/**
* Validate User
*
* @param ldapURL provider url - e.g. ldap://dc.compiere.org
* @param domain domain name = e.g. compiere.org
* @param userName user name - e.g. jjanke
* @param password password
* @return true if validated with ldap
*/
public static boolean validate(String ldapURL, String domain, String userName, String password) {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
// ldap://dc.compiere.org
env.put(Context.PROVIDER_URL, ldapURL);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
// [email protected]
StringBuffer principal = new StringBuffer(userName).append("@").append(domain);
env.put(Context.SECURITY_PRINCIPAL, principal.toString());
env.put(Context.SECURITY_CREDENTIALS, password);
//
try {
// Create the initial context
InitialLdapContext ctx = new InitialLdapContext(env, null);
// DirContext ctx = new InitialDirContext(env);
// Test - Get the attributes
Attributes answer = ctx.getAttributes("");
// Print the answer
if (false) dump(answer);
} catch (AuthenticationException e) {
log.info("Error: " + principal + " - " + e.getLocalizedMessage());
return false;
} catch (Exception e) {
log.log(Level.SEVERE, ldapURL + " - " + principal, e);
return false;
}
log.info("OK: " + principal);
return true;
} // validate
/**
* Returns a list of AD Groups using the service account
*
* @return list of AD Groups
*/
public static List<String> getADGroupsByServiceAccount() {
String username = MessageUtils.getMessage("ldap.service.account.username");
String password = MessageUtils.getMessage("ldap.service.account.password");
List<String> awsAllGroups = null;
logger.debug("Starting.....");
if (username == null || password == null) {
return new ArrayList<String>();
}
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, MessageUtils.getMessage("ldap.service.account.url"));
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, username);
env.put(Context.SECURITY_CREDENTIALS, password);
DirContext ctx = null;
try {
logger.debug("Getting AWS groups using service account");
ctx = new InitialDirContext(env);
logger.debug("After InitialDirContext");
SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String attr[] = {"samaccountname"};
controls.setReturningAttributes(attr);
NamingEnumeration<SearchResult> result =
ctx.search(
MessageUtils.getMessage("ldap.service.account.conf.name"),
MessageUtils.getMessage("ldap.service.account.conf.filter"),
controls);
awsAllGroups = new ArrayList<String>();
SearchResult sr = null;
// Loop through the search results
while (result.hasMoreElements()) {
sr = (SearchResult) result.next();
awsAllGroups.add(sr.getName().substring(3));
}
return awsAllGroups;
} catch (AuthenticationException e) {
logger.error("Service account details are not correct." + e.getMessage());
return null;
} catch (NamingException e) {
logger.error("Unable to connect" + e.getMessage());
return new ArrayList<String>();
} finally {
if (ctx != null) {
try {
ctx.close();
} catch (NamingException e) {
}
}
}
}
private Subject login() throws AuthenticationException {
try {
LoginContext lc =
new LoginContext(
KerberosLdapContextSource.class.getSimpleName(), null, null, this.loginConfig);
lc.login();
return lc.getSubject();
} catch (LoginException e) {
AuthenticationException ae = new AuthenticationException(e.getMessage());
ae.initCause(e);
throw ae;
}
}
// Code to add comments for Jira Issue
public static void RestAddComment(String strComment, String strIssueID) {
try {
String auth = new String(Base64.encode("admin:admin"));
String createCommentData = "{\"body\": \"" + strComment + "\"}\"";
String comment =
invokePostMethod(
auth, BASE_URL + "/rest/api/2/issue/" + strIssueID + "/comment", createCommentData);
System.out.println(comment);
JSONObject issueObj = new JSONObject(comment);
String newKey = issueObj.getString("id");
System.out.println("id:" + newKey);
} catch (AuthenticationException e) {
System.out.println("Username or Password wrong!");
e.printStackTrace();
} catch (ClientHandlerException e) {
System.out.println("Error invoking REST method");
e.printStackTrace();
} catch (JSONException e) {
System.out.println("Invalid JSON output");
e.printStackTrace();
}
}
protected boolean canConnect(VDS vds) {
// execute the connectivity and id uniqueness validation for VDS type hosts
if (!getParameters().isPending()
&& !getParameters().isProvisioned()
&& Config.<Boolean>getValue(ConfigValues.InstallVds)) {
try (final EngineSSHClient sshclient = getSSHClient()) {
sshclient.connect();
sshclient.authenticate();
String hostUUID = getInstalledVdsIdIfExists(sshclient);
if (hostUUID != null && vdsDao.getAllWithUniqueId(hostUUID).size() != 0) {
return failValidation(EngineMessage.ACTION_TYPE_FAILED_VDS_WITH_SAME_UUID_EXIST);
}
return isValidGlusterPeer(sshclient, vds.getClusterId());
} catch (AuthenticationException e) {
log.error(
