You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by ba...@apache.org on 2018/08/22 16:42:01 UTC
svn commit: r1838659 - in /jackrabbit/oak/branches/1.8: ./
oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/
oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/
oak-auth-ldap/src/te...
Author: baedke
Date: Wed Aug 22 16:42:01 2018
New Revision: 1838659
URL: http://svn.apache.org/viewvc?rev=1838659&view=rev
Log:
OAK-7428: LdapIdentityProvider doesn't support creating external ids from the uid attribute
Implemented.
Modified:
jackrabbit/oak/branches/1.8/ (props changed)
jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java
jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java
jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java
jackrabbit/oak/branches/1.8/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java
jackrabbit/oak/branches/1.8/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java
jackrabbit/oak/branches/1.8/oak-doc/src/site/markdown/security/authentication/ldap.md
Propchange: jackrabbit/oak/branches/1.8/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Aug 22 16:42:01 2018
@@ -1,3 +1,3 @@
/jackrabbit/oak/branches/1.0:1665962
-/jackrabbit/oak/trunk:1820660-1820661,1820729,1820734,1820859,1820861,1820878,1820888,1820947,1821027,1821130,1821140-1821141,1821178,1821237,1821240,1821249,1821258,1821325,1821358,1821361-1821362,1821370,1821375,1821393,1821477,1821487,1821516,1821617,1821663,1821665,1821668,1821681,1821847,1821975-1821983,1822121,1822201,1822207,1822527,1822723,1822808,1822850,1822934,1823135,1823163,1823169,1823172,1823655,1823669,1824196,1824198,1824253,1824255,1824896,1824962,1825065,1825362,1825381,1825442,1825448,1825466,1825470-1825471,1825475,1825523,1825525,1825561,1825619-1825621,1825651,1825654,1825992,1826079,1826090,1826096,1826216,1826237,1826338,1826516,1826532,1826551,1826560,1826638,1826640,1826730,1826932,1826957,1827423,1827472,1827486,1827977,1828349,1828439,1828529,1828948,1829527,1829534,1829546,1829569,1829854,1829864,1829978,1829985,1829987,1829998,1830019,1830048,1830160,1830171,1830197,1830209,1830347,1830748,1831157-1831158,1831163,1831374,1831560,1832258,1832376,1832379
,1832535,1833308,1833347,1833833,1834610,1834648-1834649,1834681,1834823,1834857-1834858,1835060,1835518,1835642,1835780,1835819,1836487,1836493,1837475,1837657,1837998,1838076,1838637
+/jackrabbit/oak/trunk:1820660-1820661,1820729,1820734,1820859,1820861,1820878,1820888,1820947,1821027,1821130,1821140-1821141,1821178,1821237,1821240,1821249,1821258,1821325,1821358,1821361-1821362,1821370,1821375,1821393,1821477,1821487,1821516,1821617,1821663,1821665,1821668,1821681,1821847,1821975-1821983,1822121,1822201,1822207,1822527,1822723,1822808,1822850,1822934,1823135,1823163,1823169,1823172,1823655,1823669,1824196,1824198,1824253,1824255,1824896,1824962,1825065,1825362,1825381,1825442,1825448,1825466,1825470-1825471,1825475,1825523,1825525,1825561,1825619-1825621,1825651,1825654,1825992,1826079,1826090,1826096,1826216,1826237,1826338,1826516,1826532,1826551,1826560,1826638,1826640,1826730,1826932,1826957,1827423,1827472,1827486,1827977,1828349,1828439,1828529,1828948,1829527,1829534,1829546,1829569,1829587,1829665,1829854,1829864,1829978,1829985,1829987,1829998,1830019,1830048,1830160,1830171,1830197,1830209,1830239,1830347,1830748,1831157-1831158,1831163,1831190,1831374
