From e1ce6198725dcfe07d1c22c8a96a58642fef5392 Mon Sep 17 00:00:00 2001
From: Bosanac Dejan <dejanb@apache.org>
Date: Mon, 16 May 2011 14:19:46 +0000
Subject: [PATCH] https://issues.apache.org/jira/browse/AMQ-3323 -
 LDAPLoginModule more debuging and exception messages

git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@1103745 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/activemq/jaas/LDAPLoginModule.java | 70 ++++++++++++++-----
 .../src/test/resources/activemq-ldap.xml      | 41 +++++++++++
 activemq-jaas/src/test/resources/login.config | 24 +++++++
 3 files changed, 116 insertions(+), 19 deletions(-)
 create mode 100644 activemq-jaas/src/test/resources/activemq-ldap.xml

diff --git a/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java b/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
index 323fb0f101..eedabe562e 100644
--- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
+++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
@@ -131,16 +131,10 @@ public class LDAPLoginModule implements LoginModule {
         else
         	password="";
 
-        try {
-            boolean result = authenticate(username, password);
-            if (!result) {
-                throw new FailedLoginException();
-            } else {
-                return true;
-            }
-        } catch (Exception e) {
-            throw (LoginException)new LoginException("LDAP Error").initCause(e);
-        }
+        // authenticate will throw LoginException
+        // in case of failed authentication
+        authenticate(username, password);
+        return true;
     }
 
     @Override
@@ -173,13 +167,23 @@ public class LDAPLoginModule implements LoginModule {
         }
     }
 
-    protected boolean authenticate(String username, String password) throws Exception {
+    protected boolean authenticate(String username, String password) throws LoginException {
 
         MessageFormat userSearchMatchingFormat;
         boolean userSearchSubtreeBool;
         
         DirContext context = null;
-        context = open();
+
+        if (log.isDebugEnabled()) {
+            log.debug("Create the LDAP initial context.");
+        }
+        try {
+            context = open();
+        } catch (NamingException ne) {
+            FailedLoginException ex = new FailedLoginException("Error opening LDAP connection");
+            ex.initCause(ne);
+            throw ex;
+        }
         
         if (!isLoginPropertySet(USER_SEARCH_MATCHING))
         	return false;
@@ -208,10 +212,18 @@ public class LDAPLoginModule implements LoginModule {
             list.toArray(attribs);
             constraints.setReturningAttributes(attribs);
 
+            if (log.isDebugEnabled()) {
+                log.debug("Get the user DN.");
+                log.debug("Looking for the user in LDAP with ");
+                log.debug("  base DN: " + getLDAPPropertyValue(USER_BASE));
+                log.debug("  filter: " + filter);
+            }
+
             NamingEnumeration<SearchResult> results = context.search(getLDAPPropertyValue(USER_BASE), filter, constraints);
 
             if (results == null || !results.hasMore()) {
-                return false;
+                log.warn("User " + username + " not found in LDAP.");
+                throw new FailedLoginException("User " + username + " not found in LDAP.");
             }
 
             SearchResult result = results.next();
@@ -229,7 +241,7 @@ public class LDAPLoginModule implements LoginModule {
 
             Attributes attrs = result.getAttributes();
             if (attrs == null) {
-                return false;
+                throw new FailedLoginException("User found, but LDAP entry malformed: " + username);
             }
             List<String> roles = null;
             if (isLoginPropertySet(USER_ROLE_NAME)) {
@@ -240,19 +252,26 @@ public class LDAPLoginModule implements LoginModule {
             if (bindUser(context, dn, password)) {
                 // if authenticated add more roles
                 roles = getRoles(context, dn, username, roles);
+                if (log.isDebugEnabled()) {
+                    log.debug("Roles " + roles + " for user " + username);
+                }
                 for (int i = 0; i < roles.size(); i++) {
                     groups.add(new GroupPrincipal(roles.get(i)));
                 }
             } else {
-                return false;
+                throw new FailedLoginException("Password does not match for user: " + username);
             }
         } catch (CommunicationException e) {
-
+            FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
+            ex.initCause(e);
+            throw ex;
         } catch (NamingException e) {
             if (context != null) {
                 close(context);
             }
-            return false;
+            FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
+            ex.initCause(e);
+            throw ex;
         }
 
