private static ApiErrorItem ParseLdapException(LdapException ex)
{
// If the LDAP server returned an error, it will be formatted
// similar to this:
// "0000052D: AtrErr: DSID-03191083, #1:\n\t0: 0000052D: DSID-03191083, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)\n\0"
//
// The leading number before the ':' is the Win32 API Error Code in HEX
if (ex.LdapErrorMessage == null)
{
return(new ApiErrorItem(ApiErrorCode.LdapProblem, "Unexpected null exception"));
}
var m = Regex.Match(ex.LdapErrorMessage, "([0-9a-fA-F]+):");
if (!m.Success)
{
return(new ApiErrorItem(ApiErrorCode.LdapProblem, $"Unexpected error: {ex.LdapErrorMessage}"));
}
var errCodeString = m.Groups[1].Value;
var errCode = int.Parse(errCodeString, NumberStyles.HexNumber, CultureInfo.InvariantCulture);
var err = Win32ErrorCode.ByCode(errCode);
return(err == null
? new ApiErrorItem(ApiErrorCode.LdapProblem, $"Unexpected Win32 API error; error code: {errCodeString}")
: new ApiErrorItem(ApiErrorCode.InvalidCredentials,
$"Resolved Win32 API Error: code={err.Code} name={err.CodeName} desc={err.Description}"));
}
protected void NotifyExceptionListeners(LdapMessage sourceMessage, LdapException ldapException)
{
if (null != directory_exception_event)
{
directory_exception_event(this, new DirectoryExceptionEventArgs(sourceMessage, ldapException));
}
}
public MonitorEventResponse(RfcLdapMessage message)
: base(message)
{
sbyte[] returnedValue = Value;
if (null == returnedValue)
{
throw new LdapException(LdapException.resultCodeToString(ResultCode),
ResultCode,
null);
}
LBERDecoder decoder = new LBERDecoder();
Asn1Sequence sequence = (Asn1Sequence)decoder.decode(returnedValue);
int length = ((Asn1Integer)sequence.get_Renamed(0)).intValue();
Asn1Set sequenceSet = (Asn1Set)sequence.get_Renamed(1);
specifier_list = new EdirEventSpecifier[length];
for (int i = 0; i < length; i++)
{
Asn1Sequence eventspecifiersequence =
(Asn1Sequence)sequenceSet.get_Renamed(i);
int classfication =
((Asn1Integer)eventspecifiersequence.get_Renamed(0)).intValue();
int enumtype =
((Asn1Enumerated)eventspecifiersequence.get_Renamed(1)).intValue();
specifier_list[i] =
new EdirEventSpecifier((EdirEventType)classfication, (EdirEventResultType)enumtype);
}
}
public static string returnErrorMessage(LdapException lexc)
{
string error = lexc.ServerErrorMessage;
string errorcode = error.Substring(77, 3);
string errorMessage = ADAuthentication.ldapErrors[errorcode];
return(errorMessage);
}
public BooleanResult AuthenticateUser(Shared.Types.SessionProperties properties)
{
// Get the LdapServer object from the session properties (created in BeginChain)
LdapServer server = properties.GetTrackedSingle <LdapServer>();
if (server == null)
{
return new BooleanResult()
{
Success = false, Message = "Internal error: LdapServer object not available"
}
}
;
try
{
m_logger.DebugFormat("AuthenticateUser({0})", properties.Id.ToString());
Shared.Types.UserInformation userInfo = properties.GetTrackedSingle <Shared.Types.UserInformation>();
m_logger.DebugFormat("Received username: {0}", userInfo.Username);
// Authenticate the login
m_logger.DebugFormat("Attempting authentication for {0}", userInfo.Username);
// Se o login foi realizado com sucesso, vamos mapear o disco da rede.
BooleanResult result = server.Authenticate(userInfo.Username, userInfo.Password);
return(result);
}
catch (Exception e)
{
if (e is LdapException)
{
LdapException ldapEx = (e as LdapException);
if (ldapEx.ErrorCode == 81)
{
// Server can't be contacted, set server object to null
m_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message);
server.Close();
properties.AddTrackedSingle <LdapServer>(null);
return(new BooleanResult {
Success = false, Message = "Failed to contact LDAP server."
