Inheritance: IDisposable
Example #1
0
 public void TestConnect3()
 {
     LdapServer serv = new LdapServer(new string[]{host}, port, false, false, null);
     serv.Connect(10);
     Assert.Throws<LdapException>(delegate
         {
             serv.Bind(new NetworkCredential("cn=Manager,dc=example,dc=com", "seret"));
         }
     );
 }
Example #2
0
 public void TestConnect1()
 {
     LdapServer serv = new LdapServer(new string[] {host}, port, false, false, null);
     serv.Connect(10);
     serv.Bind();
 }
Example #3
0
 public void TestConnect2()
 {
     LdapServer serv = new LdapServer(new string[] {host}, port, false, false, null);
     serv.Connect(10);
     serv.Bind(new NetworkCredential("cn=Manager,dc=example,dc=com", "secret"));
 }
Example #4
0
        public BooleanResult AuthorizeUser(SessionProperties properties)
        {
            m_logger.Debug("LDAP Plugin Authorization");

            // Do we need to do authorization?
            if (DoesAuthzApply(properties))
            {
                bool requireAuth = Settings.Store.AuthzRequireAuth;

                // Get the authz rules from registry
                List <GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules();
                if (rules.Count == 0)
                {
                    throw new Exception("No authorizaition rules found.");
                }

                // Get the LDAP server object
                LdapServer serv = properties.GetTrackedSingle <LdapServer>();

                // If LDAP server object is not found, then something went wrong in authentication.
                // We allow or deny based on setting
                if (serv == null)
                {
                    m_logger.ErrorFormat("AuthorizeUser: Internal error, LdapServer object not available.");

                    // LdapServer is not available, allow or deny based on settings.
                    return(new BooleanResult()
                    {
                        Success = Settings.Store.AuthzAllowOnError,
                        Message = "LDAP server unavailable."
                    });
                }

                // If we require authentication, and we failed to auth this user, then we
                // fail authorization.  Note that we do this AFTER checking the LDAP server object
                // because we may want to succeed if the authentication failed due to server
                // being unavailable.
                if (requireAuth && !WeAuthedThisUser(properties))
                {
                    m_logger.InfoFormat("Deny because LDAP auth failed, and configured to require LDAP auth.");
                    return(new BooleanResult()
                    {
                        Success = false,
                        Message = "Deny because LDAP authentication failed, or did not execute."
                    });
                }

                // Apply the authorization rules
                try
                {
                    UserInformation userInfo = properties.GetTrackedSingle <UserInformation>();
                    string          user     = userInfo.Username;

                    // Bind for searching if we have rules to process.  If there's only one, it's the
                    // default rule which doesn't require searching the LDAP tree.
                    if (rules.Count > 1)
                    {
                        this.BindForAuthzOrGatewaySearch(serv);
                    }

                    foreach (GroupAuthzRule rule in rules)
                    {
                        bool inGroup = false;

                        // Don't need to check membership if the condition is "always."  This is the
                        // case for the default rule only. which is the last rule in the list.
                        if (rule.RuleCondition != GroupRule.Condition.ALWAYS)
                        {
                            inGroup = serv.MemberOfGroup(user, rule.Group);
                            m_logger.DebugFormat("User {0} {1} member of group {2}", user, inGroup ? "is" : "is not",
                                                 rule.Group);
                        }

                        if (rule.RuleMatch(inGroup))
                        {
                            if (rule.AllowOnMatch)
                            {
                                return new BooleanResult()
                                       {
                                           Success = true,
                                           Message = string.Format("Allow via rule: \"{0}\"", rule.ToString())
                                       }
                            }
                            ;
                            else
                            {
                                return new BooleanResult()
                                       {
                                           Success = false,
                                           Message = string.Format("Deny via rule: \"{0}\"", rule.ToString())
                                       }
                            };
                        }
                    }

                    // We should never get this far because the last rule in the list should always be a match,
                    // but if for some reason we do, return success.
                    return(new BooleanResult()
                    {
                        Success = true, Message = ""
                    });
                }
                catch (Exception e)
                {
                    if (e is LdapException)
                    {
                        LdapException ldapEx = (e as LdapException);

