Posted to oak-commits@jackrabbit.apache.org by ba...@apache.org on 2018/08/22 17:48:37 UTC

svn commit: r1838669 - in /jackrabbit/oak/branches/1.4: ./ oak-auth-ldap/ oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/ oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/ oak-a...

Author: baedke
Date: Wed Aug 22 17:48:37 2018
New Revision: 1838669

URL: http://svn.apache.org/viewvc?rev=1838669&view=rev
Log:
AK-7428: LdapIdentityProvider doesn't support creating external ids from the uid attribute

Implemented.

Added:
    jackrabbit/oak/branches/1.4/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/
    jackrabbit/oak/branches/1.4/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java
Modified:
    jackrabbit/oak/branches/1.4/   (props changed)
    jackrabbit/oak/branches/1.4/oak-auth-ldap/pom.xml
    jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java
    jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java
    jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
    jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
    jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java
    jackrabbit/oak/branches/1.4/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java
    jackrabbit/oak/branches/1.4/oak-doc/src/site/markdown/security/authentication/ldap.md

Propchange: jackrabbit/oak/branches/1.4/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Aug 22 17:48:37 2018
@@ -1,4 +1,4 @@
 /jackrabbit/oak/branches/1.0:1665962
 /jackrabbit/oak/branches/1.6:1802566,1819951,1819977,1830228,1835110
-/jackrabbit/oak/trunk:1733615,1733875,1733913,1733929,1734230,1734254,1734279,1734941,1735052,1735081,1735109,1735141,1735267,1735405,1735484,1735549,1735564,1735588,1735622,1735638,1735919,1735983,1736176,1737309-1737310,1737334,1737349,1737998,1738004,1738136,1738138,1738207,1738234,1738252,1738775,1738795,1738833,1738950,1738957,1738963,1739712,1739760,1739867,1739894,1739959-1739960,1740114,1740116,1740250,1740333,1740349,1740360,1740625-1740626,1740774,1740837,1740879,1740971,1741016,1741032,1741339,1741343,1742077,1742117,1742125,1742363,1742520,1742888,1742916,1743097,1743172,1743343,1743674,1744265,1744292,1744589,1744670,1744672,1744959,1745038,1745127,1745197,1745336,1745368,1746086,1746117,1746342,1746345,1746408,1746634,1746696,1746981,1747198,1747200,1747341-1747342,1747380,1747387,1747406,1747492,1747512,1747654,1748505,1748553,1748722,1748870,1749275,1749350,1749424,1749443,1749464,1749475,1749645,1749662,1749815,1749872,1749875,1749899,1750052,1750076-1750077,1750287
 ,1750457,1750462,1750465,1750495,1750626,1750656,1750809,1750886-1750887,1751396,1751410,1751419,1751445-1751446,1751478,1751748,1751753,1751755,1751871,1752198,1752202,1752259,1752273-1752274,1752283,1752292,1752438,1752447-1752448,1752508,1752596,1752616,1752659,1752672,1753262,1753331-1753332,1753335-1753336,1753355,1753444,1753481,1754117,1754239,1755157,1755191,1756505-1756506,1756520,1756580,1757119,1757166,1758213,1758713,1759433,1759754,1759795,1759826,1760326,1760340,1760373,1760387,1760486,1760492,1760494,1760661-1760662,1760677,1760701,1760709,1760946,1761412,1761444,1761571,1761762,1761787,1761866,1761876,1762453,1762463,1762612,1762632,1762635,1762825,1763347,1763355-1763356,1763378,1763465,1763735,1764475,1764678,1764705,1764814,1764898,1765817,1765983,1766071,1766390,1766423,1766496,1766519,1766554,1766644,1767025,1767265,1767502,1767704,1768446,1768637,1769078,1769939-1769940,1770694,1770982,1771022,1771093,1771098,1771739,1771852,1771870,1771902,1772155,1772162,1772
 228,1772593,1772768,1772906,1773190,1774141,1774256,1774445,1774497,1774519,1774787,1775474,1775622,1775628,1775757,1778112,1778423,1778968,1779137,1779478,1780388,1780424,1780538,1780543,1781068,1781075,1781386,1781846,1781907,1782476,1782966,1783066,1783089,1783104-1783105,1783110,1783619,1783720,1783738,1783773,1783855,1783891,1784023,1784034,1784130,1784251,1784551,1784574,1784689,1785161,1785172,1785283,1785838,1785946,1787074,1787217,1787425,1789056,1792463,1792742,1793013,1793088,1793644,1795314,1795330,1795475,1795488,1795491,1795613,1795618,1796144,1798035,1798832,1798834,1799219,1799389,1799924,1800974,1801011,1801013,1802548,1802973,1803026,1804437,1807308,1808125,1808128,1808142,1808240,1808246,1809024,1809026,1809163,1809745,1811380,1811655,1811952,1811963,1811986,1813538,1814189,1814332,1814397,1815438,1817326,1818645,1819048,1819050,1821325,1821516,1823172,1823655,1826237,1826640,1826932,1826957,1829527,1829987,1830019,1830160,1831374,1833308,1834648-1834649,1834681,1
 835060,1837475,1837998,1838637
+/jackrabbit/oak/trunk:1733615,1733875,1733913,1733929,1734230,1734254,1734279,1734941,1735052,1735081,1735109,1735141,1735267,1735405,1735484,1735549,1735564,1735588,1735622,1735638,1735919,1735983,1736176,1737309-1737310,1737334,1737349,1737998,1738004,1738136,1738138,1738207,1738234,1738252,1738775,1738795,1738833,1738950,1738957,1738963,1739712,1739760,1739867,1739894,1739959-1739960,1740114,1740116,1740250,1740333,1740349,1740360,1740625-1740626,1740774,1740837,1740879,1740971,1741016,1741032,1741339,1741343,1742077,1742117,1742125,1742363,1742520,1742888,1742916,1743097,1743172,1743343,1743674,1744265,1744292,1744589,1744670,1744672,1744959,1745038,1745127,1745197,1745336,1745368,1746086,1746117,1746342,1746345,1746408,1746634,1746696,1746981,1747198,1747200,1747341-1747342,1747380,1747387,1747406,1747492,1747512,1747654,1748505,1748553,1748722,1748870,1749275,1749350,1749424,1749443,1749464,1749475,1749645,1749662,1749815,1749872,1749875,1749899,1750052,1750076-1750077,1750287
 ,1750457,1750462,1750465,1750495,1750626,1750656,1750809,1750886-1750887,1751396,1751410,1751419,1751445-1751446,1751478,1751748,1751753,1751755,1751871,1752198,1752202,1752259,1752273-1752274,1752283,1752292,1752438,1752447-1752448,1752508,1752596,1752616,1752659,1752672,1753262,1753331-1753332,1753335-1753336,1753355,1753444,1753481,1754117,1754239,1755157,1755191,1756505-1756506,1756520,1756580,1757119,1757166,1758213,1758713,1759433,1759754,1759795,1759826,1760326,1760340,1760373,1760387,1760486,1760492,1760494,1760661-1760662,1760677,1760701,1760709,1760946,1761412,1761444,1761571,1761762,1761787,1761866,1761876,1762453,1762463,1762612,1762632,1762635,1762825,1763347,1763355-1763356,1763378,1763465,1763735,1764475,1764678,1764705,1764814,1764898,1765817,1765983,1766071,1766390,1766423,1766496,1766519,1766554,1766644,1767025,1767265,1767502,1767704,1768446,1768637,1769078,1769939-1769940,1770694,1770982,1771022,1771093,1771098,1771739,1771852,1771870,1771902,1772155,1772162,1772
 228,1772593,1772768,1772906,1773190,1774141,1774256,1774445,1774497,1774519,1774787,1775474,1775622,1775628,1775757,1778112,1778423,1778968,1779137,1779478,1780388,1780424,1780538,1780543,1781068,1781075,1781386,1781846,1781907,1782476,1782966,1783066,1783089,1783104-1783105,1783110,1783619,1783720,1783738,1783773,1783855,1783891,1784023,1784034,1784130,1784251,1784551,1784574,1784689,1785161,1785172,1785283,1785838,1785946,1787074,1787217,1787425,1789056,1792463,1792742,1793013,1793088,1793644,1795314,1795330,1795475,1795488,1795491,1795613,1795618,1796144,1798035,1798832,1798834,1799219,1799389,1799924,1800974,1801011,1801013,1802548,1802973,1803026,1804437,1807308,1808125,1808128,1808142,1808240,1808246,1809024,1809026,1809163,1809745,1811380,1811655,1811952,1811963,1811986,1813538,1814189,1814332,1814397,1815438,1817326,1818645,1819048,1819050,1821325,1821516,1823172,1823655,1826237,1826640,1826932,1826957,1829527,1829587,1829665,1829987,1830019,1830160,1830239,1831190,1831374,1
 833308,1834648-1834649,1834681,1835060,1837475,1837998,1838637
 /jackrabbit/trunk:1345480

Modified: jackrabbit/oak/branches/1.4/oak-auth-ldap/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-ldap/pom.xml?rev=1838669&r1=1838668&r2=1838669&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-ldap/pom.xml (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-ldap/pom.xml Wed Aug 22 17:48:37 2018
@@ -399,5 +399,17 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.testing.osgi-mock</artifactId>
+            <version>2.3.6</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>2.21.0</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>
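Review bot: the two new test dependencies pin their versions (`2.3.6` for `org.apache.sling.testing.osgi-mock`, `2.21.0` for `mockito-core`) directly in this module's pom; if the parent pom manages versions for the surrounding dependencies, move these into its `dependencyManagement` so the branch does not end up with mixed mockito versions across modules. Both being `test` scope is correct, since nothing in the main code of this change uses them.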

Modified: jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java?rev=1838669&r1=1838668&r2=1838669&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java Wed Aug 22 17:48:37 2018
@@ -20,6 +20,7 @@ import java.util.Map;
 
 import javax.annotation.Nonnull;
 
+import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
@@ -28,15 +29,15 @@ public class LdapGroup extends LdapIdent
 
     private Map<String, ExternalIdentityRef> members;
 
-    public LdapGroup(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path) {
-        super(provider, ref, id, path);
+    public LdapGroup(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path, Entry entry) {
+        super(provider, ref, id, path, entry);
     }
 
     @Nonnull
     @Override
     public Iterable<ExternalIdentityRef> getDeclaredMembers() throws ExternalIdentityException {
         if (members == null) {
-            members = provider.getDeclaredMemberRefs(ref);
+            members = provider.getDeclaredMemberRefs(ref, entry.getDn().getName());
         }
         return members.values();
     }
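Review bot: `getDeclaredMembers()` now dereferences `entry.getDn()`, but neither this constructor nor the one in `LdapIdentity` guards against a null `entry`. Annotate the new parameter `@Nonnull` (the class already imports it) or reject null in the constructor, so a missing entry fails at construction time instead of as an NPE during membership resolution.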

Modified: jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java?rev=1838669&r1=1838668&r2=1838669&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java Wed Aug 22 17:48:37 2018
@@ -20,6 +20,7 @@ import java.util.Map;
 
 import javax.annotation.Nonnull;
 
+import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
@@ -37,15 +38,22 @@ public abstract class LdapIdentity imple
 
     protected final String path;
 
+    protected final Entry entry;
+
     private Map<String, ExternalIdentityRef> groups;
 
     private final LdapIdentityProperties properties = new LdapIdentityProperties();
 
-    protected LdapIdentity(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path) {
+    protected LdapIdentity(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path, Entry entry) {
         this.provider = provider;
         this.ref = ref;
         this.id = id;
         this.path = path;
+        this.entry = entry;
+    }
+
+    public Entry getEntry() {
+        return entry;
     }
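Review bot: `getEntry()` makes the raw directory `Entry` part of the public surface of `LdapIdentity` without Javadoc, unlike the other accessors in this class. When `customAttributes` is left at its default the entry carries every attribute the server returned, so document that callers receive the complete entry, and consider whether exposing only the DN (which is all the call sites in this change need: `getDn().getName()` for the searches and `getDn()` for the bind) would be the smaller, safer API.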
 
     /**
@@ -91,7 +99,7 @@ public abstract class LdapIdentity imple
     @Override
     public Iterable<ExternalIdentityRef> getDeclaredGroups() throws ExternalIdentityException {
         if (groups == null) {
-            groups = provider.getDeclaredGroupRefs(ref);
+            groups = provider.getDeclaredGroupRefs(ref, entry.getDn().getName());
         }
         return groups.values();
     }
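Review bot: as in `LdapGroup.getDeclaredMembers()`, `entry.getDn().getName()` here assumes a non-null `entry`; a `@Nonnull` annotation or an explicit check in the `LdapIdentity` constructor covers both call sites at once.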

Modified: jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java?rev=1838669&r1=1838668&r2=1838669&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java Wed Aug 22 17:48:37 2018
@@ -334,7 +334,7 @@ public class LdapIdentityProvider implem
             return null;
         }
         final SimpleCredentials creds = (SimpleCredentials) credentials;
-        final ExternalUser user = getUser(creds.getUserID());
+        final LdapUser user = (LdapUser)getUser(creds.getUserID());
         if (user != null) {
             // OAK-2078: check for non-empty passwords to avoid anonymous bind on weakly configured servers
             // see http://tools.ietf.org/html/rfc4513#section-5.1.1 for details.
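Review bot: the cast in `final LdapUser user = (LdapUser)getUser(creds.getUserID());` relies on `getUser` always returning an `LdapUser`. That holds today because `createUser` is the only producer in this class, but the assumption sits in the login path, where a ClassCastException would be the failure mode; a short comment, or an internal lookup helper typed as `LdapUser` that `getUser` delegates to, would make it explicit.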
@@ -352,7 +352,8 @@ public class LdapIdentityProvider implem
                     connection = userPool.getConnection();
                 }
                 timer.mark("connect");
-                connection.bind(user.getExternalId().getId(), new String(creds.getPassword()));
+                connection.bind(user.getEntry().getDn(), new String(creds.getPassword()));
+                //connection.bind(user.getExternalId().getId(), new String(creds.getPassword()));
                 timer.mark("bind");
                 if (log.isDebugEnabled()) {
                     log.debug("authenticate({}) {}", user.getId(), timer.getString());
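Review bot: delete the commented-out `//connection.bind(user.getExternalId().getId(), new String(creds.getPassword()));` rather than leaving dead code; the history is in svn. Binding with `user.getEntry().getDn()` is the right choice now that the external id may hold the uid attribute value instead of the DN, since a uid is not a bindable name; a one-line comment stating that the bind must always use the entry DN regardless of `useUidForExtId` would keep the next reader from "simplifying" it back.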
@@ -385,11 +386,11 @@ public class LdapIdentityProvider implem
      * @param ref reference to the identity
      * @return map of identities where the key is the DN of the LDAP entity
      */
-    Map<String, ExternalIdentityRef> getDeclaredGroupRefs(ExternalIdentityRef ref) throws ExternalIdentityException {
+    Map<String, ExternalIdentityRef> getDeclaredGroupRefs(ExternalIdentityRef ref, String dn) throws ExternalIdentityException {
         if (!isMyRef(ref)) {
             return Collections.emptyMap();
         }
-        String searchFilter = config.getMemberOfSearchFilter(ref.getId());
+        String searchFilter = config.getMemberOfSearchFilter(dn);
 
         LdapConnection connection = null;
         SearchCursor searchCursor = null;
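Review bot: the Javadoc above `getDeclaredGroupRefs` still lists only `@param ref` and says nothing about the new `dn` parameter. Add `@param dn` and state that callers must pass the DN of the identity's entry, not `ref.getId()`, which after this change may be a uid value rather than a DN; the search filter built by `config.getMemberOfSearchFilter(dn)` only works with a DN.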
@@ -445,7 +446,7 @@ public class LdapIdentityProvider implem
      * @return map of identity refers
      * @throws ExternalIdentityException if an error occurs
      */
-    Map<String, ExternalIdentityRef> getDeclaredMemberRefs(ExternalIdentityRef ref) throws ExternalIdentityException {
+    Map<String, ExternalIdentityRef> getDeclaredMemberRefs(ExternalIdentityRef ref, String dn) throws ExternalIdentityException {
         if (!isMyRef(ref)) {
             return Collections.emptyMap();
         }
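Review bot: same as for `getDeclaredGroupRefs`: the `@param` list above `getDeclaredMemberRefs` needs an entry for `dn`, with the same note that it must be the entry DN and not the external id.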
@@ -455,7 +456,7 @@ public class LdapIdentityProvider implem
             DebugTimer timer = new DebugTimer();
             connection = connect();
             timer.mark("connect");
-            Entry entry = connection.lookup(ref.getId());
+            Entry entry = connection.lookup(dn);
             timer.mark("lookup");
             Attribute attr = entry.get(config.getGroupMemberAttribute());
             if (attr == null) {
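Review bot: `connection.lookup(dn)` can return null when the entry has been removed between the search and this lookup, and `entry.get(config.getGroupMemberAttribute())` then throws an NPE instead of a meaningful `ExternalIdentityException`. This predates the change, but since the line is being touched, a null check with a clear message is cheap to add here.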
@@ -773,46 +774,38 @@ public class LdapIdentityProvider implem
     @Nonnull
     private ExternalUser createUser(@Nonnull Entry entry, @CheckForNull String id)
             throws LdapInvalidAttributeValueException {
-        ExternalIdentityRef ref = new ExternalIdentityRef(entry.getDn().getName(), this.getName());
-        if (id == null) {
-            String idAttribute = config.getUserConfig().getIdAttribute();
-            Attribute attr = entry.get(idAttribute);
-            if (attr == null) {
-                throw new LdapInvalidAttributeValueException(ResultCodeEnum.CONSTRAINT_VIOLATION,
-                        "no value found for attribute '" + idAttribute + "' for entry " + entry);
-            }
-            id = attr.getString();
-        }
-        String path = config.getUserConfig().makeDnPath()
-                ? createDNPath(entry.getDn())
-                : null;
-        LdapUser user = new LdapUser(this, ref, id, path);
-        Map<String, Object> props = user.getProperties();
-        applyAttributes(props, entry);
-        return user;
+        return (ExternalUser) createIdentity(entry, id, false);
     }
 
     @Nonnull
-    private ExternalGroup createGroup(@Nonnull Entry entry, @CheckForNull String name)
+    private ExternalGroup createGroup(@Nonnull Entry entry, @CheckForNull String id)
             throws LdapInvalidAttributeValueException {
-        ExternalIdentityRef ref = new ExternalIdentityRef(entry.getDn().getName(), this.getName());
-        if (name == null) {
-            String idAttribute = config.getGroupConfig().getIdAttribute();
+        return (ExternalGroup) createIdentity(entry, id, true);
+    }
+
+    @Nonnull
+    private ExternalIdentity createIdentity(@Nonnull Entry entry, @CheckForNull String id, boolean isGroup)
+            throws LdapInvalidAttributeValueException {
+        LdapProviderConfig.Identity cfg = isGroup ? config.getGroupConfig() : config.getUserConfig();
+        if (id == null) {
+            String idAttribute = cfg.getIdAttribute();
             Attribute attr = entry.get(idAttribute);
             if (attr == null) {
                 throw new LdapInvalidAttributeValueException(ResultCodeEnum.CONSTRAINT_VIOLATION,
                         "no value found for attribute '" + idAttribute + "' for entry " + entry);
             }
-            name = attr.getString();
+            id = attr.getString();
         }
-        String path = config.getGroupConfig().makeDnPath()
+        String extId = config.getUseUidForExtId() ? id : entry.getDn().getName();
+        ExternalIdentityRef ref = new ExternalIdentityRef(extId, this.getName());
+        String path = cfg.makeDnPath()
                 ? createDNPath(entry.getDn())
                 : null;
-        LdapGroup group = new LdapGroup(this, ref, name, path);
-        Map<String, Object> props = group.getProperties();
+        LdapIdentity identity = isGroup ? new LdapGroup(this, ref, id, path, entry)
+                                        : new LdapUser(this, ref, id, path, entry);
+        Map<String, Object> props = identity.getProperties();
         applyAttributes(props, entry);
-        return group;
-
+        return identity;
     }
 
     private void applyAttributes(Map<String, Object> props, Entry entry)
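Review bot: with `useUidForExtId` enabled, `new ExternalIdentityRef(extId, this.getName())` keys identities by the raw id attribute value, so uniqueness of external identifiers now depends on that attribute being unique across the directory, and a user and a group sharing the same id value yield identical refs under the same provider name. State that requirement in the option's Javadoc. Also check the remaining places in the provider outside this hunk that treat `ref.getId()` as a DN, as `getDeclaredMemberRefs` did before this change (`connection.lookup(ref.getId())`); each needs the same DN-versus-uid handling, or the uid mode will hand a non-DN string to a DN lookup.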

Modified: jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java?rev=1838669&r1=1838668&r2=1838669&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java Wed Aug 22 17:48:37 2018
@@ -403,6 +403,21 @@ public class LdapProviderConfig {
     public static final String PARAM_GROUP_MEMBER_ATTRIBUTE = "group.memberAttribute";
 
     /**
+     * @see #getUseUidForExtId()
+     */
+    public static final boolean PARAM_USE_UID_FOR_EXT_ID_DEFAULT = false;
+
+    /**
+     * @see #getUseUidForExtId()
+     */
+    @Property(
+            label = "Use user id for external ids",
+            description = "If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead.",
+            boolValue = PARAM_USE_UID_FOR_EXT_ID_DEFAULT
+    )
+    public static final String PARAM_USE_UID_FOR_EXT_ID = "useUidForExtId";
+
+    /**
      * @see Identity#getCustomAttributes()
      */
     public static final String[] PARAM_CUSTOM_ATTRIBUTES_DEFAULT = {};
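Review bot: the `description` of `PARAM_USE_UID_FOR_EXT_ID` should also warn that the id attribute must be unique for users and groups for this mode to be safe, and that flipping the option on a deployment that has already synchronised identities changes the external id of every identity, since `createIdentity` derives the ref from it; operators need to know that before enabling it on an existing repository.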
@@ -629,6 +644,7 @@ public class LdapProviderConfig {
          * Sets the cap on the number of objects that can be allocated by the pool.
          *
          * @see #getMaxActive
+         * @param maxActive the new upper limit of the pool size
          * @return this
          */
         @Nonnull
@@ -641,7 +657,7 @@ public class LdapProviderConfig {
          * Defines if the lookup on validate flag is enabled. If enable a connection that taken from the
          * pool are validated before used. currently this is done by performing a lookup to the ROOT DSE, which
          * might not be allowed on all LDAP servers.
-
+         *
          * @return {@code true} if the flag is enabled.
          */
         public boolean lookupOnValidate() {
@@ -652,6 +668,7 @@ public class LdapProviderConfig {
          * Sets the lookup on validate flag.
          *
          * @see #lookupOnValidate()
+         * @param lookupOnValidate the new value of the lookup on validate flag
          * @return this
          */
         @Nonnull
@@ -686,7 +703,8 @@ public class LdapProviderConfig {
                 .setBindDN(params.getConfigValue(PARAM_BIND_DN, PARAM_BIND_DN_DEFAULT))
                 .setBindPassword(params.getConfigValue(PARAM_BIND_PASSWORD, PARAM_BIND_PASSWORD_DEFAULT))
                 .setGroupMemberAttribute(params.getConfigValue(PARAM_GROUP_MEMBER_ATTRIBUTE, PARAM_GROUP_MEMBER_ATTRIBUTE_DEFAULT))
-                .setCustomAttributes(params.getConfigValue(PARAM_CUSTOM_ATTRIBUTES, PARAM_CUSTOM_ATTRIBUTES_DEFAULT));
+                .setCustomAttributes(params.getConfigValue(PARAM_CUSTOM_ATTRIBUTES, PARAM_CUSTOM_ATTRIBUTES_DEFAULT))
+                .setUseUidForExtId(params.getConfigValue(PARAM_USE_UID_FOR_EXT_ID, PARAM_USE_UID_FOR_EXT_ID_DEFAULT));
 
         ConfigurationParameters.Milliseconds ms = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_SEARCH_TIMEOUT, PARAM_SEARCH_TIMEOUT_DEFAULT));
         if (ms != null) {
@@ -738,6 +756,8 @@ public class LdapProviderConfig {
 
     private String groupMemberAttribute = PARAM_GROUP_MEMBER_ATTRIBUTE;
 
+    private boolean useUidForExtId = PARAM_USE_UID_FOR_EXT_ID_DEFAULT;
+
     private String memberOfFilterTemplate;
 
     private String[] customAttributes = PARAM_CUSTOM_ATTRIBUTES_DEFAULT;
@@ -985,6 +1005,29 @@ public class LdapProviderConfig {
     }
 
     /**
+     * If true, the value of the user id (resp. group name) attribute will be used to create external identifiers. Otherwise the DN will be used, which is the default.
+     *
+     * @return true iff the value of the user id (resp. group name) attribute will be used to create external identifiers
+     */
+    @Nonnull
+    public boolean getUseUidForExtId() {
+        return useUidForExtId;
+    }
+
+    /**
+     * Sets the flag that controls if the user id (resp. gruop name) will be used instead of the DN to create external ids.
+     *
+     * @see #getUseUidForExtId()
+     * @param useUidForExtId the new value of #useUidForExtId
+     * @return {@code this}
+     */
+    @Nonnull
+    public LdapProviderConfig setUseUidForExtId(boolean useUidForExtId) {
+        this.useUidForExtId = useUidForExtId;
+        return this;
+    }
+
+    /**
      * Optionally configures an array of attribute names that will be retrieved when looking up LDAP entries.
      * Defaults to the empty array indicating that all attributes will be retrieved.
      *
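Review bot: `@Nonnull` on `getUseUidForExtId()` is meaningless for a primitive `boolean` return and should be dropped. In the setter's Javadoc, "gruop" should read "group", and `the new value of #useUidForExtId` will not render as a link; use `{@link #useUidForExtId}` or plain words.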
@@ -1141,6 +1184,7 @@ public class LdapProviderConfig {
         sb.append(", bindPassword='***'");
         sb.append(", searchTimeout=").append(searchTimeout);
         sb.append(", groupMemberAttribute='").append(groupMemberAttribute).append('\'');
+        sb.append(", useUidForExtId='").append(useUidForExtId).append('\'');
         sb.append(", memberOfFilterTemplate='").append(memberOfFilterTemplate).append('\'');
         sb.append(", adminPoolConfig=").append(adminPoolConfig);
         sb.append(", userPoolConfig=").append(userPoolConfig);
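Review bot: `useUidForExtId` is a boolean but is appended wrapped in single quotes like the string fields; drop the quotes for consistency with the other non-string fields in this `toString()` (`searchTimeout`, the pool configs).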

Modified: jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java?rev=1838669&r1=1838668&r2=1838669&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java Wed Aug 22 17:48:37 2018
@@ -16,13 +16,14 @@
  */
 package org.apache.jackrabbit.oak.security.authentication.ldap.impl;
 
+import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
 
 public class LdapUser extends LdapIdentity implements ExternalUser {
 
-    public LdapUser(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path) {
-        super(provider, ref, id, path);
+    public LdapUser(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path, Entry entry) {
+        super(provider, ref, id, path, entry);
     }
 
 }

Modified: jackrabbit/oak/branches/1.4/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java?rev=1838669&r1=1838668&r2=1838669&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java (original)
+++ jackrabbit/oak/branches/1.4/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java Wed Aug 22 17:48:37 2018
@@ -37,8 +37,10 @@ import javax.jcr.SimpleCredentials;
 import javax.security.auth.login.LoginException;
 
 import org.apache.directory.server.constants.ServerDNConstants;
+import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentity;
 import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider;
 import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig;
+import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapUser;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
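Review bot: `LdapIdentity` is imported, but none of the test code in this change refers to it (the casts use `LdapUser`); unless it is used elsewhere in the file, drop the import.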
@@ -196,7 +198,7 @@ public class LdapProviderTest {
     public void testGetUserByUserId() throws Exception {
         ExternalUser user = idp.getUser(TEST_USER1_UID);
         assertNotNull("User 1 must exist", user);
-        assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
+        assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
     }
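Review bot: the assertion message "User Ref" no longer matches what is asserted, which is now the entry DN via `getEntry().getDn().getName()`; rename it to "User DN" so a failure reads correctly.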
 
     @Test
@@ -217,12 +219,32 @@ public class LdapProviderTest {
         assertThat(properties, Matchers.not(Matchers.<String, Object>hasEntry("mail", "hhornblo@royalnavy.mod.uk")));
     }
 
-    @Test
-    public void testAuthenticate() throws Exception {
+    private void authenticateInternal(LdapIdentityProvider idp, String id) throws Exception {
         SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
         ExternalUser user = idp.authenticate(creds);
         assertNotNull("User 1 must authenticate", user);
-        assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
+        assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
+        assertEquals("User Ref", id, user.getExternalId().getId());
+    }
+
+    @Test
+    public void testAuthenticate() throws Exception {
+        authenticateInternal(idp, TEST_USER1_DN);
+
+        providerConfig.setUseUidForExtId(true);
+        idp.close();
+        idp = new LdapIdentityProvider(providerConfig);
+        authenticateInternal(idp, TEST_USER1_UID);
+    }
+
+    private void authenticateValidateInternal(LdapIdentityProvider idp, String id) throws Exception {
+        SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
+        for (int i=0; i<8; i++) {
+            ExternalUser user = this.idp.authenticate(creds);
+            assertNotNull("User 1 must authenticate (i=" + i + ")", user);
+            assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
+            assertEquals("User Ref", id, user.getExternalId().getId());
+        }
     }
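Review bot: `authenticateValidateInternal` takes an `idp` parameter but calls `this.idp.authenticate(creds)`, whereas `authenticateInternal` uses the parameter; use the parameter (or drop it) so the two helpers behave the same and the method cannot silently test a provider other than the one passed in. Both helpers also reuse the message "User Ref" for the DN and the external id assertions; distinct messages would make a failure identify which one broke.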
 
     @Test
@@ -235,13 +257,12 @@ public class LdapProviderTest {
                 .setLookupOnValidate(false);
         idp.close();
         idp = new LdapIdentityProvider(providerConfig);
+        authenticateValidateInternal(idp, TEST_USER1_DN);
 
-        SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
-        for (int i=0; i<8; i++) {
-            ExternalUser user = idp.authenticate(creds);
-            assertNotNull("User 1 must authenticate", user);
-            assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
-        }
+        providerConfig.setUseUidForExtId(true);
+        idp.close();
+        idp = new LdapIdentityProvider(providerConfig);
+        authenticateValidateInternal(idp, TEST_USER1_UID);
     }
 
     @Test
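Review bot: the second half of this test flips `providerConfig.setUseUidForExtId(true)` and rebuilds `idp` but never restores the flag or the original provider; the same pattern is repeated in the following three `setLookupOnValidate` hunks. If `providerConfig` and `idp` are shared across tests rather than rebuilt in the `@Before` method, the UID-based external-id mode leaks into whatever test runs next and the default-mode assertions (`TEST_USER1_DN` as external id) become order-dependent. Either confirm that setup recreates both objects per test, or reset the flag and provider in a `finally` block. Since the four tests now differ only in the `setLookupOnValidate(...)` argument, a single parameterised test would also remove the four-fold copy of this block.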
@@ -254,13 +275,12 @@ public class LdapProviderTest {
                 .setLookupOnValidate(true);
         idp.close();
         idp = new LdapIdentityProvider(providerConfig);
+        authenticateValidateInternal(idp, TEST_USER1_DN);
 
-        SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
-        for (int i=0; i<8; i++) {
-            ExternalUser user = idp.authenticate(creds);
-            assertNotNull("User 1 must authenticate", user);
-            assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
-        }
+        providerConfig.setUseUidForExtId(true);
+        idp.close();
+        idp = new LdapIdentityProvider(providerConfig);
+        authenticateValidateInternal(idp, TEST_USER1_UID);
     }
 
     @Test
@@ -273,13 +293,12 @@ public class LdapProviderTest {
                 .setLookupOnValidate(false);
         idp.close();
         idp = new LdapIdentityProvider(providerConfig);
+        authenticateValidateInternal(idp, TEST_USER1_DN);
 
-        SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
-        for (int i=0; i<8; i++) {
-            ExternalUser user = idp.authenticate(creds);
-            assertNotNull("User 1 must authenticate (i=" + i + ")", user);
-            assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
-        }
+        providerConfig.setUseUidForExtId(true);
+        idp.close();
+        idp = new LdapIdentityProvider(providerConfig);
+        authenticateValidateInternal(idp, TEST_USER1_UID);
     }
 
     @Test
@@ -292,13 +311,12 @@ public class LdapProviderTest {
                 .setLookupOnValidate(true);
         idp.close();
         idp = new LdapIdentityProvider(providerConfig);
+        authenticateValidateInternal(idp, TEST_USER1_DN);
 
-        SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
-        for (int i=0; i<8; i++) {
-            ExternalUser user = idp.authenticate(creds);
-            assertNotNull("User 1 must authenticate (i=" + i + ")", user);
-            assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
-        }
+        providerConfig.setUseUidForExtId(true);
+        idp.close();
+        idp = new LdapIdentityProvider(providerConfig);
+        authenticateValidateInternal(idp, TEST_USER1_UID);
     }
 
     @Test
@@ -306,7 +324,16 @@ public class LdapProviderTest {
         SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID.toUpperCase(), "pass".toCharArray());
         ExternalUser user = idp.authenticate(creds);
         assertNotNull("User 1 must authenticate", user);
+        assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
         assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
+
+        providerConfig.setUseUidForExtId(true);
+        idp.close();
+        idp = new LdapIdentityProvider(providerConfig);
+        user = idp.authenticate(creds);
+        assertNotNull("User 1 must authenticate", user);
+        assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
+        assertEquals("User Ref", TEST_USER1_UID.toUpperCase(), user.getExternalId().getId());
     }
 
     @Test
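Review bot: the final assertion expects the external id to be `TEST_USER1_UID.toUpperCase()`, i.e. the user id exactly as typed in the credentials, while the preceding assertion shows the entry resolved to the same `TEST_USER1_DN` as the lower-case login. With `useUidForExtId` enabled this means two logins that differ only in case resolve to one LDAP entry but yield two distinct external ids, so a sync handler keyed on the external id would treat them as two identities. If that is not intended, the external id should be built from the entry's id attribute value (or a normalised form of it) rather than from the credentials, and this test should assert `TEST_USER1_UID` instead of the upper-cased login; if it is intended, say so in the `useUidForExtId` documentation, because it is a case-sensitivity trap for deployments whose directory matches uids case-insensitively.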
@@ -353,10 +380,9 @@ public class LdapProviderTest {
     public void testGetGroupByName() throws Exception {
         ExternalGroup group = idp.getGroup(TEST_GROUP1_NAME);
         assertNotNull("Group 1 must exist", group);
-        assertEquals("Group Ref", TEST_GROUP1_DN, group.getExternalId().getId());
+        assertEquals("Group Ref", TEST_GROUP1_DN, ((LdapIdentity)group).getEntry().getDn().getName());
     }
 
-
     @Test
     public void testGetMembers() throws Exception {
         ExternalIdentityRef ref = new ExternalIdentityRef(TEST_GROUP1_DN, IDP_NAME);

Added: jackrabbit/oak/branches/1.4/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java?rev=1838669&view=auto
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java (added)
+++ jackrabbit/oak/branches/1.4/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java Wed Aug 22 17:48:37 2018
@@ -0,0 +1,92 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authentication.ldap.impl;
+
+import javax.jcr.GuestCredentials;
+
+import org.apache.jackrabbit.oak.security.authentication.ldap.LdapProviderTest;
+import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
+import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
+import org.apache.sling.testing.mock.osgi.junit.OsgiContext;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+public class LdapIdentityProviderOsgiTest {
+
+    @Rule
+    public final OsgiContext context = new OsgiContext();
+
+    private LdapIdentityProvider provider = new LdapIdentityProvider();
+
+    @Before
+    public void before() throws Exception {
+        context.registerInjectActivateService(provider);
+    }
+
+    @Test
+    public void testGetName() {
+        assertEquals(LdapProviderConfig.PARAM_NAME_DEFAULT, provider.getName());
+    }
+
+    @Test
+    public void testAuthenticateOtherCredentials() throws Exception {
+        assertNull(provider.authenticate(new GuestCredentials()));
+    }
+
+    @Test
+    public void testGetIdentityForeingRef() throws Exception {
+        ExternalIdentityRef ref = new ExternalIdentityRef("id", "anotherName");
+        assertNull(provider.getIdentity(ref));
+    }
+
+    @Test
+    public void testGetDeclaredGroupRefsForeignRef() throws Exception {
+        ExternalIdentityRef ref = new ExternalIdentityRef("id", "anotherName");
+        assertTrue(provider.getDeclaredGroupRefs(ref, LdapProviderTest.TEST_USER1_DN).isEmpty());
+    }
+
+    @Test
+    public void testGetDeclaredMemberRefsForeignRef() throws Exception {
+        ExternalIdentityRef ref = new ExternalIdentityRef("id", "anotherName");
+        assertTrue(provider.getDeclaredMemberRefs(ref, LdapProviderTest.TEST_GROUP1_DN).isEmpty());
+    }
+
+    @Test(expected = ExternalIdentityException.class)
+    public void testGetUserMissingConnection() throws Exception {
+        provider.getUser("user");
+    }
+
+    @Test(expected = ExternalIdentityException.class)
+    public void testGetGroupMissingConnection() throws Exception {
+        provider.getGroup("gr");
+    }
+
+    @Test(expected = ExternalIdentityException.class)
+    public void testListGroupsMissingConnections() throws Exception {
+        provider.listGroups().hasNext();
+    }
+
+    @Test(expected = ExternalIdentityException.class)
+    public void testListUsersMissingConnections() throws Exception {
+        provider.listUsers().hasNext();
+    }
+}
\ No newline at end of file
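Review bot: two small points on the new file. `testGetIdentityForeingRef` is a typo for `testGetIdentityForeignRef` (the two neighbouring tests spell it correctly), and the file is missing its trailing newline. Beyond that, the tests exercising `getDeclaredGroupRefs` and `getDeclaredMemberRefs` with a foreign `ExternalIdentityRef` only check that the result is empty; it would be worth also asserting that no LDAP connection is attempted for a ref that belongs to another provider, which is the property that makes these early returns safe, and the four `...MissingConnection(s)` tests use an inconsistent singular/plural suffix.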

Modified: jackrabbit/oak/branches/1.4/oak-doc/src/site/markdown/security/authentication/ldap.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.4/oak-doc/src/site/markdown/security/authentication/ldap.md?rev=1838669&r1=1838668&r2=1838669&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.4/oak-doc/src/site/markdown/security/authentication/ldap.md (original)
+++ jackrabbit/oak/branches/1.4/oak-doc/src/site/markdown/security/authentication/ldap.md Wed Aug 22 17:48:37 2018
@@ -71,28 +71,30 @@ Oak repository:
 The LDAP IPDs are configured through the [org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig]
 which is populated either via OSGi or during manual [Repository Construction](../construct.html).
 
-| Name                         | Property                | Description                              |
-|------------------------------|-------------------------|------------------------------------------|
-| LDAP Provider Name           | `provider.name`         | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. |
-| Bind DN                      | `bind.dn`               | DN of the user for authentication. Leave empty for anonymous bind. |
-| Bind Password                | `bind.password`         | Password of the user for authentication. |
-| LDAP Server Hostname         | `host.name`             | Hostname of the LDAP server              |
-| Disable certificate checking | `host.noCertCheck`      | Indicates if server certificate validation should be disabled. |
-| LDAP Server Port             | `host.port`             | Port of the LDAP server                  |
-| Use SSL                      | `host.ssl`              | Indicates if an SSL (LDAPs) connection should be used. |
-| Use TLS                      | `host.tls`              | Indicates if TLS should be started on connections. |
-| Search Timeout               | `searchTimeout`         | Time in until a search times out (eg: '1s' or '1m 30s'). |
-| User base DN                 | `user.baseDN`           | The base DN for user searches.           |
-| User extra filter            | `user.extraFilter`      | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` |
-| User id attribute            | `user.idAttribute`      | Name of the attribute that contains the user id. |
-| User DN paths                | `user.makeDnPath`       | Controls if the DN should be used for calculating a portion of the intermediate path. |
-| User object classes          | `user.objectclass`      | The list of object classes an user entry must contain. |
-| Group base DN                | `group.baseDN`          | The base DN for group searches.          |
-| Group extra filter           | `group.extraFilter`     | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` |
-| Group DN paths               | `group.makeDnPath`      | Controls if the DN should be used for calculating a portion of the intermediate path. |
-| Group member attribute       | `group.memberAttribute` | Group attribute that contains the member(s) of a group. |
-| Group name attribute         | `group.nameAttribute`   | Name of the attribute that contains the group name. |
-| Group object classes         | `group.objectclass`     | The list of object classes a group entry must contain. |
+| Name                          | Property                | Description                              |
+|-------------------------------|-------------------------|------------------------------------------|
+| LDAP Provider Name            | `provider.name`         | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. |
+| Bind DN                       | `bind.dn`               | DN of the user for authentication. Leave empty for anonymous bind. |
+| Bind Password                 | `bind.password`         | Password of the user for authentication. |
+| LDAP Server Hostname          | `host.name`             | Hostname of the LDAP server              |
+| Disable certificate checking  | `host.noCertCheck`      | Indicates if server certificate validation should be disabled. |
+| LDAP Server Port              | `host.port`             | Port of the LDAP server                  |
+| Use SSL                       | `host.ssl`              | Indicates if an SSL (LDAPs) connection should be used. |
+| Use TLS                       | `host.tls`              | Indicates if TLS should be started on connections. |
+| Search Timeout                | `searchTimeout`         | Time in until a search times out (eg: '1s' or '1m 30s'). |
+| User base DN                  | `user.baseDN`           | The base DN for user searches.           |
+| User extra filter             | `user.extraFilter`      | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` |
+| User id attribute             | `user.idAttribute`      | Name of the attribute that contains the user id. |
+| User DN paths                 | `user.makeDnPath`       | Controls if the DN should be used for calculating a portion of the intermediate path. |
+| User object classes           | `user.objectclass`      | The list of object classes an user entry must contain. |
+| Group base DN                 | `group.baseDN`          | The base DN for group searches.          |
+| Group extra filter            | `group.extraFilter`     | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` |
+| Group DN paths                | `group.makeDnPath`      | Controls if the DN should be used for calculating a portion of the intermediate path. |
+| Group member attribute        | `group.memberAttribute` | Group attribute that contains the member(s) of a group. |
+| Group name attribute          | `group.nameAttribute`   | Name of the attribute that contains the group name. |
+| Group object classes          | `group.objectclass`     | The list of object classes a group entry must contain. |
+| Use user id for external ids  | `useUidForExtId`        | If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead. |
+| Custom Attributes             | `customattributes`      | Attributes retrieved when looking up LDAP entries. Leave empty to retrieve all attributes. |
 | | | |
 
 #### SyncHandler and External Login Module
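Review bot: the table is rewritten wholesale to widen the Name column by one character, which buries the two rows that actually change (`useUidForExtId` and `customattributes`) in twenty lines of alignment noise; since every row is being touched anyway, fix the carried-over wording defects at the same time: "Time in until a search times out" should read "Time until a search times out", and "an user entry" should read "a user entry". Two content points as well: the `useUidForExtId` description says the value of the user id attribute is used, but the case-insensitive authentication test in this commit asserts the external id equals the login name as typed (upper-cased), so the text should state which value is used and that case variants of the login may therefore produce distinct external ids; and `customattributes` is the only all-lowercase property key in the table next to `searchTimeout` and `useUidForExtId`, so please confirm it matches the constant in `LdapProviderConfig` rather than being a transcription slip.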