});
}
}
// This is an unexpected error, so set LdapServer object to null, because
// subsequent stages shouldn't use it, and this indicates to later stages
// that this stage failed unexpectedly.
server.Close();
properties.AddTrackedSingle <LdapServer>(null);
m_logger.ErrorFormat("Exception in LDAP authentication: {0}", e);
throw; // Allow pGina service to catch and handle exception
}
}
public void Ctor_Default()
{
var exception = new LdapException();
Assert.NotEmpty(exception.Message);
Assert.Null(exception.InnerException);
Assert.Equal(0, exception.ErrorCode);
Assert.Null(exception.ServerErrorMessage);
Assert.Empty(exception.PartialResults);
}
public void Ctor_ErrorCode_Message_ServerErrorMessage()
{
var exception = new LdapException(10, "message", "serverErrorMessage");
Assert.Equal("message", exception.Message);
Assert.Null(exception.InnerException);
Assert.Equal(10, exception.ErrorCode);
Assert.Equal("serverErrorMessage", exception.ServerErrorMessage);
Assert.Empty(exception.PartialResults);
}
public void TestInvalidFilter()
{
using LdapConnection connection = GetConnection();
LdapException ex = Assert.Throws <LdapException>(() =>
{
var searchRequest = new SearchRequest(LdapConfiguration.Configuration.SearchDn, "==invalid==", SearchScope.OneLevel);
_ = (SearchResponse)connection.SendRequest(searchRequest);
});
Assert.Equal(/* LdapError.FilterError */ 0x57, ex.ErrorCode);
}
public void Ctor_Message_InnerException()
{
var innerException = new Exception();
var exception = new LdapException("message", innerException);
Assert.Equal("message", exception.Message);
Assert.Same(innerException, exception.InnerException);
Assert.Equal(0, exception.ErrorCode);
Assert.Null(exception.ServerErrorMessage);
Assert.Empty(exception.PartialResults);
}
public static void Validate(int error)
{
if (error != (int)LdapStatus.LDAP_SUCCESS)
{
var errorPointer = LdapClientLibrary.ldap_err2string(error);
var errorString = Marshal.PtrToStringAnsi(errorPointer);
var message = string.Format("{0}-{1} (error code = {2})", "Exception thrown from LDAP", errorString, error);
var exception = new LdapException(message);
exception.LdapError = (LdapStatus)Enum.Parse(typeof(LdapStatus), error.ToString(), false);
throw exception;
}
}
private static void AppendLdapException(this StringBuilder stringBuilder, LdapException exception)
{
stringBuilder.AppendMarkdownLine("LdapException specific:");
stringBuilder.Append(" ").AppendMarkdownProperty("ServerErrorMessage", exception.ServerErrorMessage);
stringBuilder.Append(" ").AppendMarkdownProperty("ErrorCode", exception.ErrorCode.ToString());
foreach (var partialResult in exception.PartialResults)
{
if (partialResult != null)
{
stringBuilder.Append(" ").AppendMarkdownProperty("PartialResult", partialResult.ToString());
}
}
}
private static LdapPacket BuildError(LdapPacket request, LdapException ex)
{
BaseOperationDone operation = null;
switch (request.ProtocolOperation.Tag.LdapCommand)
{
case LdapCommands.AddRequest:
operation = new AddResponse();
break;
case LdapCommands.BindRequest:
operation = new BindResponse();
break;
case LdapCommands.DelRequest:
operation = new DelResponse();
break;
case LdapCommands.SearchRequest:
operation = new SearchResultDone();
break;
case LdapCommands.ModifyRequest:
operation = new ModifyResponse();
break;
}
operation.Result = new LDAPResult
{
MatchedDN = new DEROctetString(ex.Target),
DiagnosticMessage = new DEROctetString(ex.Message),
ResultCode = new DEREnumerated <LDAPResultCodes>
{
Value = ex.Code
}
};
var ldapPacket = new LdapPacket
