/** default constructor reads in the configuration file and parses values */
public AuthenticationService() {
// read in the properties file
try {
// go get the properties for this LDAP connection
Properties configFile = new Properties();
// load the file from the class path (moved there by ant task)
configFile.load(this.getClass().getClassLoader().getResourceAsStream("./ldap.properties"));
// send ouput to console
// enumerateContents(configFile.propertyNames());
this.INITIAL_CONTEXT_FACTORY = configFile.getProperty("INITIAL_CONTEXT_FACTORY");
this.SECURITY_AUTHENTICATION = configFile.getProperty("SECURITY_AUTHENTICATION");
this.PROVIDER_TYPE = configFile.getProperty("PROVIDER_TYPE");
if (this.PROVIDER_TYPE.equals("AD")) {
this.PROVIDER_URL = configFile.getProperty("AD_PROVIDER_URL");
this.AD_DOMAIN = configFile.getProperty("AD_DOMAIN");
this.BASE_DN = configFile.getProperty("AD_BASE_DN");
this.GROUPS_LOC = configFile.getProperty("AD_GROUPS_LOC");
this.USERS_LOC = configFile.getProperty("AD_USERS_LOC");
this.AD_ANON_BIND_UNAME = configFile.getProperty("AD_ANON_BIND_UNAME");
this.AD_ANON_BIND_PWORD = configFile.getProperty("AD_ANON_BIND_PWORD");
this.ATTRIBUTE_NAME_KEYFOB_ID = configFile.getProperty("ATTRIBUTE_NAME_KEYFOB_ID");
this.ATTRIBUTE_NAME_UNAME = configFile.getProperty("ATTRIBUTE_NAME_UNAME");
} else if (this.PROVIDER_TYPE.equals("LDAP")) {
this.PROVIDER_URL = configFile.getProperty("LDAP_PROVIDER_URL");
this.BASE_DN = configFile.getProperty("LDAP_BASE_DN");
this.GROUPS_LOC = configFile.getProperty("LDAP_GROUPS_LOC");
this.USERS_LOC = configFile.getProperty("LDAP_USERS_LOC");
} else {
throw new Exception("Provider type not found.");
}
// get override info
this.LDAP_OVERRIDE = Boolean.parseBoolean(configFile.getProperty("LDAP_OVERRIDE"));
this.LDAP_OVERRIDE_UNAME = configFile.getProperty("LDAP_OVERRIDE_UNAME");
this.LDAP_OVERRIDE_PWORD = configFile.getProperty("LDAP_OVERRIDE_PWORD");
// init the array list
groups = new HashMap<String, String>();
// load the groups into a String array
for (Enumeration e = configFile.propertyNames(); e.hasMoreElements(); ) {
String key = e.nextElement().toString();
if (key.indexOf("GROUP_") == 0) { // ie key in key=value pair matches "GROUP_"
// append the group name to the array list for checking later
groups.put(key, configFile.getProperty(key));
}
}
} catch (FileNotFoundException e) {
// e.printStackTrace();
System.err.println("FileNotFoundException: " + e.getMessage());
errorStack += e.getMessage() + "\n";
} catch (IOException e) {
/** @TODO set defaults, or just give up? */
// e.printStackTrace();
System.err.println("IOException: " + e.getMessage());
errorStack += e.getMessage() + "\n";
} catch (Exception e) {
// e.printStackTrace();
System.err.println("Exception: " + e.getMessage());
errorStack += e.getMessage() + "\n";
}
}
@Override
public ResponseType execute(PasswordRequest passwordRequest) throws ConnectorDataException {
ResponseType respType = new ResponseType();
respType.setStatus(StatusCodeType.SUCCESS);
ConnectorConfiguration config =
getConfiguration(passwordRequest.getTargetID(), ConnectorConfiguration.class);
ManagedSysEntity managedSys = config.getManagedSys();
LdapContext ldapctx = this.connect(managedSys);
try {
ManagedSystemObjectMatch matchObj =
getMatchObject(passwordRequest.getTargetID(), ManagedSystemObjectMatch.USER);
String identity = passwordRequest.getObjectIdentity();
// Check identity on CN format or not
String identityPatternStr =
MessageFormat.format(DN_IDENTITY_MATCH_REGEXP, matchObj.getKeyField());
Pattern pattern = Pattern.compile(identityPatternStr);
Matcher matcher = pattern.matcher(identity);
String objectBaseDN;
if (matcher.matches()) {
identity = matcher.group(1);
String CN = matchObj.getKeyField() + "=" + identity;
objectBaseDN = passwordRequest.getObjectIdentity().substring(CN.length() + 1);
} else {
// if identity is not in DN format try to find OU info in attributes
// MVL 20141211 String OU = getOU(passwordRequest.getExtensibleObject());
String OU = getAttrValue(passwordRequest.getExtensibleObject(), OU_ATTRIBUTE);
if (StringUtils.isNotEmpty(OU)) {
objectBaseDN = OU + "," + matchObj.getBaseDn();
} else {
objectBaseDN = matchObj.getBaseDn();
}
}
NamingEnumeration results = null;
try {
log.debug("Looking for user with identity=" + identity + " in " + objectBaseDN);
results = lookupSearch(managedSys, matchObj, ldapctx, identity, null, objectBaseDN);