,1831560,1832258,1832376,1832379,1832535,1833308,1833347,1833833,1834610,1834648-1834649,1834681,1834823,1834857-1834858,1835060,1835518,1835642,1835780,1835819,1836487,1836493,1837475,1837657,1837998,1838076,1838637
/jackrabbit/trunk:1345480
Modified: jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java?rev=1838659&r1=1838658&r2=1838659&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java (original)
+++ jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java Wed Aug 22 16:42:01 2018
@@ -20,6 +20,7 @@ import java.util.Map;
import javax.annotation.Nonnull;
+import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
@@ -28,15 +29,15 @@ public class LdapGroup extends LdapIdent
private Map<String, ExternalIdentityRef> members;
- public LdapGroup(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path) {
- super(provider, ref, id, path);
+ public LdapGroup(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path, Entry entry) {
+ super(provider, ref, id, path, entry);
}
@Nonnull
@Override
public Iterable<ExternalIdentityRef> getDeclaredMembers() throws ExternalIdentityException {
if (members == null) {
- members = provider.getDeclaredMemberRefs(ref);
+ members = provider.getDeclaredMemberRefs(ref, entry.getDn().getName());
}
return members.values();
}
Modified: jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java?rev=1838659&r1=1838658&r2=1838659&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java (original)
+++ jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java Wed Aug 22 16:42:01 2018
@@ -20,6 +20,7 @@ import java.util.Map;
import javax.annotation.Nonnull;
+import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
@@ -37,15 +38,22 @@ public abstract class LdapIdentity imple
protected final String path;
+ protected final Entry entry;
+
private Map<String, ExternalIdentityRef> groups;
private final LdapIdentityProperties properties = new LdapIdentityProperties();
- protected LdapIdentity(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path) {
+ protected LdapIdentity(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path, Entry entry) {
this.provider = provider;
this.ref = ref;
this.id = id;
this.path = path;
+ this.entry = entry;
+ }
+
+ public Entry getEntry() {
+ return entry;
}
/**
@@ -91,7 +99,7 @@ public abstract class LdapIdentity imple
@Override
public Iterable<ExternalIdentityRef> getDeclaredGroups() throws ExternalIdentityException {
if (groups == null) {
- groups = provider.getDeclaredGroupRefs(ref);
+ groups = provider.getDeclaredGroupRefs(ref, entry.getDn().getName());
}
return groups.values();
}
Modified: jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java?rev=1838659&r1=1838658&r2=1838659&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java (original)
+++ jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java Wed Aug 22 16:42:01 2018
@@ -343,7 +343,7 @@ public class LdapIdentityProvider implem
return null;
}
final SimpleCredentials creds = (SimpleCredentials) credentials;
- final ExternalUser user = getUser(creds.getUserID());
+ final LdapUser user = (LdapUser)getUser(creds.getUserID());
if (user != null) {
// OAK-2078: check for non-empty passwords to avoid anonymous bind on weakly configured servers
// see http://tools.ietf.org/html/rfc4513#section-5.1.1 for details.
