8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster* $Id: SMSEmbeddedLdapObject.java,v 1.3 2009/10/28 04:24:27 hengming Exp $
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden* Portions Copyrighted 2011-2016 ForgeRock AS.
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport java.security.AccessController;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport org.forgerock.guice.core.InjectorHolder;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport org.forgerock.openam.auditors.SMSAuditor;
ce4d3fddc8fe2eddd68a20af9570b3cc63ece5abNeil Maddenimport org.forgerock.opendj.ldap.ModificationType;
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Maddenimport org.forgerock.opendj.ldap.requests.ModifyRequest;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport org.opends.server.protocols.internal.InternalClientConnection;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport org.opends.server.protocols.internal.InternalSearchOperation;
ce4d3fddc8fe2eddd68a20af9570b3cc63ece5abNeil Maddenimport org.opends.server.protocols.internal.Requests;
ce4d3fddc8fe2eddd68a20af9570b3cc63ece5abNeil Maddenimport org.opends.server.protocols.internal.SearchRequest;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport org.opends.server.protocols.ldap.LDAPAttribute;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport org.opends.server.types.DirectoryException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport org.opends.server.types.SearchResultEntry;
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Maddenimport com.sun.identity.security.AdminTokenAction;
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Maddenimport com.sun.identity.shared.locale.AMResourceBundleCache;
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Maddenimport com.sun.identity.sm.SMSNotificationManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This object represents an LDAP entry in the directory server. The UMS have an
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * equivalent class called PersistentObject. The SMS could not integrate with
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * PersistentObject, because of the its dependecy on the Session object. This
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * would mean that, to instantiate an PersistentObject inside SMS, we need to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * create an UMS instance, which would be having directory parameters of SMS.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This class is used both to read and write information into the directory
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * server. The appropriate constructors discusses it is done.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * There can be only three types of SMS entries in the directory (i) entry with
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organizationUnit object class (attribute: ou) (ii) entry with sunService
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * object class (attributes: ou, labeledURI, sunServiceSchema, sunPluginSchema,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * and sunKeyValue (sunXMLKeyValue, in the future) (iii) entry with
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * sunServiceComponent object class (attributes: ou, sunServiceID,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * sunSMSPriority, sunKeyValue. All the schema, configuration and plugin entries
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * will be stored using the above entries.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic class SMSEmbeddedLdapObject extends SMSObjectDB
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major static Set<String> entriesPresent = Collections.synchronizedSet(new LinkedHashSet<String>());
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major static Set<String> entriesNotPresent = Collections.synchronizedSet(new LinkedHashSet<String>());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Other parameters
6a9f31289c0fb913776bb573106ed6332365bc1cTony Bamford static final String SMS_EMBEDDED_LDAP_OBJECT_SEARCH_LIMIT =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "com.sun.identity.sm.sms_embedded_ldap_object_search_limit";
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com private ConfigAuditorFactory auditorFactory;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Public constructor for SMSEmbeddedLdapObject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public SMSEmbeddedLdapObject() throws SMSException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Initialized (should be called only once by SMSEntry)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Synchronized initialized method
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private synchronized void initialize() throws SMSException {
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com auditorFactory = InjectorHolder.getInstance(ConfigAuditorFactory.class);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Obtain the I18N resource bundle & Debug
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug = Debug.getInstance("amSMSEmbeddedLdap");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMResourceBundleCache amCache = AMResourceBundleCache.getInstance();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster bundle = amCache.getResBundle(IUMSConstants.UMS_BUNDLE_NAME,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster icConn = InternalClientConnection.getRootConnection();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String serviceDN = SMSEntry.SERVICES_RDN + SMSEntry.COMMA +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attrs.put(SMSEntry.ATTR_OBJECTCLASS, attrValues);
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com internalCreate(null, serviceDN, attrs);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Unable to initialize (trouble!!)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("SMSEmbeddedLdapObject.initialize: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "Unable to initalize(exception):", e);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(IUMSConstants.UMS_BUNDLE_NAME,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster smsAttributes = new LinkedHashSet(smsAttrs.length);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // If cache is enabled, register for notification to maintian
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // internal cache of entriesPresent
