public BooleanResult AuthorizeUser(SessionProperties properties) { m_logger.Debug("LDAP Plugin Authorization"); bool requireAuth = Settings.Store.AuthzRequireAuth; // Get the authz rules from registry List <GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules(); if (rules.Count == 0) { throw new Exception("No authorizaition rules found."); } // Get the LDAP server object LdapServer serv = properties.GetTrackedSingle <LdapServer>(); // If LDAP server object is not found, then something went wrong in authentication. // We allow or deny based on setting if (serv == null) { m_logger.ErrorFormat("AuthorizeUser: Internal error, LdapServer object not available."); // LdapServer is not available, allow or deny based on settings. return(new BooleanResult() { Success = Settings.Store.AuthzAllowOnError, Message = "LDAP server unavailable." }); } // If we require authentication, and we failed to auth this user, then we // fail authorization. Note that we do this AFTER checking the LDAP server object // because we may want to succeed if the authentication failed due to server // being unavailable. if (requireAuth) { PluginActivityInformation actInfo = properties.GetTrackedSingle <PluginActivityInformation>(); try { BooleanResult ldapResult = actInfo.GetAuthenticationResult(this.Uuid); if (!ldapResult.Success) { m_logger.InfoFormat("Deny because LDAP auth failed, and configured to require LDAP auth."); return(new BooleanResult() { Success = false, Message = "Deny because LDAP authentication failed." }); } } catch (KeyNotFoundException) { // The plugin is not enabled for authentication m_logger.ErrorFormat("LDAP is not enabled for authentication, and authz is configured to require authentication."); return(new BooleanResult { Success = false, Message = "Deny because LDAP auth did not execute, and configured to require LDAP auth." }); } } // Apply the authorization rules try { UserInformation userInfo = properties.GetTrackedSingle <UserInformation>(); string user = userInfo.Username; // Bind for searching if we have rules to process. If there's only one, it's the // default rule which doesn't require searching the LDAP tree. if (rules.Count > 1) { serv.BindForSearch(); } foreach (GroupAuthzRule rule in rules) { bool inGroup = false; // Don't need to check membership if the condition is "always." This is the // case for the default rule only. which is the last rule in the list. if (rule.RuleCondition != GroupRule.Condition.ALWAYS) { inGroup = serv.MemberOfGroup(user, rule.Group); m_logger.DebugFormat("User {0} {1} member of group {2}", user, inGroup ? "is" : "is not", rule.Group); } if (rule.RuleMatch(inGroup)) { if (rule.AllowOnMatch) { return new BooleanResult() { Success = true, Message = string.Format("Allow via rule: \"{0}\"", rule.ToString()) } } ; else { return new BooleanResult() { Success = false, Message = string.Format("Deny via rule: \"{0}\"", rule.ToString()) } }; } } // We should never get this far because the last rule in the list should always be a match, // but if for some reason we do, return success. return(new BooleanResult() { Success = true, Message = "" }); } catch (Exception e) { if (e is LdapException) { LdapException ldapEx = (e as LdapException); if (ldapEx.ErrorCode == 81) { // Server can't be contacted, set server object to null m_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message); serv.Close(); properties.AddTrackedSingle <LdapServer>(null); return(new BooleanResult { Success = Settings.Store.AuthzAllowOnError, Message = "Failed to contact LDAP server." }); } else if (ldapEx.ErrorCode == 49) { // This is invalid credentials, return false, but server object should remain connected m_logger.ErrorFormat("LDAP bind failed: invalid credentials."); return(new BooleanResult { Success = false, Message = "Authorization via LDAP failed. Invalid credentials." }); } } // Unexpected error, let the PluginDriver catch m_logger.ErrorFormat("Error during authorization: {0}", e); throw; } }