{
MessageId = request.MessageId,
ProtocolOperation = new DERProtocolOperation
{
Operation = operation
}
};
return(ldapPacket);
}
// Token: 0x06001979 RID: 6521 RVA: 0x0006BFA4 File Offset: 0x0006A1A4
private PropertyValidationError CheckForDDLMisconfiguration(DirectoryException e)
{
DirectoryOperationException ex = e as DirectoryOperationException;
if (ex != null)
{
if (ex.Response == null)
{
return(null);
}
ResultCode resultCode = ex.Response.ResultCode;
if (resultCode == ResultCode.OperationsError)
{
return(new PropertyValidationError(DirectoryStrings.ErrorDDLOperationsError, ADDynamicGroupSchema.RecipientContainer, this.RecipientContainer));
}
switch (resultCode)
{
case ResultCode.ReferralV2:
case ResultCode.Referral:
return(new PropertyValidationError(DirectoryStrings.ErrorDDLReferral, ADDynamicGroupSchema.RecipientContainer, this.RecipientContainer));
default:
switch (resultCode)
{
case ResultCode.NoSuchObject:
return(new PropertyValidationError(DirectoryStrings.ErrorDDLNoSuchObject, ADDynamicGroupSchema.RecipientContainer, this.RecipientContainer));
case ResultCode.InvalidDNSyntax:
return(new PropertyValidationError(DirectoryStrings.ErrorDDLInvalidDNSyntax, ADDynamicGroupSchema.RecipientContainer, this.RecipientContainer));
}
return(null);
}
}
else
{
LdapException ex2 = e as LdapException;
if (ex2 != null && ex2.ErrorCode == 87)
{
return(new PropertyValidationError(DirectoryStrings.ErrorDDLFilterError, ADDynamicGroupSchema.RecipientFilter, this.RecipientFilter));
}
return(null);
}
}
private void HandleLdapException(LdapException x)
{
switch (x.ResultCode)
{
case LdapException.Ldap_TIMEOUT:
throw new TimeoutException("Ldap lookup timed out", x);
case LdapException.OPERATIONS_ERROR:
case LdapException.INVALID_DN_SYNTAX:
if (x.ResultCode == 1 && x.LdapErrorMessage.Contains("DSID-0C090627"))
{
throw new DreamAbortException(DreamMessage.Forbidden(string.Format("Account '{0}' is disabled", this._username)));
}
throw new ArgumentException(string.Format("The search base '{0}' may have invalid format (Example: 'DC=sales,DC=acme,DC=com') or the account used for binding may be disabled. Error returned from LDAP: {1}", _config.LdapSearchBase, x.LdapErrorMessage), x);
default:
throw x;
}
}
private ApiErrorItem ParseLdapException(LdapException ex)
{
// If the LDAP server returned an error, it will be formated
// similar to this:
// "0000052D: AtrErr: DSID-03191083, #1:\n\t0: 0000052D: DSID-03191083, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)\n\0"
//
// The leading number before the ':' is the Win32 API Error Code in HEX
var m = Regex.Match(ex.LdapErrorMessage, "([0-9a-fA-F]+):");
if (m.Success)
{
var errCodeString = m.Groups[1].Value;
var errCode = int.Parse(errCodeString, NumberStyles.HexNumber);
var err = Win32ErrorCode.ByCode(errCode);
if (err != null)
{
_logger.LogWarning("resolved Win32 API Error: code={0} name={1} desc={2}",
err.Code, err.CodeName, err.Description);
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.InvalidCredentials,
FieldName = "currentPassword",
Message = $"0x{err.Code:X}:{err.CodeName}: {err.Description}",
});
}
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.Generic,
Message = "unexpected Win32 API error; error code: " + errCodeString,
});
}
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.Generic,
Message = "unexpected error: " + ex.LdapErrorMessage,
});
}
public bool Validate(string userName, string password, ContextOptions connectionMethod)
{
bool flag;
if (userName == null || userName.Length != 0)
{