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Reads in the object from persistent store, assuming that the guid and the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * SSOToken are valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Map read(SSOToken token, String dn) throws SMSException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // This must not be possible return an exception.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("SMSEmbeddedLdapObject.read: Null or Empty DN=" + dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new SMSException("", "sms-NO_SUCH_OBJECT");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("SMSEmbeddedLdapObject: Invalid DN=" + dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new SMSException(IUMSConstants.UMS_BUNDLE_NAME,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if entry does not exist
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com debug.message("SMSEmbeddedLdapObject:read Entry not present: " +
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden SearchRequest request = Requests.newSearchRequest(DN.valueOf(dn), SearchScope.BASE_OBJECT,
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden SearchFilter.objectClassPresent(), smsAttributes.toArray(new String[smsAttributes.size()]));
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden InternalSearchOperation iso = icConn.processSearch(request);
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden LinkedList searchResult = iso.getSearchEntries();
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden } else if (resultCode == ResultCode.NO_SUCH_OBJECT) {
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden // Add to not present Set
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden throw new SMSException("", "sms-entry-cannot-access");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Create an entry in the directory
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void create(SSOToken token, String dn, Map attrs)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Update entryPresent cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Create an entry in the directory using the principal name
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com private void internalCreate(SSOToken token, String dn, Map attrs)
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com SMSAuditor auditor = newAuditor(token, dn, null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AddOperation ao = icConn.processAdd(dn, attrList);
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com "SMSEmbeddedLdapObject.create: Successfully created" +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (resultCode == ResultCode.ENTRY_ALREADY_EXISTS) {
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com // During install time and other times,
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com // this error gets throws due to unknown issue. Issue:
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com // Hence mask it.
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com debug.warning("SMSEmbeddedLdapObject.create: Entry " +
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com "Already Exists Error for DN" + dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("SMSEmbeddedLdapObject.create: Error creating entry: "+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new SMSException("", "sms-entry-cannot-create");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Save the entry using the token provided. The principal provided will be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * used to get the proxy connection.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void modify(SSOToken token, String dn, ModificationItem mods[])
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com SMSAuditor auditor = newAuditor(token, dn, readCurrentState(dn));
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden ModifyRequest request = org.forgerock.opendj.ldap.requests.Requests.newModifyRequest(dn);
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden ModifyOperation mo = icConn.processModify(request);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.modify: Successfully " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("SMSEmbeddedLdapObject.modify: Error modifying entry "+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster dn + " by Principal: " + token.getPrincipal().getName() +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new SMSException("", "sms-entry-cannot-modify");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Delete the entry in the directory. This will delete sub-entries also!
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void delete(SSOToken token, String dn) throws SMSException,
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com SMSAuditor auditor = newAuditor(token, dn, readCurrentState(dn));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if there are sub-entries, delete if present
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator se = subEntries(token, dn, "*", 0, false, false).iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject: deleting sub-entry: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster delete(token, getNamingAttribute() + "=" + entry + "," + dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if there are suborganizations, delete if present
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // The recursive 'false' here has the scope SCOPE_ONE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // while searching for the suborgs.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Loop through the suborg at the first level and if there
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // is no next suborg, delete that.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set subOrgNames = searchSubOrgNames(token, dn, "*", 0, false, false,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator so = subOrgNames.iterator(); so.hasNext(); ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject: deleting " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DeleteOperation dop = icConn.processDelete(dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("SMSEmbeddedLdapObject.delete: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException("", "sms-entry-cannot-delete"));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the sub-entry names. Returns a set of RDNs that are sub-entries.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The paramter <code>numOfEntries</code> identifies the number of entries
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to return, if <code>0</code> returns all the entries.
