directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From smckin...@apache.org
Subject [11/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.
Date Wed, 22 Oct 2014 17:48:26 GMT
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/UserDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/UserDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/UserDAO.java
new file mode 100755
index 0000000..3def2ff
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/UserDAO.java
@@ -0,0 +1,2375 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.directory.api.ldap.model.cursor.CursorException;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.entry.Attribute;
+import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.api.ldap.model.entry.Modification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapAttributeInUseException;
+import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.exception.LdapNoPermissionException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchAttributeException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ObjectFactory;
+import org.apache.directory.fortress.core.PasswordException;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.cfg.Config;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+import org.apache.directory.fortress.core.util.attr.AttrHelper;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.core.util.time.CUtil;
+
+
+/**
+ * Data access class for LDAP User entity.
+ * <p/>
+ * <p/>
+ * The Fortress User LDAP schema follows:
+ * <p/>
+ * <h4>1. InetOrgPerson Structural Object Class </h4>
+ * <code># The inetOrgPerson represents people who are associated with an</code><br />
+ * <code># organization in some way.  It is a structural class and is derived</code><br />
+ * <code># from the organizationalPerson which is defined in X.521 [X521].</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 2.16.840.1.113730.3.2.2</code>
+ * <li> <code>NAME 'inetOrgPerson'</code>
+ * <li> <code>DESC 'RFC2798: Internet Organizational Person'</code>
+ * <li> <code>SUP organizationalPerson</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MAY ( audio $ businessCategory $ carLicense $ departmentNumber $</code>
+ * <li> <code>displayName $ employeeNumber $ employeeType $ givenName $</code>
+ * <li> <code>homePhone $ homePostalAddress $ initials $ jpegPhoto $</code>
+ * <li> <code>labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $</code>
+ * <li> <code>roomNumber $ secretary $ uid $ userCertificate $</code>
+ * <li> <code>x500uniqueIdentifier $ preferredLanguage $</code>
+ * <li> <code>userSMIMECertificate $ userPKCS12 ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * <h4>3. ftUserAttrs is used to store user RBAC and Admin role assignment and other security attributes on User entity</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.1</code>
+ * <li> <code>NAME 'ftUserAttrs'</code>
+ * <li> <code>DESC 'Fortress User Attribute AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MUST ( ftId )</code>
+ * <li> <code>MAY ( ftRC $ ftRA $ ftARC $ ftARA $ ftCstr</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ * @created August 30, 2009
+ */
+final class UserDAO extends ApacheDsDataProvider
+{
+    private static final String CLS_NM = UserDAO.class.getName();
+    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+    private static PwPolicyControl pwControlx;
+
+    /**
+     * Initialize the OpenLDAP Pw Policy validator.
+     */
+    //todo: fix me, removed with unbound:
+/*
+    static
+    {
+        if ( GlobalIds.IS_OPENLDAP )
+        {
+            pwControl = new OLPWControlImpl();
+        }
+    }
+*/
+
+    /*
+      *  *************************************************************************
+      *  **  OpenAccessMgr USERS STATICS
+      *  ************************************************************************
+      */
+    private static final String USERS_AUX_OBJECT_CLASS_NAME = "ftUserAttrs";
+    private static final String ORGANIZATIONAL_PERSON_OBJECT_CLASS_NAME = "organizationalPerson";
+    private static final String USER_OBJECT_CLASS = "user.objectclass";
+    private static final String USERS_EXTENSIBLE_OBJECT = "extensibleObject";
+
+    // The Fortress User entity attributes are stored within standard LDAP object classes along with custom auxiliary object classes:
+    private static final String USER_OBJ_CLASS[] =
+        {
+            GlobalIds.TOP,
+            Config.getProperty( USER_OBJECT_CLASS ),
+            USERS_AUX_OBJECT_CLASS_NAME,
+            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
+            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME,
+            USERS_EXTENSIBLE_OBJECT
+    };
+
+    private static final String objectClassImpl = Config.getProperty( USER_OBJECT_CLASS );
+    private static final String SN = "sn";
+    private static final String PW = "userpassword";
+    private static final String SYSTEM_USER = "ftSystem";
+
+    /**
+     * Constant contains the locale attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String L = "l";
+
+    /**
+     * Constant contains the postal address attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String POSTAL_ADDRESS = "postalAddress";
+
+    /**
+     * Constant contains the state attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String STATE = "st";
+
+    /**
+     * Constant contains the postal code attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String POSTAL_CODE = "postalCode";
+
+    /**
+     * Constant contains the post office box attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String POST_OFFICE_BOX = "postOfficeBox";
+
+    /**
+     * Constant contains the country attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String COUNTRY = "c";
+
+    /**
+     * Constant contains the  attribute name used within inetorgperson ldap object classes.
+     */
+    private static final String PHYSICAL_DELIVERY_OFFICE_NAME = "physicalDeliveryOfficeName";
+
+    /**
+     * Constant contains the  attribute name used within inetorgperson ldap object classes.
+     */
+    private static final String DEPARTMENT_NUMBER = "departmentNumber";
+
+    /**
+     * Constant contains the  attribute name used within inetorgperson ldap object classes.
+     */
+    private static final String ROOM_NUMBER = "roomNumber";
+
+    /**
+     * Constant contains the mobile attribute values used within iNetOrgPerson ldap object classes.
+     */
+    private static final String MOBILE = "mobile";
+
+    /**
+     * Constant contains the telephone attribute values used within organizationalPerson ldap object classes.
+     */
+    private static final String TELEPHONE_NUMBER = "telephoneNumber";
+
+    /**
+     * Constant contains the  attribute name for jpeg images to be stored within inetorgperson ldap object classes.
+     */
+    private static final String JPEGPHOTO = "jpegPhoto";
+
+    /**
+     * Constant contains the email attribute values used within iNetOrgPerson ldap object classes.
+     */
+    private static final String MAIL = "mail";
+    private static final String DISPLAY_NAME = "displayName";
+    private static final String TITLE = "title";
+    private static final String EMPLOYEE_TYPE = "employeeType";
+
+    private static final String OPENLDAP_POLICY_SUBENTRY = "pwdPolicySubentry";
+    private static final String OPENLDAP_PW_RESET = "pwdReset";
+    private static final String OPENLDAP_PW_LOCKED_TIME = "pwdAccountLockedTime";
+    private static final String OPENLDAP_ACCOUNT_LOCKED_TIME = "pwdAccountLockedTime";
+    private static final String LOCK_VALUE = "000001010000Z";
+    private static final String[] USERID =
+        { GlobalIds.UID };
+    private static final String[] ROLES =
+        { GlobalIds.USER_ROLE_ASSIGN };
+
+    private static final String[] USERID_ATRS =
+        {
+            GlobalIds.UID
+    };
+
+    // This smaller result set of attributes are needed for user validation and authentication operations.
