Implement

 - Search and Bind
 - Search and Compare
 - Groups to Scopes
 - Groups as Scopes
[#118968291] https://www.pivotaltracker.com/story/show/118968291

docs/UAA-LDAP.md

@@ -221,7 +221,7 @@ The following attributes are available for the default search and bind configura
   will run a query to match the password. In order for this query to work, you must know what 
   type of hash/encoding/salt is used for the LDAP password.
 * `ldap.base.passwordEncoder` - A fully qualified Java classname to a password encoder.
-  The [default](https://github.com/cloudfoundry/uaa/blob/master/common/src/main/java/org/cloudfoundry/identity/uaa/ldap/DynamicPasswordComparator.java#L20-20)
+  The [default](https://github.com/cloudfoundry/uaa/blob/master/model/org/cloudfoundry/identity/uaa/provider/ldap/DynamicPasswordComparator.java#L20-20)
   uses the Apache Directory Server password utilities to support several different encodings.
 
 <pre>
@@ -237,7 +237,7 @@ ldap:
     searchBase: ''
     searchFilter: 'cn={0}'
     passwordAttributeName: userPassword
-    passwordEncoder: org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator
+    passwordEncoder: org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator
     localPasswordCompare: true
 </pre>
 
@@ -608,7 +608,7 @@ In the above example, the user `marissa`'s  UAA email always become `generated-m
 
 * <a name="ldap.base.passwordEncoder">`ldap.base.passwordEncoder`</a>
   A fully qualified Java classname to a password encoder.
-  The [default](https://github.com/cloudfoundry/uaa/blob/master/common/src/main/java/org/cloudfoundry/identity/uaa/ldap/DynamicPasswordComparator.java#L20-20)
+  The [default](https://github.com/cloudfoundry/uaa/blob/master/model/src/main/java/org/cloudfoundry/identity/uaa/provider/ldap/DynamicPasswordComparator.java#L20-20)
   uses the Apache Directory Server password utilities to support several different encodings.
   <br/>This property is used with the 'search and compare' authentication mechanism.
 

model/src/main/java/org/cloudfoundry/identity/uaa/provider/LdapIdentityProviderDefinition.java

@@ -372,7 +372,11 @@ public String getPasswordEncoder() {
     }
 
     public void setPasswordEncoder(String passwordEncoder) {
-        this.passwordEncoder = passwordEncoder;
+        if (passwordEncoder==null || "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator".equals(passwordEncoder)) {
+            this.passwordEncoder = passwordEncoder;
+        } else {
+            throw new IllegalArgumentException("Unknown encoder:"+passwordEncoder);
+        }
     }
 
     public String getGroupRoleAttribute() {

server/src/test/java/org/cloudfoundry/identity/uaa/provider/ldap/LdapIdentityProviderDefinitionTest.java

@@ -260,7 +260,7 @@ public void test_Search_and_Compare_Config() throws Exception {
             "    searchBase: ''\n" +
             "    searchFilter: 'cn={0}'\n" +
             "    passwordAttributeName: userPassword\n" +
-            "    passwordEncoder: org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator\n" +
+            "    passwordEncoder: org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator\n" +
             "    localPasswordCompare: true\n"+
             "    mailSubstitute: 'generated-{0}@company.example.com'\n" +
             "    mailSubstituteOverridesLdap: true\n"+
@@ -281,7 +281,7 @@ public void test_Search_and_Compare_Config() throws Exception {
         assertTrue(def.isMailSubstituteOverridesLdap());
         assertTrue(def.isSkipSSLVerification());
         assertEquals("userPassword", def.getPasswordAttributeName());
-        assertEquals("org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator", def.getPasswordEncoder());
+        assertEquals("org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator", def.getPasswordEncoder());
         assertNull(def.getGroupSearchBase());
         assertNull(def.getGroupSearchFilter());
         assertNull(def.getLdapGroupFile());
@@ -304,7 +304,7 @@ public void test_Search_and_Compare_With_Groups_1_Config_And_Custom_Attributes()
             "    searchBase: ''\n" +
             "    searchFilter: 'cn={0}'\n" +
             "    passwordAttributeName: userPassword\n" +
-            "    passwordEncoder: org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator\n" +
+            "    passwordEncoder: org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator\n" +
             "    localPasswordCompare: true\n"+
             "    mailSubstitute: 'generated-{0}@company.example.com'\n" +
             "    mailSubstituteOverridesLdap: true\n"+
@@ -336,7 +336,7 @@ public void test_Search_and_Compare_With_Groups_1_Config_And_Custom_Attributes()
         assertTrue(def.isMailSubstituteOverridesLdap());
         assertTrue(def.isSkipSSLVerification());
         assertEquals("userPassword", def.getPasswordAttributeName());
-        assertEquals("org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator", def.getPasswordEncoder());
+        assertEquals("org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator", def.getPasswordEncoder());
         assertEquals("ou=scopes,dc=test,dc=com", def.getGroupSearchBase());
         assertEquals("member={0}", def.getGroupSearchFilter());
         assertEquals("ldap/ldap-groups-as-scopes.xml",def.getLdapGroupFile());
@@ -417,7 +417,7 @@ public void deserialize_unknown_profile_file_throws_error() throws Exception {
             "    searchBase: ''\n" +
             "    searchFilter: 'cn={0}'\n" +
             "    passwordAttributeName: userPassword\n" +
-            "    passwordEncoder: org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator\n" +
+            "    passwordEncoder: org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator\n" +
             "    localPasswordCompare: true\n"+
             "    mailSubstitute: 'generated-{0}@company.example.com'\n" +
             "    mailSubstituteOverridesLdap: true\n"+
@@ -440,7 +440,7 @@ public void deserialize_unknown_group_file_throws_error() throws Exception {
             "    searchBase: ''\n" +
             "    searchFilter: 'cn={0}'\n" +
             "    passwordAttributeName: userPassword\n" +
-            "    passwordEncoder: org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator\n" +
+            "    passwordEncoder: org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator\n" +
             "    localPasswordCompare: true\n"+
             "    mailSubstitute: 'generated-{0}@company.example.com'\n" +
             "    mailSubstituteOverridesLdap: true\n"+
@@ -457,4 +457,58 @@ public void deserialize_unknown_group_file_throws_error() throws Exception {
 