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington public Set<String> subEntries(SSOToken token, String dn, String filter,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster int numOfEntries, boolean sortResults, boolean ascendingOrder)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject: SubEntries search: " + dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct the filter
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // This is a workaround for Issue 3823, where DS returns an
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // empty set if restarted during OpenSSO operation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sfilter = MessageFormat.format(getSearchFilter(),(Object[])objs);
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington return getSubEntries(token, dn, sfilter, numOfEntries, sortResults, ascendingOrder);
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington private Set<String> getSubEntries(SSOToken token, String dn, String filter,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster int numOfEntries, boolean sortResults, boolean ascendingOrder)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // sorting is not implemented
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the sub entries
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden SearchRequest request = Requests.newSearchRequest(DN.valueOf(dn), SearchScope.SINGLE_LEVEL,
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden SearchFilter.createFilterFromString(filter), orgUnitAttr.toArray(new String[orgUnitAttr.size()]));
ce4d3fddc8fe2eddd68a20af9570b3cc63ece5abNeil Madden InternalSearchOperation iso = icConn.processSearch(request);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.getSubEntries(): " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (resultCode == ResultCode.SIZE_LIMIT_EXCEEDED) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.getSubEntries: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "size limit " + numOfEntries + " exceeded for " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("SMSEmbeddedLdapObject.getSubEntries: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "Unable to search for " + "sub-entries: " + dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new SMSException("", "sms-entry-cannot-search");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct the results and return
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington Set<String> answer = new LinkedHashSet<>();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster LinkedList searchResult = iso.getSearchEntries();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for(Iterator iter = searchResult.iterator(); iter.hasNext(); ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SearchResultEntry entry = (SearchResultEntry)iter.next();
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden String rdn = entry.getName().rdn().getFirstAVA().getAttributeValue().toString();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.getSubEntries: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "Successfully obtained sub-entries for : " + dn);
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden } catch (DirectoryException | IllegalArgumentException dex) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("SMSEmbeddedLdapObject.getSubEntries: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "Unable to search for " + "sub-entries: " + dn, dex);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new SMSException(dex, "sms-entry-cannot-search");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the sub-entry names. Returns a set of RDNs that are sub-entries.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The paramter <code>numOfEntries</code> identifies the number of entries
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to return, if <code>0</code> returns all the entries.
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington public Set<String> schemaSubEntries(SSOToken token, String dn, String filter,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String sidFilter, int numOfEntries, boolean sortResults,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean ascendingOrder) throws SMSException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject: schemaSubEntries search: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct the filter
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com getServiceIdSearchFilter(), (Object[]) objs);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set answer = getSubEntries(token, dn, sfilter, numOfEntries,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return ("SMSEmbeddedLdapObject");
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington public Iterator<SMSDataEntry> search(SSOToken token, String startDN, String filter,
6a9f31289c0fb913776bb573106ed6332365bc1cTony Bamford int numOfEntries, int timeLimit, boolean sortResults,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster InternalSearchOperation iso = searchObjects(startDN, filter,
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com SearchScope.WHOLE_SUBTREE, numOfEntries, sortResults,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (resultCode == ResultCode.SIZE_LIMIT_EXCEEDED) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.search:" +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster " size limit exceeded. numOfEntries = " + numOfEntries);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("SMSEmbeddedLdapObject.searchEx: Unable to " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "search. startDN = " + startDN + ", filter = " +
6a9f31289c0fb913776bb573106ed6332365bc1cTony Bamford throw new SMSException("", "sms-error-in-searching");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster LinkedList searchResult = iso.getSearchEntries();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return new EmbeddedSearchResultIterator(searchResult, excludes);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns LDAP entries that match the filter, using the start DN provided
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington public Set<String> search(SSOToken token, String startDN, String filter,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster int numOfEntries, int timeLimit, boolean sortResults,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean ascendingOrder) throws SSOException, SMSException {
6a9f31289c0fb913776bb573106ed6332365bc1cTony Bamford debug.message("SMSEmbeddedLdapObject.search: startDN = " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster InternalSearchOperation iso = searchObjects(startDN, filter,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SearchScope.WHOLE_SUBTREE, numOfEntries, sortResults,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (resultCode == ResultCode.SIZE_LIMIT_EXCEEDED) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.search:" +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster " size limit exceeded. numOfEntries = " + numOfEntries);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("SMSEmbeddedLdapObject.search: Unable to " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "search. startDN = " + startDN + ", filter = " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new SMSException("", "sms-error-in-searching");
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington Set<String> answer = new LinkedHashSet<>();
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington for (SearchResultEntry entry : iso.getSearchEntries()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.search: returned " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "successfully: " + filter + "\n\tObjects: " + answer);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private InternalSearchOperation searchObjects(String startDN,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String filter, SearchScope scope, int numOfEntries,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // sorting is not implemented
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the sub entries
ce4d3fddc8fe2eddd68a20af9570b3cc63ece5abNeil Madden SearchRequest request = Requests.newSearchRequest(startDN, scope, filter);
ce4d3fddc8fe2eddd68a20af9570b3cc63ece5abNeil Madden InternalSearchOperation iso = icConn.processSearch(request);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("SMSEmbeddedLdapObject.searchObjects: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "Unable to " + "search. startDN = " + startDN +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new SMSException(dex, "sms-error-in-searching");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks if the provided DN exists. Used by PolicyManager.