+    private static final String[] AUTHN_ATRS =
+        {
+            GlobalIds.FT_IID,
+            GlobalIds.UID, PW,
+            GlobalIds.DESC,
+            GlobalIds.OU, GlobalIds.CN,
+            SN,
+            GlobalIds.CONSTRAINT,
+            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_RESET : null,
+            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_LOCKED_TIME : null,
+            GlobalIds.PROPS
+    };
+
+    // This default set of attributes contains all and is used for search operations.
+    private static final String[] DEFAULT_ATRS =
+        {
+            GlobalIds.FT_IID,
+            GlobalIds.UID, PW,
+            GlobalIds.DESC,
+            GlobalIds.OU,
+            GlobalIds.CN,
+            SN,
+            GlobalIds.USER_ROLE_DATA,
+            GlobalIds.CONSTRAINT,
+            GlobalIds.USER_ROLE_ASSIGN,
+            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_RESET : null,
+            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_LOCKED_TIME : null,
+            GlobalIds.IS_OPENLDAP ? OPENLDAP_POLICY_SUBENTRY : null,
+            GlobalIds.PROPS,
+            GlobalIds.USER_ADMINROLE_ASSIGN,
+            GlobalIds.USER_ADMINROLE_DATA,
+            POSTAL_ADDRESS,
+            L,
+            POSTAL_CODE,
+            POST_OFFICE_BOX,
+            STATE,
+            PHYSICAL_DELIVERY_OFFICE_NAME,
+            DEPARTMENT_NUMBER,
+            ROOM_NUMBER,
+            TELEPHONE_NUMBER,
+            MOBILE,
+            MAIL,
+            EMPLOYEE_TYPE,
+            TITLE,
+            SYSTEM_USER,
+            JPEGPHOTO
+    };
+
+    private static final String[] ROLE_ATR =
+        {
+            GlobalIds.USER_ROLE_DATA
+    };
+
+    private static final String[] AROLE_ATR =
+        {
+            GlobalIds.USER_ADMINROLE_DATA
+    };
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws CreateException
+     *
+     */
+    final User create( User entity ) throws CreateException
+    {
+        LdapConnection ld = null;
+
+        try
+        {
+            entity.setInternalId();
+
+            String dn = getDn( entity.getUserId(), entity.getContextId() );
+
+            Entry myEntry = new DefaultEntry( dn );
+
+            myEntry.add( GlobalIds.OBJECT_CLASS, USER_OBJ_CLASS );
+            myEntry.add( GlobalIds.FT_IID, entity.getInternalId() );
+            myEntry.add( GlobalIds.UID, entity.getUserId() );
+
+            // CN is required on inetOrgPerson object class, if caller did not set, use the userId:
+            if ( !VUtil.isNotNullOrEmpty( entity.getCn() ) )
+            {
+                entity.setCn( entity.getUserId() );
+            }
+
+            myEntry.add( GlobalIds.CN, entity.getCn() );
+
+            // SN is required on inetOrgPerson object class, if caller did not set, use the userId:
+            if ( !VUtil.isNotNullOrEmpty( entity.getSn() ) )
+            {
+                entity.setSn( entity.getUserId() );
+            }
+
+            myEntry.add( SN, entity.getSn() );
+
+            // guard against npe
+            myEntry.add( PW,
+                VUtil.isNotNullOrEmpty( entity.getPassword() ) ? new String( entity.getPassword() ) : new String(
+                    new char[]
+                        {} ) );
+            myEntry.add( DISPLAY_NAME, entity.getCn() );
+
+            if ( VUtil.isNotNullOrEmpty( entity.getTitle() ) )
+            {
+                myEntry.add( TITLE, entity.getTitle() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getEmployeeType() ) )
+            {
+                myEntry.add( EMPLOYEE_TYPE, entity.getEmployeeType() );
+            }
+
+            // These are multi-valued attributes, use the util function to load.
+            // These items are optional.  The utility function will return quietly if item list is empty:
+            loadAttrs( entity.getPhones(), myEntry, TELEPHONE_NUMBER );
+            loadAttrs( entity.getMobiles(), myEntry, MOBILE );
+            loadAttrs( entity.getEmails(), myEntry, MAIL );
+
+            // The following attributes are optional:
+            if ( VUtil.isNotNullOrEmpty( entity.isSystem() ) )
+            {
+                myEntry.add( SYSTEM_USER, entity.isSystem().toString().toUpperCase() );
+            }
+
+            if ( GlobalIds.IS_OPENLDAP && VUtil.isNotNullOrEmpty( entity.getPwPolicy() ) )
+            {
+                String pwdPolicyDn = GlobalIds.POLICY_NODE_TYPE + "=" + entity.getPwPolicy() + ","
+                    + getRootDn( entity.getContextId(), GlobalIds.PPOLICY_ROOT );
+                myEntry.add( OPENLDAP_POLICY_SUBENTRY, pwdPolicyDn );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
+            {
+                myEntry.add( GlobalIds.OU, entity.getOu() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                myEntry.add( GlobalIds.DESC, entity.getDescription() );
+            }
+
+            // props are optional as well:
+            // Add "initial" property here.
