8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: ComplianceServicesImpl.java,v 1.10 2009/11/20 23:52:51 ww203982 Exp $
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington * Portions Copyrighted 2011-2015 ForgeRock AS.
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunningtonimport com.iplanet.am.sdk.AMEntryExistsException;
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunningtonimport com.iplanet.am.sdk.AMStoreConnection;
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunningtonimport com.iplanet.am.sdk.common.IComplianceServices;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.sm.ServiceSchemaManager;
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunningtonimport org.forgerock.opendj.ldap.ModificationType;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This class <code>Compliance</code> contains the functionality to support
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * iPlanet Compliant DIT. The methods of this class will be used by other
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * classes in <code>com.iplanet.am.sdk package</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * In order to determine if iPlanet Compliance mode is required or not, the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * parameter <code>com.iplanet.am.compliance</code> will be verified. A value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of <code>true</code> for this parameter, means iPlanet Compliance mode.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * NOTE: An explicit check must be performed using the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Compliance.isIplanetCompliant() method before calling any other methods in this class.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic class ComplianceServicesImpl implements AMConstants, IComplianceServices
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Map to keep role->group name mapping
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static private Map roleToGroupMap = new HashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static private Map groupToRoleMap = new HashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static private String USER_STATUS_ATTRIBUTE = "inetuserstatus";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static private String GROUP_STATUS_ATTRIBUTE = "inetgroupstatus";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static private String ORG_STATUS_ATTRIBUTE = "inetdomainstatus";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static private String RESOURCE_STATUS_ATTRIBUTE = "icsstatus";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static private String DEFAULT_DELETED_ORG_FILTER =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "(&(sunPreferredDomain=%V)(inetDomainStatus=deleted)"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "(objectclass=sunManagedOrganization))";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static private String DEFAULT_DELETED_GROUP_FILTER =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "(&(inetgroupstatus=deleted)(objectclass=iplanet-am-managed-group))";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static private String DEFAULT_DELETED_USER_FILTER =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "(&(inetUserStatus=deleted)(objectclass=inetorgperson))";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static private String DEFAULT_DELETED_OBJECT_FILTER =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "(|(objectclass=*)(objectclass=ldapsubentry))";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static private String DEFAULT_DELETED_RESOURCE_FILTER =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "(&(objectclass=icsCalendarResource)(icsStatus = deleted))";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static SSOToken internalToken = CommonUtils.getInternalToken();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster rootSuffix = AMStoreConnection.getAMSdkBaseDN();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("com.iplanet.am.rootsuffix property value "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "should not be null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method to addAttributes to an entry
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private void addAttributesToEntry(SSOToken token, String dn,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PersistentObject po = UMSObject.getObjectHandle(token, new Guid(dn));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method to remove attributes from an entry
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private void removeAttributesFromEntry(SSOToken token, String dn,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PersistentObject po = UMSObject.getObjectHandle(token, new Guid(dn));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which returns the group name corresponding to a role DN. Returns null
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if no mapping is found.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Obtain the role name from the roleDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if top level admin-role
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String groupName = (String) roleToGroupMap.get(dn.toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (groupName == null) { // If not, a org level admin-role
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington String roleName = LDAPUtils.rdnValueFromDn(dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster groupName = (String) roleToGroupMap.get(roleName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.getGroupRoleFromDN():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which returns the role name corresponding to a group DN. Returns null
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if no mapping is found.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Obtain the group name from the groupDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if top level admin-role
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington String groupName = LDAPUtils.rdnValueFromDn(dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String roleName = (String) groupToRoleMap.get(groupName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.getRoleFromGroupDN: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "Obtained group to role mapping: " + groupName + " ::"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (roleName == null) { // If not, a org level admin-role
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.getRoleFromGroupDN " + "Group: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.getRoleFromGroupDN:" + "Role Name: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which verifies if the <code>roleDN</code> corresponds to an
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * admin role. If true the <code>memberOf</code> and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>adminRole</code> attributes of each member/user are set to the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * corresponding administration <code>groupDN</code> and administration
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>groupRDN</code> respectively. Each of the members/users are also
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * added to the corresponding admin group.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * single sign on token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param membersGuid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Guid array of members to be operated on.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param roleDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * distinguished name of the role.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AMException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if unsuccessful in adding the members to the corresponding
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * admin group. As a result of which the memberOf and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * adminRole attributes are also not updated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected void verifyAndLinkRoleToGroup(SSOToken token, Guid[] membersGuid,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Obtain the group corresponding to roleDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (groupName != null) { // roleDN corresponds to an admin role
