1 package org
.argeo
.osgi
.useradmin
;
3 import static org
.argeo
.util
.naming
.LdapAttrs
.objectClass
;
5 import java
.util
.ArrayList
;
6 import java
.util
.Dictionary
;
9 import javax
.naming
.AuthenticationNotSupportedException
;
10 import javax
.naming
.Binding
;
11 import javax
.naming
.Context
;
12 import javax
.naming
.InvalidNameException
;
13 import javax
.naming
.NameNotFoundException
;
14 import javax
.naming
.NamingEnumeration
;
15 import javax
.naming
.NamingException
;
16 import javax
.naming
.directory
.Attribute
;
17 import javax
.naming
.directory
.Attributes
;
18 import javax
.naming
.directory
.SearchControls
;
19 import javax
.naming
.directory
.SearchResult
;
20 import javax
.naming
.ldap
.LdapName
;
22 import org
.osgi
.framework
.Filter
;
23 import org
.osgi
.service
.useradmin
.Role
;
24 import org
.osgi
.service
.useradmin
.User
;
26 /** A user admin based on a LDAP server. */
27 public class LdapUserAdmin
extends AbstractUserDirectory
{
28 private LdapConnection ldapConnection
;
30 public LdapUserAdmin(Dictionary
<String
, ?
> properties
) {
31 this(properties
, false);
34 public LdapUserAdmin(Dictionary
<String
, ?
> properties
, boolean scoped
) {
35 super(null, properties
, scoped
);
36 ldapConnection
= new LdapConnection(getUri().toString(), properties
);
39 public void destroy() {
40 ldapConnection
.destroy();
44 protected AbstractUserDirectory
scope(User user
) {
45 Dictionary
<String
, Object
> credentials
= user
.getCredentials();
46 String username
= (String
) credentials
.get(SHARED_STATE_USERNAME
);
48 username
= user
.getName();
49 Dictionary
<String
, Object
> properties
= cloneProperties();
50 properties
.put(Context
.SECURITY_PRINCIPAL
, username
.toString());
51 Object pwdCred
= credentials
.get(SHARED_STATE_PASSWORD
);
52 byte[] pwd
= (byte[]) pwdCred
;
54 char[] password
= DigestUtils
.bytesToChars(pwd
);
55 properties
.put(Context
.SECURITY_CREDENTIALS
, new String(password
));
57 properties
.put(Context
.SECURITY_AUTHENTICATION
, "GSSAPI");
59 return new LdapUserAdmin(properties
, true);
62 // protected InitialLdapContext getLdapContext() {
63 // return initialLdapContext;
67 protected Boolean
daoHasRole(LdapName dn
) {
69 return daoGetRole(dn
) != null;
70 } catch (NameNotFoundException e
) {
76 protected DirectoryUser
daoGetRole(LdapName name
) throws NameNotFoundException
{
78 Attributes attrs
= ldapConnection
.getAttributes(name
);
79 if (attrs
.size() == 0)
81 int roleType
= roleType(name
);
83 if (roleType
== Role
.GROUP
)
84 res
= new LdifGroup(this, name
, attrs
);
85 else if (roleType
== Role
.USER
)
86 res
= new LdifUser(this, name
, attrs
);
88 throw new UserDirectoryException("Unsupported LDAP type for " + name
);
90 } catch (NameNotFoundException e
) {
92 } catch (NamingException e
) {
98 protected List
<DirectoryUser
> doGetRoles(Filter f
) {
99 ArrayList
<DirectoryUser
> res
= new ArrayList
<DirectoryUser
>();
101 String searchFilter
= f
!= null ? f
.toString()
102 : "(|(" + objectClass
+ "=" + getUserObjectClass() + ")(" + objectClass
+ "="
103 + getGroupObjectClass() + "))";
104 SearchControls searchControls
= new SearchControls();
105 searchControls
.setSearchScope(SearchControls
.SUBTREE_SCOPE
);
107 LdapName searchBase
= getBaseDn();
108 NamingEnumeration
<SearchResult
> results
= ldapConnection
.search(searchBase
, searchFilter
, searchControls
);
110 results
: while (results
.hasMoreElements()) {
111 SearchResult searchResult
= results
.next();
112 Attributes attrs
= searchResult
.getAttributes();
113 Attribute objectClassAttr
= attrs
.get(objectClass
.name());
114 LdapName dn
= toDn(searchBase
, searchResult
);
116 if (objectClassAttr
.contains(getGroupObjectClass())
117 || objectClassAttr
.contains(getGroupObjectClass().toLowerCase()))
118 role
= new LdifGroup(this, dn
, attrs
);
119 else if (objectClassAttr
.contains(getUserObjectClass())
120 || objectClassAttr
.contains(getUserObjectClass().toLowerCase()))
121 role
= new LdifUser(this, dn
, attrs
);
123 // log.warn("Unsupported LDAP type for " + searchResult.getName());
129 } catch (AuthenticationNotSupportedException e
) {
130 // ignore (typically an unsupported anonymous bind)
131 // TODO better logging
133 } catch (Exception e
) {
135 throw new UserDirectoryException("Cannot get roles for filter " + f
, e
);
139 private LdapName
toDn(LdapName baseDn
, Binding binding
) throws InvalidNameException
{
140 return new LdapName(binding
.isRelative() ? binding
.getName() + "," + baseDn
: binding
.getName());
144 protected List
<LdapName
> getDirectGroups(LdapName dn
) {
145 List
<LdapName
> directGroups
= new ArrayList
<LdapName
>();
147 String searchFilter
= "(&(" + objectClass
+ "=" + getGroupObjectClass() + ")(" + getMemberAttributeId()
150 SearchControls searchControls
= new SearchControls();
151 searchControls
.setSearchScope(SearchControls
.SUBTREE_SCOPE
);
153 LdapName searchBase
= getBaseDn();
154 NamingEnumeration
<SearchResult
> results
= ldapConnection
.search(searchBase
, searchFilter
, searchControls
);
156 while (results
.hasMoreElements()) {
157 SearchResult searchResult
= (SearchResult
) results
.nextElement();
158 directGroups
.add(toDn(searchBase
, searchResult
));
161 } catch (Exception e
) {
162 throw new UserDirectoryException("Cannot populate direct members of " + dn
, e
);
167 protected void prepare(UserDirectoryWorkingCopy wc
) {
169 ldapConnection
.prepareChanges(wc
);
170 } catch (NamingException e
) {
171 throw new UserDirectoryException("Cannot prepare LDAP", e
);
176 protected void commit(UserDirectoryWorkingCopy wc
) {
178 ldapConnection
.commitChanges(wc
);
179 } catch (NamingException e
) {
180 throw new UserDirectoryException("Cannot commit LDAP", e
);
185 protected void rollback(UserDirectoryWorkingCopy wc
) {
186 // prepare not impacting