+            entity.addProperty( "init", "" );
+            loadProperties( entity.getProperties(), myEntry, GlobalIds.PROPS );
+            // map the userid to the name field in constraint:
+            entity.setName( entity.getUserId() );
+            myEntry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) );
+            loadAddress( entity.getAddress(), myEntry );
+
+            if ( VUtil.isNotNullOrEmpty( entity.getJpegPhoto() ) )
+            {
+                myEntry.add( JPEGPHOTO, entity.getJpegPhoto() );
+            }
+
+            ld = getAdminConnection();
+            add( ld, myEntry, entity );
+            entity.setDn( dn );
+        }
+        catch ( LdapException e )
+        {
+            String error = "create userId [" + entity.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new CreateException( GlobalErrIds.USER_ADD_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws UpdateException
+     */
+    final User update( User entity )
+        throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( entity.getUserId(), entity.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( VUtil.isNotNullOrEmpty( entity.getCn() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.CN, entity.getCn() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getSn() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, SN, entity.getSn() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.OU, entity.getOu() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getPassword() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, PW, new String( entity.getPassword() ) ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getEmployeeType() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, EMPLOYEE_TYPE, entity.getEmployeeType() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getTitle() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, TITLE, entity.getTitle() ) );
+            }
+
+            if ( GlobalIds.IS_OPENLDAP && VUtil.isNotNullOrEmpty( entity.getPwPolicy() ) )
+            {
+                String szDn = GlobalIds.POLICY_NODE_TYPE + "=" + entity.getPwPolicy() + ","
+                    + getRootDn( entity.getContextId(), GlobalIds.PPOLICY_ROOT );
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_POLICY_SUBENTRY, szDn ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.isSystem() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, SYSTEM_USER, entity.isSystem().toString().toUpperCase() ) );
+            }
+
+            if ( entity.isTemporalSet() )
+            {
+                // map the userid to the name field in constraint:
+                entity.setName( entity.getUserId() );
+                String szRawData = CUtil.setConstraint( entity );
+
+                if ( VUtil.isNotNullOrEmpty( szRawData ) )
+                {
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.CONSTRAINT, szRawData ) );
+                }
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
+            {
+                loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, true );
+            }
+
+            loadAddress( entity.getAddress(), mods );
+
+            // These are multi-valued attributes, use the util function to load:
+            loadAttrs( entity.getPhones(), mods, TELEPHONE_NUMBER );
+            loadAttrs( entity.getMobiles(), mods, MOBILE );
+            loadAttrs( entity.getEmails(), mods, MAIL );
+
+            if ( VUtil.isNotNullOrEmpty( entity.getJpegPhoto() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, JPEGPHOTO, entity.getJpegPhoto() ) );
+            }
+
+            if ( mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, userDn, mods, entity );
+                entity.setDn( userDn );
+            }
+
+            entity.setDn( userDn );
+        }
+        catch ( LdapException e )
+        {
+            String error = "update userId [" + entity.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_UPDATE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @param replace
+     * @return
+     * @throws UpdateException
+     */
+    final User updateProps( User entity, boolean replace )
+        throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( entity.getUserId(), entity.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
+            {
+                loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, replace );
+            }
+
+            if ( mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, userDn, mods, entity );
+                entity.setDn( userDn );
+            }
+
+            entity.setDn( userDn );
+        }
+        catch ( LdapException e )
+        {
+            String error = "updateProps userId [" + entity.getUserId() + "] isReplace [" + replace
+                + "] caught LDAPException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_UPDATE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param user
+     * @throws RemoveException
+     */
+    final String remove( User user )
+        throws RemoveException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            delete( ld, userDn, user );
+        }
+        catch ( LdapException e )
+        {
+            String error = "remove userId [" + user.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new RemoveException( GlobalErrIds.USER_DELETE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param user
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    final void lock( User user ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_PW_LOCKED_TIME,
+                LOCK_VALUE ) );
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, user );
+        }
+        catch ( LdapException e )
+        {
+            String error = "lock user [" + user.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_PW_LOCK_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param user
+     * @throws UpdateException
+     *
+     */
+    final void unlock( User user )
+        throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            //ld = getAdminConnection();
+            List<Modification> mods = new ArrayList<Modification>();
+
+            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, OPENLDAP_PW_LOCKED_TIME ) );
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, user );
+        }
+        catch ( LdapNoSuchAttributeException e )
+        {
+            LOG.info( "unlock user [" + user.getUserId() + "] no such attribute:"
+                + OPENLDAP_ACCOUNT_LOCKED_TIME );
+        }
+        catch ( LdapException e )
+        {
+            String error = "unlock user [" + user.getUserId() + "] caught LDAPException= "
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_PW_UNLOCK_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final User getUser( User user, boolean isRoles )
+        throws FinderException
+    {
+        User entity = null;
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        String[] uATTRS;
+        // Retrieve role attributes?
+
+        if ( isRoles )
+        {
+            // Retrieve the User's assigned RBAC and Admin Role attributes from directory.
+            uATTRS = DEFAULT_ATRS;
+
+        }
+        else
+        {
+            // Do not retrieve the User's assigned RBAC and Admin Role attributes from directory.
+            uATTRS = AUTHN_ATRS;
+        }
+
+        Entry findEntry = null;
+
+        try
+        {
+            ld = getAdminConnection();
+            findEntry = read( ld, userDn, uATTRS );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getUser COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
+            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getUser [" + userDn + "]= caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        try
+        {
+            if(findEntry != null)
+            {
+                entity = unloadLdapEntry( findEntry, 0, user.getContextId() );
+            }
+        }
+        catch ( LdapInvalidAttributeValueException e )
+        {
+            entity = null;
+        }
+
+        if ( entity == null )
+        {
+            String warning = "getUser userId [" + user.getUserId() + "] not found, Fortress rc="
+                + GlobalErrIds.USER_NOT_FOUND;
+            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     */
+    final List<UserAdminRole> getUserAdminRoles( User user )
+        throws FinderException
+    {
+        List<UserAdminRole> roles = null;
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, userDn, AROLE_ATR );
+            roles = unloadUserAdminRoles( findEntry, user.getUserId(), user.getContextId() );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getUserAdminRoles COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
+            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getUserAdminRoles [" + userDn + "]= caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roles;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<String> getRoles( User user )
+        throws FinderException
+    {
+        List<String> roles = null;
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, userDn, ROLES );
+
+            if ( findEntry == null )
+            {
+                String warning = "getRoles userId [" + user.getUserId() + "] not found, Fortress rc="
+                    + GlobalErrIds.USER_NOT_FOUND;
+                throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+            }
+
+            roles = getAttributes( findEntry, GlobalIds.USER_ROLE_ASSIGN );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getRoles COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
+            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getRoles [" + userDn + "]= caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roles;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     * @throws org.apache.directory.fortress.core.SecurityException
+     */
+    final Session checkPassword( User user ) throws FinderException
+    {
+        Session session = null;
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            session = new ObjectFactory().createSession();
+            session.setUserId( user.getUserId() );
+            ld = getUserConnection();
+            boolean result = bind( ld, userDn, user.getPassword() );
+
+            if ( result )
+            {
+                // check openldap password policies here
+                checkPwPolicies( ld, session );
+
+                if ( session.getErrorId() == 0 )
+                {
+                    session.setAuthenticated( true );
+                }
+            }
+        }
+        catch ( LdapAuthenticationException e )
+        {
+            // Check controls to see if password is locked, expired or out of grace:
+            checkPwPolicies( ld, session );
+            // if check pw control did not find problem the user entered invalid pw:
+            if ( session.getErrorId() == 0 )
+            {
+                String info = "checkPassword INVALID PASSWORD for userId [" + user.getUserId() + "]";
+                session.setMsg( info );
+                session.setErrorId( GlobalErrIds.USER_PW_INVLD );
+                session.setAuthenticated( false );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "checkPassword userId [" + user.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeUserConnection( ld );
+        }
+
+        return session;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws FinderException
+     */
+    final List<User> findUsers( User user ) throws FinderException
+    {
+        List<User> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( user.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String filter;
+
+            if ( VUtil.isNotNullOrEmpty( user.getUserId() ) )
+            {
+                // place a wild card after the input userId:
+                String searchVal = encodeSafeText( user.getUserId(), GlobalIds.USERID_LEN );
+                filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+                    + GlobalIds.UID + "=" + searchVal + "*))";
+            }
+            else if ( VUtil.isNotNullOrEmpty( user.getInternalId() ) )
+            {
+                // internalUserId search
+                String searchVal = encodeSafeText( user.getInternalId(), GlobalIds.USERID_LEN );
+                // this is not a wildcard search. Must be exact match.
