public ChaiUser getProxiedChaiUser(final UserIdentity userIdentity)
throws PwmUnrecoverableException {
try {
final ChaiProvider proxiedProvider = getProxyChaiProvider(userIdentity.getLdapProfileID());
return ChaiFactory.createChaiUser(userIdentity.getUserDN(), proxiedProvider);
} catch (ChaiUnavailableException e) {
throw PwmUnrecoverableException.fromChaiException(e);
}
}
private PasswordData setTempUserPassword()
throws ChaiUnavailableException, ImpossiblePasswordPolicyException,
PwmUnrecoverableException {
final boolean configAlwaysUseProxy =
pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_USE_PROXY_FOR_FORGOTTEN);
final ChaiProvider chaiProvider =
pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID());
final ChaiUser chaiUser = ChaiFactory.createChaiUser(userIdentity.getUserDN(), chaiProvider);
// try setting a random password on the account to authenticate.
if (!configAlwaysUseProxy && requestedAuthType == AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
log(PwmLogLevel.DEBUG, "attempting to set temporary random password");
PwmPasswordPolicy passwordPolicy =
PasswordUtility.readPasswordPolicyForUser(
pwmApplication, sessionLabel, userIdentity, chaiUser, PwmConstants.DEFAULT_LOCALE);
// create random password for user
RandomPasswordGenerator.RandomGeneratorConfig randomGeneratorConfig =
new RandomPasswordGenerator.RandomGeneratorConfig();
randomGeneratorConfig.setSeedlistPhrases(RandomPasswordGenerator.DEFAULT_SEED_PHRASES);
randomGeneratorConfig.setPasswordPolicy(passwordPolicy);
final PasswordData currentPass =
RandomPasswordGenerator.createRandomPassword(
sessionLabel, randomGeneratorConfig, pwmApplication);
try {
final String oracleDS_PrePasswordAllowChangeTime =
oraclePreTemporaryPwHandler(chaiProvider, chaiUser);
// write the random password for the user.
chaiUser.setPassword(currentPass.getStringValue());
oraclePostTemporaryPwHandler(chaiProvider, chaiUser, oracleDS_PrePasswordAllowChangeTime);
log(
PwmLogLevel.INFO,
"user "
+ userIdentity
+ " password has been set to random value to use for user authentication");
} catch (ChaiOperationException e) {
final String errorStr =
"error setting random password for user " + userIdentity + " " + e.getMessage();
log(PwmLogLevel.ERROR, errorStr);
throw new PwmUnrecoverableException(
new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD, errorStr));
}
return currentPass;
}
return null;
}
private PasswordData learnUserPassword()
throws ChaiUnavailableException, PwmUnrecoverableException {
log(PwmLogLevel.TRACE, "beginning auth processes for user with unknown password");
if (userIdentity == null
|| userIdentity.getUserDN() == null
|| userIdentity.getUserDN().length() < 1) {
throw new NullPointerException("invalid user (null)");
}
final ChaiProvider chaiProvider =
pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID());
final ChaiUser chaiUser = ChaiFactory.createChaiUser(userIdentity.getUserDN(), chaiProvider);
// use chai (nmas) to retrieve user password
if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.EDIRECTORY_READ_USER_PWD)) {
String currentPass = null;
try {
final String readPassword = chaiUser.readPassword();
if (readPassword != null && readPassword.length() > 0) {
currentPass = readPassword;
log(
PwmLogLevel.DEBUG,
"successfully retrieved user's current password from ldap, now conducting standard authentication");
}
} catch (Exception e) {
log(PwmLogLevel.ERROR, "unable to retrieve user password from ldap: " + e.getMessage());
}
// actually do the authentication since we have user pw.
if (currentPass != null && currentPass.length() > 0) {
return new PasswordData(currentPass);
}
} else {
log(PwmLogLevel.TRACE, "skipping attempt to read user password, option disabled");
}
return null;
}
private void testCredentials(final UserIdentity userIdentity, final PasswordData password)
throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
log(PwmLogLevel.TRACE, "beginning testCredentials process");
if (userIdentity == null
|| userIdentity.getUserDN() == null
|| userIdentity.getUserDN().length() < 1) {
final String errorMsg = "attempt to authenticate with null userDN";
log(PwmLogLevel.DEBUG, errorMsg);
throw new PwmOperationalException(
new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
}
if (password == null) {
final String errorMsg = "attempt to authenticate with null password";
log(PwmLogLevel.DEBUG, errorMsg);
throw new PwmOperationalException(
new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
}
// try authenticating the user using a normal ldap BIND operation.
log(PwmLogLevel.TRACE, "attempting authentication using ldap BIND");
boolean bindSucceeded = false;
try {
// read a provider using the user's DN and password.
userProvider =
LdapOperationsHelper.createChaiProvider(
sessionLabel,
userIdentity.getLdapProfile(pwmApplication.getConfig()),
pwmApplication.getConfig(),
userIdentity.getUserDN(),
password);
// issue a read operation to trigger a bind.
userProvider.readStringAttribute(
userIdentity.getUserDN(), ChaiConstant.ATTR_LDAP_OBJECTCLASS);
bindSucceeded = true;
} catch (ChaiException e) {
if (e.getErrorCode() != null && e.getErrorCode() == ChaiError.INTRUDER_LOCKOUT) {
final String errorMsg =
"intruder lockout detected for user "
+ userIdentity
+ " marking session as locked out: "
+ e.getMessage();
final ErrorInformation errorInformation =
new ErrorInformation(PwmError.ERROR_INTRUDER_LDAP, errorMsg);
log(PwmLogLevel.WARN, errorInformation.toDebugStr());
throw new PwmUnrecoverableException(errorInformation);
}
final PwmError pwmError = PwmError.forChaiError(e.getErrorCode());
final ErrorInformation errorInformation;
if (pwmError != null && PwmError.ERROR_UNKNOWN != pwmError) {
errorInformation = new ErrorInformation(pwmError, e.getMessage());
} else {
errorInformation =
new ErrorInformation(
PwmError.ERROR_WRONGPASSWORD,
"ldap error during password check: " + e.getMessage());
}
log(PwmLogLevel.DEBUG, errorInformation.toDebugStr());
throw new PwmOperationalException(errorInformation);
} finally {
if (!bindSucceeded && userProvider != null) {
try {
userProvider.close();
userProvider = null;
} catch (Throwable e) {
log(
PwmLogLevel.ERROR,
"unexpected error closing invalid ldap connection after failed login attempt: "
+ e.getMessage());
}
}
}
}