private void LoadSettings() { string[] ldapHosts = Settings.Store.LdapHost; string hosts = ""; for (int i = 0; i < ldapHosts.Count(); i++) { string host = ldapHosts[i]; if (i < ldapHosts.Count() - 1) { hosts += host + " "; } else { hosts += host; } } ldapHostTextBox.Text = hosts; int port = Settings.Store.LdapPort; ldapPortTextBox.Text = Convert.ToString(port); int timeout = Settings.Store.LdapTimeout; timeoutTextBox.Text = Convert.ToString(timeout); bool useSsl = Settings.Store.UseSsl; useSslCheckBox.CheckState = useSsl ? CheckState.Checked : CheckState.Unchecked; bool useTls = Settings.Store.UseTls; useTlsCheckBox.CheckState = useTls ? CheckState.Checked : CheckState.Unchecked; bool reqCert = Settings.Store.RequireCert; validateServerCertCheckBox.CheckState = reqCert ? CheckState.Checked : CheckState.Unchecked; string serverCertFile = Settings.Store.ServerCertFile; sslCertFileTextBox.Text = serverCertFile; string searchDn = Settings.Store.SearchDN; searchDnTextBox.Text = searchDn; string searchPw = Settings.Store.GetEncryptedSetting("SearchPW"); searchPassTextBox.Text = searchPw; // Authentication tab bool allowEmpty = Settings.Store.AllowEmptyPasswords; this.allowEmptyPwCB.Checked = allowEmpty; string dnPattern = Settings.Store.DnPattern; dnPatternTextBox.Text = dnPattern; bool doSearch = Settings.Store.DoSearch; searchForDnCheckBox.CheckState = doSearch ? CheckState.Checked : CheckState.Unchecked; string filter = Settings.Store.SearchFilter; searchFilterTextBox.Text = filter; bool useAuth = Settings.Store.UseAuthBindForAuthzAndGateway; useAuthBindForAuthzAndGatewayCb.Checked = useAuth; string[] searchContexts = Settings.Store.SearchContexts; string ctxs = ""; for (int i = 0; i < searchContexts.Count(); i++) { string ctx = searchContexts[i]; if (i < searchContexts.Count() - 1) { ctxs += ctx + "\r\n"; } else { ctxs += ctx; } } searchContextsTextBox.Text = ctxs; // AttribConverter Grid string[] AttribConv = Settings.Store.AttribConv; Column1.DataSource = AttribConvert.Attribs.ToArray(); dataGridView1.ColumnCount = 2; for (int x = 0; x < AttribConv.Count(); x++) { string[] split = AttribConv[x].Split('\t'); if (split.Count() == 2) { split[0] = split[0].Trim(); split[1] = split[1].Trim(); if (!String.IsNullOrEmpty(split[0]) && !String.IsNullOrEmpty(split[1])) { if (AttribConvert.Attribs.Contains(split[0])) //if (Array.Exists(WinValues(), element => element == split[0])) { int index = AttribConvert.Attribs.IndexOf(split[0]); //int index = Array.FindIndex(WinValues(), item => item == split[0]); DataGridViewRow row = new DataGridViewRow(); DataGridViewComboBoxCell CellSample = new DataGridViewComboBoxCell(); CellSample.DataSource = AttribConvert.Attribs.ToArray(); // list of the string items that I want to insert in ComboBox. CellSample.Value = AttribConvert.Attribs[index]; // default value for the ComboBox row.Cells.Add(CellSample); row.Cells.Add(new DataGridViewTextBoxCell() { Value = split[1] }); dataGridView1.Rows.Add(row); } } } } /////////////// Authorization tab ///////////////// this.authzRuleMemberComboBox.SelectedIndex = 0; this.authzRuleActionComboBox.SelectedIndex = 0; this.authzRuleScope.SelectedIndex = 0; this.authzDefaultAllowRB.Checked = Settings.Store.AuthzDefault; this.authzDefaultDenyRB.Checked = !(bool)Settings.Store.AuthzDefault; this.authzRequireAuthCB.Checked = Settings.Store.AuthzRequireAuth; this.authzAllowOnErrorCB.Checked = Settings.Store.AuthzAllowOnError; List <GroupAuthzRule> lst = GroupRuleLoader.GetAuthzRules(); foreach (GroupAuthzRule rule in lst) { this.authzRulesListBox.Items.Add(rule); } ///////////////// Gateway tab ///////////////// this.gatewayRuleGroupMemberCB.SelectedIndex = 0; this.gatewayRuleScope.SelectedIndex = 0; List <GroupGatewayRule> gwLst = GroupRuleLoader.GetGatewayRules(); foreach (GroupGatewayRule rule in gwLst) { this.gatewayRulesListBox.Items.Add(rule); } ////////////// Change Password tab /////////////// List <AttributeEntry> attribs = CPAttributeSettings.Load(); foreach (AttributeEntry entry in attribs) { this.passwordAttributesDGV.Rows.Add(entry.Name, entry.Method); } }