+                filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+                    + GlobalIds.FT_IID + "=" + searchVal + "))";
+            }
+            else
+            {
+                // Beware - returns ALL users!!:"
+                filter = "(objectclass=" + objectClassImpl + ")";
+            }
+
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, user.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "findUsers userRoot [" + userRoot + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "findUsers userRoot [" + userRoot + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param user
+     * @param limit
+     * @return
+     * @throws FinderException
+     *
+     */
+    final List<String> findUsers( User user, int limit ) throws FinderException
+    {
+        List<String> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( user.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String searchVal = encodeSafeText( user.getUserId(), GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+                + GlobalIds.UID + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, USERID, false, GlobalIds.BATCH_SIZE, limit );
+
+            while ( searchResults.next() )
+            {
+                Entry entry = searchResults.getEntry();
+                userList.add( getAttribute( entry, GlobalIds.UID ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "findUsers caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "findUsers caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param role
+     * @return
+     * @throws FinderException
+     *
+     */
+    final List<User> getAuthorizedUsers( Role role ) throws FinderException
+    {
+        List<User> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")(";
+            Set<String> roles = RoleUtil.getDescendants( role.getName(), role.getContextId() );
+
+            if ( VUtil.isNotNullOrEmpty( roles ) )
+            {
+                filter += "|(" + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + ")";
+
+                for ( String uRole : roles )
+                {
+                    filter += "(" + GlobalIds.USER_ROLE_ASSIGN + "=" + uRole + ")";
+                }
+
+                filter += ")";
+            }
+            else
+            {
+                filter += GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + ")";
+            }
+
+            filter += ")";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, role.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param role
+     * @return
+     * @throws FinderException
+     */
+    final List<User> getAssignedUsers( Role role )
+        throws FinderException
+    {
+        List<User> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
+                + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, role.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "getAssignedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "getAssignedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     *
+     * @param roles
+     * @return
+     * @throws FinderException
+     */
+    final Set<String> getAssignedUsers( Set<String> roles, String contextId )
+        throws FinderException
+    {
+        Set<String> userSet = new HashSet<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( contextId, GlobalIds.USER_ROOT );
+
+        try
+        {
+            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")(|";
+
+            if ( VUtil.isNotNullOrEmpty( roles ) )
+            {
+                for ( String roleVal : roles )
+                {
+                    String filteredVal = encodeSafeText( roleVal, GlobalIds.USERID_LEN );
+                    filter += "(" + GlobalIds.USER_ROLE_ASSIGN + "=" + filteredVal + ")";
+                }
+            }
+            else
+            {
+                return null;
+            }
+
+            filter += "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, USERID_ATRS, false, GlobalIds.BATCH_SIZE );
+
+            while ( searchResults.next() )
+            {
+                userSet.add( getAttribute( searchResults.getEntry(), GlobalIds.UID ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "getAssignedUsers caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "getAssignedUsers caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userSet;
+    }
+
+
+    /**
+     * @param role
+     * @return
+     * @throws FinderException
+     */
+    final List<User> getAssignedUsers( AdminRole role )
+        throws FinderException
+    {
+        List<User> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
+                + GlobalIds.USER_ADMINROLE_ASSIGN + "=" + roleVal + "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, role.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "getAssignedUsers admin role name [" + role.getName()
+                + "] caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_USER_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "getAssignedUsers admin role name [" + role.getName()
+                + "] caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_USER_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param role
+     * @param limit
+     * @return
+     * @throws FinderException
+     *
+     */
+    final List<String> getAuthorizedUsers( Role role, int limit )
+        throws FinderException
+    {
+        List<String> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
+                + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, USERID, false, GlobalIds.BATCH_SIZE, limit );
+
+            while ( searchResults.next() )
+            {
+                Entry entry = searchResults.getEntry();
+                userList.add( getAttribute( entry, GlobalIds.UID ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param searchVal
+     * @return
+     * @throws FinderException
+     */
+    final List<String> findUsersList( String searchVal, String contextId )
+        throws FinderException
+    {
+        List<String> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( contextId, GlobalIds.USER_ROOT );
+
+        try
+        {
+            searchVal = encodeSafeText( searchVal, GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+                + GlobalIds.UID + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( ( unloadLdapEntry( searchResults.getEntry(), sequence++, contextId ) ).getUserId() );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "findUsersList caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "findUsersList caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param ou
+     * @return
+     * @throws FinderException
+     */
+    final List<User> findUsers( OrgUnit ou, boolean limitSize )
+        throws FinderException
+    {
+        List<User> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( ou.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String szOu = encodeSafeText( ou.getName(), GlobalIds.OU_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+                + GlobalIds.OU + "=" + szOu + "))";
+            int maxLimit;
+
+            if ( limitSize )
+            {
+                maxLimit = 10;
+            }
+            else
+            {
+                maxLimit = 0;
+            }
+
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE, maxLimit );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, ou.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "findUsers caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "findUsers caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param entity
+     * @param newPassword
+     * @return
+     * @throws UpdateException
+     *
+     * @throws SecurityException
+     * @throws PasswordException 
+     */
+    final boolean changePassword( User entity, char[] newPassword ) throws SecurityException
+    {
+        boolean rc = true;
+        LdapConnection ld = null;
+        List<Modification> mods;
+        String userDn = getDn( entity.getUserId(), entity.getContextId() );
+
+        try
+        {
+            ld = getUserConnection();
+            bind( ld, userDn, entity.getPassword() );
