From e0f16f7f797a3ce1bfae3be2625690ad4b048240 Mon Sep 17 00:00:00 2001 From: Abyss777 Date: Tue, 14 Nov 2017 12:44:59 +0500 Subject: Improve LDAP --- src/org/traccar/Context.java | 2 +- src/org/traccar/database/DataManager.java | 11 ++- src/org/traccar/database/LdapProvider.java | 143 +++++++++++++++++++++++++++-- 3 files changed, 141 insertions(+), 15 deletions(-) (limited to 'src') diff --git a/src/org/traccar/Context.java b/src/org/traccar/Context.java index 9a48b2740..511ec980e 100644 --- a/src/org/traccar/Context.java +++ b/src/org/traccar/Context.java @@ -329,7 +329,7 @@ public final class Context { } if (config.getBoolean("ldap.enable")) { - ldapProvider = new LdapProvider(config.getString("ldap.url"), config.getString("ldap.context")); + ldapProvider = new LdapProvider(config); } if (config.hasKey("media.path")) { diff --git a/src/org/traccar/database/DataManager.java b/src/org/traccar/database/DataManager.java index f71e3e538..abc424ff9 100644 --- a/src/org/traccar/database/DataManager.java +++ b/src/org/traccar/database/DataManager.java @@ -76,9 +76,13 @@ public class DataManager { private boolean generateQueries; + private boolean forceLdap; + public DataManager(Config config) throws Exception { this.config = config; + forceLdap = config.getBoolean("ldap.force"); + initDatabase(); initDatabaseSchema(); } @@ -304,15 +308,12 @@ public class DataManager { LdapProvider ldapProvider = Context.getLdapProvider(); if (user != null) { if (ldapProvider != null && ldapProvider.login(user.getLogin(), password) - || user.isPasswordValid(password)) { + || !forceLdap && user.isPasswordValid(password)) { return user; } } else { if (ldapProvider != null && ldapProvider.login(email, password)) { - user = new User(); - user.setName(email); - user.setEmail(email); - user.setLogin(email); + user = ldapProvider.getUser(email); Context.getUsersManager().addItem(user); return user; } diff --git a/src/org/traccar/database/LdapProvider.java b/src/org/traccar/database/LdapProvider.java index 6a4c244f8..b193b87c1 100644 --- a/src/org/traccar/database/LdapProvider.java +++ b/src/org/traccar/database/LdapProvider.java @@ -16,36 +16,161 @@ package org.traccar.database; import javax.naming.Context; +import javax.naming.NamingEnumeration; import javax.naming.NamingException; +import javax.naming.directory.Attribute; import javax.naming.directory.InitialDirContext; +import javax.naming.directory.SearchControls; +import javax.naming.directory.SearchResult; + +import org.traccar.Config; +import org.traccar.helper.Log; +import org.traccar.model.User; + import java.util.Hashtable; public class LdapProvider { private String url; - private String context; + private String searchBase; + private String idAttribute; + private String nameAttribute; + private String mailAttribute; + private String searchFilter; + private String adminFilter; + private String serviceUser; + private String servicePassword; - public LdapProvider(String url, String context) { - this.url = url; - this.context = context; + public LdapProvider(Config config) { + String url = config.getString("ldap.url"); + if (url != null) { + this.url = url; + } else { + this.url = "ldap://" + config.getString("ldap.server") + ":" + config.getInteger("ldap.port", 389); + } + this.searchBase = config.getString("ldap.base"); + this.idAttribute = config.getString("ldap.idAttribute", "uid"); + this.nameAttribute = config.getString("ldap.nameAttribute", "cn"); + this.mailAttribute = config.getString("ldap.mailAttribute", "mail"); + this.searchFilter = config.getString("ldap.searchFilter", "(" + idAttribute + "=:login)"); + String adminGroup = config.getString("ldap.adminGroup"); + this.adminFilter = config.getString("ldap.adminFilter"); + if (this.adminFilter == null && adminGroup != null) { + this.adminFilter = "(&(" + idAttribute + "=:login)(memberOf=" + adminGroup + "))"; + } + this.serviceUser = config.getString("ldap.user"); + this.servicePassword = config.getString("ldap.password"); } - public boolean login(String username, String password) { - + private InitialDirContext auth(String accountName, String password) throws NamingException { Hashtable env = new Hashtable<>(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, url); env.put(Context.SECURITY_AUTHENTICATION, "simple"); - env.put(Context.SECURITY_PRINCIPAL, "uid=" + username + "," + context); + env.put(Context.SECURITY_PRINCIPAL, accountName); env.put(Context.SECURITY_CREDENTIALS, password); + return new InitialDirContext(env); + } + + private boolean isAdmin(String accountName) { + if (this.adminFilter != null) { + try { + InitialDirContext context = initContext(); + String searchString = new String(adminFilter).replace(":login", accountName); + SearchControls searchControls = new SearchControls(); + searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE); + NamingEnumeration results = context.search(searchBase, searchString, searchControls); + if (results.hasMoreElements()) { + results.nextElement(); + if (results.hasMoreElements()) { + Log.warning("Matched multiple users for the accountName: " + accountName); + return false; + } + return true; + } + } catch (NamingException e) { + return false; + } + } + return false; + } + + public InitialDirContext initContext() throws NamingException { + return auth(serviceUser, servicePassword); + } + + private SearchResult lookupUser(String accountName) throws NamingException { + InitialDirContext context = initContext(); + + String searchString = new String(searchFilter).replace(":login", accountName); + + SearchControls searchControls = new SearchControls(); + String[] attributeFilter = {idAttribute, nameAttribute, mailAttribute}; + searchControls.setReturningAttributes(attributeFilter); + searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE); + + NamingEnumeration results = context.search(searchBase, searchString, searchControls); + + SearchResult searchResult = null; + if (results.hasMoreElements()) { + searchResult = (SearchResult) results.nextElement(); + if (results.hasMoreElements()) { + Log.warning("Matched multiple users for the accountName: " + accountName); + return null; + } + } + + return searchResult; + } + + public User getUser(String accountName) { + SearchResult ldapUser; + User user = new User(); + try { + ldapUser = lookupUser(accountName); + if (ldapUser != null) { + Attribute attribute = ldapUser.getAttributes().get(idAttribute); + if (attribute != null) { + user.setLogin((String) attribute.get()); + } else { + user.setLogin(accountName); + } + attribute = ldapUser.getAttributes().get(nameAttribute); + if (attribute != null) { + user.setName((String) attribute.get()); + } else { + user.setName(accountName); + } + attribute = ldapUser.getAttributes().get(mailAttribute); + if (attribute != null) { + user.setEmail((String) attribute.get()); + } else { + user.setEmail(accountName); + } + } + user.setAdmin(isAdmin(accountName)); + } catch (NamingException e) { + user.setLogin(accountName); + user.setName(accountName); + user.setEmail(accountName); + Log.warning(e); + } + return user; + } + + public boolean login(String username, String password) { try { - new InitialDirContext(env).close(); - return true; + SearchResult ldapUser = lookupUser(username); + if (ldapUser != null) { + auth(ldapUser.getNameInNamespace(), password).close(); + return true; + } } catch (NamingException e) { return false; } + return false; } } -- cgit v1.2.3