private void LoadSettings() { string[] ldapHosts = Settings.Store.LdapHost; string hosts = ""; for (int i = 0; i < ldapHosts.Count(); i++) { string host = ldapHosts[i]; if (i < ldapHosts.Count() - 1) { hosts += host + " "; } else { hosts += host; } } ldapHostTextBox.Text = hosts; int port = Settings.Store.LdapPort; ldapPortTextBox.Text = Convert.ToString(port); int timeout = Settings.Store.LdapTimeout; timeoutTextBox.Text = Convert.ToString(timeout); int encryptionMethod = Settings.Store.EncryptionMethod; m_encryptionMethodCb.SelectedIndex = encryptionMethod; bool reqCert = Settings.Store.RequireCert; validateServerCertCheckBox.CheckState = reqCert ? CheckState.Checked : CheckState.Unchecked; string serverCertFile = Settings.Store.ServerCertFile; sslCertFileTextBox.Text = serverCertFile; string searchDn = Settings.Store.SearchDN; searchDnTextBox.Text = searchDn; string searchPw = Settings.Store.GetEncryptedSetting("SearchPW"); searchPassTextBox.Text = searchPw; string grpDnPattern = Settings.Store.GroupDnPattern; this.groupDNPattern.Text = grpDnPattern; string grpMemberAttrib = Settings.Store.GroupMemberAttrib; this.groupMemberAttrTB.Text = grpMemberAttrib; string GroupGidAttrib = Settings.Store.GroupGidAttrib; this.groupGidAttr.Text = GroupGidAttrib; string GroupGidAttribIU = Settings.Store.GroupGidAttribIU; this.groupGidAttrIU.Text = GroupGidAttribIU; int derefValue = Settings.Store.Dereference; this.DereferenceComboBox.SelectedIndex = derefValue; // Authentication tab bool allowEmpty = Settings.Store.AllowEmptyPasswords; this.allowEmptyPwCB.Checked = allowEmpty; string dnPattern = Settings.Store.DnPattern; dnPatternTextBox.Text = dnPattern; bool doSearch = Settings.Store.DoSearch; searchForDnCheckBox.CheckState = doSearch ? CheckState.Checked : CheckState.Unchecked; string filter = Settings.Store.SearchFilter; searchFilterTextBox.Text = filter; bool useAuth = Settings.Store.UseAuthBindForAuthzAndGateway; m_useAuthBindForAuthzAndGatewayCb.Checked = useAuth; string[] searchContexts = Settings.Store.SearchContexts; string ctxs = ""; for (int i = 0; i < searchContexts.Count(); i++) { string ctx = searchContexts[i]; if (i < searchContexts.Count() - 1) { ctxs += ctx + "\r\n"; } else { ctxs += ctx; } } searchContextsTextBox.Text = ctxs; /////////////// Authorization tab ///////////////// this.authzRuleMemberComboBox.SelectedIndex = 0; this.authzRuleActionComboBox.SelectedIndex = 0; this.authzRequireAuthCB.Checked = Settings.Store.AuthzRequireAuth; this.authzAllowOnErrorCB.Checked = Settings.Store.AuthzAllowOnError; this.authzApplyToAllUsersCB.Checked = Settings.Store.AuthzApplyToAllUsers; List <GroupAuthzRule> lst = GroupRuleLoader.GetAuthzRules(); // The last one should be the default rule if (lst.Count > 0 && lst[lst.Count - 1].RuleCondition == GroupRule.Condition.ALWAYS) { GroupAuthzRule rule = lst[lst.Count - 1]; if (rule.AllowOnMatch) { this.authzDefaultAllowRB.Checked = true; } else { this.authzDefaultDenyRB.Checked = true; } lst.RemoveAt(lst.Count - 1); } else { // The list is empty or the last rule is not a default rule. throw new Exception("Default rule not found in rule list."); } // The rest of the rules foreach (GroupAuthzRule rule in lst) { this.authzRulesListBox.Items.Add(rule); } ///////////////// Gateway tab ///////////////// List <GroupGatewayRule> gwLst = GroupRuleLoader.GetGatewayRules(); foreach (GroupGatewayRule rule in gwLst) { this.gatewayRulesListBox.Items.Add(rule); } ////////////// Change Password tab /////////////// List <PasswordAttributeEntry> attribs = CPAttributeSettings.Load(); foreach (PasswordAttributeEntry entry in attribs) { this.passwordAttributesDGV.Rows.Add(entry.Name, entry.Method); } ///////////// Login Script //////////////// txt_script_serverurl.Text = Settings.Store.SFTPServerURL; txt_script_user.Text = Settings.Store.SFTPUser; txt_script_password.Text = Settings.Store.SFTPPassword; txt_script_fingerprint.Text = Settings.Store.SFTPFingerprint; txt_script_path.Text = Settings.Store.SFTPScriptPath; txt_script_path_2.Text = Settings.Store.SFTPScriptPath2; txt_script_group_list_path.Text = Settings.Store.SFTPGroupListPath; txt_script_cmd_login.Text = Settings.Store.CMDLoginScript; txt_script_cmd_logoff.Text = Settings.Store.CMDLogoffScript; }
public BooleanResult AuthorizeUser(SessionProperties properties) { ////m_logger.Debug("LDAP Plugin Authorization"); bool requireAuth = Settings.Store.AuthzRequireAuth; // Get the authz rules from registry List <GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules(); // Get the LDAP server object LdapServer serv = properties.GetTrackedSingle <LdapServer>(); // If LDAP server object is not found, then something went wrong in authentication. // We allow or deny based on setting if (serv == null) { ////m_logger.ErrorFormat("AuthorizeUser: Internal error, LdapServer object not available."); // LdapServer is not available, allow or deny based on settings. return(new BooleanResult() { Success = Settings.Store.AuthzAllowOnError, Message = "LDAP server unavailable." }); } // If we require authentication, and we failed to auth this user, then we // fail authorization. Note that we do this AFTER checking the LDAP server object // because we may want to succeed if the authentication failed due to server // being unavailable. PluginActivityInformation actInfo = properties.GetTrackedSingle <PluginActivityInformation>(); if (requireAuth && !WeAuthedThisUser(actInfo)) { ////m_logger.InfoFormat("Deny because LDAP auth failed, and configured to require LDAP auth."); return(new BooleanResult() { Success = false, Message = "Deny because LDAP authentication failed, or did not execute." }); } // Apply the authorization rules try { UserInformation userInfo = properties.GetTrackedSingle <UserInformation>(); // Bind for searching if we have rules to process. If there's only one, it's the // default rule which doesn't require searching the LDAP tree. if (rules.Count > 0) { this.BindForAuthzOrGatewaySearch(serv); } foreach (GroupAuthzRule rule in rules) { bool inGroup = false; string path = rule.path.Replace("%u", userInfo.Username); string filter = rule.filter.Replace("%u", userInfo.Username); inGroup = serv.GetUserAttribValue(path, filter, rule.SearchScope, new string[] { "dn" }).Count > 0; ////m_logger.DebugFormat("User {0} {1} {2} {3}", userInfo.Username, inGroup ? "is" : "is not", filter, path); if (rule.RuleMatch(inGroup)) { if (rule.AllowOnMatch) { return new BooleanResult() { Success = true, Message = string.Format("Allow via rule: \"{0}\"", rule.ToString()) } } ; else { return new BooleanResult() { Success = false, Message = string.Format("Deny via rule: \"{0}\"", rule.ToString()) } }; } } // If there is no matching rule use default. allow or deny if ((bool)Settings.Store.AuthzDefault) { return new BooleanResult() { Success = true, Message = "" } } ; else { return new BooleanResult() { Success = false, Message = String.Format("You are not allowed to login! No matching rule found! Default rule:{0}", (bool)Settings.Store.AuthzDefault ? "Allow" : "Deny") } }; } catch (Exception e) { if (e is LdapException) { LdapException ldapEx = (e as LdapException); if (ldapEx.ErrorCode == 