"Failed to authenticate session with host '{}': {}", vds.getName(), e.getMessage());
log.debug("Exception", e);
return failValidation(EngineMessage.VDS_CANNOT_AUTHENTICATE_TO_SERVER);
} catch (SecurityException e) {
log.error(
"Failed to connect to host '{}', fingerprint '{}': {}",
vds.getName(),
vds.getSshKeyFingerprint(),
e.getMessage());
log.debug("Exception", e);
addValidationMessage(EngineMessage.VDS_SECURITY_CONNECTION_ERROR);
addValidationMessageVariable("ErrorMessage", e.getMessage());
return failValidation(EngineMessage.VDS_CANNOT_AUTHENTICATE_TO_SERVER);
} catch (Exception e) {
log.error("Failed to establish session with host '{}': {}", vds.getName(), e.getMessage());
log.debug("Exception", e);
return failValidation(EngineMessage.VDS_CANNOT_CONNECT_TO_SERVER);
}
}
return true;
}
public User getUser(String uid) throws DataSourceException, ConfigException {
try {
String s =
"(&(objectClass="
+ source.getUsersObjectClassValue()
+ ")("
+ source.getUsersIdKey()
+ "="
+ uid
+ "))";
List<SearchResult> r = this.search(s, SecurityEntityType.USER);
if (!r.isEmpty()) {
return newUser(r.get(0).getAttributes());
} else {
return null;
}
} catch (javax.naming.AuthenticationException e) {
e.printStackTrace();
throw new ConfigException(e, "LDAP connection failed, please check your settings");
} catch (NamingException e) {
throw new DataSourceException(e, "LDAP Exception : " + e.getMessage());
}
}
/** {@inheritDoc} */
public boolean login() throws LoginException {
try {
final NameCallback nameCb = new NameCallback("Enter user: "******"Enter user password: "******"Authentication failed", authEx);
}
throw new LoginException(authEx != null ? authEx.getMessage() : "Authentication failed");
} else {
if (this.setLdapPrincipal) {
final LdapPrincipal lp = new LdapPrincipal(nameCb.getName());
if (attrs != null) {
lp.getLdapAttributes().addAttributes(attrs);
}
this.principals.add(lp);
}
final String loginDn = this.auth.getDn(nameCb.getName());
if (loginDn != null && this.setLdapDnPrincipal) {
final LdapDnPrincipal lp = new LdapDnPrincipal(loginDn);
if (attrs != null) {
lp.getLdapAttributes().addAttributes(attrs);
}
this.principals.add(lp);
}
if (this.setLdapCredential) {
this.credentials.add(new LdapCredential(passCb.getPassword()));
}
this.storeCredentials(nameCb, passCb, loginDn);
}
} catch (NamingException e) {
if (this.logger.isDebugEnabled()) {
this.logger.debug("Error occured attempting authentication", e);
}
this.loginSuccess = false;
throw new LoginException(e != null ? e.getMessage() : "Authentication Error");
} finally {
this.auth.close();
}
return true;
}
/**
* This method will test if a user has access to the LDAP, if so it will then check the list of
* groups and check for is access
*
* @param String username as named via a uid in the LDAP
* @param String password clear text in LDAP
* @return Hashtable authenticate object
*/
public Hashtable authenticate(String username, String password, String keyfob_id) {
Hashtable authHT = new Hashtable();
if (keyfob_id != null) {
System.out.println("attempted keyfob value: " + keyfob_id);
// we need to bind with our anon bind user
username = this.AD_ANON_BIND_UNAME;
password = this.AD_ANON_BIND_PWORD;
}
// assume they will not pass the test
boolean authenticated = false;
// first check to see if we even need to hit LDAP (not overridden)
if (this.LDAP_OVERRIDE) {
System.out.println("Override Authentication");
// just check against stored username/password, put in all groups
if (username.equals(this.LDAP_OVERRIDE_UNAME) && password.equals(this.LDAP_OVERRIDE_PWORD)) {
authenticated = true;
// just add then to each group
for (String key : groups.keySet()) {
// push the name of the group and access to it boolean
authHT.put(key, true); // method throws NamingException
}
}
} else {
// authenticate agianst creditials server
System.err.println("Trying " + this.PROVIDER_TYPE + " authentication by: " + username);
try {
// build a hash table to pass as a bindable event
// Set up environment for creating initial context
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, this.INITIAL_CONTEXT_FACTORY);
env.put(Context.SECURITY_AUTHENTICATION, this.SECURITY_AUTHENTICATION);
// we take the uid to authenticate, pair it with the username, and append the base location
env.put(Context.PROVIDER_URL, this.PROVIDER_URL);
if (this.PROVIDER_TYPE.equals("AD")) {
env.put(Context.SECURITY_PRINCIPAL, username + "@" + this.AD_DOMAIN);
} else if (this.PROVIDER_TYPE.equals("LDAP")) {
env.put(
Context.SECURITY_PRINCIPAL, "uid=" + username + "," + this.USERS_LOC + this.BASE_DN);
} // we don't need to throw errors here because first try/catch finds it
env.put(Context.SECURITY_CREDENTIALS, password);
// send env assigments to console
// enumerateContents(env.elements());
/** now that we have our hash values lets go authenticate */
