LDAPv3Repo.java revision 22e447f16376d70c72a621de30818e00ccd45ccc
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: LDAPv3Repo.java,v 1.74 2010/01/20 01:08:36 goodearth Exp $
*
*/
/*
* Portions Copyrighted 2011-2014 ForgeRock AS
* Portions Copyrighted 2012 Open Source Solution Technology Corporation
*/
//import com.iplanet.am.util.AMURLEncDec;
public class LDAPv3Repo extends IdRepo {
// config is part of IdRepo.java superclass and
// set in superclass's initialize method.
// private Map configMap = new AMHashMap();
private boolean hasShutdown = false;
private int ldapPort = 389;
// password control states
private final static int NO_PASSWORD_CONTROLS = 0;
private final static int PASSWORD_EXPIRED = -1;
private final static int activeMask = 0xfffffffD;
private final static int disableMask = 0x2;
private LDAPConnectionPool connPool;
private boolean sslMode = false;
private int connNumRetry = 3;
private int connRetryInterval = 1000;
private int timeLimit = 5000;
private int defaultMaxResults = 100;
private String roleSearchFilter =
"(&(objectclass=ldapsubentry)(objectclass=nsmanagedroledefinition))";
private String filterroleSearchFilter =
"(&(objectclass=ldapsubentry)(objectclass=nsfilteredroledefinition))";
private boolean alwaysActive = false;
private boolean cacheEnabled = false;
private final int MIN_CONNECTION_POOL_SIZE = 1;
private final int MAX_CONNECTION_POOL_SIZE = 10;
// access to the _eventsMgr and _eventsMgr needs to be sync.
private boolean hasListener = false;
private static final String LDAPv3Config_LDAPV3GENERIC =
"sun-idrepo-ldapv3-ldapv3Generic";
private static final String LDAPv3Config_LDAPV3AMDS =
"sun-idrepo-ldapv3-ldapv3AMDS";
private static final String LDAPv3Config_LDAPV3AD =
"sun-idrepo-ldapv3-ldapv3AD";
private static final String LDAPv3Config_LDAPV3ADAM =
"sun-idrepo-ldapv3-ldapv3ADAM";
private static final String LDAPv3Config_LDAPV3OpenDS =
"sun-idrepo-ldapv3-ldapv3OpenDS";
private static final String LDAPv3Config_LDAPV3Tivoli =
"sun-idrepo-ldapv3-ldapv3Tivoli";
private static final String LDAPv3Config_LDAP_SERVER =
"sun-idrepo-ldapv3-config-ldap-server";
private static final String LDAPv3Config_AUTHID =
"sun-idrepo-ldapv3-config-authid";
private static final String LDAPv3Config_AUTHPW =
"sun-idrepo-ldapv3-config-authpw";
private static final String LDAPv3Config_LDAP_SSL_ENABLED =
"sun-idrepo-ldapv3-config-ssl-enabled";
private static final String LDAPv3Config_LDAP_CONNECTION_POOL_MIN_SIZE =
"sun-idrepo-ldapv3-config-connection_pool_min_size";
private static final String LDAPv3Config_LDAP_CONNECTION_POOL_MAX_SIZE =
"sun-idrepo-ldapv3-config-connection_pool_max_size";
private static final String LDAPv3Config_ORGANIZATION_NAME =
"sun-idrepo-ldapv3-config-organization_name";
private static final String LDAPv3Config_LDAP_GROUP_SEARCH_FILTER =
"sun-idrepo-ldapv3-config-groups-search-filter";
private static final String LDAPv3Config_LDAP_USERS_SEARCH_FILTER =
"sun-idrepo-ldapv3-config-users-search-filter";
private static final String LDAPv3Config_LDAP_ROLES_SEARCH_FILTER =
"sun-idrepo-ldapv3-config-roles-search-filter";
private static final String LDAPv3Config_LDAP_FILTERROLES_SEARCH_FILTER =
"sun-idrepo-ldapv3-config-filterroles-search-filter";
private static final String LDAPv3Config_LDAP_AGENT_SEARCH_FILTER =
"sun-idrepo-ldapv3-config-agent-search-filter";
private static final String LDAPv3Config_LDAP_ROLES_SEARCH_ATTRIBUTE =
"sun-idrepo-ldapv3-config-roles-search-attribute";
private static final String LDAPv3Config_LDAP_FILTERROLES_SEARCH_ATTRIBUTE =
"sun-idrepo-ldapv3-config-filterroles-search-attribute";
private static final String LDAPv3Config_LDAP_GROUPS_SEARCH_ATTRIBUTE =
"sun-idrepo-ldapv3-config-groups-search-attribute";
private static final String LDAPv3Config_LDAP_USERS_SEARCH_ATTRIBUTE =
"sun-idrepo-ldapv3-config-users-search-attribute";
private static final String LDAPv3Config_LDAP_USERS_NAMING_ATTRIBUTE =
"sun-idrepo-ldapv3-config-auth-naming-attr";
private static final String LDAPv3Config_LDAP_AGENT_SEARCH_ATTRIBUTE =
"sun-idrepo-ldapv3-config-agent-search-attribute";
private static final String LDAPv3Config_LDAP_ROLES_SEARCH_SCOPE =
"sun-idrepo-ldapv3-config-role-search-scope";
private static final String LDAPv3Config_LDAP_SEARCH_SCOPE =
"sun-idrepo-ldapv3-config-search-scope";
private static final String LDAPv3Config_LDAP_GROUP_CONTAINER_NAME =
"sun-idrepo-ldapv3-config-group-container-name";
private static final String LDAPv3Config_LDAP_AGENT_CONTAINER_NAME =
"sun-idrepo-ldapv3-config-agent-container-name";
private static final String LDAPv3Config_LDAP_PEOPLE_CONTAINER_NAME =
"sun-idrepo-ldapv3-config-people-container-name";
private static final String LDAPv3Config_LDAP_GROUP_CONTAINER_VALUE =
"sun-idrepo-ldapv3-config-group-container-value";
private static final String LDAPv3Config_LDAP_PEOPLE_CONTAINER_VALUE =
"sun-idrepo-ldapv3-config-people-container-value";
private static final String LDAPv3Config_LDAP_AGENT_CONTAINER_VALUE =
"sun-idrepo-ldapv3-config-agent-container-value";
private static final String LDAPv3Config_LDAP_TIME_LIMIT =
"sun-idrepo-ldapv3-config-time-limit";
private static final String LDAPv3Config_LDAP_MAX_RESULT =
"sun-idrepo-ldapv3-config-max-result";
private static final String LDAPv3Config_REFERRALS =
"sun-idrepo-ldapv3-config-referrals";
private static final String LDAPv3Config_ROLE_OBJECT_CLASS =
"sun-idrepo-ldapv3-config-role-objectclass";
private static final String LDAPv3Config_FILTERROLE_OBJECT_CLASS =
"sun-idrepo-ldapv3-config-filterrole-objectclass";
private static final String LDAPv3Config_GROUP_OBJECT_CLASS =
"sun-idrepo-ldapv3-config-group-objectclass";
private static final String LDAPv3Config_USER_OBJECT_CLASS =
"sun-idrepo-ldapv3-config-user-objectclass";
private static final String LDAPv3Config_AGENT_OBJECT_CLASS =
"sun-idrepo-ldapv3-config-agent-objectclass";
private static final String LDAPv3Config_GROUP_ATTR =
"sun-idrepo-ldapv3-config-group-attributes";
private static final String LDAPv3Config_USER_ATTR =
"sun-idrepo-ldapv3-config-user-attributes";
private static final String LDAPv3Config_AGENT_ATTR =
"sun-idrepo-ldapv3-config-agent-attributes";
private static final String LDAPv3Config_ROLE_ATTR =
"sun-idrepo-ldapv3-config-role-attributes";
private static final String LDAPv3Config_FILTERROLE_ATTR =
"sun-idrepo-ldapv3-config-filterrole-attributes";
private static final String LDAPv3Config_NSROLE =
"sun-idrepo-ldapv3-config-nsrole";
private static final String LDAPv3Config_NSROLEDN =
"sun-idrepo-ldapv3-config-nsroledn";
private static final String LDAPv3Config_NSROLEFILTER =
"sun-idrepo-ldapv3-config-nsrolefilter";
