import org.argeo.util.directory.DirectoryDigestUtils;
import org.argeo.util.directory.HierarchyUnit;
import org.argeo.util.directory.ldap.AbstractLdapDirectory;
+import org.argeo.util.directory.ldap.LdapDao;
import org.argeo.util.directory.ldap.LdapEntry;
import org.argeo.util.directory.ldap.LdapEntryWorkingCopy;
import org.argeo.util.directory.ldap.LdapNameUtils;
*/
protected AbstractLdapDirectory scope(User user) {
- throw new UnsupportedAddressTypeException();
+ if (getDirectoryDao() instanceof LdapDao) {
+ return scopeLdap(user);
+ } else if (getDirectoryDao() instanceof LdifDao) {
+ return scopeLdif(user);
+ } else {
+ throw new IllegalStateException("Unsupported DAO " + getDirectoryDao().getClass());
+ }
}
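Review bot: The `else` branch builds its message from `getDirectoryDao().getClass()`, so a directory whose DAO was never set fails with a NullPointerException instead of the intended IllegalStateException, and it is also the branch an `OsUserDirectory` (created by `directoryDao = new OsUserDirectory(this)` elsewhere in this diff) falls into. Read the getter once and tolerate null, e.g. `Object dao = getDirectoryDao();` at the top and `throw new IllegalStateException("Unsupported DAO " + (dao == null ? "null" : dao.getClass().getName()));` in the last branch. If OS-backed directories are deliberately not scopeable, a one-line comment on that branch saying so would save the next reader a search.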
protected DirectoryUserAdmin scopeLdap(User user) {
} else {
properties.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
}
- return new DirectoryUserAdmin(null, properties, true);
+ DirectoryUserAdmin scopedDirectory = new DirectoryUserAdmin(null, properties, true);
+ scopedDirectory.init();
+ return scopedDirectory;
}
protected DirectoryUserAdmin scopeLdif(User user) {
// scopedUserAdmin.users = Collections.unmodifiableNavigableMap(users);
// FIXME do it better
((LdifDao) getDirectoryDao()).scope((LdifDao) scopedUserAdmin.getDirectoryDao());
+ scopedUserAdmin.init();
return scopedUserAdmin;
}
@Override
public Role getRoleByPath(String path) {
- return (Role) doGetRole(pathToName(path));
+ LdapEntry entry = doGetRole(pathToName(path));
+ if (!(entry instanceof Role)) {
+ throw new IllegalStateException("Path must be a UserAdmin Role.");
+ } else {
+ return (Role) entry;
+ }
}
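Review bot: If `doGetRole` can return null for an unknown name (its body is not visible here), that case now surfaces as `IllegalStateException("Path must be a UserAdmin Role.")`, because `null instanceof Role` is false just like a non-Role entry, whereas the old cast passed null through to the caller. A caller that probed with a null check therefore gets an exception with a misleading message. Handle absence separately before the type check, `if (entry == null) return null;` (or throw a distinct not-found exception if that is the intended contract), and keep the IllegalStateException for entries that exist but are not Roles.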
protected List<Role> getAllRoles(DirectoryUser user) {
LdapEntry entry = (LdapEntry) user;
collectGroups(entry, allEntries);
for (LdapEntry e : allEntries) {
- allRoles.add((Role) e);
+ if (e instanceof Role)
+ allRoles.add((Role) e);
}
// Attributes attrs = user.getAttributes();
// // TODO centralize attribute name
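Review bot: Entries returned by `collectGroups` that are not `Role`s are now dropped silently at `if (e instanceof Role)`, where the old cast failed loudly. For an effective-role computation that is fail-closed (fewer roles, never more), but a silently ignored membership is hard to diagnose when a group is misconfigured. Add a comment naming what is expected to be skipped, or log it, e.g. `// entries that are not UserAdmin Roles are ignored here; TODO log at debug level`. The method's body is partly outside this hunk, so I cannot see how `allEntries` is populated.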
disabled = Boolean.parseBoolean(disabledStr);
else
disabled = false;
-
- URI u = URI.create(uri);
- if (!getRealm().isEmpty() || DirectoryConf.SCHEME_LDAP.equals(u.getScheme())
- || DirectoryConf.SCHEME_LDAPS.equals(u.getScheme())) {
+ if (!getRealm().isEmpty()) {
+ // IPA multiple LDAP causes URI parsing to fail
+ // TODO manage generic redundant LDAP case
directoryDao = new LdapDao(this);
- } else if (DirectoryConf.SCHEME_FILE.equals(u.getScheme())) {
- directoryDao = new LdifDao(this);
- } else if (DirectoryConf.SCHEME_OS.equals(u.getScheme())) {
- directoryDao = new OsUserDirectory(this);
- // singleUser = true;
} else {
- throw new IllegalArgumentException("Unsupported scheme " + u.getScheme());
+ URI u = URI.create(uri);
+ if (DirectoryConf.SCHEME_LDAP.equals(u.getScheme()) || DirectoryConf.SCHEME_LDAPS.equals(u.getScheme())) {
+ directoryDao = new LdapDao(this);
+ } else if (DirectoryConf.SCHEME_FILE.equals(u.getScheme())) {
+ directoryDao = new LdifDao(this);
+ } else if (DirectoryConf.SCHEME_OS.equals(u.getScheme())) {
+ directoryDao = new OsUserDirectory(this);
+ // singleUser = true;
+ } else {
+ throw new IllegalArgumentException("Unsupported scheme " + u.getScheme());
+ }
}
xaResource = new WorkingCopyXaResource<>(directoryDao);
}
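Review bot: With a non-empty realm the `uri` is no longer parsed at all, so the scheme check that previously rejected a `file:`/`os:` or malformed URI on that path is gone and `LdapDao` receives whatever string was configured. The comment explains this is because an IPA multi-server value does not parse as a single URI; if that value is a list of LDAP URLs, each entry should still be checked for `ldap`/`ldaps`, otherwise a misconfigured realm directory points silently at something that is not an LDAP server. At minimum guard the realm branch with a prefix check, e.g. `if (!uri.startsWith(DirectoryConf.SCHEME_LDAP + ":") && !uri.startsWith(DirectoryConf.SCHEME_LDAPS + ":")) throw new IllegalArgumentException("Realm " + getRealm() + " requires LDAP URI(s), got " + uri);` — this assumes the multi-server value begins with its first URL, which I cannot confirm from here. The enclosing method starts before this hunk.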
for (int i = 0; i < segments.length; i++) {
String segment = segments[i];
// TODO make attr names configurable ?
- String attr = LdapAttrs.ou.name();
+ String attr = path.startsWith("accounts/")/* IPA */ ? LdapAttrs.cn.name() : LdapAttrs.ou.name();
if (parentRdn != null) {
if (getUserBaseRdn().equals(parentRdn))
attr = LdapAttrs.uid.name();
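Review bot: `path.startsWith("accounts/")` hard-codes the IPA container name a second time, in a different form from the `IpaUtils.IPA_ACCOUNTS_RDN` constant introduced in this same change, and it applies to every directory rather than only IPA-backed ones, so any path whose first segment happens to be `accounts` gets `cn=` instead of `ou=` for its intermediate RDNs. Derive the prefix from the shared constant, e.g. `IpaUtils.IPA_ACCOUNTS_RDN.getValue() + "/"`, and if the directory has an IPA flag (none is visible here) gate the special case on it. The enclosing method starts before this hunk.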
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
import org.argeo.util.directory.DirectoryConf;
import org.argeo.util.naming.LdapAttrs;
/** Free IPA specific conventions. */
public class IpaUtils {
- public final static String IPA_USER_BASE = "cn=users,cn=accounts";
- public final static String IPA_GROUP_BASE = "cn=groups,cn=accounts";
- public final static String IPA_ROLE_BASE = "cn=roles,cn=accounts";
+ public final static String IPA_USER_BASE = "cn=users";
+ public final static String IPA_GROUP_BASE = "cn=groups";
+ public final static String IPA_ROLE_BASE = "cn=roles";
public final static String IPA_SERVICE_BASE = "cn=services,cn=accounts";
+ public final static Rdn IPA_ACCOUNTS_RDN;
+ static {
+ try {
+ IPA_ACCOUNTS_RDN = new Rdn(LdapAttrs.cn.name(), "accounts");
+ } catch (InvalidNameException e) {
+ // should not happen
+ throw new IllegalStateException(e);
+ }
+ }
+
private final static String KRB_PRINCIPAL_NAME = LdapAttrs.krbPrincipalName.name().toLowerCase();
public final static String IPA_USER_DIRECTORY_CONFIG = DirectoryConf.userBase + "=" + IPA_USER_BASE + "&"
- + DirectoryConf.groupBase + "=" + IPA_GROUP_BASE + "&" + DirectoryConf.readOnly + "=true";
+ + DirectoryConf.groupBase + "=" + IPA_GROUP_BASE + "&" + DirectoryConf.systemRoleBase + "=" + IPA_ROLE_BASE
+ + "&" + DirectoryConf.readOnly + "=true";
@Deprecated
static String domainToUserDirectoryConfigPath(String realm) {
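Review bot: `IPA_USER_BASE`, `IPA_GROUP_BASE` and `IPA_ROLE_BASE` are now single RDNs that only make sense beneath `IPA_ACCOUNTS_RDN`, while `IPA_SERVICE_BASE` on the next line keeps the full `cn=services,cn=accounts` form, and nothing on the constants says which convention each follows; `IPA_USER_DIRECTORY_CONFIG` then embeds the short forms, so it presumably now expects a base DN that already ends in `cn=accounts`. Add Javadoc on the three shortened constants, e.g. `/** Relative to {@link #IPA_ACCOUNTS_RDN}, not to the domain base DN. */`, and the matching `/** Relative to the domain base DN (already includes cn=accounts). */` on `IPA_SERVICE_BASE`, so the asymmetry reads as intended rather than as a missed rename.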
String baseDn = domainToBaseDn(kname[1]);
String dn;
if (!username.contains("/"))
- dn = LdapAttrs.uid + "=" + username + "," + IPA_USER_BASE + "," + baseDn;
+ dn = LdapAttrs.uid + "=" + username + "," + IPA_USER_BASE + "," + IPA_ACCOUNTS_RDN + "," + baseDn;
else
dn = KRB_PRINCIPAL_NAME + "=" + kerberosName + "," + IPA_SERVICE_BASE + "," + baseDn;
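Review bot: The rebuilt DN on the `uid=` line still splices `username` into the string unescaped, so a value containing `,`, `+`, `=` or `\` changes the structure of the DN instead of being looked up as a literal; the `krbPrincipalName=` line has the same issue with `kerberosName`. `javax.naming.ldap.Rdn` is now imported in this file, so use `Rdn.escapeValue(username)` and `Rdn.escapeValue(kerberosName)` in place of the raw values, or assemble the name from `Rdn`/`LdapName` objects rather than concatenation. I cannot see where `username` and `kname` originate; if they come from an already-authenticated Kerberos principal the exposure is lower, but the escaping is cheap either way. The enclosing method starts before this hunk.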
try {
// int roleType = roleType(name);
LdapEntry res;
Rdn technicalRdn = LdapNameUtils.getParentRdn(name);
- if (getDirectory().getGroupBaseRdn().equals(technicalRdn)
- || getDirectory().getSystemRoleBaseRdn().equals(technicalRdn))
+ if (getDirectory().getGroupBaseRdn().equals(technicalRdn))
+ res = newGroup(name, attrs);
+ else if (getDirectory().getSystemRoleBaseRdn().equals(technicalRdn))
res = newGroup(name, attrs);
else if (getDirectory().getUserBaseRdn().equals(technicalRdn))
res = newUser(name, attrs);
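Review bot: The `getGroupBaseRdn()` and `getSystemRoleBaseRdn()` branches now both call `newGroup(name, attrs)`, so splitting them is a no-op that reads like an unfinished change. Either merge them back into a single condition or leave a comment stating what is planned for system roles, e.g. `// TODO system roles are to get their own entry type; same as groups for now`. If a distinct type lands in a follow-up commit, saying so here keeps the next reader from re-merging it. The enclosing method starts before this hunk.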
try {
String searchFilter = "(|(" + objectClass + "=" + LdapObjs.organizationalUnit.name() + ")(" + objectClass
+ "=" + LdapObjs.organization.name() + "))";
+// String searchFilter = "(|(" + objectClass + "=" + LdapObjs.organizationalUnit.name() + ")(" + objectClass
+// + "=" + LdapObjs.organization.name() + ")(cn=accounts)(cn=users)(cn=groups))";
SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
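Review bot: The newly added commented-out `searchFilter` variant is dead code that leaves the real question unanswered: with a ONELEVEL search restricted to `organizationalUnit`/`organization`, IPA's `cn=accounts`, `cn=users` and `cn=groups` containers (plain `cn=` entries, judging by the constants in `IpaUtils`) will not be returned as hierarchy units. Either drop the comment or replace it with a note that records the gap, e.g. `// TODO IPA containers are cn= entries rather than OUs and are not listed by this filter`. The enclosing method starts before this hunk.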
if (getDirectory().getBaseDn().equals(dn))
return getDirectory();
if (!dn.startsWith(getDirectory().getBaseDn()))
- throw new IllegalArgumentException(dn + " does not start with abse DN " + getDirectory().getBaseDn());
+ throw new IllegalArgumentException(dn + " does not start with base DN " + getDirectory().getBaseDn());
Attributes attrs = ldapConnection.getAttributes(dn);
return new LdapHierarchyUnit(getDirectory(), dn, attrs);
} catch (NamingException e) {
Rdn rdn = LdapNameUtils.getLastRdn(dn);
functional = !(directory.getUserBaseRdn().equals(rdn) || directory.getGroupBaseRdn().equals(rdn)
- || directory.getSystemRoleBaseRdn().equals(rdn));
+ || directory.getSystemRoleBaseRdn().equals(rdn) );
}
@Override