if (this.contextType == ContextType.Domain || this.contextType == ContextType.ApplicationDirectory)
{
try
{
NetworkCredential networkCredential = new NetworkCredential(userName, password);
this.BindLdap(networkCredential, connectionMethod);
flag = true;
}
catch (LdapException ldapException1)
{
LdapException ldapException = ldapException1;
if ((long)ldapException.ErrorCode != (long)ExceptionHelper.ERROR_LOGON_FAILURE)
{
throw;
}
else
{
flag = false;
}
}
return(flag);
}
else
{
return(this.BindSam(this.serverName, userName, password));
}
}
else
{
return(false);
}
}
public static TargetConnection Create(Server localHub, TargetServerConfig targetServerConfig, NetworkCredential credential, SyncTreeType type, EdgeSyncLogSession logSession)
{
TargetConnection result;
try
{
result = new LdapTargetConnection(localHub.VersionNumber, targetServerConfig, credential, type, logSession);
}
catch (ExDirectoryException ex)
{
if (ex.InnerException is LdapException)
{
LdapException ex2 = ex.InnerException as LdapException;
if (ex2.ErrorCode == 49)
{
string userName = credential.UserName;
string host = targetServerConfig.Host;
}
}
throw;
}
return(result);
}
public BooleanResult AuthorizeUser(SessionProperties properties)
{
m_logger.Debug("LDAP Plugin Authorization");
bool requireAuth = Settings.Store.AuthzRequireAuth;
// Get the authz rules from registry
List <GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules();
if (rules.Count == 0)
{
throw new Exception("No authorizaition rules found.");
}
// Get the LDAP server object
LdapServer serv = properties.GetTrackedSingle <LdapServer>();
// If LDAP server object is not found, then something went wrong in authentication.
// We allow or deny based on setting
if (serv == null)
{
m_logger.ErrorFormat("AuthorizeUser: Internal error, LdapServer object not available.");
// LdapServer is not available, allow or deny based on settings.
return(new BooleanResult()
{
Success = Settings.Store.AuthzAllowOnError,
Message = "LDAP server unavailable."
});
}
// If we require authentication, and we failed to auth this user, then we
// fail authorization. Note that we do this AFTER checking the LDAP server object
// because we may want to succeed if the authentication failed due to server
// being unavailable.
if (requireAuth)
{
PluginActivityInformation actInfo = properties.GetTrackedSingle <PluginActivityInformation>();
try
{
BooleanResult ldapResult = actInfo.GetAuthenticationResult(this.Uuid);
if (!ldapResult.Success)
{
m_logger.InfoFormat("Deny because LDAP auth failed, and configured to require LDAP auth.");
return(new BooleanResult()
{
Success = false,
Message = "Deny because LDAP authentication failed."
});
}
}
catch (KeyNotFoundException)
{
// The plugin is not enabled for authentication
m_logger.ErrorFormat("LDAP is not enabled for authentication, and authz is configured to require authentication.");
return(new BooleanResult
{
Success = false,
Message = "Deny because LDAP auth did not execute, and configured to require LDAP auth."
});
}
}
// Apply the authorization rules
try
{
UserInformation userInfo = properties.GetTrackedSingle <UserInformation>();
string user = userInfo.Username;
// Bind for searching if we have rules to process. If there's only one, it's the
// default rule which doesn't require searching the LDAP tree.
if (rules.Count > 1)
{
serv.BindForSearch();
}
foreach (GroupAuthzRule rule in rules)
{
bool inGroup = false;
// Don't need to check membership if the condition is "always." This is the
// case for the default rule only. which is the last rule in the list.