private static final String LDAPv3Config_MEMBEROF =
"sun-idrepo-ldapv3-config-memberof";
private static final String LDAPv3Config_UNIQUEMEMBER =
"sun-idrepo-ldapv3-config-uniquemember";
private static final String LDAPv3Config_DEFAULTGROUPMEMBER =
"sun-idrepo-ldapv3-config-dftgroupmember";
private static final String LDAPv3Config_MEMBERURL =
"sun-idrepo-ldapv3-config-memberurl";
private static final String LDAPv3Config_LDAP_IDLETIMEOUT =
"sun-idrepo-ldapv3-config-idletimeout";
private static final String LDAPv3Config_LDAP_PSEARCHBASE =
"sun-idrepo-ldapv3-config-psearchbase";
private static final String LDAPv3Config_LDAP_PSEARCHFILTER =
"sun-idrepo-ldapv3-config-psearch-filter";
private static final String LDAPv3Config_LDAP_PSEARCHSCOPE =
"sun-idrepo-ldapv3-config-psearch-scope";
private static final String LDAPv3Config_LDAP_ISACTIVEATTRNAME =
"sun-idrepo-ldapv3-config-isactive";
private static final String LDAPv3Config_LDAP_INETUSERACTIVE =
"sun-idrepo-ldapv3-config-active";
private static final String LDAPv3Config_LDAP_INETUSERINACTIVE =
"sun-idrepo-ldapv3-config-inactive";
private static final String LDAPv3Config_LDAP_CREATEUSERMAPPING =
"sun-idrepo-ldapv3-config-createuser-attr-mapping";
private static final String LDAPv3Config_LDAP_AUTHENTICATABLE =
"sun-idrepo-ldapv3-config-authenticatable-type";
private static final String LDAPv3Config_LDAP_CACHEENABLED =
"sun-idrepo-ldapv3-config-cache-enabled";
private static final String LDAPv3Config_LDAP_CACHETTL =
"sun-idrepo-ldapv3-config-cache-ttl";
private static final String LDAPv3Config_LDAP_CACHESIZE =
"sun-idrepo-ldapv3-config-cache-size";
private static final String LDAPv3Config_LDAP_NUM_RETRIES =
"sun-idrepo-ldapv3-config-numretires";
private static final String LDAPv3Config_LDAP_RETRY_INTERVAL =
"com.iplanet.am.ldap.connection.delay.between.retries";
private static final String LDAPv3Config_LDAP_ERROR_CODES =
"sun-idrepo-ldapv3-config-errorcodes";
private static final String defaultStatusAttribute =
"inetUserStatus";
private static final String sunIdentityServerDeviceStatus =
"sunIdentityServerDeviceStatus";
private static final String SCHEMA_BUG_PROPERTY =
"com.sun.identity.shared.ldap.schema.quoting";
private static final String CLASS_NAME =
"com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo";
public LDAPv3Repo() {
}
}
if (debug.messageEnabled()) {
}
}
}
try {
} catch (ServerEntryNotFoundException senf) {
if (debug.messageEnabled()) {
}
}
// put ldapServer from list into a string seperated by space for
// failover purposes. LDAPConnection will automatcially handle failover.
// hostname:portnumber | severID | siteID
// serverID is optional. if omitted, it means any(don't care).
// siteID is optional. if omitted, it means any(don't care).
// host whose siteID and serverID matches webtop naming's serverid and
// siteid are put in the front of the list as well as those host which
// otherwise it will go to the end of the list.
if (tk.hasMoreTokens()) {
}
if (tk.hasMoreTokens()) {
}
hostSiteID = siteID;
}
}
} else {
}
} else {
} else {
}
}
} // end of while
} else {
}
}
if (firstChoiceList.isEmpty()) {
} else {
if (!secondChoiceList.isEmpty()) {
}
}
if (debug.messageEnabled()) {
+ "; ldapServers:" + ldapServers);
}
if (index > -1) {
try {
if (portindex > -1) {
} else {
}
} catch(NumberFormatException e) {
if (debug.messageEnabled()) {
}
}
}
}
private String getLDAPServerList() {
}
}
// connOptions has the default options set for failover and
// fallback features.
if (debug.messageEnabled()) {
}
if (ldapServerName == null) {
}
// ldapServerName is list of server names separated by space for
// failover purposes. LDAPConnection will automatically handle failover.
// port will not be used since ldapserver is in the following format:
// nameOfLDAPhost:portNumber.
if (minPoolSize < 1) {
}
if (maxPoolSize < 1) {
}
try {
sslMode = true;
} else {
ldc = new LDAPConnection();
sslMode = false;
}
if (debug.messageEnabled()) {
+ "LDAPConnection failed", ex);
}
}
try {
if (cacheEnabled) {
if (debug.messageEnabled()) {
+ "; cacheSize=" + cacheSize );
}
}
} catch (LDAPException lde) {
if (debug.messageEnabled()) {
"failed: " + resultCode);
}
}
try {
if (tosec > 0) {
} else {
}
// Construct the pool by cloning the successful connection
if (shutdownMan.acquireValidLock()) {
try {
ldc, connOptions);
// create the shutdown hook
shutdownListener = new ShutdownListener() {
public void shutdown() {
}
}
};
// Register the shutdown hook
} finally {
}
}
} catch (LDAPException lex) {
try {
ldc.disconnect();
} catch (LDAPException lex1) {
+ lex1.getLDAPResultCode());
}
}
// if we get here and connPool is still null, all servers failed
ldapServerName + " connection pool create failed");
}
if (debug.messageEnabled()) {
}
}
reBind = new LDAPRebind() {
{
}
};
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#initialize(java.util.Map)
*/
if (debug.messageEnabled()) {
}
super.initialize(configParams);
if (debug.messageEnabled()) {
+ myServiceStr);
}
} else {
myServiceMap = new HashMap();
}
if (debug.messageEnabled()) {
if (myServiceMap != null) {
+ myServiceMap);
} else {
}
}
// find out which configuration/DS this is: AMDS, AD, generic DS
// get the organization name
} else {
}
} else {
}
} else {
}
} else {
}
} else {
}
} else {
}
} else {
}
LDAPv3Config_NSROLE, "nsrole");
LDAPv3Config_NSROLEDN, "nsRoleDN");
LDAPv3Config_NSROLEFILTER, "nsRoleFilter");
}
}
}
}
}
alwaysActive = true;
}
authenticatableSet = new CaseInsensitiveHashSet();
if (tmpAuthSet != null) {
}
// check if connection pool is initialized properly
if (debug.messageEnabled()) {
+ "timeLimit =" + timeLimit
+ "; maxResults =" + defaultMaxResults
+ "; roleSearchScope=" + roleSearchScope
+ "; orgDN=" + orgDN
+ "; createUserAttrMap=" + createUserAttrMap);
}
}
public void shutdown() {
if (debug.messageEnabled()) {
}
hasShutdown = true;
super.shutdown();
}
if (shutdownListener != null) {
if (shutdownMan.acquireValidLock()) {
try {
if (debug.messageEnabled()) {
}
} finally {
}
}
}
myListener = null;
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#getSupportedOperations(
* com.iplanet.am.sdk.IdType)
*/
}
/*
* (non-Javadoc
*
* @see com.sun.identity.idm.IdRepo#getSupportedTypes()
*/
public Set getSupportedTypes() {
return supportedOps.keySet();
}
/*
* (non-Javadoc)
*
* @see com.sun.identity.idm.IdRepo#isActive(com.iplanet.sso.SSOToken,
* com.sun.identity.idm.IdType, java.lang.String)
*/
throws IdRepoUnsupportedOpException, SSOException {
/*
* attribute is not configured or attribute is configured but does not
* exist in user entry or does not contain the word "active" then it is
* assume active.
