author | Endi S. Dewata <edewata@redhat.com> | 2015-10-02 00:09:36 +0200 |
committer | Endi S. Dewata <edewata@redhat.com> | 2015-10-02 18:30:40 +0200 |
commit | 017d582ba50fe4ffc4bedf40a5229fb6aa381b37 (patch) | |
tree | bfb149fc5b290bd1ccbb39d2c170cf08a3c9455e /base/server/cmscore/src | |
parent | 29801060fa86b6f196ef694c6672d909ea5336e4 (diff) | |
Fixed user search in PasswdUserDBAuthentication.
PasswdUserDBAuthentication.authenticate() has been modified so that it
uses the UGSubsystem to find the user in the proper LDAP subtree, which
avoids matching other LDAP entries that happen to contain a uid
attribute.
https://fedorahosted.org/pki/ticket/1580
Diffstat (limited to 'base/server/cmscore/src')
-rw-r--r-- | base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java | 80 |
1 files changed, 30 insertions, 50 deletions
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java
index 692dc49d6..07092aa07 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java
@@ -17,12 +17,6 @@ // --- END COPYRIGHT BLOCK ---
 package com.netscape.cmscore.authentication;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPSearchResults;
-import netscape.ldap.LDAPv2;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthToken;
 import com.netscape.certsrv.authentication.EInvalidCredentials;
@@ -38,10 +32,11 @@ import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.usrgrp.IUser;
 import com.netscape.cmscore.dbs.DBSubsystem;
 import com.netscape.cmscore.ldapconn.LdapAnonConnFactory;
-import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
 import com.netscape.cmscore.ldapconn.LdapConnInfo;
 import com.netscape.cmscore.usrgrp.UGSubsystem;
-import com.netscape.cmscore.util.Debug;
+
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPException;
 /**
  * Certificate Server admin authentication.
@@ -64,8 +59,6 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
 private String mName = null;
 private String mImplName = null;
 private IConfigStore mConfig;
-private String mBaseDN = null;
-private LdapBoundConnFactory mConnFactory = null;
 private LdapAnonConnFactory mAnonConnFactory = null;
 private ILogger mLogger = CMS.getLogger();
@@ -94,8 +87,6 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
 if (ldapinfo == null && CMS.isPreOpMode()) return;
-mBaseDN = dbs.getBaseDN();
-mConnFactory = new LdapBoundConnFactory("PasswdUserDBAuthentication", 3, 20, ldapinfo, dbs.getLdapAuthInfo());
 mAnonConnFactory = new LdapAnonConnFactory("PasswdUserDBAuthentication", 3, 20, ldapinfo);
 log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_AUTH_INIT_AUTH", mName));
@@ -124,76 +115,66 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
 // make sure the required credentials are provided
 String uid = (String) authCred.get(CRED_UID);
-CMS.debug("Authentication: UID=" + uid);
+CMS.debug("PasswdUserDBAuthentication: UID: " + uid);
 if (uid == null) {
 log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_MISSING_UID"));
 throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID));
 }
-String pwd = (String) authCred.get(CRED_PWD);
+String pwd = (String) authCred.get(CRED_PWD);
 if (pwd == null) {
 log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_ADMIN_NULL_PW", uid));
 throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
 }
+// don't allow anonymous binding
 if (pwd == "") {
 log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_ADMIN_EMPTY_PW", uid));
 throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
 }
-String userdn = null;
-LDAPConnection conn = null;
+UGSubsystem ug = UGSubsystem.getInstance();
+IUser user;
+
+try {
+user = ug.getUser(uid);
+} catch (EBaseException e) {
+CMS.debug(e);
+// not a user in our user/group database.
+log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_UID_NOT_FOUND", uid, e.toString()));
+throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + " " + e.getMessage());
+}
+
+if (user == null) {
+CMS.debug("PasswdUserDBAuthentication: User not found: " + uid);
+throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR",
+"Failure in User Group subsystem."));
+}
+
+String userdn = user.getUserDN();
+CMS.debug("PasswdUserDBAuthentication: DN: " + userdn);
 LDAPConnection anonConn = null;
 try {
-conn = mConnFactory.getConn();
-// do anonymous search for the user's dn.
-LDAPSearchResults res = conn.search(mBaseDN,
-LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false);
-
-if (res.hasMoreElements()) {
-LDAPEntry entry = (LDAPEntry) res.nextElement();
-
-userdn = entry.getDN();
-}
-if (userdn == null) {
-log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_ADMIN_NOT_FOUND", uid));
-throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
-}
 anonConn = mAnonConnFactory.getConn();
 anonConn.authenticate(userdn, pwd);
+
 } catch (LDAPException e) {
 log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_AUTH_FAILED", uid, e.toString()));
 throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+
 } finally {
-if (conn != null)
-mConnFactory.returnConn(conn);
 if (anonConn != null) mAnonConnFactory.returnConn(anonConn);
 }
-UGSubsystem ug = UGSubsystem.getInstance();
-
 authToken.set(TOKEN_USERDN, userdn);
 authToken.set(CRED_UID, uid); // return original uid for info
-IUser user = null;
-
-try {
-user = ug.getUser(uid);
-} catch (EBaseException e) {
-if (Debug.ON)
-e.printStackTrace();
-// not a user in our user/group database.
-log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_UID_NOT_FOUND", uid, e.toString()));
-throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + " " + e.getMessage());
-}
-if (user == null) {
-throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR",
-"Failure in User Group subsystem."));
-}
 authToken.set(TOKEN_USERDN, user.getUserDN());
 authToken.set(TOKEN_USERID, user.getUserID());
+
 log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_AUTHENTICATED", uid));
 return authToken;
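Review bot: The empty-password guard kept on the new side, `if (pwd == "")`, compares references rather than contents, so a password that is empty but not the interned literal (one built from the request, for instance) gets past the "don't allow anonymous binding" check and reaches `anonConn.authenticate(userdn, pwd)`; it should read `if (pwd.isEmpty()) {`. With the UGSubsystem lookup now placed before the bind, an unauthenticated caller receives a distinguishable response for an unknown uid (CMS_AUTHENTICATION_INTERNAL_ERROR with "Failure in User Group subsystem.", and the catch branch appends `e.getMessage()`) versus a wrong password (CMS_AUTHENTICATION_INVALID_CREDENTIAL), which lets accounts be enumerated; throwing the same generic CMS_AUTHENTICATION_INVALID_CREDENTIAL message on all three paths and keeping the detail in the log would close that. `authToken.set(TOKEN_USERDN, userdn)` and the later `authToken.set(TOKEN_USERDN, user.getUserDN())` now store the same value, so one of them can go. The enclosing authenticate() begins before this hunk.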
@@ -241,7 +222,6 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
 public void shutdown() {
 try {
 // disconnect all outstanding connections in the factory
-if (mConnFactory != null) mConnFactory.reset();
 if (mAnonConnFactory != null) mAnonConnFactory.reset();
 } catch (ELdapException e) {
 log(ILogger.LL_FAILURE, e.toString());
|