Class LdapManager

java.lang.Object
org.codelibs.fess.ldap.LdapManager

public class LdapManager extends Object
Manages LDAP connections and operations.
  • Field Details

    • contextLocal

      protected ThreadLocal<LdapManager.DirContextHolder> contextLocal
      A thread-local variable to hold the directory context.
    • isBind

      protected volatile boolean isBind
      A flag to indicate if the LDAP connection is bound.
    • fessConfig

      protected org.codelibs.fess.mylasta.direction.FessConfig fessConfig
      The Fess configuration.
  • Constructor Details

    • LdapManager

      public LdapManager()
      Default constructor.
  • Method Details

    • init

      @PostConstruct public void init()
      Initializes the LDAP manager.
    • createEnvironment

      protected Hashtable<String,String> createEnvironment(String initialContextFactory, String securityAuthentication, String providerUrl, String principal, String credntials)
      Creates the environment for LDAP connection.
      Parameters:
      initialContextFactory - The initial context factory.
      securityAuthentication - The security authentication.
      providerUrl - The provider URL.
      principal - The principal.
      credntials - The credentials.
      Returns:
      The environment for LDAP connection.
    • putEnv

      protected void putEnv(Hashtable<String,String> env, String key, String value)
      Puts a key-value pair to the environment.
      Parameters:
      env - The environment.
      key - The key.
      value - The value.
    • createAdminEnv

      protected Hashtable<String,String> createAdminEnv()
      Creates the admin environment for LDAP connection.
      Returns:
      The admin environment for LDAP connection.
    • createSearchEnv

      protected Hashtable<String,String> createSearchEnv(String username, String password)
      Creates the search environment for LDAP connection.
      Parameters:
      username - The username.
      password - The password.
      Returns:
      The search environment for LDAP connection.
    • createSearchEnv

      protected Hashtable<String,String> createSearchEnv()
      Creates the search environment for LDAP connection.
      Returns:
      The search environment for LDAP connection.
    • updateConfig

      public void updateConfig()
      Updates the LDAP configuration.
    • validate

      protected boolean validate()
      Validates the LDAP connection.
      Returns:
      True if the LDAP connection is valid, otherwise false.
    • login

      public org.dbflute.optional.OptionalEntity<FessUser> login(String username, String password)
      Authenticates a user with the specified username and password against LDAP.
      Parameters:
      username - the username for authentication
      password - the password for authentication
      Returns:
      an optional containing the authenticated user if successful, empty otherwise
    • login

      public org.dbflute.optional.OptionalEntity<FessUser> login(String username)
      Authenticates a user with the specified username without password validation.
      Parameters:
      username - the username for authentication
      Returns:
      an optional containing the authenticated user if successful, empty otherwise
    • allowEmptyGroupAndRole

      protected boolean allowEmptyGroupAndRole(LdapUser ldapUser)
      Checks if the specified LDAP user is allowed to have empty group and role permissions.
      Parameters:
      ldapUser - the LDAP user to check
      Returns:
      true if empty permissions are allowed, false otherwise
    • createLdapUser

      protected LdapUser createLdapUser(String username, Hashtable<String,String> env)
      Creates a new LDAP user instance with the specified username and environment.
      Parameters:
      username - the username for the LDAP user
      env - the environment configuration for LDAP connection
      Returns:
      a new LdapUser instance
    • getRoles

      public String[] getRoles(LdapUser ldapUser, String bindDn, String accountFilter, String groupFilter, Consumer<String[]> lazyLoading)
      Retrieves roles for the specified LDAP user based on the provided filters.
      Parameters:
      ldapUser - the LDAP user to retrieve roles for
      bindDn - the bind DN for LDAP connection
      accountFilter - the account filter pattern
      groupFilter - the group filter pattern
      lazyLoading - the lazy loading consumer for roles
      Returns:
      an array of role names
    • getSAMAccountGroupName

      protected org.dbflute.optional.OptionalEntity<String> getSAMAccountGroupName(String bindDn, String groupName)
      Gets the sAMAccountName for a group from the LDAP directory.
      Parameters:
      bindDn - the bind DN to search within
      groupName - the name of the group to search for
      Returns:
      an optional containing the sAMAccountName if found, empty otherwise
    • processSubRoles

      protected void processSubRoles(LdapUser ldapUser, String bindDn, Set<String> subRoleSet, String groupFilter, Set<String> roleSet)
      Processes sub-roles for the specified LDAP user.
      Parameters:
      ldapUser - the LDAP user to process sub-roles for
      bindDn - the bind DN for LDAP connection
      subRoleSet - the set of sub-roles to process
      groupFilter - the group filter pattern
      roleSet - the set of roles to update
    • updateSearchRoles

      protected String updateSearchRoles(Set<String> roleSet, String entryDn, String name)
      Updates the role set with search roles based on the entry DN and name.
      Parameters:
      roleSet - the set of roles to update
      entryDn - the entry DN to check
      name - the role name
      Returns:
      the role type prefix if successful, null otherwise
    • escapeLDAPSearchFilter