+            mods = new ArrayList<Modification>();
+
+            mods.add( new DefaultModification(
+                ModificationOperation.REPLACE_ATTRIBUTE, PW, new String( newPassword ) ) );
+
+            modify( ld, userDn, mods );
+
+            // The 2nd modify is to update audit attributes on the User entry:
+            if ( GlobalIds.IS_AUDIT && ( entity.getAdminSession() != null ) )
+            {
+                // Because the user modified their own password, set their userId here:
+                //(entity.getAdminSession()).setInternalUserId(entity.getUserId());
+                mods = new ArrayList<Modification>();
+                modify( ld, userDn, mods, entity );
+            }
+        }
+        catch ( LdapInvalidAttributeValueException e )
+        {
+            String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
+
+            warning += " constraint violation, ldap rc=" + e.getMessage()
+                + " Fortress rc=" + GlobalErrIds.PSWD_CONST_VIOLATION;
+
+            throw new PasswordException( GlobalErrIds.PSWD_CONST_VIOLATION, warning );
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
+            warning += " user not authorized to change password, ldap rc=" + e.getMessage() + " Fortress rc="
+                + GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
+            throw new UpdateException( GlobalErrIds.USER_PW_MOD_NOT_ALLOWED, warning );
+        }
+        catch ( LdapException e )
+        {
+            String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
+            warning += " caught LDAPException rc=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_PW_CHANGE_FAILED, warning, e );
+        }
+        finally
+        {
+            closeUserConnection( ld );
+        }
+
+        return rc;
+    }
+
+
+    /**
+     * @param user
+     * @throws UpdateException
+     *
+     */
+    final void resetUserPassword( User user ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            mods.add( new DefaultModification(
+                ModificationOperation.REPLACE_ATTRIBUTE, PW, new String( user.getPassword() ) ) );
+
+            mods.add( new DefaultModification(
+                ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_PW_RESET, "TRUE" ) );
+
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, user );
+        }
+        catch ( LdapException e )
+        {
+            String warning = "resetUserPassword userId [" + user.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_PW_RESET_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param uRole
+     * @return
+     * @throws UpdateException
+     *
+     * @throws FinderException
+     *
+     */
+    final String assign( UserRole uRole ) throws UpdateException, FinderException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            String szUserRole = uRole.getRawData();
+
+            mods.add( new DefaultModification(
+                ModificationOperation.ADD_ATTRIBUTE, GlobalIds.USER_ROLE_DATA, szUserRole ) );
+
+            mods.add( new DefaultModification(
+                ModificationOperation.ADD_ATTRIBUTE, GlobalIds.USER_ROLE_ASSIGN, uRole.getName() ) );
+
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, uRole );
+        }
+        catch ( LdapAttributeInUseException e )
+        {
+            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] ";
+
+            warning += "assignment already exists.";
+            throw new FinderException( GlobalErrIds.URLE_ASSIGN_EXIST, warning );
+        }
+        catch ( LdapException e )
+        {
+            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] ";
+
+            warning += "caught LDAPException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.URLE_ASSIGN_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param uRole
+     * @return
+     * @throws UpdateException
+     *
+     * @throws FinderException
+     *
+     */
+    final String deassign( UserRole uRole )
+        throws UpdateException, FinderException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+        try
+        {
+            // read the user's RBAC role assignments to locate target record.  Need the raw data before attempting removal:
+            List<UserRole> roles = getUserRoles( uRole.getUserId(), uRole.getContextId() );
+            int indx = -1;
+
+            // Does the user have any roles assigned?
+            if ( roles != null )
+            {
+                // function call will set indx to -1 if name not found:
+                indx = roles.indexOf( uRole );
+
+                // Is the targeted name assigned to user?
+                if ( indx > -1 )
+                {
+                    // Retrieve the targeted name:
+                    UserRole fRole = roles.get( indx );
+                    // delete the name assignment attribute using the raw name data:
+                    List<Modification> mods = new ArrayList<Modification>();
+
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REMOVE_ATTRIBUTE,
+                        GlobalIds.USER_ROLE_DATA, fRole.getRawData() ) );
+
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REMOVE_ATTRIBUTE,
+                        GlobalIds.USER_ROLE_ASSIGN, fRole.getName() ) );
+                    ld = getAdminConnection();
+                    modify( ld, userDn, mods, uRole );
+                }
+            }
+            // target name not found:
+            if ( indx == -1 )
+            {
+                // The user does not have the target name assigned,
+                String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                    + "] assignment does not exist.";
+                throw new FinderException( GlobalErrIds.URLE_ASSIGN_NOT_EXIST, warning );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                + "] caught LDAPException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.URLE_DEASSIGN_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param uRole
+     * @return
+     * @throws UpdateException
+     *
+     * @throws FinderException
+     *
+     */
+    final String assign( UserAdminRole uRole ) throws UpdateException, FinderException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            String szUserRole = uRole.getRawData();
+            mods.add( new DefaultModification(
+                ModificationOperation.ADD_ATTRIBUTE,
+                GlobalIds.USER_ADMINROLE_DATA, szUserRole ) );
+
+            mods.add( new DefaultModification(
+                ModificationOperation.ADD_ATTRIBUTE,
+                GlobalIds.USER_ADMINROLE_ASSIGN, uRole.getName() ) );
+
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, uRole );
+        }
+        catch ( LdapAttributeInUseException e )
+        {
+            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                + "] assignment already exists.";
+            throw new FinderException( GlobalErrIds.ARLE_ASSIGN_EXIST, warning );
+        }
+        catch ( LdapException e )
+        {
+            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                + "] caught LDAPException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_ASSIGN_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param uRole
+     * @return
+     * @throws UpdateException
+     *
+     * @throws FinderException
+     *
+     */
+    final String deassign( UserAdminRole uRole )
+        throws UpdateException, FinderException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+        try
+        {
+            // read the user's ARBAC roles to locate record.  Need the raw data before attempting removal:
+            User user = new User( uRole.getUserId() );
+            user.setContextId( uRole.getContextId() );
+            List<UserAdminRole> roles = getUserAdminRoles( user );
+
+            int indx = -1;
+
+            // Does the user have any roles assigned?
+            if ( roles != null )
+            {
+                // function call will set index to -1 if name not found:
+                indx = roles.indexOf( uRole );
+
+                // Is the targeted name assigned to user?