                        if (ldapEx.ErrorCode == 81)
                        {
                            // Server can't be contacted, set server object to null
                            m_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message);
                            serv.Close();
                            properties.AddTrackedSingle <LdapServer>(null);
                            return(new BooleanResult
                            {
                                Success = Settings.Store.AuthzAllowOnError,
                                Message = "Failed to contact LDAP server."
                            });
                        }
                        else if (ldapEx.ErrorCode == 49)
                        {
                            // This is invalid credentials, return false, but server object should remain connected
                            m_logger.ErrorFormat("LDAP bind failed: invalid credentials.");
                            return(new BooleanResult
                            {
                                Success = false,
                                Message = "Authorization via LDAP failed. Invalid credentials."
                            });
                        }
                    }

                    // Unexpected error, let the PluginDriver catch
                    m_logger.ErrorFormat("Error during authorization: {0}", e);
                    throw;
                }
            }
            else
            {
                // We elect to not do any authorization, let the user pass for us
                return(new BooleanResult()
                {
                    Success = true
                });
            }
        }
Example #5
0
 public void BeginChain(SessionProperties props)
 {
     m_logger.Debug("BeginChain");
     try
     {
         LdapServer serv = new LdapServer();
         props.AddTrackedSingle<LdapServer>(serv);
     }
     catch (Exception e)
     {
         m_logger.ErrorFormat("Failed to create LdapServer: {0}", e);
         props.AddTrackedSingle<LdapServer>(null);
     }
 }
Example #6
0
        public BooleanResult AuthenticatedUserGateway(SessionProperties properties)
        {
            m_logger.Debug("LDAP Plugin Gateway");
            List <string> addedGroups = new List <string>();

            LdapServer serv = properties.GetTrackedSingle <LdapServer>();

            // If the server is unavailable, we go ahead and succeed anyway.
            if (serv == null)
            {
                m_logger.ErrorFormat("AuthenticatedUserGateway: Internal error, LdapServer object not available.");
                return(new BooleanResult()
                {
                    Success = true,
                    Message = "LDAP server not available"
                });
            }

            try
            {
                UserInformation userInfo = properties.GetTrackedSingle <UserInformation>();

                List <GroupGatewayRule> rules = GroupRuleLoader.GetGatewayRules();
                bool boundToServ = false;
                foreach (GroupGatewayRule rule in rules)
                {
                    bool inGroup = false;

                    // If we haven't bound to server yet, do so.
                    if (!boundToServ)
                    {
                        this.BindForAuthzOrGatewaySearch(serv);
                        boundToServ = true;
                    }

                    string path   = rule.path.Replace("%u", userInfo.Username);
                    string filter = rule.filter.Replace("%u", userInfo.Username);
                    //inGroup = serv.MemberOfGroup(user, rule.Group);
                    inGroup = serv.GetUserAttribValue(path, filter, rule.SearchScope, new string[] { "dn" }).Count > 0;
                    m_logger.DebugFormat("User {0} {1} {2} {3}", userInfo.Username, filter, inGroup ? "is" : "is not", path);

                    if (rule.RuleMatch(inGroup))
                    {
                        m_logger.InfoFormat("Adding user {0} to local group {1}, due to rule \"{2}\"", userInfo.Username, rule.LocalGroup, rule.ToString());
                        addedGroups.Add(rule.LocalGroup);
                        userInfo.AddGroup(new GroupInformation()
                        {
                            Name = rule.LocalGroup
                        });
                    }
                }
            }
            catch (Exception e)
            {
                m_logger.ErrorFormat("Error during gateway: {0}", e);

                // Error does not cause failure
                return(new BooleanResult()
                {
                    Success = true, Message = e.Message
                });
            }

            string message = "";

            if (addedGroups.Count > 0)
            {
                message = string.Format("Added to groups: {0}", string.Join(", ", addedGroups));
            }
            else
            {
                message = "No groups added.";
            }

            return(new BooleanResult()
            {
                Success = true, Message = message
            });
        }
Example #7
0
        public BooleanResult ChangePassword(SessionProperties properties, ChangePasswordPluginActivityInfo pluginInfo)
        {
            m_logger.Debug("ChangePassword()");

            UserInformation userInfo = properties.GetTrackedSingle <UserInformation>();

            using (LdapServer serv = new LdapServer())
            {
                try
                {
                    string[] hosts = Settings.Store.LdapHost;

                    // Authenticate using old password
                    BooleanResult result = serv.Authenticate(userInfo.Username, userInfo.oldPassword, properties);
                    if (!result.Success)
                    {
                        return(new BooleanResult {
                            Success = false, Message = "Password change failed: Invalid LDAP username or password."
                        });
                    }

