directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elecha...@apache.org
Subject svn commit: r1481894 - in /directory/apacheds/trunk: core-api/src/main/java/org/apache/directory/server/core/api/ core-integ/src/test/resources/ interceptors/authn/src/main/java/org/apache/directory/server/core/authn/ interceptors/changelog/src/test/ja...
Date Mon, 13 May 2013 14:47:11 GMT
Author: elecharny
Date: Mon May 13 14:47:10 2013
New Revision: 1481894

URL: http://svn.apache.org/r1481894
Log:
o The LDAP principal now stores all the user passwords (we may have moe than one)
o Fixed some logs
o We now check all the userPasswords when processing a simple authentication
o Added a test to see if we can bind using 2 different passwords for a given user

Modified:
    directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/api/LdapPrincipal.java
    directory/apacheds/trunk/core-integ/src/test/resources/log4j.properties
    directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
    directory/apacheds/trunk/interceptors/changelog/src/test/java/org/apache/directory/server/core/changelog/MemoryChangeLogStoreTest.java
    directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/bind/SimpleBindRequestTest.java
    directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/request/BindRequestHandler.java
    directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/DelegatingAuthenticatorBean.java
    directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthIT.java

Modified: directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/api/LdapPrincipal.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/api/LdapPrincipal.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/api/LdapPrincipal.java
(original)
+++ directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/api/LdapPrincipal.java
Mon May 13 14:47:10 2013
@@ -49,7 +49,7 @@ public final class LdapPrincipal impleme
     /** The userPassword
      * @todo security risk remove this immediately
      */
-    private byte[] userPassword;
+    private byte[][] userPasswords;
 
     /** The SchemaManager */
     private SchemaManager schemaManager;
@@ -77,7 +77,7 @@ public final class LdapPrincipal impleme
         }
 
         this.authenticationLevel = authenticationLevel;
-        this.userPassword = null;
+        this.userPasswords = null;
     }
 
 
@@ -95,8 +95,9 @@ public final class LdapPrincipal impleme
     {
         this.dn = dn;
         this.authenticationLevel = authenticationLevel;
-        this.userPassword = new byte[userPassword.length];
-        System.arraycopy( userPassword, 0, this.userPassword, 0, userPassword.length );
+        this.userPasswords = new byte[1][];
+        this.userPasswords[0] = new byte[userPassword.length];
+        System.arraycopy( userPassword, 0, this.userPasswords[0], 0, userPassword.length
);
         this.schemaManager = schemaManager;
     }
 
@@ -108,7 +109,7 @@ public final class LdapPrincipal impleme
     public LdapPrincipal()
     {
         authenticationLevel = AuthenticationLevel.NONE;
-        userPassword = null;
+        userPasswords = null;
     }
 
 
@@ -119,7 +120,7 @@ public final class LdapPrincipal impleme
     public LdapPrincipal( SchemaManager schemaManager )
     {
         authenticationLevel = AuthenticationLevel.NONE;
-        userPassword = null;
+        userPasswords = null;
         this.schemaManager = schemaManager;
     }
 
@@ -156,16 +157,23 @@ public final class LdapPrincipal impleme
     }
 
 
-    public byte[] getUserPassword()
+    public byte[][] getUserPasswords()
     {
-        return userPassword;
+        return userPasswords;
     }
 
 
-    public void setUserPassword( byte[] userPassword )
+    public void setUserPassword( byte[]... userPasswords )
     {
-        this.userPassword = new byte[userPassword.length];
-        System.arraycopy( userPassword, 0, this.userPassword, 0, userPassword.length );
+        this.userPasswords = new byte[userPasswords.length][];
+        int pos = 0;
+
+        for ( byte[] userPassword : userPasswords )
+        {
+            this.userPasswords[pos] = new byte[userPassword.length];
+            System.arraycopy( userPassword, 0, this.userPasswords[pos], 0, userPassword.length
);
+            pos++;
+        }
     }
 
 
@@ -177,9 +185,9 @@ public final class LdapPrincipal impleme
     {
         LdapPrincipal clone = ( LdapPrincipal ) super.clone();
 
-        if ( userPassword != null )
+        if ( userPasswords != null )
         {
-            clone.setUserPassword( userPassword );
+            clone.setUserPassword( userPasswords );
         }
 
         return clone;

