Prototype

public void reconnect(Control[] connCtls) throws NamingException 


From source file:no.feide.moria.directory.backend.JNDIBackend.java

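/**
 * Authenticates the user using the supplied credentials and retrieves the
 * requested attributes.
 * <p>
 * Every configured reference is tried in turn. For an explicitly indexed
 * reference the bind DN is taken from the reference itself; otherwise the
 * user element is located by an LDAP search on
 * <code>usernameAttribute</code> (anonymously, or with the reference's
 * search account), falling back to an RDN guessed from
 * <code>guessedAttribute</code> and the local part of the username. A
 * simple bind is then attempted with the user's password and the first
 * successful bind wins.
 * @param userCredentials
 *            User's credentials. Cannot be <code>null</code>.
 * @param attributeRequest
 *            Requested attributes.
 * @return The requested attributes (<code>String</code> names and
 *         <code>String[]</code> values), if they did exist in the
 *         external backend. Otherwise returns those attributes that could
 *         actually be read, this may be an empty <code>HashMap</code>.
 *         Returns an empty <code>HashMap</code> if
 *         <code>attributeRequest</code> is <code>null</code> or an
 *         empty array.
 * @throws AuthenticationFailedException
 *             If the authentication fails, including when the supplied
 *             password is <code>null</code> or empty. Such a password is
 *             never sent to the backend: a simple bind with a DN and an
 *             empty password is an unauthenticated bind (RFC 4513) that
 *             many directories accept, which would make the bind succeed
 *             for any existing user.
 * @throws BackendException
 *             If there is a problem accessing the backend.
 * @throws IllegalArgumentException
 *             If <code>userCredentials</code> is <code>null</code>.
 */
public final HashMap<String, String[]> authenticate(final Credentials userCredentials,
        final String[] attributeRequest) throws AuthenticationFailedException, BackendException {

    // Sanity check.
    if (userCredentials == null)
        throw new IllegalArgumentException("Credentials cannot be NULL");

    final String username = userCredentials.getUsername();
    // Kept as Object: the credential is only ever handed to addToEnvironment.
    final Object password = userCredentials.getPassword();

    // Never let an empty password reach the bind below; see the class Javadoc
    // for why an empty simple bind is treated as a failure, not a success.
    if ((password == null) || "".equals(password))
        throw new AuthenticationFailedException(
                "Failed to authenticate user " + username + " - empty password");

    // Go through all references.
    for (int i = 0; i < myReferences.length; i++) {
        final String[] references = myReferences[i].getReferences();
        final String[] usernames = myReferences[i].getUsernames();
        final String[] passwords = myReferences[i].getPasswords();
        for (int j = 0; j < references.length; j++) {

            // For the benefit of the finally block below.
            InitialLdapContext ldap = null;

            try {

                // Context for this reference.
                try {
                    ldap = connect(references[j]);
                } catch (NamingException e) {
                    // Connection failed, but we might have other sources.
                    log.logWarn("Unable to access the backend on '" + references[j] + "': "
                            + e.getClass().getName(), mySessionTicket, e);
                    continue;
                }

                // Skip search phase if the reference(s) are explicit.
                String rdn = "";
                if (myReferences[i].isExplicitlyIndexed()) {

                    // Add the explicit reference; no search phase, no RDN.
                    ldap.addToEnvironment(Context.SECURITY_PRINCIPAL,
                            references[j].substring(references[j].lastIndexOf('/') + 1));

                } else {

                    // Anonymous search or not?
                    ldap.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
                    if ((usernames[j].length() == 0) && (passwords[j].length() > 0))
                        log.logWarn(
                                "Search username is empty but search password is not - possible index problem",
                                mySessionTicket);
                    else if ((passwords[j].length() == 0) && (usernames[j].length() > 0))
                        log.logWarn(
                                "Search password is empty but search username is not - possible index problem",
                                mySessionTicket);
                    else if ((passwords[j].length() == 0) && (usernames[j].length() == 0)) {
                        log.logDebug("Anonymous search for user element DN on " + references[j],
                                mySessionTicket);
                        ldap.removeFromEnvironment(Context.SECURITY_AUTHENTICATION);
                    } else
                        log.logDebug("Non-anonymous search for user element DN on " + references[j],
                                mySessionTicket);
                    ldap.addToEnvironment(Context.SECURITY_PRINCIPAL, usernames[j]);
                    ldap.addToEnvironment(Context.SECURITY_CREDENTIALS, passwords[j]);

                    // Search using the implicit reference. The username is a
                    // filter value supplied by the caller, so it is escaped
                    // (RFC 4515) to keep filter metacharacters in it from
                    // widening or altering the search.
                    String pattern = usernameAttribute + '=' + escapeLdapFilterValue(username);
                    rdn = ldapSearch(ldap, pattern);
                    if (rdn == null) {

                        // No user element found. Try to guess the RDN from the
                        // local part of the username; a username without '@'
                        // is used as-is (substring(0, -1) used to throw here).
                        final int at = username.indexOf('@');
                        rdn = guessedAttribute + '=' + ((at < 0) ? username : username.substring(0, at));
                        log.logDebug("No subtree match for " + pattern + " on " + references[j]
                                + " - guessing on RDN " + rdn, mySessionTicket);

                    } else
                        log.logDebug("Matched " + pattern + " to " + rdn + ',' + ldap.getNameInNamespace(),
                                mySessionTicket);
                    ldap.addToEnvironment(Context.SECURITY_PRINCIPAL, rdn + ',' + ldap.getNameInNamespace());
                }

                // Authenticate and get attributes. reconnect() performs the
                // bind with the principal/credentials set above.
                ldap.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
                ldap.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
                try {
                    ldap.reconnect(null);
                    log.logDebug("Successfully authenticated " + username + " on "
                            + references[j], mySessionTicket);
                    return getAttributes(ldap, rdn, attributeRequest); // Success.
                } catch (AuthenticationException e) {

                    // Authentication failed, but we may have other
                    // references.
                    log.logDebug("Failed to authenticate user " + username + " on "
                            + references[j] + " - authentication failed", mySessionTicket);
                    continue;

                } catch (AuthenticationNotSupportedException e) {

                    // Password authentication not supported for the DN.
                    // We may still have other references.
                    log.logDebug("Failed to authenticate user " + username + " on "
                            + references[j] + " - authentication not supported", mySessionTicket);
                    continue;

                }

            } catch (ConfigurationException e) {
                throw new BackendException("Backend configuration problem with " + references[j], e);
            } catch (NamingException e) {
                throw new BackendException("Unable to access the backend on " + references[j], e);
            } finally {

                // Close the LDAP connection.
                if (ldap != null) {
                    try {
                        ldap.close();
                    } catch (NamingException e) {
                        // Ignored.
                        log.logWarn(
                                "Unable to close the backend connection to " + references[j] + " - ignoring",
                                mySessionTicket, e);
                    }
                }
            }

        }
    }

    // No user was found.
    throw new AuthenticationFailedException(
            "Failed to authenticate user " + username + " - no user found");

}

/**
 * Escapes a value for safe inclusion in an LDAP search filter (RFC 4515,
 * section 3): backslash, asterisk, parentheses and NUL are replaced by
 * their <code>\xx</code> hexadecimal form.
 * @param value
 *            Raw attribute value. Cannot be <code>null</code>.
 * @return The escaped value, equal to <code>value</code> if it contains no
 *         special characters.
 */
private static String escapeLdapFilterValue(final String value) {
    final StringBuilder escaped = new StringBuilder(value.length());
    for (int k = 0; k < value.length(); k++) {
        final char c = value.charAt(k);
        switch (c) {
        case '\\':
            escaped.append("\\5c");
            break;
        case '*':
            escaped.append("\\2a");
            break;
        case '(':
            escaped.append("\\28");
            break;
        case ')':
            escaped.append("\\29");
            break;
        case '\0':
            escaped.append("\\00");
            break;
        default:
            escaped.append(c);
        }
    }
    return escaped.toString();
}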

From source file:org.atricore.idbus.idojos.ldapidentitystore.LDAPBindIdentityStore.java

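/**
 * Performs an LDAP simple bind as the user identified by {@code username} and closes the
 * connection immediately. The user's DN is first resolved through the configured lookup
 * account via {@link #selectUserDN(String)}; when password policy support is enabled, the
 * password policy response control returned by the bind is decoded and recorded in
 * {@code bindCtx} even if the bind itself was rejected.
 *
 * @param username the login name to resolve to a DN and bind as
 * @param password the user's password; {@code null} or empty is refused without contacting
 *                 the server, because a simple bind with a DN and an empty password is an
 *                 unauthenticated bind (RFC 4513, 5.1.2) that many servers accept
 * @param bindCtx  receives password policy information when the server returns it
 * @return {@code true} if the bind succeeded; {@code false} if the password was empty, no DN
 *         was found for the user, or the server rejected the credentials
 * @throws SSOAuthenticationException if the bind could not be attempted or failed for any
 *                                    reason other than rejected credentials
 */
public boolean bind(String username, String password, BindContext bindCtx) throws SSOAuthenticationException {

    // Refuse an empty password before touching the directory: otherwise the reconnect below
    // would be an unauthenticated bind and report success for any resolvable user.
    if (password == null || password.length() == 0) {
        if (logger.isDebugEnabled())
            logger.debug("Empty password supplied for user : " + username);
        return false;
    }

    String dn = null;

    try {

        // first try to retrieve the user's DN using the configured lookup account
        dn = selectUserDN(username);
        if (dn == null || "".equals(dn)) {
            if (logger.isDebugEnabled())
                logger.debug("No DN found for user : " + username);
            return false;
        }
        logger.debug("user dn = " + dn);

        // Create context without binding!
        InitialLdapContext ctx = this.createLdapInitialContext(null, null);
        Control[] ldapControls = null;

        try {

            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);

            if (isPasswordPolicySupport()) {
                // Configure request control for password policy:
                ctx.reconnect(new Control[] { new BasicControl(PasswordPolicyResponseControl.CONTROL_OID) });
            } else {
                ctx.reconnect(new Control[] {});
            }

            // Get response controls from reconnect BEFORE dn search, or they're lost
            ldapControls = ctx.getResponseControls();

            // Bind to LDAP and check for authentication warnings/errors reported in the password policy control:
            if (validateBindWithSearch) {
                selectUserDN(ctx, username);

                // Perhaps controls are not sent during reconnect, try to get them now
                if (ldapControls == null || ldapControls.length == 0)
                    ldapControls = ctx.getResponseControls();
            }

            if (logger.isTraceEnabled())
                logger.trace("LDAP Bind with user credentials succeeded");

        } catch (AuthenticationException e) {

            if (logger.isDebugEnabled())
                logger.debug("LDAP Bind Authentication error : " + e.getMessage(), e);

            return false;

        } finally {

            // Runs on the failure path too so that a policy control (e.g. an expired
            // password) accompanying a rejected bind is still surfaced. A NamingException
            // raised here replaces any pending AuthenticationException and is wrapped by
            // the outer catch.
            if (isPasswordPolicySupport()) {

                // If an exception occurred, controls are not retrieved yet
                if (ldapControls == null || ldapControls.length == 0)
                    ldapControls = ctx.getResponseControls();

                // Check password policy LDAP Control
                PasswordPolicyResponseControl ppolicyCtrl = decodePasswordPolicyControl(ldapControls);
                if (ppolicyCtrl != null)
                    addPasswordPolicyToBindCtx(ppolicyCtrl, bindCtx);

            }

            ctx.close();
        }

        return true;

    } catch (Exception e) {
        throw new SSOAuthenticationException(
                "Cannot bind as user : " + username + " [" + dn + "] : " + e.getMessage(), e);
    }

}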

From source file:org.nuxeo.ecm.directory.ldap.LDAPSession.java

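/**
 * Authenticates {@code username} by performing an LDAP simple bind with {@code password}
 * as the DN of the user's entry.
 * <p>
 * A {@code null} or blank password is refused up front: a simple bind with an empty
 * password is an unauthenticated bind that many directories accept, so it can never
 * serve as proof of identity. A fresh {@link InitialLdapContext} is created for the bind
 * and {@link InitialLdapContext#reconnect(javax.naming.ldap.Control[])} is forced so that
 * a pooled connection bound with a stale password cannot be reused.
 *
 * @param username the login name; used to look up the entry and obtain its DN
 * @param password the password to bind with
 * @return {@code true} when the bind succeeds and the context closes cleanly;
 *         {@code false} when the password is blank, no entry matches, the bind is
 *         rejected, or the authentication context cannot be closed
 * @throws DirectoryException if the user's entry cannot be looked up
 */
@Override
public boolean authenticate(String username, String password) throws DirectoryException {

    if (password == null || "".equals(password.trim())) {
        // never use anonymous bind as a way to authenticate a user in
        // Nuxeo EP
        return false;
    }

    // lookup the user: fetch its dn
    SearchResult entry;
    try {
        entry = getLdapEntry(username);
    } catch (NamingException e) {
        throw new DirectoryException("failed to fetch the ldap entry for " + username, e);
    }
    if (entry == null) {
        // no such user => authentication failed
        return false;
    }
    String dn = entry.getNameInNamespace();
    Properties env = (Properties) getDirectory().getContextProperties().clone();
    env.put(Context.SECURITY_PRINCIPAL, dn);
    env.put(Context.SECURITY_CREDENTIALS, password);

    boolean authenticated = false;
    InitialLdapContext authenticationDirContext = null;
    try {
        // creating a context does a bind
        log.debug(String.format("LDAP bind dn='%s'", dn));
        authenticationDirContext = new InitialLdapContext(env, null);
        // force reconnection to prevent from using a previous connection
        // with an obsolete password (after an user has changed his
        // password)
        authenticationDirContext.reconnect(null);
        log.debug("Bind succeeded, authentication ok");
        authenticated = true;
    } catch (NamingException e) {
        log.debug("Bind failed: " + e.getMessage());
        // authentication failed
        authenticated = false;
    } finally {
        try {
            if (authenticationDirContext != null) {
                authenticationDirContext.close();
            }
        } catch (NamingException e) {
            log.error("Error closing authentication context when biding dn " + dn, e);
            // A successful bind whose context cannot be released is still reported as a
            // failure, but without returning from inside finally: that form silently
            // discarded any exception (e.g. a provider RuntimeException) in flight.
            authenticated = false;
        }
    }
    return authenticated;
}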

From source file:org.rhq.enterprise.server.core.jaas.LdapLoginModule.java

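/**
 * Validates the caller's password by binding to LDAP as the user's DN.
 * <p>
 * The user entry is located by a search (performed as the configured {@code BindDN}
 * account when one is set) under each configured {@code BaseDN}; the first match is then
 * used for a simple bind with {@code inputPassword}. {@code expectedPassword} is not
 * consulted, the directory is the authority. The context opened for the search and bind
 * is always closed before returning.
 *
 * @param inputPassword    the password supplied by the user; {@code null} or empty is
 *                         refused without contacting the server, because a simple bind
 *                         with an empty password is an unauthenticated bind that many
 *                         servers accept
 * @param expectedPassword ignored; present to satisfy the superclass contract
 * @return {@code true} only if exactly one login step succeeded: a matching user was found
 *         under some {@code BaseDN} and the bind with {@code inputPassword} was accepted
 * @see org.jboss.security.auth.spi.UsernamePasswordLoginModule#validatePassword(java.lang.String,java.lang.String)
 */
protected boolean validatePassword(String inputPassword, String expectedPassword) {
    // Load our LDAP specific properties
    Properties env = getProperties();

    // Load the BaseDN
    String baseDN = (String) options.get("BaseDN");
    if (baseDN == null) {
        // If the BaseDN is not specified, log an error and refuse the login attempt
        log.info("BaseDN is not set, refusing login");
        return false;
    }

    // Many LDAP servers allow binds with an empty password. We will deny all requests with empty passwords
    if ((inputPassword == null) || inputPassword.equals("")) {
        log.debug("Empty password, refusing login");
        return false;
    }

    // Load the LoginProperty
    String loginProperty = (String) options.get("LoginProperty");
    if (loginProperty == null) {
        // Use the default
        loginProperty = "cn";
    }

    // Load any search filter
    String searchFilter = (String) options.get("Filter");

    // Find the user that is calling us
    String userName = getUsername();
    if (userName == null) {
        log.debug("No user name available, refusing login");
        return false;
    }

    // Load any information we may need to bind
    String bindDN = (String) options.get("BindDN");
    String bindPW = (String) options.get("BindPW");
    if (bindDN != null) {
        env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
        env.setProperty(Context.SECURITY_CREDENTIALS, bindPW);
        env.setProperty(Context.SECURITY_AUTHENTICATION, "simple");
    }

    // The context is closed in the finally block so the connection is released on every
    // exit path (the original returned from inside the loop without closing it).
    InitialLdapContext ctx = null;
    try {
        ctx = new InitialLdapContext(env, null);
        SearchControls searchControls = getSearchControls();

        // The user name comes from the login request, so it is escaped (RFC 4515) before
        // being placed in the filter; otherwise '*', '(' or ')' typed as the login name could
        // widen or alter the search.
        String escapedUserName = escapeFilterValue(userName);

        // Add the search filter if specified.  This only allows for a single search filter.. i.e. foo=bar.
        String filter;
        if ((searchFilter != null) && (searchFilter.length() != 0)) {
            filter = "(&(" + loginProperty + "=" + escapedUserName + ")" + "(" + searchFilter + "))";
        } else {
            filter = "(" + loginProperty + "=" + escapedUserName + ")";
        }

        log.debug("Using LDAP filter=" + filter);

        // Loop through each configured base DN.  It may be useful
        // in the future to allow for a filter to be configured for
        // each BaseDN, but for now the filter will apply to all.
        String[] baseDNs = baseDN.split(BASEDN_DELIMITER);
        for (int x = 0; x < baseDNs.length; x++) {
            NamingEnumeration<SearchResult> answer = ctx.search(baseDNs[x], filter, searchControls);
            try {
                if (!answer.hasMoreElements()) {//BZ:582471- ldap api bug
                    log.debug("User " + userName + " not found for BaseDN " + baseDNs[x]);

                    // Nothing found for this DN, move to the next one if we have one.
                    continue;
                }

                // We use the first match
                SearchResult si = answer.next();

                // Construct the UserDN
                String userDN = si.getName() + "," + baseDNs[x];

                ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN);
                ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, inputPassword);
                ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");

                //if successful then verified that user and pw are valid ldap credentials
                ctx.reconnect(null);

                return true;
            } finally {
                // release the search results whether we matched, continued or failed
                answer.close();
            }
        }

        // If we try all the BaseDN's and have not found a match, return false
        return false;
    } catch (Exception e) {
        // Any failure (search, bind, provider error) is a refused login, never an exception
        // to the login module framework.
        log.info("Failed to validate password: " + e.getMessage());
        return false;
    } finally {
        if (ctx != null) {
            try {
                ctx.close();
            } catch (NamingException e) {
                // the login outcome is already decided; a close failure only costs a connection
                log.debug("Failed to close LDAP context: " + e.getMessage());
            }
        }
    }
}

/**
 * Escapes a value for inclusion in an LDAP search filter (RFC 4515, section 3): backslash,
 * asterisk, parentheses and NUL become their {@code \xx} hexadecimal form.
 *
 * @param value raw attribute value, never {@code null}
 * @return the escaped value; identical to {@code value} when it has no special characters
 */
private static String escapeFilterValue(String value) {
    StringBuilder escaped = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
        case '\\':
            escaped.append("\\5c");
            break;
        case '*':
            escaped.append("\\2a");
            break;
        case '(':
            escaped.append("\\28");
            break;
        case ')':
            escaped.append("\\29");
            break;
        case '\0':
            escaped.append("\\00");
            break;
        default:
            escaped.append(c);
        }
    }
    return escaped.toString();
}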

From source file:org.sonar.plugins.ldap.LdapContextFactory.java

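/**
 * Creates an LDAP context bound as {@code principal} with {@code credentials}.
 * <p>
 * When {@code startTLS} is set the context is first opened without any security
 * properties, so that no bind is sent before the channel is protected; TLS is then
 * negotiated through the StartTLS extended operation and only afterwards is the bind
 * performed by setting the security properties and calling {@code reconnect}. Pooling is
 * not used for such connections because "Stop TLS" is never performed. Otherwise the
 * environment from {@code getEnvironment} is used and the bind happens in the constructor.
 *
 * @param principal   value for {@link Context#SECURITY_PRINCIPAL}
 * @param credentials value for {@link Context#SECURITY_CREDENTIALS}
 * @param pooling     whether connection pooling may be used (ignored when StartTLS is on)
 * @return a bound context; the caller is responsible for closing it
 * @throws NamingException if the context cannot be created, TLS negotiation fails (the
 *                         {@link IOException} is attached as the cause) or the bind fails;
 *                         in the StartTLS case the half-open context is closed before the
 *                         exception propagates
 */
private InitialDirContext createInitialDirContext(String principal, String credentials, boolean pooling)
        throws NamingException {
    if (!startTLS) {
        return new InitialLdapContext(getEnvironment(principal, credentials, pooling), null);
    }

    // Note that pooling is not enabled for such connections, because "Stop TLS" is not performed.
    Properties env = new Properties();
    env.put(Context.INITIAL_CONTEXT_FACTORY, factory);
    env.put(Context.PROVIDER_URL, providerUrl);
    env.put(Context.REFERRAL, DEFAULT_REFERRAL);
    // At this point env should not contain properties SECURITY_AUTHENTICATION, SECURITY_PRINCIPAL and SECURITY_CREDENTIALS to avoid "bind" operation prior to StartTLS:
    InitialLdapContext ctx = new InitialLdapContext(env, null);
    boolean bound = false;
    try {
        // http://docs.oracle.com/javase/jndi/tutorial/ldap/ext/starttls.html
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        try {
            tls.negotiate();
        } catch (IOException e) {
            NamingException ex = new NamingException("StartTLS failed");
            ex.initCause(e);
            throw ex;
        }
        // Explicitly initiate "bind" operation:
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, authentication);
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);
        ctx.reconnect(null);
        bound = true;
        return ctx;
    } finally {
        if (!bound) {
            // StartTLS or the bind failed: release the unauthenticated connection instead of
            // leaking it. The exception already in flight is the one the caller must see, so
            // a failure to close is deliberately not propagated.
            try {
                ctx.close();
            } catch (NamingException ignored) {
                // see comment above
            }
        }
    }
}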