*/
if (debug.messageEnabled()) {
+ "; name:" + name);
}
"305", args);
}
if (alwaysActive) {
try {
return found;
} catch (IdRepoException ide) {
return false;
}
}
// agents sunIdentityServerDeviceStatus: Active
} else {
}
try {
} catch (IdRepoException idrepoerr) {
if (debug.messageEnabled()) {
}
return (false); // we can't determine user status.
}
if (debug.messageEnabled()) {
}
// in case of AD, we need to check if ADS_UF_ACCOUNTDISABLE
// bits is on. 0x00000002 => account is disabled.
return (!disable);
} else {
}
} else {
return (true);
}
}
/* (non-Javadoc)
* @see com.sun.identity.idm.IdRepo#setActiveStatus(
com.iplanet.sso.SSOToken, com.sun.identity.idm.IdType,
java.lang.String, boolean)
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
}
+ " Users and Agent are not allowed ");
}
} else {
// agents sunIdentityServerDeviceStatus: Active
}
// AD the active status is the second bit of
// userAccountControl.
if (active) {
} else {
}
} else {
if (active) {
} else {
}
}
if (debug.messageEnabled()) {
}
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#isExists(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String)
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
}
try {
} catch (IdRepoUnsupportedOpException ide) {
return false;
} catch (IdRepoException idrepoerr) {
return false;
}
int resultCode = 0;
try {
} catch (LDAPException e) {
switch (e.getLDAPResultCode()) {
case LDAPException.NO_SUCH_OBJECT:
if (debug.messageEnabled()) {
"does not exist.");
}
break;
if (debug.messageEnabled()) {
"different LDAP server.");
}
break;
if (debug.messageEnabled()) {
"access rights to perform this operation.");
}
break;
default:
if (debug.messageEnabled()) {
+ e.getLDAPResultCode());
+ "Could not read the specified entry.");
}
break;
}
resultCode = e.getLDAPResultCode();
(resultCode == 82)) {
throw ide;
}
return false;
} finally {
}
}
return true;
}
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
+ ": " + dn);
}
int resultCode = 0;
try {
} catch (LDAPException e) {
switch (e.getLDAPResultCode()) {
case LDAPException.NO_SUCH_OBJECT:
if (debug.messageEnabled()) {
"The specified entry does not exist.");
}
break;
if (debug.messageEnabled()) {
"different LDAP server.");
}
break;
if (debug.messageEnabled()) {
"access rights to perform this operation.");
}
break;
default:
if (debug.messageEnabled()) {
+ e.getLDAPResultCode());
+ "Could not read the specified entry.");
}
break;
}
resultCode = e.getLDAPResultCode();
throw ide;
}
return false;
} finally {
}
}
return true;
}
public void removeListener() {
if (debug.messageEnabled()) {
}
if (ldapServerName == null) {
}
if (ldapServerName == null) {
"server name.");
}
// keep a count with eventsMgr.ldapServerName of number of listener.
// when the count reaches 0. remove the ldapServerName entry.
// see if we already have an event service for this server.
if (eventService != null) {
//OPENAM-1007 synchronizing with listOfPS caused deadlock
//synchronizing with eventservice instead
synchronized (eventService) {
if (hasListener) {
// find the listener idrepo.
// if this is the last, then remove the listener.
// if not, just remove teh idrepo from list.
// need to change findrequest.
if (listOfRepo != null) {
if (requestNum != null) {
if (requestInt <= 1) {
} else {
requestInt - 1));
}
if (debug.messageEnabled()) {
"requestInt=" + requestInt);
}
}
}
}
} else { // listener was not added
if (requestNum == null) {
}
}
} // end of synchronized(eventService)
}
}
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#addListener(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.AMObjectListener, java.util.Map)
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
+ " LDAPv3Config_LDAP_SERVER="
+ "; LDAPv3Config_LDAP_PSEARCHBASE="
+ "; LDAPv3Config_LDAP_PSEARCHFILTER="
+ "; LDAPv3Config_LDAP_IDLETIMEOUT="
}
"server configuration." +
return 0;
}
// TODO Auto-generated method stub
// listener.setConfigMap(configMap);
// If CLI, do not have persistent search for notifications.
if (!SystemProperties.isServerMode()) {
return 0;
}
// see if we already have an event service for this server.
if (ldapServerName == null) {
}
if (ldapServerName == null) {
"ldap server name.");
return 0;
}
if (searchBase == null) {
+ "missing persistence search base. Not "
+ "starting persistent search.");
return 0;
}
// if the listener shares the same host, we tried to use the same
// event_service to minialize threads and polling and monitors.
if (eventService == null) {
try {
if (debug.messageEnabled()) {
"eventService is null. idleTimeOut=" +idleTimeOut);
}
if (idleTimeOut == 0) {
} else {
}
} catch (LDAPException le) {
"new eventService failed. LDAPException=", le);
throw ide;
}
}
//OPENAM-1007 synchronizing with listOfPS caused deadlock
//synchronizing with eventservice instead
synchronized (eventService) {
LDAPv3Config_LDAP_PSEARCHFILTER, "(objectclass=*)");
} else {
}
try {
int requestNum;
if (numRequest == null) {
requestNum = 1;
} else {
}
} catch (IdRepoException idrepoex) {
"search not supported");
} catch (LDAPException ldapex) {
"eventService.addListener.LDAPException", ldapex);
ldapex.getLDAPResultCode()));
throw ide;
}
// create an entry in the list.
listOfRepo = new HashMap();
} else {
//found a ps to this host with same characteristic. share it.
}
// probably should save the reqID with our listener.
// once we have our listener we can get at our config
// listener.getconfig
// will this id change? what happens it timeout and have to be
// restarted.
hasListener = true;
return 0;
}
}
/*
* given a Map of attributes(attrMap), return a Map with only attributes
* that were predefined to be permited or allowed.
*/
}
if (attrNameValue != null) {
}
}
return (allowedAttr);
}
// replace the default user status attribute name and value
// with what's configured on datastore config page.
// add the attribute if it does not exist.
return attrMap;
}
// the inetuserstatus attribute exist.
if ((previousStatus != null) &&
} else {
}
} else {
}
return attrMap;
}
// add missing required atttr and its default value.
if (debug.messageEnabled()) {
+ createUserAttrMap + ", attrMap = " +
}
// if the attrname is same as the attrvalue.
// see getCreateUserAttrMapping
// special case, use the username as the value of
// the attribute..
} else {
if (mapAttrValue != null) {
}
}
}
}
}
}
}
if (debug.messageEnabled()) {
}
return attrMap;
}
// in AD mode, and the user requested inetuserstatus, and the
// current attribute is userAccountControl. set inetuserstatus
// according to userAccountControl ADS_UF_ACCOUNTDISABLE bits.
if (debug.messageEnabled()) {
+ "; attrValueSet=" + attrValueSet);
}
} else {
}
} else {
// ADAM
} else {
}
}
if (debug.messageEnabled()) {
}
return newAttrVal;
}
// in AD mode, and the user requested inetuserstatus, and the
// current attribute is userAccountControl. set
// inetuserstatus according to userAccountControl bits.
if (debug.messageEnabled()) {
}
byte[][] newAttrVal = new byte[1][];
}
} else {
}
} else {
// ADAM
} else {
}
}
if (debug.messageEnabled()) {
+ newAttrVal);
}
return newAttrVal;
}
throws IdRepoException, SSOException {
/*
if he is setting userAccountControl then don't have
to check for inetuserstatus. can assume he will take
care of the account_disable bit.
if he is setting inetuserstatus and not userAccountControl,
userAccountControl according to inetuserstatus and remove
inetuserstatus for the list of attributes and add
userAccountControl to the list of attributes.
