X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.util%2Fsrc%2Forg%2Fargeo%2Futil%2Fdirectory%2Fldap%2FAbstractLdapDirectory.java;h=54d9776b5fd15106bf6de8b560ef81f863f1d470;hb=285c23f26c4d634cd139d393ebcb708187d5e960;hp=55449a70748f3a0f7b4bf079123adc70988b4b7b;hpb=3066d79e3ced9339679672242bdf2340a03e1f29;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.util/src/org/argeo/util/directory/ldap/AbstractLdapDirectory.java b/org.argeo.util/src/org/argeo/util/directory/ldap/AbstractLdapDirectory.java index 55449a707..54d9776b5 100644 --- a/org.argeo.util/src/org/argeo/util/directory/ldap/AbstractLdapDirectory.java +++ b/org.argeo.util/src/org/argeo/util/directory/ldap/AbstractLdapDirectory.java @@ -19,6 +19,7 @@ import javax.naming.NamingEnumeration; import javax.naming.NamingException; import javax.naming.directory.Attribute; import javax.naming.directory.Attributes; +import javax.naming.directory.BasicAttributes; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; import javax.transaction.xa.XAResource; @@ -33,12 +34,13 @@ import org.argeo.util.transaction.WorkControl; import org.argeo.util.transaction.WorkingCopyXaResource; import org.argeo.util.transaction.XAResourceProvider; +/** A {@link Directory} based either on LDAP or LDIF. */ public abstract class AbstractLdapDirectory implements Directory, XAResourceProvider { protected static final String SHARED_STATE_USERNAME = "javax.security.auth.login.name"; protected static final String SHARED_STATE_PASSWORD = "javax.security.auth.login.password"; - protected final LdapName baseDn; - protected final Hashtable configProperties; + private final LdapName baseDn; + private final Hashtable configProperties; private final Rdn userBaseRdn, groupBaseRdn, systemRoleBaseRdn; private final String userObjectClass, groupObjectClass; private String memberAttributeId = "member"; @@ -65,7 +67,11 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv String key = keys.nextElement(); configProperties.put(key, props.get(key)); } - baseDn = toLdapName(DirectoryConf.baseDn.getValue(configProperties)); + + String baseDnStr = DirectoryConf.baseDn.getValue(configProperties); + if (baseDnStr == null) + throw new IllegalArgumentException("Base DN must be specified: " + configProperties); + baseDn = toLdapName(baseDnStr); this.scoped = scoped; if (uriArg != null) { @@ -113,40 +119,35 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv disabled = Boolean.parseBoolean(disabledStr); else disabled = false; - - URI u = URI.create(uri); - if (!getRealm().isEmpty() || DirectoryConf.SCHEME_LDAP.equals(u.getScheme()) - || DirectoryConf.SCHEME_LDAPS.equals(u.getScheme())) { + if (!getRealm().isEmpty()) { + // IPA multiple LDAP causes URI parsing to fail + // TODO manage generic redundant LDAP case directoryDao = new LdapDao(this); - } else if (DirectoryConf.SCHEME_FILE.equals(u.getScheme())) { - directoryDao = new LdifDao(this); - } else if (DirectoryConf.SCHEME_OS.equals(u.getScheme())) { - directoryDao = new OsUserDirectory(this); - // singleUser = true; } else { - throw new IllegalArgumentException("Unsupported scheme " + u.getScheme()); + if (uri != null) { + URI u = URI.create(uri); + if (DirectoryConf.SCHEME_LDAP.equals(u.getScheme()) + || DirectoryConf.SCHEME_LDAPS.equals(u.getScheme())) { + directoryDao = new LdapDao(this); + } else if (DirectoryConf.SCHEME_FILE.equals(u.getScheme())) { + directoryDao = new LdifDao(this); + } else if (DirectoryConf.SCHEME_OS.equals(u.getScheme())) { + directoryDao = new OsUserDirectory(this); + // singleUser = true; + } else { + throw new IllegalArgumentException("Unsupported scheme " + u.getScheme()); + } + } else { + // in memory + directoryDao = new LdifDao(this); + } } - xaResource = new WorkingCopyXaResource<>(directoryDao); + if (directoryDao != null) + xaResource = new WorkingCopyXaResource<>(directoryDao); } /* - * ABSTRACT METHODS - */ - -// public