/** {@inheritDoc} */
@Override
public boolean isConfigurationAcceptable(
ConnectionHandlerCfg configuration, List<LocalizableMessage> unacceptableReasons) {
LDAPConnectionHandlerCfg config = (LDAPConnectionHandlerCfg) configuration;
if (currentConfig == null || (!currentConfig.isEnabled() && config.isEnabled())) {
// Attempt to bind to the listen port on all configured addresses to
// verify whether the connection handler will be able to start.
LocalizableMessage errorMessage =
checkAnyListenAddressInUse(
config.getListenAddress(),
config.getListenPort(),
config.isAllowTCPReuseAddress(),
config.dn());
if (errorMessage != null) {
unacceptableReasons.add(errorMessage);
return false;
}
}
if (config.isEnabled()
// Check that the SSL configuration is valid.
&& (config.isUseSSL() || config.isAllowStartTLS())) {
try {
createSSLEngine(config, createSSLContext(config));
} catch (DirectoryException e) {
logger.traceException(e);
unacceptableReasons.add(e.getMessageObject());
return false;
}
}
return true;
}
/** {@inheritDoc} */
@Override
public ConfigChangeResult applyConfigurationChange(LDAPConnectionHandlerCfg config) {
final ConfigChangeResult ccr = new ConfigChangeResult();
// Note that the following properties cannot be modified:
//
// * listen port and addresses
// * use ssl
// * ssl policy
// * ssl cert nickname
// * accept backlog
// * tcp reuse address
// * num request handler
// Clear the stat tracker if LDAPv2 is being enabled.
if (currentConfig.isAllowLDAPV2() != config.isAllowLDAPV2() && config.isAllowLDAPV2()) {
statTracker.clearStatistics();
}
// Apply the changes.
currentConfig = config;
enabled = config.isEnabled();
allowedClients = config.getAllowedClient();
deniedClients = config.getDeniedClient();
// Reconfigure SSL if needed.
try {
configureSSL(config);
} catch (DirectoryException e) {
logger.traceException(e);
ccr.setResultCode(e.getResultCode());
ccr.addMessage(e.getMessageObject());
return ccr;
}
if (config.isAllowLDAPV2()) {
DirectoryServer.registerSupportedLDAPVersion(2, this);
} else {
DirectoryServer.deregisterSupportedLDAPVersion(2, this);
}
return ccr;
}
/**
* Performs the checks and processing necessary for the current bind operation (simple or SASL).
*/
private void processBind() {
// Check to see if the client has permission to perform the
// bind.
// FIXME: for now assume that this will check all permission
// pertinent to the operation. This includes any controls
// specified.
try {
if (!AccessControlConfigManager.getInstance().getAccessControlHandler().isAllowed(this)) {
setResultCode(ResultCode.INVALID_CREDENTIALS);
setAuthFailureReason(ERR_BIND_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get());
return;
}
} catch (DirectoryException e) {
setResultCode(e.getResultCode());
setAuthFailureReason(e.getMessageObject());
return;
}
// Check to see if there are any controls in the request. If so, then see
// if there is any special processing required.
try {
handleRequestControls();
} catch (DirectoryException de) {
logger.traceException(de);
setResponseData(de);
return;
}
// Check to see if this is a simple bind or a SASL bind and process
// accordingly.
try {
switch (getAuthenticationType()) {
case SIMPLE:
processSimpleBind();
break;
case SASL:
processSASLBind();
break;
default:
// Send a protocol error response to the client and disconnect.
// We should never come here.
setResultCode(ResultCode.PROTOCOL_ERROR);
}
} catch (DirectoryException de) {
logger.traceException(de);
if (de.getResultCode() == ResultCode.INVALID_CREDENTIALS) {
setResultCode(ResultCode.INVALID_CREDENTIALS);
setAuthFailureReason(de.getMessageObject());
} else {
setResponseData(de);
}
}
}
/**
* Handles any controls contained in the request.
*
* @throws DirectoryException If there is a problem with any of the request controls.