         return true;
@@ -281,6 +300,12 @@ public class LDAPLoginModule implements LoginModule {
         } else {
             constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
         }
+        if (log.isDebugEnabled()) {
+            log.debug("Get user roles.");
+            log.debug("Looking for the user roles in LDAP with ");
+            log.debug("  base DN: " + getLDAPPropertyValue(ROLE_BASE));
+            log.debug("  filter: " + filter);
+        }
         NamingEnumeration<SearchResult> results = context.search(getLDAPPropertyValue(ROLE_BASE), filter, constraints);
         while (results.hasMore()) {
             SearchResult result = results.next();
@@ -325,14 +350,22 @@ public class LDAPLoginModule implements LoginModule {
     protected boolean bindUser(DirContext context, String dn, String password) throws NamingException {
         boolean isValid = false;
 
+        if (log.isDebugEnabled()) {
+            log.debug("Binding the user.");
+        }
         context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
         context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
         try {
             context.getAttributes("", null);
             isValid = true;
+            if (log.isDebugEnabled()) {
+                log.debug("User " + dn + " successfully bound.");
+            }
         } catch (AuthenticationException e) {
             isValid = false;
-            log.debug("Authentication failed for dn=" + dn);
+            if (log.isDebugEnabled()) {
+                log.debug("Authentication failed for dn=" + dn);
+            }
         }
 
         if (isLoginPropertySet(CONNECTION_USERNAME)) {
@@ -340,7 +373,6 @@ public class LDAPLoginModule implements LoginModule {
         } else {
             context.removeFromEnvironment(Context.SECURITY_PRINCIPAL);
         }
-
         if (isLoginPropertySet(CONNECTION_PASSWORD)) {
             context.addToEnvironment(Context.SECURITY_CREDENTIALS, getLDAPPropertyValue(CONNECTION_PASSWORD));
         } else {
diff --git a/activemq-jaas/src/test/resources/activemq-ldap.xml b/activemq-jaas/src/test/resources/activemq-ldap.xml
new file mode 100644
index 0000000000..d6e6d5c50a
--- /dev/null
+++ b/activemq-jaas/src/test/resources/activemq-ldap.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<!-- START SNIPPET: xbean -->
+<beans
+  xmlns="http://www.springframework.org/schema/beans"
+  xmlns:amq="http://activemq.apache.org/schema/core"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+
+  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+  <broker useJmx="false"  xmlns="http://activemq.apache.org/schema/core" persistent="false">
+
+    <plugins>
+        <jaasAuthenticationPlugin configuration="OpenLdapConfiguration"/>
+    </plugins>
+
+    <transportConnectors>
+      <transportConnector uri="tcp://localhost:61616" />
+    </transportConnectors>
+
+  </broker>
+
+</beans>
+<!-- END SNIPPET: xbean -->
diff --git a/activemq-jaas/src/test/resources/login.config b/activemq-jaas/src/test/resources/login.config
index 7dd4f00b57..b588c25bed 100644
--- a/activemq-jaas/src/test/resources/login.config
+++ b/activemq-jaas/src/test/resources/login.config
@@ -52,3 +52,27 @@ GuestLoginWithDefaults {
     org.apache.activemq.jaas.GuestLoginModule required
         debug=true;
 };
+
+OpenLdapConfiguration {
+  org.apache.activemq.jaas.LDAPLoginModule required
+        debug=true
+        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+        connectionURL="ldap://localhost:389"
+        connectionUsername="cn=mqbroker,ou=Services,ou=system,dc=fusesource,dc=com"
+        connectionPassword="sunflower"
+        connectionProtocol="s"
+        topicSearchMatchingFormat="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=system,dc=fusesource,dc=com"
+        topicSearchSubtreeBool=true
+        authentication=simple
+        userBase="ou=User,ou=ActiveMQ,ou=system,dc=fusesource,dc=com"
+        userSearchMatching="(uid={0})"
+        userSearchSubtree=false
+        roleSearchMatching="(uid={1})"
+        queueSearchMatchingFormat="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system,dc=fusesource,dc=com"
+        queueSearchSubtreeBool=true
+        roleBase="ou=Group,ou=ActiveMQ,ou=system,dc=fusesource,dc=com"
+        roleName=cn
+        roleSearchMatching="(member:=uid={1})"
+        roleSearchSubtree=tru
+        ;
+};