Merge pull request #24 from adamretter/develop

Fixed the objectSid calculation for Active Directory LDAP
eXist-db · Aug 9, 2013 · 4bcf015 · 4bcf015
2 parents c52ae98 + 020edeb
commit 4bcf015
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 13 deletions.
diff --git a/extensions/security/ldap/src/org/exist/security/realm/ldap/LDAPRealm.java b/extensions/security/ldap/src/org/exist/security/realm/ldap/LDAPRealm.java
@@ -435,17 +435,15 @@ private Group createGroupInDatabase(final String groupname) throws Authenticatio
     }
 
     private LdapContext getContext(final Subject invokingUser) throws NamingException {
-        final Map<String, Object> additionalEnv = new HashMap<String, Object>();
-        additionalEnv.put("java.naming.ldap.attributes.binary", "objectSID");
         final LdapContextFactory ctxFactory = ensureContextFactory();
         final LdapContext ctx;
         if(invokingUser != null && invokingUser instanceof AuthenticatedLdapSubjectAccreditedImpl) {
             //use the provided credentials for the lookup
-            ctx = ctxFactory.getLdapContext(invokingUser.getUsername(), ((AuthenticatedLdapSubjectAccreditedImpl) invokingUser).getAuthenticatedCredentials(), additionalEnv);
+            ctx = ctxFactory.getLdapContext(invokingUser.getUsername(), ((AuthenticatedLdapSubjectAccreditedImpl) invokingUser).getAuthenticatedCredentials(), null);
         } else {
             //use the default credentials for lookup
             LDAPSearchContext searchCtx = ctxFactory.getSearch();
-            ctx = ctxFactory.getLdapContext(searchCtx.getDefaultUsername(), searchCtx.getDefaultPassword(), additionalEnv);
+            ctx = ctxFactory.getLdapContext(searchCtx.getDefaultUsername(), searchCtx.getDefaultPassword(), null);
         }
         return ctx;
     }
@@ -504,10 +502,10 @@ public final synchronized Account getAccount(final LdapContext ctx, String name)
                 } else {
                     //found a user from ldap so cache them and return
                     try {
-                        final String group = getPrimaryGroupSID(ldapUser);
-                        final String primaryGroup = findGroupBySID(ctx, group);
+                        final String primaryGroupSID = getPrimaryGroupSID(ldapUser);
+                        final String primaryGroup = findGroupBySID(ctx, primaryGroupSID);
                         if (LOG.isDebugEnabled()) {
-                            LOG.debug("LDAP search for primary group '"+group+"' return '"+primaryGroup+"'.");
+                            LOG.debug("LDAP search for primary group by SID '" + primaryGroupSID + "', found '" + primaryGroup + "'.");
                         }
                         if (primaryGroup == null) {
                             //or exception?
@@ -587,11 +585,7 @@ private String getPrimaryGroupSID(final SearchResult ldapUser) throws NamingExce
         final Object objSID = ldapUser.getAttributes().get(search.getSearchAccount().getSearchAttribute(LDAPSearchAttributeKey.OBJECT_SID)).get();
         final String strObjectSid;
         if (objSID instanceof String) {
-            if (objSID.toString().lastIndexOf('-') == -1) {
-                strObjectSid = decodeSID(((String)objSID).getBytes());
-            } else {
-                strObjectSid = objSID.toString();
-            }
+            strObjectSid = objSID.toString();
         } else {
             strObjectSid = decodeSID((byte[])objSID);
         }

diff --git a/extensions/security/ldap/src/org/exist/security/realm/ldap/LdapContextFactory.java b/extensions/security/ldap/src/org/exist/security/realm/ldap/LdapContextFactory.java
@@ -22,6 +22,7 @@
 package org.exist.security.realm.ldap;
 
 import java.text.MessageFormat;
+import java.util.HashMap;
 import java.util.Hashtable;
 import java.util.Map;
 import javax.naming.Context;
@@ -88,12 +89,13 @@ public LdapContextFactory(final Configuration config) {
     public LdapContext getSystemLdapContext() throws NamingException {
             return getLdapContext(systemUsername, systemPassword);
     }
-
+    
     public LdapContext getLdapContext(final String username, final String password) throws NamingException {
         return getLdapContext(username, password, null);
     }
 
     public LdapContext getLdapContext(String username, final String password, final Map<String, Object>additionalEnv) throws NamingException {
+
         if (url == null) {
             throw new IllegalStateException("An LDAP URL must be specified of the form ldap://<hostname>:<port>");
         }
@@ -120,6 +122,9 @@ public LdapContext getLdapContext(String username, final String password, final
         env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactoryClassName);
         env.put(Context.PROVIDER_URL, url);
 
+        //Absolutely nessecary for working with Active Directory
+        env.put("java.naming.ldap.attributes.binary", "objectSid");
+
         // the following is helpful in debugging errors
         //env.put("com.sun.jndi.ldap.trace.ber", System.err);