*/
private void handleRequestControls() throws DirectoryException {
LocalBackendWorkflowElement.removeAllDisallowedControls(baseDN, this);
List<Control> requestControls = getRequestControls();
if (requestControls != null && !requestControls.isEmpty()) {
for (Control c : requestControls) {
String oid = c.getOID();
if (OID_LDAP_ASSERTION.equals(oid)) {
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
SearchFilter assertionFilter;
try {
assertionFilter = assertControl.getSearchFilter();
} catch (DirectoryException de) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
throw new DirectoryException(
de.getResultCode(),
ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(de.getMessageObject()),
de);
}
Entry entry;
try {
entry = DirectoryServer.getEntry(baseDN);
} catch (DirectoryException de) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
throw new DirectoryException(
de.getResultCode(),
ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(de.getMessageObject()));
}
if (entry == null) {
throw new DirectoryException(
ResultCode.NO_SUCH_OBJECT, ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
}
// Check if the current user has permission to make
// this determination.
if (!AccessControlConfigManager.getInstance()
.getAccessControlHandler()
.isAllowed(this, entry, assertionFilter)) {
throw new DirectoryException(
ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
}
try {
if (!assertionFilter.matchesEntry(entry)) {
throw new DirectoryException(
ResultCode.ASSERTION_FAILED, ERR_SEARCH_ASSERTION_FAILED.get());
}
} catch (DirectoryException de) {
if (de.getResultCode() == ResultCode.ASSERTION_FAILED) {
throw de;
}
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
throw new DirectoryException(
de.getResultCode(),
ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(de.getMessageObject()),
de);
}
} else if (OID_PROXIED_AUTH_V1.equals(oid)) {
// Log usage of legacy proxy authz V1 control.
addAdditionalLogItem(
AdditionalLogItem.keyOnly(getClass(), "obsoleteProxiedAuthzV1Control"));
// The requester must have the PROXIED_AUTH privilege in order to be
// able to use this control.
if (!clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this)) {
throw new DirectoryException(
ResultCode.AUTHORIZATION_DENIED, ERR_PROXYAUTH_INSUFFICIENT_PRIVILEGES.get());
}
ProxiedAuthV1Control proxyControl = getRequestControl(ProxiedAuthV1Control.DECODER);
Entry authorizationEntry = proxyControl.getAuthorizationEntry();
setAuthorizationEntry(authorizationEntry);
setProxiedAuthorizationDN(getDN(authorizationEntry));
} else if (OID_PROXIED_AUTH_V2.equals(oid)) {
// The requester must have the PROXIED_AUTH privilege in order to be
// able to use this control.
if (!clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this)) {
throw new DirectoryException(
ResultCode.AUTHORIZATION_DENIED, ERR_PROXYAUTH_INSUFFICIENT_PRIVILEGES.get());
}
ProxiedAuthV2Control proxyControl = getRequestControl(ProxiedAuthV2Control.DECODER);
Entry authorizationEntry = proxyControl.getAuthorizationEntry();
setAuthorizationEntry(authorizationEntry);
setProxiedAuthorizationDN(getDN(authorizationEntry));
} else if (OID_PERSISTENT_SEARCH.equals(oid)) {
final PersistentSearchControl ctrl = getRequestControl(PersistentSearchControl.DECODER);
persistentSearch =
new PersistentSearch(
this, ctrl.getChangeTypes(), ctrl.getChangesOnly(), ctrl.getReturnECs());
} else if (OID_LDAP_SUBENTRIES.equals(oid)) {
SubentriesControl subentriesControl = getRequestControl(SubentriesControl.DECODER);
setReturnSubentriesOnly(subentriesControl.getVisibility());
} else if (OID_LDUP_SUBENTRIES.equals(oid)) {
// Support for legacy draft-ietf-ldup-subentry.
addAdditionalLogItem(AdditionalLogItem.keyOnly(getClass(), "obsoleteSubentryControl"));
setReturnSubentriesOnly(true);
} else if (OID_MATCHED_VALUES.equals(oid)) {
MatchedValuesControl matchedValuesControl =
getRequestControl(MatchedValuesControl.DECODER);
setMatchedValuesControl(matchedValuesControl);
} else if (OID_ACCOUNT_USABLE_CONTROL.equals(oid)) {
setIncludeUsableControl(true);
} else if (OID_REAL_ATTRS_ONLY.equals(oid)) {
setRealAttributesOnly(true);
} else if (OID_VIRTUAL_ATTRS_ONLY.equals(oid)) {
setVirtualAttributesOnly(true);
} else if (OID_GET_EFFECTIVE_RIGHTS.equals(oid)
&& DirectoryServer.isSupportedControl(OID_GET_EFFECTIVE_RIGHTS)) {
// Do nothing here and let AciHandler deal with it.
