diff options
author | Christina Fu <cfu@redhat.com> | 2015-08-05 16:21:51 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2015-08-07 11:08:19 -0700 |
commit | c13593770108b6d683ab3d3b43b92d67ac64a1ef (patch) | |
tree | da650b5ee643edd5dc7381f20da4623b2a349adf /base/server | |
parent | bcdbc1e2edd66c3506544f0c53f9db3c4fe375b0 (diff) | |
download | pki-c13593770108b6d683ab3d3b43b92d67ac64a1ef.tar.gz pki-c13593770108b6d683ab3d3b43b92d67ac64a1ef.tar.xz pki-c13593770108b6d683ab3d3b43b92d67ac64a1ef.zip |
Ticket 1531 Directory auth plugin requires LDAP anonymous binds
-
This patch adds a feature to allow a directory based authentication plugin
to use bound ldap conneciton instead of anonymous.
Two files need to be edited
1. <instance>/conf/password.conf
add a "tag" and the password of the binding user dn to the file
e.g. externalLDAP=password123
2. <instance>/ca/CS.cfg
add the tag to cms.passwordlist:
e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
add the authPrefix of the auths entry for the authentication instance
e.g. externalLDAP.authPrefix=auths.instance.UserDirEnrollment
add relevant entries to the authentication instance
e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
Diffstat (limited to 'base/server')
6 files changed, 131 insertions, 12 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java index a8a95284d..d723a5756 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java +++ b/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java @@ -84,6 +84,8 @@ public abstract class DirBasedAuthentication protected static final String PROP_DNPATTERN = "dnpattern"; protected static final String PROP_LDAPSTRINGATTRS = "ldapStringAttributes"; protected static final String PROP_LDAPBYTEATTRS = "ldapByteAttributes"; + protected static final String PROP_LDAP_BOUND_CONN = "ldapBoundConn"; + protected static final String PROP_LDAP_BOUND_TAG = "ldapauth.bindPWPrompt"; // members @@ -110,6 +112,7 @@ public abstract class DirBasedAuthentication /* whether to search for member=<userDN> or member=<mGroupUserIdName>=<uid> */ protected boolean mSearchGroupUserByUserdn = true; + protected boolean mBoundConnEnable = false; /* factory of anonymous ldap connections */ protected ILdapConnFactory mConnFactory = null; @@ -130,6 +133,9 @@ public abstract class DirBasedAuthentication /* the combined list of LDAP attriubutes to retrieve*/ protected String[] mLdapAttrs = null; + /* the password prompt (tag) for the userdn of a bound connection */ + protected String mTag; + /* default dn pattern if left blank or not set in the config */ protected static String DEFAULT_DNPATTERN = "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c"; @@ -255,6 +261,7 @@ public abstract class DirBasedAuthentication mName = name; mImplName = implName; mConfig = config; + String method = "DirBasedAuthentication: init: "; /* initialize ldap server configuration */ mLdapConfig = mConfig.getSubStore(PROP_LDAP); @@ -263,22 +270,31 @@ public abstract class DirBasedAuthentication if (mBaseDN == null || mBaseDN.trim().equals("")) throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn")); mGroupsEnable = mLdapConfig.getBoolean(PROP_GROUPS_ENABLE, false); - CMS.debug("DirBasedAuthentication: mGroupsEnable=" + (mGroupsEnable ? "true" : "false")); + CMS.debug(method + " mGroupsEnable=" + (mGroupsEnable ? "true" : "false")); mGroupsBaseDN = mLdapConfig.getString(PROP_GROUPS_BASEDN, mBaseDN); - CMS.debug("DirBasedAuthentication: mGroupsBaseDN="+ mGroupsBaseDN); + CMS.debug(method + " mGroupsBaseDN="+ mGroupsBaseDN); mGroups= mLdapConfig.getString(PROP_GROUPS, "ou=groups"); - CMS.debug("DirBasedAuthentication: mGroups="+ mGroups); + CMS.debug(method + " mGroups="+ mGroups); mGroupObjectClass = mLdapConfig.getString(PROP_GROUP_OBJECT_CLASS, "groupofuniquenames"); - CMS.debug("DirBasedAuthentication: mGroupObjectClass="+ mGroupObjectClass); + CMS.debug(method + " mGroupObjectClass="+ mGroupObjectClass); mUserIDName = mLdapConfig.getString(PROP_USERID_NAME, "uid"); - CMS.debug("DirBasedAuthentication: mUserIDName="+ mUserIDName); + CMS.debug(method + " mUserIDName="+ mUserIDName); mSearchGroupUserByUserdn = mLdapConfig.getBoolean(PROP_SEARCH_GROUP_USER_BY_USERDN, true); - CMS.debug("DirBasedAuthentication: mSearchGroupUserByUserdn="+ mSearchGroupUserByUserdn); + CMS.debug(method + " mSearchGroupUserByUserdn="+ mSearchGroupUserByUserdn); mGroupUserIDName = mLdapConfig.getString(PROP_GROUP_USERID_NAME, "cn"); - CMS.debug("DirBasedAuthentication: mGroupUserIDName="+ mGroupUserIDName); + CMS.debug(method + " mGroupUserIDName="+ mGroupUserIDName); + } + mBoundConnEnable = mLdapConfig.getBoolean(PROP_LDAP_BOUND_CONN, false); + CMS.debug(method +" mBoundConnEnable =" + (mBoundConnEnable ? "true" : "false")); + if (mBoundConnEnable) { + mTag = mLdapConfig.getString(PROP_LDAP_BOUND_TAG); + CMS.debug(method + " getting ldap bound conn factory using id= " + mTag); + mConnFactory = CMS.getLdapBoundConnFactory(mTag); + } else { + mConnFactory = CMS.getLdapAnonConnFactory("DirBasedAuthentication"); } - mConnFactory = CMS.getLdapAnonConnFactory("DirBasedAuthentication"); - mConnFactory.init(mLdapConfig); + if (mConnFactory != null) // else can try again later when needed + mConnFactory.init(mLdapConfig); /* initialize dn pattern */ String pattern = mConfig.getString(PROP_DNPATTERN, null); @@ -372,16 +388,34 @@ public abstract class DirBasedAuthentication String userdn = null; LDAPConnection conn = null; AuthToken authToken = new AuthToken(this); + String method = "DirBasedAuthentication: authenticate:"; + CMS.debug(method + " begins...mBoundConnEnable=" + mBoundConnEnable); try { if (mConnFactory == null) { - conn = null; + CMS.debug(method + " mConnFactory null, getting conn factory"); + if (mBoundConnEnable) { + mTag = mLdapConfig.getString(PROP_LDAP_BOUND_TAG); + CMS.debug(method + " getting ldap bound conn factory using id= " + mTag); + mConnFactory = CMS.getLdapBoundConnFactory(mTag); + } else { + mConnFactory = CMS.getLdapAnonConnFactory("DirBasedAuthentication"); + } + if (mConnFactory != null) { + mConnFactory.init(mLdapConfig); + CMS.debug(method + " mConnFactory gotten, calling getConn"); + conn = mConnFactory.getConn(); + } } else { + CMS.debug(method + " mConnFactory class name = " + mConnFactory.getClass().getName()); + CMS.debug(method + " mConnFactory not null, calling getConn"); conn = mConnFactory.getConn(); } // authenticate the user and get a user entry. + CMS.debug(method + " before authenticate() call"); userdn = authenticate(conn, authCred, authToken); + CMS.debug(method + " after authenticate() call"); authToken.set(USER_DN, userdn); // formulate the cert info. diff --git a/base/server/cms/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java index 2f9fc43bd..e7313526a 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java +++ b/base/server/cms/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java @@ -134,10 +134,22 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication { return userdn; } catch (ELdapException e) { + CMS.debug("Authenticating: closing bad connection"); + try { + conn.disconnect(); + } catch (Exception f) { + CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString()); + } log(ILogger.LL_FAILURE, "Couldn't get ldap connection. Error: " + e.toString()); throw e; } catch (LDAPException e) { + CMS.debug("Authenticating: closing bad connection"); + try { + conn.disconnect(); + } catch (Exception f) { + CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString()); + } switch (e.getLDAPResultCode()) { case LDAPException.NO_SUCH_OBJECT: case LDAPException.LDAP_PARTIAL_RESULTS: diff --git a/base/server/cms/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java index 21e024fc4..26bfaab81 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java +++ b/base/server/cms/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java @@ -235,10 +235,22 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication return userdn; } catch (ELdapException e) { CMS.debug("Authenticating: User authentication failure: "+e); + CMS.debug("Authenticating: closing bad connection"); + try { + conn.disconnect(); + } catch (Exception f) { + CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString()); + } log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString())); throw e; } catch (LDAPException e) { CMS.debug("Authenticating: User authentication failure: "+e); + CMS.debug("Authenticating: closing bad connection"); + try { + conn.disconnect(); + } catch (Exception f) { + CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString()); + } switch (e.getLDAPResultCode()) { case LDAPException.NO_SUCH_OBJECT: case LDAPException.LDAP_PARTIAL_RESULTS: diff --git