View Javadoc
1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License.
18   *
19   */
20  package org.apache.directory.server.ldap.handlers.sasl.gssapi;
21  
22  
23  import javax.naming.Context;
24  import javax.security.auth.kerberos.KerberosPrincipal;
25  import javax.security.sasl.AuthorizeCallback;
26  
27  import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
28  import org.apache.directory.api.ldap.model.entry.Attribute;
29  import org.apache.directory.api.ldap.model.message.BindRequest;
30  import org.apache.directory.api.ldap.model.name.Dn;
31  import org.apache.directory.api.util.Strings;
32  import org.apache.directory.server.core.api.CoreSession;
33  import org.apache.directory.server.core.api.LdapPrincipal;
34  import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
35  import org.apache.directory.server.protocol.shared.kerberos.GetPrincipal;
36  import org.apache.directory.server.ldap.LdapSession;
37  import org.apache.directory.server.ldap.handlers.sasl.AbstractSaslCallbackHandler;
38  import org.apache.directory.server.ldap.handlers.sasl.SaslConstants;
39  import org.slf4j.Logger;
40  import org.slf4j.LoggerFactory;
41  
42  
43  /**
44   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
45   */
46  public class GssapiCallbackHandler extends AbstractSaslCallbackHandler
47  {
48      private static final Logger LOG = LoggerFactory.getLogger( GssapiCallbackHandler.class );
49  
50  
51      /**
52       * Creates a new instance of GssapiCallbackHandler.
53       *
54       * @param ldapSession the mina IO session
55       * @param adminSession the admin session
56       * @param bindRequest the bind message
57       */
58      public GssapiCallbackHandler( LdapSession ldapSession, CoreSession adminSession, BindRequest bindRequest )
59      {
60          super( adminSession.getDirectoryService(), bindRequest );
61          this.ldapSession = ldapSession;
62          this.adminSession = adminSession;
63      }
64  
65  
66      protected Attribute lookupPassword( String username, String password )
67      {
68          // do nothing, password not used by GSSAPI
69          return null;
70      }
71  
72  
73      protected void authorize( AuthorizeCallback authorizeCB ) throws Exception
74      {
75          LOG.debug( "Processing conversion of principal name to Dn." );
76  
77          String username = authorizeCB.getAuthorizationID();
78  
79          // find the user's entry
80          GetPrincipalprotocol/shared/kerberos/GetPrincipal.html#GetPrincipal">GetPrincipal getPrincipal = new GetPrincipal( new KerberosPrincipal( username ) );
81          PrincipalStoreEntry./../../../org/apache/directory/server/kerberos/shared/store/PrincipalStoreEntry.html#PrincipalStoreEntry">PrincipalStoreEntry entry = ( PrincipalStoreEntry ) getPrincipal.execute( adminSession, new Dn( ldapSession
82              .getLdapServer().getSearchBaseDn() ) );
83          String bindDn = entry.getDistinguishedName();
84  
85          LOG.debug( "Converted username {} to Dn {}.", username, bindDn );
86  
87          LdapPrincipalre/api/LdapPrincipal.html#LdapPrincipal">LdapPrincipal ldapPrincipal = new LdapPrincipal( adminSession.getDirectoryService().getSchemaManager(),
88              new Dn( entry.getDistinguishedName() ),
89              AuthenticationLevel.STRONG, Strings.EMPTY_BYTES );
90          ldapSession.putSaslProperty( SaslConstants.SASL_AUTHENT_USER, ldapPrincipal );
91          ldapSession.putSaslProperty( Context.SECURITY_PRINCIPAL, bindDn );
92  
93          authorizeCB.setAuthorizedID( bindDn );
94          authorizeCB.setAuthorized( true );
95      }
96  }