You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by el...@apache.org on 2013/05/13 16:47:11 UTC
svn commit: r1481894 - in /directory/apacheds/trunk:
core-api/src/main/java/org/apache/directory/server/core/api/
core-integ/src/test/resources/
interceptors/authn/src/main/java/org/apache/directory/server/core/authn/
interceptors/changelog/src/test/ja...
Author: elecharny
Date: Mon May 13 14:47:10 2013
New Revision: 1481894
URL: http://svn.apache.org/r1481894
Log:
o The LDAP principal now stores all the user passwords (we may have moe than one)
o Fixed some logs
o We now check all the userPasswords when processing a simple authentication
o Added a test to see if we can bind using 2 different passwords for a given user
Modified:
directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/api/LdapPrincipal.java
directory/apacheds/trunk/core-integ/src/test/resources/log4j.properties
directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
directory/apacheds/trunk/interceptors/changelog/src/test/java/org/apache/directory/server/core/changelog/MemoryChangeLogStoreTest.java
directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/bind/SimpleBindRequestTest.java
directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/request/BindRequestHandler.java
directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/DelegatingAuthenticatorBean.java
directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthIT.java
Modified: directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/api/LdapPrincipal.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/api/LdapPrincipal.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/api/LdapPrincipal.java (original)
+++ directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/api/LdapPrincipal.java Mon May 13 14:47:10 2013
@@ -49,7 +49,7 @@ public final class LdapPrincipal impleme
/** The userPassword
* @todo security risk remove this immediately
*/
- private byte[] userPassword;
+ private byte[][] userPasswords;
/** The SchemaManager */
private SchemaManager schemaManager;
@@ -77,7 +77,7 @@ public final class LdapPrincipal impleme
}
this.authenticationLevel = authenticationLevel;
- this.userPassword = null;
+ this.userPasswords = null;
}
@@ -95,8 +95,9 @@ public final class LdapPrincipal impleme
{
this.dn = dn;
this.authenticationLevel = authenticationLevel;
- this.userPassword = new byte[userPassword.length];
- System.arraycopy( userPassword, 0, this.userPassword, 0, userPassword.length );
+ this.userPasswords = new byte[1][];
+ this.userPasswords[0] = new byte[userPassword.length];
+ System.arraycopy( userPassword, 0, this.userPasswords[0], 0, userPassword.length );
this.schemaManager = schemaManager;
}
@@ -108,7 +109,7 @@ public final class LdapPrincipal impleme
public LdapPrincipal()
{
authenticationLevel = AuthenticationLevel.NONE;
- userPassword = null;
+ userPasswords = null;
}
@@ -119,7 +120,7 @@ public final class LdapPrincipal impleme
public LdapPrincipal( SchemaManager schemaManager )
{
authenticationLevel = AuthenticationLevel.NONE;
- userPassword = null;
+ userPasswords = null;
this.schemaManager = schemaManager;
}
@@ -156,16 +157,23 @@ public final class LdapPrincipal impleme
}
- public byte[] getUserPassword()
+ public byte[][] getUserPasswords()
{
- return userPassword;
+ return userPasswords;
}
- public void setUserPassword( byte[] userPassword )
+ public void setUserPassword( byte[]... userPasswords )
{
- this.userPassword = new byte[userPassword.length];
- System.arraycopy( userPassword, 0, this.userPassword, 0, userPassword.length );
+ this.userPasswords = new byte[userPasswords.length][];
+ int pos = 0;
+
+ for ( byte[] userPassword : userPasswords )
+ {
+ this.userPasswords[pos] = new byte[userPassword.length];
+ System.arraycopy( userPassword, 0, this.userPasswords[pos], 0, userPassword.length );
+ pos++;
+ }
}
@@ -177,9 +185,9 @@ public final class LdapPrincipal impleme
{
LdapPrincipal clone = ( LdapPrincipal ) super.clone();
