LDAP changes for AD and other configurations (#4938)

* LDAP changes for AD and other configurations * don't use '' as password - oracle treats this as null * change password to 'NULL' Co-authored-by: david blasby <[email protected]>
geonetwork · Aug 19, 2020 · 88d4f43 · 88d4f43
1 parent 5d006a1
commit 88d4f43
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 16 deletions.
diff --git a/...c/main/java/org/fao/geonet/kernel/security/ldap/AbstractLDAPUserDetailsContextMapper.java b/...c/main/java/org/fao/geonet/kernel/security/ldap/AbstractLDAPUserDetailsContextMapper.java
@@ -41,10 +41,7 @@
 
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 /**
  * Map LDAP user information to GeoNetworkUser information.
@@ -114,6 +111,16 @@ public UserDetails mapUserFromContext(DirContextOperations userCtx,
             username = username.toLowerCase();
         }
 
+        //pass DN along.
+        // NOTE: LDAPUser doesn't allow you to set DN!!!
+        if (!userInfo.containsKey("dn")) {
+            ArrayList dns = new ArrayList(Arrays.asList(
+                    userCtx.getDn().toString(),   //will not include base
+                    userCtx.getNameInNamespace() // includes base
+                ));
+            userInfo.put("dn", dns);
+        }
+
         LDAPUser userDetails = new LDAPUser(username);
         User user = userDetails.getUser();
         user.setName(getUserInfo(userInfo, "name"));

diff --git a/...ao/geonet/kernel/security/ldap/LDAPUserDetailsContextMapperWithProfileSearchEnhanced.java b/...ao/geonet/kernel/security/ldap/LDAPUserDetailsContextMapperWithProfileSearchEnhanced.java
@@ -31,6 +31,7 @@
 
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
+import javax.naming.PartialResultException;
 import javax.naming.directory.*;
 import java.text.MessageFormat;
 import java.util.*;
@@ -103,10 +104,17 @@ public String cn_short(Map<String, ArrayList<String>> userInfo) {
 
     //This will find the longest "cn" value given in the map
     // typically, there are >1 of these.  I.e. "blasby, david" and "blasby, david,ou=GIS Department,ou=Corporate Users,dc=example,dc=com"
+    // alternatively,  use userInfo.get("dn") list.
     public String cn_long(Map<String, ArrayList<String>> userInfo) {
         ArrayList<String> cn = userInfo.get("cn");
         if ((cn == null) || (cn.size() == 0))  // bad user!
             return null;
+
+        for(String dn: userInfo.get("dn")) {
+            dn = dn.replaceFirst("^cn=",""); // dn will start with "cn="
+            cn.add(dn);
+        }
+
         Comparator<String> comparator = (str1, str2) -> str1.length() > str2.length() ? -1 : 1;
         String longest = cn.stream().sorted(comparator).findFirst().get();
         return longest;
@@ -165,20 +173,26 @@ protected void setProfilesAndPrivileges(Profile defaultProfile,
 
                 Set<LDAPRole> allRoles = new HashSet<>();
 
-                //for each found LDAP-Group
-                while (ldapInfoList.hasMore()) {
-                    SearchResult sr = (SearchResult) ldapInfoList.next();
-                    String ldapGroupName = cn_short(sr.getAttributes());
-
-                    //have the converters process the LDAP-Group
-                    //NOTE: they will return an empty list if they don't know what the role means
-                    //      allRoles is a set, you can add duplicates to it with no problem...
-                    for(LDAPRoleConverter converter : this.ldapRoleConverters){
-                        List<LDAPRole> newRoles = converter.convert(userInfo, userDetails, ldapGroupName, sr.getAttributes());
-                        if (newRoles != null)
-                            allRoles.addAll(newRoles);
+                try {
+                    //for each found LDAP-Group
+                    while (ldapInfoList.hasMore()) {
+                        SearchResult sr = (SearchResult) ldapInfoList.next();
+                        String ldapGroupName = cn_short(sr.getAttributes());
+
+                        //have the converters process the LDAP-Group
+                        //NOTE: they will return an empty list if they don't know what the role means
+                        //      allRoles is a set, you can add duplicates to it with no problem...
+                        for (LDAPRoleConverter converter : this.ldapRoleConverters) {
+                            List<LDAPRole> newRoles = converter.convert(userInfo, userDetails, ldapGroupName, sr.getAttributes());
+                            if (newRoles != null)
+                                allRoles.addAll(newRoles);
+                        }
                     }
                 }
+                catch (PartialResultException ee) {
+                    // do nothing - this occurs when you are searching from the very top of the LDAP.
+                    // its not really a problem.  Usually you would use template.setIgnorePartialResultException
+                }
 
                 //we have a set of GN-Role, now add them to the user object
                 for(LDAPRole role: allRoles) {

diff --git a/core/src/main/java/org/fao/geonet/kernel/security/ldap/LDAPUtils.java b/core/src/main/java/org/fao/geonet/kernel/security/ldap/LDAPUtils.java
@@ -120,6 +120,7 @@ protected User getUser(LDAPUser user, boolean importPrivilegesFromLdap,
             toSave = user.getUser();
         }
         toSave.getSecurity().setAuthType(LDAPConstants.LDAP_FLAG);
+        toSave.getSecurity().setPassword("NULL"); //Oracle doesn't allow a password as '' (interpreted as null)
         toSave = userRepo.save(toSave);
         user.setUser(toSave);
         return toSave;