+                if ( indx > -1 )
+                {
+                    // Retrieve the targeted name:
+                    UserRole fRole = roles.get( indx );
+                    // delete the name assignment attribute using the raw name data:
+                    List<Modification> mods = new ArrayList<Modification>();
+
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ADMINROLE_DATA, fRole.getRawData() ) );
+
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ADMINROLE_ASSIGN, fRole.getName() ) );
+
+                    ld = getAdminConnection();
+                    modify( ld, userDn, mods, uRole );
+                }
+            }
+
+            // target name not found:
+            if ( indx == -1 )
+            {
+                // The user does not have the target name assigned,
+                String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                    + "] assignment does not exist.";
+                throw new FinderException( GlobalErrIds.ARLE_DEASSIGN_NOT_EXIST, warning );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                + "] caught LDAPException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_DEASSIGN_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws UpdateException 
+     * @throws Exception 
+     *
+     */
+    final String deletePwPolicy( User user ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, OPENLDAP_POLICY_SUBENTRY ) );
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, user );
+        }
+        catch ( LdapException e )
+        {
+            String warning = "deletePwPolicy userId [" + user.getUserId() + "] caught LDAPException="
+                + e.getMessage() + " msg=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_PW_PLCY_DEL_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param entry
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     */
+    private User unloadLdapEntry( Entry entry, long sequence, String contextId )
+        throws LdapInvalidAttributeValueException
+    {
+        User entity = new ObjectFactory().createUser();
+        entity.setSequenceId( sequence );
+        entity.setInternalId( getAttribute( entry, GlobalIds.FT_IID ) );
+        entity.setDescription( getAttribute( entry, GlobalIds.DESC ) );
+        entity.setUserId( getAttribute( entry, GlobalIds.UID ) );
+        entity.setCn( getAttribute( entry, GlobalIds.CN ) );
+        entity.setName( entity.getCn() );
+        entity.setSn( getAttribute( entry, SN ) );
+        entity.setOu( getAttribute( entry, GlobalIds.OU ) );
+        entity.setDn( entry.getDn().getName() );
+        entity.setTitle( getAttribute( entry, TITLE ) );
+        entity.setEmployeeType( getAttribute( entry, EMPLOYEE_TYPE ) );
+        unloadTemporal( entry, entity );
+        entity.setRoles( unloadUserRoles( entry, entity.getUserId(), contextId ) );
+        entity.setAdminRoles( unloadUserAdminRoles( entry, entity.getUserId(), contextId ) );
+        entity.setAddress( unloadAddress( entry ) );
+        entity.setPhones( getAttributes( entry, TELEPHONE_NUMBER ) );
+        entity.setMobiles( getAttributes( entry, MOBILE ) );
+        entity.setEmails( getAttributes( entry, MAIL ) );
+        String szBoolean = getAttribute( entry, SYSTEM_USER );
+        if ( szBoolean != null )
+        {
+            entity.setSystem( Boolean.valueOf( szBoolean ) );
+        }
+
+        entity.addProperties( AttrHelper.getProperties( getAttributes( entry, GlobalIds.PROPS ) ) );
+
+        if ( GlobalIds.IS_OPENLDAP )
+        {
+            szBoolean = getAttribute( entry, OPENLDAP_PW_RESET );
+            if ( szBoolean != null && szBoolean.equalsIgnoreCase( "true" ) )
+            {
+                entity.setReset( true );
+            }
+            String szPolicy = getAttribute( entry, OPENLDAP_POLICY_SUBENTRY );
+            if ( VUtil.isNotNullOrEmpty( szPolicy ) )
+            {
+                entity.setPwPolicy( getRdn( szPolicy ) );
+            }
+
+            szBoolean = getAttribute( entry, OPENLDAP_PW_LOCKED_TIME );
+
+            if ( szBoolean != null && szBoolean.equals( LOCK_VALUE ) )
+            {
+                entity.setLocked( true );
+            }
+        }
+
+        entity.setJpegPhoto( getPhoto( entry, JPEGPHOTO ) );
+
+        return entity;
+    }
+
+
+    /**
+     * @param userId
+     * @return
+     * @throws FinderException
+     */
+    private List<UserRole> getUserRoles( String userId, String contextId )
+        throws FinderException
+    {
+        List<UserRole> roles = null;
+        LdapConnection ld = null;
+        String userDn = getDn( userId, contextId );
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, userDn, ROLE_ATR );
+            roles = unloadUserRoles( findEntry, userId, contextId );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getUserRoles COULD NOT FIND ENTRY for user [" + userId + "]";
+            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getUserRoles [" + userDn + "]= caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roles;
+    }
+
+
+    /**
+     * @param ld
+     * @param pwMsg
+     */
+    private void checkPwPolicies( LdapConnection ld, PwMessage pwMsg )
+    {
+        int rc = 0;
+        boolean success = false;
+        String msgHdr = "checkPwPolicies for userId [" + pwMsg.getUserId() + "] ";
+
+        if ( ld != null )
+        {
+            if ( !GlobalIds.IS_OPENLDAP )
+            {
+                String msg = msgHdr + "OPENLDAP PW POLICY NOT ENABLED";
+                pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.NOT_OLPW_POLICY_ENABLED, msg, Warning.Type.PASSWORD ) );
+                pwMsg.setErrorId( GlobalPwMsgIds.GOOD );
+                LOG.debug( msg );
+                return;
+            }
+            // todo: fixme, removed with unbound:
+/*
+            else if ( pwControl != null )
+            {
+                // ------------> pwControl.checkPasswordPolicy( ld, success, pwMsg );
+            }
+*/
+
+            // OpenLDAP has notified of password violation:
+            if ( pwMsg.getErrorId() > 0 )
+            {
+                String errMsg;
+
+                switch ( pwMsg.getErrorId() )
+                {
+
+                    case GlobalPwMsgIds.CHANGE_AFTER_RESET:
+                        // Don't throw exception if authenticating in J2EE Realm - The Web application must give user a chance to modify their password.
+                        if ( !GlobalIds.IS_REALM )
+                        {
+                            errMsg = msgHdr + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID";
+                            rc = GlobalErrIds.USER_PW_RESET;
+                        }
+                        else
+                        {
+                            errMsg = msgHdr
+                                + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID BUT ALLOWING TO CONTINUE DUE TO REALM";
+                            success = true;
+                            pwMsg.setWarning( new ObjectFactory().createWarning( GlobalErrIds.USER_PW_RESET, errMsg, Warning.Type.PASSWORD ) );
+                        }
+
+                        break;
+
+                    case GlobalPwMsgIds.ACCOUNT_LOCKED:
+                        errMsg = msgHdr + "ACCOUNT HAS BEEN LOCKED";
+                        rc = GlobalErrIds.USER_PW_LOCKED;
+                        break;
+
+                    case GlobalPwMsgIds.PASSWORD_HAS_EXPIRED:
+                        errMsg = msgHdr + "PASSWORD HAS EXPIRED";
+                        rc = GlobalErrIds.USER_PW_EXPIRED;
+                        break;
+
+                    case GlobalPwMsgIds.NO_MODIFICATIONS:
+                        errMsg = msgHdr + "PASSWORD MOD NOT ALLOWED";
+                        rc = GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
+                        break;
+
+                    case GlobalPwMsgIds.MUST_SUPPLY_OLD:
+                        errMsg = msgHdr + "MUST SUPPLY OLD PASSWORD";
+                        rc = GlobalErrIds.USER_PW_MUST_SUPPLY_OLD;
+                        break;
+
+                    case GlobalPwMsgIds.INSUFFICIENT_QUALITY:
+                        errMsg = msgHdr + "PASSWORD QUALITY VIOLATION";
+                        rc = GlobalErrIds.USER_PW_NSF_QUALITY;
+                        break;
+
+                    case GlobalPwMsgIds.PASSWORD_TOO_SHORT:
+                        errMsg = msgHdr + "PASSWORD TOO SHORT";
+                        rc = GlobalErrIds.USER_PW_TOO_SHORT;
+                        break;
+
+                    case GlobalPwMsgIds.PASSWORD_TOO_YOUNG:
+                        errMsg = msgHdr + "PASSWORD TOO YOUNG";
+                        rc = GlobalErrIds.USER_PW_TOO_YOUNG;
+                        break;
+
+                    case GlobalPwMsgIds.HISTORY_VIOLATION:
+                        errMsg = msgHdr + "PASSWORD IN HISTORY VIOLATION";
+                        rc = GlobalErrIds.USER_PW_IN_HISTORY;
+                        break;
+
+                    default:
+                        errMsg = msgHdr + "PASSWORD CHECK FAILED";
+                        rc = GlobalErrIds.USER_PW_CHK_FAILED;
+                        break;
+                }
+
+                pwMsg.setMsg( errMsg );
+                pwMsg.setErrorId( rc );
+                pwMsg.setAuthenticated( success );
+                LOG.debug( errMsg );
+            }
+            else
+            {
+                // Checked out good:
+                String msg = msgHdr + "PASSWORD CHECK SUCCESS";
+                pwMsg.setMsg( msg );
+                pwMsg.setErrorId( 0 );
+                pwMsg.setAuthenticated( true );
+                LOG.debug( msg );
+            }
+        }
+    }
+
+
+    /**
+     * Given a collection of ARBAC roles, {@link UserAdminRole}, convert to raw data format and load into ldap attribute set in preparation for ldap add.