      @Deprecated protected String escapeLDAPSearchFilter(String filter)
      Deprecated.
      Escapes special characters in an LDAP search filter to prevent LDAP injection attacks.
      Parameters:
      filter - the LDAP search filter to escape (null is treated as empty string)
      Returns:
      the escaped filter string safe for use in LDAP queries (empty string if filter is null)
      See Also:
    • normalizePermissionName

      public String normalizePermissionName(String name)
      Normalizes a permission name based on configuration settings.
      Parameters:
      name - the permission name to normalize
      Returns:
      the normalized permission name
    • processSearchRoles

      protected void processSearchRoles(List<SearchResult> result, BiConsumer<String,String> consumer) throws NamingException
      Processes search results to extract roles using a BiConsumer.
      Parameters:
      result - the list of search results
      consumer - the BiConsumer to process entry DN and role name
      Throws:
      NamingException - if LDAP naming exception occurs
    • processSearchRoles

      protected void processSearchRoles(List<SearchResult> result, Consumer<String> consumer) throws NamingException
      Processes search results to extract roles using a Consumer.
      Parameters:
      result - the list of search results
      consumer - the Consumer to process entry DN
      Throws:
      NamingException - if LDAP naming exception occurs
    • getSearchRoleName

      protected String getSearchRoleName(String entryDn)
      Extracts the role name from an LDAP entry DN.
      Parameters:
      entryDn - the LDAP entry DN
      Returns:
      the extracted role name, or null if not found
    • replaceWithUnderscores

      protected String replaceWithUnderscores(String value)
      Replaces special characters in a string with underscores for group names.
      Parameters:
      value - the string to process
      Returns:
      the string with special characters replaced by underscores
    • setAttributeValue

      protected void setAttributeValue(List<SearchResult> result, String name, Consumer<Object> consumer)
      Sets an attribute value from search results using a Consumer.
      Parameters:
      result - the list of search results
      name - the attribute name
      consumer - the Consumer to process the attribute value
    • getAttributeValueList

      protected List<Object> getAttributeValueList(List<SearchResult> result, String name)
      Gets a list of attribute values from search results.
      Parameters:
      result - the list of search results
      name - the attribute name
      Returns:
      a list of attribute values
    • apply

      public void apply(org.codelibs.fess.opensearch.user.exentity.User user)
      Applies LDAP attributes to a user object.
      Parameters:
      user - the user object to populate with LDAP attributes
    • insert

      public void insert(org.codelibs.fess.opensearch.user.exentity.User user)
      Inserts or updates a user in LDAP directory.
      Parameters:
      user - the user object to insert or update
    • modifyUserAttributes

      protected void modifyUserAttributes(org.codelibs.fess.opensearch.user.exentity.User user, Supplier<Hashtable<String,String>> adminEnv, String userDN, List<SearchResult> result)
      Modifies user attributes in the LDAP directory.
      Parameters:
      user - the user object with new attribute values
      adminEnv - the supplier for admin environment
      userDN - the DN of the user entry
      result - the search results containing current attributes
    • addUserAttributes

      protected void addUserAttributes(BasicAttributes entry, org.codelibs.fess.opensearch.user.exentity.User user)
      Adds user attributes to the LDAP entry for user creation.
      Parameters:
      entry - the BasicAttributes to add user attributes to
      user - the user object containing attribute values
    • validateUserAttributes

      public void validateUserAttributes(Class<?> type, Map<String,String> attributes, Consumer<String> consumer)
      Validates user attributes for the specified type.
      Parameters:
      type - the class type to validate for
      attributes - the map of attribute names to values
      consumer - the consumer to handle validation errors
    • delete

      public void delete(org.codelibs.fess.opensearch.user.exentity.User user)
      Deletes a user from the LDAP directory.
      Parameters:
      user - the user object to delete
    • insert

      public void insert(org.codelibs.fess.opensearch.user.exentity.Role role)
      Inserts or updates a role in the LDAP directory.
      Parameters:
      role - the role object to insert or update
    • addRoleAttributes

      protected void addRoleAttributes(BasicAttributes entry, org.codelibs.fess.opensearch.user.exentity.Role user)
      Adds role attributes to the LDAP entry for role creation.
      Parameters:
      entry - the BasicAttributes to add role attributes to
      user - the role object containing attribute values
    • delete

