org.apache.cloudstack.ldap.ADLdapUserManagerImpl.java Source code

Java tutorial

Introduction

Here is the source code for org.apache.cloudstack.ldap.ADLdapUserManagerImpl.java

Source

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.cloudstack.ldap;

import java.util.ArrayList;
import java.util.List;

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;

public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements LdapUserManager {
    public static final Logger s_logger = Logger.getLogger(ADLdapUserManagerImpl.class.getName());
    private static final String MICROSOFT_AD_NESTED_MEMBERS_FILTER = "memberOf:1.2.840.113556.1.4.1941:";
    private static final String MICROSOFT_AD_MEMBERS_FILTER = "memberOf";

    @Override
    public List<LdapUser> getUsersInGroup(String groupName, LdapContext context) throws NamingException {
        if (StringUtils.isBlank(groupName)) {
            throw new IllegalArgumentException("ldap group name cannot be blank");
        }

        String basedn = _ldapConfiguration.getBaseDn();
        if (StringUtils.isBlank(basedn)) {
            throw new IllegalArgumentException("ldap basedn is not configured");
        }

        final SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(_ldapConfiguration.getScope());
        searchControls.setReturningAttributes(_ldapConfiguration.getReturnAttributes());

        NamingEnumeration<SearchResult> results = context.search(basedn, generateADGroupSearchFilter(groupName),
                searchControls);
        final List<LdapUser> users = new ArrayList<LdapUser>();
        while (results.hasMoreElements()) {
            final SearchResult result = results.nextElement();
            users.add(createUser(result));
        }
        return users;
    }

    private String generateADGroupSearchFilter(String groupName) {
        final StringBuilder userObjectFilter = new StringBuilder();
        userObjectFilter.append("(objectClass=");
        userObjectFilter.append(_ldapConfiguration.getUserObject());
        userObjectFilter.append(")");

        final StringBuilder memberOfFilter = new StringBuilder();
        String groupCnName = _ldapConfiguration.getCommonNameAttribute() + "=" + groupName + ","
                + _ldapConfiguration.getBaseDn();
        memberOfFilter.append("(").append(getMemberOfAttribute()).append("=");
        memberOfFilter.append(groupCnName);
        memberOfFilter.append(")");

        final StringBuilder result = new StringBuilder();
        result.append("(&");
        result.append(userObjectFilter);
        result.append(memberOfFilter);
        result.append(")");

        s_logger.debug("group search filter = " + result);
        return result.toString();
    }

    protected boolean isUserDisabled(SearchResult result) throws NamingException {
        boolean isDisabledUser = false;
        String userAccountControl = LdapUtils.getAttributeValue(result.getAttributes(),
                _ldapConfiguration.getUserAccountControlAttribute());
        if (userAccountControl != null) {
            int control = Integer.parseInt(userAccountControl);
            // second bit represents disabled user flag in AD
            if ((control & 2) > 0) {
                isDisabledUser = true;
            }
        }
        return isDisabledUser;
    }

    protected String getMemberOfAttribute() {
        if (_ldapConfiguration.isNestedGroupsEnabled()) {
            return MICROSOFT_AD_NESTED_MEMBERS_FILTER;
        } else {
            return MICROSOFT_AD_MEMBERS_FILTER;
        }
    }
}