Issue #2691 replace static dn by subtee based ldap lookup for an entry inside _userBaseDn (#2842)

* replace static dn by subtee based ldap lookup for an entry inside _userBaseDn
* additional ldap tests to cover enhancement of #2842

Signed-off-by: Alexei Pastuchov <alexei.pastuchov@telecolumbus.de>
This commit is contained in:
Алексей Пастухов 2018-09-11 07:57:48 +02:00 committed by Olivier Lamy
parent 2dd5fec4f4
commit 04941fd44c
2 changed files with 101 additions and 24 deletions

View File

@ -329,9 +329,16 @@ public class LdapLoginModule extends AbstractLoginModule
}
}
String userDn = _userRdnAttribute + "=" + rdnValue + "," + _userBaseDn;
String filter = "({0}={1})";
return getUserRolesByDn(dirContext, userDn);
Object[] filterArguments = new Object[]{
_userRdnAttribute,
rdnValue
};
SearchResult searchResult = findUser(dirContext, filter, filterArguments);
return getUserRolesByDn(dirContext, searchResult.getNameInNamespace());
}
private List<String> getUserRolesByDn(DirContext dirContext, String userDn) throws NamingException
@ -547,11 +554,6 @@ public class LdapLoginModule extends AbstractLoginModule
private SearchResult findUser(String username) throws LoginException
{
SearchControls ctls = new SearchControls();
ctls.setCountLimit(1);
ctls.setDerefLinkFlag(true);
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String filter = "(&(objectClass={0})({1}={2}))";
if (LOG.isDebugEnabled())
@ -563,24 +565,36 @@ public class LdapLoginModule extends AbstractLoginModule
username
};
return findUser(_rootContext, filter, filterArguments);
}
private SearchResult findUser(DirContext dirContext, String filter, Object[] filterArguments) throws LoginException
{
SearchControls ctls = new SearchControls();
ctls.setDerefLinkFlag(true);
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> results;
try
{
NamingEnumeration<SearchResult> results = _rootContext.search(_userBaseDn, filter, filterArguments, ctls);
if (LOG.isDebugEnabled())
LOG.debug("Found user?: " + results.hasMoreElements());
if (!results.hasMoreElements())
{
throw new FailedLoginException("User not found.");
}
return results.nextElement();
results = _rootContext.search(_userBaseDn, filter, filterArguments, ctls);
}
catch (NamingException ne)
{
throw new FailedLoginException(ne.getMessage());
}
if (LOG.isDebugEnabled())
LOG.debug("Found user?: " + results.hasMoreElements());
if (!results.hasMoreElements())
throw new FailedLoginException("User not found.");
SearchResult searchResult = (SearchResult)results.nextElement();
if (results.hasMoreElements())
throw new FailedLoginException("Search result contains ambiguous entries");
return searchResult;
}

View File

@ -58,13 +58,13 @@ import static org.junit.Assert.*;
"objectClass: top",
"ou: people",
// Entry # 2
"dn:uid=someone, ou=people,dc=jetty,dc=org",
"dn:uid=someone,ou=people,dc=jetty,dc=org",
"objectClass: inetOrgPerson",
"cn: someone",
"sn: sn test",
"userPassword: complicatedpassword",
// Entry # 3
"dn:uid=someoneelse, ou=people,dc=jetty,dc=org",
"dn:uid=someoneelse,ou=people,dc=jetty,dc=org",
"objectClass: inetOrgPerson",
"cn: someoneelse",
"sn: sn test",
@ -75,27 +75,67 @@ import static org.junit.Assert.*;
"objectClass: top",
"ou: groups",
// Entry 5
"dn: ou=subdir,ou=people,dc=jetty,dc=org",
"objectClass: organizationalunit",
"objectClass: top",
"ou: subdir",
// Entry # 6
"dn:uid=uniqueuser,ou=subdir,ou=people,dc=jetty,dc=org",
"objectClass: inetOrgPerson",
"cn: uniqueuser",
"sn: unique user",
"userPassword: hello123",
// Entry # 7
"dn:uid=ambiguousone,ou=people,dc=jetty,dc=org",
"objectClass: inetOrgPerson",
"cn: ambiguous1",
"sn: ambiguous user",
"userPassword: foobar",
// Entry # 8
"dn:uid=ambiguousone,ou=subdir,ou=people,dc=jetty,dc=org",
"objectClass: inetOrgPerson",
"cn: ambiguous2",
"sn: ambiguous subdir user",
"userPassword: barfoo",
// Entry 9
"dn: cn=developers,ou=groups,dc=jetty,dc=org",
"objectClass: groupOfUniqueNames",
"objectClass: top",
"ou: groups",
"description: People who try to build good software",
"uniquemember: uid=someone, ou=people, dc=jetty,dc=org",
"uniquemember: uid=someone,ou=people,dc=jetty,dc=org",
"uniquemember: uid=uniqueuser,ou=subdir,ou=people,dc=jetty,dc=org",
"cn: developers",
// Entry 6
// Entry 10
"dn: cn=admin,ou=groups,dc=jetty,dc=org",
"objectClass: groupOfUniqueNames",
"objectClass: top",
"ou: groups",
"description: People who try to run software build by developers",
"uniquemember: uid=someone, ou=people, dc=jetty,dc=org",
"uniquemember: uid=someoneelse, ou=people, dc=jetty,dc=org",
"uniquemember: uid=someone,ou=people,dc=jetty,dc=org",
"uniquemember: uid=someoneelse,ou=people,dc=jetty,dc=org",
"uniquemember: uid=uniqueuser,ou=subdir,ou=people,dc=jetty,dc=org",
"cn: admin"
})
public class JAASLdapLoginServiceTest
{
private static LdapServer _ldapServer;
private JAASLoginService jaasLoginService(String name) {
JAASLoginService ls = new JAASLoginService("foo");
ls.setCallbackHandlerClass("org.eclipse.jetty.jaas.callback.DefaultCallbackHandler");
ls.setIdentityService(new DefaultIdentityService());
ls.setConfiguration(new TestConfiguration(true));
return ls;
}
private UserIdentity doLogin(String username, String password) throws Exception
{
JAASLoginService ls = jaasLoginService("foo");
Request request = new Request(null, null);
return ls.login( username, password, request);
}
public static LdapServer getLdapServer() {
return _ldapServer;
}
@ -174,4 +214,27 @@ public class JAASLdapLoginServiceTest
}
@Test
public void testLdapBindingSubdirUniqueUserName() throws Exception
{
UserIdentity userIdentity = doLogin("uniqueuser", "hello123");
assertNotNull( userIdentity );
assertTrue( userIdentity.isUserInRole( "developers", null) );
assertTrue( userIdentity.isUserInRole( "admin", null) );
assertFalse( userIdentity.isUserInRole( "blabla", null) );
}
@Test
public void testLdapBindingAmbiguousUserName() throws Exception
{
UserIdentity userIdentity = doLogin( "ambiguousone", "foobar");
assertNull( userIdentity );
}
@Test
public void testLdapBindingSubdirAmbiguousUserName() throws Exception
{
UserIdentity userIdentity = doLogin( "ambiguousone", "barfoo");
assertNull( userIdentity );
}
}