Package org.codelibs.fess.ldap
Class LdapManager
java.lang.Object
org.codelibs.fess.ldap.LdapManager
Manages LDAP connections and operations.
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionprotected classA holder for the directory context. -
Field Summary
FieldsModifier and TypeFieldDescriptionprotected ThreadLocal<LdapManager.DirContextHolder> A thread-local variable to hold the directory context.protected org.codelibs.fess.mylasta.direction.FessConfigThe Fess configuration.protected booleanA flag to indicate if the LDAP connection is bound. -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected voidaddGroupAttributes(BasicAttributes entry, org.codelibs.fess.opensearch.user.exentity.Group group) Adds group attributes to the LDAP entry for group creation.protected voidaddRoleAttributes(BasicAttributes entry, org.codelibs.fess.opensearch.user.exentity.Role user) Adds role attributes to the LDAP entry for role creation.protected voidaddUserAttributes(BasicAttributes entry, org.codelibs.fess.opensearch.user.exentity.User user) Adds user attributes to the LDAP entry for user creation.protected booleanallowEmptyGroupAndRole(LdapUser ldapUser) Checks if the specified LDAP user is allowed to have empty group and role permissions.voidapply(org.codelibs.fess.opensearch.user.exentity.Group group) Applies LDAP attributes to a group object.voidapply(org.codelibs.fess.opensearch.user.exentity.User user) Applies LDAP attributes to a user object.booleanchangePassword(String username, String password) Changes the password for a user in the LDAP directory.Creates the admin environment for LDAP connection.createEnvironment(String initialContextFactory, String securityAuthentication, String providerUrl, String principal, String credntials) Creates the environment for LDAP connection.protected LdapUsercreateLdapUser(String username, Hashtable<String, String> env) Creates a new LDAP user instance with the specified username and environment.Creates the search environment for LDAP connection.createSearchEnv(String username, String password) Creates the search environment for LDAP connection.protected voidDeletes an entry from the LDAP directory.voiddelete(org.codelibs.fess.opensearch.user.exentity.Group group) Deletes a group from the LDAP directory.voiddelete(org.codelibs.fess.opensearch.user.exentity.Role role) Deletes a role from the LDAP directory.voiddelete(org.codelibs.fess.opensearch.user.exentity.User user) Deletes a user from the LDAP directory.protected StringescapeLDAPSearchFilter(String filter) Deprecated.getAttributeValueList(List<SearchResult> result, String name) Gets a list of attribute values from search results.protected LdapManager.DirContextHoldergetDirContext(Supplier<Hashtable<String, String>> envSupplier) Gets the directory context.String[]getRoles(LdapUser ldapUser, String bindDn, String accountFilter, String groupFilter, Consumer<String[]> lazyLoading) Retrieves roles for the specified LDAP user based on the provided filters.protected org.dbflute.optional.OptionalEntity<String> getSAMAccountGroupName(String bindDn, String groupName) Gets the sAMAccountName for a group from the LDAP directory.protected StringgetSearchRoleName(String entryDn) Extracts the role name from an LDAP entry DN.voidinit()Initializes the LDAP manager.protected voidInserts a new entry into the LDAP directory.voidinsert(org.codelibs.fess.opensearch.user.exentity.Group group) Inserts or updates a group in the LDAP directory.voidinsert(org.codelibs.fess.opensearch.user.exentity.Role role) Inserts or updates a role in the LDAP directory.voidinsert(org.codelibs.fess.opensearch.user.exentity.User user) Inserts or updates a user in LDAP directory.org.dbflute.optional.OptionalEntity<FessUser> Authenticates a user with the specified username without password validation.org.dbflute.optional.OptionalEntity<FessUser> Authenticates a user with the specified username and password against LDAP.protected voidmodify(String dn, List<ModificationItem> modifyList, Supplier<Hashtable<String, String>> envSupplier) Modifies