*/
// read userAccountControl so we can mask the active bit.
if (isString) {
} else {
byte[][] attrBytes =
}
} else {
}
if (isString) {
} else {
byte [][] usrCtlBin = new byte[1][];
usrCtlBin[0] =
}
}
}
}
}
// encode the AD password.
// the password must be enclosed in double quotes
// and converted byte array with encoding "UTF-16LE"
byte[] encodedPwd = null;
try {
} catch (UnsupportedEncodingException uex) {
if (debug.warningEnabled()) {
}
}
return encodedPwd;
}
// replace the default user status attribute name and value
// with what's configured on datastore config page.
// add the attribute if it does not exist.
if (previousPass != null) {
return encodeADPwd(previousPass);
}
}
}
return null;
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#create(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String, java.util.Map)
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
null));
}
}
int resultCode = 0;
byte[] encodedPwd = null;
} else {
"305", args);
}
// add the default objectclass to the attrMap passed in.
boolean addedOC = false;
addedOC = true;
} else {
// ignore empty set because some servers can't handle it.
if ((attrNameValue != null) &&
(!attrNameValue.isEmpty())) {
if (dsType.equalsIgnoreCase(
if (attrNameValue.isEmpty()) {
continue;
}
}
}
}
}
if (!addedOC) {// object class not in attrMap passed in, add it.
}
attrValues[i] = s;
}
}
}
if (debug.messageEnabled()) {
} else {
" set:" + set);
}
}
} // null
} else {
attrValues));
}
// add default user to group.
}
if (debug.messageEnabled()) {
}
if (encodedPwd != null) {
}
try {
theEntry);
} catch (LDAPException lde) {
if (debug.messageEnabled()) {
}
} finally {
}
}
if (memberOfAttr != null) {
try {
} catch (LDAPException lde) {
if (debug.messageEnabled()) {
"mod user", lde);
}
} finally {
}
}
if (cacheEnabled) {
}
}
}
return eDN;
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#delete(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String)
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
}
int resultCode = 0;
try {
eDN);
} catch (LDAPException lde) {
if (debug.messageEnabled()) {
}
} finally {
}
}
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#getAttributes(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String, java.util.Set)
*/
if (debug.messageEnabled()) {
}
return myMap;
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#getAttributes(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String, java.util.Set)
*/
if (debug.messageEnabled()) {
}
return theAttrMap;
}
}
int resultCode = 0;
boolean addActiveAttrName = false;
predefinedAttr = new CaseInsensitiveHashSet();
}
} else {
}
addActiveAttrName = true;
}
}
}
if (debug.messageEnabled()) {
+ "; attrNames=" + attrNames);
}
if ((predefinedAttr == null) ||
(predefinedAttr.isEmpty())) {
try {
} catch (LDAPException lde) {
if (debug.warningEnabled()) {
}
} finally {
}
}
} else {
try {
} catch (LDAPException lde) {
if (debug.warningEnabled()) {
}
} finally {
}
}
}
} else {
if (predefinedAttr != null) {
new CaseInsensitiveHashSet();
}
}
if (attrNamesCase.isEmpty()) {
return theAttrMap; // nothing to read.
}
}
if (debug.messageEnabled()) {
+ attrNames);
}
try {
} catch (LDAPException lde) {
if (debug.warningEnabled()) {
}
} finally {
}
}
}
if (foundEntry == null) {
+ " to retrieve its attributes.");
throw new IdRepoException(
}
// convert from LDAPAttributeSet to Map.
for (int i = 0; i < size; i++) {
if (debug.messageEnabled()) {
+ attrName);
}
if ((predefinedAttr != null)
{
continue;
}
if (isString) {
) {
}
if (!addActiveAttrName) {
// we didn't add this. requested by caller.
}
attrName);
} else {
}
} else {
if (!addActiveAttrName) {
}
} else {
}
if (debug.messageEnabled()) {
values);
}
}
}
}
/*
* Add this 'dn' explicitly to the result set and return. reason:
* does not return this attribute, but returns other ones.
*/
}
if (debug.messageEnabled()) {
}
return (theAttrMap);
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#getAttributes(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String)
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
+ ": " + name);
}
}
/*
* (non-Javadoc)
*
* @see com.sun.identity.idm.IdRepo#getBinaryAttributes(
* com.iplanet.sso.SSOToken,
* com.sun.identity.idm.IdType, java.lang.String, java.util.Set)
*/
if (debug.messageEnabled()) {
}
}
/*
* (non-Javadoc)
*
* @see com.sun.identity.idm.IdRepo#setBinaryAttributes(
* com.iplanet.sso.SSOToken,
* com.sun.identity.idm.IdType, java.lang.String, java.util.Map,
* boolean)
*/
{
if (debug.messageEnabled()) {
}
}
/**
* Finds the dynamic group member DNs
*
* @param url
* the url to be used for the group member search
* @return the set of group member DNs satisfied the search url
*/
throws IdRepoException {
int resultCode = 0;
groupMemberDNs = new HashSet();
if (debug.messageEnabled()) {
}
try {
} catch (LDAPException lde) {
+ "ld.search error: " + resultCode);
if (debug.messageEnabled()) {
lde);
}
return groupMemberDNs;
} finally {
}
}
while (res.hasMoreElements()) {
try {
}
} catch (LDAPReferralException lre) {
// ignore referrals
continue;
} catch (LDAPException le) {
throw ide;
}
}
return groupMemberDNs;
}
// returns all members of the group named name.
try {
} catch (IdRepoUnsupportedOpException ide) {
return null;
} catch (IdRepoException idrepoerr) {
return null;
}
int resultCode = 0;
try {
} catch (LDAPException e) {
resultCode = e.getLDAPResultCode();
if (debug.messageEnabled()) {
}
(resultCode == 82)) {
throw ide;
}
return null;
} finally {
}
}
}
try {
throw (new IdRepoException("MalformedURLException"));
}
}
}
}
return resultSet;
}
int resultCode = 0;
roleMemberDNs = new HashSet();
if (debug.messageEnabled()) {
+ "; orgDN=" + orgDN);
}
// all entries which has nsRoleDN=managedRoleName
try {
} catch (LDAPException lde) {
+ resultCode);
if (debug.messageEnabled()) {
"LDAPv3Repo: getManagedRoleMembers, ld.search error", lde);
}
return roleMemberDNs;
} finally {
}
}
while (res.hasMoreElements()) {
try {
}
} catch (LDAPReferralException lre) {
// ignore referrals
continue;
} catch (LDAPException le) {
// If time or size limit has reached, return the results
if (debug.messageEnabled()) {
+ le.getMessage()
+ " roleMembersDNs=" + roleMemberDNs);
}
return (roleMemberDNs);
}
if (debug.messageEnabled()) {
"search iteration exception", le);
}
}
}
if (debug.messageEnabled()) {
" exit getManagedRoleMembers. roleMembersDNs=" + roleMemberDNs);
}
// to work around a bug in ldapcache of not being able
// to flush the search if the search of role return empty.
clearCache();
}
return roleMemberDNs;
}
int resultCode = 0;
roleMemberDNs = new HashSet();
if (debug.messageEnabled()) {
+ "; membersType=" + membersType );
}
try {
} catch (LDAPException lde) {
+ resultCode);
if (debug.messageEnabled()) {
+ " ld.read", lde);
}
return roleMemberDNs;
} finally {
}
}
if (debug.messageEnabled()) {
" inside while. roleFilter=" + roleFilter);
}
// Use search scope as SCOPE_SUB to get members from
// filtered role.
request =
try {
} catch (LDAPException lde) {
+ resultCode);
if (debug.messageEnabled()) {
+ " ld.read", lde);
}
return roleMemberDNs;
} finally {
}
}
while (res.hasMoreElements()) {
try {
}
} catch (LDAPReferralException lre) {
// ignore referrals
} catch (LDAPException le) {
/*
* If time or size limit has reached, return
* the results.