@@ -361,7 +361,8 @@ public class LdapIdentityProvider implem
connection = userPool.getConnection();
}
timer.mark("connect");
- connection.bind(user.getExternalId().getId(), new String(creds.getPassword()));
+ connection.bind(user.getEntry().getDn(), new String(creds.getPassword()));
+ //connection.bind(user.getExternalId().getId(), new String(creds.getPassword()));
timer.mark("bind");
if (log.isDebugEnabled()) {
log.debug("authenticate({}) {}", user.getId(), timer.getString());
@@ -394,11 +395,11 @@ public class LdapIdentityProvider implem
* @param ref reference to the identity
* @return map of identities where the key is the DN of the LDAP entity
*/
- Map<String, ExternalIdentityRef> getDeclaredGroupRefs(ExternalIdentityRef ref) throws ExternalIdentityException {
+ Map<String, ExternalIdentityRef> getDeclaredGroupRefs(ExternalIdentityRef ref, String dn) throws ExternalIdentityException {
if (!isMyRef(ref)) {
return Collections.emptyMap();
}
- String searchFilter = config.getMemberOfSearchFilter(ref.getId());
+ String searchFilter = config.getMemberOfSearchFilter(dn);
LdapConnection connection = null;
SearchCursor searchCursor = null;
@@ -458,7 +459,7 @@ public class LdapIdentityProvider implem
* @return map of identity refers
* @throws ExternalIdentityException if an error occurs
*/
- Map<String, ExternalIdentityRef> getDeclaredMemberRefs(ExternalIdentityRef ref) throws ExternalIdentityException {
+ Map<String, ExternalIdentityRef> getDeclaredMemberRefs(ExternalIdentityRef ref, String dn) throws ExternalIdentityException {
if (!isMyRef(ref)) {
return Collections.emptyMap();
}
@@ -468,7 +469,7 @@ public class LdapIdentityProvider implem
DebugTimer timer = new DebugTimer();
connection = connect();
timer.mark("connect");
- Entry entry = connection.lookup(ref.getId());
+ Entry entry = connection.lookup(dn);
timer.mark("lookup");
Attribute attr = entry.get(config.getGroupMemberAttribute());
if (attr == null) {
@@ -790,46 +791,38 @@ public class LdapIdentityProvider implem
@Nonnull
private ExternalUser createUser(@Nonnull Entry entry, @CheckForNull String id)
throws LdapInvalidAttributeValueException {
- ExternalIdentityRef ref = new ExternalIdentityRef(entry.getDn().getName(), this.getName());
- if (id == null) {
- String idAttribute = config.getUserConfig().getIdAttribute();
- Attribute attr = entry.get(idAttribute);
- if (attr == null) {
- throw new LdapInvalidAttributeValueException(ResultCodeEnum.CONSTRAINT_VIOLATION,
- "no value found for attribute '" + idAttribute + "' for entry " + entry);
- }
- id = attr.getString();
- }
- String path = config.getUserConfig().makeDnPath()
- ? createDNPath(entry.getDn())
- : null;
- LdapUser user = new LdapUser(this, ref, id, path);
- Map<String, Object> props = user.getProperties();
- applyAttributes(props, entry);
- return user;
+ return (ExternalUser) createIdentity(entry, id, false);
}
@Nonnull
- private ExternalGroup createGroup(@Nonnull Entry entry, @CheckForNull String name)
+ private ExternalGroup createGroup(@Nonnull Entry entry, @CheckForNull String id)
throws LdapInvalidAttributeValueException {
- ExternalIdentityRef ref = new ExternalIdentityRef(entry.getDn().getName(), this.getName());
- if (name == null) {
- String idAttribute = config.getGroupConfig().getIdAttribute();
+ return (ExternalGroup) createIdentity(entry, id, true);
+ }
+
+ @Nonnull
+ private ExternalIdentity createIdentity(@Nonnull Entry entry, @CheckForNull String id, boolean isGroup)
+ throws LdapInvalidAttributeValueException {
+ LdapProviderConfig.Identity cfg = isGroup ? config.getGroupConfig() : config.getUserConfig();
+ if (id == null) {
+ String idAttribute = cfg.getIdAttribute();
Attribute attr = entry.get(idAttribute);
if (attr == null) {
throw new LdapInvalidAttributeValueException(ResultCodeEnum.CONSTRAINT_VIOLATION,
"no value found for attribute '" + idAttribute + "' for entry " + entry);
