/** * Returns a list of AD Groups using the service account * * @return list of AD Groups */ public static List<String> getADGroupsByServiceAccount() { String username = MessageUtils.getMessage("ldap.service.account.username"); String password = MessageUtils.getMessage("ldap.service.account.password"); List<String> awsAllGroups = null; logger.debug("Starting....."); if (username == null || password == null) { return new ArrayList<String>(); } Hashtable<String, String> env = new Hashtable<String, String>(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, MessageUtils.getMessage("ldap.service.account.url")); env.put(Context.SECURITY_AUTHENTICATION, "simple"); env.put(Context.SECURITY_PRINCIPAL, username); env.put(Context.SECURITY_CREDENTIALS, password); DirContext ctx = null; try { logger.debug("Getting AWS groups using service account"); ctx = new InitialDirContext(env); logger.debug("After InitialDirContext"); SearchControls controls = new SearchControls(); controls.setSearchScope(SearchControls.SUBTREE_SCOPE); String attr[] = {"samaccountname"}; controls.setReturningAttributes(attr); NamingEnumeration<SearchResult> result = ctx.search( MessageUtils.getMessage("ldap.service.account.conf.name"), MessageUtils.getMessage("ldap.service.account.conf.filter"), controls); awsAllGroups = new ArrayList<String>(); SearchResult sr = null; // Loop through the search results while (result.hasMoreElements()) { sr = (SearchResult) result.next(); awsAllGroups.add(sr.getName().substring(3)); } return awsAllGroups; } catch (AuthenticationException e) { logger.error("Service account details are not correct." + e.getMessage()); return null; } catch (NamingException e) { logger.error("Unable to connect" + e.getMessage()); return new ArrayList<String>(); } finally { if (ctx != null) { try { ctx.close(); } catch (NamingException e) { } } } }
protected boolean canConnect(VDS vds) { // execute the connectivity and id uniqueness validation for VDS type hosts if (!getParameters().isPending() && !getParameters().isProvisioned() && Config.<Boolean>getValue(ConfigValues.InstallVds)) { try (final EngineSSHClient sshclient = getSSHClient()) { sshclient.connect(); sshclient.authenticate(); String hostUUID = getInstalledVdsIdIfExists(sshclient); if (hostUUID != null && vdsDao.getAllWithUniqueId(hostUUID).size() != 0) { return failValidation(EngineMessage.ACTION_TYPE_FAILED_VDS_WITH_SAME_UUID_EXIST); } return isValidGlusterPeer(sshclient, vds.getClusterId()); } catch (AuthenticationException e) { log.error( "Failed to authenticate session with host '{}': {}", vds.getName(), e.getMessage()); log.debug("Exception", e); return failValidation(EngineMessage.VDS_CANNOT_AUTHENTICATE_TO_SERVER); } catch (SecurityException e) { log.error( "Failed to connect to host '{}', fingerprint '{}': {}", vds.getName(), vds.getSshKeyFingerprint(), e.getMessage()); log.debug("Exception", e); addValidationMessage(EngineMessage.VDS_SECURITY_CONNECTION_ERROR); addValidationMessageVariable("ErrorMessage", e.getMessage()); return failValidation(EngineMessage.VDS_CANNOT_AUTHENTICATE_TO_SERVER); } catch (Exception e) { log.error("Failed to establish session with host '{}': {}", vds.getName(), e.getMessage()); log.debug("Exception", e); return failValidation(EngineMessage.VDS_CANNOT_CONNECT_TO_SERVER); } } return true; }
