Introduce IPA support.
index f78da0af0d29aed943c3cda8831bb9d97bffef47..456342e04e35f06b432f1f7c91193d28cba85914 100644 (file)
@@ -26,6 +26,8 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.naming.LdapAttrs;
 import org.osgi.framework.Filter;
+import org.osgi.service.useradmin.Role;
+import org.osgi.service.useradmin.User;
 
 /**
  * A user admin based on a LDAP server. Requires a {@link TransactionManager}
@@ -48,7 +50,11 @@ public class LdapUserAdmin extends AbstractUserDirectory {
                        // StartTlsResponse tls = (StartTlsResponse) ctx
                        // .extendedOperation(new StartTlsRequest());
                        // tls.negotiate();
-                       initialLdapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
+                       Object securityAuthentication = properties.get(Context.SECURITY_AUTHENTICATION);
+                       if (securityAuthentication != null)
+                               initialLdapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, securityAuthentication);
+                       else
+                               initialLdapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
                        Object principal = properties.get(Context.SECURITY_PRINCIPAL);
                        if (principal != null) {
                                initialLdapContext.addToEnvironment(Context.SECURITY_PRINCIPAL, principal.toString());
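Review bot: The mechanism read from `properties` on L19 is handed to `addToEnvironment` as a raw `Object`, whereas the principal a few lines further down is normalised with `toString()`; a non-String value coming from an untyped configuration dictionary would then reach the JNDI provider unconverted. Mirror the principal handling: `initialLdapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, securityAuthentication.toString());`. Since the bind mechanism is now configuration-driven, a short comment above the `if` naming the default (`"simple"`) and pointing out that the value is taken verbatim from the directory's properties would help the next reader. The enclosing method starts before the hunk.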
@@ -58,10 +64,6 @@ public class LdapUserAdmin extends AbstractUserDirectory {
 
                                }
                        }
-                       // initialLdapContext.addToEnvironment(Context.SECURITY_PRINCIPAL,
-                       // "uid=admin,ou=system");
-                       // initialLdapContext.addToEnvironment(Context.SECURITY_CREDENTIALS,
-                       // "secret");
                } catch (Exception e) {
                        throw new UserDirectoryException("Cannot connect to LDAP", e);
                }
@@ -76,6 +78,23 @@ public class LdapUserAdmin extends AbstractUserDirectory {
                }
        }
 
+       @SuppressWarnings("unchecked")
+       @Override
+       protected AbstractUserDirectory scope(User user) {
+               Dictionary<String, Object> credentials = user.getCredentials();
+               // FIXME use arrays
+               String username = (String) credentials.get(SHARED_STATE_USERNAME);
+               if (username == null)
+                       username = user.getName();
+               // byte[] pwd = (byte[]) credentials.get(SHARED_STATE_PASSWORD);
+               // char[] password = DigestUtils.bytesToChars(pwd);
+               Dictionary<String, Object> properties = cloneProperties();
+               properties.put(Context.SECURITY_PRINCIPAL, username.toString());
+               // properties.put(Context.SECURITY_CREDENTIALS, password);
+               properties.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
+               return new LdapUserAdmin(properties);
+       }
+
        protected InitialLdapContext getLdapContext() {
                return initialLdapContext;
        }
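Review bot: `scope()` hard-codes `Context.SECURITY_AUTHENTICATION` to `"GSSAPI"` while the credential lines stay commented out, so the returned `LdapUserAdmin` carries a `SECURITY_PRINCIPAL` but no `SECURITY_CREDENTIALS`; with the JNDI LDAP provider's GSSAPI SASL bind the identity presented to the server comes from the JAAS `Subject` of the calling thread rather than from the principal property, so `username` appears to be informational only — a Javadoc sentence stating that callers must already run under an authenticated Kerberos `Subject` would make that contract explicit (confirm against the callers). `username.toString()` on L53 is a no-op on a `String` and hides that `username` can still be null when neither the shared-state entry nor `user.getName()` yields a value; replace it with `Objects.requireNonNull(username, "username")` before the `put`. The `FIXME use arrays` and the commented-out password lines should either become a tracked TODO naming what is missing or be removed.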
@@ -91,15 +110,17 @@ public class LdapUserAdmin extends AbstractUserDirectory {
                        Attributes attrs = getLdapContext().getAttributes(name);
                        if (attrs.size() == 0)
                                return null;
+                       int roleType = roleType(name);
                        LdifUser res;
-                       if (attrs.get(objectClass.name()).contains(getGroupObjectClass()))
+                       if (roleType == Role.GROUP)
                                res = new LdifGroup(this, name, attrs);
-                       else if (attrs.get(objectClass.name()).contains(getUserObjectClass()))
+                       else if (roleType == Role.USER)
                                res = new LdifUser(this, name, attrs);
                        else
                                throw new UserDirectoryException("Unsupported LDAP type for " + name);
                        return res;
                } catch (NamingException e) {
+                       log.error("Cannot get role: "+e.getMessage());
                        return null;
                }
        }
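Review bot: The new `log.error` on L78 records only `e.getMessage()` and drops the `NamingException` itself, so the stack trace and any root cause (connection failure, referral, size limit) are lost exactly where they are needed; pass the exception as the second argument, `log.error("Cannot get role " + name, e);`, assuming `log` is the commons-logging `Log` whose factory is imported above. The method still returns `null` both for "no such entry" and for "lookup failed", which callers cannot tell apart — a comment on the `return null` in the catch block saying the failure is logged but deliberately swallowed would document that. Classification now comes from `roleType(name)` rather than from the entry's `objectClass` values; if that helper derives the type from the DN, an entry located under the user base whose `objectClass` lacks the user class would now be wrapped as `LdifUser` instead of being rejected — confirm that is intended. The enclosing method starts before the hunk.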