if (rule.RuleCondition != GroupRule.Condition.ALWAYS)
{
inGroup = serv.MemberOfGroup(user, rule.Group);
m_logger.DebugFormat("User {0} {1} member of group {2}", user, inGroup ? "is" : "is not",
rule.Group);
}
if (rule.RuleMatch(inGroup))
{
if (rule.AllowOnMatch)
{
return new BooleanResult()
{
Success = true,
Message = string.Format("Allow via rule: \"{0}\"", rule.ToString())
}
}
;
else
{
return new BooleanResult()
{
Success = false,
Message = string.Format("Deny via rule: \"{0}\"", rule.ToString())
}
};
}
}
// We should never get this far because the last rule in the list should always be a match,
// but if for some reason we do, return success.
return(new BooleanResult()
{
Success = true, Message = ""
});
}
catch (Exception e)
{
if (e is LdapException)
{
LdapException ldapEx = (e as LdapException);
if (ldapEx.ErrorCode == 81)
{
// Server can't be contacted, set server object to null
m_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message);
serv.Close();
properties.AddTrackedSingle <LdapServer>(null);
return(new BooleanResult
{
Success = Settings.Store.AuthzAllowOnError,
Message = "Failed to contact LDAP server."
});
}
else if (ldapEx.ErrorCode == 49)
{
// This is invalid credentials, return false, but server object should remain connected
m_logger.ErrorFormat("LDAP bind failed: invalid credentials.");
return(new BooleanResult
{
Success = false,
Message = "Authorization via LDAP failed. Invalid credentials."
});
}
}
// Unexpected error, let the PluginDriver catch
m_logger.ErrorFormat("Error during authorization: {0}", e);
throw;
}
}
// Token: 0x060002A1 RID: 673 RVA: 0x0000ECEC File Offset: 0x0000CEEC
public static Exception DirectoryTracerCallback(string exceptionType)
{
Exception result = null;
if (!string.IsNullOrEmpty(exceptionType))
{
if (exceptionType.Contains("_") && !string.IsNullOrEmpty(exceptionType.Substring(exceptionType.IndexOf("_") + 1)))
{
string strA = exceptionType.Substring(0, exceptionType.IndexOf("_"));
int errorCode = int.Parse(exceptionType.Substring(exceptionType.IndexOf("_") + 1));
if (string.Compare(strA, "LdapException", StringComparison.OrdinalIgnoreCase) == 0)
{
result = new LdapException(errorCode);
}
}
else
{
if (exceptionType == "ADTransientException-ExceptionNativeErrorWhenLookingForServersInDomain")
{
throw new ADTransientException(DirectoryStrings.ExceptionNativeErrorWhenLookingForServersInDomain(-1, "Fault Injection domain", "Fault injection Error"));
}
if (exceptionType == "ThreadAbortException")
{
Thread.CurrentThread.Abort();
}
else
{
if (exceptionType == "MServTransientException")
{
throw new MServTransientException(DirectoryStrings.TransientMservError("Fault injection MSERV transient error"));
}
if (exceptionType == "MServPermanentException")
{
throw new MServPermanentException(DirectoryStrings.PermanentMservError("Fault injection MSERV permanent error"));
}
if (exceptionType == "GlsTransientException")
{
throw new EndpointNotFoundException("Fault injection GLS transient error");
}
if (exceptionType == "GlsPermanentException")
{
throw new QuotaExceededException("Fault injection GLS permanent error");
}
if (exceptionType == "GlsDelay")
{
Thread.Sleep(4000);
throw new TimeoutException("Test timeout exception");
}
if (exceptionType == "GlsAsyncTransientException")
{
throw new EndpointNotFoundException("Fault injection GLS Async transient error");
}
