 
                        
        
                        
        com.orientechnologies.security.ldap.OLDAPLibrary Maven / Gradle / Ivy
/**
 * Copyright 2010-2016 OrientDB LTD (http://orientdb.com)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * 	http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * For more information: http://www.orientdb.com
 */
package com.orientechnologies.security.ldap;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.PrivilegedAction;
import java.util.Hashtable;
import java.util.List;
import javax.naming.*;
import javax.naming.directory.*; // Attribute, Attributes, DirContext
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.NamingEnumeration;
import javax.security.auth.Subject;
import com.orientechnologies.common.log.OLogManager;
/**
 * LDAP Library
 * 
 * @author S. Colin Leister
 * 
 */
public class OLDAPLibrary
{
	public static DirContext openContext(final Subject subject, final List ldapServers, final boolean debug)
	{
		return Subject.doAs(subject, new PrivilegedAction()
		{
			public DirContext run()
			{
				DirContext dc = null;
				
				// Set up environment for creating initial context
				Hashtable env = new Hashtable();
				env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
				// Request the use of the "GSSAPI" SASL mechanism
				// Authenticate by using already established Kerberos credentials
				env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
				for(OLDAPServer ldap : ldapServers)
				{
					try
					{
						String url = ldap.getURL();
					
						// If the LDAPServer info is marked as an alias, then the real hostname needs to be acquired.
						if(ldap.isAlias()) url = getRealURL(ldap, debug);
					
						// Must use fully qualified hostname
						env.put(Context.PROVIDER_URL, url);
	
						if(debug) OLogManager.instance().info(null, "OLDAPLibrary.openContext() Trying ProviderURL: " + url);
						
						// Create initial context
						dc = new InitialDirContext(env);
						break;
					}
					catch(Exception ex)
					{
						OLogManager.instance().error(null, "OLDAPLibrary.openContext() Exception: ", ex);			
					}
				}
				return dc;
			}
		});
	}
	// If the LDAPServer's isAlias() returns true, then the specified hostname is an alias, requiring a reverse
	// look-up of its IP address to resolve the real hostname to use.  This is often used with DNS round-robin.
	private static String getRealURL(OLDAPServer ldap, final boolean debug) throws UnknownHostException
	{
		String realURL = ldap.getURL();
		
		if(ldap.isAlias())
		{
			if(debug) OLogManager.instance().info(null, "OLDAPLibrary.getRealURL() Alias hostname = " + ldap.getHostname());
			
			// Get the returned IP address from the alias.
			// May throw an UnknownHostException		
			InetAddress ipAddress = InetAddress.getByName(ldap.getHostname());
			if(debug) OLogManager.instance().info(null, "OLDAPLibrary.getRealURL() IP Address = " + ipAddress.getHostAddress());
			
			// Now that we have the IP address, use it to get the real hostname.
			// We create a new InetAddress object, because hostnames are cached.
			InetAddress realAddress = InetAddress.getByName(ipAddress.getHostAddress());
			
			if(debug) OLogManager.instance().info(null, "OLDAPLibrary.getRealURL() Real hostname = " + realAddress.getHostName());
			
			realURL = ldap.getURL(realAddress.getHostName());
			
			if(debug) OLogManager.instance().info(null, "OLDAPLibrary.getRealURL() Real URL = " + realURL);
		}
		
		return realURL;
	}
	public static void retrieveUsers(DirContext ctx, final String baseDN, final String filter, final List principalList, final boolean debug)
	{
		try
		{
			if(ctx != null)
			{
				// If we're just obtaining users matching a filterDN, switch to a SearchControl.
//				traverse(ctx, startingDN, filterDN, principalList, debug);
				SearchControls sctls = new SearchControls();
				sctls.setSearchScope(SearchControls.SUBTREE_SCOPE); // Recursive
				String[] attribFilter = {"userPrincipalName", "altSecurityIdentities"};
				sctls.setReturningAttributes(attribFilter);
				
