get pw polices working again
shawnmckinney committed Jun 23, 2021
1 parent 63976c7 commit 1c53cdf703e1672d1e1942603a62c0db9286a2ae
Showing 2 changed files with 91 additions and 136 deletions.
@@ -30,8 +30,11 @@
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.directory.api.ldap.codec.api.LdapApiService;
import org.apache.directory.api.ldap.codec.osgi.DefaultLdapCodecService;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
//import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyResponseFactory;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.directory.api.ldap.model.cursor.CursorException;
import org.apache.directory.api.ldap.model.cursor.SearchCursor;
@@ -838,15 +841,12 @@ Session checkPassword( User user ) throws FinderException, PasswordException
}

//PasswordPolicy respCtrl = getPwdRespCtrl( bindResponse );
/*
PasswordPolicyResponse respCtrl = getPwdRespCtrl( bindResponse );
if ( respCtrl != null )
{
// check IETF password policies here
checkPwPolicies( session, respCtrl );
}
*/

if ( session.getErrorId() == 0 )
{
@@ -884,107 +884,94 @@ private void checkPwPolicies( PwMessage pwMsg, PasswordPolicyResponse respCtrl )
String msgHdr = "checkPwPolicies for userId [" + pwMsg.getUserId() + "] ";
if ( respCtrl != null )
{
// LDAP has notified of password violation:
// if ( respCtrl.hasResponse() )
if ( true )
String errMsg = null;
if ( respCtrl.getTimeBeforeExpiration() > 0 )
{
pwMsg.setExpirationSeconds( respCtrl.getTimeBeforeExpiration() );
pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds
.PASSWORD_EXPIRATION_WARNING, "PASSWORD WILL EXPIRE", Warning.Type.PASSWORD ) );
}
if ( respCtrl.getGraceAuthNRemaining() > 0 )
{
pwMsg.setGraceLogins( respCtrl.getGraceAuthNRemaining() );
pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.PASSWORD_GRACE_WARNING,
"PASSWORD IN GRACE", Warning.Type.PASSWORD ) );
}
if ( respCtrl.getPasswordPolicyError() != null )
{
String errMsg = null;
/* if ( respCtrl.getResponse() != null )*/
if ( true )
switch ( respCtrl.getPasswordPolicyError() )
{
if ( respCtrl.getTimeBeforeExpiration() > 0 )
{
pwMsg.setExpirationSeconds( respCtrl.getTimeBeforeExpiration() );
pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds
.PASSWORD_EXPIRATION_WARNING, "PASSWORD WILL EXPIRE", Warning.Type.PASSWORD ) );
}
if ( respCtrl.getGraceAuthNRemaining() > 0 )
{
pwMsg.setGraceLogins( respCtrl.getGraceAuthNRemaining() );
pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.PASSWORD_GRACE_WARNING,
"PASSWORD IN GRACE", Warning.Type.PASSWORD ) );
}

if ( respCtrl.getPasswordPolicyError() != null )
{

switch ( respCtrl.getPasswordPolicyError() )
case CHANGE_AFTER_RESET:
// Don't throw exception if authenticating in J2EE Realm - The Web application must
// give user a chance to modify their password.
if ( !Config.getInstance().isRealm() )
{

case CHANGE_AFTER_RESET:
// Don't throw exception if authenticating in J2EE Realm - The Web application must
// give user a chance to modify their password.
if ( !Config.getInstance().isRealm() )
{
errMsg = msgHdr + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID";
rc = GlobalErrIds.USER_PW_RESET;
}
else
{
errMsg = msgHdr + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID BUT ALLOWING TO" +
" CONTINUE DUE TO REALM";
result = true;
pwMsg.setWarning( new ObjectFactory().createWarning( GlobalErrIds.USER_PW_RESET,
errMsg, Warning.Type.PASSWORD ) );
}
break;

case ACCOUNT_LOCKED:
errMsg = msgHdr + "ACCOUNT HAS BEEN LOCKED";
rc = GlobalErrIds.USER_PW_LOCKED;
break;

case PASSWORD_EXPIRED:
errMsg = msgHdr + "PASSWORD HAS EXPIRED";
rc = GlobalErrIds.USER_PW_EXPIRED;
break;

case PASSWORD_MOD_NOT_ALLOWED:
errMsg = msgHdr + "PASSWORD MOD NOT ALLOWED";
rc = GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
break;

case MUST_SUPPLY_OLD_PASSWORD:
errMsg = msgHdr + "MUST SUPPLY OLD PASSWORD";
rc = GlobalErrIds.USER_PW_MUST_SUPPLY_OLD;
break;

case INSUFFICIENT_PASSWORD_QUALITY:
errMsg = msgHdr + "PASSWORD QUALITY VIOLATION";
rc = GlobalErrIds.USER_PW_NSF_QUALITY;
break;

case PASSWORD_TOO_SHORT:
errMsg = msgHdr + "PASSWORD TOO SHORT";
rc = GlobalErrIds.USER_PW_TOO_SHORT;
break;

case PASSWORD_TOO_YOUNG:
errMsg = msgHdr + "PASSWORD TOO YOUNG";
rc = GlobalErrIds.USER_PW_TOO_YOUNG;
break;

case PASSWORD_IN_HISTORY:
errMsg = msgHdr + "PASSWORD IN HISTORY VIOLATION";
rc = GlobalErrIds.USER_PW_IN_HISTORY;
break;

default:
errMsg = msgHdr + "PASSWORD CHECK FAILED";
rc = GlobalErrIds.USER_PW_CHK_FAILED;
break;
errMsg = msgHdr + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID";
rc = GlobalErrIds.USER_PW_RESET;
}

}
}
if ( rc != 0 )
{
pwMsg.setMsg( errMsg );
pwMsg.setErrorId( rc );
pwMsg.setAuthenticated( result );
LOG.debug( errMsg );
else
{
errMsg = msgHdr + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID BUT ALLOWING TO" +
" CONTINUE DUE TO REALM";
result = true;
pwMsg.setWarning( new ObjectFactory().createWarning( GlobalErrIds.USER_PW_RESET,
errMsg, Warning.Type.PASSWORD ) );
}
break;

case ACCOUNT_LOCKED:
errMsg = msgHdr + "ACCOUNT HAS BEEN LOCKED";
rc = GlobalErrIds.USER_PW_LOCKED;
break;

case PASSWORD_EXPIRED:
errMsg = msgHdr + "PASSWORD HAS EXPIRED";
rc = GlobalErrIds.USER_PW_EXPIRED;
break;

case PASSWORD_MOD_NOT_ALLOWED:
errMsg = msgHdr + "PASSWORD MOD NOT ALLOWED";
rc = GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
break;

case MUST_SUPPLY_OLD_PASSWORD:
errMsg = msgHdr + "MUST SUPPLY OLD PASSWORD";
rc = GlobalErrIds.USER_PW_MUST_SUPPLY_OLD;
break;

case INSUFFICIENT_PASSWORD_QUALITY:
errMsg = msgHdr + "PASSWORD QUALITY VIOLATION";
rc = GlobalErrIds.USER_PW_NSF_QUALITY;
break;

case PASSWORD_TOO_SHORT:
errMsg = msgHdr + "PASSWORD TOO SHORT";
rc = GlobalErrIds.USER_PW_TOO_SHORT;
break;

case PASSWORD_TOO_YOUNG:
errMsg = msgHdr + "PASSWORD TOO YOUNG";
rc = GlobalErrIds.USER_PW_TOO_YOUNG;
break;

case PASSWORD_IN_HISTORY:
errMsg = msgHdr + "PASSWORD IN HISTORY VIOLATION";
rc = GlobalErrIds.USER_PW_IN_HISTORY;
break;

default:
errMsg = msgHdr + "PASSWORD CHECK FAILED";
rc = GlobalErrIds.USER_PW_CHK_FAILED;
break;
}
}
if ( rc != 0 )
{
pwMsg.setMsg( errMsg );
pwMsg.setErrorId( rc );
pwMsg.setAuthenticated( result );
LOG.debug( errMsg );
}
}
}
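Review bot: The terminal policy outcomes in checkPwPolicies (ACCOUNT_LOCKED, PASSWORD_EXPIRED, CHANGE_AFTER_RESET and the rest of the switch) are recorded only with `LOG.debug( errMsg );` inside the `if ( rc != 0 )` block, so at a production log level a lockout or expiry that blocks a bind leaves no trace for detection; `LOG.warn( errMsg );` there (and info for the expiry/grace warnings that still authenticate) would make these events visible, and msgHdr already carries only the userId. If the `if ( true )` placeholders that stand in for `respCtrl.hasResponse()` and `respCtrl.getResponse() != null` survive on the new side, they should be removed rather than left as always-true conditions; the interleaved rendering does not make their side certain. `rc` and `result` are assigned throughout the switch but declared before the hunk, so their initial values are outside SOURCE. The earlier hunk in checkPassword appears to re-enable the `checkPwPolicies( session, respCtrl )` call that this method serves, which matches the commit title.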

@@ -275,7 +275,7 @@ protected void add( LdapConnection connection, Entry entry, FortEntity entity, b
// TODO: FIXME #2
if ( setRelaxControl )
{
addRequest.addControl( new RelaxControlImpl() );
//addRequest.addControl( new RelaxControlImpl() );
}
AddResponse response = connection.add( addRequest );
ResultCodeEnum.processResponse(response);
@@ -353,7 +353,7 @@ protected void modify( LdapConnection connection, String dn, List<Modification>
// TODO: FIXME #2
if ( setRelaxControl )
{
modRequest.addControl( new RelaxControlImpl() );
//modRequest.addControl( new RelaxControlImpl() );
}
modRequest.setName( new Dn( dn ) );
ModifyResponse response = connection.modify( modRequest );
@@ -880,21 +880,6 @@ protected String getRdn( String dn )
}


/*
protected String getRdnValue( String dn )
{
try
{
return new Dn( dn ).getRdn().getNormValue();
}
catch ( LdapInvalidDnException lide )
{
return null;
}
}
*/


/**
* Create multi-occurring ldap attribute given array of strings and attribute name.
*
@@ -1227,32 +1212,15 @@ protected String encodeSafeText( String value, int validLen ) throws LdapExcepti
* Get Password Policy Response Control from LDAP client.
*
* @param resp contains reference to LDAP pw policy response.
* @return PasswordPolicy response control.
* @return PasswordPolicyResponse control.
*/
protected PasswordPolicyResponse getPwdRespCtrl(Response resp )
{
// TODO: FIXME #3
LdapApiService codec = new DefaultLdapCodecService();
PasswordPolicyResponseFactory factory = ( PasswordPolicyResponseFactory ) codec.getResponseControlFactories().
get( PasswordPolicyResponse.OID );
PasswordPolicyResponse passwordPolicyResponse = factory.newControl();
return passwordPolicyResponse;
}

/*
protected PasswordPolicy getPwdRespCtrl(Response resp )
protected PasswordPolicyResponse getPwdRespCtrl(BindResponse resp )
{
Control control = resp.getControls().get( PP_REQ_CTRL.getOid() );
if ( control == null )
{
return null;
}
return ( ( PasswordPolicyDecorator ) control ).getDecorated();
Control control = resp.getControls().get( PasswordPolicyResponse.OID );
return ( PasswordPolicyResponse ) control;
}


*/
/**
* Calls the PoolMgr to perform an LDAP bind for a user/password combination. This function is valid
* if and only if the user entity is a member of the USERS data set.
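Review bot: The new `getPwdRespCtrl( BindResponse resp )` casts whatever control is registered under `PasswordPolicyResponse.OID` straight to `PasswordPolicyResponse` at `return ( PasswordPolicyResponse ) control;`; a missing control still yields null, but a control the codec left undecoded (the removed FIXME #3 body was fetching a `PasswordPolicyResponseFactory` by hand, which suggests that has been a live concern) would surface as a ClassCastException from inside the bind path with no hint of the cause. Checking the type explicitly and throwing a descriptive IllegalStateException keeps the failure closed — an undecoded control must not quietly read as "no policy" — while naming the misconfiguration. Pattern `instanceof` is avoided below because the file otherwise reads as pre-Java-16. In the two `if ( setRelaxControl )` hunks the guarded `addControl( new RelaxControlImpl() )` appears commented out; if that is the new side, a caller that asks for the relax control silently gets none, and the FIXME #2 comment should say so until it is resolved.
```java
protected PasswordPolicyResponse getPwdRespCtrl( BindResponse resp )
{
    Control control = resp.getControls().get( PasswordPolicyResponse.OID );
    if ( control != null && !( control instanceof PasswordPolicyResponse ) )
    {
        // Control is present but was not decoded by the codec: fail closed with a
        // clear message instead of a bare ClassCastException or a silent skip.
        throw new IllegalStateException( "ppolicy response control " + PasswordPolicyResponse.OID
            + " not decoded, got " + control.getClass().getName() );
    }
    return ( PasswordPolicyResponse ) control;
}
```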