}
- name = attr.getString();
+ id = attr.getString();
}
- String path = config.getGroupConfig().makeDnPath()
+ String extId = config.getUseUidForExtId() ? id : entry.getDn().getName();
+ ExternalIdentityRef ref = new ExternalIdentityRef(extId, this.getName());
+ String path = cfg.makeDnPath()
? createDNPath(entry.getDn())
: null;
- LdapGroup group = new LdapGroup(this, ref, name, path);
- Map<String, Object> props = group.getProperties();
+ LdapIdentity identity = isGroup ? new LdapGroup(this, ref, id, path, entry)
+ : new LdapUser(this, ref, id, path, entry);
+ Map<String, Object> props = identity.getProperties();
applyAttributes(props, entry);
- return group;
-
+ return identity;
}
private void applyAttributes(Map<String, Object> props, Entry entry)
Modified: jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java?rev=1838659&r1=1838658&r2=1838659&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java (original)
+++ jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java Wed Aug 22 16:42:01 2018
@@ -406,6 +406,21 @@ public class LdapProviderConfig {
public static final String PARAM_GROUP_MEMBER_ATTRIBUTE = "group.memberAttribute";
/**
+ * @see #getUseUidForExtId()
+ */
+ public static final boolean PARAM_USE_UID_FOR_EXT_ID_DEFAULT = false;
+
+ /**
+ * @see #getUseUidForExtId()
+ */
+ @Property(
+ label = "Use user id for external ids",
+ description = "If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead.",
+ boolValue = PARAM_USE_UID_FOR_EXT_ID_DEFAULT
+ )
+ public static final String PARAM_USE_UID_FOR_EXT_ID = "useUidForExtId";
+
+ /**
* @see Identity#getCustomAttributes()
*/
public static final String[] PARAM_CUSTOM_ATTRIBUTES_DEFAULT = {};
@@ -632,6 +647,7 @@ public class LdapProviderConfig {
* Sets the cap on the number of objects that can be allocated by the pool.
*
* @see #getMaxActive
+ * @param maxActive the new upper limit of the pool size
* @return this
*/
@Nonnull
@@ -644,7 +660,7 @@ public class LdapProviderConfig {
* Defines if the lookup on validate flag is enabled. If enable a connection that taken from the
* pool are validated before used. currently this is done by performing a lookup to the ROOT DSE, which
* might not be allowed on all LDAP servers.
-
+ *
* @return {@code true} if the flag is enabled.
*/
public boolean lookupOnValidate() {
@@ -655,6 +671,7 @@ public class LdapProviderConfig {
* Sets the lookup on validate flag.
*
* @see #lookupOnValidate()
+ * @param lookupOnValidate the new value of the lookup on validate flag
* @return this
*/
@Nonnull
@@ -689,7 +706,8 @@ public class LdapProviderConfig {
.setBindDN(params.getConfigValue(PARAM_BIND_DN, PARAM_BIND_DN_DEFAULT))
.setBindPassword(params.getConfigValue(PARAM_BIND_PASSWORD, PARAM_BIND_PASSWORD_DEFAULT))
.setGroupMemberAttribute(params.getConfigValue(PARAM_GROUP_MEMBER_ATTRIBUTE, PARAM_GROUP_MEMBER_ATTRIBUTE_DEFAULT))
- .setCustomAttributes(params.getConfigValue(PARAM_CUSTOM_ATTRIBUTES, PARAM_CUSTOM_ATTRIBUTES_DEFAULT));
+ .setCustomAttributes(params.getConfigValue(PARAM_CUSTOM_ATTRIBUTES, PARAM_CUSTOM_ATTRIBUTES_DEFAULT))
+ .setUseUidForExtId(params.getConfigValue(PARAM_USE_UID_FOR_EXT_ID, PARAM_USE_UID_FOR_EXT_ID_DEFAULT));
ConfigurationParameters.Milliseconds ms = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_SEARCH_TIMEOUT, PARAM_SEARCH_TIMEOUT_DEFAULT));
if (ms != null) {
@@ -741,6 +759,8 @@ public class LdapProviderConfig {
private String groupMemberAttribute = PARAM_GROUP_MEMBER_ATTRIBUTE;
+ private boolean useUidForExtId = PARAM_USE_UID_FOR_EXT_ID_DEFAULT;
+
private String memberOfFilterTemplate;
private String[] customAttributes = PARAM_CUSTOM_ATTRIBUTES_DEFAULT;
@@ -988,6 +1008,29 @@ public class LdapProviderConfig {
}
/**
+ * If true, the value of the user id (resp. group name) attribute will be used to create external identifiers. Otherwise the DN will be used, which is the default.