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major * @param token Admin token.
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major * @param dn The DN to check.
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major * @return <code>true</code> if the entry exists, <code>false</code> otherwise.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public boolean entryExists(SSOToken token, String dn) {
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major debug.message("SMSEmbeddedLdapObject.entryExists: checking if entry exists: " + dn);
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington dn = DN.valueOf(dn).toString().toLowerCase();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check the caches
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major debug.message("SMSEmbeddedLdapObject.entryExists: entry present in cache: " + dn);
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major return true;
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major debug.message("SMSEmbeddedLdapObject.entryExists: entry present in not-present-cache: " + dn);
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major return false;
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major // Check if entry exists
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major // Update the cache
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major Set<String> cacheToUpdate = entryExists ? entriesPresent : entriesNotPresent;
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major if (cacheToUpdate.size() > entriesPresentCacheSize) {
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major synchronized (cacheToUpdate) {
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major cacheToUpdate.remove(cacheToUpdate.iterator().next());
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Checks if the provided DN exists.
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major private static boolean entryExists(String dn) throws SMSException {
ce4d3fddc8fe2eddd68a20af9570b3cc63ece5abNeil Madden SearchRequest request = Requests.newSearchRequest(dn, SearchScope.BASE_OBJECT, "(objectclass=*)");
ce4d3fddc8fe2eddd68a20af9570b3cc63ece5abNeil Madden InternalSearchOperation iso = icConn.processSearch(request);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return true;
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major } else if (resultCode == ResultCode.NO_SUCH_OBJECT
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major || resultCode == ResultCode.CLIENT_SIDE_NO_RESULTS_RETURNED) {
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major debug.warning("SMSEmbeddedLdapObject:entryExists: " + dn + " does not exist. resultCode = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major throw new SMSException("Failed to find entry with DN: " + dn + " LDAP error result: " + resultCode,
7b07aea90aa914516cc214e14bf19ed60a1a6c76Peter Major throw new SMSException("Failed to find entry with DN: " + dn, dex,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Registration of Notification Callbacks
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void registerCallbackHandler(SMSObjectListener changeListener)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster LDAPEventManager.addObjectChangeListener(changeListener);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void deregisterCallbackHandler(String id) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Method to convert Map to LDAPAttributeSet
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static List copyMapToAttrList(Map attrs) {
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington List<LDAPAttribute> attrList = new ArrayList<>(attrs.size());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for(Iterator iter = attrs.keySet().iterator(); iter.hasNext(); ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attrList.add(new LDAPAttribute(attrName, valueList));
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden // Method to covert JNDI ModificationItems to LDAP ModifyRequest
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden private static void copyModItemsToLDAPModifyRequest(ModificationItem mods[], ModifyRequest modifyRequest)
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden List<String> values = Collections.list((Enumeration<String>) dAttr.getAll());
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden modifyRequest.addModification(modType, attrName, values.toArray());
da6568101c99a4ec99c3b63f37fe358e07eee51eNeil Madden throw new SMSException(nne, "sms-cannot-copy-fromModItemToModSet");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void objectChanged(String dn, int type) {
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington dn = DN.valueOf(dn).toString().toLowerCase();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Remove from entriesPresent Set
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Remove from entriesNotPresent set
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Not clear why this class is implemeting the SMSObjectListener
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // interface.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SMSEntry.debug.warning("SMSEmbeddedLDAPObject.allObjectsChanged:" +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster " got notifications, all objects changed");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the suborganization names. Returns a set of RDNs that are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * suborganization name. The paramter <code>numOfEntries</code> identifies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the number of entries to return, if <code>0</code> returns all the
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington public Set<String> searchSubOrgNames(SSOToken token, String dn, String filter,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster int numOfEntries, boolean sortResults, boolean ascendingOrder,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean recursive) throws SMSException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.searchSubOrgNames: search: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Instead of constructing the filter in the framework(SMSEntry.java),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Construct the filter here in SMSEmbeddedLdapObject or the plugin
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * implementation to support JDBC or other data store.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String FILTER_PATTERN_ORG = "(&(objectclass=" +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SMSEntry.OC_REALM_SERVICE + ")(" + SMSEntry.ORGANIZATION_RDN +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String sfilter = MessageFormat.format(FILTER_PATTERN_ORG,
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington return searchSubOrganizationNames(dn, sfilter, numOfEntries,