if (exceptionType == "GlsAsyncPermanentException")
{
throw new QuotaExceededException("Fault injection GLS Async permanent error");
}
if (exceptionType == "GlsAsyncDelay")
{
Thread.Sleep(4000);
throw new TimeoutException("Async test timeout exception");
}
if (exceptionType == "DirectoryExceptionNotification")
{
throw new LdapException(91);
}
}
}
}
return(result);
}
internal void ReadServerConfig(string serverName, ref ServerProperties properties)
{
string[] strArrays = new string[5];
strArrays[0] = "msDS-PortSSL";
strArrays[1] = "msDS-PortLDAP";
strArrays[2] = "domainControllerFunctionality";
strArrays[3] = "dnsHostName";
strArrays[4] = "supportedCapabilities";
string[] strArrays1 = strArrays;
LdapConnection ldapConnection = null;
using (ldapConnection)
{
bool flag = (this.options & ContextOptions.SecureSocketLayer) > 0;
if (!flag || this.contextType != ContextType.Domain)
{
ldapConnection = new LdapConnection(serverName);
}
else
{
LdapDirectoryIdentifier ldapDirectoryIdentifier = new LdapDirectoryIdentifier(serverName, LdapConstants.LDAP_SSL_PORT);
ldapConnection = new LdapConnection(ldapDirectoryIdentifier);
}
ldapConnection.AutoBind = false;
ldapConnection.SessionOptions.SecureSocketLayer = flag;
string str = null;
string str1 = "(objectClass=*)";
SearchResponse searchResponse = null;
SearchRequest searchRequest = new SearchRequest(str, str1, SearchScope.Base, strArrays1);
try
{
searchResponse = (SearchResponse)ldapConnection.SendRequest(searchRequest);
}
catch (LdapException ldapException1)
{
LdapException ldapException = ldapException1;
throw new PrincipalServerDownException(StringResources.ServerDown, ldapException);
}
properties.dnsHostName = (string)searchResponse.Entries[0].Attributes["dnsHostName"][0];
properties.SupportCapabilities = new string[searchResponse.Entries[0].Attributes["supportedCapabilities"].Count];
for (int i = 0; i < searchResponse.Entries[0].Attributes["supportedCapabilities"].Count; i++)
{
properties.SupportCapabilities[i] = (string)searchResponse.Entries[0].Attributes["supportedCapabilities"][i];
}
string[] supportCapabilities = properties.SupportCapabilities;
for (int j = 0; j < (int)supportCapabilities.Length; j++)
{
string str2 = supportCapabilities[j];
if ("1.2.840.113556.1.4.1851" != str2)
{
if ("1.2.840.113556.1.4.800" == str2)
{
properties.contextType = ContextType.Domain;
}
}
else
{
properties.contextType = ContextType.ApplicationDirectory;
}
}
if (!searchResponse.Entries[0].Attributes.Contains("domainControllerFunctionality"))
{
properties.OsVersion = DomainControllerMode.Win2k;
}
else
{
properties.OsVersion = (DomainControllerMode)Convert.ToInt32(searchResponse.Entries[0].Attributes["domainControllerFunctionality"][0], CultureInfo.InvariantCulture);
}
if (properties.contextType == ContextType.ApplicationDirectory)
{
if (searchResponse.Entries[0].Attributes.Contains("msDS-PortSSL"))
{
properties.portSSL = Convert.ToInt32(searchResponse.Entries[0].Attributes["msDS-PortSSL"][0]);
}
if (searchResponse.Entries[0].Attributes.Contains("msDS-PortLDAP"))
{
properties.portLDAP = Convert.ToInt32(searchResponse.Entries[0].Attributes["msDS-PortLDAP"][0]);
}
}
}
}
/// <summary>
/// Connects to LDAP Server according to user's credentials.
/// (These credentials have been stored in the SessionProperties object
/// during the Gateway stage.)
/// Retrieves the name of the script file on the user's LDAP account.