} catch (NameNotFoundException nnfe) {
log.debug("results=NULL");
log.debug(" results has more elements=0");
respType.setStatus(StatusCodeType.FAILURE);
return respType;
}
String identityDN = null;
int count = 0;
while (results != null && results.hasMoreElements()) {
SearchResult sr = (SearchResult) results.next();
identityDN = sr.getNameInNamespace();
count++;
}
if (count == 0) {
String err = String.format("User %s was not found in %s", identity, objectBaseDN);
log.error(err);
respType.setStatus(StatusCodeType.FAILURE);
return respType;
} else if (count > 1) {
String err = String.format("More then one user %s was found in %s", identity, objectBaseDN);
log.error(err);
respType.setStatus(StatusCodeType.FAILURE);
return respType;
}
if (StringUtils.isNotEmpty(identityDN)) {
log.debug("New password will be reset for user " + identityDN);
Directory dirSpecificImp =
DirectorySpecificImplFactory.create(config.getManagedSys().getHandler5());
ModificationItem[] mods = dirSpecificImp.resetPassword(passwordRequest);
ldapctx.modifyAttributes(identityDN, mods);
log.debug("New password has been reset for user " + identityDN);
}
} catch (NamingException ne) {
log.error(ne.getMessage(), ne);
log.debug("Returning response object from reset password with Status of Failure...");
ConnectorDataException ex = null;
if (ne instanceof OperationNotSupportedException) {
ex =
new ConnectorDataException(
ErrorCode.OPERATION_NOT_SUPPORTED_EXCEPTION, ne.getMessage());
} else {
ex = new ConnectorDataException(ErrorCode.DIRECTORY_ERROR, ne.getMessage());
}
throw ex;
} catch (Exception ne) {
log.error(ne.getMessage(), ne);
throw new ConnectorDataException(ErrorCode.OTHER_ERROR, ne.getMessage());
} finally {
/* close the connection to the directory */
this.closeContext(ldapctx);
}
return respType;
}
/**
* This method will test if a user has access to the LDAP, if so it will then check the list of
* groups and check for is access
*
* @param String username as named via a uid in the LDAP
* @param String password clear text in LDAP
* @return Hashtable authenticate object
*/
public Hashtable authenticate(String username, String password, String keyfob_id) {
Hashtable authHT = new Hashtable();
if (keyfob_id != null) {
System.out.println("attempted keyfob value: " + keyfob_id);
// we need to bind with our anon bind user
username = this.AD_ANON_BIND_UNAME;
password = this.AD_ANON_BIND_PWORD;
}
// assume they will not pass the test
boolean authenticated = false;
// first check to see if we even need to hit LDAP (not overridden)
if (this.LDAP_OVERRIDE) {
System.out.println("Override Authentication");
// just check against stored username/password, put in all groups
if (username.equals(this.LDAP_OVERRIDE_UNAME) && password.equals(this.LDAP_OVERRIDE_PWORD)) {
authenticated = true;
// just add then to each group
for (String key : groups.keySet()) {
// push the name of the group and access to it boolean
authHT.put(key, true); // method throws NamingException
}
}
} else {
// authenticate agianst creditials server
System.err.println("Trying " + this.PROVIDER_TYPE + " authentication by: " + username);
try {
// build a hash table to pass as a bindable event
// Set up environment for creating initial context
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, this.INITIAL_CONTEXT_FACTORY);
env.put(Context.SECURITY_AUTHENTICATION, this.SECURITY_AUTHENTICATION);
// we take the uid to authenticate, pair it with the username, and append the base location
env.put(Context.PROVIDER_URL, this.PROVIDER_URL);
if (this.PROVIDER_TYPE.equals("AD")) {
env.put(Context.SECURITY_PRINCIPAL, username + "@" + this.AD_DOMAIN);
} else if (this.PROVIDER_TYPE.equals("LDAP")) {
env.put(
Context.SECURITY_PRINCIPAL, "uid=" + username + "," + this.USERS_LOC + this.BASE_DN);
} // we don't need to throw errors here because first try/catch finds it
env.put(Context.SECURITY_CREDENTIALS, password);
// send env assigments to console
// enumerateContents(env.elements());
/** now that we have our hash values lets go authenticate */
// first we want to connect to the LDAP Server and create initial context
// making sure the user name and password are valid
ctx =
new InitialDirContext(
env); // Throws AuthenticationException if not valid username/password
// WE NEVER GO PAST HERE IF AuthenticationException THROWN
System.err.println("connection and creditials valid");
/**
* we just split the two paths of AD and LDAP authentication because the LDAP way worked and
