diff --git a/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java b/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java index 51b2b2c0f4..d248712642 100644 --- a/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java +++ b/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java @@ -46,7 +46,7 @@ public class LDAPAuthentication /** log4j category */ private static Logger log = Logger.getLogger(LDAPAuthentication.class); - /** + /** * Let a real auth method return true if it wants. */ public boolean canSelfRegister(Context context, 
@@ -95,34 +95,34 @@ public class LDAPAuthentication */ public int[] getSpecialGroups(Context context, HttpServletRequest request) { - // Prevents anonymous users from being added to this group, and the second check - // ensures they are LDAP users - try - { - if (!context.getCurrentUser().getNetid().equals("")) - { - String groupName = ConfigurationManager.getProperty("authentication-ldap", "login.specialgroup"); - if ((groupName != null) && (!groupName.trim().equals(""))) - { - Group ldapGroup = Group.findByName(context, groupName); - if (ldapGroup == null) - { - // Oops - the group isn't there. - log.warn(LogManager.getHeader(context, - "ldap_specialgroup", - "Group defined in login.specialgroup does not exist")); - return new int[0]; - } else - { - return new int[] { ldapGroup.getID() }; - } - } - } - } - catch (Exception npe) { - // The user is not an LDAP user, so we don't need to worry about them - } - return new int[0]; + // Prevents anonymous users from being added to this group, and the second check + // ensures they are LDAP users + try + { + if (!context.getCurrentUser().getNetid().equals("")) + { + String groupName = ConfigurationManager.getProperty("authentication-ldap", "login.specialgroup"); + if ((groupName != null) && (!groupName.trim().equals(""))) + { + Group ldapGroup = Group.findByName(context, groupName); + if (ldapGroup == null) + { + // Oops - the group isn't there. + log.warn(LogManager.getHeader(context, + "ldap_specialgroup", + "Group defined in login.specialgroup does not exist")); + return new int[0]; + } else + { + return new int[] { ldapGroup.getID() }; + } + } + } + } + catch (Exception npe) { + // The user is not an LDAP user, so we don't need to worry about them + } + return new int[0]; } /* 
@@ -177,40 +177,40 @@ public class LDAPAuthentication EPerson eperson = null; try { - eperson = EPerson.findByNetid(context, netid.toLowerCase()); + eperson = EPerson.findByNetid(context, netid.toLowerCase()); } catch (SQLException e) { } SpeakerToLDAP ldap = new SpeakerToLDAP(log); - // Get the DN of the user - boolean anonymousSearch = ConfigurationManager.getBooleanProperty("authentication-ldap", "search.anonymous"); - String adminUser = ConfigurationManager.getProperty("authentication-ldap", "search.user"); - String adminPassword = ConfigurationManager.getProperty("authentication-ldap", "search.password"); - String objectContext = ConfigurationManager.getProperty("authentication-ldap", "object_context"); - String idField = ConfigurationManager.getProperty("authentication-ldap", "id_field"); - String dn = ""; + // Get the DN of the user + boolean anonymousSearch = ConfigurationManager.getBooleanProperty("authentication-ldap", "search.anonymous"); + String adminUser = ConfigurationManager.getProperty("authentication-ldap", "search.user"); + String adminPassword = ConfigurationManager.getProperty("authentication-ldap", "search.password"); + String objectContext = ConfigurationManager.getProperty("authentication-ldap", "object_context"); + String idField = ConfigurationManager.getProperty("authentication-ldap", "id_field"); + String dn = ""; - // If adminUser is blank and anonymous search is not allowed, then we can't search so construct the DN instead of searching it - if ((StringUtils.isBlank(adminUser) || StringUtils.isBlank(adminPassword)) && !anonymousSearch) - { - dn = idField + "=" + netid + "," + objectContext; - } - else - { - dn = ldap.getDNOfUser(adminUser, adminPassword, context, netid); - } + // If adminUser is blank and anonymous search is not allowed, then we can't search so construct the DN instead of searching it + if ((StringUtils.isBlank(adminUser) || StringUtils.isBlank(adminPassword)) && !anonymousSearch) + { + dn = idField + "=" + netid + "," 
+ objectContext; + } + else + { + dn = ldap.getDNOfUser(adminUser, adminPassword, context, netid); + } - // Check a DN was found - if ((dn == null) || (dn.trim().equals(""))) - { - log.info(LogManager - .getHeader(context, "failed_login", "no DN found for user " + netid)); - return BAD_CREDENTIALS; - } + // Check a DN was found + if ((dn == null) || (dn.trim().equals(""))) + { + log.info(LogManager + .getHeader(context, "failed_login", "no DN found for user " + netid)); + return BAD_CREDENTIALS; + } - // if they entered a netid that matches an eperson + // if they entered a netid that matches an eperson if (eperson != null) { // e-mail address corresponds to active account @@ -239,19 +239,19 @@ public class LDAPAuthentication return BAD_CREDENTIALS; } } - - // the user does not already exist so try and authenticate them - // with ldap and create an eperson for them else { + // the user does not already exist so try and authenticate them + // with ldap and create an eperson for them + if (ldap.ldapAuthenticate(dn, password, context)) { // Register the new user automatically log.info(LogManager.getHeader(context, "autoregister", "netid=" + netid)); - // If there is no email and the email domain is set, add it to the netid - String email = ldap.ldapEmail; + // If there is no email and the email domain is set, add it to the netid + String email = ldap.ldapEmail; if (((email == null) || ("".equals(email))) && (!"".equals(ConfigurationManager.getProperty("authentication-ldap", "netid_email_domain")))) { 
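Review bot: The fallback `dn = idField + "=" + netid + "," + objectContext;` puts the submitted netid into the bind DN unescaped, so DN special characters in a login name alter the distinguished name that is later passed to `ldapAuthenticate`. Escaping the value closes that, e.g. `dn = idField + "=" + Rdn.escapeValue(netid) + "," + objectContext;` with `javax.naming.ldap.Rdn` imported. Near the top of the hunk, `catch (SQLException e) { }` swallows a failed `EPerson.findByNetid`, which leaves `eperson` null and sends an existing user down the new-user branch; logging the error and failing the login would be safer. The enclosing method begins and ends outside this hunk.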
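Review bot: The context condition `!"".equals(ConfigurationManager.getProperty("authentication-ldap", "netid_email_domain"))` is also true when the property is unset, because `"".equals(null)` is false, so the fallback branch is entered with a null domain. The body of that branch lies between this hunk and the next, so its effect on `email` is not visible here. A blank check such as `StringUtils.isNotBlank(...)` on the property would state the intent and skip the branch for a missing setting.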
@@ -259,93 +259,93 @@ public class LDAPAuthentication } if ((email != null) && (!"".equals(email))) - { - try - { - eperson = EPerson.findByEmail(context, email); - if (eperson!=null) - { - log.info(LogManager.getHeader(context, - "type=ldap-login", "type=ldap_but_already_email")); - context.setIgnoreAuthorization(true); - eperson.setNetid(netid.toLowerCase()); - eperson.update(); - context.commit(); - context.setIgnoreAuthorization(false); - context.setCurrentUser(eperson); + { + try + { + eperson = EPerson.findByEmail(context, email); + if (eperson!=null) + { + log.info(LogManager.getHeader(context, + "type=ldap-login", "type=ldap_but_already_email")); + context.setIgnoreAuthorization(true); + eperson.setNetid(netid.toLowerCase()); + eperson.update(); + context.commit(); + context.setIgnoreAuthorization(false); + context.setCurrentUser(eperson); - // assign user to groups based on ldap dn - assignGroupsBasedOnLdapDn(dn, context); + // assign user to groups based on ldap dn + assignGroupsBasedOnLdapDn(dn, context); - return SUCCESS; - } - else - { - if (canSelfRegister(context, request, netid)) - { - // TEMPORARILY turn off authorisation - try - { - context.setIgnoreAuthorization(true); - eperson = EPerson.create(context); - if ((email != null) && (!"".equals(email))) - { - eperson.setEmail(email); - } - if ((ldap.ldapGivenName!=null) && (!ldap.ldapGivenName.equals(""))) - { - eperson.setFirstName(ldap.ldapGivenName); - } - if ((ldap.ldapSurname!=null) && (!ldap.ldapSurname.equals(""))) - { - eperson.setLastName(ldap.ldapSurname); - } - if ((ldap.ldapPhone!=null)&&(!ldap.ldapPhone.equals(""))) - { - eperson.setMetadata("phone", ldap.ldapPhone); - } - eperson.setNetid(netid.toLowerCase()); - eperson.setCanLogIn(true); - AuthenticationManager.initEPerson(context, request, eperson); - eperson.update(); - context.commit(); - context.setCurrentUser(eperson); + return SUCCESS; + } + else + { + if (canSelfRegister(context, request, netid)) + { + // TEMPORARILY turn off 
authorisation + try + { + context.setIgnoreAuthorization(true); + eperson = EPerson.create(context); + if ((email != null) && (!"".equals(email))) + { + eperson.setEmail(email); + } + if ((ldap.ldapGivenName!=null) && (!ldap.ldapGivenName.equals(""))) + { + eperson.setFirstName(ldap.ldapGivenName); + } + if ((ldap.ldapSurname!=null) && (!ldap.ldapSurname.equals(""))) + { + eperson.setLastName(ldap.ldapSurname); + } + if ((ldap.ldapPhone!=null)&&(!ldap.ldapPhone.equals(""))) + { + eperson.setMetadata("phone", ldap.ldapPhone); + } + eperson.setNetid(netid.toLowerCase()); + eperson.setCanLogIn(true); + AuthenticationManager.initEPerson(context, request, eperson); + eperson.update(); + context.commit(); + context.setCurrentUser(eperson); - // assign user to groups based on ldap dn - assignGroupsBasedOnLdapDn(dn, context); - } - catch (AuthorizeException e) - { - return NO_SUCH_USER; - } - finally - { - context.setIgnoreAuthorization(false); - } + // assign user to groups based on ldap dn + assignGroupsBasedOnLdapDn(dn, context); + } + catch (AuthorizeException e) + { + return NO_SUCH_USER; + } + finally + { + context.setIgnoreAuthorization(false); + } - log.info(LogManager.getHeader(context, "authenticate", - "type=ldap-login, created ePerson")); - return SUCCESS; - } - else - { - // No auto-registration for valid certs - log.info(LogManager.getHeader(context, - "failed_login", "type=ldap_but_no_record")); - return NO_SUCH_USER; - } - } - } - catch (AuthorizeException e) - { - eperson = null; - } - finally - { - context.setIgnoreAuthorization(false); - } - } - } + log.info(LogManager.getHeader(context, "authenticate", + "type=ldap-login, created ePerson")); + return SUCCESS; + } + else + { + // No auto-registration for valid certs + log.info(LogManager.getHeader(context, + "failed_login", "type=ldap_but_no_record")); + return NO_SUCH_USER; + } + } + } + catch (AuthorizeException e) + { + eperson = null; + } + finally + { + context.setIgnoreAuthorization(false); + } + } 
+ } } return BAD_ARGS; } 
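Review bot: In the `eperson!=null` branch after `EPerson.findByEmail`, an existing account is given the caller's netid under `setIgnoreAuthorization(true)` purely because the LDAP-supplied email matches, and nothing checks whether that account already carries a netid. If the directory's email attribute can be edited by users (not visible here), that would bind one person's LDAP login to another person's account; a guard such as `if (StringUtils.isNotBlank(eperson.getNetid())) { return BAD_CREDENTIALS; }` before `setNetid` would refuse to relink. Both `finally` blocks also call `context.setIgnoreAuthorization(false)` unconditionally rather than restoring the value the context had on entry, and `catch (AuthorizeException e) { return NO_SUCH_USER; }` drops the exception without logging it. The method starts outside this hunk.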
@@ -363,47 +363,47 @@ public class LDAPAuthentication protected String ldapSurname = null; protected String ldapPhone = null; - /** LDAP settings */ - String ldap_provider_url = ConfigurationManager.getProperty("authentication-ldap", "provider_url"); - String ldap_id_field = ConfigurationManager.getProperty("authentication-ldap", "id_field"); - String ldap_search_context = ConfigurationManager.getProperty("authentication-ldap", "search_context"); - String ldap_search_scope = ConfigurationManager.getProperty("authentication-ldap", "search_scope"); + /** LDAP settings */ + String ldap_provider_url = ConfigurationManager.getProperty("authentication-ldap", "provider_url"); + String ldap_id_field = ConfigurationManager.getProperty("authentication-ldap", "id_field"); + String ldap_search_context = ConfigurationManager.getProperty("authentication-ldap", "search_context"); + String ldap_search_scope = ConfigurationManager.getProperty("authentication-ldap", "search_scope"); - String ldap_email_field = ConfigurationManager.getProperty("authentication-ldap", "email_field"); - String ldap_givenname_field = ConfigurationManager.getProperty("authentication-ldap", "givenname_field"); - String ldap_surname_field = ConfigurationManager.getProperty("authentication-ldap", "surname_field"); - String ldap_phone_field = ConfigurationManager.getProperty("authentication-ldap", "phone_field"); + String ldap_email_field = ConfigurationManager.getProperty("authentication-ldap", "email_field"); + String ldap_givenname_field = ConfigurationManager.getProperty("authentication-ldap", "givenname_field"); + String ldap_surname_field = ConfigurationManager.getProperty("authentication-ldap", "surname_field"); + String ldap_phone_field = ConfigurationManager.getProperty("authentication-ldap", "phone_field"); - SpeakerToLDAP(Logger thelog) + SpeakerToLDAP(Logger thelog) { log = thelog; } - protected String getDNOfUser(String adminUser, String adminPassword, Context context, String netid) - { - // The 
resultant DN - String resultDN; + protected String getDNOfUser(String adminUser, String adminPassword, Context context, String netid) + { + // The resultant DN + String resultDN; - // The search scope to use (default to 0) - int ldap_search_scope_value = 0; - try - { - ldap_search_scope_value = Integer.parseInt(ldap_search_scope.trim()); - } - catch (NumberFormatException e) - { - // Log the error if it has been set but is invalid - if (ldap_search_scope != null) - { - log.warn(LogManager.getHeader(context, - "ldap_authentication", "invalid search scope: " + ldap_search_scope)); - } - } + // The search scope to use (default to 0) + int ldap_search_scope_value = 0; + try + { + ldap_search_scope_value = Integer.parseInt(ldap_search_scope.trim()); + } + catch (NumberFormatException e) + { + // Log the error if it has been set but is invalid + if (ldap_search_scope != null) + { + log.warn(LogManager.getHeader(context, + "ldap_authentication", "invalid search scope: " + ldap_search_scope)); + } + } - // Set up environment for creating initial context - Hashtable env = new Hashtable(11); - env.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); - env.put(javax.naming.Context.PROVIDER_URL, ldap_provider_url); + // Set up environment for creating initial context + Hashtable env = new Hashtable(11); + env.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); + env.put(javax.naming.Context.PROVIDER_URL, ldap_provider_url); if ((adminUser != null) && (!adminUser.trim().equals("")) && (adminPassword != null) && (!adminPassword.trim().equals(""))) 
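Review bot: `Integer.parseInt(ldap_search_scope.trim())` in `getDNOfUser` throws a NullPointerException when `search_scope` is not configured, which `catch (NumberFormatException e)` does not handle, so the `ldap_search_scope != null` test inside that catch can never be false. Guarding the parse with `if (StringUtils.isNotBlank(ldap_search_scope))` keeps the commented default of 0 for an unset property. The `Hashtable env = new Hashtable(11);` below it is a raw type; `Hashtable<String, String>` would let the compiler check the JNDI environment entries. `getDNOfUser` continues past the end of this hunk.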
@@ -419,158 +419,158 @@ public class LDAPAuthentication env.put(javax.naming.Context.SECURITY_AUTHENTICATION, "none"); } - DirContext ctx = null; - try - { - // Create initial context - ctx = new InitialDirContext(env); + DirContext ctx = null; + try + { + // Create initial context + ctx = new InitialDirContext(env); - Attributes matchAttrs = new BasicAttributes(true); - matchAttrs.put(new BasicAttribute(ldap_id_field, netid)); + Attributes matchAttrs = new BasicAttributes(true); + matchAttrs.put(new BasicAttribute(ldap_id_field, netid)); - // look up attributes - try - { - SearchControls ctrls = new SearchControls(); - ctrls.setSearchScope(ldap_search_scope_value); + // look up attributes + try + { + SearchControls ctrls = new SearchControls(); + ctrls.setSearchScope(ldap_search_scope_value); - NamingEnumeration answer = ctx.search( - ldap_provider_url + ldap_search_context, - "(&({0}={1}))", new Object[] { ldap_id_field, - netid }, ctrls); + NamingEnumeration answer = ctx.search( + ldap_provider_url + ldap_search_context, + "(&({0}={1}))", new Object[] { ldap_id_field, + netid }, ctrls); - while (answer.hasMoreElements()) { - SearchResult sr = answer.next(); + while (answer.hasMoreElements()) { + SearchResult sr = answer.next(); if (StringUtils.isEmpty(ldap_search_context)) { resultDN = sr.getName(); } else { resultDN = (sr.getName() + "," + ldap_search_context); } - String attlist[] = {ldap_email_field, ldap_givenname_field, - ldap_surname_field, ldap_phone_field}; - Attributes atts = sr.getAttributes(); - Attribute att; + String attlist[] = {ldap_email_field, ldap_givenname_field, + ldap_surname_field, ldap_phone_field}; + Attributes atts = sr.getAttributes(); + Attribute att; - if (attlist[0] != null) { - att = atts.get(attlist[0]); - if (att != null) + if (attlist[0] != null) { + att = atts.get(attlist[0]); + if (att != null) { ldapEmail = (String) att.get(); } - } + } - if (attlist[1] != null) { - att = atts.get(attlist[1]); - if (att != null) + if 
(attlist[1] != null) { + att = atts.get(attlist[1]); + if (att != null) { ldapGivenName = (String) att.get(); } - } + } - if (attlist[2] != null) { - att = atts.get(attlist[2]); - if (att != null) + if (attlist[2] != null) { + att = atts.get(attlist[2]); + if (att != null) { ldapSurname = (String) att.get(); } - } + } - if (attlist[3] != null) { - att = atts.get(attlist[3]); - if (att != null) + if (attlist[3] != null) { + att = atts.get(attlist[3]); + if (att != null) { ldapPhone = (String) att.get(); } - } + } - if (answer.hasMoreElements()) { - // Oh dear - more than one match - // Ambiguous user, can't continue + if (answer.hasMoreElements()) { + // Oh dear - more than one match + // Ambiguous user, can't continue - } else { - log.debug(LogManager.getHeader(context, "got DN", resultDN)); - return resultDN; - } - } - } - catch (NamingException e) - { - // if the lookup fails go ahead and create a new record for them because the authentication - // succeeded - log.warn(LogManager.getHeader(context, - "ldap_attribute_lookup", "type=failed_search " - + e)); - } - } - catch (NamingException e) - { - log.warn(LogManager.getHeader(context, - "ldap_authentication", "type=failed_auth " + e)); - } - finally - { - // Close the context when we're done - try - { - if (ctx != null) + } else { + log.debug(LogManager.getHeader(context, "got DN", resultDN)); + return resultDN; + } + } + } + catch (NamingException e) + { + // if the lookup fails go ahead and create a new record for them because the authentication + // succeeded + log.warn(LogManager.getHeader(context, + "ldap_attribute_lookup", "type=failed_search " + + e)); + } + } + catch (NamingException e) + { + log.warn(LogManager.getHeader(context, + "ldap_authentication", "type=failed_auth " + e)); + } + finally + { + // Close the context when we're done + try + { + if (ctx != null) { ctx.close(); } - } - catch (NamingException e) - { - } - } + } + catch (NamingException e) + { + } + } - // No DN match found - return 
null; - } + // No DN match found + return null; + } - /** + /** * contact the ldap server and attempt to authenticate */ - protected boolean ldapAuthenticate(String netid, String password, - Context context) { - if (!password.equals("")) { - // Set up environment for creating initial context - Hashtable env = new Hashtable(); - env.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, - "com.sun.jndi.ldap.LdapCtxFactory"); - env.put(javax.naming.Context.PROVIDER_URL, ldap_provider_url); + protected boolean ldapAuthenticate(String netid, String password, + Context context) { + if (!password.equals("")) { + // Set up environment for creating initial context + Hashtable env = new Hashtable(); + env.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, + "com.sun.jndi.ldap.LdapCtxFactory"); + env.put(javax.naming.Context.PROVIDER_URL, ldap_provider_url); - // Authenticate - env.put(javax.naming.Context.SECURITY_AUTHENTICATION, "Simple"); - env.put(javax.naming.Context.SECURITY_PRINCIPAL, netid); - env.put(javax.naming.Context.SECURITY_CREDENTIALS, password); - env.put(javax.naming.Context.AUTHORITATIVE, "true"); - env.put(javax.naming.Context.REFERRAL, "follow"); + // Authenticate + env.put(javax.naming.Context.SECURITY_AUTHENTICATION, "Simple"); + env.put(javax.naming.Context.SECURITY_PRINCIPAL, netid); + env.put(javax.naming.Context.SECURITY_CREDENTIALS, password); + env.put(javax.naming.Context.AUTHORITATIVE, "true"); + env.put(javax.naming.Context.REFERRAL, "follow"); - DirContext ctx = null; - try { - // Try to bind - ctx = new InitialDirContext(env); - } catch (NamingException e) { - log.warn(LogManager.getHeader(context, - "ldap_authentication", "type=failed_auth " + e)); - return false; - } finally { - // Close the context when we're done - try { - if (ctx != null) + DirContext ctx = null; + try { + // Try to bind + ctx = new InitialDirContext(env); + } catch (NamingException e) { + log.warn(LogManager.getHeader(context, + "ldap_authentication", "type=failed_auth " + 
e)); + return false; + } finally { + // Close the context when we're done + try { + if (ctx != null) { ctx.close(); } - } catch (NamingException e) { - } - } - } else { - return false; - } + } catch (NamingException e) { + } + } + } else { + return false; + } - return true; - } - } + return true; + } + } /* * Returns URL to which to redirect to obtain credentials (either password @@ -649,11 +649,11 @@ public class LDAPAuthentication } catch (AuthorizeException ae) { - log.debug(LogManager.getHeader(context, "assignGroupsBasedOnLdapDn could not authorize addition to group", dspaceGroupName)); + log.debug(LogManager.getHeader(context, "assignGroupsBasedOnLdapDn could not authorize addition to group", dspaceGroupName)); } catch (SQLException e) { - log.debug(LogManager.getHeader(context, "assignGroupsBasedOnLdapDn could not find group", dspaceGroupName)); + log.debug(LogManager.getHeader(context, "assignGroupsBasedOnLdapDn could not find group", dspaceGroupName)); } }
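Review bot: Inside the `while (answer.hasMoreElements())` loop of `getDNOfUser`, the `if (answer.hasMoreElements())` branch commented "Ambiguous user, can't continue" is empty, so the loop simply moves on and the method returns the DN of the last matching entry, with `ldapEmail`, `ldapGivenName`, `ldapSurname` and `ldapPhone` overwritten along the way. Failing closed there, e.g. `log.warn(LogManager.getHeader(context, "ldap_authentication", "type=ambiguous_user")); return null;`, would match the comment. In `ldapAuthenticate`, `env.put(javax.naming.Context.REFERRAL, "follow")` combined with a simple bind can cause the same credentials to be reused against a referred server, so consider `"ignore"` unless referrals are required, and require an `ldaps://` provider URL (the configured value is not visible here). `getDNOfUser` starts before this hunk.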