/// </summary>
private void LdapPart(SessionChangeDescription changeDescription, SessionProperties properties)
{
// initializes and sets up a new Ldap connection
LdapInitialization(properties);
// Get the LdapServer object from the session properties (created in LdapInitialization)
LdapServer server = properties.GetTrackedSingle <LdapServer>();
if (server == null)
{
pluginImpl_logger.ErrorFormat("Internal error: LdapServer object not available.");
return;
}
try
{
pluginImpl_logger.DebugFormat("AuthenticateUser({0})", properties.Id.ToString());
// retrieving user's information stored during Gateway stage
Shared.Types.UserInformation userInfo = properties.GetTrackedSingle <Shared.Types.UserInformation>();
string userLogin = properties.GetTracked <string>("UserLogin");
string userPassword = properties.GetTracked <string>("UserPassword");
pluginImpl_logger.DebugFormat("Received username: {0}", userLogin);
// Authenticate the login
pluginImpl_logger.DebugFormat("Attempting authentication for {0}", userLogin);
BooleanResult authenticateBool = server.Authenticate(userLogin, userPassword);
if (!authenticateBool.Success) // authentication and attribute value retrieving didn't work
{
pluginImpl_logger.ErrorFormat("LDAP Authentication failed. {0}", authenticateBool.Message);
return;
}
// retrieves the script name from Ldap
this.scriptName = server.GetScriptName();
pluginImpl_logger.DebugFormat("Name of the script file: {0}", this.scriptName);
// cleans up any resources held by the plugin
LdapEnd(properties);
}
catch (Exception e)
{
if (e is LdapException)
{
LdapException ldapEx = (e as LdapException);
if (ldapEx.ErrorCode == 81)
{
// Server can't be contacted, set server object to null
pluginImpl_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message);
server.Close();
properties.AddTrackedSingle <LdapServer>(null);
return;
}
}
// This is an unexpected error, so set LdapServer object to null, because
// subsequent stages shouldn't use it, and this indicates to later stages
// that this stage failed unexpectedly.
server.Close();
properties.AddTrackedSingle <LdapServer>(null);
pluginImpl_logger.ErrorFormat("Exception in LDAP authentication: {0}", e);
throw; // Allow pGina service to catch and handle exception
}
}
public static string GetUnderlineLdapExceptionCode(this LdapException e)
{
var errorCode = new Regex(@"(?<=data\s)\S{3}", RegexOptions.IgnoreCase | RegexOptions.Multiline).Match(e.LdapErrorMessage).Value;
return(errorMessages.ContainsKey(errorCode) ? errorMessages[errorCode] : "Bilinmeyen Bir Hata Oluştu. Lütfen Sistem Yöneticinize Başvurun.");
}
protected override void OnError(Guid clientId, LdapException exception)
{
Console.WriteLine($"{clientId} E {exception.Message} ({exception.ResultCode})");
base.OnError(clientId, exception);
}
public DirectoryExceptionEventArgs(LdapMessage message, LdapException ldapException)
: base(message)
{
ldap_exception_object = ldapException;
}
public bool Validate(string userName, string password)
{
bool flag;
NetworkCredential networkCredential = new NetworkCredential(userName, password);
if (userName == null || userName.Length != 0)
{
if (this.contextType == ContextType.Domain || this.contextType == ContextType.ApplicationDirectory)
{
try
{
if (this.lastBindMethod != CredentialValidator.AuthMethod.Simple || !this.fastConcurrentSupported && this.contextType != ContextType.ApplicationDirectory)
{
try
{
this.BindLdap(networkCredential, ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);
this.lastBindMethod = CredentialValidator.AuthMethod.Negotiate;
flag = true;
return(flag);
}
catch (LdapException ldapException)
{
}
this.BindLdap(networkCredential, ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer);
this.lastBindMethod = CredentialValidator.AuthMethod.Simple;
flag = true;
}
else
{
try
{
this.BindLdap(networkCredential, ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer);
this.lastBindMethod = CredentialValidator.AuthMethod.Simple;
flag = true;
return(flag);
}
catch (LdapException ldapException1)
{
}
this.BindLdap(networkCredential, ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);
this.lastBindMethod = CredentialValidator.AuthMethod.Negotiate;
flag = true;
}
}
catch (LdapException ldapException3)
{
LdapException ldapException2 = ldapException3;
if ((long)ldapException2.ErrorCode != (long)ExceptionHelper.ERROR_LOGON_FAILURE)
{
throw;
}
else
{
flag = false;
}
}
return(flag);
}
else
{
return(this.BindSam(this.serverName, userName, password));
}
}
else
{
return(false);
}
}
public DirectoryExceptionEventArgs(LdapMessage message, LdapException ldapException)
: base(message)
{
ldap_exception_object = ldapException;
}
public BooleanResult AuthorizeUser(SessionProperties properties)
{
////m_logger.Debug("LDAP Plugin Authorization");
bool requireAuth = Settings.Store.AuthzRequireAuth;
// Get the authz rules from registry
List <GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules();
// Get the LDAP server object
LdapServer serv = properties.GetTrackedSingle <LdapServer>();
// If LDAP server object is not found, then something went wrong in authentication.