				NamingEnumeration ne = ctx.search(baseDN, filter, sctls);  // "(userPrincipalName=*)"
				
				while(ne.hasMore())
				{
					SearchResult sr = (SearchResult)ne.next();
					
					addPrincipal(sr, principalList, debug);
				}
			}
			else
			{
				if(debug) OLogManager.instance().error(null, "OLDAPLibrary.retrieveUsers() DirContext is null", null);
			}
		}
		catch(Exception ex)
		{
			OLogManager.instance().error(null, "OLDAPLibrary.retrieveUsers() Exception: ", ex);
		}
	}
	private static void addPrincipal(SearchResult sr, List principalList, final boolean debug)
	{
		try
		{
			Attributes attrs = sr.getAttributes();
			
			if(attrs != null)
			{
/*				
				// userPrincipalName	
				String upn = getUserPrincipalName(attrs);
				
				if(debug) OLogManager.instance().info(null, "OLDAPLibrary.addPrincipal() userPrincipalName: " + upn);
				if(upn != null)
				{
					// Some UPNs, especially in 'altSecurityIdentities' will store the UPNs as such "Kerberos: [email protected]"
					upn = removeKerberos(upn, debug);
					
					principalList.add(upn); //upn.toLowerCase());
				}
	*/			
				fillAttributeList(attrs, "userPrincipalName", principalList, debug);
				
				fillAttributeList(attrs, "altSecurityIdentities", principalList, debug);
			}
		}
		catch(Exception ex)
		{
			OLogManager.instance().error(null, "OLDAPLibrary.addPrincipal() Exception: ", ex);
		}
	}
	private static void traverse(DirContext ctx, String startingDN, String memberOfFilter, List principalList, final boolean debug)
	{
		try
		{
			if(debug) OLogManager.instance().info(null, "OLDAPLibrary.traverse() startingDN: %s, memberOfFilter: %s", startingDN, memberOfFilter);
			
			Attributes attrs = ctx.getAttributes(startingDN);
			if(attrs != null)
			{
				if(debug) OLogManager.instance().info(null, "OLDAPLibrary.traverse() Found attributes for startingDN: %s", startingDN);
				Attribute member = attrs.get("member");
						
				if(member != null)
				{
					for(NamingEnumeration ae = member.getAll(); ae.hasMore();)
					{
						String path = (String)ae.next();
							
						findMembers(ctx, path, memberOfFilter, principalList, debug);
					}
				}
				else
				{
					if(debug) OLogManager.instance().info(null, "OLDAPLibrary.traverse() startingDN: %s has no \"member\" attributes.", startingDN);
				}
			}
			else
			{
				if(debug) OLogManager.instance().error(null,
						"OLDAPLibrary.traverse() Unable to find attributes for startingDN: %s", null, startingDN);
			}
		}
		catch(Exception ex)
		{
			OLogManager.instance().error(null, "OLDAPLibrary.traverse() Exception: ", ex);
		}
	}
	private static void findMembers(DirContext ctx, String startingDN, String memberOfFilter, List principalList, final boolean debug)
	{
		try
		{
			Attributes attrs = ctx.getAttributes(startingDN);
			
			if(attrs != null)
			{
				if(debug) OLogManager.instance().info(null, "OLDAPLibrary.findMembers() Found attributes for startingDN: %s", startingDN);
				
				if(isGroup(attrs))
				{
					if(debug) OLogManager.instance().info(null, "OLDAPLibrary.findMembers() Found group for startingDN: %s", startingDN);
					
					Attribute member = attrs.get("member");
					
					if(member != null)
					{
						for(NamingEnumeration ae = member.getAll(); ae.hasMore();)
						{
							String path = (String)ae.next();
							findMembers(ctx, path, memberOfFilter, principalList, debug);
						}
					}
				}
				else
				if(isUser(attrs))
				{
					if(debug) OLogManager.instance().info(null, "OLDAPLibrary.findMembers() Found user for startingDN: %s", startingDN);
					if(isMemberOf(attrs, memberOfFilter))
					{					
						// userPrincipalName	
						String upn = getUserPrincipalName(attrs);
						
						if(debug) OLogManager.instance().info(null, "OLDAPLibrary.findMembers() StartingDN: " + startingDN + ", userPrincipalName: " + upn);
						if(upn != null)
						{
							// Some UPNs, especially in 'altSecurityIdentities' will store the UPNs as such "Kerberos: [email protected]"
							upn = removeKerberos(upn, debug);
							principalList.add(upn); //upn.toLowerCase());
						}
						
						fillAttributeList(attrs, "altSecurityIdentities", principalList, debug);
					}
				}
			}
			else
			{
				OLogManager.instance().error(null,
						"OLDAPLibrary.findMembers() Unable to find attributes for startingDN: %s", null, startingDN);
			}
		}
		catch(Exception ex)
		{
			OLogManager.instance().error(null, "OLDAPLibrary.findMembers() Exception: ", ex);
		}
	}
	