Modified: directory/apacheds/trunk/core-integ/src/test/resources/log4j.properties
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/resources/log4j.properties?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/resources/log4j.properties (original)
+++ directory/apacheds/trunk/core-integ/src/test/resources/log4j.properties Mon May 13 14:47:10
2013
@@ -23,7 +23,7 @@ log4j.appender.stdout.layout.ConversionP
 #log4j.logger.org=FATAL
 log4j.logger.jdbm.recman.BaseRecordManager=FATAL
 log4j.logger.org.apache.directory.server.OPERATIONS_LOG=FATAL
-log4j.logger.org.apache.directory.server.OPERATION_TIME=DEBUG
+log4j.logger.org.apache.directory.server.OPERATION_TIME=FATAL
 log4j.logger.org.apache.directory.api.CODEC_LOG=FATAL
 log4j.logger.org.apache.directory.server.ACI_LOG=FATAL
 log4j.logger.org.apache.directory.server.PROVIDER_LOG=FATAL

Modified: directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
(original)
+++ directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
Mon May 13 14:47:10 2013
@@ -28,7 +28,6 @@ import java.util.Arrays;
 import javax.naming.Context;
 
 import org.apache.commons.collections.map.LRUMap;
-import org.apache.commons.lang.ArrayUtils;
 import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
 import org.apache.directory.api.ldap.model.constants.LdapSecurityConstants;
 import org.apache.directory.api.ldap.model.constants.SchemaConstants;
@@ -40,7 +39,6 @@ import org.apache.directory.api.ldap.mod
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.api.ldap.model.password.PasswordUtil;
 import org.apache.directory.api.util.Base64;
-import org.apache.directory.api.util.StringConstants;
 import org.apache.directory.api.util.Strings;
 import org.apache.directory.api.util.UnixCrypt;
 import org.apache.directory.server.core.api.DirectoryService;
@@ -133,26 +131,28 @@ public class SimpleAuthenticator extends
             }
         }
 
-        byte[] storedPassword;
+        byte[][] storedPasswords;
 
         if ( principal == null )
         {
             // Not found in the cache
             // Get the user password from the backend
-            storedPassword = lookupUserPassword( bindContext );
+            storedPasswords = lookupUserPassword( bindContext );
 
             // Deal with the special case where the user didn't enter a password
             // We will compare the empty array with the credentials. Sometime,
             // a user does not set a password. This is bad, but there is nothing
             // we can do against that, except education ...
-            if ( storedPassword == null )
+            if ( storedPasswords == null )
             {
-                storedPassword = ArrayUtils.EMPTY_BYTE_ARRAY;
+                storedPasswords = new byte[][]
+                    {};
             }
 
             // Create the new principal before storing it in the cache
             principal = new LdapPrincipal( getDirectoryService().getSchemaManager(), bindContext.getDn(),
-                AuthenticationLevel.SIMPLE, storedPassword );
+                AuthenticationLevel.SIMPLE );
+            principal.setUserPassword( storedPasswords );
 
             // Now, update the local cache ONLY if pwdpolicy is not enabled.
             if ( !getDirectoryService().isPwdPolicyEnabled() )
@@ -198,25 +198,26 @@ public class SimpleAuthenticator extends
         }
 
         // Get the stored password, either from cache or from backend
-        byte[] storedPassword = principal.getUserPassword();
+        byte[][] storedPasswords = principal.getUserPasswords();
 
-        // Now, compare the two passwords.
-        if ( PasswordUtil.compareCredentials( credentials, storedPassword ) )
+        // Now, compare the passwords.
+        for ( byte[] storedPassword : storedPasswords )
         {
-            if ( IS_DEBUG )
+            if ( PasswordUtil.compareCredentials( credentials, storedPassword ) )
             {
-                LOG.debug( "{} Authenticated", bindContext.getDn() );
-            }
+                if ( IS_DEBUG )
+                {
+                    LOG.debug( "{} Authenticated", bindContext.getDn() );
+                }
 
-            return principal;
-        }
-        else
-        {
-            // Bad password ...
-            String message = I18n.err( I18n.ERR_230, bindContext.getDn().getName() );
-            LOG.info( message );
-            throw new LdapAuthenticationException( message );
+                return principal;
+            }
         }
+
+        // Bad password ...
+        String message = I18n.err( I18n.ERR_230, bindContext.getDn().getName() );
+        LOG.info( message );
+        throw new LdapAuthenticationException( message );
     }
 