}
// NYI -- Add support for additional controls.
else if (c.isCritical() && !backendSupportsControl(oid)) {
throw new DirectoryException(
ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
ERR_SEARCH_UNSUPPORTED_CRITICAL_CONTROL.get(oid));
}
}
}
}
private void processSearch(BooleanHolder executePostOpPlugins) throws CanceledOperationException {
// Process the search base and filter to convert them from their raw forms
// as provided by the client to the forms required for the rest of the
// search processing.
baseDN = getBaseDN();
filter = getFilter();
if (baseDN == null || filter == null) {
return;
}
// Check to see if there are any controls in the request. If so, then
// see if there is any special processing required.
try {
handleRequestControls();
} catch (DirectoryException de) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
setResponseData(de);
return;
}
// Check to see if the client has permission to perform the
// search.
// FIXME: for now assume that this will check all permission
// pertinent to the operation. This includes proxy authorization
// and any other controls specified.
try {
if (!AccessControlConfigManager.getInstance().getAccessControlHandler().isAllowed(this)) {
setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
appendErrorMessage(ERR_SEARCH_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(String.valueOf(baseDN)));
return;
}
} catch (DirectoryException e) {
setResultCode(e.getResultCode());
appendErrorMessage(e.getMessageObject());
return;
}
// Check for a request to cancel this operation.
checkIfCanceled(false);
// Invoke the pre-operation search plugins.
executePostOpPlugins.value = true;
PluginResult.PreOperation preOpResult =
DirectoryServer.getPluginConfigManager().invokePreOperationSearchPlugins(this);
if (!preOpResult.continueProcessing()) {
setResultCode(preOpResult.getResultCode());
appendErrorMessage(preOpResult.getErrorMessage());
setMatchedDN(preOpResult.getMatchedDN());
setReferralURLs(preOpResult.getReferralURLs());
return;
}
// Check for a request to cancel this operation.
checkIfCanceled(false);
// Get the backend that should hold the search base. If there is none,
// then fail.
if (backend == null) {
setResultCode(ResultCode.NO_SUCH_OBJECT);
appendErrorMessage(ERR_SEARCH_BASE_DOESNT_EXIST.get(String.valueOf(baseDN)));
return;
}
// We'll set the result code to "success". If a problem occurs, then it
// will be overwritten.
setResultCode(ResultCode.SUCCESS);
try {
// If there's a persistent search, then register it with the server.
boolean processSearchNow = true;
if (persistentSearch != null) {
// If we're only interested in changes, then we do not actually want
// to process the search now.
processSearchNow = !persistentSearch.isChangesOnly();
// The Core server maintains the count of concurrent persistent searches
// so that all the backends (Remote and Local) are aware of it. Verify
// with the core if we have already reached the threshold.
if (!DirectoryServer.allowNewPersistentSearch()) {
setResultCode(ResultCode.ADMIN_LIMIT_EXCEEDED);
appendErrorMessage(ERR_MAX_PSEARCH_LIMIT_EXCEEDED.get());
return;
}
backend.registerPersistentSearch(persistentSearch);
persistentSearch.enable();
}
if (processSearchNow) {
// Process the search in the backend and all its subordinates.