abstract HierarchyUnit doGetHierarchyUnit(LdapName dn); -// -// public abstract Iterable doGetDirectHierarchyUnits(LdapName searchBase, boolean functionalOnly); -// -// protected abstract Boolean daoHasEntry(LdapName dn); -// -// protected abstract LdapEntry daoGetEntry(LdapName key) throws NameNotFoundException; -// -// protected abstract List doGetEntries(LdapName searchBase, Filter f, boolean deep); -// -// /** Returns the groups this user is a direct member of. */ -// protected abstract List getDirectGroups(LdapName dn); - /* - * INITIALIZATION + * INITIALISATION */ public void init() { @@ -160,9 +161,9 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv /* * CREATION */ - protected abstract LdapEntry newUser(LdapName name, Attributes attrs); + protected abstract LdapEntry newUser(LdapName name); - protected abstract LdapEntry newGroup(LdapName name, Attributes attrs); + protected abstract LdapEntry newGroup(LdapName name); /* * EDITION @@ -249,17 +250,30 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv Object value = values.next(); LdapName groupDn = new LdapName(value.toString()); LdapEntry group = doGetRole(groupDn); - if (group != null) + if (group != null) { + allRoles.add(group); + } else { + // user doesn't have the right to retrieve role, but we know it exists + // otherwise memberOf would not work +// Attributes a = new BasicAttributes(); +// a.put(LdapNameUtils.getLastRdn(groupDn).getType(), +// LdapNameUtils.getLastRdn(groupDn).getValue()); +// a.put(LdapAttrs.objectClass.name(), LdapObjs.groupOfNames.name()); + group = newGroup(groupDn); allRoles.add(group); + } } } catch (NamingException e) { throw new IllegalStateException("Cannot get memberOf groups for " + user, e); } } else { - for (LdapName groupDn : getDirectoryDao().getDirectGroups(user.getDn())) { - // TODO check for loops + directGroups: for (LdapName groupDn : getDirectoryDao().getDirectGroups(user.getDn())) { LdapEntry group = doGetRole(groupDn); if (group != null) { + if (allRoles.contains(group)) { + // important in order to avoi loops + continue directGroups; + } allRoles.add(group); collectGroups(group, allRoles); } @@ -301,12 +315,31 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv return this; } + @Override + public HierarchyUnit createHierarchyUnit(String path) { + checkEdit(); + LdapEntryWorkingCopy wc = getWorkingCopy(); + LdapName dn = pathToName(path); + if ((getDirectoryDao().entryExists(dn) && !wc.getDeletedData().containsKey(dn)) + || wc.getNewData().containsKey(dn)) + throw new IllegalArgumentException("Already a hierarchy unit " + path); + BasicAttributes attrs = new BasicAttributes(true); + attrs.put(LdapAttrs.objectClass.name(), LdapObjs.organizationalUnit.name()); + Rdn nameRdn = dn.getRdn(dn.size() - 1); + // TODO deal with multiple attr RDN + attrs.put(nameRdn.getType(), nameRdn.getValue()); + wc.getModifiedData().put(dn, attrs); + LdapHierarchyUnit newHierarchyUnit = new LdapHierarchyUnit(this, dn); + wc.getNewData().put(dn, newHierarchyUnit); + return newHierarchyUnit; + } + /* * PATHS */ @Override - public String getContext() { + public String getBase() { return getBaseDn().toString(); } @@ -338,7 +371,7 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv for (int i = 0; i < segments.length; i++) { String segment = segments[i]; // TODO make attr names configurable ? - String attr = LdapAttrs.ou.name(); + String attr = path.startsWith("accounts/")/* IPA */ ? LdapAttrs.cn.name() : LdapAttrs.ou.name(); if (parentRdn != null) { if (getUserBaseRdn().equals(parentRdn)) attr = LdapAttrs.uid.name(); @@ -361,6 +394,10 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv /* * UTILITIES */ + protected boolean isExternal(LdapName name) { + return !name.startsWith(baseDn); + } + protected static boolean hasObjectClass(Attributes attrs, LdapObjs objectClass) { return hasObjectClass(attrs, objectClass.name()); }