Posted to oak-commits@jackrabbit.apache.org by ba...@apache.org on 2016/07/11 19:00:14 UTC
svn commit: r1752198 - in /jackrabbit/oak/trunk/oak-auth-ldap/src:
main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/
test/java/org/apache/jackrabbit/oak/security/authentication/ldap/
Author: baedke
Date: Mon Jul 11 19:00:14 2016
New Revision: 1752198
URL: http://svn.apache.org/viewvc?rev=1752198&view=rev
Log:
OAK-4344: LdapIdentityProvider always retrieves all attributes when looking up an LDAP entity.
Added config option "customattributes" to LdapIdentityProvider.
Modified:
jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java?rev=1752198&r1=1752197&r2=1752198&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java Mon Jul 11 19:00:14 2016
@@ -215,7 +215,7 @@ public class LdapIdentityProvider implem
LdapConnection connection = connect();
timer.mark("connect");
try {
- Entry entry = getEntry(connection, config.getUserConfig(), userId);
+ Entry entry = getEntry(connection, config.getUserConfig(), userId, config.getCustomAttributes());
timer.mark("lookup");
if (log.isDebugEnabled()) {
log.debug("getUser({}) {}", userId, timer.getString());
@@ -240,7 +240,7 @@ public class LdapIdentityProvider implem
LdapConnection connection = connect();
timer.mark("connect");
try {
- Entry entry = getEntry(connection, config.getGroupConfig(), name);
+ Entry entry = getEntry(connection, config.getGroupConfig(), name, config.getCustomAttributes());
timer.mark("lookup");
if (log.isDebugEnabled()) {
log.debug("getGroup({}) {}", name, timer.getString());
@@ -541,14 +541,18 @@ public class LdapIdentityProvider implem
}
@CheckForNull
- private Entry getEntry(@Nonnull LdapConnection connection, @Nonnull LdapProviderConfig.Identity idConfig, @Nonnull String id)
+ private Entry getEntry(@Nonnull LdapConnection connection, @Nonnull LdapProviderConfig.Identity idConfig, @Nonnull String id, @Nonnull String[] customAttributes)
throws CursorException, LdapException {
String searchFilter = idConfig.getSearchFilter(id);
// Create the SearchRequest object
SearchRequest req = new SearchRequestImpl();
req.setScope(SearchScope.SUBTREE);
- req.addAttributes(SchemaConstants.ALL_USER_ATTRIBUTES);
+ if (customAttributes.length == 0) {
+ req.addAttributes(SchemaConstants.ALL_USER_ATTRIBUTES);
+ } else {
+ req.addAttributes(customAttributes);
+ }
req.setTimeLimit((int) config.getSearchTimeout());
req.setBase(new Dn(idConfig.getBaseDN()));
req.setFilter(searchFilter);
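Review bot: A configured attribute list is handed to `req.addAttributes(customAttributes)` without ensuring it still contains the attributes the provider itself depends on — the id attribute from idConfig, `objectclass`, and the group member attribute used for membership lookups — so a `customattributes` value that omits them presumably breaks user or group resolution rather than merely trimming the returned properties. Consider always merging the id attribute (and, for group searches, the member attribute) into the requested set, or at least stating the requirement in the property description. The same empty-array branch is repeated in createSearchRequest in the next hunk; a small helper such as `private static void requestAttributes(SearchRequest req, String[] attrs)` would keep the two call sites in step and make the "empty means all" rule one line of documentation instead of two. getEntry's body continues past the end of the hunk.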
@@ -657,10 +661,14 @@ public class LdapIdentityProvider implem
//-------------------------------------------------------< internal >---
- private SearchRequest createSearchRequest(LdapConnection connection, byte[] cookie) throws LdapException {
+ private SearchRequest createSearchRequest(LdapConnection connection, byte[] cookie, @Nonnull String[] userAttributes) throws LdapException {
SearchRequest req = new SearchRequestImpl();
req.setScope(SearchScope.SUBTREE);
- req.addAttributes(SchemaConstants.ALL_USER_ATTRIBUTES);
+ if (userAttributes.length == 0) {
+ req.addAttributes(SchemaConstants.ALL_USER_ATTRIBUTES);
+ } else {
+ req.addAttributes(userAttributes);
+ }
req.setTimeLimit((int) config.getSearchTimeout());
req.setBase(new Dn(idConfig.getBaseDN()));
req.setFilter(searchFilter);
@@ -684,7 +692,7 @@ public class LdapIdentityProvider implem
timer.mark("connect");
page = new ArrayList<Entry>();
try {
- searchCursor = connection.search(createSearchRequest(connection, cookie));
+ searchCursor = connection.search(createSearchRequest(connection, cookie, config.getCustomAttributes()));
while (searchCursor.next()) {
Response response = searchCursor.get();
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java?rev=1752198&r1=1752197&r2=1752198&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java Mon Jul 11 19:00:14 2016
@@ -128,6 +128,18 @@ public class LdapProviderConfig {
)
public static final String PARAM_NO_CERT_CHECK = "host.noCertCheck";
+
+ /**
+ * @see #getSearchAttributes()
+ */
+ @Property(
+ label = "Search attributes",
+ description = "Array of attributes to retrieve when searching LDAP entries. Leave empty to retrieve all available attributes.",
+ value = {},
+ cardinality = Integer.MAX_VALUE
+ )
+ public static final String PARAM_SEARCH_ATTRIBUTES = "search.attributes";
+
/**
* @see #getBindDN()
*/
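Review bot: `PARAM_SEARCH_ATTRIBUTES` appears to be dead: its Javadoc points at `#getSearchAttributes()`, which this diff does not add, and the `of()` hunk further down reads only `PARAM_CUSTOM_ATTRIBUTES`. Publishing two OSGi properties ("search.attributes" and "customattributes") that describe the same feature, one of them ignored, invites operators to set the wrong one and silently keep retrieving all attributes. Either drop this constant and its `@Property` or wire it to the same setter as `PARAM_CUSTOM_ATTRIBUTES`.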
@@ -403,6 +415,22 @@ public class LdapProviderConfig {
public static final String PARAM_GROUP_MEMBER_ATTRIBUTE = "group.memberAttribute";
/**
+ * @see Identity#getCustomAttributes()
+ */
+ public static final String[] PARAM_CUSTOM_ATTRIBUTES_DEFAULT = {};
+
+ /**
+ * @see Identity#getCustomAttributes()
+ */
+ @Property(
+ label = "Custom Attributes",
+ description = "Attributes retrieved when looking up LDAP entries. Leave empty to retrieve all attributes.",
+ value = {},
+ cardinality = Integer.MAX_VALUE
+ )
+ public static final String PARAM_CUSTOM_ATTRIBUTES = "customattributes";
+
+ /**
* Defines the configuration of an identity (user or group).
*/
public class Identity {
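Review bot: Both `@see` references in this hunk name `Identity#getCustomAttributes()`, but the getter and setter added later in the diff return `LdapProviderConfig` and sit on the outer class, so the links resolve to nothing as far as this diff shows; they should read `@see #getCustomAttributes()`. `PARAM_CUSTOM_ATTRIBUTES_DEFAULT` is also a `public static final String[]`, i.e. a shared mutable array that `getCustomAttributes()` returns by reference for every config that never called the setter, so one caller writing into it changes the default for all; making it `private` or cloning it on read would close that.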
@@ -413,6 +441,8 @@ public class LdapProviderConfig {
private String idAttribute;
+ private String[] customAttributes = {};
+
private String extraFilter;
private String filterTemplate;
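Review bot: The new `customAttributes` field on `Identity` has no setter or getter in this diff and is only read by `toString()` in a later hunk, while the field that `of()` actually populates is the one added to the outer `LdapProviderConfig`, so this one looks like it is always empty. If per-identity attribute lists are not intended, the field and its `toString` line should go; if they are, `of()` needs to copy the configured value into the user and group `Identity` objects.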
@@ -575,6 +605,7 @@ public class LdapProviderConfig {
sb.append("baseDN='").append(baseDN).append('\'');
sb.append(", objectClasses=").append(Arrays.toString(objectClasses));
sb.append(", idAttribute='").append(idAttribute).append('\'');
+ sb.append(", userAttributes='").append(Arrays.toString(customAttributes));
sb.append(", extraFilter='").append(extraFilter).append('\'');
sb.append(", filterTemplate='").append(filterTemplate).append('\'');
sb.append(", makeDnPath=").append(makeDnPath);
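Review bot: The added `toString` line opens a single quote that is never closed and labels the value `userAttributes` although the field is `customAttributes`, so the output reads `userAttributes='[a, b], extraFilter='...`. Since `Arrays.toString` already brackets the value, the line should be `sb.append(", customAttributes=").append(Arrays.toString(customAttributes));`, matching the `objectClasses` line just above it.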
@@ -666,14 +697,14 @@ public class LdapProviderConfig {
.setNoCertCheck(params.getConfigValue(PARAM_NO_CERT_CHECK, PARAM_NO_CERT_CHECK_DEFAULT))
.setBindDN(params.getConfigValue(PARAM_BIND_DN, PARAM_BIND_DN_DEFAULT))
.setBindPassword(params.getConfigValue(PARAM_BIND_PASSWORD, PARAM_BIND_PASSWORD_DEFAULT))
- .setGroupMemberAttribute(params.getConfigValue(PARAM_GROUP_MEMBER_ATTRIBUTE, PARAM_GROUP_MEMBER_ATTRIBUTE_DEFAULT));
+ .setGroupMemberAttribute(params.getConfigValue(PARAM_GROUP_MEMBER_ATTRIBUTE, PARAM_GROUP_MEMBER_ATTRIBUTE_DEFAULT))
+ .setCustomAttributes(params.getConfigValue(PARAM_CUSTOM_ATTRIBUTES, PARAM_CUSTOM_ATTRIBUTES_DEFAULT));
ConfigurationParameters.Milliseconds ms = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_SEARCH_TIMEOUT, PARAM_SEARCH_TIMEOUT_DEFAULT));
if (ms != null) {
cfg.setSearchTimeout(ms.value);
}
-
cfg.getUserConfig()
.setBaseDN(params.getConfigValue(PARAM_USER_BASE_DN, PARAM_USER_BASE_DN))
.setIdAttribute(params.getConfigValue(PARAM_USER_ID_ATTRIBUTE, PARAM_USER_ID_ATTRIBUTE_DEFAULT))
@@ -721,6 +752,8 @@ public class LdapProviderConfig {
private String memberOfFilterTemplate;
+ private String[] customAttributes = PARAM_CUSTOM_ATTRIBUTES_DEFAULT;
+
private final PoolConfig adminPoolConfig = new PoolConfig()
.setMaxActive(PARAM_ADMIN_POOL_MAX_ACTIVE_DEFAULT);
@@ -963,6 +996,29 @@ public class LdapProviderConfig {
return this;
}
+ /**
+ * Optionally configures an array of attribute names that will be retrieved when looking up LDAP entries.
+ * Defaults to the empty array indicating that all attributes will be retrieved.
+ *
+ * @return an array of attribute names. The empty array indicates that all attributes will be retrieved.
+ */
+ @Nonnull
+ public String[] getCustomAttributes() {
+ return customAttributes;
+ }
+
+ /**
+ * Sets the attribute names to be retrieved when looking up LDAP entries. The empty array indicates that all attributes will be retrieved.
+ *
+ * @param customAttributes an array of attribute names
+ * @return the Identity instance
+ */
+ @Nonnull
+ public LdapProviderConfig setCustomAttributes(@Nonnull String[] customAttributes) {
+ this.customAttributes = customAttributes;
+ return this;
+ }
+
/**
* Returns the LDAP filter that is used when searching for groups where an identity is member of.
* The filter is based on the configuration and has the following format:
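Review bot: `setCustomAttributes` stores the caller's array and `getCustomAttributes` returns the internal one, so the configured attribute list can be changed behind the config's back after it has been validated, and with the default it is the shared static `PARAM_CUSTOM_ATTRIBUTES_DEFAULT` array that gets handed out. Defensive copies on both sides close that: `this.customAttributes = Arrays.copyOf(customAttributes, customAttributes.length);` in the setter and `return customAttributes.clone();` in the getter (`Arrays` is already imported for `toString`). The getter's Javadoc summary "Optionally configures an array of attribute names..." describes the setter; it should say "Returns the attribute names retrieved when looking up LDAP entries."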
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java?rev=1752198&r1=1752197&r2=1752198&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java Mon Jul 11 19:00:14 2016
@@ -29,7 +29,6 @@ import java.util.Map;
import javax.jcr.SimpleCredentials;
import javax.security.auth.login.LoginException;
-import com.google.common.collect.ImmutableMap;
import org.apache.directory.server.constants.ServerDNConstants;
import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider;
import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig;
@@ -44,7 +43,6 @@ import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
-import org.junit.Ignore;
import static junit.framework.Assert.assertEquals;
import static junit.framework.Assert.assertNotNull;
@@ -105,13 +103,19 @@ public class LdapProviderTest {
}
protected LdapIdentityProvider createIDP() {
+ //The attribute "mail" is excluded deliberately
+ return createIDP(new String[] { "objectclass", "uid", "givenname", "description", "sn"});
+ }
+
+ protected LdapIdentityProvider createIDP(String[] userProperties) {
providerConfig = new LdapProviderConfig()
.setName(IDP_NAME)
.setHostname("127.0.0.1")
.setPort(LDAP_SERVER.getPort())
.setBindDN(ServerDNConstants.ADMIN_SYSTEM_DN)
.setBindPassword(InternalLdapServer.ADMIN_PW)
- .setGroupMemberAttribute("uniquemember");
+ .setGroupMemberAttribute("uniquemember")
+ .setCustomAttributes(userProperties);
providerConfig.getUserConfig()
.setBaseDN(ServerDNConstants.USERS_SYSTEM_DN)
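Review bot: With the no-arg `createIDP()` now always passing an explicit attribute list, no test in this class exercises the default path where `customAttributes` is empty and `SchemaConstants.ALL_USER_ATTRIBUTES` is requested, which is the behaviour every existing deployment relies on. A companion test that calls `createIDP(new String[0])`, fetches the same user and asserts `assertThat(properties, Matchers.<String, Object>hasEntry("mail", "hhornblo@royalnavy.mod.uk"));` would pin that branch. The comment on the deliberate exclusion of "mail" should also say why (so that the test can assert it is absent), e.g. `// "mail" is excluded deliberately so testGetUserProperties can verify the restriction takes effect`.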
@@ -205,10 +209,11 @@ public class LdapProviderTest {
Matchers.equalTo("objectclass"),
Matchers.containsInAnyOrder( "inetOrgPerson", "top", "person", "organizationalPerson")));
assertThat(properties, Matchers.<String, Object>hasEntry("uid", "hhornblo"));
- assertThat(properties, Matchers.<String, Object>hasEntry("mail", "hhornblo@royalnavy.mod.uk"));
assertThat(properties, Matchers.<String, Object>hasEntry("givenname", "Horatio"));
assertThat(properties, Matchers.<String, Object>hasEntry("description", "Capt. Horatio Hornblower, R.N"));
assertThat(properties, Matchers.<String, Object>hasEntry("sn", "Hornblower"));
+
+ assertThat(properties, Matchers.not(Matchers.<String, Object>hasEntry("mail", "hhornblo@royalnavy.mod.uk")));
}
@Test
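Review bot: The new negative assertion `Matchers.not(hasEntry("mail", "hhornblo@royalnavy.mod.uk"))` only proves that "mail" does not carry that exact value, so the test would still pass if the attribute were returned with a different value, which is not what the restriction is meant to guarantee. Asserting the key is absent, `assertThat(properties, Matchers.not(Matchers.hasKey("mail")));`, states the intended contract directly. The enclosing test method starts before this hunk.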