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Add the members to corresponding group.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AssignableDynamicGroup group = (AssignableDynamicGroup)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster addAttributesToEntry(token, membersGuid[i].getDn(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance.verifyAndLinkRoleToGroup: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "Admin groups are missing");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance." + "verifyAndLinkRoleToGroup(): ", ue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("771"), "771");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Verifies if the <code>roleDN</code> corresponds to an admin role. If
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * true the <code>memberOf</code> and <code>adminRole</code> attributes
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of each member/user are set to null. Each of the members/users is also
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * removed from the corresponding admin group.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * single sign on token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param members
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Set of member distinguished name to be operated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param roleDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * distinguished name of the role.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AMException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if unsuccessful in removing the members from the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * corresponding administrative groups and updating the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>memberOf</code> and <code>adminRole</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * attribute values to null.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected void verifyAndUnLinkRoleToGroup(SSOToken token, Set members,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Obtain the group corresponding to roleDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Delete the memberOf & adminRole attribute values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // corresponding to this groupDN.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AssignableDynamicGroup group = (AssignableDynamicGroup)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster removeAttributesFromEntry(token, memberDN, attrSet);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance.verifyAndUnLinkRoleToGroup: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "Admin groups are missing");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance." + "verifyAndUnLinkRoleToGroup(): ",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("772"), "772");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which verifies if the <code>groupDN</code> corresponds to an
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * administrative role. If true then the members listed in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <Code>membersGuid</Code> are added to the admin role.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param membersGuid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Guid array of members to be operated on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param groupDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DN of the group
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AMException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if unsuccessful in adding the members to the corresponding
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * admin group. As a result of which the memberOf and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * adminRole attributes are also not updated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected void verifyAndLinkGroupToRole(SSOToken token, Guid[] membersGuid,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Obtain the role corresponding to groupDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (roleName != null) { // roleDN corresponds to an admin role
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington String orgDN = dn.parent().parent().toString();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.verifyAndLinkGroupToRole"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " Linking group: " + groupDN + " to role :" + roleDN);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Add the members to corresponding group.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ManagedRole role = (ManagedRole) UMSObject.getObject(token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance.verifyAndLinkGroupToRole: Admin "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "groups are missing");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance.verifyAndLinkGroupToRole():", ue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("972", args),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which verifies if the groupDN corresponds to an admin role. If
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * true then the <Code> members </Code> are removed from the admin role.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token Single Sign On Token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param members Set of member DNs to be operated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param groupDN Distinguished Name of the group.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AMException if unsuccessful in removing the members from the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * corresponding admin groups and updating the <code>memberOf</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * and <code>adminRole</code> attribute values to null.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected void verifyAndUnLinkGroupToRole(SSOToken token, Set members,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Obtain the role corresponding to groupDN
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington String orgDN = dn.parent().parent().toString();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.verifyAndUnlinkGroupToRole(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Remove the members from the admin role
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ManagedRole role = (ManagedRole) UMSObject.getObject(token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance.verifyAndUnLinkGroupToRole: Admin "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "groups are missing");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance.verifyAndUnLinkGroupToRole(): ", ue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("972", args),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which checks the attribute set for the presence of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "inetuserstatus" attribute. If the attribute exists and has a value of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "deleted", the method returns true, if not it returns false.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param attrSet
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The attrSet to be verified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AMException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if the attrSet has an inetuserstatus attribute whose value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is "deleted"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected void verifyAttributes(AttrSet attrSet) throws AMException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String userStatus = attrSet.getValue(USER_STATUS_ATTRIBUTE);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (userStatus != null && userStatus.equalsIgnoreCase("deleted")) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("Compliance.verifyAttributes(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("327"), "327");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which adds additional compliance required attributes to the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * existing list of attribute names and then fetches the attribute set from
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * LDAP. The compliance attributes are verified for "inetuserstatus"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * attribute.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param po a PersistentObject of the entry.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param attributeNames Array of attribute names.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AMException if the fetched attribute set has an inetuserstatus
