Posted to oak-commits@jackrabbit.apache.org by ba...@apache.org on 2018/08/22 17:07:03 UTC
svn commit: r1838666 - in /jackrabbit/oak/branches/1.6: ./ oak-auth-ldap/
oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/
oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/
oak-a...
Author: baedke
Date: Wed Aug 22 17:07:03 2018
New Revision: 1838666
URL: http://svn.apache.org/viewvc?rev=1838666&view=rev
Log:
OAK-7428: OAK-7428: LdapIdentityProvider doesn't support creating external ids from the uid attribute
Implemented.
Added:
jackrabbit/oak/branches/1.6/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/
jackrabbit/oak/branches/1.6/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java
Modified:
jackrabbit/oak/branches/1.6/ (props changed)
jackrabbit/oak/branches/1.6/oak-auth-ldap/pom.xml
jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java
jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java
jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java
jackrabbit/oak/branches/1.6/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java
jackrabbit/oak/branches/1.6/oak-doc/src/site/markdown/security/authentication/ldap.md
Propchange: jackrabbit/oak/branches/1.6/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Aug 22 17:07:03 2018
@@ -1,3 +1,3 @@
/jackrabbit/oak/branches/1.0:1665962
-/jackrabbit/oak/trunk:1781068,1781075,1781248,1781386,1781846,1781907,1782000,1782029,1782196,1782447,1782476,1782770,1782945,1782966,1782973,1782990,1783061,1783066,1783089,1783104-1783105,1783110,1783619,1783720,1783731,1783733,1783738,1783742,1783773,1783855,1783891,1784023,1784034,1784130,1784162,1784251,1784401,1784551,1784574,1784689,1785095,1785108,1785161,1785172,1785283,1785652,1785838,1785916-1785917,1785919,1785946,1786122,1787074,1787145,1787151,1787217,1787425,1788056,1788378,1788387-1788389,1788463,1788476,1788850,1789056,1789534,1789925,1789940,1789987,1790006,1790013,1790069,1790077,1790079,1790382,1790502-1790503,1792049,1792463,1792742,1792746,1793013,1793088,1793618,1793627,1793644,1794393,1794417,1794683,1795138,1795314,1795330,1795475,1795488,1795491,1795502,1795594,1795613,1795618,1796144,1796230,1796239,1796274,1796278,1796988,1797378,1798035,1798832,1798834,1799219,1799389,1799393,1799924,1800244,1800269,1800606,1800613,1800974,1801011,1801013,1801118-1801119
,1801675,1802260,1802262,1802286,1802548,1802905,1802934,1802938,1802973,1803026,1803247-1803249,1803951,1803953-1803955,1804437,1805851-1805852,1806668,1807308,1807688,1808022,1808125,1808128,1808142,1808240,1808246,1809024,1809026,1809131,1809163,1809178-1809179,1809253,1809255-1809256,1809289,1809745,1811071-1811072,1811155,1811380,1811655,1811952,1811963,1811986,1813192,1813538,1814189,1814332,1814397,1815201,1815438,1815926,1817326,1817919,1817987-1817988,1817990,1818038,1818042,1818056,1818124,1818137,1818554,1818576,1818645,1819048,1819050,1821237,1821325,1821358,1821495,1821516,1821847,1822207,1822850,1823172,1823655,1824896,1825471,1825654,1826237,1826338,1826532,1826640,1826932,1826957,1827472,1827486,1827977,1829527,1829569,1829854,1829864,1829987,1829998,1830019,1830160,1830748,1831374,1832379,1832535,1833308,1834648-1834649,1834681,1835060,1837475,1837998,1838637
+/jackrabbit/oak/trunk:1781068,1781075,1781248,1781386,1781846,1781907,1782000,1782029,1782196,1782447,1782476,1782770,1782945,1782966,1782973,1782990,1783061,1783066,1783089,1783104-1783105,1783110,1783619,1783720,1783731,1783733,1783738,1783742,1783773,1783855,1783891,1784023,1784034,1784130,1784162,1784251,1784401,1784551,1784574,1784689,1785095,1785108,1785161,1785172,1785283,1785652,1785838,1785916-1785917,1785919,1785946,1786122,1787074,1787145,1787151,1787217,1787425,1788056,1788378,1788387-1788389,1788463,1788476,1788850,1789056,1789534,1789925,1789940,1789987,1790006,1790013,1790069,1790077,1790079,1790382,1790502-1790503,1792049,1792463,1792742,1792746,1793013,1793088,1793618,1793627,1793644,1794393,1794417,1794683,1795138,1795314,1795330,1795475,1795488,1795491,1795502,1795594,1795613,1795618,1796144,1796230,1796239,1796274,1796278,1796988,1797378,1798035,1798832,1798834,1799219,1799389,1799393,1799924,1800244,1800269,1800606,1800613,1800974,1801011,1801013,1801118-1801119
,1801675,1802260,1802262,1802286,1802548,1802905,1802934,1802938,1802973,1803026,1803247-1803249,1803951,1803953-1803955,1804437,1805851-1805852,1806668,1807308,1807688,1808022,1808125,1808128,1808142,1808240,1808246,1809024,1809026,1809131,1809163,1809178-1809179,1809253,1809255-1809256,1809289,1809745,1811071-1811072,1811155,1811380,1811655,1811952,1811963,1811986,1813192,1813538,1814189,1814332,1814397,1815201,1815438,1815926,1817326,1817919,1817987-1817988,1817990,1818038,1818042,1818056,1818124,1818137,1818554,1818576,1818645,1819048,1819050,1821237,1821325,1821358,1821495,1821516,1821847,1822207,1822850,1823172,1823655,1824896,1825471,1825654,1826237,1826338,1826532,1826640,1826932,1826957,1827472,1827486,1827977,1829527,1829569,1829587,1829665,1829854,1829864,1829987,1829998,1830019,1830160,1830239,1830748,1831190,1831374,1832379,1832535,1833308,1834648-1834649,1834681,1835060,1837475,1837998,1838637
/jackrabbit/trunk:1345480
Modified: jackrabbit/oak/branches/1.6/oak-auth-ldap/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-auth-ldap/pom.xml?rev=1838666&r1=1838665&r2=1838666&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-auth-ldap/pom.xml (original)
+++ jackrabbit/oak/branches/1.6/oak-auth-ldap/pom.xml Wed Aug 22 17:07:03 2018
@@ -399,5 +399,17 @@
</exclusion>
</exclusions>
</dependency>
+ <dependency>
+ <groupId>org.apache.sling</groupId>
+ <artifactId>org.apache.sling.testing.osgi-mock</artifactId>
+ <version>2.3.6</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.mockito</groupId>
+ <artifactId>mockito-core</artifactId>
+ <version>2.21.0</version>
+ <scope>test</scope>
+ </dependency>
</dependencies>
</project>
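Review bot: the two new test dependencies pin their versions (2.3.6 and 2.21.0) directly in this module's pom; if the Oak parent pom manages these artifacts, drop the `<version>` elements here so every module shares one version and upgrades happen in a single place.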
Modified: jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java?rev=1838666&r1=1838665&r2=1838666&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java (original)
+++ jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapGroup.java Wed Aug 22 17:07:03 2018
@@ -20,6 +20,7 @@ import java.util.Map;
import javax.annotation.Nonnull;
+import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
@@ -28,15 +29,15 @@ public class LdapGroup extends LdapIdent
private Map<String, ExternalIdentityRef> members;
- public LdapGroup(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path) {
- super(provider, ref, id, path);
+ public LdapGroup(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path, Entry entry) {
+ super(provider, ref, id, path, entry);
}
@Nonnull
@Override
public Iterable<ExternalIdentityRef> getDeclaredMembers() throws ExternalIdentityException {
if (members == null) {
- members = provider.getDeclaredMemberRefs(ref);
+ members = provider.getDeclaredMemberRefs(ref, entry.getDn().getName());
}
return members.values();
}
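Review bot: `getDeclaredMembers()` now dereferences `entry.getDn()`, but the new constructor accepts `entry` without a null check, so an `LdapGroup` built with a null entry fails later with a NullPointerException far from the cause; either annotate the parameter `@Nonnull` and reject null in the constructor, or guard the dereference.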
Modified: jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java?rev=1838666&r1=1838665&r2=1838666&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java (original)
+++ jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentity.java Wed Aug 22 17:07:03 2018
@@ -20,6 +20,7 @@ import java.util.Map;
import javax.annotation.Nonnull;
+import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
@@ -37,15 +38,22 @@ public abstract class LdapIdentity imple
protected final String path;
+ protected final Entry entry;
+
private Map<String, ExternalIdentityRef> groups;
private final LdapIdentityProperties properties = new LdapIdentityProperties();
- protected LdapIdentity(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path) {
+ protected LdapIdentity(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path, Entry entry) {
this.provider = provider;
this.ref = ref;
this.id = id;
this.path = path;
+ this.entry = entry;
+ }
+
+ public Entry getEntry() {
+ return entry;
}
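Review bot: the new public `getEntry()` has no Javadoc and hands out the mutable Apache Directory `Entry`, including every attribute that was fetched for the identity; the object now lives as long as the identity does, and deployments that leave the custom-attribute list empty (which fetches all attributes) will keep everything the directory returned in memory. Document the accessor, state that callers must not modify the returned entry, and consider keeping only what is needed (the DN) or returning an unmodifiable view.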
/**
@@ -91,7 +99,7 @@ public abstract class LdapIdentity imple
@Override
public Iterable<ExternalIdentityRef> getDeclaredGroups() throws ExternalIdentityException {
if (groups == null) {
- groups = provider.getDeclaredGroupRefs(ref);
+ groups = provider.getDeclaredGroupRefs(ref, entry.getDn().getName());
}
return groups.values();
}
Modified: jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java?rev=1838666&r1=1838665&r2=1838666&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java (original)
+++ jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java Wed Aug 22 17:07:03 2018
@@ -351,7 +351,7 @@ public class LdapIdentityProvider implem
return null;
}
final SimpleCredentials creds = (SimpleCredentials) credentials;
- final ExternalUser user = getUser(creds.getUserID());
+ final LdapUser user = (LdapUser)getUser(creds.getUserID());
if (user != null) {
// OAK-2078: check for non-empty passwords to avoid anonymous bind on weakly configured servers
// see http://tools.ietf.org/html/rfc4513#section-5.1.1 for details.
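Review bot: the cast `(LdapUser)getUser(creds.getUserID())` is unchecked; `getUser` is declared to return `ExternalUser`, so if it ever returns another implementation this throws `ClassCastException` out of `authenticate` instead of failing in a controlled way. Prefer an internal helper that returns `LdapUser` directly, or guard with `instanceof` and return null.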
@@ -369,7 +369,8 @@ public class LdapIdentityProvider implem
connection = userPool.getConnection();
}
timer.mark("connect");
- connection.bind(user.getExternalId().getId(), new String(creds.getPassword()));
+ connection.bind(user.getEntry().getDn(), new String(creds.getPassword()));
+ //connection.bind(user.getExternalId().getId(), new String(creds.getPassword()));
timer.mark("bind");
if (log.isDebugEnabled()) {
log.debug("authenticate({}) {}", user.getId(), timer.getString());
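Review bot: the commented-out line `//connection.bind(user.getExternalId().getId(), new String(creds.getPassword()));` should be deleted rather than left as dead code; version control keeps the history. The change itself is the right one: once the external id may be the uid attribute it is no longer a bind DN, so binding with `user.getEntry().getDn()` is what keeps authentication working in both modes.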
@@ -402,11 +403,11 @@ public class LdapIdentityProvider implem
* @param ref reference to the identity
* @return map of identities where the key is the DN of the LDAP entity
*/
- Map<String, ExternalIdentityRef> getDeclaredGroupRefs(ExternalIdentityRef ref) throws ExternalIdentityException {
+ Map<String, ExternalIdentityRef> getDeclaredGroupRefs(ExternalIdentityRef ref, String dn) throws ExternalIdentityException {
if (!isMyRef(ref)) {
return Collections.emptyMap();
}
- String searchFilter = config.getMemberOfSearchFilter(ref.getId());
+ String searchFilter = config.getMemberOfSearchFilter(dn);
LdapConnection connection = null;
SearchCursor searchCursor = null;
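Review bot: the Javadoc above still documents only `@param ref`; add `@param dn` and say that it is the entry's DN, not the external id. Since `dn` is now substituted into the member-of search filter via `config.getMemberOfSearchFilter(dn)`, confirm that the filter template still applies LDAP filter escaping to the value it receives; the DN comes back from the directory, but it can contain characters that are significant in filter syntax.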
@@ -466,7 +467,7 @@ public class LdapIdentityProvider implem
* @return map of identity refers
* @throws ExternalIdentityException if an error occurs
*/
- Map<String, ExternalIdentityRef> getDeclaredMemberRefs(ExternalIdentityRef ref) throws ExternalIdentityException {
+ Map<String, ExternalIdentityRef> getDeclaredMemberRefs(ExternalIdentityRef ref, String dn) throws ExternalIdentityException {
if (!isMyRef(ref)) {
return Collections.emptyMap();
}
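Review bot: same Javadoc gap as in `getDeclaredGroupRefs`: the new `dn` parameter is undocumented; add `@param dn the DN of the entry whose members are looked up`.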
@@ -476,7 +477,7 @@ public class LdapIdentityProvider implem
DebugTimer timer = new DebugTimer();
connection = connect();
timer.mark("connect");
- Entry entry = connection.lookup(ref.getId());
+ Entry entry = connection.lookup(dn);
timer.mark("lookup");
Attribute attr = entry.get(config.getGroupMemberAttribute());
if (attr == null) {
@@ -802,46 +803,38 @@ public class LdapIdentityProvider implem
@Nonnull
private ExternalUser createUser(@Nonnull Entry entry, @CheckForNull String id)
throws LdapInvalidAttributeValueException {
- ExternalIdentityRef ref = new ExternalIdentityRef(entry.getDn().getName(), this.getName());
- if (id == null) {
- String idAttribute = config.getUserConfig().getIdAttribute();
- Attribute attr = entry.get(idAttribute);
- if (attr == null) {
- throw new LdapInvalidAttributeValueException(ResultCodeEnum.CONSTRAINT_VIOLATION,
- "no value found for attribute '" + idAttribute + "' for entry " + entry);
- }
- id = attr.getString();
- }
- String path = config.getUserConfig().makeDnPath()
- ? createDNPath(entry.getDn())
- : null;
- LdapUser user = new LdapUser(this, ref, id, path);
- Map<String, Object> props = user.getProperties();
- applyAttributes(props, entry);
- return user;
+ return (ExternalUser) createIdentity(entry, id, false);
}
@Nonnull
- private ExternalGroup createGroup(@Nonnull Entry entry, @CheckForNull String name)
+ private ExternalGroup createGroup(@Nonnull Entry entry, @CheckForNull String id)
throws LdapInvalidAttributeValueException {
- ExternalIdentityRef ref = new ExternalIdentityRef(entry.getDn().getName(), this.getName());
- if (name == null) {
- String idAttribute = config.getGroupConfig().getIdAttribute();
+ return (ExternalGroup) createIdentity(entry, id, true);
+ }
+
+ @Nonnull
+ private ExternalIdentity createIdentity(@Nonnull Entry entry, @CheckForNull String id, boolean isGroup)
+ throws LdapInvalidAttributeValueException {
+ LdapProviderConfig.Identity cfg = isGroup ? config.getGroupConfig() : config.getUserConfig();
+ if (id == null) {
+ String idAttribute = cfg.getIdAttribute();
Attribute attr = entry.get(idAttribute);
if (attr == null) {
throw new LdapInvalidAttributeValueException(ResultCodeEnum.CONSTRAINT_VIOLATION,
"no value found for attribute '" + idAttribute + "' for entry " + entry);
}
- name = attr.getString();
+ id = attr.getString();
}
- String path = config.getGroupConfig().makeDnPath()
+ String extId = config.getUseUidForExtId() ? id : entry.getDn().getName();
+ ExternalIdentityRef ref = new ExternalIdentityRef(extId, this.getName());
+ String path = cfg.makeDnPath()
? createDNPath(entry.getDn())
: null;
- LdapGroup group = new LdapGroup(this, ref, name, path);
- Map<String, Object> props = group.getProperties();
+ LdapIdentity identity = isGroup ? new LdapGroup(this, ref, id, path, entry)
+ : new LdapUser(this, ref, id, path, entry);
+ Map<String, Object> props = identity.getProperties();
applyAttributes(props, entry);
- return group;
-
+ return identity;
}
private void applyAttributes(Map<String, Object> props, Entry entry)
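Review bot: with `useUidForExtId` enabled, `String extId = config.getUseUidForExtId() ? id : entry.getDn().getName();` uses the caller-supplied `id` whenever it is non-null and only falls back to the entry's id attribute when it is null. A caller that passes the id in a different letter case than the directory stores it therefore produces a different external id for the same LDAP entry (the test in this commit asserts exactly that for `TEST_USER1_UID.toUpperCase()`), which can turn one directory account into several synced repository identities. Read the id attribute from `entry` unconditionally when building `extId`, so the external id is always the canonical directory value. A second point: DNs are unique across the directory, but a user id attribute value and a group name attribute value are not guaranteed to differ, so with this option a user and a group can end up with the same `ExternalIdentityRef`; worth stating in the option's documentation.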
Modified: jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java?rev=1838666&r1=1838665&r2=1838666&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java (original)
+++ jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java Wed Aug 22 17:07:03 2018
@@ -406,6 +406,21 @@ public class LdapProviderConfig {
public static final String PARAM_GROUP_MEMBER_ATTRIBUTE = "group.memberAttribute";
/**
+ * @see #getUseUidForExtId()
+ */
+ public static final boolean PARAM_USE_UID_FOR_EXT_ID_DEFAULT = false;
+
+ /**
+ * @see #getUseUidForExtId()
+ */
+ @Property(
+ label = "Use user id for external ids",
+ description = "If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead.",
+ boolValue = PARAM_USE_UID_FOR_EXT_ID_DEFAULT
+ )
+ public static final String PARAM_USE_UID_FOR_EXT_ID = "useUidForExtId";
+
+ /**
* @see Identity#getCustomAttributes()
*/
public static final String[] PARAM_CUSTOM_ATTRIBUTES_DEFAULT = {};
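Review bot: the `@Property` description should warn that this option changes the external identifier of every user and group the provider produces, so enabling it on a repository that already holds identities synced under DN-based external ids will stop matching them to their existing accounts. Also, the other parameter keys in this class use a dotted prefix (`group.memberAttribute`), so consider whether `useUidForExtId` should follow the same scheme.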
@@ -632,6 +647,7 @@ public class LdapProviderConfig {
* Sets the cap on the number of objects that can be allocated by the pool.
*
* @see #getMaxActive
+ * @param maxActive the new upper limit of the pool size
* @return this
*/
@Nonnull
@@ -644,7 +660,7 @@ public class LdapProviderConfig {
* Defines if the lookup on validate flag is enabled. If enable a connection that taken from the
* pool are validated before used. currently this is done by performing a lookup to the ROOT DSE, which
* might not be allowed on all LDAP servers.
-
+ *
* @return {@code true} if the flag is enabled.
*/
public boolean lookupOnValidate() {
@@ -655,6 +671,7 @@ public class LdapProviderConfig {
* Sets the lookup on validate flag.
*
* @see #lookupOnValidate()
+ * @param lookupOnValidate the new value of the lookup on validate flag
* @return this
*/
@Nonnull
@@ -689,7 +706,8 @@ public class LdapProviderConfig {
.setBindDN(params.getConfigValue(PARAM_BIND_DN, PARAM_BIND_DN_DEFAULT))
.setBindPassword(params.getConfigValue(PARAM_BIND_PASSWORD, PARAM_BIND_PASSWORD_DEFAULT))
.setGroupMemberAttribute(params.getConfigValue(PARAM_GROUP_MEMBER_ATTRIBUTE, PARAM_GROUP_MEMBER_ATTRIBUTE_DEFAULT))
- .setCustomAttributes(params.getConfigValue(PARAM_CUSTOM_ATTRIBUTES, PARAM_CUSTOM_ATTRIBUTES_DEFAULT));
+ .setCustomAttributes(params.getConfigValue(PARAM_CUSTOM_ATTRIBUTES, PARAM_CUSTOM_ATTRIBUTES_DEFAULT))
+ .setUseUidForExtId(params.getConfigValue(PARAM_USE_UID_FOR_EXT_ID, PARAM_USE_UID_FOR_EXT_ID_DEFAULT));
ConfigurationParameters.Milliseconds ms = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_SEARCH_TIMEOUT, PARAM_SEARCH_TIMEOUT_DEFAULT));
if (ms != null) {
@@ -741,6 +759,8 @@ public class LdapProviderConfig {
private String groupMemberAttribute = PARAM_GROUP_MEMBER_ATTRIBUTE;
+ private boolean useUidForExtId = PARAM_USE_UID_FOR_EXT_ID_DEFAULT;
+
private String memberOfFilterTemplate;
private String[] customAttributes = PARAM_CUSTOM_ATTRIBUTES_DEFAULT;
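Review bot: unrelated to this change but visible in the context: `private String groupMemberAttribute = PARAM_GROUP_MEMBER_ATTRIBUTE;` initialises the field with the parameter key rather than `PARAM_GROUP_MEMBER_ATTRIBUTE_DEFAULT`, unlike the new `useUidForExtId` field, which correctly uses its default constant; worth fixing while here.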
@@ -988,6 +1008,29 @@ public class LdapProviderConfig {
}
/**
+ * If true, the value of the user id (resp. group name) attribute will be used to create external identifiers. Otherwise the DN will be used, which is the default.
+ *
+ * @return true iff the value of the user id (resp. group name) attribute will be used to create external identifiers
+ */
+ @Nonnull
+ public boolean getUseUidForExtId() {
+ return useUidForExtId;
+ }
+
+ /**
+ * Sets the flag that controls if the user id (resp. gruop name) will be used instead of the DN to create external ids.
+ *
+ * @see #getUseUidForExtId()
+ * @param useUidForExtId the new value of #useUidForExtId
+ * @return {@code this}
+ */
+ @Nonnull
+ public LdapProviderConfig setUseUidForExtId(boolean useUidForExtId) {
+ this.useUidForExtId = useUidForExtId;
+ return this;
+ }
+
+ /**
* Optionally configures an array of attribute names that will be retrieved when looking up LDAP entries.
* Defaults to the empty array indicating that all attributes will be retrieved.
*
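Review bot: `@Nonnull` on `getUseUidForExtId()` is meaningless on a method returning a primitive `boolean` and should be dropped; also fix the typo "gruop" in the setter's Javadoc and replace the bare `#useUidForExtId` with plain wording or a `{@link}`.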
@@ -1158,6 +1201,7 @@ public class LdapProviderConfig {
sb.append(", bindPassword='***'");
sb.append(", searchTimeout=").append(searchTimeout);
sb.append(", groupMemberAttribute='").append(groupMemberAttribute).append('\'');
+ sb.append(", useUidForExtId='").append(useUidForExtId).append('\'');
sb.append(", memberOfFilterTemplate='").append(memberOfFilterTemplate).append('\'');
sb.append(", adminPoolConfig=").append(adminPoolConfig);
sb.append(", userPoolConfig=").append(userPoolConfig);
Modified: jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java?rev=1838666&r1=1838665&r2=1838666&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java (original)
+++ jackrabbit/oak/branches/1.6/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapUser.java Wed Aug 22 17:07:03 2018
@@ -16,13 +16,14 @@
*/
package org.apache.jackrabbit.oak.security.authentication.ldap.impl;
+import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
public class LdapUser extends LdapIdentity implements ExternalUser {
- public LdapUser(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path) {
- super(provider, ref, id, path);
+ public LdapUser(LdapIdentityProvider provider, ExternalIdentityRef ref, String id, String path, Entry entry) {
+ super(provider, ref, id, path, entry);
}
}
Modified: jackrabbit/oak/branches/1.6/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java?rev=1838666&r1=1838665&r2=1838666&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java (original)
+++ jackrabbit/oak/branches/1.6/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/LdapProviderTest.java Wed Aug 22 17:07:03 2018
@@ -39,8 +39,10 @@ import javax.security.auth.login.LoginEx
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.constants.ServerDNConstants;
+import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentity;
import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider;
import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig;
+import org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
@@ -199,7 +201,7 @@ public class LdapProviderTest {
public void testGetUserByUserId() throws Exception {
ExternalUser user = idp.getUser(TEST_USER1_UID);
assertNotNull("User 1 must exist", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
+ assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
}
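Review bot: the replaced assertion dropped the check on `user.getExternalId().getId()`; with the default configuration the external id must still equal `TEST_USER1_DN`, so keep that assertion alongside the new one on `getEntry().getDn().getName()` so the default path stays covered.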
@Test
@@ -220,12 +222,32 @@ public class LdapProviderTest {
assertThat(properties, Matchers.not(Matchers.<String, Object>hasEntry("mail", "hhornblo@royalnavy.mod.uk")));
}
- @Test
- public void testAuthenticate() throws Exception {
+ private void authenticateInternal(LdapIdentityProvider idp, String id) throws Exception {
SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
ExternalUser user = idp.authenticate(creds);
assertNotNull("User 1 must authenticate", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
+ assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
+ assertEquals("User Ref", id, user.getExternalId().getId());
+ }
+
+ @Test
+ public void testAuthenticate() throws Exception {
+ authenticateInternal(idp, TEST_USER1_DN);
+
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ authenticateInternal(idp, TEST_USER1_UID);
+ }
+
+ private void authenticateValidateInternal(LdapIdentityProvider idp, String id) throws Exception {
+ SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
+ for (int i=0; i<8; i++) {
+ ExternalUser user = this.idp.authenticate(creds);
+ assertNotNull("User 1 must authenticate (i=" + i + ")", user);
+ assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
+ assertEquals("User Ref", id, user.getExternalId().getId());
+ }
}
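Review bot: `authenticateValidateInternal(LdapIdentityProvider idp, String id)` takes `idp` as a parameter but calls `this.idp.authenticate(creds)`, ignoring the argument; the callers happen to pass the field, so it works today, but the helper should use the parameter (as `authenticateInternal` does) to avoid a surprise when it is reused.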
@Test
@@ -238,13 +260,12 @@ public class LdapProviderTest {
.setLookupOnValidate(false);
idp.close();
idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_DN);
- SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
- for (int i=0; i<8; i++) {
- ExternalUser user = idp.authenticate(creds);
- assertNotNull("User 1 must authenticate", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
- }
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_UID);
}
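Review bot: the block `providerConfig.setUseUidForExtId(true); idp.close(); idp = new LdapIdentityProvider(providerConfig);` followed by the second helper call is repeated verbatim in each of the validate tests; fold it into the helper (run once with the default, once with the flag) so the tests stay in sync. Also confirm that the test setup resets `providerConfig` before each test, since the flag is set to `true` and never cleared in these methods.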
@Test
@@ -257,13 +278,12 @@ public class LdapProviderTest {
.setLookupOnValidate(true);
idp.close();
idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_DN);
- SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
- for (int i=0; i<8; i++) {
- ExternalUser user = idp.authenticate(creds);
- assertNotNull("User 1 must authenticate", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
- }
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_UID);
}
@Test
@@ -276,13 +296,12 @@ public class LdapProviderTest {
.setLookupOnValidate(false);
idp.close();
idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_DN);
- SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
- for (int i=0; i<8; i++) {
- ExternalUser user = idp.authenticate(creds);
- assertNotNull("User 1 must authenticate (i=" + i + ")", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
- }
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_UID);
}
@Test
@@ -295,13 +314,12 @@ public class LdapProviderTest {
.setLookupOnValidate(true);
idp.close();
idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_DN);
- SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID, "pass".toCharArray());
- for (int i=0; i<8; i++) {
- ExternalUser user = idp.authenticate(creds);
- assertNotNull("User 1 must authenticate (i=" + i + ")", user);
- assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
- }
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ authenticateValidateInternal(idp, TEST_USER1_UID);
}
@Test
@@ -309,7 +327,16 @@ public class LdapProviderTest {
SimpleCredentials creds = new SimpleCredentials(TEST_USER1_UID.toUpperCase(), "pass".toCharArray());
ExternalUser user = idp.authenticate(creds);
assertNotNull("User 1 must authenticate", user);
+ assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
assertEquals("User Ref", TEST_USER1_DN, user.getExternalId().getId());
+
+ providerConfig.setUseUidForExtId(true);
+ idp.close();
+ idp = new LdapIdentityProvider(providerConfig);
+ user = idp.authenticate(creds);
+ assertNotNull("User 1 must authenticate", user);
+ assertEquals("User Ref", TEST_USER1_DN, ((LdapUser)user).getEntry().getDn().getName());
+ assertEquals("User Ref", TEST_USER1_UID.toUpperCase(), user.getExternalId().getId());
}
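Review bot: the new assertion `assertEquals("User Ref", TEST_USER1_UID.toUpperCase(), user.getExternalId().getId())` pins the behaviour that the external id takes the case the caller typed rather than the value stored in the directory. If that is intended, say so in the option's documentation; if not, the expected value should be `TEST_USER1_UID` and `createIdentity` should derive the id from the entry's attribute.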
@Test
@@ -356,10 +383,9 @@ public class LdapProviderTest {
public void testGetGroupByName() throws Exception {
ExternalGroup group = idp.getGroup(TEST_GROUP1_NAME);
assertNotNull("Group 1 must exist", group);
- assertEquals("Group Ref", TEST_GROUP1_DN, group.getExternalId().getId());
+ assertEquals("Group Ref", TEST_GROUP1_DN, ((LdapIdentity)group).getEntry().getDn().getName());
}
-
@Test
public void testGetMembers() throws Exception {
ExternalIdentityRef ref = new ExternalIdentityRef(TEST_GROUP1_DN, IDP_NAME);
Added: jackrabbit/oak/branches/1.6/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java?rev=1838666&view=auto
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java (added)
+++ jackrabbit/oak/branches/1.6/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderOsgiTest.java Wed Aug 22 17:07:03 2018
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authentication.ldap.impl;
+
+import javax.jcr.GuestCredentials;
+
+import org.apache.jackrabbit.oak.security.authentication.ldap.LdapProviderTest;
+import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
+import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
+import org.apache.sling.testing.mock.osgi.junit.OsgiContext;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+public class LdapIdentityProviderOsgiTest {
+
+ @Rule
+ public final OsgiContext context = new OsgiContext();
+
+ private LdapIdentityProvider provider = new LdapIdentityProvider();
+
+ @Before
+ public void before() throws Exception {
+ context.registerInjectActivateService(provider);
+ }
+
+ @Test(expected = ExternalIdentityException.class)
+ public void testFromExternalIdentityRefForeign() throws Exception {
+ provider.fromExternalIdentityRef(new ExternalIdentityRef("id", "anotherName"));
+ }
+
+ @Test
+ public void testFromExternalIdentityRef() throws Exception {
+ assertEquals("id", provider.fromExternalIdentityRef(new ExternalIdentityRef("id", provider.getName())));
+ }
+
+ @Test
+ public void testGetName() {
+ assertEquals(LdapProviderConfig.PARAM_NAME_DEFAULT, provider.getName());
+ }
+
+ @Test
+ public void testAuthenticateOtherCredentials() throws Exception {
+ assertNull(provider.authenticate(new GuestCredentials()));
+ }
+
+ @Test
+ public void testGetIdentityForeingRef() throws Exception {
+ ExternalIdentityRef ref = new ExternalIdentityRef("id", "anotherName");
+ assertNull(provider.getIdentity(ref));
+ }
+
+ @Test
+ public void testGetDeclaredGroupRefsForeignRef() throws Exception {
+ ExternalIdentityRef ref = new ExternalIdentityRef("id", "anotherName");
+ assertTrue(provider.getDeclaredGroupRefs(ref, LdapProviderTest.TEST_USER1_DN).isEmpty());
+ }
+
+ @Test
+ public void testGetDeclaredMemberRefsForeignRef() throws Exception {
+ ExternalIdentityRef ref = new ExternalIdentityRef("id", "anotherName");
+ assertTrue(provider.getDeclaredMemberRefs(ref, LdapProviderTest.TEST_GROUP1_DN).isEmpty());
+ }
+
+ @Test(expected = ExternalIdentityException.class)
+ public void testGetUserMissingConnection() throws Exception {
+ provider.getUser("user");
+ }
+
+ @Test(expected = ExternalIdentityException.class)
+ public void testGetGroupMissingConnection() throws Exception {
+ provider.getGroup("gr");
+ }
+
+ @Test(expected = ExternalIdentityException.class)
+ public void testListGroupsMissingConnections() throws Exception {
+ provider.listGroups().hasNext();
+ }
+
+ @Test(expected = ExternalIdentityException.class)
+ public void testListUsersMissingConnections() throws Exception {
+ provider.listUsers().hasNext();
+ }
+}
\ No newline at end of file
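Review bot: none of these tests touches the `useUidForExtId` option this commit introduces; every case activates the provider with default properties and only checks the unconfigured paths (foreign refs rejected, connection-less lookups throwing `ExternalIdentityException`), so the new behaviour is covered only indirectly through `LdapProviderTest`. Add a case that activates with that property set, using the overload of `registerInjectActivateService` that takes properties, and exercises the id derivation under it. The missing-connection tests assert only the exception type; a check on the message or cause would catch a regression where the exception is thrown for a different reason. Also rename `testGetIdentityForeingRef` to `testGetIdentityForeignRef` to match `testGetDeclaredGroupRefsForeignRef`, and add the trailing newline the file is missing.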
Modified: jackrabbit/oak/branches/1.6/oak-doc/src/site/markdown/security/authentication/ldap.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-doc/src/site/markdown/security/authentication/ldap.md?rev=1838666&r1=1838665&r2=1838666&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-doc/src/site/markdown/security/authentication/ldap.md (original)
+++ jackrabbit/oak/branches/1.6/oak-doc/src/site/markdown/security/authentication/ldap.md Wed Aug 22 17:07:03 2018
@@ -74,28 +74,30 @@ Oak repository:
The LDAP IPDs are configured through the [org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig]
which is populated either via OSGi or during manual [Repository Construction](../../construct.html).
-| Name | Property | Description |
-|------------------------------|-------------------------|------------------------------------------|
-| LDAP Provider Name | `provider.name` | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. |
-| Bind DN | `bind.dn` | DN of the user for authentication. Leave empty for anonymous bind. |
-| Bind Password | `bind.password` | Password of the user for authentication. |
-| LDAP Server Hostname | `host.name` | Hostname of the LDAP server |
-| Disable certificate checking | `host.noCertCheck` | Indicates if server certificate validation should be disabled. |
-| LDAP Server Port | `host.port` | Port of the LDAP server |
-| Use SSL | `host.ssl` | Indicates if an SSL (LDAPs) connection should be used. |
-| Use TLS | `host.tls` | Indicates if TLS should be started on connections. |
-| Search Timeout | `searchTimeout` | Time in until a search times out (eg: '1s' or '1m 30s'). |
-| User base DN | `user.baseDN` | The base DN for user searches. |
-| User extra filter | `user.extraFilter` | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` |
-| User id attribute | `user.idAttribute` | Name of the attribute that contains the user id. |
-| User DN paths | `user.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
-| User object classes | `user.objectclass` | The list of object classes an user entry must contain. |
-| Group base DN | `group.baseDN` | The base DN for group searches. |
-| Group extra filter | `group.extraFilter` | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` |
-| Group DN paths | `group.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
-| Group member attribute | `group.memberAttribute` | Group attribute that contains the member(s) of a group. |
-| Group name attribute | `group.nameAttribute` | Name of the attribute that contains the group name. |
-| Group object classes | `group.objectclass` | The list of object classes a group entry must contain. |
+| Name | Property | Description |
+|-------------------------------|-------------------------|------------------------------------------|
+| LDAP Provider Name | `provider.name` | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. |
+| Bind DN | `bind.dn` | DN of the user for authentication. Leave empty for anonymous bind. |
+| Bind Password | `bind.password` | Password of the user for authentication. |
+| LDAP Server Hostname | `host.name` | Hostname of the LDAP server |
+| Disable certificate checking | `host.noCertCheck` | Indicates if server certificate validation should be disabled. |
+| LDAP Server Port | `host.port` | Port of the LDAP server |
+| Use SSL | `host.ssl` | Indicates if an SSL (LDAPs) connection should be used. |
+| Use TLS | `host.tls` | Indicates if TLS should be started on connections. |
+| Search Timeout | `searchTimeout` | Time in until a search times out (eg: '1s' or '1m 30s'). |
+| User base DN | `user.baseDN` | The base DN for user searches. |
+| User extra filter | `user.extraFilter` | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` |
+| User id attribute | `user.idAttribute` | Name of the attribute that contains the user id. |
+| User DN paths | `user.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
+| User object classes | `user.objectclass` | The list of object classes an user entry must contain. |
+| Group base DN | `group.baseDN` | The base DN for group searches. |
+| Group extra filter | `group.extraFilter` | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` |
+| Group DN paths | `group.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
+| Group member attribute | `group.memberAttribute` | Group attribute that contains the member(s) of a group. |
+| Group name attribute | `group.nameAttribute` | Name of the attribute that contains the group name. |
+| Group object classes | `group.objectclass` | The list of object classes a group entry must contain. |
+| Use user id for external ids | `useUidForExtId` | If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead. |
+| Custom Attributes | `customattributes` | Attributes retrieved when looking up LDAP entries. Leave empty to retrieve all attributes. |
| | | |
#### SyncHandler and External Login Module
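Review bot: the new `useUidForExtId` row should say what happens to users and groups that were already synced while the option was off: those identities carry DN-based external ids, so toggling the option changes the identifier under which the same LDAP entry is matched, and the reader needs to know whether that means a re-sync or duplicate accounts. State the default explicitly ("Default: disabled") instead of implying it with "Leave disabled", and replace "user id (resp. group name) attribute" with "user id attribute (or, for groups, the group name attribute)". Fix the carried-over typo in the Search Timeout row ("Time in until a search times out" → "Time until a search times out"), and while the table is being touched, the `host.noCertCheck` description should warn that disabling certificate validation exposes the bind credentials to an interposed server and is for test setups only. Naming: `customattributes` is the only key in the table that is neither namespaced nor camel-cased (compare `user.idAttribute`, `host.noCertCheck`); if that is the real OSGi property name it must stay, but it deserves a check against `LdapProviderConfig`. Finally, rewriting all 21 existing rows just to widen the first column buries the two added rows; a diff that only adds the rows would have been easier to review.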