResult.setAuthenticated(true);
ldapAuthResult.setResponseControl(responseControls);
} catch (Exception e) {
if (_log.isDebugEnabled()) {
_log.debug(
"Failed to bind to the LDAP server with userDN "
+ userDN
+ " and password "
+ password,
e);
}
ldapAuthResult.setAuthenticated(false);
ldapAuthResult.setErrorMessage(e.getMessage());
setFailedLDAPAuthResult(env, ldapAuthResult);
} finally {
if (initialLdapContext != null) {
initialLdapContext.close();
}
}
} else if (authMethod.equals(AUTH_METHOD_PASSWORD_COMPARE)) {
ldapAuthResult = new LDAPAuthResult();
Attribute userPassword = attributes.get("userPassword");
if (userPassword != null) {
String ldapPassword = new String((byte[]) userPassword.get());
String encryptedPassword = password;
String algorithm = ldapAuthConfiguration.passwordEncryptionAlgorithm();
if (Validator.isNotNull(algorithm)) {
encryptedPassword = _passwordEncryptor.encrypt(algorithm, password, ldapPassword);
}
if (ldapPassword.equals(encryptedPassword)) {
ldapAuthResult.setAuthenticated(true);
} else {
ldapAuthResult.setAuthenticated(false);
if (_log.isDebugEnabled()) {
_log.debug("Passwords do not match for userDN " + userDN);
}
}
}
}
return ldapAuthResult;
}
