예제 #1
 /**
  * Opens an LDAP provider bound as the proxy user of the profile that owns
  * {@code userIdentity}.
  *
  * <p>The proxy DN and password are read from the profile's
  * {@code LDAP_PROXY_USER_DN} and {@code LDAP_PROXY_USER_PASSWORD} settings; the
  * connection itself is delegated to {@link LdapOperationsHelper#createChaiProvider}.
  * The proxy password is handed over as a {@code PasswordData} and is never logged here.
  *
  * @return a provider authenticated with the profile's proxy credentials
  * @throws ChaiUnavailableException if the directory cannot be reached
  * @throws PwmUnrecoverableException if the provider cannot be created
  */
 private ChaiProvider makeProxyProvider()
     throws ChaiUnavailableException, PwmUnrecoverableException {
    // the user's own profile decides which proxy account is used.
    final LdapProfile ldapProfile =
        pwmApplication.getConfig().getLdapProfiles().get(userIdentity.getLdapProfileID());
    final String proxyUserDN = ldapProfile.readSettingAsString(PwmSetting.LDAP_PROXY_USER_DN);
    final PasswordData proxyUserPassword =
        ldapProfile.readSettingAsPassword(PwmSetting.LDAP_PROXY_USER_PASSWORD);
    return LdapOperationsHelper.createChaiProvider(
        sessionLabel,
        ldapProfile,
        pwmApplication.getConfig(),
        proxyUserDN,
        proxyUserPassword);
  }
예제 #2
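  /**
   * Checks {@code password} for {@code userIdentity} by binding to LDAP as that user.
   *
   * <p>A provider is created with the user's DN and password and a single attribute read
   * is issued to force the bind. On success the bound provider is kept in
   * {@code userProvider}. On any failure the half-open provider is closed and
   * {@code userProvider} is cleared, so a provider whose bind was rejected is never left
   * behind for later code to pick up.
   *
   * @param userIdentity the user whose credentials are checked; must carry a non-empty DN
   * @param password the candidate password
   * @throws PwmOperationalException with {@code ERROR_WRONGPASSWORD} when the DN or
   *     password is missing or the bind is rejected, or with the {@link PwmError} mapped
   *     from the LDAP error code when one is known
   * @throws PwmUnrecoverableException with {@code ERROR_INTRUDER_LDAP} when the directory
   *     reports an intruder lockout for the user
   * @throws ChaiUnavailableException if the directory cannot be reached
   */
  private void testCredentials(final UserIdentity userIdentity, final PasswordData password)
      throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    log(PwmLogLevel.TRACE, "beginning testCredentials process");

    // a missing DN is reported as a wrong password so the response does not reveal
    // whether the account exists.
    if (userIdentity == null
        || userIdentity.getUserDN() == null
        || userIdentity.getUserDN().isEmpty()) {
      final String errorMsg = "attempt to authenticate with null userDN";
      log(PwmLogLevel.DEBUG, errorMsg);
      throw new PwmOperationalException(
          new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
    }

    if (password == null) {
      final String errorMsg = "attempt to authenticate with null password";
      log(PwmLogLevel.DEBUG, errorMsg);
      throw new PwmOperationalException(
          new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
    }

    // try authenticating the user using a normal ldap BIND operation.
    log(PwmLogLevel.TRACE, "attempting authentication using ldap BIND");

    boolean bindSucceeded = false;
    try {
      // read a provider using the user's DN and password.
      userProvider =
          LdapOperationsHelper.createChaiProvider(
              sessionLabel,
              userIdentity.getLdapProfile(pwmApplication.getConfig()),
              pwmApplication.getConfig(),
              userIdentity.getUserDN(),
              password);

      // issue a read operation to trigger a bind.
      userProvider.readStringAttribute(
          userIdentity.getUserDN(), ChaiConstant.ATTR_LDAP_OBJECTCLASS);

      bindSucceeded = true;
    } catch (ChaiException e) {
      // an intruder lockout is not a credential problem; surface it as unrecoverable
      // so the caller does not keep retrying against a locked account.
      if (e.getErrorCode() != null && e.getErrorCode() == ChaiError.INTRUDER_LOCKOUT) {
        final String errorMsg =
            "intruder lockout detected for user "
                + userIdentity
                + " marking session as locked out: "
                + e.getMessage();
        final ErrorInformation errorInformation =
            new ErrorInformation(PwmError.ERROR_INTRUDER_LDAP, errorMsg);
        log(PwmLogLevel.WARN, errorInformation.toDebugStr());
        throw new PwmUnrecoverableException(errorInformation);
      }
      // any other LDAP failure collapses to "wrong password" unless the chai error maps
      // to a more specific, known PwmError.
      final PwmError pwmError = PwmError.forChaiError(e.getErrorCode());
      final ErrorInformation errorInformation;
      if (pwmError != null && PwmError.ERROR_UNKNOWN != pwmError) {
        errorInformation = new ErrorInformation(pwmError, e.getMessage());
      } else {
        errorInformation =
            new ErrorInformation(
                PwmError.ERROR_WRONGPASSWORD,
                "ldap error during password check: " + e.getMessage());
      }
      log(PwmLogLevel.DEBUG, errorInformation.toDebugStr());
      throw new PwmOperationalException(errorInformation);
    } finally {
      if (!bindSucceeded && userProvider != null) {
        try {
          userProvider.close();
        } catch (Throwable closeError) {
          log(
              PwmLogLevel.ERROR,
              "unexpected error closing invalid ldap connection after failed login attempt: "
                  + closeError.getMessage());
        } finally {
          // drop the reference even when close() fails; previously a failed close left the
          // field pointing at a provider whose bind had been rejected.
          userProvider = null;
        }
      }
    }
  }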