20 package org.apache.directory.server.kerberos.kdc;
23 import javax.security.auth.kerberos.KerberosPrincipal;
25 import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
26 import org.apache.directory.api.ldap.model.constants.SchemaConstants;
27 import org.apache.directory.api.ldap.model.entry.Attribute;
28 import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
29 import org.apache.directory.api.ldap.model.entry.DefaultModification;
30 import org.apache.directory.api.ldap.model.entry.Entry;
31 import org.apache.directory.api.ldap.model.entry.Modification;
32 import org.apache.directory.api.ldap.model.entry.ModificationOperation;
33 import org.apache.directory.api.ldap.model.exception.LdapException;
34 import org.apache.directory.api.ldap.model.name.Dn;
35 import org.apache.directory.api.ldap.model.schema.SchemaManager;
36 import org.apache.directory.api.util.Strings;
37 import org.apache.directory.server.constants.ServerDNConstants;
38 import org.apache.directory.server.core.api.CoreSession;
39 import org.apache.directory.server.core.api.DirectoryService;
40 import org.apache.directory.server.core.api.LdapPrincipal;
41 import org.apache.directory.server.core.shared.DefaultCoreSession;
42 import org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswdErrorType;
43 import org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswordException;
44 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
45 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
46 import org.apache.directory.server.protocol.shared.kerberos.GetPrincipal;
47 import org.apache.directory.server.protocol.shared.kerberos.StoreUtils;
48 import org.apache.directory.shared.kerberos.KerberosAttribute;
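/**
 * A {@link PrincipalStore} backed by the embedded {@link DirectoryService}.
 *
 * Principal entries are located below {@code searchBaseDn} through {@link StoreUtils};
 * reads use the directory's admin session, and password changes are performed by
 * {@link #changePassword} after the requester has been authorized.
 *
 * Thread-safety is not addressed here: the fields are set once in the constructor and
 * only read afterwards.
 */
public class DirectoryPrincipalStore implements PrincipalStore
{
    /** Directory this store reads from and writes to. */
    private final DirectoryService directoryService;

    /** Subtree below which principal entries are searched. */
    private final Dn searchBaseDn;

    /** Privileged session captured from the directory at construction time. */
    private final CoreSession adminSession;


    /**
     * Creates a store bound to a directory and a search base.
     *
     * @param directoryService the directory to operate on; its admin session is captured here
     * @param searchBaseDn the subtree below which principal entries are looked up
     */
    public DirectoryPrincipalStore( DirectoryService directoryService, Dn searchBaseDn )
    {
        this.directoryService = directoryService;
        this.adminSession = directoryService.getAdminSession();
        this.searchBaseDn = searchBaseDn;
    }


    /**
     * Changes the password of {@code forPrincipal} on behalf of {@code byPrincipal}.
     *
     * The requester is resolved with the admin session; a requester other than the
     * directory admin must have presented an initial ticket. The target entry is then
     * looked up with a session bound to the requester, and the {@code userPassword} and
     * {@code krb5PrincipalName} attributes of the target are replaced in one modification.
     *
     * @param byPrincipal the principal asking for the change
     * @param forPrincipal the principal whose password is changed
     * @param newPassword the new password, stored as UTF-8 bytes
     * @param isInitialTicket whether the requester authenticated with an initial ticket
     * @throws ChangePasswordException with {@code KRB5_KPASSWD_HARDERROR} when either principal
     *         cannot be found or an unexpected error occurs, {@code KRB5_KPASSWD_INITIAL_FLAG_NEEDED}
     *         when a non-admin requester did not present an initial ticket, and
     *         {@code KRB5_KPASSWD_ACCESSDENIED} when the directory rejects the lookup or the
     *         modification with an {@link LdapException}
     */
    public void changePassword( KerberosPrincipal byPrincipal, KerberosPrincipal forPrincipal, String newPassword,
        boolean isInitialTicket ) throws ChangePasswordException
    {
        try
        {
            // The requester is resolved with the admin session: this is only a lookup, the
            // authorization decision is taken below.
            Entry byPrincipalEntry = StoreUtils.findPrincipalEntry( adminSession, searchBaseDn, byPrincipal.getName() );

            if ( byPrincipalEntry == null )
            {
                throw new ChangePasswordException( ChangePasswdErrorType.KRB5_KPASSWD_HARDERROR,
                    Strings.getBytesUtf8( ( "No such principal " + byPrincipal ) ) );
            }

            SchemaManager schemaManager = directoryService.getSchemaManager();

            // NOTE(review): relies on Dn.equals( String ) matching the normalized admin DN — confirm
            // against the LDAP API version in use.
            boolean isAdmin = byPrincipalEntry.getDn()
                .equals( ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED );

            // Anyone but the admin must have proven a fresh authentication before changing a password.
            if ( !isInitialTicket && !isAdmin )
            {
                throw new ChangePasswordException( ChangePasswdErrorType.KRB5_KPASSWD_INITIAL_FLAG_NEEDED );
            }

            CoreSession bySession = sessionFor( byPrincipalEntry, isAdmin, schemaManager );

            Attribute newPasswordAttribute = new DefaultAttribute(
                schemaManager.lookupAttributeTypeRegistry( SchemaConstants.USER_PASSWORD_AT ),
                Strings.getBytesUtf8( newPassword ) );
            Modification passwordMod = new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
                newPasswordAttribute );

            // The principal name is re-applied alongside the password; presumably so that both values
            // are visible to the same modification downstream — confirm against the interceptor chain.
            Attribute principalAttribute = new DefaultAttribute(
                schemaManager.lookupAttributeTypeRegistry( KerberosAttribute.KRB5_PRINCIPAL_NAME_AT ),
                forPrincipal.getName() );
            Modification principalMod = new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
                principalAttribute );

            // Looked up with the requester's session, so a target the requester may not see is
            // reported as absent instead of being modified.
            Entry forPrincipalEntry = StoreUtils.findPrincipalEntry( bySession, searchBaseDn, forPrincipal.getName() );

            if ( forPrincipalEntry == null )
            {
                // Check explicitly rather than letting a NullPointerException on getDn() be rewrapped
                // as a generic error by the catch-all below.
                throw new ChangePasswordException( ChangePasswdErrorType.KRB5_KPASSWD_HARDERROR,
                    Strings.getBytesUtf8( ( "No such principal " + forPrincipal ) ) );
            }

            // NOTE(review): the write is performed with the admin session, not with bySession, so the
            // requester's own authorization is only consulted for the lookup above. Confirm this is
            // intended before relying on directory access control to limit who may change whose password.
            adminSession.modify( forPrincipalEntry.getDn(), passwordMod, principalMod );
        }
        catch ( ChangePasswordException e )
        {
            // Keep the specific error type: the catch-all below would otherwise rewrap
            // INITIAL_FLAG_NEEDED and the "no such principal" errors as HARDERROR.
            throw e;
        }
        catch ( LdapException e )
        {
            throw new ChangePasswordException( ChangePasswdErrorType.KRB5_KPASSWD_ACCESSDENIED, e );
        }
        catch ( Exception e )
        {
            throw new ChangePasswordException( ChangePasswdErrorType.KRB5_KPASSWD_HARDERROR, e );
        }
    }


    /**
     * Picks the session the target lookup runs under: the admin session for the admin,
     * otherwise a new session bound to the requester's entry with simple authentication level.
     *
     * @param byPrincipalEntry the requester's directory entry
     * @param isAdmin whether the requester is the directory admin
     * @param schemaManager schema manager used to build the requester's {@link LdapPrincipal}
     * @return the session to use for the target lookup
     */
    private CoreSession sessionFor( Entry byPrincipalEntry, boolean isAdmin, SchemaManager schemaManager )
    {
        if ( isAdmin )
        {
            return adminSession;
        }

        LdapPrincipal byLdapPrincipal = new LdapPrincipal( schemaManager, byPrincipalEntry.getDn(),
            AuthenticationLevel.SIMPLE );

        return new DefaultCoreSession( byLdapPrincipal, directoryService );
    }


    /**
     * Looks up a principal with the admin session.
     *
     * @param principal the principal to find
     * @return the store entry produced by {@link GetPrincipal}, cast to {@link PrincipalStoreEntry}
     * @throws Exception whatever {@link GetPrincipal#execute} propagates
     */
    public PrincipalStoreEntry getPrincipal( KerberosPrincipal principal ) throws Exception
    {
        return ( PrincipalStoreEntry ) new GetPrincipal( principal ).execute( adminSession, searchBaseDn );
    }
}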