backend.search(this);
}
} catch (DirectoryException de) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.VERBOSE, de);
}
setResponseData(de);
if (persistentSearch != null) {
persistentSearch.cancel();
setSendResponse(true);
}
return;
} catch (CanceledOperationException coe) {
if (persistentSearch != null) {
persistentSearch.cancel();
setSendResponse(true);
}
throw coe;
} catch (Exception e) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, e);
}
setResultCode(DirectoryServer.getServerErrorResultCode());
appendErrorMessage(ERR_SEARCH_BACKEND_EXCEPTION.get(getExceptionMessage(e)));
if (persistentSearch != null) {
persistentSearch.cancel();
setSendResponse(true);
}
}
}
/** Test EntryChangeNotificationControl. */
@Test(dataProvider = "entryChangeNotificationControl")
public void checkEntryChangeNotificationControlTest(
boolean isCritical, long changeNumber, String dnString) throws Exception {
// Test constructor EntryChangeNotificationControl
// (PersistentSearchChangeType changeType,long changeNumber)
PersistentSearchChangeType[] types = PersistentSearchChangeType.values();
EntryChangeNotificationControl ecnc = null;
EntryChangeNotificationControl newEcnc;
ByteStringBuilder bsb = new ByteStringBuilder();
ASN1Writer writer = ASN1.getWriter(bsb);
for (PersistentSearchChangeType type : types) {
ecnc = new EntryChangeNotificationControl(type, changeNumber);
assertNotNull(ecnc);
assertEquals(OID_ENTRY_CHANGE_NOTIFICATION, ecnc.getOID());
assertEquals(changeNumber, ecnc.getChangeNumber());
assertEquals(type, ecnc.getChangeType());
assertNull(ecnc.getPreviousDN());
assertEquals(false, ecnc.isCritical());
checkEntryChangeNotificationControlToString(ecnc);
// also check encode/decode
try {
bsb.clear();
ecnc.write(writer);
LDAPControl control = LDAPReader.readControl(ASN1.getReader(bsb));
newEcnc =
EntryChangeNotificationControl.DECODER.decode(control.isCritical(), control.getValue());
assertNotNull(newEcnc);
assertEquals(ecnc.getOID(), newEcnc.getOID());
assertEquals(ecnc.getChangeNumber(), newEcnc.getChangeNumber());
assertEquals(ecnc.getChangeType(), newEcnc.getChangeType());
assertNull(newEcnc.getPreviousDN());
assertEquals(ecnc.isCritical(), newEcnc.isCritical());
} catch (DirectoryException e) {
fail();
}
}
// Test constructor EntryChangeNotificationControl
// (PersistentSearchChangeType changeType, DN previousDN, long
// changeNumber)
DN dn = DN.valueOf(dnString);
for (PersistentSearchChangeType type : types) {
ecnc = new EntryChangeNotificationControl(type, dn, changeNumber);
assertNotNull(ecnc);
assertEquals(OID_ENTRY_CHANGE_NOTIFICATION, ecnc.getOID());
assertEquals(changeNumber, ecnc.getChangeNumber());
assertEquals(type, ecnc.getChangeType());
assertEquals(dn, ecnc.getPreviousDN());
assertEquals(false, ecnc.isCritical());
checkEntryChangeNotificationControlToString(ecnc);
// also check encode/decode
try {
bsb.clear();
ecnc.write(writer);
LDAPControl control = LDAPReader.readControl(ASN1.getReader(bsb));
newEcnc =
EntryChangeNotificationControl.DECODER.decode(control.isCritical(), control.getValue());
assertNotNull(newEcnc);
assertEquals(ecnc.getOID(), newEcnc.getOID());
assertEquals(ecnc.getChangeNumber(), newEcnc.getChangeNumber());
assertEquals(ecnc.getChangeType(), newEcnc.getChangeType());
assertEquals(ecnc.getPreviousDN(), newEcnc.getPreviousDN());
assertEquals(ecnc.isCritical(), newEcnc.isCritical());
} catch (DirectoryException e) {
assertNotEquals(
type.compareTo(MODIFY_DN),
0,
"couldn't decode a control with previousDN not null and type=modDN");
}
}
// Test constructor EntryChangeNotificationControl(boolean
// isCritical, PersistentSearchChangeType changeType,
// DN previousDN, long changeNumber)
for (PersistentSearchChangeType type : types) {
ecnc = new EntryChangeNotificationControl(isCritical, type, dn, changeNumber);
assertNotNull(ecnc);
assertEquals(OID_ENTRY_CHANGE_NOTIFICATION, ecnc.getOID());
assertEquals(changeNumber, ecnc.getChangeNumber());
assertEquals(type, ecnc.getChangeType());
assertEquals(dn, ecnc.getPreviousDN());
assertEquals(isCritical, ecnc.isCritical());
checkEntryChangeNotificationControlToString(ecnc);
// also check encode/decode
try {
bsb.clear();
ecnc.write(writer);
LDAPControl control = LDAPReader.readControl(ASN1.getReader(bsb));
newEcnc =
