From f7441b20aca47be602e0cc8afb66f03f5b9cfa87 Mon Sep 17 00:00:00 2001
From: Juan Carlos Luciani
Date: Mon, 22 Jan 2007 11:25:55 +0000
Subject: [PATCH] Added the ability to explicitedly configure the type of directory back-ending a REALM and the ability to configure the search string that should be utilized when performing a contextless login via the Pwd Authenticate mechanism.
---
 .../casa/authtoksvc/PwdAuthenticate.java | 34 +++---
 .../novell/casa/authtoksvc/RealmsInfo.java | 106 +++++++++++++-----
 .../server-java/Svc/templates/iaRealms.xml | 3 +-
 .../package/linux/CASA_auth_token_svc.changes | 10 ++
 4 files changed, 112 insertions(+), 41 deletions(-)

diff --git a/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java b/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java
index 6c9daedb..256aaa58 100644
--- a/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java
+++ b/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java
@@ -192,27 +192,31 @@ public final class PwdAuthenticate implements AuthMechanism, Serializable
 searchRoots = new String[] {""};
 }
 
- // Determine the search string to be utilized based on the type of directory
- // associated with the realm.
- String searchString;
- String realmType = m_svcConfig.m_realmsInfo.getType(authReqMsg.getRealm());
- if (realmType != null)
+ // Check if a search string has been configured
+ String searchString = m_svcConfig.m_realmsInfo.getCntxtlessSearchString(authReqMsg.getRealm());
+ if (searchString == null)
 {
- if (realmType.compareToIgnoreCase(RealmsInfo.eDirectoryRealm) == 0)
- searchString = "(cn={0})";
- else if (realmType.compareToIgnoreCase(RealmsInfo.ActiveDirectoryRealm) == 0)
- searchString = "(sAMAccountName={0})";
+ // Determine the search string to be utilized based on the type of directory
+ // associated with the realm.
+ String realmType = m_svcConfig.m_realmsInfo.getType(authReqMsg.getRealm());
+ if (realmType != null)
+ {
+ if (realmType.compareToIgnoreCase(RealmsInfo.eDirectoryRealm) == 0)
+ searchString = "(cn={0})";
+ else if (realmType.compareToIgnoreCase(RealmsInfo.ActiveDirectoryRealm) == 0)
+ searchString = "(sAMAccountName={0})";
+ else
+ {
+ System.err.println("PwdAuthenticate.invoke()- Unsupported realm type " + realmType);
+ throw new Exception("Realm configuration error");
+ }
+ }
 else
 {
- System.err.println("PwdAuthenticate.invoke()- Unsupported realm type " + realmType);
+ System.err.println("PwdAuthenticate.invoke()- Failed to obtain realm type for realm " + authReqMsg.getRealm());
 throw new Exception("Realm configuration error");
 }
 }
- else
- {
- System.err.println("PwdAuthenticate.invoke()- Failed to obtain realm type for realm " + authReqMsg.getRealm());
- throw new Exception("Realm configuration error");
- }
 
 // Go through the search roots stopping if the identity is resolved.
 for (int i = 0; i < searchRoots.length && identId == null; i++)
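Review bot: The configured value from `getCntxtlessSearchString(...)` is accepted as-is; only a null falls through to the realm-type defaults, so an empty string, or one without the `{0}` placeholder that both built-in defaults rely on, reaches the search loop unchanged. If that loop substitutes the user name into the pattern (it starts at the bottom of the hunk but runs past it, as does the enclosing method), a placeholder-less filter no longer depends on the supplied name at all, which is a configuration error worth failing on the same way an unsupported realm type already does. Suggest adding, after the `if (searchString == null)` block, `if (searchString.indexOf("{0}") < 0)` with the same System.err message style and `throw new Exception("Realm configuration error");` as the branches above.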
diff --git a/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/RealmsInfo.java b/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/RealmsInfo.java
index adf6bcbc..9349be69 100644
--- a/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/RealmsInfo.java
+++ b/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/RealmsInfo.java
@@ -50,11 +50,12 @@ public class RealmsInfo
 // Internal constants
 private final static String RealmUrl = "Url";
 private final static String RealmType = "Type";
+ private final static String CntxtlessSearchString = "CntxtlessSearchString";
 
 /**
 * String returned by getType method for Active Directory realms.
 */
- public final static String ActiveDirectoryRealm = "AD";
+ public final static String ActiveDirectoryRealm = "ActiveDir";
 
 /**
 * String returned by getType method for eDirectory realms.
@@ -94,6 +95,7 @@ public class RealmsInfo
 // We are dealing with a directory realm
 RealmInfo realmInfo = new RealmInfo();
 RealmTypeItem[] realmTypeItems = realm.getRealmTypeItem();
+ String principalName = null;
 for (int ii = 0; ii < realmTypeItems.length; ii++)
 {
 // Find the configure Proxy User Name for the realm and any configured
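Review bot: Changing the value of the public constant `ActiveDirectoryRealm` from "AD" to "ActiveDir" is an interface change rather than a cosmetic one: a `public final static String` initialised with a literal is a compile-time constant that javac inlines into client classes, so anything compiled against the old RealmsInfo and comparing `getType()` results keeps "AD" and silently stops matching until rebuilt. PwdAuthenticate in this patch compares through the constant, so it is fine once recompiled, but the javadoc `String returned by getType method for Active Directory realms.` should add that callers must compare via the constant and never the literal, and the value change deserves a line in the .changes entry. The new `CntxtlessSearchString` key is private and unaffected.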
@@ -107,30 +109,8 @@ public class RealmsInfo
 {
 if (env[iii].getProp().compareToIgnoreCase("java.naming.security.principal") == 0)
 {
- // We found the proxy user, now use it to determine whether or not
- // we are dealing with an Active Directory Server.
- //
- // Open a directory context and use it to read the "sAMAccountName"
- // users attribute which theoretically should only be valid on an AD
- // server.
- Hashtable env2 = new Hashtable();
- env2.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory");
- env2.put(Realm.REALM_CONFIG_LOCATION, realmConfigFilePath);
- env2.put(Realm.REALM_SELECTOR, realm.getId());
- DirContext ctx = new InitialDirContext(env2);
- String[] attributesNeeded = new String[1];
- attributesNeeded[0] = "sAMAccountName";
- Attributes attributes = ctx.getAttributes(env[iii].getValue(), attributesNeeded);
- NamingEnumeration ae = attributes.getAll();
- if (ae != null && ae.hasMore())
- {
- realmInfo.m_keyValueMap.put(RealmType, ActiveDirectoryRealm);
- }
- else
- {
- realmInfo.m_keyValueMap.put(RealmType, eDirectoryRealm);
- }
+ // We found the proxy user name. Save it in case it is needed later.
+ principalName = env[iii].getValue();
 }
 else if (env[iii].getProp().compareToIgnoreCase("com.novell.casa.authtoksvc.searchroot") == 0)
 {
@@ -149,6 +129,29 @@ public class RealmsInfo
 realmInfo.m_searchRoots = newSearchRoots;
 }
 }
+ else if (env[iii].getProp().compareToIgnoreCase("com.novell.casa.authtoksvc.directory_type") == 0)
+ {
+ // We are dealing with a directory type, decode it and record the result.
+ String realmDirectoryType = env[iii].getValue();;
+ if (realmDirectoryType.compareToIgnoreCase("eDir") == 0)
+ {
+ realmInfo.m_keyValueMap.put(RealmType, eDirectoryRealm);
+ }
+ else if (realmDirectoryType.compareToIgnoreCase("ActiveDirectory") == 0)
+ {
+ realmInfo.m_keyValueMap.put(RealmType, ActiveDirectoryRealm);
+ }
+ else
+ {
+ // Ignore parameter
+ System.err.println("RealmsInfo: Unknown directory type");
+ }
+ }
+ else if (env[iii].getProp().compareToIgnoreCase("com.novell.casa.authtoksvc.contextless_search_string") == 0)
+ {
+ // We are dealing with the contextless search string, keep track of it.
+ realmInfo.m_keyValueMap.put(CntxtlessSearchString, env[iii].getValue());
+ }
 }
 }
 }
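Review bot: The unknown-type branch logs `RealmsInfo: Unknown directory type` without the offending value or the realm and then ignores it, so the realm silently falls back to auto-detection; an operator typo in `com.novell.casa.authtoksvc.directory_type` is easy to miss, especially since the accepted spellings are "eDir" and "ActiveDirectory" while the `ActiveDirectoryRealm` constant now carries "ActiveDir". Suggest `System.err.println("RealmsInfo: Unknown directory type " + realmDirectoryType + " for realm " + realm.getId());`, and consider whether a value that is present but unrecognised should be a hard configuration error, as an unsupported realm type already is in PwdAuthenticate. `String realmDirectoryType = env[iii].getValue();;` has a stray second semicolon, and if getValue() can return null for an empty element (not visible here) the following compareToIgnoreCase throws a NullPointerException out of configuration loading; the same question applies to the contextless_search_string value stored verbatim in the next branch.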
@@ -159,6 +162,44 @@ public class RealmsInfo
 }
 }
 
+ // Check if we must try to determine the directory type
+ if (realmInfo.m_keyValueMap.get(RealmType) == null)
+ {
+ // The directory type has not been determined, check if the proxy username was configured.
+ if (principalName != null)
+ {
+ // The proxy user name was configured, use it to determine whether or not
+ // we are dealing with an Active Directory Server.
+ //
+ // Open a directory context and use it to read the "sAMAccountName"
+ // users attribute which theoretically should only be valid on an AD
+ // server.
+ Hashtable env = new Hashtable();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory");
+ env.put(Realm.REALM_CONFIG_LOCATION, realmConfigFilePath);
+ env.put(Realm.REALM_SELECTOR, realm.getId());
+
+ DirContext ctx = new InitialDirContext(env);
+ String[] attributesNeeded = new String[1];
+ attributesNeeded[0] = "sAMAccountName";
+ Attributes attributes = ctx.getAttributes(principalName, attributesNeeded);
+ NamingEnumeration ae = attributes.getAll();
+ if (ae != null && ae.hasMore())
+ {
+ realmInfo.m_keyValueMap.put(RealmType, ActiveDirectoryRealm);
+ }
+ else
+ {
+ realmInfo.m_keyValueMap.put(RealmType, eDirectoryRealm);
+ }
+ }
+ else
+ {
+ // The principal name was not configured, default to eDir.
+ realmInfo.m_keyValueMap.put(RealmType, eDirectoryRealm);
+ }
+ }
+
 m_realmsMap.put(realm.getId(), realmInfo);
 }
 }
@@ -208,4 +249,19 @@ public class RealmsInfo
 else
 return null;
 }
+
+ /**
+ * Get Contexless Search String.
+ *
+ * @param realmId Realm id.
+ * @return ContextlessSearchString or null if no match found.
+ */
+ final String getCntxtlessSearchString(String realmId)
+ {
+ RealmInfo realmInfo = m_realmsMap.get(realmId);
+ if (realmInfo != null)
+ return realmInfo.m_keyValueMap.get(CntxtlessSearchString);
+ else
+ return null;
+ }
 }
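Review bot: The `DirContext` opened by `new InitialDirContext(env)` for the sAMAccountName probe is never closed, and neither is the `NamingEnumeration ae`, so every realm that omits an explicit directory_type but has a proxy principal leaks a directory connection during configuration load (the removed code had the same leak, and moving it is the natural moment to fix it). The enclosing method starts and ends outside the hunk, and `new InitialDirContext` and `getAttributes` already let NamingException propagate here, so a try/finally that closes both resources fits the existing error handling; the sketch below leaves the classification logic untouched. Note also that a probe failure (wrong proxy credentials, unreachable server) presumably propagates out of the realm loop as before, which is fail-closed but worth a one-line comment on the `if (principalName != null)` branch so nobody "fixes" it into a silent eDir default.
```java
DirContext ctx = new InitialDirContext(env);
try
{
    String[] attributesNeeded = new String[1];
    attributesNeeded[0] = "sAMAccountName";
    Attributes attributes = ctx.getAttributes(principalName, attributesNeeded);
    NamingEnumeration ae = attributes.getAll();
    try
    {
        // … unchanged: record ActiveDirectoryRealm or eDirectoryRealm from ae.hasMore() …
    }
    finally
    {
        if (ae != null)
            ae.close();
    }
}
finally
{
    ctx.close();
}
```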
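Review bot: The javadoc on `getCntxtlessSearchString` misspells its subject (`Get Contexless Search String.`) and says nothing about how the value is used, which matters because PwdAuthenticate appears to hand it straight to the directory search as the filter template (the search loop there is outside the hunk). Suggest `* Get the contextless-login search filter template configured for the realm; PwdAuthenticate uses it verbatim, and its built-in defaults carry a {0} placeholder for the user name.` as the summary, and `@return the configured search string, or null if the realm is unknown or no string was configured.` for the return tag, since the single null currently conflates both cases.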
diff --git a/CASA-auth-token/server-java/Svc/templates/iaRealms.xml b/CASA-auth-token/server-java/Svc/templates/iaRealms.xml index 9b54ded6..a783be9d 100644 --- a/CASA-auth-token/server-java/Svc/templates/iaRealms.xml +++ b/CASA-auth-token/server-java/Svc/templates/iaRealms.xml @@ -11,8 +11,9 @@ > + - ldaps://LDAP_HOST_NAME:LDAP_LISTEN_PORT + ldaps://LDAP_HOST_NAME:LDAP_LISTEN_PORT diff --git a/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc.changes b/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc.changes index 9970900a..c9ed57b1 100644 --- a/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc.changes +++ b/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Jan 22 16:10:36 MST 2007 - jluciani@novell.com + +- Added the ability to explicitedly configure the type of + directory back-ending a realm. + +- Added the ability to configure the search string that should + be utilized when performing contextless-login as part of + the Password authentication process. + ------------------------------------------------------------------- Fri Jan 19 16:30:03 MST 2007 - jluciani@novell.com