import java.util.Enumeration;
import java.util.Hashtable;
import java.util.List;
+import java.util.Locale;
import java.util.Optional;
import java.util.StringJoiner;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
+import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.transaction.xa.XAResource;
import org.argeo.util.transaction.WorkingCopyXaResource;
import org.argeo.util.transaction.XAResourceProvider;
+/** A {@link Directory} based either on LDAP or LDIF. */
public abstract class AbstractLdapDirectory implements Directory, XAResourceProvider {
protected static final String SHARED_STATE_USERNAME = "javax.security.auth.login.name";
protected static final String SHARED_STATE_PASSWORD = "javax.security.auth.login.password";
- protected final LdapName baseDn;
- protected final Hashtable<String, Object> properties;
+ private final LdapName baseDn;
+ private final Hashtable<String, Object> configProperties;
private final Rdn userBaseRdn, groupBaseRdn, systemRoleBaseRdn;
private final String userObjectClass, groupObjectClass;
private String memberAttributeId = "member";
private LdapDirectoryDao directoryDao;
public AbstractLdapDirectory(URI uriArg, Dictionary<String, ?> props, boolean scoped) {
- this.properties = new Hashtable<String, Object>();
+ this.configProperties = new Hashtable<String, Object>();
for (Enumeration<String> keys = props.keys(); keys.hasMoreElements();) {
String key = keys.nextElement();
- properties.put(key, props.get(key));
+ configProperties.put(key, props.get(key));
}
- baseDn = toLdapName(DirectoryConf.baseDn.getValue(properties));
+
+ String baseDnStr = DirectoryConf.baseDn.getValue(configProperties);
+ if (baseDnStr == null)
+ throw new IllegalArgumentException("Base DN must be specified: " + configProperties);
+ baseDn = toLdapName(baseDnStr);
this.scoped = scoped;
if (uriArg != null) {
uri = uriArg.toString();
// uri from properties is ignored
} else {
- String uriStr = DirectoryConf.uri.getValue(properties);
+ String uriStr = DirectoryConf.uri.getValue(configProperties);
if (uriStr == null)
uri = null;
else
uri = uriStr;
}
- forcedPassword = DirectoryConf.forcedPassword.getValue(properties);
+ forcedPassword = DirectoryConf.forcedPassword.getValue(configProperties);
- userObjectClass = DirectoryConf.userObjectClass.getValue(properties);
- groupObjectClass = DirectoryConf.groupObjectClass.getValue(properties);
+ userObjectClass = DirectoryConf.userObjectClass.getValue(configProperties);
+ groupObjectClass = DirectoryConf.groupObjectClass.getValue(configProperties);
- String userBase = DirectoryConf.userBase.getValue(properties);
- String groupBase = DirectoryConf.groupBase.getValue(properties);
- String systemRoleBase = DirectoryConf.systemRoleBase.getValue(properties);
+ String userBase = DirectoryConf.userBase.getValue(configProperties);
+ String groupBase = DirectoryConf.groupBase.getValue(configProperties);
+ String systemRoleBase = DirectoryConf.systemRoleBase.getValue(configProperties);
try {
// baseDn = new LdapName(UserAdminConf.baseDn.getValue(properties));
userBaseRdn = new Rdn(userBase);
// groupBaseDn = new LdapName(groupBase + "," + baseDn);
systemRoleBaseRdn = new Rdn(systemRoleBase);
} catch (InvalidNameException e) {
- throw new IllegalArgumentException("Badly formated base DN " + DirectoryConf.baseDn.getValue(properties),
- e);
+ throw new IllegalArgumentException(
+ "Badly formated base DN " + DirectoryConf.baseDn.getValue(configProperties), e);
}
// read only
- String readOnlyStr = DirectoryConf.readOnly.getValue(properties);
+ String readOnlyStr = DirectoryConf.readOnly.getValue(configProperties);
if (readOnlyStr == null) {
readOnly = readOnlyDefault(uri);
- properties.put(DirectoryConf.readOnly.name(), Boolean.toString(readOnly));