 
@@ -226,7 +227,7 @@ public class SimpleAuthenticator extends
      * @return the credentials from the backend
      * @throws Exception if there are problems accessing backend
      */
-    private byte[] lookupUserPassword( BindOperationContext bindContext ) throws LdapException
+    private byte[][] lookupUserPassword( BindOperationContext bindContext ) throws LdapException
     {
         // ---- lookup the principal entry's userPassword attribute
         Entry userEntry;
@@ -277,8 +278,6 @@ public class SimpleAuthenticator extends
 
         }
 
-        Value<?> userPassword;
-
         Attribute userPasswordAttr = userEntry.get( userPasswordAttribute );
 
         bindContext.setEntry( new ClonedServerEntry( userEntry ) );
@@ -286,13 +285,21 @@ public class SimpleAuthenticator extends
         // ---- assert that credentials match
         if ( userPasswordAttr == null )
         {
-            return StringConstants.EMPTY_BYTES;
+            return new byte[][]
+                {};
         }
         else
         {
-            userPassword = userPasswordAttr.get();
+            byte[][] userPasswords = new byte[userPasswordAttr.size()][];
+            int pos = 0;
+
+            for ( Value<?> userPassword : userPasswordAttr )
+            {
+                userPasswords[pos] = userPassword.getBytes();
+                pos++;
+            }
 
-            return userPassword.getBytes();
+            return userPasswords;
         }
     }
 

Modified: directory/apacheds/trunk/interceptors/changelog/src/test/java/org/apache/directory/server/core/changelog/MemoryChangeLogStoreTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/changelog/src/test/java/org/apache/directory/server/core/changelog/MemoryChangeLogStoreTest.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/interceptors/changelog/src/test/java/org/apache/directory/server/core/changelog/MemoryChangeLogStoreTest.java
(original)
+++ directory/apacheds/trunk/interceptors/changelog/src/test/java/org/apache/directory/server/core/changelog/MemoryChangeLogStoreTest.java
Mon May 13 14:47:10 2013
@@ -144,7 +144,7 @@ public class MemoryChangeLogStoreTest
         assertEquals( principal.getAuthenticationLevel(), readPrincipal.getAuthenticationLevel()
);
         assertEquals( principal.getName(), readPrincipal.getName() );
         assertEquals( principal.getDn(), readPrincipal.getDn() );
-        assertNull( readPrincipal.getUserPassword() );
+        assertNull( readPrincipal.getUserPasswords() );
 
         assertEquals( zuluTime, read.getZuluTime() );
         assertEquals( revision, read.getRevision() );

Modified: directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/bind/SimpleBindRequestTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/bind/SimpleBindRequestTest.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/bind/SimpleBindRequestTest.java
(original)
+++ directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/bind/SimpleBindRequestTest.java
Mon May 13 14:47:10 2013
@@ -77,7 +77,21 @@ import org.junit.runner.RunWith;
         "sn: administrator",
         "displayName: Directory Superuser",
         "uid: superuser",
-        "userPassword: test" })
+        "userPassword: test",
+        "",
+        // Entry # 2
+        "dn: uid=superuser2,ou=system",
+        "objectClass: person",
+        "objectClass: organizationalPerson",
+        "objectClass: inetOrgPerson",
+        "objectClass: top",
+        "cn: superuser2",
+        "sn: administrator",
+        "displayName: Directory Superuser",
+        "uid: superuser2",
+        "userPassword: test1",
+        "userPassword: test2"
+    })
 public class SimpleBindRequestTest extends AbstractLdapTestUnit
 {
     private LdapAsyncConnection connection;
@@ -90,6 +104,7 @@ public class SimpleBindRequestTest exten
     public void setup() throws Exception
     {
         connection = new LdapNetworkConnection( "localhost", getLdapServer().getPort() );
+        connection.setTimeOut( 0L );
     }
 