+ *
+ * @return true iff the value of the user id (resp. group name) attribute will be used to create external identifiers
+ */
+ @Nonnull
+ public boolean getUseUidForExtId() {
+ return useUidForExtId;
+ }
+
+ /**
+ * Sets the flag that controls if the user id (resp. gruop name) will be used instead of the DN to create external ids.
+ *
+ * @see #getUseUidForExtId()
+ * @param useUidForExtId the new value of #useUidForExtId
+ * @return {@code this}
+ */
+ @Nonnull
+ public LdapProviderConfig setUseUidForExtId(boolean useUidForExtId) {
+ this.useUidForExtId = useUidForExtId;
+ return this;
+ }
+
+ /**
* Optionally configures an array of attribute names that will be retrieved when looking up LDAP entries.
* Defaults to the empty array indicating that all attributes will be retrieved.
*
@@ -1158,6 +1201,7 @@ public class LdapProviderConfig {
sb.append(", bindPassword='***'");
sb.append(", searchTimeout=").append(searchTimeout);
sb.append(", groupMemberAttribute='").append(groupMemberAttribute).append('\'');
+ sb.append(", useUidForExtId='").append(useUidForExtId).append('\'');
sb.append(", memberOfFilterTemplate='").append(memberOfFilterTemplate).append('\'');
sb.append(", adminPoolConfig=").append(adminPoolConfig);
sb.append(", userPoolConfig=").append(userPoolConfig);
Modified: jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java?rev=1838659&r1=1838658&r2=1838659&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java (original)
+++ jackrabbit/oak/branches/1.8/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java Wed Aug 22 16:42:01 2018
@@ -16,13 +16,14 @@
*/
package org.apache.jackrabbit.oak.security.authentication.ldap.impl;
+import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
public class LdapUser extends LdapIdentity implements ExternalUser {
- public LdapUser(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path) {
- super(provider, ref, id, path);
+ public LdapUser(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path, Entry entry) {
+ super(provider, ref, id, path, entry);
}
}
Modified: jackrabbit/oak/branches/1.8/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.8/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java?rev=1838659&r1=1838658&r2=1838659&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.8/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java (original)
+++ jackrabbit/oak/branches/1.8/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java Wed Aug 22 16:42:01 2018
@@ -39,8 +39,10 @@ import javax.security.auth.login.LoginEx
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.constants.ServerDNConstants;
+import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentity;
import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider;
import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig;
+import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
@@ -199,7 +201,7 @@ public class LdapProviderTest {
public void testGetUserByUserId() throws Exception {
ExternalUser user = idp.getUser(TEST_USER1_UID);
assertNotNull("User 1 must exist", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
+ assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
}
@Test
@@ -220,12 +222,32 @@ public class LdapProviderTest {
assertThat(properties, Matchers.not(Matchers.<String, Object>hasEntry("mail", "hhornblo@royalnavy.mod.uk")));
}
- @Test
- public void testAuthenticate() throws Exception {
+ private void authenticateInternal(LdapIdentityProvider idp, String id) throws Exception {
SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
ExternalUser user = idp.authenticate(creds);
assertNotNull("User 1 must authenticate", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
+ assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
+ assertEquals("User Ref", id, user.getExternalId().getId());
+ }
+
+ @Test
+ public void testAuthenticate() throws Exception {
+ authenticateInternal(idp, TEST_USER1_DN);
+
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ authenticateInternal(idp, TEST_USER1_UID);
+ }
+
+ private void authenticateValidateInternal(LdapIdentityProvider idp, String id) throws Exception {
+ SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
+ for (int i=0; i<8; i++) {
+ ExternalUser user = this.idp.authenticate(creds);
+ assertNotNull("User 1 must authenticate (i=" + i + ")", user);
+ assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
+ assertEquals("User Ref", id, user.getExternalId().getId());
+ }
}
@Test
@@ -238,13 +260,12 @@ public class LdapProviderTest {
.setLookupOnValidate(false);
idp.close();
idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_DN);
- SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
- for (int i=0; i<8; i++) {
- ExternalUser user = idp.authenticate(creds);