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * attribute whose value is "deleted", or if unable to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * fetch the attribute set.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected AttrSet verifyAndGetAttributes(PersistentObject po,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // The only thing to verify for compliance is "deleted user". Hence,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // fetch additional attribute "inetuserstatus" along with the given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // attributes
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean found = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if "inetuserstatus" attribute already exists in request
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String fetchAttributes[] = new String[numAttrs + 1];
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (; i < numAttrs; i++) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (attributeNames[i].equalsIgnoreCase(USER_STATUS_ATTRIBUTE)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // use the original list of attr names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Fetch the attribute,value pairs
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster retAttrSet = po.getAttributes(fetchAttributes);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance.verifyAndGetAttributes(): ", ue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("330"), "330");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Verify for deleted user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which checks if the entry corresponding to userDN represents a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * deleted user entry (entry with inetuserstatus:deleted)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a SSOToken object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param userDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a String representing a user DN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AMEntryExistsException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if the userDN corresponds to a deleted user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected void checkIfDeletedUser(SSOToken token, String userDN)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String userAttribute[] = { USER_STATUS_ATTRIBUTE };
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PersistentObject po = UMSObject.getObject(token, new Guid(userDN),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.checkIfDeletedUser(): ", ue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (attrValue != null && attrValue.equalsIgnoreCase("deleted")) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("Compliance.checkIfDeletedUser(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMEntryExistsException(AMSDKBundle.getString("329"),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which checks if the entry corresponding to orgDN represents a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * deleted organization entry (entry with inetdomainstatus:deleted).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a SSOToken object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param orgDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a String representing an organization DN.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AMEntryExistsException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if the orgDN corresponds to a deleted organization.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected void checkIfDeletedOrg(SSOToken token, String orgDN)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PersistentObject po = UMSObject.getObject(token, new Guid(orgDN));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.checkIfDeletedOrg(): ", ue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (((attr != null) && (attr.size() != 0)) && attr.contains("deleted"))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Org is deleted
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("Compliance.checkIfDeletedOrg(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMEntryExistsException(AMSDKBundle.getString("361"),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which checks all the parent organizations of this entry till the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * base DN, and returns true if any one of them is deleted.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token Single Sign On token of user.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param dn Distinguished name of the object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param profileType the profile type of the object whose ancestor is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * being checked.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws AMException if there are errors from data layer.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public boolean isAncestorOrgDeleted(SSOToken token, String dn,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.isAncestorOrgDeleted-> "
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington String tdn = DN.valueOf(dn).toString().toLowerCase();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (((Boolean) deletedOrg.get(tdn)).booleanValue()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return true;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } // else continue
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster tdn = DirectoryServicesFactory.getInstance().getOrganizationDN(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check to see if the ancestor is in the deletedOrg cache.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.isAncestorOrgDeleted-> "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return ((Boolean) deletedOrg.get(tdn)).booleanValue();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PersistentObject po = UMSObject.getObject(internalToken,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Attr attr = po.getAttribute(ORG_STATUS_ATTRIBUTE);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (debug.messageEnabled() && (attr != null)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.isAncestorOrgDeleted-> "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ORG_STATUS_ATTRIBUTE + "=" + attr.toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Org is deleted
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("isAncestorOrgDeleted: caching org: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster synchronized (deletedOrg) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // we have encountered at least one ancestor
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // that is deleted, so return true.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return true;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("isAncestorOrgDeleted: caching org: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster synchronized (deletedOrg) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance.isAncestorOrgDeleted-> "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // continue till we reach the rootSuffix. any one of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // the ancestors could still be marked deleted.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster tdn = DirectoryServicesFactory.getInstance().getOrganizationDN(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // reached the rootSuffix. This should never be marked deleted
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method to clean up the deletedOrg cache, when an event notification
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * occurs from the directory
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param orgDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DN of organization that has been modified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void cleanDeletedOrgCache(String orgDN) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // check to see if this dn is in the deletedOrg cache.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // delete this entry if it is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster synchronized (deletedOrg) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the parent DN..