// first we want to connect to the LDAP Server and create initial context
// making sure the user name and password are valid
ctx =
new InitialDirContext(
env); // Throws AuthenticationException if not valid username/password
// WE NEVER GO PAST HERE IF AuthenticationException THROWN
System.err.println("connection and creditials valid");
/**
* we just split the two paths of AD and LDAP authentication because the LDAP way worked and
* we are migrating to AD. However we want to be able to easily switch back until the LDAP
* service is discontinued. Theoretically both services should be 'searchable' the same way
* at some point the LDAP code should be removed or universal code written
*/
if (this.PROVIDER_TYPE.equals("AD")) {
/** AD way, get the group list, if they match add */
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
// either search by user name or by keyfob id. either way will return a user if one is
// found
NamingEnumeration results = null;
if (keyfob_id != null) {
// we don't challenge on keyfob. assumed if you have keyfob you are that user
System.out.println("searching for keyfob id: >" + keyfob_id + "<");
results =
ctx.search(
this.USERS_LOC + this.BASE_DN,
"(" + this.ATTRIBUTE_NAME_KEYFOB_ID + "=" + keyfob_id + ")",
constraints);
authHT.put("keyfob_id", keyfob_id); // pass it back as proof positive we found it
} else {
results =
ctx.search(
this.USERS_LOC + this.BASE_DN,
"(" + this.ATTRIBUTE_NAME_UNAME + "=" + username + ")",
constraints);
}
while (results != null && results.hasMore()) {
SearchResult sr = (SearchResult) results.next();
String dn = sr.getName() + ", " + this.USERS_LOC + this.BASE_DN;
Attributes ar = ctx.getAttributes(dn, MY_ATTRS);
if (ar == null) {
// we need the user to have attributes
throw new Exception("Entry " + dn + " has none of the specified attributes\n");
}
for (int i = 0; i < MY_ATTRS.length; i++) {
Attribute attr = ar.get(MY_ATTRS[i]);
if (attr == null) {
continue;
}
System.out.println(MY_ATTRS[i] + ":");
for (Enumeration vals = attr.getAll(); vals.hasMoreElements(); ) {
String temp_next_element = vals.nextElement().toString(); // returns generic Object
System.out.println("\t" + temp_next_element);
// push the attributes to the auth HT
if (!(authHT.containsKey(MY_ATTRS[i]))) {
// push the name of the group and access to it boolean
authHT.put(MY_ATTRS[i], temp_next_element);
}
// see if this element value matches any of my groups
for (String key : groups.keySet()) {
if (temp_next_element
.toLowerCase()
.startsWith("cn=" + groups.get(key).toLowerCase())) {
// push the name of the group and access to it boolean
authHT.put(key, true);
// if user is found in ANY of the predefined groups they are 'authenticated' to
// login.
// RolemManager.as handles ACL
authenticated = true;
}
}
}
}
}
// now for any groups not found, set them to false
for (String key : groups.keySet()) {
if (!(authHT.containsKey(key))) {
// push the name of the group and access to it boolean
authHT.put(key, false);
}
}
// end AD WAY
} else if (this.PROVIDER_TYPE.equals("LDAP")) {
// authenticated only in the sense they are a valid AD user
authenticated = true;
// now that we have verified they are a valid user, lets see what type of access they have
// groups are specified in the config file as "GROUP_<name>" key=value pairs where value
// is the LDAP group name
// and key is what we are looking for in the scheduling app
for (String key : groups.keySet()) {
// push the name of the group and access to it boolean
authHT.put(
key,
new Boolean(
userInGroup(username, groups.get(key)))); // method throws NamingException
}
} else {
throw new Exception("Provider type not found.");
}
// Close the context when we're done
ctx.close();
} catch (AuthenticationException e) {
// binding to LDAP server with provided username/password failed
// e.printStackTrace();
System.err.println(
"AuthenticationException: "
+ e.getMessage()); // outputs -> [LDAP: error code 49 - Invalid Credentials]
errorStack += e.getMessage() + "\n";
} catch (NamingException e) {
// catches invalid DN. Should not be thrown unless changes made to DN
// Could also fail from the context of the called method userInGroup
System.err.println("NamingException: " + e.getMessage());
// e.printStackTrace();
errorStack += e.getMessage() + "\n";
} catch (Exception e) {
e.printStackTrace();
System.err.println("Exception: " + e.getMessage());
errorStack += e.getMessage() + "\n";
} finally { // make sure our connection is closed if relevant
if (ctx != null) {
try {
ctx.close();
} catch (NamingException e) {
throw new RuntimeException(e);
}
}
}
}
// push whether or not it was authenticated
authHT.put("authenticated", new Boolean(authenticated));
// spill contents to catalina.out file
enumerateContents(authHT.keys());
enumerateContents(authHT.elements());
return (authHT);
}