- if ( userPassword != null )
+ if ( userPasswords != null )
{
- clone.setUserPassword( userPassword );
+ clone.setUserPassword( userPasswords );
}
return clone;
Modified: directory/apacheds/trunk/core-integ/src/test/resources/log4j.properties
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/resources/log4j.properties?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/resources/log4j.properties (original)
+++ directory/apacheds/trunk/core-integ/src/test/resources/log4j.properties Mon May 13 14:47:10 2013
@@ -23,7 +23,7 @@ log4j.appender.stdout.layout.ConversionP
#log4j.logger.org=FATAL
log4j.logger.jdbm.recman.BaseRecordManager=FATAL
log4j.logger.org.apache.directory.server.OPERATIONS_LOG=FATAL
-log4j.logger.org.apache.directory.server.OPERATION_TIME=DEBUG
+log4j.logger.org.apache.directory.server.OPERATION_TIME=FATAL
log4j.logger.org.apache.directory.api.CODEC_LOG=FATAL
log4j.logger.org.apache.directory.server.ACI_LOG=FATAL
log4j.logger.org.apache.directory.server.PROVIDER_LOG=FATAL
Modified: directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java (original)
+++ directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java Mon May 13 14:47:10 2013
@@ -28,7 +28,6 @@ import java.util.Arrays;
import javax.naming.Context;
import org.apache.commons.collections.map.LRUMap;
-import org.apache.commons.lang.ArrayUtils;
import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.api.ldap.model.constants.LdapSecurityConstants;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
@@ -40,7 +39,6 @@ import org.apache.directory.api.ldap.mod
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.password.PasswordUtil;
import org.apache.directory.api.util.Base64;
-import org.apache.directory.api.util.StringConstants;
import org.apache.directory.api.util.Strings;
import org.apache.directory.api.util.UnixCrypt;
import org.apache.directory.server.core.api.DirectoryService;
@@ -133,26 +131,28 @@ public class SimpleAuthenticator extends
}
}
- byte[] storedPassword;
+ byte[][] storedPasswords;
if ( principal == null )
{
// Not found in the cache
// Get the user password from the backend
- storedPassword = lookupUserPassword( bindContext );
+ storedPasswords = lookupUserPassword( bindContext );
// Deal with the special case where the user didn't enter a password
// We will compare the empty array with the credentials. Sometime,
// a user does not set a password. This is bad, but there is nothing
// we can do against that, except education ...
- if ( storedPassword == null )
+ if ( storedPasswords == null )
{
- storedPassword = ArrayUtils.EMPTY_BYTE_ARRAY;
+ storedPasswords = new byte[][]
+ {};
}
// Create the new principal before storing it in the cache
principal = new LdapPrincipal( getDirectoryService().getSchemaManager(), bindContext.getDn(),
- AuthenticationLevel.SIMPLE, storedPassword );
+ AuthenticationLevel.SIMPLE );
+ principal.setUserPassword( storedPasswords );
// Now, update the local cache ONLY if pwdpolicy is not enabled.
if ( !getDirectoryService().isPwdPolicyEnabled() )
@@ -198,25 +198,26 @@ public class SimpleAuthenticator extends
}
// Get the stored password, either from cache or from backend
- byte[] storedPassword = principal.getUserPassword();
+ byte[][] storedPasswords = principal.getUserPasswords();
- // Now, compare the two passwords.
- if ( PasswordUtil.compareCredentials( credentials, storedPassword ) )
+ // Now, compare the passwords.
+ for ( byte[] storedPassword : storedPasswords )
{
- if ( IS_DEBUG )
+ if ( PasswordUtil.compareCredentials( credentials, storedPassword ) )
{
- LOG.debug( "{} Authenticated", bindContext.getDn() );
- }
+ if ( IS_DEBUG )
+ {
+ LOG.debug( "{} Authenticated", bindContext.getDn() );
+ }
- return principal;
- }
- else
- {
- // Bad password ...
- String message = I18n.err( I18n.ERR_230, bindContext.getDn().getName() );
- LOG.info( message );
- throw new LdapAuthenticationException( message );
+ return principal;
+ }
}
+
+ // Bad password ...