 
@@ -163,6 +178,34 @@ public class SimpleBindRequestTest exten
 
 
     /**
+     * Test a successful simple bind request when the user has 2 passwords.
+     */
+    @Test
+    public void testSimpleBindRequest2Passwords() throws Exception
+    {
+        BindRequest bindRequest = new BindRequestImpl();
+        bindRequest.setDn( new Dn( "uid=superUser2,ou=system" ) );
+        bindRequest.setCredentials( "test1" );
+
+        BindResponse bindResponse = connection.bind( bindRequest );
+
+        assertNotNull( bindResponse );
+        assertEquals( ResultCodeEnum.SUCCESS, bindResponse.getLdapResult().getResultCode()
);
+        assertTrue( connection.isAuthenticated() );
+
+        bindRequest = new BindRequestImpl();
+        bindRequest.setDn( new Dn( "uid=superUser2,ou=system" ) );
+        bindRequest.setCredentials( "test2" );
+
+        bindResponse = connection.bind( bindRequest );
+
+        assertNotNull( bindResponse );
+        assertEquals( ResultCodeEnum.SUCCESS, bindResponse.getLdapResult().getResultCode()
);
+        assertTrue( connection.isAuthenticated() );
+    }
+
+
+    /**
      * Test a successful blank (anonymous) bind request.
      */
     @Test

Modified: directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/request/BindRequestHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/request/BindRequestHandler.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/request/BindRequestHandler.java
(original)
+++ directory/apacheds/trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/request/BindRequestHandler.java
Mon May 13 14:47:10 2013
@@ -318,8 +318,15 @@ public class BindRequestHandler extends 
                 {
                     DirectoryService ds = ldapSession.getLdapServer().getDirectoryService();
                     String saslMechanism = bindRequest.getSaslMechanism();
-                    CoreSession userSession = ds.getSession( ldapPrincipal.getDn(), ldapPrincipal.getUserPassword(),
-                        saslMechanism, null );
+                    byte[] password = null;
+
+                    if ( ldapPrincipal.getUserPasswords() != null )
+                    {
+                        password = ldapPrincipal.getUserPasswords()[0];
+                    }
+
+                    CoreSession userSession = ds.getSession( ldapPrincipal.getDn(),
+                        password, saslMechanism, null );
 
                     // Set the user session into the ldap session 
                     ldapSession.setCoreSession( userSession );

Modified: directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/DelegatingAuthenticatorBean.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/DelegatingAuthenticatorBean.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/DelegatingAuthenticatorBean.java
(original)
+++ directory/apacheds/trunk/server-config/src/main/java/org/apache/directory/server/config/beans/DelegatingAuthenticatorBean.java
Mon May 13 14:47:10 2013
@@ -38,6 +38,14 @@ public class DelegatingAuthenticatorBean
     @ConfigurationElement(attributeType = "ads-delegatePort")
     private int delegatePort;
 
+    /** Tells if we use SSL to connect */
+    @ConfigurationElement(attributeType = "ads-delegateSsl")
+    private boolean delegateSsl;
+
+    /** The base DN which will be the starting point from which we use the delegator authenticator
*/
+    @ConfigurationElement(attributeType = "ads-delegateBaseDn")
+    private String delegateBaseDn;
+
 
     /**
      * @return the delegateHost
@@ -87,6 +95,8 @@ public class DelegatingAuthenticatorBean
 
         sb.append( tabs ).append( "  delegate host : " ).append( delegateHost ).append( '\n'
);
         sb.append( tabs ).append( "  delegate port : " ).append( delegatePort ).append( '\n'
);
+        sb.append( tabs ).append( "  delegate base DN : " ).append( delegateBaseDn ).append(
'\n' );
+        sb.append( tabs ).append( "  delegate SSL : " ).append( delegateSsl ).append( '\n'
);
 
         return sb.toString();
     }

Modified: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthIT.java?rev=1481894&r1=1481893&r2=1481894&view=diff
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthIT.java
(original)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthIT.java
Mon May 13 14:47:10 2013
@@ -45,7 +45,7 @@ import org.junit.runner.RunWith;
 
 
 /**
- * Tests the server to make sure standard compare operations work properly.
+ * Tests the Delegated authenticator
  *
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
@@ -100,6 +100,8 @@ public class DelegatedAuthIT extends Abs
         assertEquals( "DelegatedAuthIT-method", getService().getInstanceId() );
         LdapConnection ldapConnection = new LdapNetworkConnection( "localhost", getLdapServer()
             .getPort() );
+
+        ldapConnection.setTimeOut( 0L );
         ldapConnection.bind( "uid=antoine,ou=users,ou=system", "secret" );
 
         assertTrue( ldapConnection.isAuthenticated() );



Mime
View raw message