         LdapUtils.fromConfig(getLdapConfig(config));
     }
+
+    @Test
+    public void set_correct_password_compare() {
+        ldapIdentityProviderDefinition = new LdapIdentityProviderDefinition();
+        ldapIdentityProviderDefinition.setPasswordEncoder(DynamicPasswordComparator.class.getName());
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void set_wrong_password_compare_complains() {
+        ldapIdentityProviderDefinition = new LdapIdentityProviderDefinition();
+        ldapIdentityProviderDefinition.setPasswordEncoder("some.other.encoder");
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void deserialize_unknown_comparator_throws_error() throws Exception {
+        String config = "ldap:\n" +
+            "  profile:\n" +
+            "    file: ldap/ldap-search-and-compare.xml\n" +
+            "  base:\n" +
+            "    url: 'ldap://localhost:10389/'\n" +
+            "    mailAttributeName: mail\n" +
+            "    userDn: 'cn=admin,ou=Users,dc=test,dc=com'\n" +
+            "    password: 'password'\n" +
+            "    searchBase: ''\n" +
+            "    searchFilter: 'cn={0}'\n" +
+            "    passwordAttributeName: userPassword\n" +
+            "    passwordEncoder: org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator1\n" +
+            "    localPasswordCompare: true\n"+
+            "    mailSubstitute: 'generated-{0}@company.example.com'\n" +
+            "    mailSubstituteOverridesLdap: true\n";
+
+        LdapUtils.fromConfig(getLdapConfig(config));
+    }
+
+    @Test
+    public void deserialize_correct_comparator() throws Exception {
+        String config = "ldap:\n" +
+            "  profile:\n" +
+            "    file: ldap/ldap-search-and-compare.xml\n" +
+            "  base:\n" +
+            "    url: 'ldap://localhost:10389/'\n" +
+            "    mailAttributeName: mail\n" +
+            "    userDn: 'cn=admin,ou=Users,dc=test,dc=com'\n" +
+            "    password: 'password'\n" +
+            "    searchBase: ''\n" +
+            "    searchFilter: 'cn={0}'\n" +
+            "    passwordAttributeName: userPassword\n" +
+            "    passwordEncoder: org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator\n" +
+            "    localPasswordCompare: true\n"+
+            "    mailSubstitute: 'generated-{0}@company.example.com'\n" +
+            "    mailSubstituteOverridesLdap: true\n";
+
+        LdapUtils.fromConfig(getLdapConfig(config));
+    }
 }

uaa/slate/source/index.md.erb

@@ -628,32 +628,64 @@ _Error Codes_
 | 500        | Internal Server Error                                                 |
 
 #### LDAP Search and Bind
+
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/curl-request.md")).result(binding) %>
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/http-request.md")).result(binding) %>
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/http-response.md")).result(binding) %>
+
+_Request Headers_
+
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/request-headers.md")).result(binding) %>
+
+_Request Parameters_
+
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/request-parameters.md")).result(binding) %>
+
+_Request Fields_
+
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/request-fields.md")).result(binding) %>
+
+_Response Fields_
+
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndBind_Groups_Map_ToScopes_LDAPIdentityProvider/request-fields.md")).result(binding) %>
+
+_Error Codes_
+
+| Error Code | Description                                                           |
+|------------|-----------------------------------------------------------------------|
+| 401        | Unauthorized - Missing or invalid token                               |
+| 403        | Forbidden - Insufficient scope                                        |
+| 409        | Conflict - Provider with same origin and zone id exists               |
+| 422        | Unprocessable Entity - Invalid configuration                          |
+| 500        | Internal Server Error                                                 |
+
 #### LDAP Search and Compare
 
-<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/createLDAPIdentityProvider/curl-request.md")).result(binding) %>
-<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/createLDAPIdentityProvider/http-request.md")).result(binding) %>
-<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/createLDAPIdentityProvider/http-response.md")).result(binding) %>
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/curl-request.md")).result(binding) %>
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/http-request.md")).result(binding) %>
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/http-response.md")).result(binding) %>
 
 _Request Headers_
 
-<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/createLDAPIdentityProvider/request-headers.md")).result(binding) %>
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/request-headers.md")).result(binding) %>
 
 _Request Parameters_
 
-<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/createLDAPIdentityProvider/request-parameters.md")).result(binding) %>
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/request-parameters.md")).result(binding) %>
 
 _Request Fields_
 
-<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/createLDAPIdentityProvider/request-fields.md")).result(binding) %>
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/request-fields.md")).result(binding) %>
 
 _Response Fields_
 
-<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/createLDAPIdentityProvider/request-fields.md")).result(binding) %>
+<%= ERB.new(File.read("../build/generated-snippets/IdentityProviderEndpointsDocs/create_SearchAndCompare_Groups_As_Scopes_LDAPIdentityProvider/request-fields.md")).result(binding) %>
 
 _Error Codes_
 
 | Error Code | Description                                                           |
 |------------|-----------------------------------------------------------------------|
+| 401        | Unauthorized - Missing or invalid token                               |
 | 403        | Forbidden - Insufficient scope                                        |
 | 409        | Conflict - Provider with same origin and zone id exists               |
 | 422        | Unprocessable Entity - Invalid configuration                          |