+     *
+     * @param list  contains List of type {@link UserAdminRole} targeted for adding to ldap.
+     * @param entry collection of ldap attributes containing ARBAC role assignments in raw ldap format.
+     * @throws LdapException 
+     */
+    private void loadUserAdminRoles( List<UserAdminRole> list, Entry entry ) throws LdapException
+    {
+        if ( list != null )
+        {
+            Attribute userAdminRoleData = new DefaultAttribute( GlobalIds.USER_ADMINROLE_DATA );
+            Attribute userAdminRoleAssign = new DefaultAttribute( GlobalIds.USER_ADMINROLE_ASSIGN );
+
+            for ( UserAdminRole userRole : list )
+            {
+                userAdminRoleData.add( userRole.getRawData() );
+                userAdminRoleAssign.add( userRole.getName() );
+            }
+
+            if ( userAdminRoleData.size() != 0 )
+            {
+                entry.add( userAdminRoleData );
+                entry.add( userAdminRoleAssign );
+            }
+        }
+    }
+
+
+    /**
+     * Given a collection of RBAC roles, {@link UserRole}, convert to raw data format and load into ldap modification set in preparation for ldap modify.
+     *
+     * @param list contains List of type {@link UserRole} targeted for updating into ldap.
+     * @param mods contains ldap modification set containing RBAC role assignments in raw ldap format to be updated.
+     * @throws LdapInvalidAttributeValueException 
+     */
+    private void loadUserRoles( List<UserRole> list, List<Modification> mods )
+        throws LdapInvalidAttributeValueException
+    {
+        Attribute userRoleData = new DefaultAttribute( GlobalIds.USER_ROLE_DATA );
+        Attribute userRoleAssign = new DefaultAttribute( GlobalIds.USER_ROLE_ASSIGN );
+
+        if ( list != null )
+        {
+            for ( UserRole userRole : list )
+            {
+                userRoleData.add( userRole.getRawData() );
+                userRoleAssign.add( userRole.getName() );
+            }
+
+            if ( userRoleData.size() != 0 )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, userRoleData ) );
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, userRoleAssign ) );
+            }
+        }
+    }
+
+
+    /**
+     * Given a collection of ARBAC roles, {@link UserAdminRole}, convert to raw data format and load into ldap modification set in preparation for ldap modify.
+     *
+     * @param list contains List of type {@link UserAdminRole} targeted for updating to ldap.
+     * @param mods contains ldap modification set containing ARBAC role assignments in raw ldap format to be updated.
+     * @throws LdapInvalidAttributeValueException 
+     */
+    private void loadUserAdminRoles( List<UserAdminRole> list, List<Modification> mods )
+        throws LdapInvalidAttributeValueException
+    {
+        Attribute userAdminRoleData = new DefaultAttribute( GlobalIds.USER_ADMINROLE_DATA );
+        Attribute userAdminRoleAssign = new DefaultAttribute( GlobalIds.USER_ADMINROLE_ASSIGN );
+
+        if ( list != null )
+        {
+            boolean nameSeen = false;
+
+            for ( UserAdminRole userRole : list )
+            {
+                userAdminRoleData.add( userRole.getRawData() );
+
+                if ( !nameSeen )
+                {
+                    userAdminRoleAssign.add( userRole.getName() );
+                    nameSeen = true;
+                }
+            }
+
+            if ( userAdminRoleData.size() != 0 )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, userAdminRoleData ) );
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, userAdminRoleAssign ) );
+            }
+        }
+    }
+
+
+    /**
+     * Given a collection of RBAC roles, {@link UserRole}, convert to raw data format and load into ldap attribute set in preparation for ldap add.
+     *
+     * @param list  contains List of type {@link UserRole} targeted for adding to ldap.
+     * @param entry ldap entry containing attributes mapping to RBAC role assignments in raw ldap format.
+     * @throws LdapException 
+     */
+    private void loadUserRoles( List<UserRole> list, Entry entry ) throws LdapException
+    {
+        if ( list != null )
+        {
+            Attribute userRoleData = new DefaultAttribute( GlobalIds.USER_ROLE_DATA );
+            Attribute userRoleAssign = new DefaultAttribute( GlobalIds.USER_ROLE_ASSIGN );
+
+            for ( UserRole userRole : list )
+            {
+                userRoleData.add( userRole.getRawData() );
+                userRoleAssign.add( userRole.getName() );
+            }
+
+            if ( userRoleData.size() != 0 )
+            {
+                entry.add( userRoleData, userRoleAssign );
+            }
+        }
+    }
+
+
+    /**
+     * Given a User address, {@link Address}, load into ldap attribute set in preparation for ldap add.
+     *
+     * @param address  contains User address {@link Address} targeted for adding to ldap.
+     * @param entry collection of ldap attributes containing RBAC role assignments in raw ldap format.
+     */
+    private void loadAddress( Address address, Entry entry ) throws LdapException
+    {
+        if ( address != null )
+        {
+            if ( VUtil.isNotNullOrEmpty( address.getAddresses() ) )
+            {
+                for ( String val : address.getAddresses() )
+                {
+                    entry.add( POSTAL_ADDRESS, val );
+                }
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getCity() ) )
+            {
+                entry.add( L, address.getCity() );
+            }
+
+            //if(VUtil.isNotNullOrEmpty(address.getCountry()))
+            //{
+            //    attrs.add(GlobalIds.COUNTRY, address.getAddress1());
+            //}
+
+            if ( VUtil.isNotNullOrEmpty( address.getPostalCode() ) )
+            {
+                entry.add( POSTAL_CODE, address.getPostalCode() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getPostOfficeBox() ) )
+            {
+                entry.add( POST_OFFICE_BOX, address.getPostOfficeBox() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getState() ) )
+            {
+                entry.add( STATE, address.getState() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getBuilding() ) )
+            {
+                entry.add( PHYSICAL_DELIVERY_OFFICE_NAME, address.getBuilding() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getDepartmentNumber() ) )
+            {
+                entry.add( DEPARTMENT_NUMBER, address.getDepartmentNumber() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getRoomNumber() ) )
+            {
+                entry.add( ROOM_NUMBER, address.getRoomNumber() );
+            }
+        }
+    }
+
+
+    /**
+     * Given an address, {@link Address}, load into ldap modification set in preparation for ldap modify.