EntryChangeNotificationControl.DECODER.decode(control.isCritical(), control.getValue());
assertNotNull(newEcnc);
assertEquals(ecnc.getOID(), newEcnc.getOID());
assertEquals(ecnc.getChangeNumber(), newEcnc.getChangeNumber());
assertEquals(ecnc.getChangeType(), newEcnc.getChangeType());
assertEquals(ecnc.getPreviousDN(), newEcnc.getPreviousDN());
assertEquals(ecnc.isCritical(), newEcnc.isCritical());
} catch (DirectoryException e) {
assertNotEquals(
type.compareTo(PersistentSearchChangeType.MODIFY_DN),
0,
"couldn't decode a control with previousDN not null and type=modDN");
}
}
// Check error on decode
try {
LDAPControl control = new LDAPControl(OID_ENTRY_CHANGE_NOTIFICATION, isCritical);
newEcnc =
EntryChangeNotificationControl.DECODER.decode(control.isCritical(), control.getValue());
fail();
} catch (DirectoryException expected) {
assertEquals(expected.getMessage(), CANNOT_DECODE_CHANGE_NOTIF_CONTROL_NO_VALUE);
}
}
/** Test PersistentSearchControl. */
@Test(dataProvider = "persistentSearchControl")
public void checkPersistentSearchControlTest(
boolean isCritical, boolean changesOnly, boolean returnECs) throws Exception {
// Test constructor
// CheclPersistentSearchControlTest(Set<PersistentSearchChangeType>
// changeTypes, boolean changesOnly, boolean returnECs
for (int i = 1; i <= 15; i++) {
Set<PersistentSearchChangeType> returnTypes = PersistentSearchChangeType.intToTypes(i);
PersistentSearchControl psc =
new PersistentSearchControl(returnTypes, changesOnly, returnECs);
assertNotNull(psc);
assertEquals(changesOnly, psc.getChangesOnly());
assertEquals(returnECs, psc.getReturnECs());
assertEquals(returnTypes.size(), psc.getChangeTypes().size());
assertEquals(OID_PERSISTENT_SEARCH, psc.getOID());
}
// Test constructor
// CString oid, boolean isCritical,
// Set<PersistentSearchChangeType> changeTypes,
// boolean changesOnly, boolean returnECs
for (int i = 1; i <= 15; i++) {
Set<PersistentSearchChangeType> returnTypes = PersistentSearchChangeType.intToTypes(i);
PersistentSearchControl psc =
new PersistentSearchControl(isCritical, returnTypes, changesOnly, returnECs);
assertNotNull(psc);
assertEquals(isCritical, psc.isCritical());
assertEquals(OID_PERSISTENT_SEARCH, psc.getOID());
assertEquals(changesOnly, psc.getChangesOnly());
assertEquals(returnECs, psc.getReturnECs());
assertEquals(returnTypes.size(), psc.getChangeTypes().size());
}
// Test encode/decode
ByteStringBuilder bsb = new ByteStringBuilder();
ASN1Writer writer = ASN1.getWriter(bsb);
for (int i = 1; i <= 15; i++) {
bsb.clear();
Set<PersistentSearchChangeType> returnTypes = PersistentSearchChangeType.intToTypes(i);
PersistentSearchControl psc =
new PersistentSearchControl(isCritical, returnTypes, changesOnly, returnECs);
psc.write(writer);
LDAPControl control = LDAPReader.readControl(ASN1.getReader(bsb));
psc = PersistentSearchControl.DECODER.decode(control.isCritical(), control.getValue());
assertNotNull(psc);
assertEquals(isCritical, psc.isCritical());
assertEquals(OID_PERSISTENT_SEARCH, psc.getOID());
assertEquals(changesOnly, psc.getChangesOnly());
assertEquals(returnECs, psc.getReturnECs());
assertEquals(returnTypes.size(), psc.getChangeTypes().size());
// Check the toString
String changeTypes = PersistentSearchChangeType.changeTypesToString(psc.getChangeTypes());
String toString =
"PersistentSearchControl(changeTypes=\""
+ changeTypes
+ "\",changesOnly="
+ psc.getChangesOnly()
+ ",returnECs="
+ psc.getReturnECs()
+ ")";
assertEquals(psc.toString(), toString);
// check null value for the control
try {
control = new LDAPControl(OID_PERSISTENT_SEARCH, isCritical);
psc = PersistentSearchControl.DECODER.decode(control.isCritical(), control.getValue());
fail();
} catch (DirectoryException expected) {
assertEquals(expected.getMessage(), CANNOT_DECODE_PERSISTENT_SEARCH_CONTROL_NO_VALUE);
}
// check invalid value for the control
try {
control =
new LDAPControl(OID_PERSISTENT_SEARCH, isCritical, ByteString.valueOf("invalid value"));
psc = PersistentSearchControl.DECODER.decode(control.isCritical(), control.getValue());
fail();
} catch (DirectoryException expected) {
assertThat(expected.getMessage())
.contains("Cannot decode the provided persistent search control");
}
}
}
/**
* Performs the processing necessary for a simple bind operation.
