diff --git a/README.md b/README.md
index 02ab9036..929b5662 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,12 @@
 # LDAP
+Friendly fork of https://github.com/cuba-platform/ldap-addon
+
+1. Added ability to avoid syncing of user information from ldap after user login.
+2. Fix login for old-style user names like _domain\user_
+
+____________________
+

license Build Status
diff --git a/build.gradle b/build.gradle
index 9b9fe0e3..4f0ee680 100644
--- a/build.gradle
+++ b/build.gradle
@@ -15,7 +15,7 @@
 */
 buildscript {
- ext.cubaVersion = rootProject.hasProperty('cubaVersion') ? rootProject['cubaVersion'] : '7.2-SNAPSHOT'
+ ext.cubaVersion = rootProject.hasProperty('cubaVersion') ? rootProject['cubaVersion'] : '7.2.7'
 repositories {
 mavenLocal()
 if (System.getenv('HAULMONT_REPOSITORY_URL')) {
@@ -59,8 +59,8 @@ apply(plugin: 'addon-gradle-plugin')
 cuba {
 artifact {
 group = 'com.haulmont.addon.ldap'
- version = '1.5'
- isSnapshot = true
+ version = '1.5.2f'
+ isSnapshot = false
 }
 tomcat {
 dir = "$project.rootDir/deploy/tomcat"
@@ -82,6 +82,12 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.'''
 }
+
+ uploadRepository {
+ url = uri("https://maven.pkg.github.com/sergeev-ms/ldap-addon")
+ user=project.findProperty("github.user") ?: System.getenv("GITHUB_USER")
+ password=project.findProperty("github.key") ?: System.getenv("GITHUB_TOKEN")
+ }
 }
 dependencies {
diff --git a/modules/core/src/com/haulmont/addon/ldap/core/dao/LdapUserDao.java b/modules/core/src/com/haulmont/addon/ldap/core/dao/LdapUserDao.java
index 3461c68c..702a0dd4 100644
--- a/modules/core/src/com/haulmont/addon/ldap/core/dao/LdapUserDao.java
+++ b/modules/core/src/com/haulmont/addon/ldap/core/dao/LdapUserDao.java
@@ -313,8 +313,6 @@ static boolean match(String loginString) {
 */
 class ActiveDirectoryDomain {
- private static final String CN_USERS = "CN=Users";
-
 final String nETBIOSName;
 final String nCName;
 final String dnsRoot;
@@ -339,6 +337,7 @@ LdapContextSource getLdapContextSource() {
 ldapContextSource.setPassword(ldapPropertiesConfig.getContextSourcePassword());
 ldapContextSource.setUrl(getUrl());
 ldapContextSource.setBase(nCName);
+ ldapContextSource.setReferral("follow");
 ldapContextSource.afterPropertiesSet();
 }
 return ldapContextSource;
@@ -362,11 +361,11 @@ List searchUser(String query, @Nullable SearchControls searchControls)
 searchControls.setCountLimit(1);
 }
- return getLdapTemplate().search(CN_USERS, query, new LdapUserMapper(ldapConfigDao.getLdapConfig()));
+ return getLdapTemplate().search(LdapUtils.emptyLdapName(), query, new LdapUserMapper(ldapConfigDao.getLdapConfig()));
 }
 boolean authenticate(String filter, String password) throws LoginException {
- return getLdapTemplate().authenticate(CN_USERS, filter, password,
+ return getLdapTemplate().authenticate(LdapUtils.emptyLdapName(), filter, password,
 (ctx, ldapEntryIdentification) -> {},
 e -> logger.error(String.format("Could not auth user by query: %s", filter), e));
 }
diff --git a/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java b/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java
index f4bf504b..cbd17b45 100644
--- a/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java
+++ b/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java
@@ -42,10 +42,7 @@
 import org.springframework.transaction.annotation.Transactional;
 import javax.inject.Inject;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Optional;
-import java.util.Set;
+import java.util.*;
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
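Review bot: `ldapContextSource.setReferral("follow")` is hard-coded and undocumented, and it changes the trust boundary of the bind: as far as I know the JNDI LDAP provider follows a referral by opening a connection to whatever server the referral names and, for a simple bind, re-sending the service credentials from `getContextSourcePassword()` to that server, so the password no longer goes only to the host behind `getUrl()`. That is presumably why the search base is widened to `LdapUtils.emptyLdapName()` in the next hunk and is reasonable inside one forest, but it should be stated in a comment and ideally be configurable instead of silently enabled for every deployment. Suggested comment: `// follow AD referrals so searches from the naming-context root resolve across the forest; note the bind credentials are re-sent to the referred DC`. getLdapContextSource() begins outside the hunk.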
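Review bot: The four explicit `java.util` imports in UserSynchronizationServiceBean are collapsed into `import java.util.*;` apparently only to bring in `Collections` for the new getExistingCubaUser method; the project otherwise uses explicit imports, and a wildcard here widens the chance of a name clash with the `com.haulmont` types this file imports. Keep the original four lines and add `import java.util.Collections;` next to them.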
@@ -232,6 +229,13 @@ public void synchronizeUsersFromLdap(List cubaUsers, List ldapUs
 }
+ @Override
+ public User getExistingCubaUser(String login){
+ return cubaUserDao.getCubaUsersByLogin(Collections.singletonList(login)).stream()
+ .filter(User::getActive)
+ .findFirst().orElse(null);
+ }
+
 private void copyLdapAttributesToCubaUser(LdapMatchingRuleContext ldapMatchingRuleContext,
 User syncUser,
 String login,
diff --git a/modules/global/src/com/haulmont/addon/ldap/config/LdapPropertiesConfig.java b/modules/global/src/com/haulmont/addon/ldap/config/LdapPropertiesConfig.java
index ed363db5..393d2302 100644
--- a/modules/global/src/com/haulmont/addon/ldap/config/LdapPropertiesConfig.java
+++ b/modules/global/src/com/haulmont/addon/ldap/config/LdapPropertiesConfig.java
@@ -83,6 +83,10 @@ public interface LdapPropertiesConfig extends Config {
 @Property("ldap.synchronizeCommonInfoFromLdap")
 Boolean getSynchronizeCommonInfoFromLdap();
+ @Source(type = SourceType.APP)
+ @Property("ldap.synchronizeInfoAfterLogin")
+ Boolean getSynchronizeInfoAfterLogin();
+
 void setContextSourceUrl(String contextSourceUrl);
 void setContextSourceBase(String contextSourceBase);
@@ -109,4 +113,6 @@ public interface LdapPropertiesConfig extends Config {
 void setSynchronizeCommonInfoFromLdap(Boolean synchronizeCommonInfoFromLdap);
+ void setSynchronizeInfoAfterLogin(Boolean synchronizeInfoAfterLogin);
+
 }
diff --git a/modules/global/src/com/haulmont/addon/ldap/service/UserSynchronizationService.java b/modules/global/src/com/haulmont/addon/ldap/service/UserSynchronizationService.java
index b2c9a8e3..3729bbb1 100644
--- a/modules/global/src/com/haulmont/addon/ldap/service/UserSynchronizationService.java
+++ b/modules/global/src/com/haulmont/addon/ldap/service/UserSynchronizationService.java
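Review bot: `.filter(User::getActive)` in getExistingCubaUser unboxes a `Boolean`, so if any row returned by `getCubaUsersByLogin(...)` has a null active flag the login path throws NullPointerException instead of treating that user as inactive; `.filter(u -> Boolean.TRUE.equals(u.getActive()))` gives the intended semantics. The method also returns null for "no active user with this login", which the caller in LdapAddonLoginProvider turns into LoginException.UserNotRegistered, so a Javadoc on the implementation stating that contract (active users only, null when absent) would help the next reader. Minor style: `String login){` wants a space before the brace.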
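Review bot: `getSynchronizeInfoAfterLogin()` declares no default, so when `ldap.synchronizeInfoAfterLogin` is absent from a deployment's properties the boxed `Boolean` is null and the `if (ldapPropertiesConfig.getSynchronizeInfoAfterLogin())` checks added in LdapAddonLoginProvider throw NullPointerException at login time. The addon's own web-app.properties sets it to true, but applications that override the property set lose that, and the failure mode is a broken login rather than a clear misconfiguration. Add `@DefaultBoolean(true)` beside `@Property("ldap.synchronizeInfoAfterLogin")` so an unset property keeps the previous behaviour (sync on every login), and a Javadoc line saying what false means: the LDAP account must already exist as an active CUBA user or login is refused.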
@@ -68,4 +68,5 @@ UserSynchronizationResultDto synchronizeUser(String login, boolean saveSynchroni
 */
 void synchronizeUsersFromLdap(List cubaUsers, List ldapUsers, List matchingRules);
+ User getExistingCubaUser(String login);
 }
diff --git a/modules/web/src/com/haulmont/addon/ldap/web-app.properties b/modules/web/src/com/haulmont/addon/ldap/web-app.properties
index 64ac161f..50a0769c 100644
--- a/modules/web/src/com/haulmont/addon/ldap/web-app.properties
+++ b/modules/web/src/com/haulmont/addon/ldap/web-app.properties
@@ -61,6 +61,7 @@ cuba.web.standardAuthenticationUsers = admin,anonymous
 ldap.expiringSessionNotificationCron = */30 * * * * *
 ldap.addonEnabled = true
 ldap.expiringSessionsEnable = false
+ldap.synchronizeInfoAfterLogin = true
 cuba.web.theme = halo
 cuba.web.loginScreenId=loginWindow
 cuba.web.mainScreenId=mainWindow
diff --git a/modules/web/src/com/haulmont/addon/ldap/web/messages.properties b/modules/web/src/com/haulmont/addon/ldap/web/messages.properties
index 63ed4342..1a1b37ad 100644
--- a/modules/web/src/com/haulmont/addon/ldap/web/messages.properties
+++ b/modules/web/src/com/haulmont/addon/ldap/web/messages.properties
@@ -30,3 +30,4 @@ menu-config.ldap$UserSynchronizationLog.browse=LDAP Log
 menu-config.ldap$LdapPropertiesConfig.edit=LDAP Config
 expiringSessionMessage=Your session is about to be closed
 LoginException.InactiveUserLoginAttempt=Authentication error. Please contact your system administrator.
+LoginException.UserNotRegistered=User is not registered in system. Please contact your system administrator.
diff --git a/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java b/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java
index 781e7d92..51c48956 100644
--- a/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java
+++ b/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java
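Review bot: `User getExistingCubaUser(String login);` is added without Javadoc, unlike the neighbouring synchronizeUsersFromLdap whose comment closes two lines above, and its contract is exactly what LdapAddonLoginProvider depends on when it throws LoginException.UserNotRegistered. Add `/** Returns the active CUBA user with the given login, or null if no active user has it; inactive accounts are ignored. */` above the declaration. Since the method is new and has a single caller in this diff, returning `Optional<User>` instead of null would also be in line with the interface's apparent style and make the absent case explicit.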
@@ -25,6 +25,7 @@
 import com.haulmont.cuba.core.global.Messages;
 import com.haulmont.cuba.core.sys.ConditionalOnAppProperty;
 import com.haulmont.cuba.security.auth.*;
+import com.haulmont.cuba.security.entity.User;
 import com.haulmont.cuba.security.global.LoginException;
 import com.haulmont.cuba.web.auth.WebAuthConfig;
 import com.haulmont.cuba.web.security.LoginProvider;
@@ -38,6 +39,7 @@
 import java.io.Serializable;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Objects;
 import static com.haulmont.cuba.web.security.ExternalUserCredentials.EXTERNAL_AUTH_USER_SESSION_ATTRIBUTE;
@@ -77,14 +79,16 @@ public AuthenticationDetails login(Credentials credentials) throws LoginExceptio
 return null;
 }
- if (RememberMeCredentials.class.isAssignableFrom(credentials.getClass())) {
- UserSynchronizationResultDto userSynchronizationResult =
- userSynchronizationService.synchronizeUser(((RememberMeCredentials) credentials).getLogin(), true, null, null, null);
- if (userSynchronizationResult.isInactiveUser()) {
- throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class,
- "LoginException.InactiveUserLoginAttempt", ((RememberMeCredentials) credentials).getLocale()));
+ if (ldapPropertiesConfig.getSynchronizeInfoAfterLogin()) {
+ if (RememberMeCredentials.class.isAssignableFrom(credentials.getClass())) {
+ UserSynchronizationResultDto userSynchronizationResult =
+ userSynchronizationService.synchronizeUser(((RememberMeCredentials) credentials).getLogin(), true, null, null, null);
+ if (userSynchronizationResult.isInactiveUser()) {
+ throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class,
+ "LoginException.InactiveUserLoginAttempt", ((RememberMeCredentials) credentials).getLocale()));
+ }
+ return null;
 }
- return null;
 }
 LoginPasswordCredentials loginPasswordCredentials = (LoginPasswordCredentials) credentials;
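Review bot: With `ldap.synchronizeInfoAfterLogin` set to false a RememberMeCredentials login no longer returns null before `LoginPasswordCredentials loginPasswordCredentials = (LoginPasswordCredentials) credentials;`, because the credential-type check was moved inside the new `if (ldapPropertiesConfig.getSynchronizeInfoAfterLogin())`; unless RememberMeCredentials is a LoginPasswordCredentials subtype (as far as I can tell it is not in CUBA) that cast throws ClassCastException, so remember-me logins break in exactly the configuration this commit introduces. Test the credential type first and make only the synchronisation conditional, as below, so the early `return null` stays unconditional and the provider keeps deferring remember-me to the next provider. The same unguarded unboxing of the `Boolean` property appears in the next hunk; `Boolean.TRUE.equals(...)` at both places avoids a NullPointerException when the property is unset. login(...) begins before the hunk and continues after it.
```java
        if (RememberMeCredentials.class.isAssignableFrom(credentials.getClass())) {
            // Sync on remember-me only when configured; never fall through to the LoginPasswordCredentials cast below.
            if (Boolean.TRUE.equals(ldapPropertiesConfig.getSynchronizeInfoAfterLogin())) {
                UserSynchronizationResultDto userSynchronizationResult =
                        userSynchronizationService.synchronizeUser(((RememberMeCredentials) credentials).getLogin(), true, null, null, null);
                if (userSynchronizationResult.isInactiveUser()) {
                    throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class,
                            "LoginException.InactiveUserLoginAttempt", ((RememberMeCredentials) credentials).getLocale()));
                }
            }
            return null;
        }
        // … unchanged: LoginPasswordCredentials cast and LDAP authentication …
```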
@@ -93,11 +97,18 @@ public AuthenticationDetails login(Credentials credentials) throws LoginExceptio
 loginPasswordCredentials.getLogin(), loginPasswordCredentials.getPassword(), loginPasswordCredentials.getLocale());
- UserSynchronizationResultDto userSynchronizationResult
- = userSynchronizationService.synchronizeUser(loginPasswordCredentials.getLogin(), true, null, null, null);
- if (userSynchronizationResult.isInactiveUser()) {
- throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class,
- "LoginException.InactiveUserLoginAttempt", loginPasswordCredentials.getLocale()));
+
+ if (ldapPropertiesConfig.getSynchronizeInfoAfterLogin()) {
+ UserSynchronizationResultDto userSynchronizationResult = userSynchronizationService.synchronizeUser(loginPasswordCredentials.getLogin(), true, null, null, null);
+ if (userSynchronizationResult.isInactiveUser()) {
+ throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class,
+ "LoginException.InactiveUserLoginAttempt", loginPasswordCredentials.getLocale()));
+ }
+ } else {
+ final User cubaUser = userSynchronizationService.getExistingCubaUser(loginPasswordCredentials.getLogin());
+ if (cubaUser == null)
+ throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class,
+ "LoginException.UserNotRegistered", loginPasswordCredentials.getLocale()));
 }
 TrustedClientCredentials tcCredentials = new TrustedClientCredentials(
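Review bot: `if (cubaUser == null)` is the only unbraced `if` in this hunk and its `throw` spans two lines, which is the usual setup for a later edit slipping a statement between them; brace it as `if (cubaUser == null) {` … `}` like its siblings. Because getExistingCubaUser filters on the active flag, with synchronisation disabled an existing but deactivated CUBA account is reported as LoginException.UserNotRegistered rather than InactiveUserLoginAttempt; that is acceptable after a successful LDAP bind, but a comment on the else branch such as `// sync is off: the account must already exist locally and be active, LDAP-only users are refused` would make the choice deliberate. login(...) continues outside the hunk.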