From smckin...@apache.org
Subject [18/51] [partial] Rename packages from org.openldap.fortress to org.apache.directory.fortress.core. Change default suffix to org.apache. Switch default ldap api from unbound to apache ldap.
Date Wed, 22 Oct 2014 15:44:37 GMT
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/dao/AuditDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/AuditDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/AuditDAO.java
new file mode 100644
index 0000000..2b4ab29
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/dao/AuditDAO.java
@@ -0,0 +1,193 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac.dao;
+
+
+import java.util.List;
+
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.rbac.AuthZ;
+import org.apache.directory.fortress.core.rbac.Bind;
+import org.apache.directory.fortress.core.rbac.Mod;
+import org.apache.directory.fortress.core.rbac.UserAudit;
+
+
+/**
+ * This class performs data access for OpenLDAP synch repl log data
+ * <p/>
+ * <h3>1. Binds</h3>
+ * <p/>
+ * The auditBind Structural object class is used to store authentication events that can later be queried via ldap API.<br />
+ * <code># The Bind class includes the reqVersion attribute which contains the LDAP</code>
+ * <code># protocol version specified in the Bind as well as the reqMethod attribute</code>
+ * <code># which contains the Bind Method used in the Bind. This will be the string</code>
+ * <code># SIMPLE for LDAP Simple Binds or SASL(mech) for SASL Binds. Note that unless</code>
+ * <code># configured as a global overlay, only Simple Binds using DNs that reside in</code>
+ * <code># the current database will be logged:</code>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass (  1.3.6.1.4.1.4203.666.11.5.2.6 NAME 'auditBind'</code>
+ * <li> <code>DESC 'Bind operation'</code>
+ * <li> <code>SUP auditObject STRUCTURAL</code>
+ * <li> <code>MUST ( reqVersion $ reqMethod ) )</code>
+ * <li> ------------------------------------------
+ * </ul>
+ * <h3>2. Authorizations</h3>
+ * <code>For  the  Search class the reqScope attribute contains the scope of the</code><br />
+ * <code>original search request, using the values specified for  the  LDAP  URL</code><br />
+ * <code>format. I.e.  base, one, sub, or subord.  The reqDerefAliases attribute</code><br />
+ * <code>is one of never, finding, searching, or always,  denoting  how  aliases</code><br />
+ * <code>will  be  processed during the search.  The reqAttrsOnly attribute is a</code><br />
+ * <code>Boolean value showing TRUE if only attribute names were  requested,  or</code><br />
+ * <code>FALSE  if  attributes  and  their values were requested.  The reqFilter</code><br />
+ * <code>attribute carries the filter used in the search request.   The  reqAttr</code><br />
+ * <code>attribute  lists  the  requested attributes if specific attributes were</code><br />
+ * <code>requested.  The reqEntries attribute is the integer count of  how  many</code><br />
+ * <code>entries  were  returned  by  this search request.  The reqSizeLimit and</code><br />
+ * <code>reqTimeLimit attributes indicate what  limits  were  requested  on  the</code><br />
+ * <code>search operation.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass  (  1.3.6.1.4.1.4203.666.11.5.2.11</code>
+ * <li> <code>NAME 'auditSearch'</code>
+ * <li> <code>DESC 'Search operation'</code>
+ * <li> <code>SUP auditReadObject STRUCTURAL</code>
+ * <li> <code>MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly )</code>
+ * <li> <code>MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $</code>
+ * <li> <code>reqTimeLimit ) )</code>
+ * <li> ------------------------------------------
+ * </ul>
+ * <p/>
+ * <p/>
+ * <h3>3. Modifications</h3>
+ * The auditModify Structural object class is used to store Fortress update and delete events that can later be queried via ldap API.<br />
+ * The deletions can be recorded in this manner and associated with Fortress context because deletions will perform a modification first
+ * if audit is enabled.
+ * <p/>
+ * <code>The Modify operation contains a description  of  modifications  in  the</code><br />
+ * <code>reqMod  attribute,  which  was  already  described  above  in  the  Add</code><br />
+ * <code>operation. It may optionally  contain  the  previous  contents  of  any</code><br />
+ * <code>modified  attributes  in the reqOld attribute, using the same format as</code><br />
+ * <code>described above for the Delete operation.  The reqOld attribute is only</code><br />
+ * <code>populated  if  the  entry  being modified matches the configured logold</code><br />
+ * <code>filter.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass (  1.3.6.1.4.1.4203.666.11.5.2.9</code>
+ * <li> <code>NAME 'auditModify'</code>
+ * <li> <code>DESC 'Modify operation'</code>
+ * <li> <code>SUP auditWriteObject STRUCTURAL</code>
+ * <li> <code>MAY reqOld MUST reqMod )</code>
+ * <li> ------------------------------------------
+ * </ul>
+ * <p/>
+ * Note this class used descriptions pulled from man pages on slapd access log.
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ */
+public interface AuditDAO
+{
+    /**
+     * This method returns failed authentications where the userid is not present in the directory.  This
+     * is possible because Fortress performs read on user before the bind.
+     * User:
+     * dn: reqStart=20101014235402.000000Z, cn=log
+     * reqStart: 20101014235402.000000Z
+     * reqEnd: 20101014235402.000001Z
+     * reqAuthzID: cn=Manager,dc=jts,dc=com
+     * reqDerefAliases: never
+     * reqSession: 84
+     * reqAttrsOnly: FALSE
+     * reqSizeLimit: -1
+     * objectClass: auditSearch
+     * reqResult: 32
+     * reqAttr: ftId
+     * reqAttr: uid
+     * reqAttr: userpassword
+     * reqAttr: description
+     * reqAttr: ou
+     * reqAttr: cn
+     * reqAttr: sn
+     * reqAttr: ftRoleCstr
+     * reqAttr: ftCstr
+     * reqAttr: ftRoleAsgn
+     * reqAttr: pwdReset
+     * reqAttr: pwdAccountLockedTime
+     * reqAttr: ftProps
+     * reqEntries: 0
+     * reqFilter: (|(objectClass=*)(?objectClass=ldapSubentry))
+     * reqType: search
+     * reqDN: uid=foo,ou=People,dc=jts,dc=com        /cal/cal2.jsp
+     * reqTimeLimit: -1
+     * reqScope: base
+     *
+     * @param audit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<AuthZ> searchInvalidAuthNs( UserAudit audit ) throws FinderException;
+
+
+    /**
+     * @param audit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<AuthZ> searchAuthZs( UserAudit audit ) throws FinderException;
+
+
+    /**
+     * @param audit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<AuthZ> getAllAuthZs( UserAudit audit ) throws FinderException;
+
+
+    /**
+     * @param audit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<Bind> searchBinds( UserAudit audit ) throws FinderException;
+
+
+    /**
+     * @param audit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<Mod> searchUserMods( UserAudit audit ) throws FinderException;
+
+
+    /**
+     * @param audit
+     * @return
+     * @throws FinderException
+     */
+    List<Mod> searchAdminMods( UserAudit audit ) throws FinderException;
+}
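Review bot: The six query methods (searchInvalidAuthNs through searchAdminMods) carry empty `@param audit` / `@return` tags and no summary sentence, so the method name is the only description of what each returns; each needs a one-liner such as `Return the access-log bind records matching the user and time criteria carried in {@code audit}.` for searchBinds, with FinderException documented as the directory-error path. `This class is thread safe.` is not something an interface can promise on its own — phrase it as a requirement on implementations (`Implementations must be thread safe.`) or drop it. The example record under searchInvalidAuthNs ends its reqDN line with a stray `/cal/cal2.jsp`, which reads as a paste artifact and should be removed. Since every method turns caller-supplied UserAudit fields into an access-log search, the interface is the right place to state that implementations must escape those values when building the LDAP filter; whether the implementations do so is outside this hunk.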

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/dao/DAOType.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/DAOType.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/DAOType.java
new file mode 100644
index 0000000..cb98431
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/dao/DAOType.java
@@ -0,0 +1,27 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac.dao;
+
+
+public enum DAOType
+{
+    APACHE_LDAP_API,
+    UNBOUNDID_API;
+}
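Review bot: The enum has no Javadoc, so a reader has to open DaoFactory to learn that these constants select the LDAP client library a DAO implementation is built on. A header such as `/** LDAP client library backing a DAO implementation; chosen by DaoFactory from the GlobalIds.DAO_CONNECTOR property. */` would make the type self-describing. The trailing `;` after `UNBOUNDID_API` is unnecessary because the enum declares no members after its constants.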

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/dao/DaoFactory.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/DaoFactory.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/DaoFactory.java
new file mode 100644
index 0000000..7f9f535
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/dao/DaoFactory.java
@@ -0,0 +1,272 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac.dao;
+
+
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.cfg.Config;
+
+
+/**
+ * A factory that creates DAO for either the UnboundID or the Apache Ldap API lib
+ * @author elecharny
+ */
+public class DaoFactory
+{
+
+    /**
+     * Create an instance of a AdminRoleDAO which depends of the used Backend
+     * 
+     * @return The created instance
+     */
+    public static AdminRoleDAO createAdminRoleDAO()
+    {
+        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
+
+        DAOType daoType = DAOType.UNBOUNDID_API;
+
+        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
+        {
+            daoType = DAOType.APACHE_LDAP_API;
+        }
+
+        switch ( daoType )
+        {
+            case UNBOUNDID_API:
+                return new org.apache.directory.fortress.core.rbac.dao.unboundid.AdminRoleDAO();
+
+            case APACHE_LDAP_API:
+                return new org.apache.directory.fortress.core.rbac.dao.apache.AdminRoleDAO();
+
+            default:
+                return null;
+        }
+    }
+
+
+    /**
+     * Create an instance of a AuditDAO which depends of the used Backend
+     * 
+     * @return The created instance
+     */
+    public static AuditDAO createAuditDAO()
+    {
+        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
+
+        DAOType daoType = DAOType.UNBOUNDID_API;
+
+        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
+        {
+            daoType = DAOType.APACHE_LDAP_API;
+        }
+
+        switch ( daoType )
+        {
+            case UNBOUNDID_API:
+                return new org.apache.directory.fortress.core.rbac.dao.unboundid.AuditDAO();
+
+            case APACHE_LDAP_API:
+                return new org.apache.directory.fortress.core.rbac.dao.apache.AuditDAO();
+
+            default:
+                return null;
+        }
+    }
+
+
+    /**
+     * Create an instance of a OrgUnitDAO which depends of the used Backend
+     * 
+     * @return The created instance
+     */
+    public static OrgUnitDAO createOrgUnitDAO()
+    {
+        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
+
+        DAOType daoType = DAOType.UNBOUNDID_API;
+
+        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
+        {
+            daoType = DAOType.APACHE_LDAP_API;
+        }
+
+        switch ( daoType )
+        {
+            case UNBOUNDID_API:
+                return new org.apache.directory.fortress.core.rbac.dao.unboundid.OrgUnitDAO();
+
+            case APACHE_LDAP_API:
+                return new org.apache.directory.fortress.core.rbac.dao.apache.OrgUnitDAO();
+
+            default:
+                return null;
+        }
+    }
+
+
+    /**
+     * Create an instance of a PermDAO which depends of the used Backend
+     * 
+     * @return The created instance
+     */
+    public static PermDAO createPermDAO()
+    {
+        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
+
+        DAOType daoType = DAOType.UNBOUNDID_API;
+
+        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
+        {
+            daoType = DAOType.APACHE_LDAP_API;
+        }
+
+        switch ( daoType )
+        {
+            case UNBOUNDID_API:
+                return new org.apache.directory.fortress.core.rbac.dao.unboundid.PermDAO();
+
+            case APACHE_LDAP_API:
+                return new org.apache.directory.fortress.core.rbac.dao.apache.PermDAO();
+
+            default:
+                return null;
+        }
+    }
+
+
+    /**
+     * Create an instance of a PolicyDAO which depends of the used Backend
+     * 
+     * @return The created instance
+     */
+    public static PolicyDAO createPolicyDAO()
+    {
+        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
+
+        DAOType daoType = DAOType.UNBOUNDID_API;
+
+        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
+        {
+            daoType = DAOType.APACHE_LDAP_API;
+        }
+
+        switch ( daoType )
+        {
+            case UNBOUNDID_API:
+                return new org.apache.directory.fortress.core.rbac.dao.unboundid.PolicyDAO();
+
+            case APACHE_LDAP_API:
+                return new org.apache.directory.fortress.core.rbac.dao.apache.PolicyDAO();
+
+            default:
+                return null;
+        }
+    }
+
+
+    /**
+     * Create an instance of a RoleDAO which depends of the used Backend
+     * 
+     * @return The created instance
+     */
+    public static RoleDAO createRoleDAO()
+    {
+        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
+
+        DAOType daoType = DAOType.UNBOUNDID_API;
+
+        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
+        {
+            daoType = DAOType.APACHE_LDAP_API;
+        }
+
+        switch ( daoType )
+        {
+            case UNBOUNDID_API:
+                return new org.apache.directory.fortress.core.rbac.dao.unboundid.RoleDAO();
+
+            case APACHE_LDAP_API:
+                return new org.apache.directory.fortress.core.rbac.dao.apache.RoleDAO();
+
+            default:
+                return null;
+        }
+    }
+
+
+    /**
+     * Create an instance of a SdDAO which depends of the used Backend
+     * 
+     * @return The created instance
+     */
+    public static SdDAO createSdDAO()
+    {
+        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
+
+        DAOType daoType = DAOType.UNBOUNDID_API;
+
+        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
+        {
+            daoType = DAOType.APACHE_LDAP_API;
+        }
+
+        switch ( daoType )
+        {
+            case UNBOUNDID_API:
+                return new org.apache.directory.fortress.core.rbac.dao.unboundid.SdDAO();
+
+            case APACHE_LDAP_API:
+                return new org.apache.directory.fortress.core.rbac.dao.apache.SdDAO();
+
+            default:
+                return null;
+        }
+    }
+
+
+    /**
+     * Create an instance of a UserDAO which depends of the used Backend
+     * 
+     * @return The created instance
+     */
+    public static UserDAO createUserDAO()
+    {
+        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
+
+        DAOType daoType = DAOType.UNBOUNDID_API;
+
+        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
+        {
+            daoType = DAOType.APACHE_LDAP_API;
+        }
+
+        switch ( daoType )
+        {
+            case UNBOUNDID_API:
+                return new org.apache.directory.fortress.core.rbac.dao.unboundid.UserDAO();
+
+            case APACHE_LDAP_API:
+                return new org.apache.directory.fortress.core.rbac.dao.apache.UserDAO();
+
+            default:
+                return null;
+        }
+    }
+}
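Review bot: The lookup of GlobalIds.DAO_CONNECTOR at the top of each create*DAO() treats any non-null value other than GlobalIds.APACHE_LDAP_API — including a typo — as UnboundID, so a misconfigured connector name silently swaps the LDAP client stack that all RBAC data is read through instead of failing at startup. The commit subject says the default moved from UnboundID to the Apache LDAP API, yet the in-code fallback for an unset property is still DAOType.UNBOUNDID_API; if the switch lives in a properties file that is fine, but a comment saying so would stop the next reader from "fixing" it. The `default: return null` branches hand callers a null DAO for any unhandled enum value, which only surfaces later as a NullPointerException. I would hoist the selection into one private helper that every factory method switches on, and make the unreachable default throw, as sketched below; rejecting unrecognized non-null values there is worth doing if GlobalIds also names the UnboundID connector.
```java
// … unchanged: imports, class header …

/** Reads GlobalIds.DAO_CONNECTOR once and maps it to a backend; shared by every create*DAO() below. */
private static DAOType resolveDaoType()
{
    String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );

    if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
    {
        return DAOType.APACHE_LDAP_API;
    }

    // NOTE(review): both an unset and an unrecognized value land here; consider rejecting the latter.
    return DAOType.UNBOUNDID_API;
}

public static AuditDAO createAuditDAO()
{
    switch ( resolveDaoType() )
    {
        case UNBOUNDID_API:
            return new org.apache.directory.fortress.core.rbac.dao.unboundid.AuditDAO();

        case APACHE_LDAP_API:
            return new org.apache.directory.fortress.core.rbac.dao.apache.AuditDAO();

        default:
            throw new IllegalStateException( "Unsupported DAO type for " + GlobalIds.DAO_CONNECTOR );
    }
}

// … unchanged: the other create*DAO() methods, rewritten the same way …
```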

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/dao/OrgUnitDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/OrgUnitDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/OrgUnitDAO.java
new file mode 100644
index 0000000..d7dba4d
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/dao/OrgUnitDAO.java
@@ -0,0 +1,152 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac.dao;
+
+
+import java.util.List;
+import java.util.Set;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.rbac.Graphable;
+import org.apache.directory.fortress.core.rbac.OrgUnit;
+
+
+/**
+ * This class provides dataaccess to the OrgUnit datasets in LDAP.
+ * <p/>
+ * The OrgUnitDAO maintains the following structural and aux object classes:
+ * <h4>1. organizationalUnit Structural Object Class is used to store basic attributes like ou and description</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 2.5.6.5 NAME 'organizationalUnit'</code>
+ * <li> <code>DESC 'RFC2256: an organizational unit'</code>
+ * <li> <code>SUP top STRUCTURAL</code>
+ * <li> <code>MUST ou</code>
+ * <li> <code>MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $</code>
+ * <li> <code>x121Address $ registeredAddress $ destinationIndicator $</code>
+ * <li> <code>preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $</code>
+ * <li> <code>telephoneNumber $ internationaliSDNNumber $</code>
+ * <li> <code>facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $</code>
+ * <li> <code>postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. ftOrgUnit Structural objectclass is used to store the OrgUnit internal id</h4>
+ * <ul>                                                              org.apache.directory.fortress.arbac.
+ * <li>  ------------------------------------------
+ * <li> <code> objectclass  ( 1.3.6.1.4.1.38088.2.6</code>
+ * <li> <code>NAME 'ftOrgUnit'</code>
+ * <li> <code>DESC 'Fortress OrgUnit Class'</code>
+ * <li> <code>SUP organizationalunit</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Emmanuel Lecharny
+ */
+public interface OrgUnitDAO
+{
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.CreateException
+     *
+     */
+    OrgUnit create( OrgUnit entity ) throws CreateException;
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    OrgUnit update( OrgUnit entity ) throws UpdateException;
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    void deleteParent( OrgUnit entity ) throws UpdateException;
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.RemoveException
+     *
+     */
+    OrgUnit remove( OrgUnit entity ) throws RemoveException;
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws FinderException
+     *
+     */
+    OrgUnit findByKey( OrgUnit entity ) throws FinderException;
+
+
+    /**
+     * @param orgUnit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<OrgUnit> findOrgs( OrgUnit orgUnit ) throws FinderException;
+
+
+    /**
+     *
+     * @param orgUnit
+     * @return
+     * @throws FinderException
+     */
+    Set<String> getOrgs( OrgUnit orgUnit ) throws FinderException;
+
+
+    /**
+      *
+      * @param orgUnit
+      * @return
+      * @throws FinderException
+      */
+    List<Graphable> getAllDescendants( OrgUnit orgUnit ) throws FinderException;
+}
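Review bot: The `<ul>` line opening the ftOrgUnit section carries a stray `org.apache.directory.fortress.arbac.` fragment after the tag, a leftover from the package rename that should be deleted. `This class is thread safe.` is a claim an interface cannot make; rephrase it as `Implementations must be thread safe.` Every method Javadoc has empty `@param`/`@return` tags and no summary sentence — deleteParent most needs one, since its name does not say which parent link is removed; something like `Remove the parent relationship recorded on {@code entity}; which attribute is modified is up to the implementation.` Because findByKey, findOrgs and getOrgs build directory searches from caller-supplied OrgUnit fields, the interface should state that implementations must escape those values when forming DNs and filters.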

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/dao/PermDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/PermDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/PermDAO.java
new file mode 100644
index 0000000..d526e8c
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/dao/PermDAO.java
@@ -0,0 +1,317 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac.dao;
+
+
+import java.util.List;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.rbac.OrgUnit;
+import org.apache.directory.fortress.core.rbac.PermObj;
+import org.apache.directory.fortress.core.rbac.Permission;
+import org.apache.directory.fortress.core.rbac.Role;
+import org.apache.directory.fortress.core.rbac.Session;
+import org.apache.directory.fortress.core.rbac.User;
+
+
+/**
+ * Permission data access class for LDAP.
+ * <p/>
+ * This DAO class maintains the PermObj and Permission entities.
+ * <h3>The Fortress PermObj Entity Class is a composite of 3 LDAP Schema object classes</h2>
+ * <h4>PermObj Base - ftObject STRUCTURAL Object Class is used to store object name, id and type variables on target entity.</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass   ( 1.3.6.1.4.1.38088.2.2</code>
+ * <li> <code>NAME 'ftObject'</code>
+ * <li> <code>DESC 'Fortress Permission Object Class'</code>
+ * <li> <code>SUP organizationalunit</code>                                              GlobalIds
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST (</code>
+ * <li> <code>ftId $ ftObjNm ) </code>
+ * <li> <code>MAY ( ftType ) )  </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>PermObj - ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity.</h4>
+ * <code>This aux object class can be used to store custom attributes.</code><br />
+ * <code>The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>PermObj - ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h3>The Fortress Permission Entity Class is composite of 3 LDAP Schema object classes</h3>
+ * The Permission entity extends a single OpenLDAP standard structural object class, 'organizationalRole' with
+ * one extension structural class, ftOperation,  and two auxiliary object classes, ftProperties, ftMods.
+ * The following 4 LDAP object classes will be mapped into this entity:
+ * <h4>Permission Base - 'ftOperation' STRUCTURAL Object Class is assigned roles and/or users which grants permissions which can be later checked</h4>
+ * using either 'checkAccess' or 'sessionPermissions APIs both methods that reside in the 'AccessMgrImpl' class.
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass   ( 1.3.6.1.4.1.38088.2.3</code>
+ * <li> <code>NAME 'ftOperation'</code>
+ * <li> <code>DESC 'Fortress Permission Operation Object Class'</code>
+ * <li> <code>SUP organizationalrole</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId $ ftPermName $</code>
+ * <li> <code>ftObjNm $ ftOpNm )</code>
+ * <li> <code>MAY ( ftRoles $ ftUsers $</code>
+ * <li> <code> ftObjId $ ftType) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>Permission Aux - ftProperties AUXILIARY Object Class is used to store optional client or otherwise custom name/value pairs on target entity.</h4>
+ * <code>This aux object class can be used to store custom attributes.</code><br />
+ * <code>The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>Permission Aux - ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * This class is thread safe.
+ * <p/>
+ *
+ * @author Emmanuel Lecharny
+ */
+public interface PermDAO
+{
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.CreateException
+     *
+     */
+    PermObj createObject( PermObj entity ) throws CreateException;
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    PermObj updateObj( PermObj entity ) throws UpdateException;
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.RemoveException
+     *
+     */
+    void deleteObj( PermObj entity ) throws RemoveException;
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.CreateException
+     *
+     */
+    Permission createOperation( Permission entity ) throws CreateException;
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    Permission updateOperation( Permission entity ) throws UpdateException;
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.RemoveException
+     *
+     */
+    void deleteOperation( Permission entity ) throws RemoveException;
+
+
+    /**
+     * @param pOp
+     * @param role
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    void grant( Permission pOp, Role role ) throws UpdateException;
+
+
+    /**
+     * @param pOp
+     * @param role
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    void revoke( Permission pOp, Role role ) throws UpdateException, FinderException;
+
+
+    /**
+     * @param pOp
+     * @param user
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    void grant( Permission pOp, User user ) throws UpdateException;
+
+
+    /**
+     * @param pOp
+     * @param user
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    void revoke( Permission pOp, User user ) throws UpdateException, FinderException;
+
+
+    /**
+     * @param permission
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    Permission getPerm( Permission permission ) throws FinderException;
+
+
+    /**
+     * @param permObj
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    PermObj getPerm( PermObj permObj ) throws FinderException;
+
+
+    /**
+     * This method performs fortress authorization using data passed in (session) and stored on ldap server (permission).  It has been recently changed to use ldap compare operations in order to trigger slapd access log updates in directory.
+     * It performs ldap operations:  read and (optionally) compare.  The first is to pull back the permission to see if user has access or not.  The second is to trigger audit
+     * record storage on ldap server but can be disabled.
+     *
+     * @param session contains {@link Session#getUserId()}, for rbac check {@link org.apache.directory.fortress.core.rbac.Session#getRoles()}, for arbac check: {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()}.
+     * @param inPerm  must contain required attributes {@link Permission#objName} and {@link Permission#opName}.  {@link Permission#objectId} is optional.
+     * @return boolean containing result of check.
+     * @throws org.apache.directory.fortress.core.FinderException
+     *          In the event system error occurs looking up data on ldap server.
+     */
+    boolean checkPermission( Session session, Permission inPerm ) throws FinderException;
+
+
+    /**
+     * @param permission
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<Permission> findPermissions( Permission permission ) throws FinderException;
+
+
+    /**
+     * @param permObj
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<PermObj> findPermissions( PermObj permObj ) throws FinderException;
+
+
+    /**
+     * @param ou
+     * @return
+     * @throws FinderException
+     */
+    List<PermObj> findPermissions( OrgUnit ou, boolean limitSize ) throws FinderException;
+
+
+    /**
+     * @param role
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<Permission> findPermissions( Role role ) throws FinderException;
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<Permission> findPermissions( User user ) throws FinderException;
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<Permission> findUserPermissions( User user ) throws FinderException;
+
+
+    /**
+     * @param session
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<Permission> findPermissions( Session session, boolean isAdmin ) throws FinderException;
+}
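Review bot: The Javadoc for both `grant( Permission pOp, Role role )` and `grant( Permission pOp, User user )` declares `@throws org.apache.directory.fortress.core.FinderException`, yet neither signature lists `FinderException`, while the two `revoke` methods declare `throws UpdateException, FinderException`; either the `@throws` lines are stale or the `grant` signatures should match `revoke`, and this has to be settled now because an implementation cannot add a checked exception to an interface method later without breaking every caller. The overloads `findPermissions( OrgUnit ou, boolean limitSize )` and `findPermissions( Session session, boolean isAdmin )` have no `@param` for their boolean at all; the `checkPermission` Javadoc already distinguishes the rbac check on `Session#getRoles()` from the arbac check on `Session#getAdminRoles()`, so if `isAdmin` selects between those (to be confirmed against the implementation) a tag such as `@param isAdmin when true, permissions are resolved from the session's admin roles rather than its RBAC roles` would make the contract explicit. The remaining empty `@param`/`@return` tags give implementers nothing and would be better removed or filled. The class Javadoc opens a heading with `<h3>` and closes it with `</h2>`, which breaks the rendered doc.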

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/dao/PolicyDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/PolicyDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/PolicyDAO.java
new file mode 100644
index 0000000..666406b
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/dao/PolicyDAO.java
@@ -0,0 +1,127 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac.dao;
+
+
+import java.util.List;
+import java.util.Set;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.rbac.PwPolicy;
+
+
+/**
+ * This DAO class maintains the OpenLDAP Password Policy entity which is a composite of the following structural and aux object classes:
+ * <h4>1. organizationalRole Structural Object Class is used to store basic attributes like cn and description</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code> objectclass ( 2.5.6.14 NAME 'device'</code>
+ * <li> <code>DESC 'RFC2256: a device'</code>
+ * <li> <code>SUP top STRUCTURAL</code>
+ * <li> <code>MUST cn</code>
+ * <li> <code>MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. pwdPolicy AUXILIARY Object Class is used to store OpenLDAP Password Policies</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1</code>
+ * <li> <code>NAME 'pwdPolicy'</code>
+ * <li> <code>SUP top</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MUST ( pwdAttribute )</code>
+ * <li> <code>MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $</code>
+ * <li> <code>pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $</code>
+ * <li> <code>pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $</code>
+ * <li> <code>pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )</code>
+ * <li> <code></code>
+ * <li> <code></code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ */
+public interface PolicyDAO
+{
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.CreateException
+     *
+     */
+    PwPolicy create( PwPolicy entity ) throws CreateException;
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    void update( PwPolicy entity ) throws UpdateException;
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.RemoveException
+     */
+    void remove( PwPolicy entity ) throws RemoveException;
+
+
+    /**
+     * @param policy
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    PwPolicy getPolicy( PwPolicy policy ) throws FinderException;
+
+
+    /**
+     * @param policy
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<PwPolicy> findPolicy( PwPolicy policy ) throws FinderException;
+
+
+    /**
+     * @return
+     * @throws FinderException
+     */
+    Set<String> getPolicies( String contextId ) throws FinderException;
+}
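Review bot: The class Javadoc's first heading says the structural object class is `organizationalRole`, but the schema excerpt directly under it is `objectclass ( 2.5.6.14 NAME 'device'` with `DESC 'RFC2256: a device'`; one of the two is wrong and the mismatch will mislead anyone checking how a policy entry is laid out in the directory. The excerpt is internally consistent with `device`, so the heading probably should read `1. device Structural Object Class is used to store basic attributes like cn and description`, to be confirmed against what the implementation actually writes. `getPolicies( String contextId )` has no `@param contextId`; since this is the only method in the interface that takes a raw string rather than a `PwPolicy`, the tag should state what the value scopes, e.g. `@param contextId identifies the context (tenant) whose policy names are returned`. The two empty `<li> <code></code>` lines in the class Javadoc look like leftovers and can be dropped.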

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/dao/RoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/RoleDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/RoleDAO.java
new file mode 100644
index 0000000..2cd573d
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/dao/RoleDAO.java
@@ -0,0 +1,177 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac.dao;
+
+
+import java.util.List;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.rbac.Graphable;
+import org.apache.directory.fortress.core.rbac.Role;
+
+
+/**
+ * This class perform data access for Fortress Role entity.
+ * <p/>
+ * The Fortress Role entity is a composite of the following other Fortress structural and aux object classes:
+ * <h4>1. ftRls Structural objectclass is used to store the Role information like name and temporal constraint attributes</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass   ( 1.3.6.1.4.1.38088.2.1</code>
+ * <li> <code>NAME 'ftRls'</code>
+ * <li> <code>DESC 'Fortress Role Object Class'</code>
+ * <li> <code>SUP organizationalrole</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId $ ftRoleName )</code>
+ * <li> <code>MAY ( description $ ftCstr ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Emmanuel Lecharny
+ */
+public interface RoleDAO
+{
+    /**
+     * @param entity
+     * @return
+     * @throws CreateException
+     */
+    Role create( Role entity ) throws CreateException;
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    Role update( Role entity ) throws UpdateException;
+
+
+    /**
+     *
+     * @param entity
+     * @throws UpdateException
+     */
+    void deleteParent( Role entity ) throws UpdateException;
+
+
+    /**
+     * @param entity
+     * @param userDn
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    Role assign( Role entity, String userDn ) throws UpdateException;
+
+
+    /**
+     * @param entity
+     * @param userDn
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    Role deassign( Role entity, String userDn ) throws UpdateException;
+
+
+    /**
+     * @param role
+     * @throws RemoveException
+     */
+    void remove( Role role ) throws RemoveException;
+
+
+    /**
+     * @param role
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    Role getRole( Role role ) throws FinderException;
+
+
+    /**
+     * @param role
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<Role> findRoles( Role role ) throws FinderException;
+
+
+    /**
+     * @param role
+     * @param limit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    List<String> findRoles( Role role, int limit ) throws FinderException;
+
+
+    /**
+     *
+     * @param userDn
+     * @param contextId
+     * @return
+     * @throws FinderException
+     */
+    List<String> findAssignedRoles( String userDn, String contextId ) throws FinderException;
+
+
+    /**
+     *
+     * @param contextId
+     * @return
+     * @throws FinderException
+     */
+    List<Graphable> getAllDescendants( String contextId ) throws FinderException;
+}
\ No newline at end of file
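Review bot: `findRoles( Role role, int limit )` returns `List<String>` whereas `findRoles( Role role )` returns `List<Role>`, and both carry an empty `@return`; an overload that changes the element type needs its Javadoc to say what the strings are (presumably role names — confirm against the implementation) and what `limit` bounds, e.g. `@return names of the matching roles, at most {@code limit} entries`. `assign( Role entity, String userDn )` and `deassign( Role entity, String userDn )` document `userDn` with an empty tag; the name suggests a full distinguished name rather than a userId, and since the implementation is the only place that can reject the wrong form, the tag should state the expected form explicitly, e.g. `@param userDn full DN of the user entry to add as an occupant of the role`. The empty `@return` on `assign`/`deassign` should likewise say whether the returned `Role` is the updated entry. The file also lacks a trailing newline.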

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/dao/SdDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/SdDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/SdDAO.java
new file mode 100644
index 0000000..53eb10f
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/dao/SdDAO.java
@@ -0,0 +1,154 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac.dao;
+
+
+import java.util.List;
+import java.util.Set;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.rbac.Role;
+import org.apache.directory.fortress.core.rbac.SDSet;
+
+
+/**
+ * This class performs persistence on the RBAC Static Separation of Duties and Dynamic Separation of Duties data sets.
+ * <p/>
+ * The Fortress SDSet entity is a composite of the following other Fortress structural and aux object classes:
+ * <h4>1. organizationalRole Structural Object Class is used to store basic attributes like cn and description</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 2.5.6.8 NAME 'organizationalRole'</code>
+ * <li> <code>DESC 'RFC2256: an organizational role'</code>
+ * <li> <code>SUP top STRUCTURAL</code>
+ * <li> <code>MUST cn</code>
+ * <li> <code>MAY ( x121Address $ registeredAddress $ destinationIndicator $</code>
+ * <li> <code>preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $</code>
+ * <li> <code>telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $</code>
+ * <li> <code>seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $</code>
+ * <li> <code>postOfficeBox $ postalCode $ postalAddress $</code>
+ * <li> <code>physicalDeliveryOfficeName $ ou $ st $ l $ description ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. The RBAC Separation of Duties</h4>
+ * <ul>
+ * <li>  ---Static Separation of Duties Set-------
+ * <li> <code>objectclass   ( 1.3.6.1.4.1.38088.2.4</code>
+ * <li> <code>NAME 'ftSSDSet'</code>
+ * <li> <code>DESC 'Fortress Role Static Separation of Duty Set Object Class'</code>
+ * <li> <code>SUP organizationalrole</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId $ ftSetName $ ftSetCardinality )</code>
+ * <li> <code>MAY ( ftRoles $ description ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * OR
+ * <h4>Dynamic Separation of Duties Set</h4>
+ * <ul>
+ * <li>
+ * <li> <code>objectclass   ( 1.3.6.1.4.1.38088.2.5</code>
+ * <li> <code>NAME 'ftDSDSet'</code>
+ * <li> <code>DESC 'Fortress Role Dynamic Separation of Duty Set Object Class'</code>
+ * <li> <code>SUP organizationalrole</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId $ ftSetName $ ftSetCardinality )</code>
+ * <li> <code>MAY ( ftRoles $ description ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+public interface SdDAO
+{
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.CreateException
+     */
+    SDSet create( SDSet entity ) throws CreateException;
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     */
+    SDSet update( SDSet entity ) throws UpdateException;
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.RemoveException
+     */
+    SDSet remove( SDSet entity ) throws RemoveException;
+
+
+    /**
+     * @param sdSet
+     * @return
+     * @throws FinderException
+     */
+    SDSet getSD( SDSet sdSet ) throws FinderException;
+
+
+    /**
+     * Given an SSD name and type, find matching object in the directory.
+     * @param sdset requires name and type.
+     * @return List of matching SDSets.
+     * @throws org.apache.directory.fortress.core.FinderException
+     */
+    List<SDSet> search( SDSet sdset ) throws FinderException;
+
+
+    /**
+     * @param role
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     */
+    List<SDSet> search( Role role, SDSet.SDType type ) throws FinderException;
+
+
+    /**
+     * @param roles
+     * @param sdSet
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     */
+    Set<SDSet> search( Set<String> roles, SDSet sdSet ) throws FinderException;
+}
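Review bot: `search( Role role, SDSet.SDType type )` has no `@param type` even though, per the class Javadoc's two object classes (`ftSSDSet` and `ftDSDSet`), that argument is what decides which kind of separation-of-duty set is searched; it is the one parameter an implementer is most likely to get wrong, so a tag such as `@param type selects whether static (SSD) or dynamic (DSD) sets are searched` belongs here. `SDSet remove( SDSet entity )` returns an `SDSet` but its Javadoc has no `@return` at all, unlike `create` and `update`; the tag should state what comes back. `search( Set<String> roles, SDSet sdSet )` should also say what the strings in `roles` are (presumably role names, as in the `ftRoles` attribute listed above — confirm) and how `sdSet` constrains the result.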

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/dao/UserDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/UserDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/UserDAO.java
new file mode 100644
index 0000000..abf4960
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/dao/UserDAO.java
@@ -0,0 +1,200 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac.dao;
+
+
+import java.util.List;
+import java.util.Set;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.rbac.AdminRole;
+import org.apache.directory.fortress.core.rbac.OrgUnit;
+import org.apache.directory.fortress.core.rbac.Role;
+import org.apache.directory.fortress.core.rbac.Session;
+import org.apache.directory.fortress.core.rbac.User;
+import org.apache.directory.fortress.core.rbac.UserAdminRole;
+import org.apache.directory.fortress.core.rbac.UserRole;
+
+
+/**
+ * Data access class for LDAP User entity.
+ * <p/>
+ * <p/>
+ * The Fortress User LDAP schema follows:
+ * <p/>
+ * <h4>1. InetOrgPerson Structural Object Class </h4>
+ * <code># The inetOrgPerson represents people who are associated with an</code><br />
+ * <code># organization in some way.  It is a structural class and is derived</code><br />
+ * <code># from the organizationalPerson which is defined in X.521 [X521].</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 2.16.840.1.113730.3.2.2</code>
+ * <li> <code>NAME 'inetOrgPerson'</code>
+ * <li> <code>DESC 'RFC2798: Internet Organizational Person'</code>
+ * <li> <code>SUP organizationalPerson</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MAY ( audio $ businessCategory $ carLicense $ departmentNumber $</code>
+ * <li> <code>displayName $ employeeNumber $ employeeType $ givenName $</code>
+ * <li> <code>homePhone $ homePostalAddress $ initials $ jpegPhoto $</code>
+ * <li> <code>labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $</code>
+ * <li> <code>roomNumber $ secretary $ uid $ userCertificate $</code>
+ * <li> <code>x500uniqueIdentifier $ preferredLanguage $</code>
+ * <li> <code>userSMIMECertificate $ userPKCS12 ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * <h4>3. ftUserAttrs is used to store user RBAC and Admin role assignment and other security attributes on User entity</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.1</code>
+ * <li> <code>NAME 'ftUserAttrs'</code>
+ * <li> <code>DESC 'Fortress User Attribute AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MUST ( ftId )</code>
+ * <li> <code>MAY ( ftRC $ ftRA $ ftARC $ ftARA $ ftCstr</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Emmanuel Lecharny
+ */
+public interface UserDAO
+{
+    List<User> findUsers( OrgUnit ou, boolean limitSize ) throws FinderException;
+
+
+    List<User> findUsers( User user ) throws FinderException;
+
+
+    List<String> findUsers( User user, int limit ) throws FinderException;
+
+
+    String assign( UserRole uRole ) throws UpdateException, FinderException;
+
+
+    /**
+     * @param uRole
+     * @return
+     * @throws UpdateException
+     *
+     * @throws FinderException
+     *
+     */
+    String assign( UserAdminRole uRole ) throws UpdateException, FinderException;
+
+
+    boolean changePassword( User entity, char[] newPassword ) throws SecurityException;
+
+
+    Session checkPassword( User user ) throws FinderException;
+
+
+    List<User> getAuthorizedUsers( Role role ) throws FinderException;
+
+
+    User update( User entity ) throws UpdateException;
+
+
+    void lock( User user ) throws UpdateException;
+
+
+    void unlock( User user ) throws UpdateException;
+
+
+    User create( User entity ) throws CreateException;
+
+
+    /**
+     * @param uRole
+     * @return
+     * @throws UpdateException
+     *
+     * @throws FinderException
+     *
+     */
+    String deassign( UserAdminRole uRole ) throws UpdateException, FinderException;
+
+
+    String deassign( UserRole uRole ) throws UpdateException, FinderException;
+
+
+    void resetUserPassword( User user ) throws UpdateException;
+
+
+    User updateProps( User entity, boolean replace ) throws UpdateException;
+
+
+    String remove( User user ) throws RemoveException;
+
+
+    String deletePwPolicy( User user ) throws UpdateException;
+
+
+    /**
+     * @param role
+     * @return
+     * @throws FinderException
+     */
+    List<User> getAssignedUsers( AdminRole role ) throws FinderException;
+
+
+    List<User> getAssignedUsers( Role role ) throws FinderException;
+
+
+    List<String> getRoles( User user ) throws FinderException;
+
+
+    User getUser( User user, boolean isRoles ) throws FinderException;
+
+
+    Set<String> getAssignedUsers( Set<String> roles, String contextId ) throws FinderException;
+
+
+    List<String> getAuthorizedUsers( Role role, int limit ) throws FinderException;
+}
\ No newline at end of file
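Review bot: The credential-handling operations of the new interface (`changePassword` at the `char[] newPassword` line, `checkPassword`, `resetUserPassword`, `lock`/`unlock`, `deletePwPolicy`) carry no Javadoc, so implementers get no contract for how the password material must be treated. I would document `changePassword` as `/** Replaces the user's password. {@code newPassword} is a char[] so the caller can clear it after the call; implementations must not retain it, keep a String copy longer than needed, or write it to logs. */`, and give `checkPassword` a sentence saying what the returned `Session` carries on failure versus success, since the signature alone does not say whether a wrong password throws or returns an unauthenticated session. The `findUsers( User user, int limit )` overload returns `List<String>` while its siblings return `List<User>`; a one-line Javadoc naming what the strings are (presumably userIds, to be confirmed against the implementation) would prevent callers from guessing. In the class comment the `ftUserAttrs` schema line `MAY ( ftRC $ ftRA $ ftARC $ ftARA $ ftCstr` is missing its closing `) )`, unlike the `ftProperties` block above it.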

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AcceleratorDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AcceleratorDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AcceleratorDAO.java
new file mode 100644
index 0000000..efaf510
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AcceleratorDAO.java
@@ -0,0 +1,379 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac.dao.apache;
+
+
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.openldap.accelerator.api.addRole.RbacAddRoleRequest;
+import org.openldap.accelerator.api.addRole.RbacAddRoleRequestImpl;
+import org.openldap.accelerator.api.addRole.RbacAddRoleResponse;
+import org.openldap.accelerator.api.checkAccess.RbacCheckAccessRequest;
+import org.openldap.accelerator.api.checkAccess.RbacCheckAccessRequestImpl;
+import org.openldap.accelerator.api.checkAccess.RbacCheckAccessResponse;
+import org.openldap.accelerator.api.createSession.RbacCreateSessionRequest;
+import org.openldap.accelerator.api.createSession.RbacCreateSessionRequestImpl;
+import org.openldap.accelerator.api.createSession.RbacCreateSessionResponse;
+import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionRequest;
+import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionRequestImpl;
+import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionResponse;
+import org.openldap.accelerator.api.dropRole.RbacDropRoleRequest;
+import org.openldap.accelerator.api.dropRole.RbacDropRoleRequestImpl;
+import org.openldap.accelerator.api.dropRole.RbacDropRoleResponse;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.ldap.client.api.LdapConnection;
+
+import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesRequest;
+import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesRequestImpl;
+import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+import org.apache.directory.fortress.core.rbac.Permission;
+import org.apache.directory.fortress.core.rbac.Session;
+import org.apache.directory.fortress.core.rbac.User;
+import org.apache.directory.fortress.core.rbac.UserRole;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+import java.util.ArrayList;
+import java.util.List;
+
+
+/**
+ * Data access class for invoking RBAC Accelerator server-side operations.  This class utilizes the openldap accelerator component for LDAPv3 extended operations.
+ * This class follows the pattern of {@link org.apache.directory.fortress.core.AccessMgr} except policy decisions are session state are made/stored on server-side and not client-side.
+ * Its methods are not intended to be invoked by outside clients that should instead use {@link org.apache.directory.fortress.core.rbac.AccelMgrImpl}.
+ *
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ */
+public final class AcceleratorDAO extends ApacheDsDataProvider implements org.apache.directory.fortress.core.rbac.dao.AcceleratorDAO
+
+{
+    private static final Logger LOG = LoggerFactory.getLogger( AcceleratorDAO.class.getName() );
+
+    /**
+     * Authenticate user and return sessionId inside {@link Session#sessionId}.
+     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#createSession(org.apache.directory.fortress.core.rbac.User, boolean)}
+     * Success will result in rbac session state, i.e. {@link org.apache.directory.fortress.core.rbac.Session}, to be stored on server-side.
+     * Result may be stored inside RBAC server-side audit record and retrieved with {@link org.apache.directory.fortress.core.AuditMgr#searchBinds(org.apache.directory.fortress.core.rbac.UserAudit)}
+     *
+     * It uses the {@link RbacCreateSessionRequest} and {@link RbacCreateSessionResponse} accelerator APIs.
+     *
+     * todo: this method does not yet, but will soon, return password policy decisions.
+     *
+     * @param user
+     * @return session contains a valid sessionId captured from accelerator createSession method.
+     *
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_CREATE_SESSION_ERR}.
+     *
+     */
+    @Override
+    public final Session createSession( User user ) throws SecurityException
+    {
+        Session session = null;
+        LdapConnection ld = null;
+        try
+        {
+            ld = getAdminConnection();
+            ld.setTimeOut( 0 );
+            // Create a new RBAC session
+            RbacCreateSessionRequest rbacCreateSessionRequest = new RbacCreateSessionRequestImpl();
+            //rbacCreateSessionRequest.setTenantId( "jts" );
+            rbacCreateSessionRequest.setTenantId( user.getContextId() );
+            rbacCreateSessionRequest.setUserIdentity( user.getUserId() );
+            rbacCreateSessionRequest.setPassword( new String(user.getPassword()) );
+            if( VUtil.isNotNullOrEmpty( user.getRoles() ))
+            {
+                for ( UserRole userRole : user.getRoles())
+                {
+                    rbacCreateSessionRequest.addRole( userRole.getName() );
+                }
+            }
+            // Send the request
+            RbacCreateSessionResponse rbacCreateSessionResponse = ( RbacCreateSessionResponse ) ld.extended(
+                rbacCreateSessionRequest );
+            LOG.debug( "createSession userId: " + user.getUserId() + ", sessionId: " +  rbacCreateSessionResponse.getSessionId() + ", resultCode: " +   rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode());
+            session = new Session( user, rbacCreateSessionResponse.getSessionId() );
+            if(rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode() == 0)
+            {
+                session.setAuthenticated(true);
+            }
+            else
+            {
+                session.setAuthenticated(false);
+                String info = "createSession UserId [" + user.getUserId() + "] failed: " + rbacCreateSessionResponse.getLdapResult() + " , resultCode: " + rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode();
+                throw new SecurityException( GlobalErrIds.USER_PW_INVLD, info );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "createSession userId [" + user.getUserId() + "] caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_CREATE_SESSION_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return session;
+    }
+
+
+    /**
+     * Perform user rbac authorization.  This function returns a Boolean value meaning whether the subject of a given session is
+     * allowed or not to perform a given operation on a given object. The function is valid if and
+     * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
+     * and the operation is a member of the OPS data set. The session's subject has the permission
+     * to perform the operation on that object if and only if that permission is assigned to (at least)
+     * one of the session's active roles. This implementation will verify the roles or userId correspond
+     * to the subject's active roles are registered in the object's access control list.
+     * It uses the {@link RbacCheckAccessRequest} and {@link RbacCheckAccessResponse} accelerator APIs.
+     *
+     * @param session This object must be instantiated by calling {@link #createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
+     * @param perm  must contain the object, {@link org.apache.directory.fortress.core.rbac.Permission#objName}, and operation, {@link org.apache.directory.fortress.core.rbac.Permission#opName}, of permission User is trying to access.
+     * @return True if user has access, false otherwise.
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_CHECK_ACCESS_ERR}.
+     */
+    @Override
+    public boolean checkAccess( Session session, Permission perm )
+        throws SecurityException
+    {
+        boolean result = false;
+        LdapConnection ld = null;
+        try
+        {
+            ld = getAdminConnection();
+            RbacCheckAccessRequest rbacCheckAccessRequest = new RbacCheckAccessRequestImpl();
+            rbacCheckAccessRequest.setSessionId( session.getSessionId() );
+            rbacCheckAccessRequest.setObject( perm.getObjName() );
+            // objectId is optional
+            if(VUtil.isNotNullOrEmpty( perm.getObjId()))
+            {
+                rbacCheckAccessRequest.setObjectId( perm.getObjId() );
+            }
+            rbacCheckAccessRequest.setOperation( perm.getOpName() );
+            // Send the request
+            RbacCheckAccessResponse rbacCheckAccessResponse = ( RbacCheckAccessResponse ) ld.extended(
+                rbacCheckAccessRequest );
+            LOG.debug( "checkAccess result: {}", rbacCheckAccessResponse.getLdapResult().getResultCode().getResultCode());
+            if(rbacCheckAccessResponse.getLdapResult().getResultCode().getResultCode() == 0)
+            {
+                result = true;
+            }
+            else
+            {
+                result = false;
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "checkAccess perm obj [" + perm.getObjName() + "], operation [" + perm.getOpName() + "] caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_CHECK_ACCESS_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return result;
+    }
+
+
+    /**
+     * Deactivate user role from rbac session
+     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#dropActiveRole(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.rbac.UserRole)}.
+     * Success will result in rbac session state to be modified inside server-side cache.
+     * It uses the {@link RbacDropRoleRequest} and {@link RbacDropRoleResponse} accelerator APIs.
+     *
+     * @param session contains a valid sessionId captured from accelerator createSession method.
+     * @param userRole both the {@link UserRole#userId} and {@link UserRole#name} fields must be set before invoking.
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_DROP_ROLE_ERR}.
+     */
+    public void dropActiveRole( Session session, UserRole userRole ) throws SecurityException
+    {
+        LdapConnection ld = null;
+        try
+        {
+            ld = getAdminConnection();
+            RbacDropRoleRequest dropRoleRequest = new RbacDropRoleRequestImpl();
+            dropRoleRequest.setSessionId( session.getSessionId() );
+            dropRoleRequest.setRole( userRole.getName() );
+            dropRoleRequest.setUserIdentity( userRole.getUserId() );
+            // Send the request
+            RbacDropRoleResponse rbacDropRoleResponse = ( RbacDropRoleResponse ) ld.extended(
+                dropRoleRequest );
+            LOG.debug( "dropActiveRole result: {}", rbacDropRoleResponse.getLdapResult().getResultCode().getResultCode());
+            if(rbacDropRoleResponse.getLdapResult().getResultCode().getResultCode() != 0)
+            {
+                String info = "dropActiveRole Role [" + userRole.getName() + "] User ["
+                    + session.getUserId() + "], not previously activated.";
+                throw new SecurityException( GlobalErrIds.URLE_NOT_ACTIVE, info );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "dropActiveRole role name [" + userRole.getName() + "] caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_DROP_ROLE_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+    /**
+     * Activate user role into rbac session
+     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#addActiveRole(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.rbac.UserRole)}.
+     * Success will result in rbac session state to be modified inside server-side cache.
+     * It uses the {@link RbacAddRoleRequest} and {@link RbacAddRoleResponse} accelerator APIs.
+     *
+     * @param session contains a valid sessionId captured from accelerator createSession method.
+     * @param userRole both the {@link UserRole#userId} and {@link UserRole#name} fields must be set before invoking.
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_ADD_ROLE_ERR}.
+     */
+    public void addActiveRole( Session session, UserRole userRole ) throws SecurityException
+    {
+        LdapConnection ld = null;
+        try
+        {
+            ld = getAdminConnection();
+            RbacAddRoleRequest addRoleRequest = new RbacAddRoleRequestImpl();
+            addRoleRequest.setSessionId( session.getSessionId() );
+            addRoleRequest.setRole( userRole.getName() );
+            addRoleRequest.setUserIdentity( userRole.getUserId() );
+            // Send the request
+            RbacAddRoleResponse rbacAddRoleResponse = ( RbacAddRoleResponse ) ld.extended(
+                addRoleRequest );
+            LOG.debug( "addActiveRole result: {}", rbacAddRoleResponse.getLdapResult().getResultCode().getResultCode());
+            if(rbacAddRoleResponse.getLdapResult().getResultCode().getResultCode() != 0)
+            {
+                String info;
+                int rc;
+                if(rbacAddRoleResponse.getLdapResult().getResultCode().getResultCode() == 20)
+                {
+                    info = "addActiveRole Role [" + userRole.getName() + "] User ["
+                        + session.getUserId() + "], already activated.";
+                    rc = GlobalErrIds.URLE_ALREADY_ACTIVE;
+                }
+                else
+                {
+                    info = "addActiveRole Role [" + userRole.getName() + "] User ["
+                        + session.getUserId() + "], not authorized for user.";
+                    rc = GlobalErrIds.URLE_ACTIVATE_FAILED;
+                }
+                throw new SecurityException( rc, info );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "addActiveRole role name [" + userRole.getName() + "] caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_ADD_ROLE_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+    /**
+     * Delete the stored session on rbac accelerator server.
+     * It uses the {@link RbacDeleteSessionRequest} and {@link RbacDeleteSessionResponse} accelerator APIs.
+     *
+     * @param session contains a valid sessionId captured from accelerator createSession method.
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_DELETE_SESSION_ERR}.
+     */
+    public void deleteSession( Session session ) throws SecurityException
+    {
+        LdapConnection ld = null;
+        try
+        {
+            ld = getAdminConnection();
+            RbacDeleteSessionRequest deleteSessionRequest = new RbacDeleteSessionRequestImpl();
+            deleteSessionRequest.setSessionId( session.getSessionId() );
+            deleteSessionRequest.setUserIdentity( session.getUserId() );
+            // Send the request
+            RbacDeleteSessionResponse deleteSessionResponse = ( RbacDeleteSessionResponse ) ld.extended(
+                deleteSessionRequest );
+            LOG.debug( "deleteSession result: {}", deleteSessionResponse.getLdapResult().getResultCode().getResultCode());
+        }
+        catch ( LdapException e )
+        {
+            String error = "deleteSession caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_DELETE_SESSION_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * SessionRoles returns a list of UserRole's activated for user on rbac server.
+     * It uses the {@link RbacSessionRolesRequest} and {@link RbacSessionRolesResponse} accelerator APIs.
+     *
+     * todo: This method does not yet, but will soon populate temporal constraints associated with entities returned.
+     *
+     * @param session contains a valid sessionId captured from accelerator createSession method.
+     * @return List of type UserRole.  May be null if user has no roles activated in session stored - server side.
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_SESSION_ROLES_ERR}.
+     */
+    public List<UserRole> sessionRoles( Session session ) throws SecurityException
+    {
+        LdapConnection ld = null;
+        List<UserRole> userRoleList = null;
+        try
+        {
+            ld = getAdminConnection();
+            RbacSessionRolesRequest sessionRolesRequest = new RbacSessionRolesRequestImpl();
+            sessionRolesRequest.setSessionId( session.getSessionId() );
+            sessionRolesRequest.setUserIdentity( session.getUserId() );
+            // Send the request
+            RbacSessionRolesResponse sessionRolesResponse = ( RbacSessionRolesResponse ) ld.extended(
+                sessionRolesRequest );
+            LOG.debug( "sessionRoles result: {}", sessionRolesResponse.getLdapResult().getResultCode().getResultCode());
+            if(VUtil.isNotNullOrEmpty( sessionRolesResponse.getRoles() ) )
+            {
+                userRoleList = new ArrayList<>(  );
+                for( String roleNm : sessionRolesResponse.getRoles() )
+                {
+                    userRoleList.add( new UserRole( session.getUserId(), roleNm ) );
+                    // todo: add temporal constraints here
+                }
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "sessionRoles caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_SESSION_ROLES_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return userRoleList;
+    }
+}
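Review bot: `createSession` writes the server-issued session identifier to the log at the `LOG.debug( "createSession userId: " ...` line; since `checkAccess` authorizes on `session.getSessionId()` alone, that identifier is effectively a bearer token and should not land in log files even at debug level, so I would reduce the line to `LOG.debug( "createSession userId: {}, resultCode: {}", user.getUserId(), rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode() );`. `deleteSession` only logs the result code and returns normally, unlike `dropActiveRole` and `addActiveRole` which test `!= 0` and throw; a caller that believes the server-side session was destroyed may leave it alive, so the non-zero branch should throw `SecurityException( GlobalErrIds.ACEL_DELETE_SESSION_ERR, ... )` with the userId in the message. `ld.setTimeOut( 0 )` is applied only in `createSession`, which removes any bound on how long an authentication attempt can hold the admin connection, and if `getAdminConnection()` hands out pooled connections the setting presumably persists for the next borrower — worth a comment explaining why, or a finite value. The literal `20` in `addActiveRole` would read better as a named constant with a comment stating which LDAP result code it is.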