+ String message = I18n.err( I18n.ERR_230, bindContext.getDn().getName() );
+ LOG.info( message );
+ throw new LdapAuthenticationException( message );
}
@@ -226,7 +227,7 @@ public class SimpleAuthenticator extends
* @return the credentials from the backend
* @throws Exception if there are problems accessing backend
*/
- private byte[] lookupUserPassword( BindOperationContext bindContext ) throws LdapException
+ private byte[][] lookupUserPassword( BindOperationContext bindContext ) throws LdapException
{
// ---- lookup the principal entry's userPassword attribute
Entry userEntry;
@@ -277,8 +278,6 @@ public class SimpleAuthenticator extends
}
- Value<?> userPassword;
-
Attribute userPasswordAttr = userEntry.get( userPasswordAttribute );
bindContext.setEntry( new ClonedServerEntry( userEntry ) );
@@ -286,13 +285,21 @@ public class SimpleAuthenticator extends
// ---- assert that credentials match
if ( userPasswordAttr == null )
{
- return StringConstants.EMPTY_BYTES;
+ return new byte[][]
+ {};
}
else
{
- userPassword = userPasswordAttr.get();
+ byte[][] userPasswords = new byte[userPasswordAttr.size()][];
+ int pos = 0;
+
+ for ( Value<?> userPassword : userPasswordAttr )
+ {
+ userPasswords[pos] = userPassword.getBytes();
+ pos++;
+ }
- return userPassword.getBytes();
+ return userPasswords;
}
}
Modified: directory/apacheds/trunk/interceptors/changelog/src/test/java/org/apache/directory/server/core/changelog/MemoryChangeLogStoreTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/changelog/src/test/java/org/apache/directory/server/core/changelog/MemoryChangeLogStoreTest.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/interceptors/changelog/src/test/java/org/apache/directory/server/core/changelog/MemoryChangeLogStoreTest.java (original)
+++ directory/apacheds/trunk/interceptors/changelog/src/test/java/org/apache/directory/server/core/changelog/MemoryChangeLogStoreTest.java Mon May 13 14:47:10 2013
@@ -144,7 +144,7 @@ public class MemoryChangeLogStoreTest
assertEquals( principal.getAuthenticationLevel(), readPrincipal.getAuthenticationLevel() );
assertEquals( principal.getName(), readPrincipal.getName() );
assertEquals( principal.getDn(), readPrincipal.getDn() );
- assertNull( readPrincipal.getUserPassword() );
+ assertNull( readPrincipal.getUserPasswords() );
assertEquals( zuluTime, read.getZuluTime() );
assertEquals( revision, read.getRevision() );
Modified: directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/bind/SimpleBindRequestTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/bind/SimpleBindRequestTest.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/bind/SimpleBindRequestTest.java (original)
+++ directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/bind/SimpleBindRequestTest.java Mon May 13 14:47:10 2013
@@ -77,7 +77,21 @@ import org.junit.runner.RunWith;
"sn: administrator",
"displayName: Directory Superuser",
"uid: superuser",
- "userPassword: test" })
+ "userPassword: test",
+ "",
+ // Entry # 2
+ "dn: uid=superuser2,ou=system",
+ "objectClass: person",
+ "objectClass: organizationalPerson",
+ "objectClass: inetOrgPerson",
+ "objectClass: top",
+ "cn: superuser2",
+ "sn: administrator",
+ "displayName: Directory Superuser",
+ "uid: superuser2",
+ "userPassword: test1",
+ "userPassword: test2"
+ })
public class SimpleBindRequestTest extends AbstractLdapTestUnit
{
private LdapAsyncConnection connection;
@@ -90,6 +104,7 @@ public class SimpleBindRequestTest exten
public void setup() throws Exception
{
connection = new LdapNetworkConnection( "localhost", getLdapServer().getPort() );
+ connection.setTimeOut( 0L );
}
@@ -163,6 +178,34 @@ public class SimpleBindRequestTest exten
/**
+ * Test a successful simple bind request when the user has 2 passwords.