+     *
+     * @param address contains entity of type {@link Address} targeted for updating into ldap.
+     * @param mods contains ldap modification set contains attributes to be updated in ldap.
+     */
+    private void loadAddress( Address address, List<Modification> mods )
+    {
+        if ( address != null )
+        {
+            if ( VUtil.isNotNullOrEmpty( address.getAddresses() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, POSTAL_ADDRESS ) );
+
+                for ( String val : address.getAddresses() )
+                {
+                    mods.add( new DefaultModification(
+                        ModificationOperation.ADD_ATTRIBUTE, POSTAL_ADDRESS, val ) );
+                }
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getCity() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, L, address.getCity() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getPostalCode() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, POSTAL_CODE, address.getPostalCode() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getPostOfficeBox() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, POST_OFFICE_BOX, address.getPostOfficeBox() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getState() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, STATE, address.getState() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getBuilding() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, PHYSICAL_DELIVERY_OFFICE_NAME, address.getBuilding() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getDepartmentNumber() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, DEPARTMENT_NUMBER, address.getDepartmentNumber() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getRoomNumber() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, ROOM_NUMBER, address.getRoomNumber() ) );
+            }
+        }
+    }
+
+
+    /**
+     * Given an ldap entry containing organzationalPerson address information, convert to {@link Address}
+     *
+     * @param entry     contains ldap entry to retrieve admin roles from.
+     * @return entity of type {@link Address}.
+     * @throws LdapInvalidAttributeValueException 
+     * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
+     */
+    private Address unloadAddress( Entry entry ) throws LdapInvalidAttributeValueException
+    {
+        Address addr = new ObjectFactory().createAddress();
+        List<String> pAddrs = getAttributes( entry, POSTAL_ADDRESS );
+
+        if ( pAddrs != null )
+        {
+            for ( String pAddr : pAddrs )
+            {
+                addr.setAddress( pAddr );
+            }
+        }
+
+        addr.setCity( getAttribute( entry, L ) );
+        addr.setState( getAttribute( entry, STATE ) );
+        addr.setPostalCode( getAttribute( entry, POSTAL_CODE ) );
+        addr.setPostOfficeBox( getAttribute( entry, POST_OFFICE_BOX ) );
+        addr.setBuilding( getAttribute( entry, PHYSICAL_DELIVERY_OFFICE_NAME ) );
+        addr.setDepartmentNumber( getAttribute( entry, DEPARTMENT_NUMBER ) );
+        addr.setRoomNumber( getAttribute( entry, ROOM_NUMBER ) );
+        // todo: add support for country attribute
+        //addr.setCountry(getAttribute(le, GlobalIds.COUNTRY));
+
+        return addr;
+    }
+
+
+    /**
+     * Given an ldap entry containing ARBAC roles assigned to user, retrieve the raw data and convert to a collection of {@link UserAdminRole}
+     * including {@link org.apache.directory.fortress.core.util.time.Constraint}.
+     *
+     * @param entry     contains ldap entry to retrieve admin roles from.
+     * @param userId attribute maps to {@link UserAdminRole#userId}.
+     * @param contextId
+     * @return List of type {@link UserAdminRole} containing admin roles assigned to a particular user.
+     * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
+     */
+    private List<UserAdminRole> unloadUserAdminRoles( Entry entry, String userId, String contextId )
+    {
+        List<UserAdminRole> uRoles = null;
+        List<String> roles = getAttributes( entry, GlobalIds.USER_ADMINROLE_DATA );
+
+        if ( roles != null )
+        {
+            long sequence = 0;
+            uRoles = new ArrayList<>();
+
+            for ( String raw : roles )
+            {
+                UserAdminRole ure = new ObjectFactory().createUserAdminRole();
+                ure.load( raw, contextId );
+                ure.setSequenceId( sequence++ );
+                ure.setUserId( userId );
+                uRoles.add( ure );
+            }
+        }
+
+        return uRoles;
+    }
+
+
+    /**
+     *
+     * @param userId
+     * @param contextId
+     * @return
+     */
+    private String getDn( String userId, String contextId )
+    {
+        return GlobalIds.UID + "=" + userId + "," + getRootDn( contextId, GlobalIds.USER_ROOT );
+    }
+
+
+    /**
+    * Given an ldap entry containing RBAC roles assigned to user, retrieve the raw data and convert to a collection of {@link UserRole}
+    * including {@link org.apache.directory.fortress.core.util.time.Constraint}.
+    *
+    * @param entry     contains ldap entry to retrieve roles from.
+    * @param userId attribute maps to {@link UserRole#userId}.
+    * @param contextId
+    * @return List of type {@link UserRole} containing RBAC roles assigned to a particular user.
+    * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
+    */
+    private List<UserRole> unloadUserRoles( Entry entry, String userId, String contextId )
+    {
+        List<UserRole> uRoles = null;
+        List<String> roles = getAttributes( entry, GlobalIds.USER_ROLE_DATA );
+
+        if ( roles != null )
+        {
+            long sequence = 0;
+            uRoles = new ArrayList<>();
+
+            for ( String raw : roles )
+            {
+                UserRole ure = new ObjectFactory().createUserRole();
+                ure.load( raw, contextId );
+                ure.setUserId( userId );
+                ure.setSequenceId( sequence++ );
+                uRoles.add( ure );
+            }
+        }
+
+        return uRoles;
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/UserP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/UserP.java b/src/main/java/org/apache/directory/fortress/core/rbac/UserP.java
index 5d100b6..972a618 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/UserP.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/UserP.java
@@ -33,8 +33,6 @@ import org.apache.directory.fortress.core.ObjectFactory;
 import org.apache.directory.fortress.core.PasswordException;
 import org.apache.directory.fortress.core.SecurityException;
 import org.apache.directory.fortress.core.ValidationException;
-import org.apache.directory.fortress.core.rbac.dao.DaoFactory;
-import org.apache.directory.fortress.core.rbac.dao.UserDAO;
 import org.apache.directory.fortress.core.util.attr.AttrHelper;
 import org.apache.directory.fortress.core.util.attr.VUtil;
 import org.apache.directory.fortress.core.util.time.CUtil;
@@ -61,7 +59,7 @@ public final class UserP
 {
     //private static final boolean IS_SESSION_PROPS_ENABLED = Config.getBoolean( "user.session.props.enabled", false );
     private static final String CLS_NM = UserP.class.getName();
-    private static UserDAO uDao = DaoFactory.createUserDAO();
+    private static UserDAO uDao = new UserDAO();
     private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
     private static final PolicyP policyP = new PolicyP();
     private static final AdminRoleP admRoleP = new AdminRoleP();


Mime
View raw message