aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAbyss777 <abyss@fox5.ru>2017-11-14 12:44:59 +0500
committerAbyss777 <abyss@fox5.ru>2017-11-14 12:44:59 +0500
commite0f16f7f797a3ce1bfae3be2625690ad4b048240 (patch)
tree8f3d464afc02df1a67a28c43cd1b4aaf89e92fb7
parent0a8f30a572b1e64ff3e1d67281bf9fa3f40b9ccb (diff)
downloadtrackermap-server-e0f16f7f797a3ce1bfae3be2625690ad4b048240.tar.gz
trackermap-server-e0f16f7f797a3ce1bfae3be2625690ad4b048240.tar.bz2
trackermap-server-e0f16f7f797a3ce1bfae3be2625690ad4b048240.zip
Improve LDAP
-rw-r--r--setup/default.xml2
-rw-r--r--src/org/traccar/Context.java2
-rw-r--r--src/org/traccar/database/DataManager.java11
-rw-r--r--src/org/traccar/database/LdapProvider.java143
4 files changed, 142 insertions, 16 deletions
diff --git a/setup/default.xml b/setup/default.xml
index 6d8bd278f..bb51472c1 100644
--- a/setup/default.xml
+++ b/setup/default.xml
@@ -35,7 +35,7 @@
<entry key='database.loginUser'>
SELECT * FROM users
- WHERE email = :email
+ WHERE email = :email OR login = :email
</entry>
<entry key='database.selectPositions'>
diff --git a/src/org/traccar/Context.java b/src/org/traccar/Context.java
index 9a48b2740..511ec980e 100644
--- a/src/org/traccar/Context.java
+++ b/src/org/traccar/Context.java
@@ -329,7 +329,7 @@ public final class Context {
}
if (config.getBoolean("ldap.enable")) {
- ldapProvider = new LdapProvider(config.getString("ldap.url"), config.getString("ldap.context"));
+ ldapProvider = new LdapProvider(config);
}
if (config.hasKey("media.path")) {
diff --git a/src/org/traccar/database/DataManager.java b/src/org/traccar/database/DataManager.java
index f71e3e538..abc424ff9 100644
--- a/src/org/traccar/database/DataManager.java
+++ b/src/org/traccar/database/DataManager.java
@@ -76,9 +76,13 @@ public class DataManager {
private boolean generateQueries;
+ private boolean forceLdap;
+
public DataManager(Config config) throws Exception {
this.config = config;
+ forceLdap = config.getBoolean("ldap.force");
+
initDatabase();
initDatabaseSchema();
}
@@ -304,15 +308,12 @@ public class DataManager {
LdapProvider ldapProvider = Context.getLdapProvider();
if (user != null) {
if (ldapProvider != null && ldapProvider.login(user.getLogin(), password)
- || user.isPasswordValid(password)) {
+ || !forceLdap && user.isPasswordValid(password)) {
return user;
}
} else {
if (ldapProvider != null && ldapProvider.login(email, password)) {
- user = new User();
- user.setName(email);
- user.setEmail(email);
- user.setLogin(email);
+ user = ldapProvider.getUser(email);
Context.getUsersManager().addItem(user);
return user;
}
diff --git a/src/org/traccar/database/LdapProvider.java b/src/org/traccar/database/LdapProvider.java
index 6a4c244f8..b193b87c1 100644
--- a/src/org/traccar/database/LdapProvider.java
+++ b/src/org/traccar/database/LdapProvider.java
@@ -16,36 +16,161 @@
package org.traccar.database;
import javax.naming.Context;
+import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
import javax.naming.directory.InitialDirContext;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+
+import org.traccar.Config;
+import org.traccar.helper.Log;
+import org.traccar.model.User;
+
import java.util.Hashtable;
public class LdapProvider {
private String url;
- private String context;
+ private String searchBase;
+ private String idAttribute;
+ private String nameAttribute;
+ private String mailAttribute;
+ private String searchFilter;
+ private String adminFilter;
+ private String serviceUser;
+ private String servicePassword;
- public LdapProvider(String url, String context) {
- this.url = url;
- this.context = context;
+ public LdapProvider(Config config) {
+ String url = config.getString("ldap.url");
+ if (url != null) {
+ this.url = url;
+ } else {
+ this.url = "ldap://" + config.getString("ldap.server") + ":" + config.getInteger("ldap.port", 389);
+ }
+ this.searchBase = config.getString("ldap.base");
+ this.idAttribute = config.getString("ldap.idAttribute", "uid");