	// Separates the distinguished name and returns the top-level name.
	private static String getName(final String dn)
	{
		String name = null;
		
		String[] names = dn.split(",");
		
		if(names.length >= 1)
		{
			// >= 4 because "CN=" is 3
			if(names[0].length() >= 4)
			{
				name = names[0].substring(3);
			}	
		}
		
		return name;
	}
	private static void fillAttributeList(Attributes attrs, String name, List list, final boolean debug)
	{
		try
		{
			Attribute attribute = attrs.get(name);
			
			if(attribute != null && attribute.size() > 0)
			{
				NamingEnumeration> ne = attribute.getAll();
				while(ne.hasMore())
				{
					String value = (String)ne.next();
					
					// Some UPNs, especially in 'altSecurityIdentities' will store the UPNs as such "Kerberos: [email protected]"
					value = removeKerberos(value, debug);
					
					list.add(value); //value.toLowerCase());
				}
			}
		}
		catch(Exception ex)
		{
			OLogManager.instance().error(null, "OLDAPLibrary fillAttributeList(" + name + ")", ex);
		}
	}
	
	private static String getFirstValue(Attributes attrs, String name)
	{
		try
		{
			Attribute attribute = attrs.get(name);
			
			if(attribute != null && attribute.size() > 0)
			{
				return (String)attribute.get(0);
			}
		}
		catch(Exception ex)
		{
			OLogManager.instance().error(null, "OLDAPLibrary.getFirstValue(" + name + ") ", ex);
		}
		
		return null;
	}
	private static String getUserPrincipalName(Attributes attrs)
	{
		return getFirstValue(attrs, "userPrincipalName");
	}
	private static boolean isGroup(Attributes attrs)
	{
		String objCategoryDN = getFirstValue(attrs, "objectCategory");
		
		if(objCategoryDN != null)
		{
			String objCategory = getName(objCategoryDN);
			
			if(objCategory.equalsIgnoreCase("Group")) return true;
		}
		
		return false;
	}
	private static boolean isUser(Attributes attrs)
	{
		String objCategoryDN = getFirstValue(attrs, "objectCategory");
		
		if(objCategoryDN != null)
		{
			String objCategory = getName(objCategoryDN);
			
			if(objCategory.equalsIgnoreCase("User") || objCategory.equalsIgnoreCase("Person")) return true;
		}
		
		return false;
	}
	private static boolean isMemberOf(Attributes attrs, String memberOfFilter)
	{
		try
		{
			Attribute memberOfAttr = attrs.get("memberOf");
			
			if(memberOfAttr != null)
			{
				for(NamingEnumeration mo = memberOfAttr.getAll(); mo.hasMore();)
				{
					String value = (String)mo.next();
					
					if(value.equalsIgnoreCase(memberOfFilter))
					{
						return true;
					}
				}
			}
			else
			{
				OLogManager.instance().error(null, "OLDAPLibrary.isMemberOf() Has no 'memberOf' attribute.", null);
			}
		}
		catch(Exception ex)
		{
			OLogManager.instance().error(null, "OLDAPLibrary.isMemberOf()", ex);
		}
		
		return false;	
	}
	// Some UPNs, especially in 'altSecurityIdentities' will store the UPNs as such "Kerberos: [email protected]"
	private static String removeKerberos(String upn, final boolean debug)
	{
		if((upn.startsWith("kerberos:") || upn.startsWith("Kerberos:")) && upn.length() > 9)
		{
			if(debug) OLogManager.instance().info(null, "OLDAPLibrary.removeKerberos() upn before: %s", upn);
			upn = upn.substring(9);
			upn.trim();
			
			if(debug) OLogManager.instance().info(null, "OLDAPLibrary.removeKerberos() upn after: %s", upn);
		}
		
		return upn;
	}
}
         © 2015 - 2025 Weber Informatics LLC | Privacy Policy