*
* @return {@code true} if processing should continue for the operation, or {@code false} if not.
* @throws DirectoryException If a problem occurs that should cause the bind operation to fail.
*/
protected boolean processSimpleBind() throws DirectoryException {
// See if this is an anonymous bind. If so, then determine whether
// to allow it.
ByteString simplePassword = getSimplePassword();
if (simplePassword == null || simplePassword.length() == 0) {
return processAnonymousSimpleBind();
}
// See if the bind DN is actually one of the alternate root DNs
// defined in the server. If so, then replace it with the actual DN
// for that user.
DN actualRootDN = DirectoryServer.getActualRootBindDN(bindDN);
if (actualRootDN != null) {
bindDN = actualRootDN;
}
Entry userEntry;
try {
userEntry = backend.getEntry(bindDN);
} catch (DirectoryException de) {
logger.traceException(de);
userEntry = null;
if (de.getResultCode() == ResultCode.REFERRAL) {
// Re-throw referral exceptions - these should be passed back
// to the client.
throw de;
} else {
// Replace other exceptions in case they expose any sensitive
// information.
throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, de.getMessageObject());
}
}
if (userEntry == null) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_UNKNOWN_USER.get());
} else {
setUserEntryDN(userEntry.getName());
}
// Check to see if the user has a password. If not, then fail.
// FIXME -- We need to have a way to enable/disable debugging.
authPolicyState = AuthenticationPolicyState.forUser(userEntry, false);
if (authPolicyState.isPasswordPolicy()) {
// Account is managed locally.
PasswordPolicyState pwPolicyState = (PasswordPolicyState) authPolicyState;
PasswordPolicy policy = pwPolicyState.getAuthenticationPolicy();
AttributeType pwType = policy.getPasswordAttribute();
List<Attribute> pwAttr = userEntry.getAttribute(pwType);
if (pwAttr == null || pwAttr.isEmpty()) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_NO_PASSWORD.get());
}
// Perform a number of password policy state checks for the
// non-authenticated user.
checkUnverifiedPasswordPolicyState(userEntry, null);
// Invoke pre-operation plugins.
if (!invokePreOpPlugins()) {
return false;
}
// Determine whether the provided password matches any of the stored
// passwords for the user.
if (pwPolicyState.passwordMatches(simplePassword)) {
setResultCode(ResultCode.SUCCESS);
checkVerifiedPasswordPolicyState(userEntry, null);
if (DirectoryServer.lockdownMode()
&& !ClientConnection.hasPrivilege(userEntry, BYPASS_LOCKDOWN)) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
}
setAuthenticationInfo(
new AuthenticationInfo(
userEntry, getBindDN(), DirectoryServer.isRootDN(userEntry.getName())));
// Set resource limits for the authenticated user.
setResourceLimits(userEntry);
// Perform any remaining processing for a successful simple
// authentication.
pwPolicyState.handleDeprecatedStorageSchemes(simplePassword);
pwPolicyState.clearFailureLockout();
if (isFirstWarning) {
pwPolicyState.setWarnedTime();
int numSeconds = pwPolicyState.getSecondsUntilExpiration();
LocalizableMessage m = WARN_BIND_PASSWORD_EXPIRING.get(secondsToTimeString(numSeconds));
pwPolicyState.generateAccountStatusNotification(
AccountStatusNotificationType.PASSWORD_EXPIRING,
userEntry,
m,
AccountStatusNotification.createProperties(
pwPolicyState, false, numSeconds, null, null));
}
if (isGraceLogin) {
pwPolicyState.updateGraceLoginTimes();
}
pwPolicyState.setLastLoginTime();
} else {
setResultCode(ResultCode.INVALID_CREDENTIALS);
setAuthFailureReason(ERR_BIND_OPERATION_WRONG_PASSWORD.get());
if (policy.getLockoutFailureCount() > 0) {
generateAccountStatusNotificationForLockedBindAccount(userEntry, pwPolicyState);
}
}
} else {
// Check to see if the user is administratively disabled or locked.
if (authPolicyState.isDisabled()) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_ACCOUNT_DISABLED.get());
}
// Invoke pre-operation plugins.