an entry.protected voidmodifyAddEntry(List<ModificationItem> modifyList, String name, String value) Modifies an entry by adding a new attribute.protected voidmodifyDeleteEntry(List<ModificationItem> modifyList, String name, Object value) Modifies an entry by deleting an attribute.protected voidmodifyGroupAttributes(org.codelibs.fess.opensearch.user.exentity.Group group, Supplier<Hashtable<String, String>> adminEnv, String entryDN, List<SearchResult> result) Modifies group attributes in the LDAP directory.protected voidmodifyReplaceEntry(List<ModificationItem> modifyList, String name, String value) Modifies an entry by replacing an attribute.protected voidmodifyUserAttributes(org.codelibs.fess.opensearch.user.exentity.User user, Supplier<Hashtable<String, String>> adminEnv, String userDN, List<SearchResult> result) Modifies user attributes in the LDAP directory.Normalizes a permission name based on configuration settings.protected voidprocessSearchRoles(List<SearchResult> result, BiConsumer<String, String> consumer) Processes search results to extract roles using a BiConsumer.protected voidprocessSearchRoles(List<SearchResult> result, Consumer<String> consumer) Processes search results to extract roles using a Consumer.protected voidprocessSubRoles(LdapUser ldapUser, String bindDn, Set<String> subRoleSet, String groupFilter, Set<String> roleSet) Processes sub-roles for the specified LDAP user.protected voidPuts a key-value pair to the environment.protected StringreplaceWithUnderscores(String value) Replaces special characters in a string with underscores for group names.protected voidsearch(String baseDn, String filter, String[] returningAttrs, Supplier<Hashtable<String, String>> envSupplier, org.codelibs.fess.ldap.LdapManager.SearchConsumer consumer) Searches the LDAP directory with the specified parameters.protected voidsetAttributeValue(List<SearchResult> result, String name, Consumer<Object> consumer) Sets an attribute value from search results using a Consumer.voidUpdates the LDAP configuration.protected StringupdateSearchRoles(Set<String> roleSet, String entryDn, String name) Updates the role set with search roles based on the entry DN and name.protected booleanvalidate()Validates the LDAP connection.voidValidates group attributes for the specified type.voidValidates user attributes for the specified type.
-
Field Details
-
contextLocal
A thread-local variable to hold the directory context. -
isBind
protected volatile boolean isBindA flag to indicate if the LDAP connection is bound. -
fessConfig
protected org.codelibs.fess.mylasta.direction.FessConfig fessConfigThe Fess configuration.
-
-
Constructor Details
-
LdapManager
public LdapManager()Default constructor.
-
-
Method Details
-
init
@PostConstruct public void init()Initializes the LDAP manager. -
createEnvironment
protected Hashtable<String,String> createEnvironment(String initialContextFactory, String securityAuthentication, String providerUrl, String principal, String credntials) Creates the environment for LDAP connection.- Parameters:
initialContextFactory- The initial context factory.securityAuthentication- The security authentication.providerUrl- The provider URL.principal- The principal.credntials- The credentials.- Returns:
- The environment for LDAP connection.
-
putEnv
Puts a key-value pair to the environment.- Parameters:
env- The environment.key- The key.value- The value.
-
createAdminEnv
Creates the admin environment for LDAP connection.- Returns:
- The admin environment for LDAP connection.
-
createSearchEnv
Creates the search environment for LDAP connection.- Parameters:
username- The username.password- The password.- Returns:
- The search environment for LDAP connection.
-
createSearchEnv
Creates the search environment for LDAP connection.- Returns:
- The search environment for LDAP connection.
-
updateConfig
public void updateConfig()Updates the LDAP configuration. -
validate
protected boolean validate()Validates the LDAP connection.- Returns:
- True if the LDAP connection is valid, otherwise false.