- assertNotNull("User 1 must authenticate", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
- }
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_UID);
}
@Test
@@ -257,13 +278,12 @@ public class LdapProviderTest {
.setLookupOnValidate(true);
idp.close();
idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_DN);
- SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
- for (int i=0; i<8; i++) {
- ExternalUser user = idp.authenticate(creds);
- assertNotNull("User 1 must authenticate", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
- }
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_UID);
}
@Test
@@ -276,13 +296,12 @@ public class LdapProviderTest {
.setLookupOnValidate(false);
idp.close();
idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_DN);
- SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
- for (int i=0; i<8; i++) {
- ExternalUser user = idp.authenticate(creds);
- assertNotNull("User 1 must authenticate (i=" + i + ")", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
- }
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_UID);
}
@Test
@@ -295,13 +314,12 @@ public class LdapProviderTest {
.setLookupOnValidate(true);
idp.close();
idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_DN);
- SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
- for (int i=0; i<8; i++) {
- ExternalUser user = idp.authenticate(creds);
- assertNotNull("User 1 must authenticate (i=" + i + ")", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
- }
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_UID);
}
@Test
@@ -309,7 +327,16 @@ public class LdapProviderTest {
SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID.toUpperCase(), "pass".toCharArray());
ExternalUser user = idp.authenticate(creds);
assertNotNull("User 1 must authenticate", user);
+ assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
+
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ user = idp.authenticate(creds);
+ assertNotNull("User 1 must authenticate", user);
+ assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
+ assertEquals("User Ref", TEST_USER1_UID.toUpperCase(), user.getExternalId().getId());
}
@Test
@@ -356,10 +383,9 @@ public class LdapProviderTest {
public void testGetGroupByName() throws Exception {
ExternalGroup group = idp.getGroup(TEST_GROUP1_NAME);
assertNotNull("Group 1 must exist", group);
- assertEquals("Group Ref", TEST_GROUP1_DN, group.getExternalId().getId());
+ assertEquals("Group Ref", TEST_GROUP1_DN, ((LdapIdentity)group).getEntry().getDn().getName());
}
-
@Test
public void testGetMembers() throws Exception {
ExternalIdentityRef ref = new ExternalIdentityRef(TEST_GROUP1_DN, IDP_NAME);
Modified: jackrabbit/oak/branches/1.8/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.8/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java?rev=1838659&r1=1838658&r2=1838659&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.8/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java (original)
+++ jackrabbit/oak/branches/1.8/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java Wed Aug 22 16:42:01 2018
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
import javax.jcr.GuestCredentials;
+import org.apache.jackrabbit.oak.security.authentication.ldap.LdapProviderTest;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.sling.testing.mock.osgi.junit.OsgiContext;
@@ -70,13 +71,13 @@ public class LdapIdentityProviderOsgiTes
@Test
public void testGetDeclaredGroupRefsForeignRef() throws Exception {
ExternalIdentityRef ref = new ExternalIdentityRef("id", "anotherName");
- assertTrue(provider.getDeclaredGroupRefs(ref).isEmpty());
+ assertTrue(provider.getDeclaredGroupRefs(ref, LdapProviderTest.TEST_USER1_DN).isEmpty());
}
@Test
public void testGetDeclaredMemberRefsForeignRef() throws Exception {
ExternalIdentityRef ref = new ExternalIdentityRef("id", "anotherName");
- assertTrue(provider.getDeclaredMemberRefs(ref).isEmpty());
+ assertTrue(provider.getDeclaredMemberRefs(ref, LdapProviderTest.TEST_GROUP1_DN).isEmpty());
}
@Test(expected = ExternalIdentityException.class)
Modified: jackrabbit/oak/branches/1.8/oak-doc/src/site/markdown/security/authentication/ldap.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.8/oak-doc/src/site/markdown/security/authentication/ldap.md?rev=1838659&r1=1838658&r2=1838659&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.8/oak-doc/src/site/markdown/security/authentication/ldap.md (original)
+++ jackrabbit/oak/branches/1.8/oak-doc/src/site/markdown/security/authentication/ldap.md Wed Aug 22 16:42:01 2018
@@ -74,28 +74,30 @@ Oak repository:
The LDAP IPDs are configured through the [org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig]
which is populated either via OSGi or during manual [Repository Construction](../../construct.html).