a/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java index ed2074053..82331dade 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java +++ b/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java @@ -247,9 +247,21 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication return userdn; } catch (ELdapException e) { + CMS.debug("Authenticating: closing bad connection"); + try { + conn.disconnect(); + } catch (Exception f) { + CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString()); + } log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString())); throw e; } catch (LDAPException e) { + CMS.debug("Authenticating: closing bad connection"); + try { + conn.disconnect(); + } catch (Exception f) { + CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString()); + } switch (e.getLDAPResultCode()) { case LDAPException.NO_SUCH_OBJECT: case LDAPException.LDAP_PARTIAL_RESULTS: diff --git a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java index 7bcab25d3..a95dd8665 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java +++ b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java @@ -187,9 +187,21 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication return userdn; } catch (ELdapException e) { + CMS.debug("Authenticating: closing bad connection"); + try { + conn.disconnect(); + } catch (Exception f) { + CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString()); + } log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString())); throw e; } catch (LDAPException e) { + CMS.debug("Authenticating: closing bad connection"); + try { + conn.disconnect(); + } catch (Exception f) { + CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString()); + } switch (e.getLDAPResultCode()) { case LDAPException.NO_SUCH_OBJECT: case LDAPException.LDAP_PARTIAL_RESULTS: diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java index fa2c8147f..467836bfc 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java @@ -331,6 +331,7 @@ public class CMSEngine implements ICMSEngine { } public void initializePasswordStore(IConfigStore config) throws EBaseException, IOException { + System.out.println("CMSEngine.initializePasswordStore() begins"); // create and initialize mPasswordStore getPasswordStore(); @@ -345,6 +346,7 @@ public class CMSEngine implements ICMSEngine { String binddn; String authType; LdapConnInfo connInfo = null; + System.out.println("CMSEngine.initializePasswordStore(): tag=" + tag); if (tag.equals("internaldb")) { authType = config.getString("internaldb.ldapauth.authtype", "BasicAuth"); @@ -382,8 +384,43 @@ public class CMSEngine implements ICMSEngine { binddn = config.getString("ca.publish.ldappublish.ldap.ldapauth.bindDN"); } else { - // ignore any others for now - continue; + /* + * This section assumes a generic format of + * <authPrefix>.ldap.xxx + * where <authPrefix> is specified under the tag substore + * + * e.g. if tag = "externalLDAP" + * cms.passwordlist=...,externalLDAP + * externalLDAP.authPrefix=auths.instance.UserDirEnrollment + * + * auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth + * auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Corporate Directory Manager + * auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP + * auths.instance.UserDirEnrollment.ldap.ldapconn.host=host.example.com + * auths.instance.UserDirEnrollment.ldap.ldapconn.port=389 + * auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false + */ + String authPrefix = config.getString(tag + ".authPrefix", null); + if (authPrefix == null) { + System.out.println("CMSEngine.initializePasswordStore(): authPrefix not found...skipping"); + continue; + } + System.out.println("CMSEngine.initializePasswordStore(): authPrefix=" + authPrefix); + authType = config.getString(authPrefix +".ldap.ldapauth.authtype", "BasicAuth"); + System.out.println("CMSEngine.initializePasswordStore(): authType " + authType); + if (!authType.equals("BasicAuth")) + continue; + + connInfo = new LdapConnInfo( + config.getString(authPrefix + ".ldap.ldapconn.host"), + config.getInteger(authPrefix + ".ldap.ldapconn.port"), + config.getBoolean(authPrefix + ".ldap.ldapconn.secureConn")); + + binddn = config.getString(authPrefix + ".ldap.ldapauth.bindDN", null); + if (binddn == null) { + System.out.println("CMSEngine.initializePasswordStore(): binddn not found...skipping"); + continue; + } } do { |