*/
if (
) {
if (debug.messageEnabled()) {
"getFilteredRoleMembers search " +
le.getMessage() +
" ; roleMemberDNs=" + roleMemberDNs);
}
return (roleMemberDNs);
}
if (debug.messageEnabled()) {
"LDAPv3Repo: getFilteredRoleMembers " +
"iteration exception", le);
}
}
} // inner while
} // outer while
}
if (debug.messageEnabled()) {
}
return roleMemberDNs;
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#getMembers(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String,
* com.iplanet.am.sdk.IdType)
*/
if (debug.messageEnabled()) {
+ ": " + membersType);
}
+ " for Users or Agents");
} else {
"LDAPv3Repo: Groups do not supported membership for " +
membersType.getName());
throw new IdRepoException(
}
} else {
throw new IdRepoException(
}
} else {
throw new IdRepoException(
}
} else {
"305", args);
}
if (debug.messageEnabled()) {
}
return results;
}
private Set getGroupMemberFromUser(
throws IdRepoException, SSOException {
int resultCode = 0;
if (debug.messageEnabled()) {
"; memberOfAttr=" + memberOfAttr);
}
try {
} catch (LDAPException lde) {
+ resultCode);
if (debug.messageEnabled()) {
lde);
}
return groupDNs;
} finally {
}
}
}
}
return groupDNs;
}
switch (nextChar) {
case '*' :
break;
case '(' :
break;
case ')' :
break;
case '/' :
break;
case '\\' :
//assuming backslash wasn't escaped before this method
break;
case '\0' :
break;
default :
break;
}
}
}
private Set getGroupMemberSearch(
throws IdRepoException, SSOException {
int ldapResultCode = 0;
//replace any special search filter char defined in rfc2254
int searchGroupScope = searchScope;
if (debug.messageEnabled()) {
"; basedn=" + baseDN +
"; scope=" + searchGroupScope +
"\n grpMembershipFilter=" + grpMembershipFilter);
}
try {
} catch (LDAPException e) {
ldapResultCode = e.getLDAPResultCode();
if (debug.messageEnabled()) {
}
throw ide;
} finally {
}
}
try {
while (results.hasMoreElements()) {
try {
if (debug.messageEnabled()) {
}
} catch (LDAPReferralException refe) {
continue;
}
}
} catch (LDAPException e) {
ldapResultCode = e.getLDAPResultCode();
if (debug.messageEnabled()) {
}
throw ide;
}
return groupDNs;
}
private Set getGroupMemberShips(
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
"; membershipType=" + membershipType);
}
return groupDNs;
}
if (debug.messageEnabled()) {
" membershipType=" + membershipType);
}
int resultCode = 0;
try {
} catch (LDAPException lde) {
if (debug.messageEnabled()) {
}
return roleDNs;
} finally {
}
}
if (foundEntry != null) {
}
}
}
return roleDNs;
}
int resultCode = 0;
allRoleDNs = new HashSet();
// nsRole returns both managedRole and filteredRole.
// there is no way to just get the filtererRole.
// so get all the roles(managedRole and filteredRole) then
// remove managedRole from all the roles to get the filteredRole.
try {
} catch (LDAPException lde) {
if (debug.messageEnabled()) {
"ld.read: error", lde);
}
return allRoleDNs;
} finally {
}
}
}
}
if (debug.messageEnabled()) {
}
// need to convert to lowercaes before comparision because
// ds is case insensitive and will sometime return all lowercase
// and sometime return mix case for filtered and static role.
}
if (!normManagedRoleDNs.contains(
}
}
allRoleDNs = result;
return allRoleDNs;
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#getMemberships(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String,
* com.iplanet.am.sdk.IdType)
*/
if (debug.messageEnabled()) {
}
+ " Users is not allowed ");
} else {
} else { // Memberships of any other types not supported for
+ "entities not supported for Users");
membershipType.getName() };
throw new IdRepoException(
}
}
return result;
}
throws IdRepoException, SSOException {
int resultCode = 0;
userDN);
if (memberOfAttr != null) {
}
switch (operation) {
case ADDMEMBER:
mod = new LDAPModification(
modMemberOf = new LDAPModification(
}
break;
case REMOVEMEMBER:
mod = new LDAPModification(
modMemberOf = new LDAPModification(
}
}
if (cacheEnabled) {
}
throw ide;
}
try {
} catch (LDAPException lde) {
+ " userDN= " + userDN );
if (debug.messageEnabled()) {
"ld.modify", lde);
}
} finally {
}
}
throw ide;
}
request =
try {
} catch (LDAPException lde) {
+ " userDN= " + userDN );
if (debug.messageEnabled()) {
"ld.modify", lde);
}
} finally {
}
}
}
}
}
throws IdRepoException, SSOException {
// to add just put nsRoleDN into the user entry.
// there is nothing we can for filtered role since membership
// is controlled by a filtered.
int resultCode = 0;
switch (operation) {
case ADDMEMBER:
break;
case REMOVEMEMBER:
mbr1);
}
try {
} catch (LDAPException lde) {
roleDN);
if (debug.messageEnabled()) {
"ld.modify: ", lde);
}
} finally {
}
}
if (cacheEnabled) {
}
}
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#modifyMemberShip(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String, java.util.Set,
* com.iplanet.am.sdk.IdType, int)
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
+ operation);
}
if (debug.messageEnabled()) {
"is empty");
}
}
if (debug.messageEnabled()) {
"to users and agents is not supported");
}
}
if (debug.messageEnabled()) {
"type cannot be made a member of any identity"
+ membersType.getName());
}
}
}
} else {
}
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#removeAttributes(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String, java.util.Set)
*/
if (debug.messageEnabled()) {
}
}
}
if ((predefinedAttr != null)
continue;
}
} // while
int resultCode = 0;
try {
} catch (LDAPException lde) {
if (debug.messageEnabled()) {
lde);
}
} finally {
}
}
if (cacheEnabled) {
}
}
}
/*
* (non-Javadoc)
*
* @see com.sun.identity.idm.IdRepo#search(com.iplanet.sso.SSOToken,
* com.sun.identity.idm.IdType, java.lang.String, int, int,
* java.util.Set, boolean, int, java.util.Map)
*/
boolean recursive)
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
+ returnAttrs);
+ returnAttrs);
}
// String base = orgDN;
if (!recursive) {
}
boolean attrsOnly = false;
int ldapErrCode = 0;
int errorCode;
if (maxResults < 1) {
} else {
}
if (maxTime < 1) {
} else {
}
if ((returnAllAttrs) ||
.size()]);
} else { // don't return any attr it will be faster.
// Need to get back the naming attribute
}
}
if (debug.messageEnabled()) {
} else {
}
}
try {
} catch (LDAPException lde) {
if (debug.messageEnabled()) {
"LDAPv3Repo: search, ld.search error: " + resultCode);
}
ldapError)};
(resultCode == 82)){
throw ide;
} else if (resultCode == 32) {
// return empty set for entry not found error.
return new RepoSearchResults(new HashSet(),
} else {
throw ide;
}
} finally {
}
}
allEntryMap = new HashMap();
allEntries = new HashSet();
try {
while (myResults.hasMoreElements()) {
if (debug.messageEnabled()) {
+ "; returnAllAttrs=" + returnAllAttrs
+ "; allEntries=" + allEntries
+ "; allEntryMap=" + allEntryMap);
}
if (returnAllAttrs) {
// return all the attributes
for (int i = 0; i < size; i++) {
&& enumVals.hasMoreElements()) {
}
}
}
// Get the naming attribute value
namingAttr.toLowerCase())) {
} else
}
if (debug.messageEnabled()) {
"; attrEntryMap=" + attrEntryMap);
}
// return the attributes specified by caller.
attrName);
// return empty set if attribute does not exist.
&& enumVals.hasMoreElements()) {
}
}
}
// Get the naming attribute value
namingAttr.toLowerCase())) {
} else
}
if (debug.messageEnabled()) {
"; attrEntryMap=" + attrEntryMap);
}
} else {
/*
* returnAllAttrs is false and list of attr to return is
* null do not return any attribute.
