1 files changed, 199 insertions, 0 deletions

diff --git a/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java
new file mode 100644
index 000000000..07f072914
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java
@@ -0,0 +1,199 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.authentication;
+
+
+// ldap java sdk
+import netscape.ldap.*;
+
+// cert server imports.
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.certsrv.ldap.LdapResources;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.apps.*;
+
+// cert server x509 imports
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.CertificateSubjectName;
+import java.security.cert.CertificateException;
+
+// java sdk imports.
+import java.util.Hashtable;
+import java.util.Vector;
+import java.io.IOException;
+
+
+/**
+ * udn/pwd directory based authentication manager
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ */
+public class UdnPwdDirAuthentication extends DirBasedAuthentication {
+
+    /* required credentials to authenticate. udn and pwd are strings. */
+    public static final String CRED_UDN = "udn";
+    public static final String CRED_PWD = "pwd";
+    protected static String[] mRequiredCreds = { CRED_UDN, CRED_PWD };
+
+    /* Holds configuration parameters accepted by this implementation.
+     * This list is passed to the configuration console so configuration
+     * for instances of this implementation can be configured through the
+     * console.
+     */
+    protected static String[] mConfigParams = 
+        new String[] {	PROP_DNPATTERN,
+            PROP_LDAPSTRINGATTRS,
+            PROP_LDAPBYTEATTRS,
+            "ldap.ldapconn.host",
+            "ldap.ldapconn.port",
+            "ldap.ldapconn.secureConn",
+            "ldap.ldapconn.version",
+            "ldap.minConns", 
+            "ldap.maxConns",
+        };
+
+    static {
+        mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TEXT +
+            ";Authenticate the user distinguished name and password provided " +
+            "by the user against an LDAP directory. Works with the " +
+            "Dir Based Enrollment HTML form");
+        mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN +
+            ";configuration-authentication");
+    };
+
+    /**
+     * Default constructor, initialization must follow.
+     */
+    public UdnPwdDirAuthentication() {
+        super();
+    }
+
+    /**
+     * Initializes the UdnPwdDirAuthentication auth manager.
+     * <p>
+     * @param name - The name for this authentication manager instance.
+     * @param implName - The name of the authentication manager plugin.
+     * @param config - The configuration store for this instance.
+     * @exception EBaseException If an error occurs during initialization.
+     */
+    public void init(String name, String implName, IConfigStore config)
+        throws EBaseException {
+        super.init(name, implName, config, false);
+    }
+
+    /**
+     * Authenticates a user based on udn, pwd in the directory.
+     * 
+     * @param authCreds The authentication credentials.
+     * @return The user's ldap entry dn.
+     * @exception EInvalidCredentials If the udn and password are not valid
+     * @exception EBaseException If an internal error occurs. 
+     */
+    protected String authenticate(LDAPConnection conn, 
+        IAuthCredentials authCreds,
+        AuthToken token)
+        throws EBaseException {
+        String userdn = null;
+
+        // authenticate by binding to ldap server with password.
+        try {
+            // get the udn.
+            userdn = (String) authCreds.get(CRED_UDN);
+            if (userdn == null) {
+                throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UDN));
+            }
+	
+            // get the password.
+            String pwd = (String) authCreds.get(CRED_PWD);
+
+            if (pwd == null) {
+                throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
+            }
+            if (pwd.equals("")) {
+                // anonymous binding not allowed
+                log(ILogger.LL_FAILURE, 
+                    "user " + userdn + " attempted login with empty password.");
+                throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+            }
+
+            // bind as user dn and pwd - authenticates user with pwd.
+            conn.authenticate(userdn, pwd);
+            // set userdn in the token.
+            token.set(CRED_UDN, userdn);
+
+            return userdn;
+        } catch (ELdapException e) {
+            log(ILogger.LL_FAILURE, 
+                "Couldn't get ldap connection. Error: " + e.toString());
+            throw e;
+        } catch (LDAPException e) {
+            switch (e.getLDAPResultCode()) {
+            case LDAPException.NO_SUCH_OBJECT: 
+            case LDAPException.LDAP_PARTIAL_RESULTS: 
+                log(ILogger.LL_SECURITY, 
+                    "user " + userdn + " does not exist in ldap server host " +
+                    conn.getHost() + ", port " + conn.getPort() + ".");
+                throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+
+            case LDAPException.INVALID_CREDENTIALS:
+                log(ILogger.LL_SECURITY, 
+                    "authenticate user " + userdn + " with bad password.");
+                throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+
+            case LDAPException.SERVER_DOWN:
+                log(ILogger.LL_FAILURE, "Ldap server is down.");
+                throw new ELdapException(
+                        CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
+
+            default: 
+                log(ILogger.LL_FAILURE, 
+                    "Ldap error encountered. " + e.getMessage());
+                throw new ELdapException(
+                        CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION", 
+                            e.errorCodeToString()));
+            }
+        } 
+    }
+
+    /**
+     * Returns a list of configuration parameter names. 
+     * The list is passed to the configuration console so instances of 
+     * this implementation can be configured through the console.
+     *
+     * @return String array of configuration parameter names.
+     */
+    public String[] getConfigParams() {
+        return (mConfigParams);
+    }
+
+    /**
+     * Returns array of required credentials for this authentication manager.
+     * @return Array of required credentials.
+     */
+    public String[] getRequiredCreds() {
+        return mRequiredCreds;
+    }
+
+}
+