diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java index fd184898f..ef01acd8c 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java @@ -32,7 +32,6 @@ import org.apache.directory.api.ldap.model.entry.Entry; import org.apache.directory.api.ldap.model.exception.LdapException; import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException; import org.apache.directory.api.ldap.model.name.Dn; -import org.apache.directory.ldap.client.api.LdapConnection; import org.apache.directory.ldap.client.api.LdapConnectionConfig; import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.GuacamoleException; @@ -44,8 +43,6 @@ import org.apache.guacamole.auth.ldap.user.LDAPUserContext; import org.apache.guacamole.auth.ldap.user.UserService; import org.apache.guacamole.net.auth.AuthenticatedUser; import org.apache.guacamole.net.auth.Credentials; -import org.apache.guacamole.net.auth.credentials.CredentialsInfo; -import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException; import org.apache.guacamole.token.TokenName; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -126,7 +123,7 @@ public class AuthenticationProviderService { if (searchBindDN != null) { // Create an LDAP connection using the search account - LdapConnection searchConnection = ldapService.bindAs( + LdapNetworkConnection searchConnection = ldapService.bindAs( searchBindDN, confService.getSearchBindPassword() ); 
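Review bot: A failed bind with the search account now surfaces as GuacamoleInvalidCredentialsException tagged CredentialsInfo.USERNAME_PASSWORD (the contract LDAPConnectionService.bindAs adopts elsewhere in this commit), so a wrong search-bind password in guacamole.properties is reported to the end user as their own credentials being rejected, and if a null check followed this call (outside the hunk) it is now dead. The search account is server-side configuration, so its failure should be distinguished from a user credential failure: wrap the call as `try { searchConnection = ldapService.bindAs(searchBindDN, confService.getSearchBindPassword()); } catch (GuacamoleInvalidCredentialsException e) { throw new GuacamoleServerException("Unable to bind using the configured search account.", e); }`, which means the import this commit removes would have to return. The enclosing method starts and ends outside the hunk.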
@@ -183,7 +180,7 @@ public class AuthenticationProviderService { * @throws GuacamoleException * If an error occurs while binding to the LDAP server. */ - private LdapConnection bindAs(Credentials credentials) + private LdapNetworkConnection bindAs(Credentials credentials) throws GuacamoleException { // Get username and password from credentials @@ -234,24 +231,11 @@ public class AuthenticationProviderService { throws GuacamoleException { // Attempt bind - LdapConnection ldapConnection; - try { - ldapConnection = bindAs(credentials); - } - catch (GuacamoleException e) { - logger.error("Cannot bind with LDAP server: {}", e.getMessage()); - logger.debug("Error binding with LDAP server.", e); - ldapConnection = null; - } - - // If bind fails, permission to login is denied - if (ldapConnection == null) - throw new GuacamoleInvalidCredentialsException("Permission denied.", CredentialsInfo.USERNAME_PASSWORD); - + LdapNetworkConnection ldapConnection = bindAs(credentials); + LdapConnectionConfig ldapConnectionConfig = ldapConnection.getConfig(); + try { - LdapConnectionConfig ldapConnectionConfig = - ((LdapNetworkConnection) ldapConnection).getConfig(); Dn authDn = new Dn(ldapConnectionConfig.getName()); // Retrieve group membership of the user that just authenticated @@ -297,7 +281,7 @@ public class AuthenticationProviderService { * @throws GuacamoleException * If an error occurs retrieving the user DN or the attributes. */ - private Map getAttributeTokens(LdapConnection ldapConnection, + private Map getAttributeTokens(LdapNetworkConnection ldapConnection, String username) throws GuacamoleException { // Get attributes from configuration information 
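Review bot: In the second hunk (@@ -234) the removed catch block also removed the only error-level log entry that named the cause of a failed user bind; what remains is the `logger.debug("Unable to bind to LDAP server.", e)` line in LDAPConnectionService.bindAs, so bind failures no longer appear in default logs from this extension. If the webapp's own authentication-failure logging is meant to cover this, a one-line comment at the call site such as `// Bind failures propagate as GuacamoleInvalidCredentialsException; the webapp logs the rejected attempt` would stop the next reader from re-adding it. Letting a GuacamoleServerException from a connection failure propagate instead of collapsing it into "Permission denied." is the right split between configuration and credential errors. The enclosing method continues beyond the hunk.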
@@ -357,9 +341,7 @@ public class AuthenticationProviderService { // Bind using credentials associated with AuthenticatedUser Credentials credentials = authenticatedUser.getCredentials(); - LdapConnection ldapConnection = bindAs(credentials); - if (ldapConnection == null) - return null; + LdapNetworkConnection ldapConnection = bindAs(credentials); try { diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java index 7bf09c630..744936d31 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java @@ -38,6 +38,8 @@ import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.GuacamoleUnsupportedException; import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.auth.ldap.conf.EncryptionMethod; +import org.apache.guacamole.net.auth.credentials.CredentialsInfo; +import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -121,7 +123,7 @@ public class LDAPConnectionService { * @throws GuacamoleException * If an error occurs while binding to the LDAP server. */ - public LdapConnection bindAs(Dn userDN, String password) + public LdapNetworkConnection bindAs(Dn userDN, String password) throws GuacamoleException { // Obtain appropriately-configured LdapNetworkConnection instance 
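Review bot: Dropping the null check changes what the enclosing method reports when the re-bind with the AuthenticatedUser's credentials fails: it previously returned null, which in a UserContext-producing method signals that this extension contributes nothing and lets other providers proceed, whereas the GuacamoleInvalidCredentialsException that bindAs now throws propagates to the caller. If this is getUserContext(), confirm the caller treats that exception as intended for users authenticated by another extension whose credentials the LDAP server rejects; if returning null is still the desired outcome, catch GuacamoleInvalidCredentialsException here and `return null;`. The enclosing method starts and ends outside the hunk.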
@@ -138,9 +140,7 @@ public class LDAPConnectionService { } catch (LdapException e) { - logger.error("Unable to connect to LDAP server: {}", e.getMessage()); - logger.debug("Failed to connect to LDAP server.", e); - return null; + throw new GuacamoleServerException("Error connecting to LDAP server.", e); } // Bind using provided credentials @@ -156,8 +156,12 @@ public class LDAPConnectionService { // Disconnect if an error occurs during bind catch (LdapException e) { logger.debug("Unable to bind to LDAP server.", e); + throw new GuacamoleInvalidCredentialsException( + "Unable to bind to the LDAP server.", + CredentialsInfo.USERNAME_PASSWORD); + } + finally { disconnect(ldapConnection); - return null; } return ldapConnection; @@ -165,7 +169,7 @@ public class LDAPConnectionService { } /** - * Generate a new LdapConnection object for following a referral + * Generate a new LdapNetworkConnection object for following a referral * with the given LdapUrl, and copy the username and password * from the original connection. * @@ -181,15 +185,15 @@ public class LDAPConnectionService { * limit is reached, this method will throw an exception. * * @return - * A LdapConnection object that points at the location + * A LdapNetworkConnection object that points at the location * specified in the referralUrl. * * @throws GuacamoleException * If an error occurs parsing out the LdapUrl object or the * maximum number of referral hops is reached. */ - public LdapConnection referralConnection(LdapUrl referralUrl, - LdapConnectionConfig ldapConfig, Integer hop) + public LdapNetworkConnection referralConnection(LdapUrl referralUrl, + LdapConnectionConfig ldapConfig, int hop) throws GuacamoleException { if (hop >= confService.getMaxReferralHops()) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java index b67bb0a9c..6df617ae7 100644 
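Review bot: In the bind hunk (@@ -156) the new `finally { disconnect(ldapConnection); }` runs on every exit path, including the successful one, so the object reaching `return ldapConnection;` on the following line has already been disconnected — unless disconnect() is a no-op or the try body (outside the hunk) returns a different object, which nothing visible suggests. The disconnect belongs on the failure path only: move `disconnect(ldapConnection);` into the catch block ahead of the throw and remove the finally, or keep the finally but have it act only when a local success flag is still false. The comment "Disconnect if an error occurs during bind" kept above the catch already describes that intent, which makes the unconditional finally look accidental.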
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java @@ -37,13 +37,9 @@ import org.apache.directory.api.ldap.model.filter.EqualityNode; import org.apache.directory.api.ldap.model.filter.ExprNode; import org.apache.directory.api.ldap.model.filter.OrNode; import org.apache.directory.api.ldap.model.message.Referral; -import org.apache.directory.api.ldap.model.message.Response; import org.apache.directory.api.ldap.model.message.SearchRequest; -import org.apache.directory.api.ldap.model.message.SearchResultEntry; -import org.apache.directory.api.ldap.model.message.SearchResultReference; import org.apache.directory.api.ldap.model.name.Dn; import org.apache.directory.api.ldap.model.url.LdapUrl; -import org.apache.directory.ldap.client.api.LdapConnection; import org.apache.directory.ldap.client.api.LdapConnectionConfig; import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.GuacamoleException; @@ -183,15 +179,14 @@ public class ObjectQueryService { * information required to execute the query cannot be read from * guacamole.properties. */ - public List search(LdapConnection ldapConnection, + public List search(LdapNetworkConnection ldapConnection, Dn baseDN, ExprNode query) throws GuacamoleException { logger.debug("Searching \"{}\" for objects matching \"{}\".", baseDN, query); try { - LdapConnectionConfig ldapConnectionConfig = - ((LdapNetworkConnection) ldapConnection).getConfig(); + LdapConnectionConfig ldapConnectionConfig = ldapConnection.getConfig(); // Search within subtree of given base DN SearchRequest request = ldapService.getSearchRequest(baseDN, 
@@ -204,17 +199,15 @@ public class ObjectQueryService { List entries = new ArrayList<>(); while (results.next()) { - Response response = results.get(); - if (response instanceof SearchResultEntry) { - entries.add(((SearchResultEntry) response).getEntry()); + if (results.isEntry()) { + entries.add(results.getEntry()); } - else if (response instanceof SearchResultReference && - request.isFollowReferrals()) { + else if (results.isReferral() && request.isFollowReferrals()) { - Referral referral = ((SearchResultReference) response).getReferral(); + Referral referral = results.getReferral(); int referralHop = 0; for (String url : referral.getLdapUrls()) { - LdapConnection referralConnection = ldapService.referralConnection( + LdapNetworkConnection referralConnection = ldapService.referralConnection( new LdapUrl(url), ldapConnectionConfig, referralHop++); entries.addAll(search(referralConnection, baseDN, query)); } @@ -273,7 +266,7 @@ public class ObjectQueryService { * information required to execute the query cannot be read from * guacamole.properties. */ - public List search(LdapConnection ldapConnection, Dn baseDN, + public List search(LdapNetworkConnection ldapConnection, Dn baseDN, ExprNode filter, Collection attributes, String attributeValue) throws GuacamoleException { ExprNode query = generateQuery(filter, attributes, attributeValue); diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java index f9be1ae4f..c782c97b8 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java 
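Review bot: Each referral URL opens a fresh LdapNetworkConnection through ldapService.referralConnection and passes it to the recursive search(), but nothing in the visible loop disconnects it afterwards, so a referral with several URLs leaves one connection per URL open unless code outside the hunk closes them. Since referralConnection copies the bind credentials onto the new connection per the Javadoc changed in this same commit, each of those is an authenticated session to whatever host the directory named; if LDAPConnectionService.disconnect is accessible here, `try { entries.addAll(search(referralConnection, baseDN, query)); } finally { ldapService.disconnect(referralConnection); }` would bound their lifetime to the loop body. The rest of the result loop continues past the hunk.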
@@ -42,7 +42,7 @@ public abstract class LdapDnGuacamoleProperty implements GuacamoleProperty { return new Dn(value); } catch (LdapInvalidDnException e) { - throw new GuacamoleServerException("Invalid DN specified in configuration.", e); + throw new GuacamoleServerException("The DN \"" + value + "\" is invalid.", e); } } diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java index 3c99b11a4..01b41c964 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java @@ -45,7 +45,7 @@ public abstract class LdapFilterGuacamoleProperty implements GuacamoleProperty getConnections(AuthenticatedUser user, - LdapConnection ldapConnection) throws GuacamoleException { + LdapNetworkConnection ldapConnection) throws GuacamoleException { // Do not return any connections if base DN is not specified Dn configurationBaseDN = confService.getConfigurationBaseDN(); @@ -110,8 +109,7 @@ public class ConnectionService { try { // Pull the current user DN from the LDAP connection - LdapConnectionConfig ldapConnectionConfig = - ((LdapNetworkConnection) ldapConnection).getConfig(); + LdapConnectionConfig ldapConnectionConfig = ldapConnection.getConfig(); Dn userDN = new Dn(ldapConnectionConfig.getName()); // getConnections() will only be called after a connection has been @@ -244,7 +242,7 @@ public class ConnectionService { * If an error occurs retrieving the group base DN. */ private ExprNode getConnectionSearchFilter(Dn userDN, - LdapConnection ldapConnection) + LdapNetworkConnection ldapConnection) throws LdapException, GuacamoleException { AndNode searchFilter = new AndNode(); 
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java index 986181b61..cf29a2bb9 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java @@ -26,13 +26,13 @@ import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; -import org.apache.directory.ldap.client.api.LdapConnection; import org.apache.directory.api.ldap.model.entry.Entry; import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException; import org.apache.directory.api.ldap.model.filter.EqualityNode; import org.apache.directory.api.ldap.model.filter.ExprNode; import org.apache.directory.api.ldap.model.filter.NotNode; import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.ldap.ObjectQueryService; @@ -107,7 +107,7 @@ public class UserGroupService { * @throws GuacamoleException * If an error occurs preventing retrieval of user groups. */ - public Map getUserGroups(LdapConnection ldapConnection) + public Map getUserGroups(LdapNetworkConnection ldapConnection) throws GuacamoleException { // Do not return any user groups if base DN is not specified 
@@ -167,7 +167,7 @@ public class UserGroupService { * @throws GuacamoleException * If an error occurs preventing retrieval of user groups. */ - public List getParentUserGroupEntries(LdapConnection ldapConnection, + public List getParentUserGroupEntries(LdapNetworkConnection ldapConnection, Dn userDN) throws GuacamoleException { // Do not return any user groups if base DN is not specified @@ -206,7 +206,7 @@ public class UserGroupService { * @throws GuacamoleException * If an error occurs preventing retrieval of user groups. */ - public Set getParentUserGroupIdentifiers(LdapConnection ldapConnection, + public Set getParentUserGroupIdentifiers(LdapNetworkConnection ldapConnection, Dn userDN) throws GuacamoleException { Collection attributes = confService.getGroupNameAttributes(); diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java index cafc461d6..db36fc0b4 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java @@ -23,6 +23,7 @@ import com.google.inject.Inject; import java.util.Collections; import java.util.Map; import java.util.Set; +import org.apache.directory.api.ldap.model.name.Dn; import org.apache.guacamole.net.auth.AbstractAuthenticatedUser; import org.apache.guacamole.net.auth.AuthenticationProvider; import org.apache.guacamole.net.auth.Credentials; 
@@ -72,13 +73,14 @@ public class LDAPAuthenticatedUser extends AbstractAuthenticatedUser { * The unique identifiers of all user groups which affect the * permissions available to this user. */ - public void init(Credentials credentials, Map tokens, Set effectiveGroups) { + public void init(Credentials credentials, Map tokens, + Set effectiveGroups) { this.credentials = credentials; this.tokens = Collections.unmodifiableMap(tokens); this.effectiveGroups = effectiveGroups; setIdentifier(credentials.getUsername()); } - + /** * Returns a Map of all name/value pairs that should be applied as * parameter tokens when connections are established using this diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java index b87bca0c4..b5c789e1e 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java @@ -21,7 +21,7 @@ package org.apache.guacamole.auth.ldap.user; import com.google.inject.Inject; import java.util.Collections; -import org.apache.directory.ldap.client.api.LdapConnection; +import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.auth.ldap.connection.ConnectionService; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider; @@ -102,7 +102,7 @@ public class LDAPUserContext extends AbstractUserContext { /** * Initializes this UserContext using the provided AuthenticatedUser and - * LdapConnection. + * LdapNetworkConnection. * * @param user * The AuthenticatedUser representing the user that authenticated. This 
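Review bot: init() wraps tokens in Collections.unmodifiableMap but stores effectiveGroups as the caller's live Set, so the two fields carry different aliasing guarantees and a later mutation by the caller changes this user's effective group membership after the fact. Only the signature is reflowed here, but while the method is being touched, `this.effectiveGroups = Collections.unmodifiableSet(effectiveGroups);` would make the two consistent — unless the accessor already wraps it, which lies outside the hunk. Collections is already imported in this file, so no new import is needed.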
@@ -117,7 +117,7 @@ public class LDAPUserContext extends AbstractUserContext { * If associated data stored within the LDAP directory cannot be * queried due to an error. */ - public void init(AuthenticatedUser user, LdapConnection ldapConnection) + public void init(AuthenticatedUser user, LdapNetworkConnection ldapConnection) throws GuacamoleException { // Query all accessible users diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java index 937723116..ba2998387 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java @@ -24,12 +24,12 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; import java.util.Map; -import org.apache.directory.ldap.client.api.LdapConnection; import org.apache.directory.api.ldap.model.entry.Entry; import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException; import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException; import org.apache.directory.api.ldap.model.name.Dn; import org.apache.directory.api.ldap.model.name.Rdn; +import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleServerException; @@ -79,7 +79,7 @@ public class UserService { * @throws GuacamoleException * If an error occurs preventing retrieval of users. */ - public Map getUsers(LdapConnection ldapConnection) + public Map getUsers(LdapNetworkConnection ldapConnection) throws GuacamoleException { // Retrieve all visible user objects 
@@ -134,7 +134,7 @@ public class UserService { * If an error occurs while querying the user DNs, or if the username * attribute property cannot be parsed within guacamole.properties. */ - public List getUserDNs(LdapConnection ldapConnection, + public List getUserDNs(LdapNetworkConnection ldapConnection, String username) throws GuacamoleException { // Retrieve user objects having a matching username