+ configProperties.put(DirectoryConf.readOnly.name(), Boolean.toString(readOnly));
} else
readOnly = Boolean.parseBoolean(readOnlyStr);
// disabled
- String disabledStr = DirectoryConf.disabled.getValue(properties);
+ String disabledStr = DirectoryConf.disabled.getValue(configProperties);
if (disabledStr != null)
disabled = Boolean.parseBoolean(disabledStr);
else
disabled = false;
-
- URI u = URI.create(uri);
- if (!getRealm().isEmpty() || DirectoryConf.SCHEME_LDAP.equals(u.getScheme())
- || DirectoryConf.SCHEME_LDAPS.equals(u.getScheme())) {
+ if (!getRealm().isEmpty()) {
+ // IPA multiple LDAP causes URI parsing to fail
+ // TODO manage generic redundant LDAP case
directoryDao = new LdapDao(this);
- } else if (DirectoryConf.SCHEME_FILE.equals(u.getScheme())) {
- directoryDao = new LdifDao(this);
- } else if (DirectoryConf.SCHEME_OS.equals(u.getScheme())) {
- directoryDao = new OsUserDirectory(this);
- // singleUser = true;
} else {
- throw new IllegalArgumentException("Unsupported scheme " + u.getScheme());
+ if (uri != null) {
+ URI u = URI.create(uri);
+ if (DirectoryConf.SCHEME_LDAP.equals(u.getScheme())
+ || DirectoryConf.SCHEME_LDAPS.equals(u.getScheme())) {
+ directoryDao = new LdapDao(this);
+ } else if (DirectoryConf.SCHEME_FILE.equals(u.getScheme())) {
+ directoryDao = new LdifDao(this);
+ } else if (DirectoryConf.SCHEME_OS.equals(u.getScheme())) {
+ directoryDao = new OsUserDirectory(this);
+ // singleUser = true;
+ } else {
+ throw new IllegalArgumentException("Unsupported scheme " + u.getScheme());
+ }
+ } else {
+ // in memory
+ directoryDao = new LdifDao(this);
+ }
}
- xaResource = new WorkingCopyXaResource<>(directoryDao);
+ if (directoryDao != null)
+ xaResource = new WorkingCopyXaResource<>(directoryDao);
}
/*
- * ABSTRACT METHODS
- */
-
-// public abstract HierarchyUnit doGetHierarchyUnit(LdapName dn);
-//
-// public abstract Iterable<HierarchyUnit> doGetDirectHierarchyUnits(LdapName searchBase, boolean functionalOnly);
-//
-// protected abstract Boolean daoHasEntry(LdapName dn);
-//
-// protected abstract LdapEntry daoGetEntry(LdapName key) throws NameNotFoundException;
-//
-// protected abstract List<LdapEntry> doGetEntries(LdapName searchBase, Filter f, boolean deep);
-//
-// /** Returns the groups this user is a direct member of. */
-// protected abstract List<LdapName> getDirectGroups(LdapName dn);
- /*
- * INITIALIZATION
+ * INITIALISATION
*/
public void init() {
/*
* CREATION
*/
- protected abstract LdapEntry newUser(LdapName name, Attributes attrs);
+ protected abstract LdapEntry newUser(LdapName name);
- protected abstract LdapEntry newGroup(LdapName name, Attributes attrs);
+ protected abstract LdapEntry newGroup(LdapName name);
/*
* EDITION
checkEdit();
LdapEntryWorkingCopy wc = getWorkingCopy();
boolean actuallyDeleted;
- if (getDirectoryDao().daoHasEntry(dn) || wc.getNewData().containsKey(dn)) {
+ if (getDirectoryDao().entryExists(dn) || wc.getNewData().containsKey(dn)) {
LdapEntry user = doGetRole(dn);
wc.getDeletedData().put(dn, user);
actuallyDeleted = true;
LdapEntryWorkingCopy wc = getWorkingCopy();
LdapEntry user;
try {
- user = getDirectoryDao().daoGetEntry(dn);
+ user = getDirectoryDao().doGetEntry(dn);
} catch (NameNotFoundException e) {
user = null;
}
Object value = values.next();
LdapName groupDn = new LdapName(value.toString());
LdapEntry group = doGetRole(groupDn);
- if (group != null)
+ if (group != null) {
+ allRoles.add(group);
+ } else {
+ // user doesn't have the right to retrieve role, but we know it exists
+ // otherwise memberOf would not work
+ group = newGroup(groupDn);
allRoles.add(group);
+ }
}
} catch (NamingException e) {
throw new IllegalStateException("Cannot get memberOf groups for " + user, e);
}
} else {
- for (LdapName groupDn : getDirectoryDao().getDirectGroups(user.getDn())) {
- // TODO check for loops