81) { // Server can't be contacted, set server object to null ////m_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message); serv.Close(); properties.AddTrackedSingle <LdapServer>(null); return(new BooleanResult { Success = Settings.Store.AuthzAllowOnError, Message = "Failed to contact LDAP server." }); } else if (ldapEx.ErrorCode == 49) { // This is invalid credentials, return false, but server object should remain connected ////m_logger.ErrorFormat("LDAP bind failed: invalid credentials."); return(new BooleanResult { Success = false, Message = "Authorization via LDAP failed. Invalid credentials." }); } } // Unexpected error, let the PluginDriver catch ////m_logger.ErrorFormat("Error during authorization: {0}", e); throw; } }
private void LoadSettings() { string[] ldapHosts = Settings.Store.LdapHost; string hosts = ""; for (int i = 0; i < ldapHosts.Count(); i++) { string host = ldapHosts[i]; if (i < ldapHosts.Count() - 1) { hosts += host + " "; } else { hosts += host; } } ldapHostTextBox.Text = hosts; int port = Settings.Store.LdapPort; ldapPortTextBox.Text = Convert.ToString(port); int timeout = Settings.Store.LdapTimeout; timeoutTextBox.Text = Convert.ToString(timeout); bool useSsl = Settings.Store.UseSsl; useSslCheckBox.CheckState = useSsl ? CheckState.Checked : CheckState.Unchecked; bool reqCert = Settings.Store.RequireCert; validateServerCertCheckBox.CheckState = reqCert ? CheckState.Checked : CheckState.Unchecked; string serverCertFile = Settings.Store.ServerCertFile; sslCertFileTextBox.Text = serverCertFile; string searchDn = Settings.Store.SearchDN; searchDnTextBox.Text = searchDn; string searchPw = Settings.Store.GetEncryptedSetting("SearchPW"); searchPassTextBox.Text = searchPw; string grpDnPattern = Settings.Store.GroupDnPattern; this.groupDNPattern.Text = grpDnPattern; string grpMemberAttrib = Settings.Store.GroupMemberAttrib; this.groupMemberAttrTB.Text = grpMemberAttrib; int derefValue = Settings.Store.Dereference; this.DereferenceComboBox.SelectedIndex = derefValue; // Authentication tab bool allowEmpty = Settings.Store.AllowEmptyPasswords; this.allowEmptyPwCB.Checked = allowEmpty; string dnPattern = Settings.Store.DnPattern; dnPatternTextBox.Text = dnPattern; bool doSearch = Settings.Store.DoSearch; searchForDnCheckBox.CheckState = doSearch ? CheckState.Checked : CheckState.Unchecked; string filter = Settings.Store.SearchFilter; searchFilterTextBox.Text = filter; string[] searchContexts = Settings.Store.SearchContexts; string ctxs = ""; for (int i = 0; i < searchContexts.Count(); i++) { string ctx = searchContexts[i]; if (i < searchContexts.Count() - 1) { ctxs += ctx + "\r\n"; } else { ctxs += ctx; } } searchContextsTextBox.Text = ctxs; /////////////// Authorization tab ///////////////// this.authzRuleMemberComboBox.SelectedIndex = 0; this.authzRuleActionComboBox.SelectedIndex = 0; this.authzRequireAuthCB.Checked = Settings.Store.AuthzRequireAuth; this.authzAllowOnErrorCB.Checked = Settings.Store.AuthzAllowOnError; List <GroupAuthzRule> lst = GroupRuleLoader.GetAuthzRules(); // The last one should be the default rule if (lst.Count > 0 && lst[lst.Count - 1].RuleCondition == GroupRule.Condition.ALWAYS) { GroupAuthzRule rule = lst[lst.Count - 1]; if (rule.AllowOnMatch) { this.authzDefaultAllowRB.Checked = true; } else { this.authzDefaultDenyRB.Checked = true; } lst.RemoveAt(lst.Count - 1); } else { // The list is empty or the last rule is not a default rule. throw new Exception("Default rule not found in rule list."); } // The rest of the rules foreach (GroupAuthzRule rule in lst) { this.authzRulesListBox.Items.Add(rule); } ///////////////// Gateway tab ///////////////// List <GroupGatewayRule> gwLst = GroupRuleLoader.GetGatewayRules(); foreach (GroupGatewayRule rule in gwLst) { this.gatewayRulesListBox.Items.Add(rule); } }