List of usage examples for javax.naming.directory SearchResult getNameInNamespace
public String getNameInNamespace()
From source file:de.acosix.alfresco.mtsupport.repo.auth.ldap.EnhancedLDAPUserRegistry.java
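/**
 * Resolves the members of one LDAP group entry to Alfresco authority names.
 *
 * Every value of the configured member attribute is first parsed as a DN. When the user and group search
 * bases are disjoint, a member DN below one of them is classified by its leaf RDN alone; otherwise (or when
 * the RDN does not carry the id attribute) the entry is read back from the directory and classified by its
 * object class. Values that do not parse as a DN are taken verbatim as user ids (posixGroup-style
 * membership). Range-restricted member attributes ("member;range=a-b") are followed batch by batch until
 * the end marker (an asterisk in the attribute id) is seen; an attributeBatchSize of 0 disables this.
 *
 * @param searchResult the group entry, whose attributes must contain the (possibly range restricted) member attribute
 * @param gid the group id, used only in diagnostics and error parameters
 * @param disjoint whether the user and group search bases do not overlap, enabling RDN-only classification
 * @param groupDistinguishedNamePrefix the lower-cased group search base
 * @param userDistinguishedNamePrefix the lower-cased user search base
 * @return the resolved child authority names (user ids and GROUP_-prefixed group ids), in no particular order
 * @throws NamingException if reading a member range batch, or mapping an attribute value, fails
 * @throws AlfrescoRuntimeException for unresolvable or id-less members when the matching errorOn* flag is set
 */
protected Collection<String> lookupGroupChildren(final SearchResult searchResult, final String gid,
        final boolean disjoint, final LdapName groupDistinguishedNamePrefix,
        final LdapName userDistinguishedNamePrefix) throws NamingException {
    final InitialDirContext ctx = this.ldapInitialContextFactory.getDefaultIntialDirContext();
    try {
        final String groupDn = searchResult.getNameInNamespace();
        LOGGER.debug("Processing group: {}, from source: {}", gid, groupDn);

        final Collection<String> children = new HashSet<>();
        Attribute memAttribute = this.getRangeRestrictedAttribute(searchResult.getAttributes(), this.memberAttributeName);
        int nextStart = this.attributeBatchSize;

        // Process the current batch of member values, then fetch the next range batch until the end marker is seen
        while (memAttribute != null) {
            for (int i = 0; i < memAttribute.size(); i++) {
                final String memberValue = (String) memAttribute.get(i);
                if (memberValue == null || memberValue.isEmpty()) {
                    continue;
                }
                final String child = this.resolveGroupMember(ctx, gid, memberValue, disjoint,
                        groupDistinguishedNamePrefix, userDistinguishedNamePrefix);
                if (child != null) {
                    children.add(child);
                }
            }

            // nextStart > 0 means range retrieval is enabled; PATTERN_RANGE_END recognises the last batch's attribute id
            if (nextStart > 0 && !PATTERN_RANGE_END.matcher(memAttribute.getID().toLowerCase(Locale.ENGLISH)).find()) {
                final String rangeAttributeId = this.memberAttributeName + ";range=" + nextStart + '-'
                        + (nextStart + this.attributeBatchSize - 1);
                final Attributes nextBatch = ctx.getAttributes(jndiName(groupDn), new String[] { rangeAttributeId });
                memAttribute = this.getRangeRestrictedAttribute(nextBatch, this.memberAttributeName);
                nextStart += this.attributeBatchSize;
            } else {
                memAttribute = null;
            }
        }
        return children;
    } finally {
        this.commonAfterQueryCleanup(null, null, ctx);
    }
}

/**
 * Resolves a single member attribute value to an authority name.
 *
 * @param ctx the directory context used for the fallback entry lookup
 * @param gid the group id, for diagnostics
 * @param memberValue the raw member attribute value (a DN, or a bare user id for posixGroup-style groups)
 * @param disjoint whether RDN-only classification is permitted
 * @param groupDistinguishedNamePrefix the lower-cased group search base
 * @param userDistinguishedNamePrefix the lower-cased user search base
 * @return the user id or GROUP_-prefixed group id, or {@code null} when the member is skipped (already logged)
 * @throws NamingException from attribute mapping; failures of the directory lookup itself are handled
 *             according to errorOnMissingMembers
 * @throws AlfrescoRuntimeException when an errorOn* flag turns a skip into a hard failure
 */
private String resolveGroupMember(final InitialDirContext ctx, final String gid, final String memberValue,
        final boolean disjoint, final LdapName groupDistinguishedNamePrefix,
        final LdapName userDistinguishedNamePrefix) throws NamingException {
    final String groupPrefix = AuthorityType.GROUP.getPrefixString();
    try {
        // Prefix comparison is done on a lower-cased copy because the search base prefixes are lower-cased
        final LdapName comparableDn = fixedLdapName(memberValue.toLowerCase(Locale.ENGLISH));
        final boolean belowUserBase = comparableDn.startsWith(userDistinguishedNamePrefix);
        final boolean belowGroupBase = comparableDn.startsWith(groupDistinguishedNamePrefix);
        Attribute nameAttribute;

        if (disjoint) {
            // Fast path: classify by the leaf RDN without a directory round trip.
            // NOTE(security): this takes the member value at face value. A DN below the user base whose leaf
            // RDN is the user id attribute yields that user id even if no such entry exists, so write access
            // to the group's member attribute amounts to asserting membership for an arbitrary id. Only safe
            // when the directory protects member attribute integrity (referential integrity / write ACLs).
            final LdapName memberDn = fixedLdapName(memberValue);
            final Attributes rdnAttributes = memberDn.getRdn(memberDn.size() - 1).toAttributes();
            if (belowUserBase && (nameAttribute = rdnAttributes.get(this.userIdAttributeName)) != null) {
                // mapAttribute is assumed to yield at least one value for a present attribute
                final String personName = this.mapAttribute(nameAttribute, String.class).iterator().next();
                LOGGER.debug("User DN recognized: {}", personName);
                return personName;
            }
            if (belowGroupBase && (nameAttribute = rdnAttributes.get(this.groupIdAttributeName)) != null) {
                final String groupName = this.mapAttribute(nameAttribute, String.class).iterator().next();
                LOGGER.debug("Group DN recognized: {}{}", groupPrefix, groupName);
                return groupPrefix + groupName;
            }
        }

        if (belowUserBase || belowGroupBase) {
            // Slow path: read the entry and classify by object class.
            // jndiName() is relied on to convert the DN into a JNDI name (escaping composite-name separators).
            try {
                final Attributes childAttributes = ctx.getAttributes(jndiName(memberValue),
                        new String[] { "objectclass", this.groupIdAttributeName, this.userIdAttributeName });
                final Attribute objectClass = childAttributes.get("objectclass");
                if (this.hasAttributeValue(objectClass, this.personType)) {
                    nameAttribute = childAttributes.get(this.userIdAttributeName);
                    if (nameAttribute == null) {
                        if (this.errorOnMissingUID) {
                            throw new AlfrescoRuntimeException("User missing user id attribute DN =" + memberValue
                                    + " att = " + this.userIdAttributeName);
                        }
                        LOGGER.warn("User missing user id attribute DN =" + memberValue + " att = " + this.userIdAttributeName);
                        return null;
                    }
                    final String personName = this.mapAttribute(nameAttribute, String.class).iterator().next();
                    LOGGER.debug("User DN recognized by directory lookup: {}", personName);
                    return personName;
                } else if (this.hasAttributeValue(objectClass, this.groupType)) {
                    nameAttribute = childAttributes.get(this.groupIdAttributeName);
                    if (nameAttribute == null) {
                        if (this.errorOnMissingGID) {
                            // Report the DN of the id-less child entry (not the parent group), as the UID branch does
                            final Object[] params = { memberValue, this.groupIdAttributeName };
                            throw new AlfrescoRuntimeException("synchronization.err.ldap.get.group.id.missing", params);
                        }
                        LOGGER.warn("Missing GID on {}", childAttributes);
                        return null;
                    }
                    final String groupName = this.mapAttribute(nameAttribute, String.class).iterator().next();
                    LOGGER.debug("Group DN recognized by directory lookup: {}{}", groupPrefix, groupName);
                    return groupPrefix + groupName;
                }
                // Neither a person nor a group object class: fall through to the unresolvable-member handling below
            } catch (final NamingException e) {
                if (this.errorOnMissingMembers) {
                    final Object[] params = { gid, memberValue, e.getLocalizedMessage() };
                    throw new AlfrescoRuntimeException("synchronization.err.ldap.group.member.missing.exception", params, e);
                }
                LOGGER.warn("Failed to resolve member of group '{}' with distinguished name: {}", gid, memberValue, e);
                return null;
            }
        }

        if (this.errorOnMissingMembers) {
            final Object[] params = { gid, memberValue };
            throw new AlfrescoRuntimeException("synchronization.err.ldap.group.member.missing", params);
        }
        LOGGER.warn("Failed to resolve member of group '{}' with distinguished name: {}", gid, memberValue);
        return null;
    } catch (final InvalidNameException e) {
        // Not a DN at all: assume a posixGroup-style group that lists user ids directly
        LOGGER.debug("Member DN recognized as posixGroup: {}", memberValue);
        return memberValue;
    }
}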
From source file:dk.magenta.ldap.LDAPMultiBaseUserRegistry.java
/**
 * Lists the user ids of all person entries found below the configured user search bases.
 *
 * An entry without the user id attribute either aborts the run with an AlfrescoRuntimeException
 * (when errorOnMissingUID is set) or is logged at warn level and skipped.
 *
 * @return the user ids in directory result order
 */
public Collection<String> getPersonNames() {
    final List<String> collected = new LinkedList<String>();
    final SearchCallback collector = new SearchCallback() {
        public void process(SearchResult result) throws NamingException, ParseException {
            final String idAttributeName = LDAPMultiBaseUserRegistry.this.userIdAttributeName;
            final Attribute idAttribute = result.getAttributes().get(idAttributeName);
            if (idAttribute != null) {
                final Object idValue = idAttribute.get();
                if (LDAPMultiBaseUserRegistry.logger.isDebugEnabled()) {
                    LDAPMultiBaseUserRegistry.logger.debug("Person DN recognized: " + idValue);
                }
                collected.add((String) idValue);
                return;
            }
            final String dn = result.getNameInNamespace();
            if (LDAPMultiBaseUserRegistry.this.errorOnMissingUID) {
                throw new AlfrescoRuntimeException("synchronization.err.ldap.get.user.id.missing",
                        new Object[] { dn, idAttributeName });
            }
            LDAPMultiBaseUserRegistry.logger.warn("User missing user id attribute DN =" + dn + " att = " + idAttributeName);
        }

        public void close() throws NamingException {
            // nothing to release
        }
    };
    processQuery(collector, this.userSearchBases, this.personQuery, new String[] { this.userIdAttributeName });
    return collected;
}
From source file:dk.magenta.ldap.LDAPMultiBaseUserRegistry.java
/**
 * Lists the authority names ("GROUP_" + group id) of all group entries found below the configured
 * group search bases.
 *
 * An entry without the group id attribute either aborts the run with an AlfrescoRuntimeException
 * (when errorOnMissingGID is set) or is logged at warn level and skipped.
 *
 * @return the group authority names in directory result order
 */
public Collection<String> getGroupNames() {
    final List<String> collected = new LinkedList<String>();
    final SearchCallback collector = new SearchCallback() {
        public void process(SearchResult result) throws NamingException, ParseException {
            final String idAttributeName = LDAPMultiBaseUserRegistry.this.groupIdAttributeName;
            final Attribute idAttribute = result.getAttributes().get(idAttributeName);
            if (idAttribute != null) {
                final String shortName = (String) idAttribute.get();
                final String authority = "GROUP_" + shortName;
                if (LDAPMultiBaseUserRegistry.logger.isDebugEnabled()) {
                    LDAPMultiBaseUserRegistry.logger.debug("Group DN recognized: " + authority);
                }
                collected.add(authority);
                return;
            }
            final String dn = result.getNameInNamespace();
            if (LDAPMultiBaseUserRegistry.this.errorOnMissingGID) {
                throw new AlfrescoRuntimeException("synchronization.err.ldap.get.group.id.missing",
                        new Object[] { dn, idAttributeName });
            }
            LDAPMultiBaseUserRegistry.logger.warn("Missing GID on " + dn);
        }

        public void close() throws NamingException {
            // nothing to release
        }
    };
    processQuery(collector, this.groupSearchBases, this.groupQuery, new String[] { this.groupIdAttributeName });
    return collected;
}
From source file:org.cggh.repo.security.sync.ldap.LDAPUserRegistry.java
/**
 * Lists the authority names ("GROUP_" + group id) of all group entries found below the group search base.
 *
 * An entry without the group id attribute either aborts the run with an AlfrescoRuntimeException
 * (when errorOnMissingGID is set) or is logged at warn level and skipped. The "GID1" wording of that
 * warning is kept verbatim; it looks like a debugging leftover distinguishing it from the sibling
 * warnings in this class.
 *
 * @return the group authority names in directory result order
 */
public Collection<String> getGroupNames() {
    final List<String> collected = new LinkedList<String>();
    final AbstractSearchCallback collector = new AbstractSearchCallback() {
        protected void doProcess(SearchResult result) throws NamingException, ParseException {
            final String idAttributeName = LDAPUserRegistry.this.groupIdAttributeName;
            final Attribute idAttribute = result.getAttributes().get(idAttributeName);
            if (idAttribute != null) {
                final String shortName = (String) idAttribute.get();
                final String authority = "GROUP_" + shortName;
                if (LDAPUserRegistry.logger.isDebugEnabled()) {
                    LDAPUserRegistry.logger.debug("Group DN recognized: " + authority);
                }
                collected.add(authority);
                return;
            }
            final String dn = result.getNameInNamespace();
            if (LDAPUserRegistry.this.errorOnMissingGID) {
                throw new AlfrescoRuntimeException("synchronization.err.ldap.get.group.id.missing",
                        new Object[] { dn, idAttributeName });
            }
            LDAPUserRegistry.logger.warn("Missing GID1 on " + dn);
        }

        public void close() throws NamingException {
            // nothing to release
        }
    };
    processQuery(collector, this.groupSearchBase, this.groupQuery, new String[] { this.groupIdAttributeName });
    return collected;
}
From source file:de.acosix.alfresco.mtsupport.repo.auth.ldap.EnhancedLDAPUserRegistry.java
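/**
 * Builds a node description from an LDAP entry: its id, its last-modified timestamp and the mapped properties.
 *
 * For every entry of {@code attributeMapping} (property key -> LDAP attribute name) the property is set to the
 * single mapped value, to a list of values when multi-valued, to the default from {@code attributeDefaults},
 * or explicitly to {@code null} so that a later sync clears attributes deleted in LDAP (MNT-14026). Keys
 * mapped to {@code null} get only their default, if one exists.
 *
 * @param searchResult the entry; its attributes must contain {@code idAttributeName} (callers are expected to
 *            have checked this - an absent or empty id yields a NoSuchElementException here)
 * @param idAttributeName the attribute whose first value becomes the node id
 * @param attributeMapping property key -> LDAP attribute name (value may be {@code null})
 * @param attributeDefaults property key -> default value, consulted when the attribute is absent or empty
 * @return the populated node description
 * @throws NamingException if an attribute value cannot be read
 * @throws AlfrescoRuntimeException if the modify timestamp does not match {@code timestampFormat}
 */
protected UidNodeDescription mapToNode(final SearchResult searchResult, final String idAttributeName,
        final Map<String, String> attributeMapping, final Map<String, String> attributeDefaults) throws NamingException {
    final Attributes attributes = searchResult.getAttributes();
    final Collection<String> uidValues = this.mapAttribute(attributes.get(idAttributeName), String.class);
    final String uid = uidValues.iterator().next();
    final UidNodeDescription nodeDescription = new UidNodeDescription(searchResult.getNameInNamespace(), uid);

    final Attribute modifyTimestamp = attributes.get(this.modifyTimestampAttributeName);
    if (modifyTimestamp != null) {
        // NOTE(review): timestampFormat is shared instance state; if it is a SimpleDateFormat it is not
        // thread-safe and concurrent syncs could corrupt each other's parse - confirm
        try {
            nodeDescription.setLastModified(this.timestampFormat.parse(modifyTimestamp.get().toString()));
            LOGGER.debug("Setting last modified of node {} to {}", uid, nodeDescription.getLastModified());
        } catch (final ParseException e) {
            throw new AlfrescoRuntimeException("Failed to parse timestamp.", e);
        }
    }

    final PropertyMap properties = nodeDescription.getProperties();
    for (final Map.Entry<String, String> mapping : attributeMapping.entrySet()) {
        final String key = mapping.getKey();
        final String attributeName = mapping.getValue();
        final QName keyQName = QName.createQName(key, this.namespaceService);
        final String defaultValue = attributeDefaults.get(key);

        if (attributeName == null) {
            LOGGER.debug("No attribute name has been configured for property {}", keyQName);
            if (defaultValue != null) {
                LOGGER.debug("Using default value for {} on node {}", keyQName, uid);
                properties.put(keyQName, defaultValue);
            }
            continue;
        }

        final Attribute attribute = attributes.get(attributeName);
        if (attribute == null) {
            if (defaultValue != null) {
                LOGGER.debug("Node {} does not provide attribute {} - using default value", uid, attributeName);
                properties.put(keyQName, defaultValue);
            } else {
                LOGGER.debug("Node {} does not provide attribute {} - setting to null", uid, attributeName);
                // Explicit null so that a 2nd sync clears attributes deleted in LDAP (MNT-14026)
                properties.put(keyQName, null);
            }
            continue;
        }

        final Collection<Object> mappedValues = this.mapAttribute(attribute);
        if (mappedValues.size() == 1) {
            properties.put(keyQName, toSerializable(mappedValues.iterator().next()));
        } else if (!mappedValues.isEmpty()) {
            final ArrayList<Serializable> values = new ArrayList<>(mappedValues.size());
            for (final Object value : mappedValues) {
                values.add(toSerializable(value));
            }
            properties.put(keyQName, values);
        } else if (defaultValue != null) {
            properties.put(keyQName, defaultValue);
        } else {
            // Explicit null so that a 2nd sync clears attributes deleted in LDAP (MNT-14026)
            properties.put(keyQName, null);
        }
    }
    return nodeDescription;
}

/**
 * Returns the value itself when it is Serializable, otherwise its String conversion, so it can be stored
 * as a node property.
 *
 * @param value a mapped attribute value
 * @return a Serializable form of the value
 */
private static Serializable toSerializable(final Object value) {
    if (value instanceof Serializable) {
        return (Serializable) value;
    }
    return DefaultTypeConverter.INSTANCE.convert(String.class, value);
}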
From source file:org.lsc.jndi.JndiServices.java
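/**
 * Reads the requested attributes of every entry matching {@code filter} below {@code base}.
 *
 * The search is paged when {@code pageSize > 0} and sorted when {@code sortedBy} is set (both as critical
 * controls). Request controls are cleared from the shared context on every exit path, so a sort control is
 * not left behind for later callers when paging is off.
 *
 * Security notes: {@code filter} reaches the directory unmodified, so callers must escape user-supplied
 * values (RFC 4515) before calling. Results are requested without the "returning object" flag: the result
 * objects are never read here, and asking the LDAP provider to reconstruct them would let directory content
 * (e.g. javaSerializedData / javaClassName attributes) drive Java object reconstruction, to a degree that
 * depends on the JDK version and its com.sun.jndi.ldap.object.trustSerialData setting.
 *
 * @param base search base, or {@code null} for the empty name; otherwise rewritten via {@code rewriteBase}
 * @param filter LDAP filter, or {@code null} for {@code DEFAULT_FILTER}
 * @param scope one of the {@link SearchControls} scope constants
 * @param attrsNames attributes to read; {@code null} or empty yields an empty map and an error log line
 * @return entries keyed by full DN in result order. On a directory or I/O error other than the two
 *         propagated below, the error is logged and the (possibly partial) map collected so far is returned;
 *         callers cannot distinguish that from an empty or complete result.
 * @throws NamingException only as {@link CommunicationException} or {@link ServiceUnavailableException},
 *         which are propagated unchanged
 */
public Map<String, LscDatasets> doGetAttrsList(final String base, final String filter, final int scope,
        final List<String> attrsNames) throws NamingException {
    // sanity checks
    String searchBase = base == null ? "" : rewriteBase(base);
    String searchFilter = filter == null ? DEFAULT_FILTER : filter;
    Map<String, LscDatasets> res = new LinkedHashMap<String, LscDatasets>();
    if (attrsNames == null || attrsNames.isEmpty()) {
        LOGGER.error("No attribute names to read! Check configuration.");
        return res;
    }
    String[] attributes = attrsNames.toArray(new String[attrsNames.size()]);

    SearchControls constraints = new SearchControls();
    constraints.setDerefLinkFlag(false);
    constraints.setReturningAttributes(attributes);
    constraints.setSearchScope(scope);
    // Attributes only: SearchResult.getObject() is never consulted, so do not ask the provider to build objects
    constraints.setReturningObjFlag(false);

    boolean requestPagedResults = pageSize > 0;
    boolean controlsSet = false;
    try {
        List<Control> extControls = new ArrayList<Control>();
        if (requestPagedResults) {
            LOGGER.debug("Using pagedResults control for {} entries at a time", pageSize);
            extControls.add(new PagedResultsControl(pageSize, Control.CRITICAL));
        }
        if (sortedBy != null) {
            extControls.add(new SortControl(sortedBy, Control.CRITICAL));
        }
        if (!extControls.isEmpty()) {
            ctx.setRequestControls(extControls.toArray(new Control[extControls.size()]));
            controlsSet = true;
        }

        byte[] pagedResultsResponse;
        do {
            NamingEnumeration<SearchResult> results = ctx.search(searchBase, searchFilter, constraints);
            if (results != null) {
                // NOTE(review): hasMoreElements() swallows errors raised while iterating (e.g. size limit
                // exceeded) and silently ends the loop; hasMore() would surface them as a NamingException
                while (results.hasMoreElements()) {
                    SearchResult ldapResult = results.next();
                    Map<String, Object> attrsValues = new HashMap<String, Object>();
                    for (String attributeName : attrsNames) {
                        Attribute attr = ldapResult.getAttributes().get(attributeName);
                        if (attr != null) {
                            Object value = attr.get();
                            if (value != null) {
                                attrsValues.put(attributeName, value);
                            }
                        }
                    }
                    res.put(ldapResult.getNameInNamespace(), new LscDatasets(attrsValues));
                }
            }

            // Reset per page: a response without a paged-results control ends the loop instead of
            // re-sending the previous cookie indefinitely
            pagedResultsResponse = null;
            Control[] respCtls = ctx.getResponseControls();
            if (requestPagedResults && respCtls != null) {
                for (Control respCtl : respCtls) {
                    if (respCtl instanceof PagedResultsResponseControl) {
                        pagedResultsResponse = ((PagedResultsResponseControl) respCtl).getCookie();
                    }
                }
            }
            if (pagedResultsResponse != null) {
                // NOTE(review): RFC 2696 expects the follow-up request to carry the same controls as the first
                // one; the sort control (if any) is not re-sent here - confirm against the target server
                // before relying on sorted paging
                ctx.setRequestControls(new Control[] {
                        new PagedResultsControl(pageSize, pagedResultsResponse, Control.CRITICAL) });
                controlsSet = true;
            }
        } while (pagedResultsResponse != null);
    } catch (CommunicationException e) {
        // Avoid handling the communication exception as a generic one
        throw e;
    } catch (ServiceUnavailableException e) {
        // Avoid handling the service unavailable exception as a generic one
        throw e;
    } catch (NamingException e) {
        LOGGER.error(e.toString());
        LOGGER.debug(e.toString(), e);
    } catch (IOException e) {
        LOGGER.error(e.toString());
        LOGGER.debug(e.toString(), e);
    } finally {
        // clear requestControls for future use of the JNDI context, on every exit path
        if (controlsSet) {
            try {
                ctx.setRequestControls(null);
            } catch (NamingException e) {
                // do not mask the primary outcome
                LOGGER.debug("Failed to clear request controls", e);
            }
        }
    }
    return res;
}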
From source file:org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.java
/**
 * Lists the user ids of all person entries found below the user search base.
 *
 * An entry without the user id attribute either aborts the run with an AlfrescoRuntimeException
 * (when errorOnMissingUID is set) or is logged at warn level and skipped.
 *
 * @return the user ids in directory result order
 */
public Collection<String> getPersonNames() {
    final List<String> collected = new LinkedList<String>();
    final AbstractSearchCallback collector = new AbstractSearchCallback() {
        protected void doProcess(SearchResult result) throws NamingException, ParseException {
            final String idAttributeName = LDAPUserRegistry.this.userIdAttributeName;
            final Attribute idAttribute = result.getAttributes().get(idAttributeName);
            if (idAttribute != null) {
                final Object idValue = idAttribute.get();
                if (LDAPUserRegistry.logger.isDebugEnabled()) {
                    LDAPUserRegistry.logger.debug("Person DN recognized: " + idValue);
                }
                collected.add((String) idValue);
                return;
            }
            final String dn = result.getNameInNamespace();
            if (LDAPUserRegistry.this.errorOnMissingUID) {
                throw new AlfrescoRuntimeException("synchronization.err.ldap.get.user.id.missing",
                        new Object[] { dn, idAttributeName });
            }
            LDAPUserRegistry.logger.warn("User missing user id attribute DN =" + dn + " att = " + idAttributeName);
        }

        public void close() throws NamingException {
            // nothing to release
        }
    };
    processQuery(collector, this.userSearchBase, this.personQuery, new String[] { this.userIdAttributeName });
    return collected;
}
From source file:org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.java
/**
 * Lists the authority names ("GROUP_" + group id) of all group entries found below the group search base.
 *
 * An entry without the group id attribute either aborts the run with an AlfrescoRuntimeException
 * (when errorOnMissingGID is set) or is logged at warn level and skipped.
 *
 * @return the group authority names in directory result order
 */
public Collection<String> getGroupNames() {
    final List<String> collected = new LinkedList<String>();
    final AbstractSearchCallback collector = new AbstractSearchCallback() {
        protected void doProcess(SearchResult result) throws NamingException, ParseException {
            final String idAttributeName = LDAPUserRegistry.this.groupIdAttributeName;
            final Attribute idAttribute = result.getAttributes().get(idAttributeName);
            if (idAttribute != null) {
                final String shortName = (String) idAttribute.get();
                final String authority = "GROUP_" + shortName;
                if (LDAPUserRegistry.logger.isDebugEnabled()) {
                    LDAPUserRegistry.logger.debug("Group DN recognized: " + authority);
                }
                collected.add(authority);
                return;
            }
            final String dn = result.getNameInNamespace();
            if (LDAPUserRegistry.this.errorOnMissingGID) {
                throw new AlfrescoRuntimeException("synchronization.err.ldap.get.group.id.missing",
                        new Object[] { dn, idAttributeName });
            }
            LDAPUserRegistry.logger.warn("Missing GID on " + dn);
        }

        public void close() throws NamingException {
            // nothing to release
        }
    };
    processQuery(collector, this.groupSearchBase, this.groupQuery, new String[] { this.groupIdAttributeName });
    return collected;
}
From source file:dk.magenta.ldap.LDAPMultiBaseUserRegistry.java
/**
 * Reads all groups (or only those modified since {@code modifiedSince}) from every configured group search
 * base and resolves their members to user ids and "GROUP_"-prefixed group ids.
 *
 * Member DNs are classified by their leaf RDN alone when the user and group search bases are disjoint;
 * otherwise the member entry is read back from the directory and classified by object class. Values that do
 * not parse as a DN are taken verbatim as user ids (posixGroup-style groups). Range-restricted member
 * attributes ("member;range=a-b") are followed until the end marker is seen; an attributeBatchSize of 0
 * disables this.
 *
 * Security note: the RDN-only fast path takes the member value at face value - a DN below the user base whose
 * leaf RDN is the user id attribute yields that user id even if no such entry exists, so write access to a
 * group's member attribute amounts to asserting membership for an arbitrary id. This is only safe where the
 * directory protects the integrity of member attributes.
 *
 * @param modifiedSince lower bound for the differential query, or {@code null} for a full read
 * @return the group node descriptions, keyed internally by authority name and merged on duplicate ids unless
 *         errorOnDuplicateGID is set
 * @throws AlfrescoRuntimeException for an invalid search base, a duplicate group id (when errorOnDuplicateGID
 *         is set), or id-less / unresolvable members when the matching errorOn* flag is set
 */
public Collection<NodeDescription> getGroups(Date modifiedSince) {
    // Work out whether the user and group trees are disjoint. This may allow us to optimize reverse DN
    // resolution.
    // NOTE(review): toLowerCase() uses the default locale here and below; the prefix comparison could
    // differ under locales with special casing rules (e.g. Turkish dotless i) - confirm whether
    // Locale.ENGLISH is intended
    final Set<LdapName> groupDistinguishedNamePrefixes = new LinkedHashSet<>();
    for (String groupSearchBase : this.groupSearchBases) {
        try {
            final LdapName groupDistinguishedNamePrefix = fixedLdapName(groupSearchBase.toLowerCase());
            groupDistinguishedNamePrefixes.add(groupDistinguishedNamePrefix);
        } catch (InvalidNameException e) {
            Object[] params = { groupSearchBase.toLowerCase(), e.getLocalizedMessage() };
            throw new AlfrescoRuntimeException("synchronization.err.ldap.search.base.invalid", params, e);
        }
    }
    final Set<LdapName> userDistinguishedNamePrefixes = new LinkedHashSet<>();
    for (String userSearchBase : this.userSearchBases) {
        try {
            final LdapName userDistinguishedNamePrefix = fixedLdapName(userSearchBase.toLowerCase());
            userDistinguishedNamePrefixes.add(userDistinguishedNamePrefix);
        } catch (InvalidNameException e) {
            Object[] params = { userSearchBase.toLowerCase(), e.getLocalizedMessage() };
            throw new AlfrescoRuntimeException("synchronization.err.ldap.search.base.invalid", params, e);
        }
    }
    // Prefixes that are shared (one nested in the other) are removed from both copies, leaving only the
    // bases that unambiguously identify a user or a group tree
    final Set<LdapName> distinctGroupDNPrefixes = new LinkedHashSet<>(groupDistinguishedNamePrefixes);
    final Set<LdapName> distinctUserDNPrefixes = new LinkedHashSet<>(userDistinguishedNamePrefixes);
    removeCommonPrefixedNamesFromSets(distinctGroupDNPrefixes, distinctUserDNPrefixes);
    // If there exist either distinct user DNs or group DNs, then the
    // sets are disjoint, and we may be able to recognize user or group
    // DNs without secondary lookup
    final boolean disjoint = !distinctUserDNPrefixes.isEmpty() || !distinctGroupDNPrefixes.isEmpty();
    if (LDAPMultiBaseUserRegistry.logger.isDebugEnabled()) {
        if (disjoint) {
            LDAPMultiBaseUserRegistry.logger.debug("Distinct user " + "DN prefixes: " + distinctUserDNPrefixes);
            LDAPMultiBaseUserRegistry.logger.debug("Distinct group " + "DN prefixes: " + distinctGroupDNPrefixes);
        }
    }
    // Choose / generate the query: the differential query is a MessageFormat pattern taking the
    // formatted timestamp as {0}
    String query;
    if (modifiedSince == null) {
        query = this.groupQuery;
    } else {
        query = MessageFormat.format(this.groupDifferentialQuery, this.timestampFormat.format(modifiedSince));
    }
    // Run the query and process the results
    final Map<String, NodeDescription> lookup = new TreeMap<String, NodeDescription>();
    processQuery(new SearchCallback() {
        // We get a whole new context to avoid interference with cookies from paged results
        private DirContext ctx = LDAPMultiBaseUserRegistry.this.ldapInitialContextFactory.getDefaultIntialDirContext();

        public void process(SearchResult result) throws NamingException, ParseException {
            Attributes attributes = result.getAttributes();
            Attribute gidAttribute = attributes.get(LDAPMultiBaseUserRegistry.this.groupIdAttributeName);
            if (gidAttribute == null) {
                if (LDAPMultiBaseUserRegistry.this.errorOnMissingGID) {
                    Object[] params = { result.getNameInNamespace(), LDAPMultiBaseUserRegistry.this.groupIdAttributeName };
                    throw new AlfrescoRuntimeException("synchronization.err.ldap.get.group.id.missing", params);
                } else {
                    // Logs every returned attribute of the entry, not just its DN
                    LDAPMultiBaseUserRegistry.logger.warn("Missing GID on " + attributes);
                    return;
                }
            }
            String groupShortName = gidAttribute.get(0).toString();
            String gid = "GROUP_" + groupShortName;
            NodeDescription group = lookup.get(gid);
            if (group == null) {
                // Apply the mapped properties to the node description
                group = mapToNode(LDAPMultiBaseUserRegistry.this.groupAttributeMapping, LDAPMultiBaseUserRegistry.this.groupAttributeDefaults, result);
                // Make sure the "GROUP_" prefix is applied
                group.getProperties().put(ContentModel.PROP_AUTHORITY_NAME, gid);
                lookup.put(gid, group);
            } else if (LDAPMultiBaseUserRegistry.this.errorOnDuplicateGID) {
                throw new AlfrescoRuntimeException("Duplicate group id found for " + gid);
            } else {
                // A second entry with the same id contributes its members to the existing description
                LDAPMultiBaseUserRegistry.logger.warn("Duplicate gid found for " + gid + " -> merging definitions");
            }
            Set<String> childAssocs = group.getChildAssociations();
            // Get the repeating (and possibly range restricted) member attribute
            Attribute memAttribute = getRangeRestrictedAttribute(attributes, LDAPMultiBaseUserRegistry.this.memberAttributeName);
            int nextStart = LDAPMultiBaseUserRegistry.this.attributeBatchSize;
            if (LDAPMultiBaseUserRegistry.logger.isDebugEnabled()) {
                LDAPMultiBaseUserRegistry.logger.debug("Processing group: " + gid + ", from source: " + group.getSourceId());
            }
            // Loop until we get to the end of the range
            while (memAttribute != null) {
                for (int i = 0; i < memAttribute.size(); i++) {
                    String attribute = (String) memAttribute.get(i);
                    if (attribute != null && attribute.length() > 0) {
                        try {
                            // Attempt to parse the member attribute as a DN. If this fails we have a fallback
                            // in the catch block
                            LdapName distinguishedNameForComparison = fixedLdapName(attribute.toLowerCase());
                            Attribute nameAttribute;
                            // If the user and group search bases are different we may be able to recognize user
                            // and group DNs without a secondary lookup. See the security note in the method
                            // Javadoc: the leaf RDN is trusted without verifying that the entry exists.
                            if (disjoint) {
                                LdapName distinguishedName = fixedLdapName(attribute);
                                Attributes nameAttributes = distinguishedName.getRdn(distinguishedName.size() - 1).toAttributes();
                                // Recognize user DNs
                                if (nameStartsWithNameInSet(distinguishedNameForComparison, distinctUserDNPrefixes) && (nameAttribute = nameAttributes.get(LDAPMultiBaseUserRegistry.this.userIdAttributeName)) != null) {
                                    if (LDAPMultiBaseUserRegistry.logger.isDebugEnabled()) {
                                        LDAPMultiBaseUserRegistry.logger.debug("User DN recognized: " + nameAttribute.get());
                                    }
                                    childAssocs.add((String) nameAttribute.get());
                                    continue;
                                }
                                // Recognize group DNs
                                if (nameStartsWithNameInSet(distinguishedNameForComparison, distinctGroupDNPrefixes) && (nameAttribute = nameAttributes.get(LDAPMultiBaseUserRegistry.this.groupIdAttributeName)) != null) {
                                    if (LDAPMultiBaseUserRegistry.logger.isDebugEnabled()) {
                                        LDAPMultiBaseUserRegistry.logger.debug("Group DN recognized: " + "GROUP_" + nameAttribute.get());
                                    }
                                    childAssocs.add("GROUP_" + nameAttribute.get());
                                    continue;
                                }
                            }
                            // If we can't determine the name and type from the DN alone, try a directory lookup.
                            // jndiName() is relied on to convert the DN into a JNDI name (escaping composite-name
                            // separators).
                            if (nameStartsWithNameInSet(distinguishedNameForComparison, userDistinguishedNamePrefixes) || nameStartsWithNameInSet(distinguishedNameForComparison, groupDistinguishedNamePrefixes)) {
                                try {
                                    Attributes childAttributes = this.ctx.getAttributes(jndiName(attribute), new String[] { "objectclass", LDAPMultiBaseUserRegistry.this.groupIdAttributeName, LDAPMultiBaseUserRegistry.this.userIdAttributeName });
                                    Attribute objectClass = childAttributes.get("objectclass");
                                    if (hasAttributeValue(objectClass, LDAPMultiBaseUserRegistry.this.personType)) {
                                        nameAttribute = childAttributes.get(LDAPMultiBaseUserRegistry.this.userIdAttributeName);
                                        if (nameAttribute == null) {
                                            if (LDAPMultiBaseUserRegistry.this.errorOnMissingUID) {
                                                throw new AlfrescoRuntimeException("User missing user id attribute DN =" + attribute + " att = " + LDAPMultiBaseUserRegistry.this.userIdAttributeName);
                                            } else {
                                                LDAPMultiBaseUserRegistry.logger.warn("User missing user id attribute DN =" + attribute + " att = " + LDAPMultiBaseUserRegistry.this.userIdAttributeName);
                                                continue;
                                            }
                                        }
                                        if (LDAPMultiBaseUserRegistry.logger.isDebugEnabled()) {
                                            LDAPMultiBaseUserRegistry.logger.debug("User DN recognized by directory lookup: " + nameAttribute.get());
                                        }
                                        childAssocs.add((String) nameAttribute.get());
                                        continue;
                                    } else if (hasAttributeValue(objectClass, LDAPMultiBaseUserRegistry.this.groupType)) {
                                        nameAttribute = childAttributes.get(LDAPMultiBaseUserRegistry.this.groupIdAttributeName);
                                        if (nameAttribute == null) {
                                            if (LDAPMultiBaseUserRegistry.this.errorOnMissingGID) {
                                                // NOTE(review): reports the parent group's DN, not the id-less
                                                // child's ("attribute"), unlike the UID branch above
                                                Object[] params = { result.getNameInNamespace(), LDAPMultiBaseUserRegistry.this.groupIdAttributeName };
                                                throw new AlfrescoRuntimeException("synchronization.err.ldap.get.group.id.missing", params);
                                            } else {
                                                LDAPMultiBaseUserRegistry.logger.warn("Missing GID on " + childAttributes);
                                                continue;
                                            }
                                        }
                                        if (LDAPMultiBaseUserRegistry.logger.isDebugEnabled()) {
                                            LDAPMultiBaseUserRegistry.logger.debug("Group DN recognized by directory lookup: " + "GROUP_" + nameAttribute.get());
                                        }
                                        childAssocs.add("GROUP_" + nameAttribute.get());
                                        continue;
                                    }
                                    // Neither object class matched: falls through to the unresolvable-member handling
                                } catch (NamingException e) {
                                    // Unresolvable name
                                    if (LDAPMultiBaseUserRegistry.this.errorOnMissingMembers) {
                                        Object[] params = { groupShortName, attribute, e.getLocalizedMessage() };
                                        throw new AlfrescoRuntimeException("synchronization.err.ldap.group.member.missing.exception", params, e);
                                    }
                                    LDAPMultiBaseUserRegistry.logger.warn("Failed to resolve member of group '" + groupShortName + "' with distinguished name: " + attribute, e);
                                    continue;
                                }
                            }
                            if (LDAPMultiBaseUserRegistry.this.errorOnMissingMembers) {
                                Object[] params = { groupShortName, attribute };
                                throw new AlfrescoRuntimeException("synchronization.err.ldap.group.member.missing", params);
                            }
                            LDAPMultiBaseUserRegistry.logger.warn("Failed to resolve member of group '" + groupShortName + "' with distinguished name: " + attribute);
                        } catch (InvalidNameException e) {
                            // The member attribute didn't parse as a DN. So assume we have a group class like
                            // posixGroup (FDS) that directly lists user names
                            if (LDAPMultiBaseUserRegistry.logger.isDebugEnabled()) {
                                LDAPMultiBaseUserRegistry.logger.debug("Member DN recognized as posixGroup: " + attribute);
                            }
                            childAssocs.add(attribute);
                        }
                    }
                }
                // If we are using attribute matching and we haven't got to the end (indicated by an asterisk),
                // fetch the next batch; nextStart > 0 means range retrieval is enabled
                if (nextStart > 0 && !LDAPMultiBaseUserRegistry.PATTERN_RANGE_END.matcher(memAttribute.getID().toLowerCase()).find()) {
                    Attributes childAttributes = this.ctx.getAttributes(jndiName(result.getNameInNamespace()), new String[] { LDAPMultiBaseUserRegistry.this.memberAttributeName + ";range=" + nextStart + '-' + (nextStart + LDAPMultiBaseUserRegistry.this.attributeBatchSize - 1) });
                    memAttribute = getRangeRestrictedAttribute(childAttributes, LDAPMultiBaseUserRegistry.this.memberAttributeName);
                    nextStart += LDAPMultiBaseUserRegistry.this.attributeBatchSize;
                } else {
                    memAttribute = null;
                }
            }
        }

        public void close() throws NamingException {
            this.ctx.close();
        }
    }, this.groupSearchBases, query, this.groupKeys.getFirst());
    if (LDAPMultiBaseUserRegistry.logger.isDebugEnabled()) {
        LDAPMultiBaseUserRegistry.logger.debug("Found " + lookup.size());
    }
    return lookup.values();
}
From source file:org.cggh.repo.security.sync.ldap.LDAPUserRegistry.java
/**
 * Fetches the group entries of the configured group search base and resolves each group's
 * member values to Alfresco authority names (user ids, or group ids prefixed with
 * {@code "GROUP_"}).
 *
 * <p>Member resolution happens in this order for every value of the member attribute:
 * parse it as a DN; when the user and group search bases are disjoint, recognise users and
 * groups from the DN's last RDN alone; otherwise do a secondary directory lookup of
 * {@code objectclass} and the id attributes; a value that does not parse as a DN is taken
 * verbatim as a user name (posixGroup style). Range-restricted member attributes
 * (e.g. {@code member;range=0-1499}) are fetched batch by batch.
 *
 * @param modifiedSince if {@code null} the full group query is run; otherwise the
 *        differential query is formatted with this timestamp
 * @return the resolved groups, ordered by group id (backed by a {@link TreeMap})
 * @throws AlfrescoRuntimeException if a search base is not a valid DN, if a group lacks its
 *         id attribute and {@code errorOnMissingGID} is set, if a duplicate group id is seen
 *         and {@code errorOnDuplicateGID} is set, or if a member cannot be resolved and
 *         {@code errorOnMissingMembers} is set
 */
public Collection<NodeDescription> getGroups(Date modifiedSince) {
    // Work out whether the user and group trees are disjoint. This may allow us to optimize reverse DN
    // resolution.
    // NOTE(review): toLowerCase() without a Locale is locale-sensitive (e.g. Turkish 'I');
    // the comparison DNs built below use the same call, so they at least agree with each other.
    final LdapName groupDistinguishedNamePrefix;
    try {
        groupDistinguishedNamePrefix = fixedLdapName(this.groupSearchBase.toLowerCase());
    } catch (InvalidNameException e) {
        Object[] params = { this.groupSearchBase.toLowerCase(), e.getLocalizedMessage() };
        throw new AlfrescoRuntimeException("synchronization.err.ldap.search.base.invalid", params, e);
    }
    final LdapName userDistinguishedNamePrefix;
    try {
        userDistinguishedNamePrefix = fixedLdapName(this.userSearchBase.toLowerCase());
    } catch (InvalidNameException e) {
        Object[] params = { this.userSearchBase.toLowerCase(), e.getLocalizedMessage() };
        throw new AlfrescoRuntimeException("synchronization.err.ldap.search.base.invalid", params, e);
    }
    // Disjoint means neither base is nested inside the other, so a member DN under the user base
    // cannot be a group and vice versa.
    final boolean disjoint = !groupDistinguishedNamePrefix.startsWith(userDistinguishedNamePrefix)
            && !userDistinguishedNamePrefix.startsWith(groupDistinguishedNamePrefix);
    // Choose / generate the query
    String query;
    if (modifiedSince == null) {
        query = this.groupQuery;
    } else {
        query = MessageFormat.format(this.groupDifferentialQuery, this.timestampFormat.format(modifiedSince));
    }
    // Run the query and process the results
    // TreeMap: the returned collection is ordered by group id.
    final Map<String, NodeDescription> lookup = new TreeMap<String, NodeDescription>();
    processQuery(new AbstractSearchCallback() {
        // We get a whole new context to avoid interference with cookies from paged results
        // (presumably released by processQuery via close() below — confirm against processQuery)
        private DirContext ctx = LDAPUserRegistry.this.ldapInitialContextFactory.getDefaultIntialDirContext();

        /**
         * Processes one group search result: registers (or merges into) its
         * NodeDescription and adds every resolvable member to its child associations.
         */
        protected void doProcess(SearchResult result) throws NamingException, ParseException {
            Attributes attributes = result.getAttributes();
            Attribute gidAttribute = attributes.get(LDAPUserRegistry.this.groupIdAttributeName);
            if (gidAttribute == null) {
                if (LDAPUserRegistry.this.errorOnMissingGID) {
                    Object[] params = { result.getNameInNamespace(),
                            LDAPUserRegistry.this.groupIdAttributeName };
                    throw new AlfrescoRuntimeException("synchronization.err.ldap.get.group.id.missing", params);
                } else {
                    // NOTE(review): this WARN line dumps every attribute value returned for the entry;
                    // check the log destination is appropriate for directory content.
                    LDAPUserRegistry.logger.warn(
                            "Missing GID2 on " + result.getNameInNamespace() + " attributes:" + attributes);
                    return;
                }
            }
            String groupShortName = gidAttribute.get(0).toString();
            String gid = "GROUP_" + groupShortName;
            NodeDescription group = lookup.get(gid);
            if (group == null) {
                // Apply the mapped properties to the node description
                group = mapToNode(LDAPUserRegistry.this.groupAttributeMapping,
                        LDAPUserRegistry.this.groupAttributeDefaults, result);
                // Make sure the "GROUP_" prefix is applied
                group.getProperties().put(ContentModel.PROP_AUTHORITY_NAME, gid);
                lookup.put(gid, group);
            } else if (LDAPUserRegistry.this.errorOnDuplicateGID) {
                throw new AlfrescoRuntimeException("Duplicate group id found for " + gid);
            } else {
                // Duplicate gid: members of this entry are merged into the existing description
                LDAPUserRegistry.logger.warn("Duplicate gid found for " + gid + " -> merging definitions");
            }
            Set<String> childAssocs = group.getChildAssociations();
            // Get the repeating (and possibly range restricted) member attribute
            Attribute memAttribute = getRangeRestrictedAttribute(attributes,
                    LDAPUserRegistry.this.memberAttributeName);
            int nextStart = LDAPUserRegistry.this.attributeBatchSize;
            if (LDAPUserRegistry.logger.isDebugEnabled()) {
                LDAPUserRegistry.logger
                        .debug("Processing group: " + gid + ", from source: " + group.getSourceId());
            }
            // Loop until we get to the end of the range
            while (memAttribute != null) {
                for (int i = 0; i < memAttribute.size(); i++) {
                    String attribute = (String) memAttribute.get(i);
                    if (attribute != null && attribute.length() > 0) {
                        try {
                            // Attempt to parse the member attribute as a DN. If this fails we have a fallback
                            // in the catch block
                            LdapName distinguishedNameForComparison = fixedLdapName(attribute.toLowerCase());
                            Attribute nameAttribute;
                            // If the user and group search bases are different we may be able to recognize user
                            // and group DNs without a secondary lookup
                            if (disjoint) {
                                LdapName distinguishedName = fixedLdapName(attribute);
                                // Last RDN only, e.g. "uid=jdoe" or "cn=admins"
                                Attributes nameAttributes = distinguishedName
                                        .getRdn(distinguishedName.size() - 1).toAttributes();
                                // Recognize user DNs
                                if (distinguishedNameForComparison.startsWith(userDistinguishedNamePrefix)
                                        && (nameAttribute = nameAttributes
                                                .get(LDAPUserRegistry.this.userIdAttributeName)) != null) {
                                    if (LDAPUserRegistry.logger.isDebugEnabled()) {
                                        LDAPUserRegistry.logger
                                                .debug("User DN recognized: " + nameAttribute.get());
                                    }
                                    childAssocs.add((String) nameAttribute.get());
                                    continue;
                                }
                                // Recognize group DNs
                                if (distinguishedNameForComparison.startsWith(groupDistinguishedNamePrefix)
                                        && (nameAttribute = nameAttributes
                                                .get(LDAPUserRegistry.this.groupIdAttributeName)) != null) {
                                    if (LDAPUserRegistry.logger.isDebugEnabled()) {
                                        LDAPUserRegistry.logger.debug(
                                                "Group DN recognized: " + "GROUP_" + nameAttribute.get());
                                    }
                                    childAssocs.add("GROUP_" + nameAttribute.get());
                                    continue;
                                }
                            }
                            // If we can't determine the name and type from the DN alone, try a directory lookup.
                            // Only DNs under one of the configured bases are looked up; the DN itself comes
                            // from the directory's member attribute, not from the caller.
                            if (distinguishedNameForComparison.startsWith(userDistinguishedNamePrefix)
                                    || distinguishedNameForComparison
                                            .startsWith(groupDistinguishedNamePrefix)) {
                                try {
                                    Attributes childAttributes = this.ctx.getAttributes(jndiName(attribute),
                                            new String[] { "objectclass",
                                                    LDAPUserRegistry.this.groupIdAttributeName,
                                                    LDAPUserRegistry.this.userIdAttributeName });
                                    Attribute objectClass = childAttributes.get("objectclass");
                                    // Person type wins when an entry carries both object classes
                                    if (hasAttributeValue(objectClass, LDAPUserRegistry.this.personType)) {
                                        nameAttribute = childAttributes
                                                .get(LDAPUserRegistry.this.userIdAttributeName);
                                        if (nameAttribute == null) {
                                            if (LDAPUserRegistry.this.errorOnMissingUID) {
                                                throw new AlfrescoRuntimeException(
                                                        "User missing user id attribute DN =" + attribute
                                                                + " att = "
                                                                + LDAPUserRegistry.this.userIdAttributeName);
                                            } else {
                                                LDAPUserRegistry.logger
                                                        .warn("User missing user id attribute DN =" + attribute
                                                                + " att = "
                                                                + LDAPUserRegistry.this.userIdAttributeName);
                                                continue;
                                            }
                                        }
                                        if (LDAPUserRegistry.logger.isDebugEnabled()) {
                                            LDAPUserRegistry.logger
                                                    .debug("User DN recognized by directory lookup: "
                                                            + nameAttribute.get());
                                        }
                                        childAssocs.add((String) nameAttribute.get());
                                        continue;
                                    } else if (hasAttributeValue(objectClass, LDAPUserRegistry.this.groupType)) {
                                        nameAttribute = childAttributes
                                                .get(LDAPUserRegistry.this.groupIdAttributeName);
                                        if (nameAttribute == null) {
                                            if (LDAPUserRegistry.this.errorOnMissingGID) {
                                                // Note: reports the parent group's DN, not the member's
                                                Object[] params = { result.getNameInNamespace(),
                                                        LDAPUserRegistry.this.groupIdAttributeName };
                                                throw new AlfrescoRuntimeException(
                                                        "synchronization.err.ldap.get.group.id.missing", params);
                                            } else {
                                                // NOTE(review): dumps the looked-up entry's attributes at WARN
                                                LDAPUserRegistry.logger.warn(
                                                        "Missing GID3 on " + distinguishedNameForComparison
                                                                + " attributes:" + childAttributes);
                                                continue;
                                            }
                                        }
                                        if (LDAPUserRegistry.logger.isDebugEnabled()) {
                                            LDAPUserRegistry.logger
                                                    .debug("Group DN recognized by directory lookup: "
                                                            + "GROUP_" + nameAttribute.get());
                                        }
                                        childAssocs.add("GROUP_" + nameAttribute.get());
                                        continue;
                                    }
                                    // Neither person nor group type: falls through to the unresolved handling below
                                } catch (NamingException e) {
                                    // Unresolvable name
                                    if (LDAPUserRegistry.this.errorOnMissingMembers) {
                                        Object[] params = { groupShortName, attribute, e.getLocalizedMessage() };
                                        throw new AlfrescoRuntimeException(
                                                "synchronization.err.ldap.group.member.missing.exception",
                                                params, e);
                                    }
                                    LDAPUserRegistry.logger.warn("Failed to resolve member of group '"
                                            + groupShortName + "' with distinguished name: " + attribute, e);
                                    continue;
                                }
                            }
                            // Reached for DNs outside both search bases, or entries of an unknown object class
                            if (LDAPUserRegistry.this.errorOnMissingMembers) {
                                Object[] params = { groupShortName, attribute };
                                throw new AlfrescoRuntimeException(
                                        "synchronization.err.ldap.group.member.missing", params);
                            }
                            LDAPUserRegistry.logger.warn("Failed to resolve member of group '" + groupShortName
                                    + "' with distinguished name: " + attribute);
                        } catch (InvalidNameException e) {
                            // The member attribute didn't parse as a DN. So assume we have a group class like
                            // posixGroup (FDS) that directly lists user names
                            if (LDAPUserRegistry.logger.isDebugEnabled()) {
                                LDAPUserRegistry.logger
                                        .debug("Member DN recognized as posixGroup: " + attribute);
                            }
                            childAssocs.add(attribute);
                        }
                    }
                }
                // If we are using attribute matching and we haven't got to the end (indicated by an asterisk),
                // fetch the next batch. A non-positive attributeBatchSize disables batching after the first pass.
                if (nextStart > 0 && !LDAPUserRegistry.PATTERN_RANGE_END
                        .matcher(memAttribute.getID().toLowerCase()).find()) {
                    Attributes childAttributes = this.ctx.getAttributes(jndiName(result.getNameInNamespace()),
                            new String[] { LDAPUserRegistry.this.memberAttributeName + ";range=" + nextStart + '-'
                                    + (nextStart + LDAPUserRegistry.this.attributeBatchSize - 1) });
                    memAttribute = getRangeRestrictedAttribute(childAttributes,
                            LDAPUserRegistry.this.memberAttributeName);
                    nextStart += LDAPUserRegistry.this.attributeBatchSize;
                } else {
                    memAttribute = null;
                }
            }
        }

        /** Releases the dedicated context opened for member lookups. */
        public void close() throws NamingException {
            this.ctx.close();
        }
    }, this.groupSearchBase, query, this.groupKeys.getFirst());
    if (LDAPUserRegistry.logger.isDebugEnabled()) {
        LDAPUserRegistry.logger.debug("Found " + lookup.size());
    }
    return lookup.values();
}