+ directGroups: for (LdapName groupDn : getDirectoryDao().getDirectGroups(user.getDn())) {
LdapEntry group = doGetRole(groupDn);
if (group != null) {
+ if (allRoles.contains(group)) {
+ // important in order to avoi loops
+ continue directGroups;
+ }
allRoles.add(group);
collectGroups(group, allRoles);
}
return directoryDao.doGetDirectHierarchyUnits(baseDn, functionalOnly);
}
+ @Override
+ public String getHierarchyUnitName() {
+ return getName();
+ }
+
+ @Override
+ public String getHierarchyUnitLabel(Locale locale) {
+ String key = LdapNameUtils.getLastRdn(getBaseDn()).getType();
+ Object value = LdapEntry.getLocalized(asLdapEntry().getProperties(), key, locale);
+ if (value == null)
+ value = getHierarchyUnitName();
+ assert value != null;
+ return value.toString();
+ }
+
+ @Override
+ public HierarchyUnit getParent() {
+ return null;
+ }
+
+ @Override
+ public boolean isFunctional() {
+ return true;
+ }
+
+ @Override
+ public Directory getDirectory() {
+ return this;
+ }
+
+ @Override
+ public HierarchyUnit createHierarchyUnit(String path) {
+ checkEdit();
+ LdapEntryWorkingCopy wc = getWorkingCopy();
+ LdapName dn = pathToName(path);
+ if ((getDirectoryDao().entryExists(dn) && !wc.getDeletedData().containsKey(dn))
+ || wc.getNewData().containsKey(dn))
+ throw new IllegalArgumentException("Already a hierarchy unit " + path);
+ BasicAttributes attrs = new BasicAttributes(true);
+ attrs.put(LdapAttrs.objectClass.name(), LdapObjs.organizationalUnit.name());
+ Rdn nameRdn = dn.getRdn(dn.size() - 1);
+ // TODO deal with multiple attr RDN
+ attrs.put(nameRdn.getType(), nameRdn.getValue());
+ wc.getModifiedData().put(dn, attrs);
+ LdapHierarchyUnit newHierarchyUnit = new LdapHierarchyUnit(this, dn);
+ wc.getNewData().put(dn, newHierarchyUnit);
+ return newHierarchyUnit;
+ }
+
/*
* PATHS
*/
@Override
- public String getContext() {
+ public String getBase() {
return getBaseDn().toString();
}
LdapName name = (LdapName) getBaseDn().clone();
String[] segments = path.split("/");
Rdn parentRdn = null;
- for (String segment : segments) {
+ // segments[0] is the directory itself
+ for (int i = 0; i < segments.length; i++) {
+ String segment = segments[i];
// TODO make attr names configurable ?
- String attr = LdapAttrs.ou.name();
+ String attr = path.startsWith("accounts/")/* IPA */ ? LdapAttrs.cn.name() : LdapAttrs.ou.name();
if (parentRdn != null) {
if (getUserBaseRdn().equals(parentRdn))
attr = LdapAttrs.uid.name();
/*
* UTILITIES
*/
+ protected boolean isExternal(LdapName name) {
+ return !name.startsWith(baseDn);
+ }
+
protected static boolean hasObjectClass(Attributes attrs, LdapObjs objectClass) {
return hasObjectClass(attrs, objectClass.name());
}
return true;// read only by default
}
+ /*
+ * AS AN ENTRY
+ */
+ public LdapEntry asLdapEntry() {
+ try {
+ return directoryDao.doGetEntry(baseDn);
+ } catch (NameNotFoundException e) {
+ throw new IllegalStateException("Cannot get " + baseDn + " entry", e);
+ }
+ }
+
+ public Dictionary<String, Object> getProperties() {
+ return asLdapEntry().getProperties();
+ }
+
/*
* ACCESSORS
*/
@Override
public Optional<String> getRealm() {
- Object realm = getProperties().get(DirectoryConf.realm.name());
+ Object realm = configProperties.get(DirectoryConf.realm.name());
if (realm == null)
return Optional.empty();
return Optional.of(realm.toString());
return systemRoleBaseRdn;
}
- public Dictionary<String, Object> getProperties() {
- return properties;
- }
+// public Dictionary<String, Object> getConfigProperties() {
+// return configProperties;
+// }
- public Dictionary<String, Object> cloneProperties() {
- return new Hashtable<>(properties);
+ public Dictionary<String, Object> cloneConfigProperties() {
+ return new Hashtable<>(configProperties);
}
public String getForcedPassword() {