+ this.nameAttribute = config.getString("ldap.nameAttribute", "cn");
+ this.mailAttribute = config.getString("ldap.mailAttribute", "mail");
+ this.searchFilter = config.getString("ldap.searchFilter", "(" + idAttribute + "=:login)");
+ String adminGroup = config.getString("ldap.adminGroup");
+ this.adminFilter = config.getString("ldap.adminFilter");
+ if (this.adminFilter == null && adminGroup != null) {
+ this.adminFilter = "(&(" + idAttribute + "=:login)(memberOf=" + adminGroup + "))";
+ }
+ this.serviceUser = config.getString("ldap.user");
+ this.servicePassword = config.getString("ldap.password");
}
- public boolean login(String username, String password) {
-
+ private InitialDirContext auth(String accountName, String password) throws NamingException {
Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, url);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
- env.put(Context.SECURITY_PRINCIPAL, "uid=" + username + "," + context);
+ env.put(Context.SECURITY_PRINCIPAL, accountName);
env.put(Context.SECURITY_CREDENTIALS, password);
+ return new InitialDirContext(env);
+ }
+
+ private boolean isAdmin(String accountName) {
+ if (this.adminFilter != null) {
+ try {
+ InitialDirContext context = initContext();
+ String searchString = new String(adminFilter).replace(":login", accountName);
+ SearchControls searchControls = new SearchControls();
+ searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
+ NamingEnumeration<SearchResult> results = context.search(searchBase, searchString, searchControls);
+ if (results.hasMoreElements()) {
+ results.nextElement();
+ if (results.hasMoreElements()) {
+ Log.warning("Matched multiple users for the accountName: " + accountName);
+ return false;
+ }
+ return true;
+ }
+ } catch (NamingException e) {
+ return false;
+ }
+ }
+ return false;
+ }
+
+ public InitialDirContext initContext() throws NamingException {
+ return auth(serviceUser, servicePassword);
+ }
+
+ private SearchResult lookupUser(String accountName) throws NamingException {
+ InitialDirContext context = initContext();
+
+ String searchString = new String(searchFilter).replace(":login", accountName);
+
+ SearchControls searchControls = new SearchControls();
+ String[] attributeFilter = {idAttribute, nameAttribute, mailAttribute};
+ searchControls.setReturningAttributes(attributeFilter);
+ searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
+
+ NamingEnumeration<SearchResult> results = context.search(searchBase, searchString, searchControls);
+
+ SearchResult searchResult = null;
+ if (results.hasMoreElements()) {
+ searchResult = (SearchResult) results.nextElement();
+ if (results.hasMoreElements()) {
+ Log.warning("Matched multiple users for the accountName: " + accountName);
+ return null;
+ }
+ }
+
+ return searchResult;
+ }
+
+ public User getUser(String accountName) {
+ SearchResult ldapUser;
+ User user = new User();
+ try {
+ ldapUser = lookupUser(accountName);
+ if (ldapUser != null) {
+ Attribute attribute = ldapUser.getAttributes().get(idAttribute);
+ if (attribute != null) {
+ user.setLogin((String) attribute.get());
+ } else {
+ user.setLogin(accountName);
+ }
+ attribute = ldapUser.getAttributes().get(nameAttribute);
+ if (attribute != null) {
+ user.setName((String) attribute.get());
+ } else {
+ user.setName(accountName);
+ }
+ attribute = ldapUser.getAttributes().get(mailAttribute);
+ if (attribute != null) {
+ user.setEmail((String) attribute.get());
+ } else {
+ user.setEmail(accountName);
+ }
+ }
+ user.setAdmin(isAdmin(accountName));
+ } catch (NamingException e) {
+ user.setLogin(accountName);
+ user.setName(accountName);
+ user.setEmail(accountName);
+ Log.warning(e);
+ }
+ return user;
+ }
+
+ public boolean login(String username, String password) {
try {
- new InitialDirContext(env).close();
- return true;
+ SearchResult ldapUser = lookupUser(username);
+ if (ldapUser != null) {
+ auth(ldapUser.getNameInNamespace(), password).close();
+ return true;
+ }
} catch (NamingException e) {
return false;
}
+ return false;
}
}