1 package org
.argeo
.osgi
.useradmin
;
3 import static org
.argeo
.naming
.LdapAttrs
.objectClass
;
5 import java
.util
.ArrayList
;
6 import java
.util
.Dictionary
;
9 import javax
.naming
.AuthenticationNotSupportedException
;
10 import javax
.naming
.Binding
;
11 import javax
.naming
.Context
;
12 import javax
.naming
.InvalidNameException
;
13 import javax
.naming
.NameNotFoundException
;
14 import javax
.naming
.NamingEnumeration
;
15 import javax
.naming
.NamingException
;
16 import javax
.naming
.directory
.Attribute
;
17 import javax
.naming
.directory
.Attributes
;
18 import javax
.naming
.directory
.SearchControls
;
19 import javax
.naming
.directory
.SearchResult
;
20 import javax
.naming
.ldap
.LdapName
;
21 import javax
.transaction
.TransactionManager
;
23 import org
.osgi
.framework
.Filter
;
24 import org
.osgi
.service
.useradmin
.Role
;
25 import org
.osgi
.service
.useradmin
.User
;
28 * A user admin based on a LDAP server. Requires a {@link TransactionManager}
29 * and an open transaction for write access.
31 public class LdapUserAdmin
extends AbstractUserDirectory
{
32 private LdapConnection ldapConnection
;
34 public LdapUserAdmin(Dictionary
<String
, ?
> properties
) {
35 this(properties
, false);
38 public LdapUserAdmin(Dictionary
<String
, ?
> properties
, boolean scoped
) {
39 super(null, properties
, scoped
);
40 ldapConnection
= new LdapConnection(getUri().toString(), properties
);
43 public void destroy() {
44 ldapConnection
.destroy();
48 protected AbstractUserDirectory
scope(User user
) {
49 Dictionary
<String
, Object
> credentials
= user
.getCredentials();
50 String username
= (String
) credentials
.get(SHARED_STATE_USERNAME
);
52 username
= user
.getName();
53 Dictionary
<String
, Object
> properties
= cloneProperties();
54 properties
.put(Context
.SECURITY_PRINCIPAL
, username
.toString());
55 Object pwdCred
= credentials
.get(SHARED_STATE_PASSWORD
);
56 byte[] pwd
= (byte[]) pwdCred
;
58 char[] password
= DigestUtils
.bytesToChars(pwd
);
59 properties
.put(Context
.SECURITY_CREDENTIALS
, new String(password
));
61 properties
.put(Context
.SECURITY_AUTHENTICATION
, "GSSAPI");
63 return new LdapUserAdmin(properties
, true);
66 // protected InitialLdapContext getLdapContext() {
67 // return initialLdapContext;
71 protected Boolean
daoHasRole(LdapName dn
) {
73 return daoGetRole(dn
) != null;
74 } catch (NameNotFoundException e
) {
80 protected DirectoryUser
daoGetRole(LdapName name
) throws NameNotFoundException
{
82 Attributes attrs
= ldapConnection
.getAttributes(name
);
83 if (attrs
.size() == 0)
85 int roleType
= roleType(name
);
87 if (roleType
== Role
.GROUP
)
88 res
= new LdifGroup(this, name
, attrs
);
89 else if (roleType
== Role
.USER
)
90 res
= new LdifUser(this, name
, attrs
);
92 throw new UserDirectoryException("Unsupported LDAP type for " + name
);
94 } catch (NameNotFoundException e
) {
96 } catch (NamingException e
) {
102 protected List
<DirectoryUser
> doGetRoles(Filter f
) {
103 ArrayList
<DirectoryUser
> res
= new ArrayList
<DirectoryUser
>();
105 String searchFilter
= f
!= null ? f
.toString()
106 : "(|(" + objectClass
+ "=" + getUserObjectClass() + ")(" + objectClass
+ "="
107 + getGroupObjectClass() + "))";
108 SearchControls searchControls
= new SearchControls();
109 searchControls
.setSearchScope(SearchControls
.SUBTREE_SCOPE
);
111 LdapName searchBase
= getBaseDn();
112 NamingEnumeration
<SearchResult
> results
= ldapConnection
.search(searchBase
, searchFilter
, searchControls
);
114 results
: while (results
.hasMoreElements()) {
115 SearchResult searchResult
= results
.next();
116 Attributes attrs
= searchResult
.getAttributes();
117 Attribute objectClassAttr
= attrs
.get(objectClass
.name());
118 LdapName dn
= toDn(searchBase
, searchResult
);
120 if (objectClassAttr
.contains(getGroupObjectClass())
121 || objectClassAttr
.contains(getGroupObjectClass().toLowerCase()))
122 role
= new LdifGroup(this, dn
, attrs
);
123 else if (objectClassAttr
.contains(getUserObjectClass())
124 || objectClassAttr
.contains(getUserObjectClass().toLowerCase()))
125 role
= new LdifUser(this, dn
, attrs
);
127 // log.warn("Unsupported LDAP type for " + searchResult.getName());
133 } catch (AuthenticationNotSupportedException e
) {
134 // ignore (typically an unsupported anonymous bind)
135 // TODO better logging
137 } catch (Exception e
) {
139 throw new UserDirectoryException("Cannot get roles for filter " + f
, e
);
143 private LdapName
toDn(LdapName baseDn
, Binding binding
) throws InvalidNameException
{
144 return new LdapName(binding
.isRelative() ? binding
.getName() + "," + baseDn
: binding
.getName());
148 protected List
<LdapName
> getDirectGroups(LdapName dn
) {
149 List
<LdapName
> directGroups
= new ArrayList
<LdapName
>();
151 String searchFilter
= "(&(" + objectClass
+ "=" + getGroupObjectClass() + ")(" + getMemberAttributeId()
154 SearchControls searchControls
= new SearchControls();
155 searchControls
.setSearchScope(SearchControls
.SUBTREE_SCOPE
);
157 LdapName searchBase
= getBaseDn();
158 NamingEnumeration
<SearchResult
> results
= ldapConnection
.search(searchBase
, searchFilter
, searchControls
);
160 while (results
.hasMoreElements()) {
161 SearchResult searchResult
= (SearchResult
) results
.nextElement();
162 directGroups
.add(toDn(searchBase
, searchResult
));
165 } catch (Exception e
) {
166 throw new UserDirectoryException("Cannot populate direct members of " + dn
, e
);
171 protected void prepare(UserDirectoryWorkingCopy wc
) {
173 ldapConnection
.prepareChanges(wc
);
174 } catch (NamingException e
) {
175 throw new UserDirectoryException("Cannot prepare LDAP", e
);
180 protected void commit(UserDirectoryWorkingCopy wc
) {
182 ldapConnection
.commitChanges(wc
);
183 } catch (NamingException e
) {
184 throw new UserDirectoryException("Cannot commit LDAP", e
);
189 protected void rollback(UserDirectoryWorkingCopy wc
) {
190 // prepare not impacting