From 92d8040e05e1771f70d872aa76ea81fd80fe3894 Mon Sep 17 00:00:00 2001 From: sergeev_ms Date: Wed, 11 Sep 2019 09:28:08 +0300 Subject: [PATCH 1/7] Fix searching user for old-style login. --- .../src/com/haulmont/addon/ldap/core/dao/LdapUserDao.java | 7 +++---- modules/web/src/com/haulmont/addon/ldap/web-app.properties | 1 + 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/core/src/com/haulmont/addon/ldap/core/dao/LdapUserDao.java b/modules/core/src/com/haulmont/addon/ldap/core/dao/LdapUserDao.java index e355b147..841fa82f 100644 --- a/modules/core/src/com/haulmont/addon/ldap/core/dao/LdapUserDao.java +++ b/modules/core/src/com/haulmont/addon/ldap/core/dao/LdapUserDao.java @@ -308,8 +308,6 @@ static boolean match(String loginString) { */ class ActiveDirectoryDomain { - private static final String CN_USERS = "CN=Users"; - final String nETBIOSName; final String nCName; final String dnsRoot; @@ -334,6 +332,7 @@ LdapContextSource getLdapContextSource() { ldapContextSource.setPassword(ldapPropertiesConfig.getContextSourcePassword()); ldapContextSource.setUrl(getUrl()); ldapContextSource.setBase(nCName); + ldapContextSource.setReferral("follow"); ldapContextSource.afterPropertiesSet(); } return ldapContextSource; @@ -357,11 +356,11 @@ List searchUser(String query, @Nullable SearchControls searchControls) searchControls.setCountLimit(1); } - return getLdapTemplate().search(CN_USERS, query, new LdapUserMapper(ldapConfigDao.getLdapConfig())); + return getLdapTemplate().search(LdapUtils.emptyLdapName(), query, new LdapUserMapper(ldapConfigDao.getLdapConfig())); } boolean authenticate(String filter, String password) throws LoginException { - return getLdapTemplate().authenticate(CN_USERS, filter, password, + return getLdapTemplate().authenticate(LdapUtils.emptyLdapName(), filter, password, (ctx, ldapEntryIdentification) -> {}, e -> logger.error(String.format("Could not auth user by query: %s", filter), e)); } 
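Review bot: Following referrals with `ldapContextSource.setReferral("follow")` means the service-account bind set two lines above (`setUserDn`/`setPassword`) is replayed against whatever host a referral names, because as far as I know the JNDI provider reuses the context environment, credentials included, for the referred connection; if `getUrl()` produces a plain `ldap://` URL that bind travels in cleartext. Searching from the domain root (`setBase(nCName)`) is exactly where AD hands out referrals to its other naming contexts, which is presumably why this was needed, but the trade-off should be written down and the URL scheme checked. I would add above the call: `// searching from the domain root makes AD return referrals for its other naming contexts; "follow" chases them with the same bind credentials, so keep the URL on ldaps`. The enclosing `if` and `getLdapContextSource()` start outside the hunk.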
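Review bot: With the base widened from `CN=Users` to `LdapUtils.emptyLdapName()` the filter passed to `searchUser` and `authenticate` must now be unique across the whole naming context rather than one container, and nothing here checks that. `searchUser` keeps `setCountLimit(1)` (context above), so a filter on a non-unique attribute that matches several entries silently returns whichever the server lists first; I would drop the limit and fail on more than one hit, e.g. `if (found.size() > 1) throw new IllegalStateException("ambiguous LDAP match for filter " + query);`, which also lines up with Spring LDAP's `authenticate`, which already reports more than one match through the error callback rather than binding. Note that the error callback logs the raw `filter`, which carries whatever login the user typed, at ERROR level on every failed attempt; that is pre-existing, but the wider base makes it reachable for more inputs. Both method bodies start outside the hunk.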
diff --git a/modules/web/src/com/haulmont/addon/ldap/web-app.properties b/modules/web/src/com/haulmont/addon/ldap/web-app.properties index 64ac161f..50a0769c 100644 --- a/modules/web/src/com/haulmont/addon/ldap/web-app.properties +++ b/modules/web/src/com/haulmont/addon/ldap/web-app.properties @@ -61,6 +61,7 @@ cuba.web.standardAuthenticationUsers = admin,anonymous ldap.expiringSessionNotificationCron = */30 * * * * * ldap.addonEnabled = true ldap.expiringSessionsEnable = false +ldap.synchronizeInfoAfterLogin = true cuba.web.theme = halo cuba.web.loginScreenId=loginWindow cuba.web.mainScreenId=mainWindow From 917e2b0e329f5fc74baf75863f50002a70ae8e0c Mon Sep 17 00:00:00 2001 From: sergeev_ms Date: Wed, 11 Sep 2019 09:31:30 +0300 Subject: [PATCH 2/7] Ability to not synchronize users after login. New users can`t log-in. --- .../UserSynchronizationServiceBean.java | 11 +++++++---- .../ldap/config/LdapPropertiesConfig.java | 6 ++++++ .../service/UserSynchronizationService.java | 1 + .../addon/ldap/web/messages.properties | 1 + .../ldapcomponent/LdapAddonLoginProvider.java | 19 ++++++++++++++----- 5 files changed, 29 insertions(+), 9 deletions(-) diff --git a/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java b/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java index f4bf504b..77d7cc93 100644 --- a/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java +++ b/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java @@ -42,10 +42,7 @@ import org.springframework.transaction.annotation.Transactional; import javax.inject.Inject; -import java.util.ArrayList; -import java.util.List; -import java.util.Optional; -import java.util.Set; +import java.util.*; import java.util.function.Supplier; import java.util.stream.Collectors; 
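Review bot: `import java.util.*;` replaces four explicit imports only to bring `Collections` into scope, while the surrounding file lists its imports explicitly (`java.util.function.Supplier` and `java.util.stream.Collectors` just below). A wildcard hides which names are used and can start clashing with project types of the same simple name. I would keep the four original lines and add `import java.util.Collections;`.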
@@ -232,6 +229,12 @@ public void synchronizeUsersFromLdap(List cubaUsers, List ldapUs } + @Override + public User getExistingCubaUser(String login){ + return cubaUserDao.getCubaUsersByLogin(Collections.singletonList(login)).stream() + .findFirst().orElse(null); + } + private void copyLdapAttributesToCubaUser(LdapMatchingRuleContext ldapMatchingRuleContext, User syncUser, String login, diff --git a/modules/global/src/com/haulmont/addon/ldap/config/LdapPropertiesConfig.java b/modules/global/src/com/haulmont/addon/ldap/config/LdapPropertiesConfig.java index ed363db5..393d2302 100644 --- a/modules/global/src/com/haulmont/addon/ldap/config/LdapPropertiesConfig.java +++ b/modules/global/src/com/haulmont/addon/ldap/config/LdapPropertiesConfig.java @@ -83,6 +83,10 @@ public interface LdapPropertiesConfig extends Config { @Property("ldap.synchronizeCommonInfoFromLdap") Boolean getSynchronizeCommonInfoFromLdap(); + @Source(type = SourceType.APP) + @Property("ldap.synchronizeInfoAfterLogin") + Boolean getSynchronizeInfoAfterLogin(); + void setContextSourceUrl(String contextSourceUrl); void setContextSourceBase(String contextSourceBase); @@ -109,4 +113,6 @@ public interface LdapPropertiesConfig extends Config { void setSynchronizeCommonInfoFromLdap(Boolean synchronizeCommonInfoFromLdap); + void setSynchronizeInfoAfterLogin(Boolean synchronizeInfoAfterLogin); + } diff --git a/modules/global/src/com/haulmont/addon/ldap/service/UserSynchronizationService.java b/modules/global/src/com/haulmont/addon/ldap/service/UserSynchronizationService.java index b2c9a8e3..3729bbb1 100644 --- a/modules/global/src/com/haulmont/addon/ldap/service/UserSynchronizationService.java +++ b/modules/global/src/com/haulmont/addon/ldap/service/UserSynchronizationService.java @@ -68,4 +68,5 @@ UserSynchronizationResultDto synchronizeUser(String login, boolean saveSynchroni */ void synchronizeUsersFromLdap(List cubaUsers, List ldapUsers, List matchingRules); + User getExistingCubaUser(String login); } 
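Review bot: `getExistingCubaUser` returns the first user with that login regardless of its `active` flag, so the login path in `LdapAddonLoginProvider` that swaps synchronisation for this lookup loses the `isInactiveUser()` rejection the synchronising path keeps; a disabled CUBA account would pass this check unless the platform's trusted login rejects it later, which I cannot confirm from here. I would filter here, `.filter(u -> Boolean.TRUE.equals(u.getActive()))`, so the method answers the question the caller is actually asking, and give it a short Javadoc stating that it returns `null` for unknown (and inactive) logins. Whether `getCubaUsersByLogin` matches case-insensitively, as AD logins do, is not visible in this hunk and worth confirming.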
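Review bot: `getSynchronizeInfoAfterLogin()` is a boxed `Boolean` read from the application properties with no default, so in an application that does not set `ldap.synchronizeInfoAfterLogin` it returns `null` and the `if (ldapPropertiesConfig.getSynchronizeInfoAfterLogin())` in `LdapAddonLoginProvider` throws a `NullPointerException` on every login. The addon's own `web-app.properties` sets it to `true`, but consumers of the artifact do not inherit that file. Since `true` is the pre-existing behaviour, I would pin it with CUBA's `@DefaultBoolean(true)` on the getter and document the switch: `/** Whether LDAP attributes are re-synchronised into the CUBA user on every login; when false the user must already exist in CUBA. */`.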
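Review bot: The new interface method `getExistingCubaUser` is the only one in `UserSynchronizationService` without Javadoc (the `*/` closing the previous method's comment is visible just above), and its `null` return for an unknown login is part of the contract callers now rely on. I would mark it `@Nullable` and add `/** Looks up the CUBA user with the given login; returns null when no such user exists. */`.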
diff --git a/modules/web/src/com/haulmont/addon/ldap/web/messages.properties b/modules/web/src/com/haulmont/addon/ldap/web/messages.properties index 231da40b..17c07bb9 100644 --- a/modules/web/src/com/haulmont/addon/ldap/web/messages.properties +++ b/modules/web/src/com/haulmont/addon/ldap/web/messages.properties @@ -30,3 +30,4 @@ menu-config.ldap$UserSynchronizationLog.browse=LDAP Log menu-config.ldap$LdapPropertiesConfig.edit=LDAP Config expiringSessionMessage=Your session is about to be closed LoginException.InactiveUserLoginAttempt=Authentication error. Please contact your system administrator. +LoginException.UserNotRegistered=User is not registered in system. Please contact your system administrator. diff --git a/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java b/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java index 781e7d92..1c7e8d3b 100644 --- a/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java +++ b/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java @@ -25,6 +25,7 @@ import com.haulmont.cuba.core.global.Messages; import com.haulmont.cuba.core.sys.ConditionalOnAppProperty; import com.haulmont.cuba.security.auth.*; +import com.haulmont.cuba.security.entity.User; import com.haulmont.cuba.security.global.LoginException; import com.haulmont.cuba.web.auth.WebAuthConfig; import com.haulmont.cuba.web.security.LoginProvider; @@ -38,6 +39,7 @@ import java.io.Serializable; import java.util.HashMap; import java.util.Map; +import java.util.Objects; import static com.haulmont.cuba.web.security.ExternalUserCredentials.EXTERNAL_AUTH_USER_SESSION_ATTRIBUTE; 
@@ -93,11 +95,18 @@ public AuthenticationDetails login(Credentials credentials) throws LoginExceptio loginPasswordCredentials.getLogin(), loginPasswordCredentials.getPassword(), loginPasswordCredentials.getLocale()); - UserSynchronizationResultDto userSynchronizationResult - = userSynchronizationService.synchronizeUser(loginPasswordCredentials.getLogin(), true, null, null, null); - if (userSynchronizationResult.isInactiveUser()) { - throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class, - "LoginException.InactiveUserLoginAttempt", loginPasswordCredentials.getLocale())); + + if (ldapPropertiesConfig.getSynchronizeInfoAfterLogin()) { + UserSynchronizationResultDto userSynchronizationResult = userSynchronizationService.synchronizeUser(loginPasswordCredentials.getLogin(), true, null, null, null); + if (userSynchronizationResult.isInactiveUser()) { + throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class, + "LoginException.InactiveUserLoginAttempt", loginPasswordCredentials.getLocale())); + } + } else { + final User cubaUser = userSynchronizationService.getExistingCubaUser(loginPasswordCredentials.getLogin()); + if (Objects.isNull(cubaUser)) + throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class, + "LoginException.UserNotRegistered", loginPasswordCredentials.getLocale())); } TrustedClientCredentials tcCredentials = new TrustedClientCredentials( From 02812fc21420bd08fb6b381c91832b49cb5a90d1 Mon Sep 17 00:00:00 2001 From: sergeev_ms Date: Wed, 11 Sep 2019 09:52:54 +0300 Subject: [PATCH 3/7] Upload repository setting. --- .gitignore | 3 ++- build.gradle | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index b8f6f24f..724fffee 100644 --- a/.gitignore +++ b/.gitignore @@ -8,4 +8,5 @@ deploy/* modules/*/build/* out test-run -.idea \ No newline at end of file +.idea +/gradle.properties diff --git a/build.gradle b/build.gradle index c8afeaa0..2fab9c52 100644 
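Review bot: `if (ldapPropertiesConfig.getSynchronizeInfoAfterLogin())` unboxes a `Boolean` with no declared default, so a deployment that does not set `ldap.synchronizeInfoAfterLogin` gets a `NullPointerException` here instead of the previous behaviour; `if (!Boolean.FALSE.equals(ldapPropertiesConfig.getSynchronizeInfoAfterLogin()))` keeps synchronising when the property is absent. The `else` branch's `if (Objects.isNull(cubaUser)) throw …` is the only unbraced `if` in the method and spans two lines; brace it like the `if` above. The remember-me branch earlier in `login` (outside this hunk) still calls `synchronizeUser` unconditionally, so at this point the switch only covers password logins. The LDAP authentication call before and the `TrustedClientCredentials` construction after are outside the hunk.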
--- a/build.gradle +++ b/build.gradle @@ -82,6 +82,11 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.''' } + uploadRepository { + url = uploadRepoUrl + user=uploadRepoUsername + password=uploadRepoPassword + } } dependencies { From 08f3173c02b8aafaaf0c57a102a76d97aba1b58a Mon Sep 17 00:00:00 2001 From: sergeev_ms Date: Wed, 11 Sep 2019 10:18:46 +0300 Subject: [PATCH 4/7] Revert "Upload repository setting." This reverts commit 02812fc2 --- .gitignore | 3 +-- build.gradle | 5 ----- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index 724fffee..b8f6f24f 100644 --- a/.gitignore +++ b/.gitignore @@ -8,5 +8,4 @@ deploy/* modules/*/build/* out test-run -.idea -/gradle.properties +.idea \ No newline at end of file diff --git a/build.gradle b/build.gradle index 2fab9c52..c8afeaa0 100644 --- a/build.gradle +++ b/build.gradle @@ -82,11 +82,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.''' } - uploadRepository { - url = uploadRepoUrl - user=uploadRepoUsername - password=uploadRepoPassword - } } dependencies { From c411cb45ad30d5d5e9adb57ad22cc1db560006c8 Mon Sep 17 00:00:00 2001 From: sergeev_ms Date: Tue, 24 Mar 2020 20:03:28 +0300 Subject: [PATCH 5/7] Bump fork version. --- README.md | 7 +++++++ build.gradle | 8 +++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4480ec7c..958e8046 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,12 @@ # LDAP +Friendly fork of https://github.com/cuba-platform/ldap-addon + +1. Added ability to avoid syncing of user information from ldap after user login. +2. Fix login for old-style user names like _domain\user_ + +____________________ +

license Build Status diff --git a/build.gradle b/build.gradle index 9b9fe0e3..9004e506 100644 --- a/build.gradle +++ b/build.gradle @@ -59,7 +59,7 @@ apply(plugin: 'addon-gradle-plugin') cuba { artifact { group = 'com.haulmont.addon.ldap' - version = '1.5' + version = '1.5f' isSnapshot = true } tomcat { @@ -82,6 +82,12 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.''' } + + uploadRepository { + url = uri("https://maven.pkg.github.com/sergeev-ms/ldap-addon") + user=project.findProperty("github.user") ?: System.getenv("GITHUB_USER") + password=project.findProperty("github.key") ?: System.getenv("GITHUB_TOKEN") + } } dependencies { From 5f07be1bd789730f785e416c559348ffe6471ad0 Mon Sep 17 00:00:00 2001 From: sergeev_ms Date: Tue, 22 Sep 2020 12:42:32 +0300 Subject: [PATCH 6/7] If used RememberMeToken check sync config is enabled. --- .../UserSynchronizationServiceBean.java | 1 + .../ldapcomponent/LdapAddonLoginProvider.java | 18 ++++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java b/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java index 77d7cc93..cbd17b45 100644 --- a/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java +++ b/modules/core/src/com/haulmont/addon/ldap/core/service/UserSynchronizationServiceBean.java @@ -232,6 +232,7 @@ public void synchronizeUsersFromLdap(List cubaUsers, List ldapUs @Override public User getExistingCubaUser(String login){ return cubaUserDao.getCubaUsersByLogin(Collections.singletonList(login)).stream() + .filter(User::getActive) .findFirst().orElse(null); } 
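Review bot: Publishing the fork's artifacts under upstream's `group = 'com.haulmont.addon.ldap'` (visible in the hunk above) to `maven.pkg.github.com/sergeev-ms/ldap-addon` gives them the same coordinates as the upstream addon, differing only by the `f` suffix in the version. A consumer that declares both the Haulmont repository and this GitHub Packages repository leaves it to Gradle's repository order and version matching which build it pulls, the same class of problem as dependency confusion. I would publish the fork under its own group or artifact id, or at least state in the README which repository must be declared first. The `findProperty(...) ?: System.getenv(...)` lookup is fine; note that with neither `github.key` nor `GITHUB_TOKEN` set the password is silently `null` rather than a clear error.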
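Review bot: `.filter(User::getActive)` uses the `Boolean` getter as a `Predicate<User>`, so it unboxes and a user row whose `active` value is `null` would throw a `NullPointerException` from inside the stream instead of being treated as inactive; whether the column can be null in this schema I cannot tell from here. `.filter(u -> Boolean.TRUE.equals(u.getActive()))` is null-safe and fails closed. The method still has no Javadoc, and now that it excludes inactive users the name `getExistingCubaUser` under-describes it; a one-line comment, `// active users only: a disabled account must not pass the no-sync login path`, would stop the next reader from "fixing" the filter away.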
diff --git a/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java b/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java index 1c7e8d3b..51c48956 100644 --- a/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java +++ b/modules/web/src/com/haulmont/addon/ldap/web/security/ldapcomponent/LdapAddonLoginProvider.java @@ -79,14 +79,16 @@ public AuthenticationDetails login(Credentials credentials) throws LoginExceptio return null; } - if (RememberMeCredentials.class.isAssignableFrom(credentials.getClass())) { - UserSynchronizationResultDto userSynchronizationResult = - userSynchronizationService.synchronizeUser(((RememberMeCredentials) credentials).getLogin(), true, null, null, null); - if (userSynchronizationResult.isInactiveUser()) { - throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class, - "LoginException.InactiveUserLoginAttempt", ((RememberMeCredentials) credentials).getLocale())); + if (ldapPropertiesConfig.getSynchronizeInfoAfterLogin()) { + if (RememberMeCredentials.class.isAssignableFrom(credentials.getClass())) { + UserSynchronizationResultDto userSynchronizationResult = + userSynchronizationService.synchronizeUser(((RememberMeCredentials) credentials).getLogin(), true, null, null, null); + if (userSynchronizationResult.isInactiveUser()) { + throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class, + "LoginException.InactiveUserLoginAttempt", ((RememberMeCredentials) credentials).getLocale())); + } + return null; } - return null; } LoginPasswordCredentials loginPasswordCredentials = (LoginPasswordCredentials) credentials; 
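Review bot: When `ldap.synchronizeInfoAfterLogin` is false a `RememberMeCredentials` no longer reaches the `return null` inside the nested `if`; it falls through to the `(LoginPasswordCredentials) credentials` cast on the next line, which throws a `ClassCastException` unless `RememberMeCredentials` is a `LoginPasswordCredentials` subtype, which I cannot confirm from this hunk. The old code returned `null` for remember-me logins after the inactive-user check regardless of configuration, and the no-sync path should do the same while applying the `getExistingCubaUser` check used for password logins. Nesting the configuration check inside the credentials check keeps both behaviours; the rest of `login` is outside the hunk.
```java
if (RememberMeCredentials.class.isAssignableFrom(credentials.getClass())) {
    RememberMeCredentials rememberMe = (RememberMeCredentials) credentials;
    if (ldapPropertiesConfig.getSynchronizeInfoAfterLogin()) {
        UserSynchronizationResultDto userSynchronizationResult =
                userSynchronizationService.synchronizeUser(rememberMe.getLogin(), true, null, null, null);
        if (userSynchronizationResult.isInactiveUser()) {
            throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class,
                    "LoginException.InactiveUserLoginAttempt", rememberMe.getLocale()));
        }
    } else if (userSynchronizationService.getExistingCubaUser(rememberMe.getLogin()) == null) {
        throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class,
                "LoginException.UserNotRegistered", rememberMe.getLocale()));
    }
    return null;
}
// … unchanged: password-login handling …
```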
@@ -104,7 +106,7 @@ public AuthenticationDetails login(Credentials credentials) throws LoginExceptio } } else { final User cubaUser = userSynchronizationService.getExistingCubaUser(loginPasswordCredentials.getLogin()); - if (Objects.isNull(cubaUser)) + if (cubaUser == null) throw new LoginException(messages.formatMessage(LdapAddonLoginProvider.class, "LoginException.UserNotRegistered", loginPasswordCredentials.getLocale())); } From 2d35f9c9bdafdd7e496c469d6e56ad05f2766ed8 Mon Sep 17 00:00:00 2001 From: sergeev_ms Date: Tue, 22 Sep 2020 12:42:57 +0300 Subject: [PATCH 7/7] Update platform and addon versions. --- build.gradle | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build.gradle b/build.gradle index 9004e506..4f0ee680 100644 --- a/build.gradle +++ b/build.gradle @@ -15,7 +15,7 @@ */ buildscript { - ext.cubaVersion = rootProject.hasProperty('cubaVersion') ? rootProject['cubaVersion'] : '7.2-SNAPSHOT' + ext.cubaVersion = rootProject.hasProperty('cubaVersion') ? rootProject['cubaVersion'] : '7.2.7' repositories { mavenLocal() if (System.getenv('HAULMONT_REPOSITORY_URL')) { @@ -59,8 +59,8 @@ apply(plugin: 'addon-gradle-plugin') cuba { artifact { group = 'com.haulmont.addon.ldap' - version = '1.5f' - isSnapshot = true + version = '1.5.2f' + isSnapshot = false } tomcat { dir = "$project.rootDir/deploy/tomcat"
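Review bot: Replacing `Objects.isNull(cubaUser)` with `cubaUser == null` leaves `import java.util.Objects;`, added together with this check in 917e2b0, unused if this was its only use; drop the import. The `if` still has no braces around the two-line `throw`, unlike the `if` in the synchronising branch just above; `if (cubaUser == null) {` … `}` would make the two branches read alike.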