-| Name | Property | Description |
-|------------------------------|-------------------------|------------------------------------------|
-| LDAP Provider Name | `provider.name` | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. |
-| Bind DN | `bind.dn` | DN of the user for authentication. Leave empty for anonymous bind. |
-| Bind Password | `bind.password` | Password of the user for authentication. |
-| LDAP Server Hostname | `host.name` | Hostname of the LDAP server |
-| Disable certificate checking | `host.noCertCheck` | Indicates if server certificate validation should be disabled. |
-| LDAP Server Port | `host.port` | Port of the LDAP server |
-| Use SSL | `host.ssl` | Indicates if an SSL (LDAPs) connection should be used. |
-| Use TLS | `host.tls` | Indicates if TLS should be started on connections. |
-| Search Timeout | `searchTimeout` | Time in until a search times out (eg: '1s' or '1m 30s'). |
-| User base DN | `user.baseDN` | The base DN for user searches. |
-| User extra filter | `user.extraFilter` | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` |
-| User id attribute | `user.idAttribute` | Name of the attribute that contains the user id. |
-| User DN paths | `user.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
-| User object classes | `user.objectclass` | The list of object classes an user entry must contain. |
-| Group base DN | `group.baseDN` | The base DN for group searches. |
-| Group extra filter | `group.extraFilter` | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` |
-| Group DN paths | `group.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
-| Group member attribute | `group.memberAttribute` | Group attribute that contains the member(s) of a group. |
-| Group name attribute | `group.nameAttribute` | Name of the attribute that contains the group name. |
-| Group object classes | `group.objectclass` | The list of object classes a group entry must contain. |
+| Name | Property | Description |
+|-------------------------------|-------------------------|------------------------------------------|
+| LDAP Provider Name | `provider.name` | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. |
+| Bind DN | `bind.dn` | DN of the user for authentication. Leave empty for anonymous bind. |
+| Bind Password | `bind.password` | Password of the user for authentication. |
+| LDAP Server Hostname | `host.name` | Hostname of the LDAP server |
+| Disable certificate checking | `host.noCertCheck` | Indicates if server certificate validation should be disabled. |
+| LDAP Server Port | `host.port` | Port of the LDAP server |
+| Use SSL | `host.ssl` | Indicates if an SSL (LDAPs) connection should be used. |
+| Use TLS | `host.tls` | Indicates if TLS should be started on connections. |
+| Search Timeout | `searchTimeout` | Time in until a search times out (eg: '1s' or '1m 30s'). |
+| User base DN | `user.baseDN` | The base DN for user searches. |
+| User extra filter | `user.extraFilter` | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` |
+| User id attribute | `user.idAttribute` | Name of the attribute that contains the user id. |
+| User DN paths | `user.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
+| User object classes | `user.objectclass` | The list of object classes an user entry must contain. |
+| Group base DN | `group.baseDN` | The base DN for group searches. |
+| Group extra filter | `group.extraFilter` | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` |
+| Group DN paths | `group.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
+| Group member attribute | `group.memberAttribute` | Group attribute that contains the member(s) of a group. |
+| Group name attribute | `group.nameAttribute` | Name of the attribute that contains the group name. |
+| Group object classes | `group.objectclass` | The list of object classes a group entry must contain. |
+| Use user id for external ids | `useUidForExtId` | If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead. |
+| Custom Attributes | `customattributes` | Attributes retrieved when looking up LDAP entries. Leave empty to retrieve all attributes. |
| | | |
#### SyncHandler and External Login Module