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington tdn = DN.valueOf(tdn).parent().toString().toLowerCase();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which checks if the entry corresponding to DN represents a user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * entry. If so, it sets the inetuserstatus attribute of the user to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * deleted. Otherwise, it simply deletes the entry corresponding to the DN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a SSOToken object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param profileDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a String representing a DN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AMException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if an error is encountered while setting the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * inetuserstatus attribute or if an error was encountered
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * while performing a delete.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void verifyAndDeleteObject(SSOToken token, String profileDN)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PersistentObject po = UMSObject.getObject(token, guid);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Attr attr = new Attr(USER_STATUS_ATTRIBUTE, "deleted");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance:verifyAndDeleteObject: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "Soft-delete mode, setting inetuserstatus "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster mailer = new EmailNotificationHelper(profileDN);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attributes = DirectoryServicesFactory.getInstance()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .getAttributes(token, profileDN, AMObject.USER);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (mailer.isPresentUserDeleteNotificationList()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Attr attr = new Attr(RESOURCE_STATUS_ATTRIBUTE, "deleted");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance:verifyAndDeleteObject: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "Soft-delete mode, setting icsstatus "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "to deleted");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster || po instanceof com.iplanet.ums.AssignableDynamicGroup
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster || po instanceof com.iplanet.ums.DynamicGroup) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Attr attr = new Attr(GROUP_STATUS_ATTRIBUTE, "deleted");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance:verifyAndDeleteObject: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "Soft-delete mode, setting inetgroupstatus "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "to deleted");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (po instanceof com.iplanet.ums.Organization) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance:verifyAndDeleteObject: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "Soft-delete mode, setting inetdomainstatus "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "to deleted");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Attr attr = new Attr(ORG_STATUS_ATTRIBUTE, "deleted");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DCTreeServicesImpl dcTreeImpl = (DCTreeServicesImpl)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster dcTreeImpl.updateDomainStatus(token, profileDN, "deleted");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance.deleteObject(): ", ue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("773"), "773");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Compliance.deleteObject(): ", se);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("773"), "773");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which checks if Admin Groups need to be created for an
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param orgDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization dn
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return true if Admin Groups need to be created
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AMException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if an error is encountered
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static boolean isAdminGroupsEnabled(String orgDN) throws AMException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceSchemaManager scm = new ServiceSchemaManager(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map attrMap = gsc.getReadOnlyAttributeDefaults();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set values = (Set) attrMap.get(ADMIN_GROUPS_ENABLED_ATTR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean enabled = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String val = (String) values.iterator().next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.isAdminGroupsEnabled = " + enabled);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("357"), "357");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("357"), "357");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which checks if the object is directly under root suffix
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param objDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return true if the object is directly under root suffix
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected static boolean isUnderRootSuffix(String objDN) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Will be null only in special cases during search filter
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // construction (AMSearchFilterManager.getSearchFilter())
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return true;
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington return rootDN.equals(objectDN) || rootDN.equals(objectDN.parent());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which creates Admin Groups for an organization.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a SSOToken object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param org
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * an organization object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AMException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if an error is encountered
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected void createAdminGroups(SSOToken token, PersistentObject org)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Attr attr = new Attr("objectclass", INET_ADMIN_OBJECT_CLASS);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attr = new Attr(ADMIN_ROLE_ATTR, DOMAIN_ADMINISTRATORS);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map attributes = CommonUtils.attrSetToMap(attrSet);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DirectoryServicesFactory.getInstance().createEntry(token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DOMAIN_ADMINISTRATORS, AMObject.ASSIGNABLE_DYNAMIC_GROUP, gcDN,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attr = new Attr("objectclass", INET_ADMIN_OBJECT_CLASS);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attr = new Attr(ADMIN_ROLE_ATTR, DOMAIN_ADMINISTRATORS);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attributes = CommonUtils.attrSetToMap(attrSet);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DirectoryServicesFactory.getInstance().createEntry(token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMObject.ASSIGNABLE_DYNAMIC_GROUP, gcDN, attributes);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which checks if Compliance User Deletion is enabled
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return true if Compliance User Deletion is enabled
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception AMException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if an error is encountered
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static boolean isComplianceUserDeletionEnabled() throws AMException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceSchemaManager scm = new ServiceSchemaManager(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map attrMap = gsc.getReadOnlyAttributeDefaults();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set values = (Set) attrMap.get(COMPLIANCE_USER_DELETION_ATTR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean enabled = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String val = (String) values.iterator().next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.isComplianceUserDeletionEnabled = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("359"), "359");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("359"), "359");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Method which gets the search filter to be used for searching for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * deleted objects.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public String getDeletedObjectFilter(int objectType) throws AMException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceSchemaManager scm = new ServiceSchemaManager(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster values = (Set) attrMap.get(COMPLIANCE_SPECIAL_FILTER_ATTR);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Compliance.getDeletedObjectSearchFilter = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("359"), "359");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new AMException(AMSDKBundle.getString("359"), "359");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (thisFilter.startsWith("Resource=")) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster org_filter = (org_filter == null) ? DEFAULT_DELETED_ORG_FILTER
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster group_filter = (group_filter == null) ? DEFAULT_DELETED_GROUP_FILTER
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster user_filter = (user_filter == null) ? DEFAULT_DELETED_USER_FILTER
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster def_filter = (def_filter == null) ? DEFAULT_DELETED_OBJECT_FILTER
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster res_filter = (res_filter == null) ? DEFAULT_DELETED_RESOURCE_FILTER
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return ("(|" + org_filter + group_filter + user_filter + def_filter