* we are migrating to AD. However we want to be able to easily switch back until the LDAP
* service is discontinued. Theoretically both services should be 'searchable' the same way
* at some point the LDAP code should be removed or universal code written
*/
if (this.PROVIDER_TYPE.equals("AD")) {
/** AD way, get the group list, if they match add */
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
// either search by user name or by keyfob id. either way will return a user if one is
// found
NamingEnumeration results = null;
if (keyfob_id != null) {
// we don't challenge on keyfob. assumed if you have keyfob you are that user
System.out.println("searching for keyfob id: >" + keyfob_id + "<");
results =
ctx.search(
this.USERS_LOC + this.BASE_DN,
"(" + this.ATTRIBUTE_NAME_KEYFOB_ID + "=" + keyfob_id + ")",
constraints);
authHT.put("keyfob_id", keyfob_id); // pass it back as proof positive we found it
} else {
results =
ctx.search(
this.USERS_LOC + this.BASE_DN,
"(" + this.ATTRIBUTE_NAME_UNAME + "=" + username + ")",
constraints);
}
while (results != null && results.hasMore()) {
SearchResult sr = (SearchResult) results.next();
String dn = sr.getName() + ", " + this.USERS_LOC + this.BASE_DN;
Attributes ar = ctx.getAttributes(dn, MY_ATTRS);
if (ar == null) {
// we need the user to have attributes
throw new Exception("Entry " + dn + " has none of the specified attributes\n");
}
for (int i = 0; i < MY_ATTRS.length; i++) {
Attribute attr = ar.get(MY_ATTRS[i]);
if (attr == null) {
continue;
}
System.out.println(MY_ATTRS[i] + ":");
for (Enumeration vals = attr.getAll(); vals.hasMoreElements(); ) {
String temp_next_element = vals.nextElement().toString(); // returns generic Object
System.out.println("\t" + temp_next_element);
// push the attributes to the auth HT
if (!(authHT.containsKey(MY_ATTRS[i]))) {
// push the name of the group and access to it boolean
authHT.put(MY_ATTRS[i], temp_next_element);
}
// see if this element value matches any of my groups
for (String key : groups.keySet()) {
if (temp_next_element
.toLowerCase()
.startsWith("cn=" + groups.get(key).toLowerCase())) {
// push the name of the group and access to it boolean
authHT.put(key, true);
// if user is found in ANY of the predefined groups they are 'authenticated' to
// login.
// RolemManager.as handles ACL
authenticated = true;
}
}
}
}
}
// now for any groups not found, set them to false
for (String key : groups.keySet()) {
if (!(authHT.containsKey(key))) {
// push the name of the group and access to it boolean
authHT.put(key, false);
}
}
// end AD WAY
} else if (this.PROVIDER_TYPE.equals("LDAP")) {
// authenticated only in the sense they are a valid AD user
authenticated = true;
// now that we have verified they are a valid user, lets see what type of access they have
// groups are specified in the config file as "GROUP_<name>" key=value pairs where value
// is the LDAP group name
// and key is what we are looking for in the scheduling app
for (String key : groups.keySet()) {
// push the name of the group and access to it boolean
authHT.put(
key,
new Boolean(
userInGroup(username, groups.get(key)))); // method throws NamingException
}
} else {
throw new Exception("Provider type not found.");
}
// Close the context when we're done
ctx.close();
} catch (AuthenticationException e) {
// binding to LDAP server with provided username/password failed
// e.printStackTrace();
System.err.println(
"AuthenticationException: "
+ e.getMessage()); // outputs -> [LDAP: error code 49 - Invalid Credentials]
errorStack += e.getMessage() + "\n";
} catch (NamingException e) {
// catches invalid DN. Should not be thrown unless changes made to DN
// Could also fail from the context of the called method userInGroup
System.err.println("NamingException: " + e.getMessage());
// e.printStackTrace();
errorStack += e.getMessage() + "\n";
} catch (Exception e) {
e.printStackTrace();
System.err.println("Exception: " + e.getMessage());
errorStack += e.getMessage() + "\n";
} finally { // make sure our connection is closed if relevant
if (ctx != null) {
try {
ctx.close();
} catch (NamingException e) {
throw new RuntimeException(e);
}
}
}
}
// push whether or not it was authenticated
authHT.put("authenticated", new Boolean(authenticated));
// spill contents to catalina.out file
enumerateContents(authHT.keys());
enumerateContents(authHT.elements());
return (authHT);
}