if (!invokePreOpPlugins()) {
return false;
}
if (authPolicyState.passwordMatches(simplePassword)) {
setResultCode(ResultCode.SUCCESS);
if (DirectoryServer.lockdownMode()
&& !ClientConnection.hasPrivilege(userEntry, BYPASS_LOCKDOWN)) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
}
setAuthenticationInfo(
new AuthenticationInfo(
userEntry, getBindDN(), DirectoryServer.isRootDN(userEntry.getName())));
// Set resource limits for the authenticated user.
setResourceLimits(userEntry);
} else {
setResultCode(ResultCode.INVALID_CREDENTIALS);
setAuthFailureReason(ERR_BIND_OPERATION_WRONG_PASSWORD.get());
}
}
return true;
}
/** {@inheritDoc} */
@Override
public void initializeConnectionHandler(LDAPConnectionHandlerCfg config)
throws ConfigException, InitializationException {
if (friendlyName == null) {
friendlyName = config.dn().rdn().getAttributeValue(0).toString();
}
// Open the selector.
try {
selector = Selector.open();
} catch (Exception e) {
logger.traceException(e);
LocalizableMessage message =
ERR_LDAP_CONNHANDLER_OPEN_SELECTOR_FAILED.get(
config.dn(), stackTraceToSingleLineString(e));
throw new InitializationException(message, e);
}
// Save this configuration for future reference.
currentConfig = config;
enabled = config.isEnabled();
requestHandlerIndex = 0;
allowedClients = config.getAllowedClient();
deniedClients = config.getDeniedClient();
// Configure SSL if needed.
try {
// This call may disable the connector if wrong SSL settings
configureSSL(config);
} catch (DirectoryException e) {
logger.traceException(e);
throw new InitializationException(e.getMessageObject());
}
// Save properties that cannot be dynamically modified.
allowReuseAddress = config.isAllowTCPReuseAddress();
backlog = config.getAcceptBacklog();
listenAddresses = config.getListenAddress();
listenPort = config.getListenPort();
numRequestHandlers = getNumRequestHandlers(config.getNumRequestHandlers(), friendlyName);
// Construct a unique name for this connection handler, and put
// together the set of listeners.
listeners = new LinkedList<>();
StringBuilder nameBuffer = new StringBuilder();
nameBuffer.append(friendlyName);
for (InetAddress a : listenAddresses) {
listeners.add(new HostPort(a.getHostAddress(), listenPort));
nameBuffer.append(" ");
nameBuffer.append(a.getHostAddress());
}
nameBuffer.append(" port ");
nameBuffer.append(listenPort);
handlerName = nameBuffer.toString();
// Attempt to bind to the listen port on all configured addresses to
// verify whether the connection handler will be able to start.
LocalizableMessage errorMessage =
checkAnyListenAddressInUse(listenAddresses, listenPort, allowReuseAddress, config.dn());
if (errorMessage != null) {
logger.error(errorMessage);
throw new InitializationException(errorMessage);
}
// Create a system property to store the LDAP(S) port the server is
// listening to. This information can be displayed with jinfo.
System.setProperty(protocol + "_port", String.valueOf(listenPort));
// Create and start a connection finalizer thread for this
// connection handler.
connectionFinalizer =
Executors.newSingleThreadScheduledExecutor(
new DirectoryThread.Factory(
"LDAP Connection Finalizer for connection handler " + toString()));
connectionFinalizerActiveJobQueue = new ArrayList<>();
connectionFinalizerPendingJobQueue = new ArrayList<>();
connectionFinalizer.scheduleWithFixedDelay(
new ConnectionFinalizerRunnable(), 100, 100, TimeUnit.MILLISECONDS);
// Create and start the request handlers.
requestHandlers = new LDAPRequestHandler[numRequestHandlers];
for (int i = 0; i < numRequestHandlers; i++) {
requestHandlers[i] = new LDAPRequestHandler(this, i);
}
for (int i = 0; i < numRequestHandlers; i++) {
requestHandlers[i].start();
}
// Register the set of supported LDAP versions.
DirectoryServer.registerSupportedLDAPVersion(3, this);
if (config.isAllowLDAPV2()) {
DirectoryServer.registerSupportedLDAPVersion(2, this);
}
// Create and register monitors.
statTracker = new LDAPStatistics(handlerName + " Statistics");
DirectoryServer.registerMonitorProvider(statTracker);
connMonitor = new ClientConnectionMonitorProvider(this);
DirectoryServer.registerMonitorProvider(connMonitor);
// Register this as a change listener.
config.addLDAPChangeListener(this);
}