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington private Set<String> searchSubOrganizationNames(String dn, String filter,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster int numOfEntries, boolean sortResults, boolean ascendingOrder,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean recursive) throws SMSException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SearchScope scope = (recursive) ? SearchScope.WHOLE_SUBTREE :
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster InternalSearchOperation iso = searchObjects(dn, filter,
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com scope, numOfEntries, sortResults, ascendingOrder);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "searchSubOrganizationNames: suborg not present:" + dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (resultCode == ResultCode.SIZE_LIMIT_EXCEEDED) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "searchSubOrganizationNames: size limit exceeded. " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "numOfEntries = " + numOfEntries + ", dn = " + dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "searchSubOrganizationNames: Unable to search. dn = "+
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster dn + ", filter = " + filter + ", resultCode = " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new SMSException("", "sms-suborg-cannot-search");
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington Set<String> answer = new LinkedHashSet<>();
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington for (SearchResultEntry entry : iso.getSearchEntries()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.searchSubOrganizationName: " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "Successfully obtained suborganization names for : " + dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.searchSubOrganizationName: " +
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com "Successfully obtained suborganization names : " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the organization names. Returns a set of RDNs that are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization name. The paramter <code>numOfEntries</code> identifies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the number of entries to return, if <code>0</code> returns all the
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington public Set<String> searchOrganizationNames(SSOToken token, String dn,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster int numOfEntries, boolean sortResults, boolean ascendingOrder,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String serviceName, String attrName, Set values)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.searchOrganizationNames" +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Instead of constructing the filter in the framework(SMSEntry.java),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Construct the filter here in SMSEmbeddedLdapObject or the plugin
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * implementation to support JDBC or other data store. To return
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization names that match the given attribute name and values,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * only exact matching is supported, and if more than one value is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * provided the organization must have all these values for the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * attribute. Basically an AND is performed for attribute values for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * searching. The attributes can be under the service config as well
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * under the Realm/Organization directly. For eg.,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (|(&(objectclass=sunRealmService)(&
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (|(sunxmlkeyvalue=SERVICE_NAME-ATTR_NAME=VALUE1)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (sunxmlkeyvalue=ATTR_NAME=VALUE1))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (|(sunxmlkeyvalue=SERVICE_NAME-ATTR_NAME=VALUE2)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (sunxmlkeyvalue=ATTR_NAME=VALUE2))(...))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (&(objectclass=sunServiceComponent)(&
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (|(sunxmlkeyvalue=SERVICE_NAME-ATTR_NAME=VALUE1)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (sunxmlkeyvalue=ATTR_NAME=VALUE1))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (|(sunxmlkeyvalue=SERVICE_NAME-ATTR_NAME=VALUE2)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (sunxmlkeyvalue=ATTR_NAME=VALUE2))(...))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sb.append("(|(").append(SMSEntry.ATTR_XML_KEYVAL).append("=")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(serviceName).append("-").append(attrName).append(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sb.append("(").append(SMSEntry.ATTR_XML_KEYVAL).append("=").append(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attrName).append("=").append(val).append("))");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String dataStore = SMSEntry.getDataStore(token);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Include the OCs only for sunDS, not Active Directory.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //String FILTER_PATTERN_SEARCH_ORG = "(|(&(objectclass="
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster FILTER_PATTERN_SEARCH_ORG = "(|(&(objectclass="
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + SMSEntry.OC_REALM_SERVICE + "){0})" + "(&(objectclass="
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com FILTER_PATTERN_SEARCH_ORG, (Object[]) objs);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("SMSEmbeddedLdapObject.searchOrganizationNames: " +
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington return searchSubOrganizationNames(dn, sfilter, numOfEntries,
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com sortResults, ascendingOrder, true);
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com private SMSAuditor newAuditor(SSOToken token, String dn, Map initialState) {
cebf7af1a98a560b542e390649a7371d6ee1762aJames Phillpotts if (!AMSetupServlet.isCurrentConfigurationValid()) {
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com String realm = SMSAuditor.getRealmFromDN(dn);
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com return auditorFactory.create(token, realm, objectId, initialState);
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com * Read the specified value using an admin token
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com * @param dn The distinguished name
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com * @return The map if the read was successful, null otherwise
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com private Map readCurrentState(String dn) {
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com return read(AccessController.doPrivileged(AdminTokenAction.getInstance()), dn);