X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.enterprise%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FIpaUtils.java;h=d56c06ac0964b8295fcfc655c4dc15ba0cf478a6;hb=73a89e099608a51d9aef814a3f85a62947275f59;hp=1d198c66e19fc7d951281f14e39a62fe09ff1776;hpb=cf53e939cabed54ee2a3074afcf22417fbdf364d;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/IpaUtils.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/IpaUtils.java index 1d198c66e..d56c06ac0 100644 --- a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/IpaUtils.java +++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/IpaUtils.java @@ -1,8 +1,19 @@ package org.argeo.osgi.useradmin; +import java.io.IOException; +import java.net.InetAddress; +import java.net.URI; +import java.net.URISyntaxException; +import java.util.ArrayList; +import java.util.Dictionary; +import java.util.Hashtable; +import java.util.List; + import javax.naming.InvalidNameException; +import javax.naming.NamingException; import javax.naming.ldap.LdapName; +import org.argeo.naming.DnsBrowser; import org.argeo.naming.LdapAttrs; /** Free IPA specific conventions. */ @@ -16,8 +27,17 @@ public class IpaUtils { public final static String IPA_USER_DIRECTORY_CONFIG = UserAdminConf.userBase + "=" + IPA_USER_BASE + "&" + UserAdminConf.groupBase + "=" + IPA_GROUP_BASE + "&" + UserAdminConf.readOnly + "=true"; - static String domainToUserDirectoryConfigPath(String domain) { - return domainToBaseDn(domain) + "?" + IPA_USER_DIRECTORY_CONFIG; + @Deprecated + static String domainToUserDirectoryConfigPath(String realm) { + return domainToBaseDn(realm) + "?" + IPA_USER_DIRECTORY_CONFIG + "&" + UserAdminConf.realm.name() + "=" + realm; + } + + public static void addIpaConfig(String realm, Dictionary properties) { + properties.put(UserAdminConf.baseDn.name(), domainToBaseDn(realm)); + properties.put(UserAdminConf.realm.name(), realm); + properties.put(UserAdminConf.userBase.name(), IPA_USER_BASE); + properties.put(UserAdminConf.groupBase.name(), IPA_GROUP_BASE); + properties.put(UserAdminConf.readOnly.name(), Boolean.TRUE.toString()); } public static String domainToBaseDn(String domain) { @@ -51,4 +71,67 @@ public class IpaUtils { private IpaUtils() { } + + public static String kerberosDomainFromDns() { + String kerberosDomain; + try (DnsBrowser dnsBrowser = new DnsBrowser()) { + InetAddress localhost = InetAddress.getLocalHost(); + String hostname = localhost.getHostName(); + String dnsZone = hostname.substring(hostname.indexOf('.') + 1); + kerberosDomain = dnsBrowser.getRecord("_kerberos." + dnsZone, "TXT"); + return kerberosDomain; + } catch (Exception e) { + throw new UserDirectoryException("Cannot determine Kerberos domain from DNS", e); + } + + } + + public static Dictionary convertIpaUri(URI uri) { + String path = uri.getPath(); + String kerberosRealm; + if (path == null || path.length() <= 1) { + kerberosRealm = kerberosDomainFromDns(); + } else { + kerberosRealm = path.substring(1); + } + + if (kerberosRealm == null) + throw new UserDirectoryException("No Kerberos domain available for " + uri); + // TODO intergrate CA certificate in truststore + // String schemeToUse = SCHEME_LDAPS; + String schemeToUse = UserAdminConf.SCHEME_LDAP; + List ldapHosts; + String ldapHostsStr = uri.getHost(); + if (ldapHostsStr == null || ldapHostsStr.trim().equals("")) { + try (DnsBrowser dnsBrowser = new DnsBrowser()) { + ldapHosts = dnsBrowser.getSrvRecordsAsHosts("_ldap._tcp." + kerberosRealm.toLowerCase(), + schemeToUse.equals(UserAdminConf.SCHEME_LDAP) ? true : false); + if (ldapHosts == null || ldapHosts.size() == 0) { + throw new UserDirectoryException("Cannot configure LDAP for IPA " + uri); + } else { + ldapHostsStr = ldapHosts.get(0); + } + } catch (NamingException | IOException e) { + throw new UserDirectoryException("cannot convert IPA uri " + uri, e); + } + } else { + ldapHosts = new ArrayList<>(); + ldapHosts.add(ldapHostsStr); + } + + StringBuilder uriStr = new StringBuilder(); + try { + for (String host : ldapHosts) { + URI convertedUri = new URI(schemeToUse + "://" + host + "/"); + uriStr.append(convertedUri).append(' '); + } + } catch (URISyntaxException e) { + throw new UserDirectoryException("cannot convert IPA uri " + uri, e); + } + + Hashtable res = new Hashtable<>(); + res.put(UserAdminConf.uri.name(), uriStr.toString()); + addIpaConfig(kerberosRealm, res); + return res; + } }