-
login
Authenticates a user with the specified username and password against LDAP.- Parameters:
username- the username for authenticationpassword- the password for authentication- Returns:
- an optional containing the authenticated user if successful, empty otherwise
-
login
Authenticates a user with the specified username without password validation.- Parameters:
username- the username for authentication- Returns:
- an optional containing the authenticated user if successful, empty otherwise
-
allowEmptyGroupAndRole
Checks if the specified LDAP user is allowed to have empty group and role permissions.- Parameters:
ldapUser- the LDAP user to check- Returns:
- true if empty permissions are allowed, false otherwise
-
createLdapUser
Creates a new LDAP user instance with the specified username and environment.- Parameters:
username- the username for the LDAP userenv- the environment configuration for LDAP connection- Returns:
- a new LdapUser instance
-
getRoles
public String[] getRoles(LdapUser ldapUser, String bindDn, String accountFilter, String groupFilter, Consumer<String[]> lazyLoading) Retrieves roles for the specified LDAP user based on the provided filters.- Parameters:
ldapUser- the LDAP user to retrieve roles forbindDn- the bind DN for LDAP connectionaccountFilter- the account filter patterngroupFilter- the group filter patternlazyLoading- the lazy loading consumer for roles- Returns:
- an array of role names
-
getSAMAccountGroupName
protected org.dbflute.optional.OptionalEntity<String> getSAMAccountGroupName(String bindDn, String groupName) Gets the sAMAccountName for a group from the LDAP directory.- Parameters:
bindDn- the bind DN to search withingroupName- the name of the group to search for- Returns:
- an optional containing the sAMAccountName if found, empty otherwise
-
processSubRoles
protected void processSubRoles(LdapUser ldapUser, String bindDn, Set<String> subRoleSet, String groupFilter, Set<String> roleSet) Processes sub-roles for the specified LDAP user.- Parameters:
ldapUser- the LDAP user to process sub-roles forbindDn- the bind DN for LDAP connectionsubRoleSet- the set of sub-roles to processgroupFilter- the group filter patternroleSet- the set of roles to update
-
updateSearchRoles
Updates the role set with search roles based on the entry DN and name.- Parameters:
roleSet- the set of roles to updateentryDn- the entry DN to checkname- the role name- Returns:
- the role type prefix if successful, null otherwise
-
escapeLDAPSearchFilter
Deprecated.UseLdapUtil.escapeValue(String)insteadEscapes special characters in an LDAP search filter to prevent LDAP injection attacks.- Parameters:
filter- the LDAP search filter to escape (null is treated as empty string)- Returns:
- the escaped filter string safe for use in LDAP queries (empty string if filter is null)
- See Also:
-
normalizePermissionName
Normalizes a permission name based on configuration settings.- Parameters:
name- the permission name to normalize- Returns:
- the normalized permission name
-
processSearchRoles
protected void processSearchRoles(List<SearchResult> result, BiConsumer<String, String> consumer) throws NamingExceptionProcesses search results to extract roles using a BiConsumer.- Parameters:
result- the list of search resultsconsumer- the BiConsumer to process entry DN and role name- Throws:
NamingException- if LDAP naming exception occurs
-
processSearchRoles
protected void processSearchRoles(List<SearchResult> result, Consumer<String> consumer) throws NamingException Processes search results to extract roles using a Consumer.- Parameters:
result- the list of search resultsconsumer- the Consumer to process entry DN- Throws:
NamingException- if LDAP naming exception occurs
-
getSearchRoleName
Extracts the role name from an LDAP entry DN.- Parameters:
entryDn- the LDAP entry DN- Returns:
- the extracted role name, or null if not found
-
replaceWithUnderscores
Replaces special characters in a string with underscores for group names.- Parameters:
value- the string to process- Returns:
- the string with special characters replaced by underscores
-
setAttributeValue
Sets an attribute value from search results using a Consumer.- Parameters:
result- the list of search resultsname- the attribute nameconsumer- the Consumer to process the attribute value
-
getAttributeValueList
Gets a list of attribute values from search results.- Parameters:
result- the list of search resultsname- the attribute name- Returns:
- a list of attribute values
-
apply
public void apply(org.codelibs.fess.opensearch.user.exentity.User user) Applies LDAP attributes to a user object.- Parameters:
user- the user object to populate with LDAP attributes
-
insert
public void insert(org.codelibs.fess.opensearch.user.exentity.User user) Inserts or updates a user in LDAP directory.- Parameters:
user- the user object to insert or update
-
modifyUserAttributes
protected void modifyUserAttributes(org.codelibs.fess.opensearch.user.exentity.User user, Supplier<Hashtable<String, String>> adminEnv, String userDN, List<SearchResult> result) Modifies user attributes in the LDAP directory.- Parameters:
user- the user object with new attribute valuesadminEnv- the supplier for admin environmentuserDN- the DN of the user entryresult- the search results containing current attributes
-
addUserAttributes
protected void addUserAttributes(BasicAttributes entry, org.codelibs.fess.opensearch.user.exentity.User user) Adds user attributes to the LDAP entry for user creation.- Parameters:
entry- the BasicAttributes to add user attributes touser- the user object containing attribute values
-
validateUserAttributes
public void validateUserAttributes(Class<?> type, Map<String, String> attributes, Consumer<String> consumer) Validates user attributes for the specified type.- Parameters:
type- the class type to validate forattributes- the map of attribute names to valuesconsumer- the consumer to handle validation errors
-
delete
public void delete(org.codelibs.fess.opensearch.user.exentity.User user) Deletes a user from the LDAP directory.- Parameters:
user- the user object to delete
-
insert
public void insert(org.codelibs.fess.opensearch.user.exentity.Role role) Inserts or updates a role in the LDAP directory.- Parameters:
role- the role object to insert or update
-
addRoleAttributes
protected void addRoleAttributes(BasicAttributes entry, org.codelibs.fess.opensearch.user.exentity.Role user) Adds role attributes to the LDAP entry for role creation.- Parameters:
entry- the BasicAttributes to add role attributes touser- the role object containing attribute values
-
delete
public void delete(org.codelibs.fess.opensearch.user.exentity.Role role) Deletes a role from the LDAP directory.- Parameters:
role- the role object to delete
-
apply
public void apply(org.codelibs.fess.opensearch.user.exentity.Group group) Applies LDAP attributes to a group object.- Parameters:
group- the group object to populate with LDAP attributes
-
insert
public void insert(org.codelibs.fess.opensearch.user.exentity.Group group) Inserts or updates a group in the LDAP directory.- Parameters:
group- the group object to insert or update
-
modifyGroupAttributes
protected void modifyGroupAttributes(org.codelibs.fess.opensearch.user.exentity.Group group, Supplier<Hashtable<String, String>> adminEnv, String entryDN, List<SearchResult> result) Modifies group attributes in the LDAP directory.- Parameters:
group- the group object with new attribute valuesadminEnv- the supplier for admin environmententryDN- the DN of the group entryresult- the search results containing current attributes
-
addGroupAttributes
protected void addGroupAttributes(BasicAttributes entry, org.codelibs.fess.opensearch.user.exentity.Group group) Adds group attributes to the LDAP entry for group creation.- Parameters:
entry- the BasicAttributes to add group attributes togroup- the group object containing attribute values
-
validateGroupAttributes
public void validateGroupAttributes(Class<?> type, Map<String, String> attributes, Consumer<String> consumer) Validates group attributes for the specified type.- Parameters:
type- the class type to validate forattributes- the map of attribute names to valuesconsumer- the consumer to handle validation errors
-
delete
public void delete(org.codelibs.fess.opensearch.user.exentity.Group group) Deletes a group from the LDAP directory.- Parameters:
group- the group object to delete
-
changePassword
Changes the password for a user in the LDAP directory.This method performs the following validations:
- Checks if username and password are not blank
- Verifies LDAP admin is enabled for the user
- Confirms the user exists in LDAP directory
- Parameters:
username- the username of the user (must not be null or blank)password- the new password (must not be null or blank)- Returns:
- true if the password was changed successfully, false otherwise
- Throws:
LdapOperationException- if the user is not found in LDAP
-
insert
protected void insert(String entryDN, Attributes entry, Supplier<Hashtable<String, String>> envSupplier) Inserts a new entry into the LDAP directory.- Parameters:
entryDN- the DN of the entry to insertentry- the attributes of the entryenvSupplier- the supplier for environment configuration
-
delete
Deletes an entry from the LDAP directory.- Parameters:
entryDN- the DN of the entry to deleteenvSupplier- the supplier for environment configuration
-
search
protected void search(String baseDn, String filter, String[] returningAttrs, Supplier<Hashtable<String, String>> envSupplier, org.codelibs.fess.ldap.LdapManager.SearchConsumer consumer) Searches the LDAP directory with the specified parameters.- Parameters:
baseDn- the base DN for the searchfilter- the search filterreturningAttrs- the attributes to return from the searchenvSupplier- the supplier for environment configurationconsumer- the consumer to handle search results
-
modifyAddEntry
Modifies an entry by adding a new attribute.- Parameters:
modifyList- The list of modification items.name- The name of the attribute.value- The value of the attribute.
-
modifyReplaceEntry
Modifies an entry by replacing an attribute.- Parameters:
modifyList- The list of modification items.name- The name of the attribute.value- The value of the attribute.
-
modifyDeleteEntry
Modifies an entry by deleting an attribute.- Parameters:
modifyList- The list of modification items.name- The name of the attribute.value- The value of the attribute.
-
modify
protected void modify(String dn, List<ModificationItem> modifyList, Supplier<Hashtable<String, String>> envSupplier) Modifies an entry.- Parameters:
dn- The DN of the entry.modifyList- The list of modification items.envSupplier- The environment supplier.
-
getDirContext
protected LdapManager.DirContextHolder getDirContext(Supplier<Hashtable<String, String>> envSupplier) Gets the directory context.- Parameters:
envSupplier- The environment supplier.- Returns:
- The directory context holder.
-
LdapUtil.escapeValue(String)instead