* Get the naming attribute for results
* return entry DN if empty
*/
namingAttr.toLowerCase())) {
enumVals.hasMoreElements()) {
}
}
if (debug.messageEnabled()) {
"; allEntries=" + allEntries);
}
}
} // while
} catch (LDAPException e) {
ldapErrCode = e.getLDAPResultCode();
switch (errorCode) {
case LDAPException.LDAP_TIMEOUT:
{
break;
}
case LDAPException.SIZE_LIMIT_EXCEEDED: {
break;
}
default:
}
}
if (debug.messageEnabled()) {
}
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#search(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String, java.util.Map, boolean,
* int, int, java.util.Set)
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
}
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#setAttributes(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String, java.util.Map, boolean)
*/
throws IdRepoException, SSOException {
}
/*
* (non-Javadoc)
*
* @see com.iplanet.am.sdk.IdRepo#setAttributes(com.iplanet.sso.SSOToken,
* com.iplanet.am.sdk.IdType, java.lang.String, java.util.Map, boolean)
*/
boolean dontChangeOCs)
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
+ name + " attributes = " +
}
if (debug.messageEnabled()) {
"are empty");
}
}
}
if (encodedPwd != null) {
if (isAdd) {
} else {
}
}
if ((predefinedAttr != null)
if (debug.messageEnabled()) {
" setAttributes: not in predefinedAttr list"
+ " predefinedAttr=" + predefinedAttr
+ " attrName=" + attrName);
}
continue;
}
if (isString) {
// delete the attribute from entry by setting value to
// empty.
} else {
if (isAdd) {
} else {
}
}
} else {
for (int i = 0; i < size; i++) {
if (debug.messageEnabled()) {
}
}
if (isAdd) {
} else {
}
if (debug.messageEnabled()) {
}
}
} // while
// Check if LdapModSet is empty
if (debug.messageEnabled()) {
}
}
// For user objects, need to check if all objectclasses are present
// If not, they must be added (for account lockout atleast)
.hasNext();) {
boolean found = false;
// Check if present in ocValues
{
found = true;
break;
}
}
if (!found) {
}
}
}
}
if (!ocsToBeAdded.isEmpty()) {
// see if user is adding objectclass if so remove the one
// he is adding from our list.
}
}
// For all the OCs in the ocsToBeAdded Set, compare the
// attributes with the incoming attributes to be set and
// then if present, consider the OC to be added. This is
// to avoid unnecessary adding of all OCs inspite of any
// operation.
try {
break;
}
}
}
}
} catch (LDAPException ldx) {
if (debug.warningEnabled()) {
}
}
// Add to ldapModSet
if (!ocsToBeAdded.isEmpty()) {
}
}
}
int resultCode = 0;
eDN, ldapModSet);
try {
if (debug.messageEnabled()) {
}
} catch (LDAPException lde) {
if (debug.warningEnabled()) {
resultCode, lde);
}
} finally {
}
}
if (cacheEnabled) {
}
}
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
}
"229", args);
}
} else {
}
int resultCode = 0;
try {
if (sslMode) {
} else {
ldc = new LDAPConnection();
}
if (debug.messageEnabled()) {
}
if (cacheEnabled) {
}
} catch (LDAPException lde) {
if (debug.warningEnabled()) {
resultCode, lde);
}
} finally {
try {
ldc.disconnect();
} catch (LDAPException lde) {
}
}
}
}
/**
* Called by assignService() and modifyService(). Apart from
* seting mixed types of attributes (string & binary), it does not
* modify the objectclasses.
*/
// check for binary attributes.
boolean foundBin = false;
if (!foundBin) {
// need to seperate into binary and string
// attribute map
binAttrMap = new HashMap();
}
foundBin = true;
}
}
if (foundBin) {
// Set the binary attributes
} else {
}
}
/*
* (non-Javadoc)
*
* @see com.sun.identity.idm.IdRepo#assignService(com.iplanet.sso.SSOToken,
* com.sun.identity.idm.IdType, java.lang.String, java.lang.String,
* java.util.Map)
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
}
"213", args);
// setAttributes(token, type, name, attrMap, false);
return;
}
// add the serviceName and attrMap to myServiceMap
if (debug.messageEnabled()) {
+ myServiceMap);
}
} else {
"null or 0");
}
if (debug.messageEnabled()) {
+ myServiceMap);
}
if (myListener != null) {
}
} else {
"213", args);
}
if (debug.messageEnabled()) {
+ myServiceMap);
}
}
/*
* (non-Javadoc)
*
* @see com.sun.identity.idm.IdRepo#unassignService(
* com.iplanet.sso.SSOToken,
* com.sun.identity.idm.IdType, java.lang.String, java.lang.String,
* java.util.Set)
*/
if (debug.messageEnabled()) {
+ "; attrMap=" + attrMap);
}
{
"213", args);
// remove the serviceName and attrMap from myServiceMap
if (debug.messageEnabled()) {
"myServiceMap:" + myServiceMap);
}
} else {
"null or 0");
}
if (debug.messageEnabled()) {
+ myServiceMap);
}
if (myListener != null) {
}
// Get the object classes that need to be remove from Service Schema
// Get the attributes that need to be removed
try {
} catch (LDAPException lde) {
"get Object Attributes failed: "
+ resultCode);
if (debug.messageEnabled()) {
}
}
}
}
try {
// remove attribute one at a time, so if the first
// one fails, it will keep continue to remove
// other attributes.
if (debug.messageEnabled()) {
"occurred while removing attribute: "
+ attrName);
}
} // catch
} else {
/*
* Basically, when the service is unassigned, it should
* remove the service related attributes first and the OCs.
* While getting all objectclasses that is for services and
* the relevant user attributes that are associated with
* the service to remove, somehow getOCAttributes() api
* returns the following eventhough there is no string
* manipulation in that api.
* removeAttrs [iplanet-am-user-federation-info-key,
* sunidentityserverdiscoentrie,
* iplanet-am-user-federation-info]
* But the attrName is like
* attrName sunidentityserverdiscoentries
* So added this startsWith check here.
*/
try {
false);
if (debug.messageEnabled()) {
"else part: error " +
"occurred while removing attribute: "
+ attrName);
}
} // catch
}
}
}
} // while
// Now update the object class attribute
} else {
"213", args);
}
}
/*
* (non-Javadoc)
*
* @see com.sun.identity.idm.IdRepo#getAssignedServices(
* com.iplanet.sso.SSOToken,
* com.sun.identity.idm.IdType, java.lang.String)
*/
if (debug.messageEnabled()) {
+ myServiceMap);
}
{
"213", args);
}
}
if (debug.messageEnabled()) {
"resultsSet: " + resultsSet);
}
if (debug.messageEnabled()) {
}
} else {
"213", args);
}
return resultsSet;
}
/* (non-Javadoc)
* @see com.sun.identity.idm.IdRepo#getServiceAttributes(
* com.iplanet.sso.SSOToken, com.sun.identity.idm.IdType, java.lang.String,
* java.lang.String, java.util.Set)
*/
public Map getServiceAttributes(
) throws IdRepoException, SSOException {
true));
}
/* (non-Javadoc)
* @see com.sun.identity.idm.IdRepo#getServiceAttributes(
* com.iplanet.sso.SSOToken, com.sun.identity.idm.IdType,
* java.lang.String, java.lang.String, java.util.Set)
*/
public Map getBinaryServiceAttributes(
) throws IdRepoException, SSOException {
false));
}
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
}
{
"213", args);
// get the user attributes from ldap.
// find the attributes in service map.
if (debug.messageEnabled()) {
+ userAttrs);
}
return (userAttrs);
}
if (debug.messageEnabled()) {
"userAttrs:" + userAttrs);
}
return (userAttrs);
} else {
// find the attrs requested from the realm service map.
}
}
if (debug.messageEnabled()) {
}
}
// merge the attributes found from user and service map.
// use values from user first then the default template.