      public void delete(org.codelibs.fess.opensearch.user.exentity.Role role)
      Deletes a role from the LDAP directory.
      Parameters:
      role - the role object to delete
    • apply

      public void apply(org.codelibs.fess.opensearch.user.exentity.Group group)
      Applies LDAP attributes to a group object.
      Parameters:
      group - the group object to populate with LDAP attributes
    • insert

      public void insert(org.codelibs.fess.opensearch.user.exentity.Group group)
      Inserts or updates a group in the LDAP directory.
      Parameters:
      group - the group object to insert or update
    • modifyGroupAttributes

      protected void modifyGroupAttributes(org.codelibs.fess.opensearch.user.exentity.Group group, Supplier<Hashtable<String,String>> adminEnv, String entryDN, List<SearchResult> result)
      Modifies group attributes in the LDAP directory.
      Parameters:
      group - the group object with new attribute values
      adminEnv - the supplier for admin environment
      entryDN - the DN of the group entry
      result - the search results containing current attributes
    • addGroupAttributes

      protected void addGroupAttributes(BasicAttributes entry, org.codelibs.fess.opensearch.user.exentity.Group group)
      Adds group attributes to the LDAP entry for group creation.
      Parameters:
      entry - the BasicAttributes to add group attributes to
      group - the group object containing attribute values
    • validateGroupAttributes

      public void validateGroupAttributes(Class<?> type, Map<String,String> attributes, Consumer<String> consumer)
      Validates group attributes for the specified type.
      Parameters:
      type - the class type to validate for
      attributes - the map of attribute names to values
      consumer - the consumer to handle validation errors
    • delete

      public void delete(org.codelibs.fess.opensearch.user.exentity.Group group)
      Deletes a group from the LDAP directory.
      Parameters:
      group - the group object to delete
    • changePassword

      public boolean changePassword(String username, String password)
      Changes the password for a user in the LDAP directory.

      This method performs the following validations:

      • Checks if username and password are not blank
      • Verifies LDAP admin is enabled for the user
      • Confirms the user exists in LDAP directory
      Parameters:
      username - the username of the user (must not be null or blank)
      password - the new password (must not be null or blank)
      Returns:
      true if the password was changed successfully, false otherwise
      Throws:
      LdapOperationException - if the user is not found in LDAP
    • insert

      protected void insert(String entryDN, Attributes entry, Supplier<Hashtable<String,String>> envSupplier)
      Inserts a new entry into the LDAP directory.
      Parameters:
      entryDN - the DN of the entry to insert
      entry - the attributes of the entry
      envSupplier - the supplier for environment configuration
    • delete

      protected void delete(String entryDN, Supplier<Hashtable<String,String>> envSupplier)
      Deletes an entry from the LDAP directory.
      Parameters:
      entryDN - the DN of the entry to delete
      envSupplier - the supplier for environment configuration
    • search

      protected void search(String baseDn, String filter, String[] returningAttrs, Supplier<Hashtable<String,String>> envSupplier, org.codelibs.fess.ldap.LdapManager.SearchConsumer consumer)
      Searches the LDAP directory with the specified parameters.
      Parameters:
      baseDn - the base DN for the search
      filter - the search filter
      returningAttrs - the attributes to return from the search
      envSupplier - the supplier for environment configuration
      consumer - the consumer to handle search results
    • modifyAddEntry

      protected void modifyAddEntry(List<ModificationItem> modifyList, String name, String value)
      Modifies an entry by adding a new attribute.
      Parameters:
      modifyList - The list of modification items.
      name - The name of the attribute.
      value - The value of the attribute.
    • modifyReplaceEntry

      protected void modifyReplaceEntry(List<ModificationItem> modifyList, String name, String value)
      Modifies an entry by replacing an attribute.
      Parameters:
      modifyList - The list of modification items.
      name - The name of the attribute.
      value - The value of the attribute.
    • modifyDeleteEntry

      protected void modifyDeleteEntry(List<ModificationItem> modifyList, String name, Object value)
      Modifies an entry by deleting an attribute.
      Parameters:
      modifyList - The list of modification items.
      name - The name of the attribute.
      value - The value of the attribute.
    • modify

      protected void modify(String dn, List<ModificationItem> modifyList, Supplier<Hashtable<String,String>> envSupplier)
      Modifies an entry.
      Parameters:
      dn - The DN of the entry.
      modifyList - The list of modification items.
      envSupplier - The environment supplier.
    • getDirContext

      protected LdapManager.DirContextHolder getDirContext(Supplier<Hashtable<String,String>> envSupplier)
      Gets the directory context.
      Parameters:
      envSupplier - The environment supplier.
      Returns:
      The directory context holder.