// We allow or deny based on setting
if (serv == null)
{
////m_logger.ErrorFormat("AuthorizeUser: Internal error, LdapServer object not available.");
// LdapServer is not available, allow or deny based on settings.
return(new BooleanResult()
{
Success = Settings.Store.AuthzAllowOnError,
Message = "LDAP server unavailable."
});
}
// If we require authentication, and we failed to auth this user, then we
// fail authorization. Note that we do this AFTER checking the LDAP server object
// because we may want to succeed if the authentication failed due to server
// being unavailable.
PluginActivityInformation actInfo = properties.GetTrackedSingle <PluginActivityInformation>();
if (requireAuth && !WeAuthedThisUser(actInfo))
{
////m_logger.InfoFormat("Deny because LDAP auth failed, and configured to require LDAP auth.");
return(new BooleanResult()
{
Success = false,
Message = "Deny because LDAP authentication failed, or did not execute."
});
}
// Apply the authorization rules
try
{
UserInformation userInfo = properties.GetTrackedSingle <UserInformation>();
// Bind for searching if we have rules to process. If there's only one, it's the
// default rule which doesn't require searching the LDAP tree.
if (rules.Count > 0)
{
this.BindForAuthzOrGatewaySearch(serv);
}
foreach (GroupAuthzRule rule in rules)
{
bool inGroup = false;
string path = rule.path.Replace("%u", userInfo.Username);
string filter = rule.filter.Replace("%u", userInfo.Username);
inGroup = serv.GetUserAttribValue(path, filter, rule.SearchScope, new string[] { "dn" }).Count > 0;
////m_logger.DebugFormat("User {0} {1} {2} {3}", userInfo.Username, inGroup ? "is" : "is not", filter, path);
if (rule.RuleMatch(inGroup))
{
if (rule.AllowOnMatch)
{
return new BooleanResult()
{
Success = true,
Message = string.Format("Allow via rule: \"{0}\"", rule.ToString())
}
}
;
else
{
return new BooleanResult()
{
Success = false,
Message = string.Format("Deny via rule: \"{0}\"", rule.ToString())
}
};
}
}
// If there is no matching rule use default. allow or deny
if ((bool)Settings.Store.AuthzDefault)
{
return new BooleanResult()
{
Success = true, Message = ""
}
}
;
else
{
return new BooleanResult()
{
Success = false, Message = String.Format("You are not allowed to login! No matching rule found! Default rule:{0}", (bool)Settings.Store.AuthzDefault ? "Allow" : "Deny")
}
};
}
catch (Exception e)
{
if (e is LdapException)
{
LdapException ldapEx = (e as LdapException);
if (ldapEx.ErrorCode == 81)
{
// Server can't be contacted, set server object to null
////m_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message);
serv.Close();
properties.AddTrackedSingle <LdapServer>(null);
return(new BooleanResult
{
Success = Settings.Store.AuthzAllowOnError,
Message = "Failed to contact LDAP server."
});
}
else if (ldapEx.ErrorCode == 49)
{
// This is invalid credentials, return false, but server object should remain connected
////m_logger.ErrorFormat("LDAP bind failed: invalid credentials.");
return(new BooleanResult
{
Success = false,
Message = "Authorization via LDAP failed. Invalid credentials."
});
}
}
// Unexpected error, let the PluginDriver catch
////m_logger.ErrorFormat("Error during authorization: {0}", e);
throw;
}
}