// convert to binary if necessary
if (tmpAttrSet != null) {
// convert to binary
int i =0;
byte [][] resultArr =
i++;
}
} else {
}
}
}
}
if (debug.messageEnabled()) {
}
return (userAttrs);
"returns empty");
return (new HashMap());
}
if (debug.messageEnabled()) {
+ "attrNames is null or empty. srvCfgAttrMap="
+ srvCfgAttrMap);
}
return (new HashMap(srvCfgAttrMap));
} else {
srvCfgAttrMap.keySet());
}
}
if (debug.messageEnabled()) {
"REALM resultMap=" + resultMap);
}
return (resultMap);
}
} else {
"213", args);
}
}
/*
* (non-Javadoc)
*
* @see com.sun.identity.idm.IdRepo#modifyService(com.iplanet.sso.SSOToken,
* com.sun.identity.idm.IdType, java.lang.String, java.lang.String,
* java.util.Map)
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
}
{
"213", args);
// modify my map by doing an add and replace of existing value.
// call listener.
if (debug.messageEnabled()) {
"myServiceMap" + myServiceMap);
}
} else {
} else {
}
}
}
if (debug.messageEnabled()) {
"myServiceMap" + myServiceMap);
}
if (myListener != null) {
"setServiceAttributes:" + myServiceMap);
}
throw new IdRepoException(
} else {
}
} else {
"213", args);
}
}
/**
* Returns the fully qualified name for the identity. It is expected
* that the fully qualified name would be unique, hence it is recommended
* to prefix the name with the data store name or protocol.
* Used by IdRepo framework to check for equality of two identities
*
* @param token administrator SSOToken that can be used by the datastore
* to determine the fully qualified name
* @param type type of the identity
* @param name name of the identity
*
* @return fully qualified name for the identity within the
* data store
*/
throws IdRepoException, SSOException {
// given the idtype and the name, we will do search to get its FDN.
if (debug.messageEnabled()) {
+ "; name=" + name);
}
"220", args);
}
return null;
} else {
}
}
}
/*
* search for the "name" in DS and return DN if found
* ruturns empty string otherwise.
*/
throws IdRepoException, SSOException {
// given the idtype and the name, we will do search to get its FDN.
if (debug.messageEnabled()) {
+ "; name=" + name);
}
int userMatches = 0;
int ldapResultCode = 0;
try {
if (debug.messageEnabled()) {
}
} catch (LDAPException e) {
ldapResultCode = e.getLDAPResultCode();
if (debug.messageEnabled()) {
}
throw ide;
} finally {
}
}
try {
boolean userNamingValueSet=false;
while (results.hasMoreElements()) {
try {
userMatches ++;
if (debug.messageEnabled()) {
}
} catch (LDAPReferralException refe) {
continue;
}
}
} catch (LDAPException e) {
ldapResultCode = e.getLDAPResultCode();
if (debug.messageEnabled()) {
}
throw ide;
}
if (userMatches > 1) {
if (debug.messageEnabled()) {
+ " found more than match.");
}
}
return userDN;
}
/**
* Returns <code>true</code> if the data store supports authentication
* of identities. Used by IdRepo framework to authenticate identities.
*
* @return <code>true</code> if data store supports authentication of
* of identities; else <code>false</code>
*/
public boolean supportsAuthentication() {
if (debug.messageEnabled()) {
" authenticationEnabled=" + true);
}
return (true);
}
/**
* Returns <code>true</code> if the successfully authenticates
* the identity with the provided credentials. In case it
* requires additional credentials, the list would be returned via the
* <code>IdRepoException</code> exception.
*
* @param credentials Array of callback objects containing information
* such as username and password.
*
* @return <code>true</code> if it authenticates the identity;
* else <code>false</code>
*/
throws IdRepoException, AuthLoginException {
// Obtain user name and password from credentials and authenticate
if (credentials[i] instanceof NameCallback) {
if (debug.messageEnabled()) {
username);
}
} else if (credentials[i] instanceof PasswordCallback) {
.getPassword();
"LDAPv3Repo:authenticate passwd present: XXX");
} else {
}
}
}
throw new IdRepoException(
}
boolean success = false;
if (debug.messageEnabled()) {
+ username);
}
// ldapServerName is list of server names seperated by sapce for
// failover purposes. LDAPConnection will automatcially
// handle failover.
// port will not be used since ldapserver is in the following format:
// nameOfLDAPhost:portNumber.
if (ldapServerName == null) {
}
try {
} catch (LDAPUtilException ldapUtilEx) {
if (debug.messageEnabled()) {
" LDAPUtilException: " +
ldapUtilEx.getMessage());
}
"211", args);
}
if (debug.messageEnabled()) {
"IdType.USER authenticateIt=true");
}
return(true);
}
}
if (debug.messageEnabled()) {
"IdType.AGENT authenticateIt=true");
}
return(true);
}
}
if (debug.messageEnabled()) {
"IdType.GROUP authenticateIt=true");
}
return(true);
}
}
if (debug.messageEnabled()) {
username);
}
return(false);
}
throws IdRepoException,
return (false);
}
}
try {
// need to reset filter otherwise it appends
// new filter to previous filter.
}
} catch (LDAPUtilException ldapUtilEx) {
switch (ldapUtilEx.getLDAPResultCode()) {
if (debug.messageEnabled()) {
"The specified user does not exist. " +
"username=" + username);
}
throw new AuthLoginException(AM_AUTH,
"NoUser", null);
if (debug.messageEnabled()) {
" Invalid password. username=" + username);
}
throw new InvalidPasswordException(AM_AUTH,
if (debug.messageEnabled()) {
"Unwilling to perform. Account inactivated." +
" username" + username);
}
throw new AuthLoginException(amAuthLDAP,
"FConnect", null);
if (debug.messageEnabled()) {
"Inappropriate authentication. username="
+ username);
}
null);
if (debug.messageEnabled()) {
"Exceed password retry limit. username"
+ username);
}
throw new AuthLoginException(amAuthLDAP,
"ExceedRetryLimit", null);
default:
if (debug.messageEnabled()) {
"default exception. username=" + username);
}
}
}
}
/*
* returns the LDPACache handle for this instance of the plugin.
*/
return(ldapCache);
}
/*
* flush the entire cache starting from orgDN.
*/
public void clearCache() {
if (debug.messageEnabled()) {
}
return;
}
if (debug.messageEnabled()) {
}
}
/*
* removed the dn from the cache.
*/
if (debug.messageEnabled()) {
}
boolean flushStatus;
return;
}
/*
DN fqdn = new DN(dn);
DN parentDN = fqdn.getParent();
String parent = parentDN.toString();
DN grandParentDN = parentDN.getParent();
String grandParent = grandParentDN.toString();
do {
flushStatus = ldapCache.flushEntries(
dn, LDAPv2.SCOPE_BASE);
if (debug.messageEnabled()) {
debug.message("objectChanged " +
"LDAPPersistSearchControl.MODIFY " + dn +
" dn scope_base flushStatus= " + flushStatus);
}
} while (flushStatus);
do {
flushStatus = ldapCache.flushEntries(
parent, LDAPv2.SCOPE_BASE);
if (debug.messageEnabled()) {
debug.message("objectChanged " +
"LDAPPersistSearchControl.MODIFY " + parent +
" parent scope_base flushStatus= " + flushStatus);
}
} while (flushStatus);
do {
flushStatus = ldapCache.flushEntries(
parent, LDAPv2.SCOPE_ONE);
if (debug.messageEnabled()) {
debug.message("objectChanged " +
"LDAPPersistSearchControl.MODIFY " + parent +
" parent scope_one flushStatus= " + flushStatus);
}
} while (flushStatus);
do {
flushStatus = ldapCache.flushEntries(
parent, LDAPv2.SCOPE_SUB);
if (debug.messageEnabled()) {
debug.message("objectChanged" +
" LDAPPersistSearchControl.MODIFY " + parent +
" parent scope_sub flushStatus= " +flushStatus);
}
} while (flushStatus);
// we need to do grandparent because of role membership.