+ */
+ @Test
+ public void testSimpleBindRequest2Passwords() throws Exception
+ {
+ BindRequest bindRequest = new BindRequestImpl();
+ bindRequest.setDn( new Dn( "uid=superUser2,ou=system" ) );
+ bindRequest.setCredentials( "test1" );
+
+ BindResponse bindResponse = connection.bind( bindRequest );
+
+ assertNotNull( bindResponse );
+ assertEquals( ResultCodeEnum.SUCCESS, bindResponse.getLdapResult().getResultCode() );
+ assertTrue( connection.isAuthenticated() );
+
+ bindRequest = new BindRequestImpl();
+ bindRequest.setDn( new Dn( "uid=superUser2,ou=system" ) );
+ bindRequest.setCredentials( "test2" );
+
+ bindResponse = connection.bind( bindRequest );
+
+ assertNotNull( bindResponse );
+ assertEquals( ResultCodeEnum.SUCCESS, bindResponse.getLdapResult().getResultCode() );
+ assertTrue( connection.isAuthenticated() );
+ }
+
+
+ /**
* Test a successful blank (anonymous) bind request.
*/
@Test
Modified: directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/request/BindRequestHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/request/BindRequestHandler.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/request/BindRequestHandler.java (original)
+++ directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/request/BindRequestHandler.java Mon May 13 14:47:10 2013
@@ -318,8 +318,15 @@ public class BindRequestHandler extends
{
DirectoryService ds = ldapSession.getLdapServer().getDirectoryService();
String saslMechanism = bindRequest.getSaslMechanism();
- CoreSession userSession = ds.getSession( ldapPrincipal.getDn(), ldapPrincipal.getUserPassword(),
- saslMechanism, null );
+ byte[] password = null;
+
+ if ( ldapPrincipal.getUserPasswords() != null )
+ {
+ password = ldapPrincipal.getUserPasswords()[0];
+ }
+
+ CoreSession userSession = ds.getSession( ldapPrincipal.getDn(),
+ password, saslMechanism, null );
// Set the user session into the ldap session
ldapSession.setCoreSession( userSession );
Modified: directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/DelegatingAuthenticatorBean.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/DelegatingAuthenticatorBean.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/DelegatingAuthenticatorBean.java (original)
+++ directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/DelegatingAuthenticatorBean.java Mon May 13 14:47:10 2013
@@ -38,6 +38,14 @@ public class DelegatingAuthenticatorBean
@ConfigurationElement(attributeType = "ads-delegatePort")
private int delegatePort;
+ /** Tells if we use SSL to connect */
+ @ConfigurationElement(attributeType = "ads-delegateSsl")
+ private boolean delegateSsl;
+
+ /** The base DN which will be the starting point from which we use the delegator authenticator */
+ @ConfigurationElement(attributeType = "ads-delegateBaseDn")
+ private String delegateBaseDn;
+
/**
* @return the delegateHost
@@ -87,6 +95,8 @@ public class DelegatingAuthenticatorBean
sb.append( tabs ).append( " delegate host : " ).append( delegateHost ).append( '\n' );
sb.append( tabs ).append( " delegate port : " ).append( delegatePort ).append( '\n' );
+ sb.append( tabs ).append( " delegate base DN : " ).append( delegateBaseDn ).append( '\n' );
+ sb.append( tabs ).append( " delegate SSL : " ).append( delegateSsl ).append( '\n' );
return sb.toString();
}
Modified: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthIT.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthIT.java (original)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthIT.java Mon May 13 14:47:10 2013
@@ -45,7 +45,7 @@ import org.junit.runner.RunWith;
/**
- * Tests the server to make sure standard compare operations work properly.
+ * Tests the Delegated authenticator
*
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
*/
@@ -100,6 +100,8 @@ public class DelegatedAuthIT extends Abs
assertEquals( "DelegatedAuthIT-method", getService().getInstanceId() );
LdapConnection ldapConnection = new LdapNetworkConnection( "localhost", getLdapServer()
.getPort() );
+
+ ldapConnection.setTimeOut( 0L );
ldapConnection.bind( "uid=antoine,ou=users,ou=system", "secret" );
assertTrue( ldapConnection.isAuthenticated() );