From 4e8d82137c2dce7145175eacbd225a52227b6f73 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier
Date: Wed, 29 Jun 2022 10:57:40 +0200
Subject: [PATCH] Make multi-referentials support more robust.

---
 .../osgi/useradmin/DirectoryUserAdmin.java | 4 +-
 .../argeo/util/directory/ldap/LdapDao.java | 61 +++++++++++--------
 2 files changed, 39 insertions(+), 26 deletions(-)

diff --git a/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java b/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java
index e6e3f983b..003aad11d 100644
--- a/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java
+++ b/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java
@@ -291,8 +291,10 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 		Subject currentSubject = CurrentSubject.current();
 		if (currentSubject != null //
+				&& getRealm().isPresent() //
 				&& !currentSubject.getPrivateCredentials(Authorization.class).isEmpty() //
-				&& !currentSubject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
+				&& !currentSubject.getPrivateCredentials(KerberosTicket.class).isEmpty()) //
+		{
 			// TODO not only Kerberos but also bind scope with kept password ?
 			Authorization auth = currentSubject.getPrivateCredentials(Authorization.class).iterator().next();
 			// bind with authenticating user
diff --git a/org.argeo.util/src/org/argeo/util/directory/ldap/LdapDao.java b/org.argeo.util/src/org/argeo/util/directory/ldap/LdapDao.java
index e15c005be..fac7dd1ac 100644
--- a/org.argeo.util/src/org/argeo/util/directory/ldap/LdapDao.java
+++ b/org.argeo.util/src/org/argeo/util/directory/ldap/LdapDao.java
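Review bot: The new `&& getRealm().isPresent()` condition carries no comment, yet it now decides whether the directory is bound as the authenticating (Kerberos) user or takes whatever path follows the `if`, which is a security-relevant choice that a reader cannot recover from the expression alone. Suggest a one-liner above the `if`, e.g. `// bind as the authenticating user only when a realm is configured for this directory`, and, if the realm-less case has a different trust model, a word on that too. Moving the opening brace onto its own line also departs from the K&R style used by the surrounding lines; keeping `) {` on the condition line (with the `//` line-break guards) would be more conventional. The enclosing method starts and ends outside this hunk.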
@@ -13,12 +13,14 @@ import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
+import javax.naming.directory.BasicAttributes;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.LdapName;
 import javax.naming.ldap.Rdn;
 
 import org.argeo.util.directory.HierarchyUnit;
+import org.argeo.util.naming.LdapAttrs;
 import org.argeo.util.naming.LdapObjs;
 
 /** A user admin based on a LDAP server. */
@@ -78,34 +80,43 @@ public class LdapDao extends AbstractLdapDirectoryDao {
 
 	@Override
 	public LdapEntry doGetEntry(LdapName name) throws NameNotFoundException {
-		if (!entryExists(name))
-			throw new NameNotFoundException(name + " was not found in " + getDirectory().getBaseDn());
-//		try {
-//			Attributes attrs = ldapConnection.getAttributes(name);
-//			if (attrs.size() == 0)
-//				return null;
-
-//			int roleType = roleType(name);
+//		if (!entryExists(name))
+//			throw new NameNotFoundException(name + " was not found in " + getDirectory().getBaseDn());
+		try {
+			Attributes attrs = ldapConnection.getAttributes(name);
+
 			LdapEntry res;
 			Rdn technicalRdn = LdapNameUtils.getParentRdn(name);
-			if (getDirectory().getGroupBaseRdn().equals(technicalRdn))
-				res = newGroup(name, null);
-			else if (getDirectory().getSystemRoleBaseRdn().equals(technicalRdn))
-				res = newGroup(name, null);
-			else if (getDirectory().getUserBaseRdn().equals(technicalRdn))
-				res = newUser(name, null);
-			else
-				res = new DefaultLdapEntry(getDirectory(), name, null);
-//			if (isGroup(name))
-//				res = newGroup(name, attrs);
-//			else
-//				res = newUser(name, attrs);
-//			else
-//				throw new IllegalArgumentException("Unsupported LDAP type for " + name);
+			if (getDirectory().getGroupBaseRdn().equals(technicalRdn)) {
+				if (attrs.size() == 0) {// exists but not accessible
+					attrs = new BasicAttributes();
+					attrs.put(LdapAttrs.objectClass.name(), LdapObjs.top.name());
+					attrs.put(LdapAttrs.objectClass.name(), getDirectory().getGroupObjectClass());
+				}
+				res = newGroup(name, attrs);
+			} else if (getDirectory().getSystemRoleBaseRdn().equals(technicalRdn)) {
+				if (attrs.size() == 0) {// exists but not accessible
+					attrs = new BasicAttributes();
+					attrs.put(LdapAttrs.objectClass.name(), LdapObjs.top.name());
+					attrs.put(LdapAttrs.objectClass.name(), getDirectory().getGroupObjectClass());
+				}
+				res = newGroup(name, attrs);
+			} else if (getDirectory().getUserBaseRdn().equals(technicalRdn)) {
+				if (attrs.size() == 0) {// exists but not accessible
+					attrs = new BasicAttributes();
+					attrs.put(LdapAttrs.objectClass.name(), LdapObjs.top.name());
+					attrs.put(LdapAttrs.objectClass.name(), getDirectory().getUserObjectClass());
+				}
+				res = newUser(name, attrs);
+			} else {
+				res = new DefaultLdapEntry(getDirectory(), name, attrs);
+			}
 			return res;
-//		} catch (NameNotFoundException e) {
-//			throw e;
-//		}
+		} catch (NameNotFoundException e) {
+			throw e;
+		} catch (NamingException e) {
+			throw new IllegalStateException("Cannot retrieve entry " + name, e);
+		}
 	}
 
 //	protected boolean isGroup(LdapName dn) {
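Review bot: The two consecutive `attrs.put(LdapAttrs.objectClass.name(), …)` calls in each "exists but not accessible" branch do not build a two-valued objectClass: `Attributes.put(String, Object)` replaces any attribute already stored under that id, so the synthesised entry ends up with only the group/user object class and `top` is silently dropped. A multi-valued attribute has to be built as one `Attribute` (`new BasicAttribute(id)` plus `add(...)` for each value) and then `put` once; `BasicAttribute` would need importing alongside the `BasicAttributes` import this commit adds. Since the same three-line synthesis is repeated verbatim for the group, system-role and user branches, the fix fits naturally into one private helper taking the structural object class, as sketched below; the `DefaultLdapEntry` branch gets no such fallback, which may be intentional but deserves a comment since an empty `Attributes` now also means "readable but out of scope". The fallback also makes existence depend solely on `getAttributes` throwing `NameNotFoundException`, so an ACL that hides entries rather than returning them empty would still surface as not found — worth a note near the commented-out `entryExists` check.
```java
	/** Minimal attributes for an entry that exists but whose attributes the bound user may not read. */
	private static Attributes minimalAttributes(String structuralObjectClass) {
		Attributes attrs = new BasicAttributes();
		Attribute objectClass = new BasicAttribute(LdapAttrs.objectClass.name());
		objectClass.add(LdapObjs.top.name());
		objectClass.add(structuralObjectClass);
		attrs.put(objectClass); // single multi-valued attribute; put(String,Object) twice would overwrite
		return attrs;
	}

	// … unchanged: doGetEntry up to the technicalRdn dispatch …
			if (getDirectory().getGroupBaseRdn().equals(technicalRdn)) {
				if (attrs.size() == 0) {// exists but not accessible
					attrs = minimalAttributes(getDirectory().getGroupObjectClass());
				}
				res = newGroup(name, attrs);
	// … unchanged: system-role and user branches use the same helper with their object class …
```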