1   /**
2    * Originally contributed by eMation (www.emation.pt)
3    */
4   package org.itracker.services.authentication.adsson;
5   
import org.apache.log4j.Logger;
import org.itracker.model.User;

import javax.naming.Context;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.security.PrivilegedAction;
import java.util.Enumeration;
import java.util.Hashtable;
17  
18  //TODO: Add Javadocs here
19  
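/**
 * Looks up an Active Directory account by its {@code sAMAccountName} and maps the
 * directory entry onto an ITracker {@link User}.
 *
 * <p>The action is meant to run inside {@code Subject.doAs(...)}: the LDAP bind uses the
 * GSSAPI SASL mechanism and therefore reuses the Kerberos credentials already attached to
 * the current subject. {@link #run()} returns the populated {@code User}, or {@code null}
 * when the account is not found, the directory does not return the required attributes,
 * or the lookup fails with a {@link NamingException}.
 *
 * <p>Super-user status is granted only when the account's {@code memberOf} contains a DN
 * whose leftmost RDN is {@code CN=} followed exactly by {@value #ITRACKER_SUPER_USERS_GROUP}.
 *
 * @author ricardo
 */
public class GetUserModelFromADPrivilegedAction implements PrivilegedAction<Object> {

    /** CN of the AD group whose members are made ITracker super users. */
    private static final String ITRACKER_SUPER_USERS_GROUP = "ITracker Super Users";

    /**
     * The only attributes requested from the directory. Limiting the returned set keeps
     * unrelated account data out of the debug log below and reduces the size of the reply.
     */
    private static final String[] RETURNED_ATTRIBUTES = {"mail", "givenName", "sn", "memberOf"};

    private final Logger logger;
    private final String login;
    private final String providerUrl;
    private final String baseBranch;

    /**
     * @param login       {@code sAMAccountName} of the account to resolve. Treated as untrusted:
     *                    it is handed to the directory as a filter argument, never concatenated
     *                    into the filter string.
     * @param baseBranch  DN of the subtree that is searched
     * @param providerUrl LDAP provider URL; must use the fully qualified hostname so that the
     *                    Kerberos service ticket matches the server
     */
    public GetUserModelFromADPrivilegedAction(String login, String baseBranch, String providerUrl) {
        this.logger = Logger.getLogger(getClass());
        this.login = login;
        this.providerUrl = providerUrl;
        this.baseBranch = baseBranch;
    }

    /**
     * Runs the directory lookup.
     *
     * @return the populated {@link User}, or {@code null} if the account could not be resolved
     */
    public Object run() {
        try {
            return getUserInfo(login);
        } catch (NamingException e) {
            // Pass the exception itself so the stack trace (server, branch, SASL state) is kept.
            logger.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Opens the directory context and resolves the account, closing the context afterwards.
     *
     * @param login {@code sAMAccountName} to look up
     * @return the populated {@link User}, or {@code null} if not found / attributes missing
     * @throws NamingException on any directory error other than a partial result
     */
    private User getUserInfo(String login) throws NamingException {
        // Set up environment for creating initial context
        Hashtable<String, String> env = new Hashtable<String, String>(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Must use fully qualified hostname
        env.put(Context.PROVIDER_URL, providerUrl);
        // Request the use of the "GSSAPI" SASL mechanism
        // Authenticate by using already established Kerberos credentials
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");

        /* Create initial context */
        DirContext ctx = new InitialDirContext(env);
        try {
            return lookupUser(ctx, login);
        } finally {
            // Release the LDAP connection on every exit path, including exceptions.
            ctx.close();
        }
    }

    /**
     * Searches {@code baseBranch} for the account and builds the {@link User}.
     *
     * @param ctx   open directory context
     * @param login {@code sAMAccountName} to look up
     * @return the populated {@link User}, or {@code null} if not found / attributes missing
     * @throws NamingException on any directory error other than a partial result
     */
    private User lookupUser(DirContext ctx, String login) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setCountLimit(1);
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(RETURNED_ATTRIBUTES);

        // The login is supplied as filter argument {0}. JNDI encodes the argument per the
        // LDAP filter escaping rules, so characters with filter syntax meaning in the login
        // cannot change the structure of the query (the previous string concatenation could).
        String filter = "(&(objectclass=user)(sAMAccountName={0}))";
        NamingEnumeration<SearchResult> answer = ctx.search(baseBranch, filter, new Object[]{login}, sc);

        SearchResult sr;
        try {
            if (!answer.hasMore()) {
                logger.error("A.D. had no info on " + login);
                return null;
            }
            sr = answer.next();
            logger.info("A.D. had info on " + login);
        } catch (PartialResultException e) {
            // AD answers with referrals for other partitions; treat that as "not found".
            logger.error("A.D. had no info on " + login);
            return null;
        } finally {
            answer.close();
        }

        Attributes attributes = sr.getAttributes();

        // check that properties are present
        // active directory sometimes doesn't have "mail", so only givenName and sn are required
        Attribute givenName = attributes.get("givenName");
        Attribute sn = attributes.get("sn");
        if (givenName == null || sn == null) {
            logger.error("AD didn't return proper attributes. Check that it has at least [mail, givenName , sn]");
            return null;
        }

        // Use the same attribute id for the presence check and the read (was "mail" vs "Mail").
        String mail = firstValue(attributes.get("mail"));
        String firstName = firstValue(givenName);
        String lastName = firstValue(sn);
        logger.info("Got at least givenName and sn from A.D. for user " + login);

        // create user
        User user = new User();
        user.setEmail(mail);
        user.setFirstName(firstName);
        user.setLastName(lastName);
        user.setLogin(login);
        // Placeholder value; presumably authentication is done against AD, not this field.
        user.setPassword("notused=");

        // if user belongs to "ITracker Super Users" group
        // make him a super user
        user.setSuperUser(false);

        logger.info("About to check if user " + login + " is a super user");
        logger.debug("User attributes for user " + login + " " + attributes);
        Attribute memberOf = attributes.get("memberOf");
        if (memberOf != null) {
            NamingEnumeration<?> groups = memberOf.getAll();
            try {
                while (groups.hasMore()) {
                    String group = (String) groups.next();
                    logger.info(login + " belongs to NT Group " + group);
                    if (isSuperUserGroup(group)) {
                        user.setSuperUser(true);
                        logger.info("User " + user.getLogin() + " was made an administrator ");
                    }
                }
            } finally {
                groups.close();
            }
        } else {
            logger.info("User attributes didn't contain memberOf...Looks like the A.D. user you specified in the adauth.properties properties file doesn't have enough permissions to check group membership for other users. Give that user enough privileges to read the memberOf attribute from A.D.");
        }

        if (user.isSuperUser()) {
            logger.info(login + " is a super user");
        } else {
            logger.info(login + " is not a super user");
        }

        return user;
    }

    /**
     * Returns the first value of an attribute as a string, or {@code ""} when the attribute
     * is absent or has no values.
     *
     * @param attribute attribute from the search result, may be {@code null}
     * @return first value, or the empty string
     * @throws NamingException if the value cannot be retrieved
     */
    private static String firstValue(Attribute attribute) throws NamingException {
        if (attribute == null || attribute.size() == 0) {
            return "";
        }
        Object value = attribute.get();
        // AD returns these attributes as strings; a non-string value is a configuration error.
        return value == null ? "" : (String) value;
    }

    /**
     * Decides whether a {@code memberOf} DN denotes the super-user group.
     *
     * <p>Only the leftmost RDN is compared, and only when its type is {@code CN}. A substring
     * match on the whole DN (the previous behaviour) would also accept any group or container
     * whose name merely contained the super-user group name, which grants administrator
     * rights to members of unrelated groups.
     *
     * @param groupDn distinguished name as returned in {@code memberOf}
     * @return {@code true} if the DN's leftmost RDN is exactly {@code CN=<super-user group>}
     */
    static boolean isSuperUserGroup(String groupDn) {
        if (groupDn == null || groupDn.length() == 0) {
            return false;
        }
        try {
            LdapName dn = new LdapName(groupDn);
            if (dn.isEmpty()) {
                return false;
            }
            // LdapName indexes RDNs right to left, so the leftmost (most specific) one is last.
            Rdn leftmost = dn.getRdn(dn.size() - 1);
            return "CN".equalsIgnoreCase(leftmost.getType())
                    && ITRACKER_SUPER_USERS_GROUP.equals(String.valueOf(leftmost.getValue()));
        } catch (InvalidNameException e) {
            // Not a parseable DN, so it cannot name the group we are looking for.
            return false;
        }
    }
}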