/**
* Performs the checks and processing necessary for the current bind operation (simple or SASL).
*/
private void processBind() {
// Check to see if the client has permission to perform the
// bind.
// FIXME: for now assume that this will check all permission
// pertinent to the operation. This includes any controls
// specified.
try {
if (!AccessControlConfigManager.getInstance().getAccessControlHandler().isAllowed(this)) {
setResultCode(ResultCode.INVALID_CREDENTIALS);
setAuthFailureReason(ERR_BIND_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get());
return;
}
} catch (DirectoryException e) {
setResultCode(e.getResultCode());
setAuthFailureReason(e.getMessageObject());
return;
}
// Check to see if there are any controls in the request. If so, then see
// if there is any special processing required.
try {
handleRequestControls();
} catch (DirectoryException de) {
logger.traceException(de);
setResponseData(de);
return;
}
// Check to see if this is a simple bind or a SASL bind and process
// accordingly.
try {
switch (getAuthenticationType()) {
case SIMPLE:
processSimpleBind();
break;
case SASL:
processSASLBind();
break;
default:
// Send a protocol error response to the client and disconnect.
// We should never come here.
setResultCode(ResultCode.PROTOCOL_ERROR);
}
} catch (DirectoryException de) {
logger.traceException(de);
if (de.getResultCode() == ResultCode.INVALID_CREDENTIALS) {
setResultCode(ResultCode.INVALID_CREDENTIALS);
setAuthFailureReason(de.getMessageObject());
} else {
setResponseData(de);
}
}
}
/**
* Performs the processing necessary for a simple bind operation.
*
* @return {@code true} if processing should continue for the operation, or {@code false} if not.
* @throws DirectoryException If a problem occurs that should cause the bind operation to fail.
*/
protected boolean processSimpleBind() throws DirectoryException {
// See if this is an anonymous bind. If so, then determine whether
// to allow it.
ByteString simplePassword = getSimplePassword();
if (simplePassword == null || simplePassword.length() == 0) {
return processAnonymousSimpleBind();
}
// See if the bind DN is actually one of the alternate root DNs
// defined in the server. If so, then replace it with the actual DN
// for that user.
DN actualRootDN = DirectoryServer.getActualRootBindDN(bindDN);
if (actualRootDN != null) {
bindDN = actualRootDN;
}
Entry userEntry;
try {
userEntry = backend.getEntry(bindDN);
} catch (DirectoryException de) {
logger.traceException(de);
userEntry = null;
if (de.getResultCode() == ResultCode.REFERRAL) {
// Re-throw referral exceptions - these should be passed back
// to the client.
throw de;
} else {
// Replace other exceptions in case they expose any sensitive
// information.
throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, de.getMessageObject());
}
}
if (userEntry == null) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_UNKNOWN_USER.get());
} else {
setUserEntryDN(userEntry.getName());
}
// Check to see if the user has a password. If not, then fail.
// FIXME -- We need to have a way to enable/disable debugging.
authPolicyState = AuthenticationPolicyState.forUser(userEntry, false);
if (authPolicyState.isPasswordPolicy()) {
// Account is managed locally.
PasswordPolicyState pwPolicyState = (PasswordPolicyState) authPolicyState;
PasswordPolicy policy = pwPolicyState.getAuthenticationPolicy();
AttributeType pwType = policy.getPasswordAttribute();
List<Attribute> pwAttr = userEntry.getAttribute(pwType);
if (pwAttr == null || pwAttr.isEmpty()) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_NO_PASSWORD.get());
}
// Perform a number of password policy state checks for the
// non-authenticated user.
checkUnverifiedPasswordPolicyState(userEntry, null);
// Invoke pre-operation plugins.
if (!invokePreOpPlugins()) {
return false;
}
// Determine whether the provided password matches any of the stored
// passwords for the user.
if (pwPolicyState.passwordMatches(simplePassword)) {
setResultCode(ResultCode.SUCCESS);
checkVerifiedPasswordPolicyState(userEntry, null);
if (DirectoryServer.lockdownMode()
&& !ClientConnection.hasPrivilege(userEntry, BYPASS_LOCKDOWN)) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
}
setAuthenticationInfo(
new AuthenticationInfo(
userEntry, getBindDN(), DirectoryServer.isRootDN(userEntry.getName())));
// Set resource limits for the authenticated user.
setResourceLimits(userEntry);
// Perform any remaining processing for a successful simple
// authentication.
pwPolicyState.handleDeprecatedStorageSchemes(simplePassword);
pwPolicyState.clearFailureLockout();
if (isFirstWarning) {
pwPolicyState.setWarnedTime();
int numSeconds = pwPolicyState.getSecondsUntilExpiration();
LocalizableMessage m = WARN_BIND_PASSWORD_EXPIRING.get(secondsToTimeString(numSeconds));
pwPolicyState.generateAccountStatusNotification(
AccountStatusNotificationType.PASSWORD_EXPIRING,
userEntry,
m,
AccountStatusNotification.createProperties(
pwPolicyState, false, numSeconds, null, null));
}
if (isGraceLogin) {
pwPolicyState.updateGraceLoginTimes();
}
pwPolicyState.setLastLoginTime();
} else {
setResultCode(ResultCode.INVALID_CREDENTIALS);
setAuthFailureReason(ERR_BIND_OPERATION_WRONG_PASSWORD.get());
if (policy.getLockoutFailureCount() > 0) {
generateAccountStatusNotificationForLockedBindAccount(userEntry, pwPolicyState);
}
}
} else {
// Check to see if the user is administratively disabled or locked.
if (authPolicyState.isDisabled()) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_ACCOUNT_DISABLED.get());
}
// Invoke pre-operation plugins.
if (!invokePreOpPlugins()) {
return false;
}
if (authPolicyState.passwordMatches(simplePassword)) {
setResultCode(ResultCode.SUCCESS);
if (DirectoryServer.lockdownMode()
&& !ClientConnection.hasPrivilege(userEntry, BYPASS_LOCKDOWN)) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
}
setAuthenticationInfo(
new AuthenticationInfo(
userEntry, getBindDN(), DirectoryServer.isRootDN(userEntry.getName())));
// Set resource limits for the authenticated user.
setResourceLimits(userEntry);
} else {
setResultCode(ResultCode.INVALID_CREDENTIALS);
setAuthFailureReason(ERR_BIND_OPERATION_WRONG_PASSWORD.get());
}
}
return true;
}