/** {@inheritDoc} */ public boolean login() throws LoginException { try { final NameCallback nameCb = new NameCallback("Enter user: "******"Enter user password: "******"Authentication failed", authEx); } throw new LoginException(authEx != null ? authEx.getMessage() : "Authentication failed"); } else { if (this.setLdapPrincipal) { final LdapPrincipal lp = new LdapPrincipal(nameCb.getName()); if (attrs != null) { lp.getLdapAttributes().addAttributes(attrs); } this.principals.add(lp); } final String loginDn = this.auth.getDn(nameCb.getName()); if (loginDn != null && this.setLdapDnPrincipal) { final LdapDnPrincipal lp = new LdapDnPrincipal(loginDn); if (attrs != null) { lp.getLdapAttributes().addAttributes(attrs); } this.principals.add(lp); } if (this.setLdapCredential) { this.credentials.add(new LdapCredential(passCb.getPassword())); } this.storeCredentials(nameCb, passCb, loginDn); } } catch (NamingException e) { if (this.logger.isDebugEnabled()) { this.logger.debug("Error occured attempting authentication", e); } this.loginSuccess = false; throw new LoginException(e != null ? e.getMessage() : "Authentication Error"); } finally { this.auth.close(); } return true; }
/** * This method will test if a user has access to the LDAP, if so it will then check the list of * groups and check for is access * * @param String username as named via a uid in the LDAP * @param String password clear text in LDAP * @return Hashtable authenticate object */ public Hashtable authenticate(String username, String password, String keyfob_id) { Hashtable authHT = new Hashtable(); if (keyfob_id != null) { System.out.println("attempted keyfob value: " + keyfob_id); // we need to bind with our anon bind user username = this.AD_ANON_BIND_UNAME; password = this.AD_ANON_BIND_PWORD; } // assume they will not pass the test boolean authenticated = false; // first check to see if we even need to hit LDAP (not overridden) if (this.LDAP_OVERRIDE) { System.out.println("Override Authentication"); // just check against stored username/password, put in all groups if (username.equals(this.LDAP_OVERRIDE_UNAME) && password.equals(this.LDAP_OVERRIDE_PWORD)) { authenticated = true; // just add then to each group for (String key : groups.keySet()) { // push the name of the group and access to it boolean authHT.put(key, true); // method throws NamingException } } } else { // authenticate agianst creditials server System.err.println("Trying " + this.PROVIDER_TYPE + " authentication by: " + username); try { // build a hash table to pass as a bindable event // Set up environment for creating initial context Hashtable<String, String> env = new Hashtable<String, String>(); env.put(Context.INITIAL_CONTEXT_FACTORY, this.INITIAL_CONTEXT_FACTORY); env.put(Context.SECURITY_AUTHENTICATION, this.SECURITY_AUTHENTICATION); // we take the uid to authenticate, pair it with the username, and append the base location env.put(Context.PROVIDER_URL, this.PROVIDER_URL); if (this.PROVIDER_TYPE.equals("AD")) { env.put(Context.SECURITY_PRINCIPAL, username + "@" + this.AD_DOMAIN); } else if (this.PROVIDER_TYPE.equals("LDAP")) { env.put( Context.SECURITY_PRINCIPAL, "uid=" + username + "," + this.USERS_LOC + this.BASE_DN); } // we don't need to throw errors here because first try/catch finds it env.put(Context.SECURITY_CREDENTIALS, password); // send env assigments to console // enumerateContents(env.elements()); /** now that we have our hash values lets go authenticate */ // first we want to connect to the LDAP Server and create initial context // making sure the user name and password are valid ctx = new InitialDirContext( env); // Throws AuthenticationException if not valid username/password // WE NEVER GO PAST HERE IF AuthenticationException THROWN System.err.println("connection and creditials valid"); /** * we just split the two paths of AD and LDAP authentication because the LDAP way worked and * we are migrating to AD. However we want to be able to easily switch back until the LDAP * service is discontinued. Theoretically both services should be 'searchable' the same way * at some point the LDAP code should be removed or universal code written */ if (this.PROVIDER_TYPE.equals("AD")) { /** AD way, get the group list, if they match add */ SearchControls constraints = new SearchControls(); constraints.setSearchScope(SearchControls.SUBTREE_SCOPE); // either search by user name or by keyfob id. either way will return a user if one is // found NamingEnumeration results = null; if (keyfob_id != null) { // we don't challenge on keyfob. assumed if you have keyfob you are that user System.out.println("searching for keyfob id: >" + keyfob_id + "<"); results = ctx.search( this.USERS_LOC + this.BASE_DN, "(" + this.ATTRIBUTE_NAME_KEYFOB_ID + "=" + keyfob_id + ")", constraints); authHT.put("keyfob_id", keyfob_id); // pass it back as proof positive we found it } else { results = ctx.search( this.USERS_LOC + this.BASE_DN, "(" + this.ATTRIBUTE_NAME_UNAME + "=" + username + ")", constraints); } while (results != null && results.hasMore()) { SearchResult sr = (SearchResult) results.next(); String dn = sr.getName() + ", " + this.USERS_LOC + this.BASE_DN; Attributes ar = ctx.getAttributes(dn, MY_ATTRS); if (ar == null) { // we need the user to have attributes throw new Exception("Entry " + dn + " has none of the specified attributes\n"); } for (int i = 0; i < MY_ATTRS.length; i++) { Attribute attr = ar.get(MY_ATTRS[i]); if (attr == null) { continue; } System.out.println(MY_ATTRS[i] + ":"); for (Enumeration vals = attr.getAll(); vals.hasMoreElements(); ) { String temp_next_element = vals.nextElement().toString(); // returns generic Object System.out.println("\t" + temp_next_element); // push the attributes to the auth HT if (!(authHT.containsKey(MY_ATTRS[i]))) { // push the name of the group and access to it boolean authHT.put(MY_ATTRS[i], temp_next_element); } // see if this element value matches any of my groups for (String key : groups.keySet()) { if (temp_next_element .toLowerCase() .startsWith("cn=" + groups.get(key).toLowerCase())) { // push the name of the group and access to it boolean authHT.put(key, true); // if user is found in ANY of the predefined groups they are 'authenticated' to // login. // RolemManager.as handles ACL authenticated = true; } } } } } // now for any groups not found, set them to false for (String key : groups.keySet()) { if (!(authHT.containsKey(key))) { // push the name of the group and access to it boolean authHT.put(key, false); } } // end AD WAY } else if (this.PROVIDER_TYPE.equals("LDAP")) { // authenticated only in the sense they are a valid AD user authenticated = true; // now that we have verified they are a valid user, lets see what type of access they have // groups are specified in the config file as "GROUP_<name>" key=value pairs where value // is the LDAP group name // and key is what we are looking for in the scheduling app for (String key : groups.keySet()) { // push the name of the group and access to it boolean authHT.put( key, new Boolean( userInGroup(username, groups.get(key)))); // method throws NamingException } } else { throw new Exception("Provider type not found."); } // Close the context when we're done ctx.close(); } catch (AuthenticationException e) { // binding to LDAP server with provided username/password failed // e.printStackTrace(); System.err.println( "AuthenticationException: " + e.getMessage()); // outputs -> [LDAP: error code 49 - Invalid Credentials] errorStack += e.getMessage() + "\n"; } catch (NamingException e) { // catches invalid DN. Should not be thrown unless changes made to DN // Could also fail from the context of the called method userInGroup System.err.println("NamingException: " + e.getMessage()); // e.printStackTrace(); errorStack += e.getMessage() + "\n"; } catch (Exception e) { e.printStackTrace(); System.err.println("Exception: " + e.getMessage()); errorStack += e.getMessage() + "\n"; } finally { // make sure our connection is closed if relevant if (ctx != null) { try { ctx.close(); } catch (NamingException e) { throw new RuntimeException(e); } } } } // push whether or not it was authenticated authHT.put("authenticated", new Boolean(authenticated)); // spill contents to catalina.out file enumerateContents(authHT.keys()); enumerateContents(authHT.elements()); return (authHT); }