// the base of role membershp is 2 levels above user.
do {
flushStatus = ldapCache.flushEntries(grandParent,
LDAPv2.SCOPE_ONE);
if (debug.messageEnabled()) {
debug.message("objectChanged " +
"LDAPPersistSearchControl.MODIFY " +
"grandParent scope_one flushStatus= " +
grandParent + " " + flushStatus);
}
} while (flushStatus);
do {
flushStatus = ldapCache.flushEntries(
grandParent, LDAPv2.SCOPE_SUB);
if (debug.messageEnabled()) {
debug.message("objectChanged " +
"LDAPPersistSearchControl.MODIFY " +
"grandParent scope_sub flushStatus= " +
grandParent + " " + flushStatus);
}
} while (flushStatus);
*/
do {
// this includes self.
if (debug.messageEnabled()) {
"LDAPPersistSearchControl.MODDN" +
" parent scope_one: flushStatus= " +
}
} while (flushStatus);
do {
if (debug.messageEnabled()) {
+ " parent scope_base: flushStatus= " +
}
} while (flushStatus);
} else { // assume LDAPPersistSearchControl.DELETE is the only one left.
}
}
/**
* find all the datastore that are interested in this change
* and notify its listener and update the data store's cache.
*/
boolean clearCache) {
if (debug.messageEnabled()) {
+ clearCache);
}
//Map listOfRepo = (Map) listOfPS.get(psIdKey);
if (listOfRepo != null) {
//HashSet listOfDS = (HashSet) listOfRepo.get("listOfDS");
if (!v3Repo.hasShutdown) {
if (allObjChanged) {
clearCache = true;
} else {
while (supTypeIter.hasNext()) {
}
}
if (clearCache) {
v3Repo.clearCache();
}
}
}
} else {
if (debug.messageEnabled()) {
+ "did not find any datastore for this ps.");
}
}
}
/**
* checks for an LDAP v3 server whether the control has returned
* if a password has expired or password is expiring and password
* policy is enabled on the server.
* @return PASSWOR_EXPIRED if password has expired
* Return number of seconds until expiration if password is going to expire
*/
int status = NO_PASSWORD_CONTROLS;
return PASSWORD_EXPIRED;
}
}
}
if (expgControl != null) {
try {
/* Return the number of seconds until expiration */
return expgControl.getSecondsToExpiration();
} catch(NumberFormatException e) {
if (debug.messageEnabled()) {
"> in password expiring control" );
}
}
}
}
return NO_PASSWORD_CONTROLS;
}
throws LDAPException, IdRepoException {
objClassName );
objClassName ) );
return attributes;
}
throws LDAPException, IdRepoException {
while( en.hasMoreElements() ) {
}
}
return attributeNames;
}
throws LDAPException, IdRepoException {
while( en.hasMoreElements() ) {
}
}
return attributeNames;
}
private LDAPSchema getLDAPSchema()
throws LDAPException, IdRepoException {
try {
} finally {
}
}
return (dirSchema);
}
throws IdRepoException, SSOException {
return OCValues;
}
return vals;
} else {
}
return tSet;
}
}
// read op from st.
while (st.hasMoreTokens()) {
if (supportService) {
}
}
}
if (debug.messageEnabled()) {
}
return opsReadSet;
}
// FIXME Is the field this.userSpecifiedOpsSet to be used in this?
// parse each entry, string, based syntax:
// idType=idOperation,idOperation ...
// if the idType is within my type and op then add it.
if (debug.messageEnabled()) {
}
idTypeRead = null;
if (st.hasMoreTokens()) {
if (debug.messageEnabled()) {
}
} else {
}
} // else a blank line.
if (debug.messageEnabled()) {
+ "; opsRead:" + opsRead);
}
}
} // while
// always added the "realm=service" so services can be added to realm.
}
}
private void loadSupportedOps() {
if (debug.messageEnabled()) {
}
}
} else {
// should we just throw an exception
}
if (debug.messageEnabled()) {
+ objClassFilter);
}
return objClassFilter;
}
} else {
// should we just throw an exception
}
return namingAttr;
}
name = "";
}
|| (peopleCtnrNamingAttr == null)
// Since people container is not specified, do a sub-tree
// search to find the user DN
// Auto-construct the DN in case search failed
try {
new LDAPSearchConstraints();
if (debug.messageEnabled()) {
}
if ((userAtttributesAllowed == null) ||
(userAtttributesAllowed.isEmpty())) {
try {
}
} finally {
}
}
} else {
try {
}
} finally {
}
}
}
// Take the first DN
} else {
if (debug.messageEnabled()) {
}
clearCache();
try {
}
} finally {
}
}
} else {
if (debug.messageEnabled()) {
"user search null.");
}
}
}
if (debug.messageEnabled()) {
"LDAPv3Repo.getDN. search return dn=" + dn);
}
} else {
if (debug.warningEnabled()) {
}
}
// Debug the exception and return the auto-constructed DN
if (debug.messageEnabled()) {
}
}
} else {
}
|| (agentCtnrNamingAttr == null)
} else {
}
|| (groupCtnrNamingAttr == null)
try {
try {
} finally {
}
}
// Take the first DN
}
// Debug the exception and return the auto-constructed DN
if (debug.messageEnabled()) {
}
}
} else {
}
} else {
"305", args);
}
return dn;
}
|| (peopleCtnrNamingAttr == null)
} else {
}
|| (agentCtnrNamingAttr == null)
} else {
}
|| (groupCtnrNamingAttr == null)
} else {
}
} else {
}
return dn;
}
if (debug.messageEnabled()) {
+ "filterModifier=" + filterModifier);
}
return null;
}
}
}
}
if (debug.messageEnabled()) {
+ filterSB);
}
}
if (debug.messageEnabled()) {
}
} else {
")");
}
if (debug.messageEnabled()) {
+ "objectClassFilter=" + objectClassFilter);
}
return (objectClassFilter);
} else {
if (indexat == -1) {
vPart = "*";
} else {
}
while (index != -1) {
filterSB = new StringBuffer();
}
// int index2 = objectClassFilter.indexOf("%V");
while (vIndex != -1) {
filterSB = new StringBuffer();
}
}
if (debug.messageEnabled()) {
+ "objectClassFilter=" + objectClassFilter);
}
return objectClassFilter;
}
if (createUserAttrMappingSet == null
|| createUserAttrMappingSet.isEmpty()) {
} else {
if (debug.messageEnabled()) {
+ "createUserAttrMappingSet="
}
if (eqIndex > -1) {
} else {
// this is a special case to denote use the user name for
// attr value.
}
}
}
if (debug.messageEnabled()) {
+ createAttrMap);
}
return createAttrMap;
}
} else {
}
}
// the key is made up of ...
// we might not need _idleTimeOut, _numRetries, _retryInterval
// and _retryErrorCodes since these values will likely be same
// for a given host. might be true for ssl also.
return psIdKey;
}
}
if (debug.messageEnabled()) {
+ " ; codes=" + codes);
}
} else {
}
}
return sortedCodes;
}
int defaultValue) {
int value = defaultValue;
try {
}
} catch (NumberFormatException nfe) {
}
if (debug.messageEnabled()) {
+ " = " + value);
}
return value;
}
private String getPropertyStringValue(
value = defaultVal;
}
return value;
}
} else {
if (debug.messageEnabled()) {
+ key);
}
}
if (debug.messageEnabled()) {
+ " = " + value);
} else {
+ key + " = NULL or ZERO LENGTH");
} else {
+ key + " = has value XXX");
}
}
}
return value;
}
}
private void checkConnPool()
throws IdRepoException {
throw ide;
}
}
throws IdRepoException, IdRepoFatalException {
throw ide;
// Throw Fatal exception for errCode 19 (Password too short)
// as it breaks password policy for password length.
throw ide;
throw ide;
eDN = "";
}
throw ide;
} else {
throw ide;
}
}
}