X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.enterprise%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FLdapUserAdmin.java;h=58f6eb1face2b1c92a76fad634abeeb9db918adb;hb=438237c2b8c995d4f9562d53bfe4ea63c4442054;hp=f78da0af0d29aed943c3cda8831bb9d97bffef47;hpb=0243aa5633af84d8608ba912483dbaaaefac42f1;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/LdapUserAdmin.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/LdapUserAdmin.java
index f78da0af0..58f6eb1fa 100644
--- a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/LdapUserAdmin.java
+++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/LdapUserAdmin.java
@@ -22,22 +22,20 @@ import javax.naming.ldap.InitialLdapContext;
 import javax.naming.ldap.LdapName;
 import javax.transaction.TransactionManager;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import org.argeo.naming.LdapAttrs;
 import org.osgi.framework.Filter;
+import org.osgi.service.useradmin.Role;
+import org.osgi.service.useradmin.User;
 
 /**
  * A user admin based on a LDAP server. Requires a {@link TransactionManager}
  * and an open transaction for write access.
  */
 public class LdapUserAdmin extends AbstractUserDirectory {
-	private final static Log log = LogFactory.getLog(LdapUserAdmin.class);
-
 	private InitialLdapContext initialLdapContext = null;
 
 	public LdapUserAdmin(Dictionary<String, ?> properties) {
-		super(properties);
+		super(null, properties);
 		try {
 			Hashtable<String, Object> connEnv = new Hashtable<String, Object>();
 			connEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
@@ -48,7 +46,11 @@ public class LdapUserAdmin extends AbstractUserDirectory {
 			// StartTlsResponse tls = (StartTlsResponse) ctx
 			// .extendedOperation(new StartTlsRequest());
 			// tls.negotiate();
-			initialLdapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
+			Object securityAuthentication = properties.get(Context.SECURITY_AUTHENTICATION);
+			if (securityAuthentication != null)
+				initialLdapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, securityAuthentication);
+			else
+				initialLdapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
 			Object principal = properties.get(Context.SECURITY_PRINCIPAL);
 			if (principal != null) {
 				initialLdapContext.addToEnvironment(Context.SECURITY_PRINCIPAL, principal.toString());
@@ -58,10 +60,6 @@ public class LdapUserAdmin extends AbstractUserDirectory {
 
 				}
 			}
-			// initialLdapContext.addToEnvironment(Context.SECURITY_PRINCIPAL,
-			// "uid=admin,ou=system");
-			// initialLdapContext.addToEnvironment(Context.SECURITY_CREDENTIALS,
-			// "secret");
 		} catch (Exception e) {
 			throw new UserDirectoryException("Cannot connect to LDAP", e);
 		}
@@ -72,8 +70,27 @@ public class LdapUserAdmin extends AbstractUserDirectory {
 			// tls.close();
 			initialLdapContext.close();
 		} catch (NamingException e) {
-			log.error("Cannot destroy LDAP user admin", e);
+			e.printStackTrace();
+		}
+	}
+
+	@Override
+	protected AbstractUserDirectory scope(User user) {
+		Dictionary<String, Object> credentials = user.getCredentials();
+		String username = (String) credentials.get(SHARED_STATE_USERNAME);
+		if (username == null)
+			username = user.getName();
+		Dictionary<String, Object> properties = cloneProperties();
+		properties.put(Context.SECURITY_PRINCIPAL, username.toString());
+		Object pwdCred = credentials.get(SHARED_STATE_PASSWORD);
+		byte[] pwd = (byte[]) pwdCred;
+		if (pwd != null) {
+			char[] password = DigestUtils.bytesToChars(pwd);
+			properties.put(Context.SECURITY_CREDENTIALS, new String(password));
+		} else {
+			properties.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
 		}
+		return new LdapUserAdmin(properties);
 	}
 
 	protected InitialLdapContext getLdapContext() {
@@ -82,23 +99,30 @@ public class LdapUserAdmin extends AbstractUserDirectory {
 
 	@Override
 	protected Boolean daoHasRole(LdapName dn) {
-		return daoGetRole(dn) != null;
+		try {
+			return daoGetRole(dn) != null;
+		} catch (NameNotFoundException e) {
+			return false;
+		}
 	}
 
 	@Override
-	protected DirectoryUser daoGetRole(LdapName name) {
+	protected DirectoryUser daoGetRole(LdapName name) throws NameNotFoundException {
 		try {
 			Attributes attrs = getLdapContext().getAttributes(name);
 			if (attrs.size() == 0)
 				return null;
+			int roleType = roleType(name);
 			LdifUser res;
-			if (attrs.get(objectClass.name()).contains(getGroupObjectClass()))
+			if (roleType == Role.GROUP)
 				res = new LdifGroup(this, name, attrs);
-			else if (attrs.get(objectClass.name()).contains(getUserObjectClass()))
+			else if (roleType == Role.USER)
 				res = new LdifUser(this, name, attrs);
 			else
 				throw new UserDirectoryException("Unsupported LDAP type for " + name);
 			return res;
+		} catch (NameNotFoundException e) {
+			throw e;
 		} catch (NamingException e) {
 			return null;
 		}
@@ -123,12 +147,14 @@ public class LdapUserAdmin extends AbstractUserDirectory {
 				Attribute objectClassAttr = attrs.get(objectClass.name());
 				LdapName dn = toDn(searchBase, searchResult);
 				LdifUser role;
-				if (objectClassAttr.contains(getGroupObjectClass()))
+				if (objectClassAttr.contains(getGroupObjectClass())
+						|| objectClassAttr.contains(getGroupObjectClass().toLowerCase()))
 					role = new LdifGroup(this, dn, attrs);
-				else if (objectClassAttr.contains(getUserObjectClass()))
+				else if (objectClassAttr.contains(getUserObjectClass())
+						|| objectClassAttr.contains(getUserObjectClass().toLowerCase()))
 					role = new LdifUser(this, dn, attrs);
 				else {
-					log.warn("Unsupported LDAP type for " + searchResult.getName());
+//					log.warn("Unsupported LDAP type for " + searchResult.getName());
 					continue results;
 				}
 				res.add(role);