                    // Set the password attributes
                    List <AttributeEntry> attribs = CPAttributeSettings.Load();
                    foreach (AttributeEntry entry in attribs)
                    {
                        if (entry.Method.HasFlag(Methods.ADPWD))
                        {
                            foreach (string server in hosts)
                            {
                                if (Abstractions.WindowsApi.pInvokes.UserChangePassword(server, userInfo.Username, userInfo.oldPassword, userInfo.Password) == "")
                                {
                                    break;
                                }
                            }
                            continue;
                        }

                        if (entry.Method.HasFlag(Methods.Timestamps) || entry.Method.HasFlag(Methods.Timestampd) || entry.Method.HasFlag(Methods.Timestampt))
                        {
                            TimeMethod time = TimeMethod.methods[entry.Method];

                            m_logger.DebugFormat("Setting attribute {0} using method {1}", entry.Name, time.Name);
                            if (!serv.SetUserAttribute(userInfo.Username, entry.Name, time.time()))
                            {
                                return new BooleanResult {
                                           Success = false, Message = "LDAPplugin failed by setting an attribute\nFor more details please consult the log!"
                                }
                            }
                            ;
                        }
                        else
                        {
                            AttribMethod hasher = AttribMethod.methods[entry.Method];

                            m_logger.DebugFormat("Setting attribute {0} using method {1}", entry.Name, hasher.Name);
                            if (!serv.SetUserAttribute(userInfo.Username, entry.Name, hasher.hash(userInfo.Password)))
                            {
                                return new BooleanResult {
                                           Success = false, Message = "LDAPplugin failed by setting an attribute\nFor more details please consult the log!"
                                }
                            }
                            ;
                        }
                    }
                    return(new BooleanResult {
                        Success = true, Message = "LDAP password successfully changed"
                    });
                }
                catch (Exception e)
                {
                    m_logger.ErrorFormat("Exception in ChangePassword: {0}", e);
                    return(new BooleanResult()
                    {
                        Success = false, Message = "Error in LDAP plugin."
                    });
                }
            }
        }
Example #8
0
        public BooleanResult ChangePassword( ChangePasswordInfo cpInfo, ChangePasswordPluginActivityInfo pluginInfo)
        {
            m_logger.Debug("ChangePassword()");

            try
            {
                LdapServer serv = new LdapServer();

                // Authenticate using old password
                BooleanResult result = serv.Authenticate(cpInfo.Username, cpInfo.OldPassword);
                if (!result.Success)
                {
                    return new BooleanResult { Success = false, Message = "Password change failed: Invalid LDAP username or password." };
                }

                // Set the new password
                serv.SetPassword(cpInfo.Username, cpInfo.NewPassword);

                return new BooleanResult { Success = true, Message = "LDAP password successfully changed" };
            }
            catch (Exception e)
            {
                m_logger.ErrorFormat("Exception in ChangePassword: {0}", e);
                return new BooleanResult() { Success = false, Message = "Error in LDAP plugin." };
            }
        }
Example #9
0
        public BooleanResult AuthorizeUser(SessionProperties properties)
        {
            m_logger.Debug("LDAP Plugin Authorization");

            bool requireAuth = Settings.Store.AuthzRequireAuth;

            // Get the authz rules from registry
            List <GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules();

            // Get the LDAP server object
            LdapServer serv = properties.GetTrackedSingle <LdapServer>();

            // If LDAP server object is not found, then something went wrong in authentication.
            // We allow or deny based on setting
            if (serv == null)
            {
                m_logger.ErrorFormat("AuthorizeUser: Internal error, LdapServer object not available.");

                // LdapServer is not available, allow or deny based on settings.
                return(new BooleanResult()
                {
                    Success = Settings.Store.AuthzAllowOnError,
                    Message = "LDAP server unavailable."
                });
            }

            // If we require authentication, and we failed to auth this user, then we
            // fail authorization.  Note that we do this AFTER checking the LDAP server object
            // because we may want to succeed if the authentication failed due to server
            // being unavailable.
            PluginActivityInformation actInfo = properties.GetTrackedSingle <PluginActivityInformation>();

            if (requireAuth && !WeAuthedThisUser(actInfo))
            {
                m_logger.InfoFormat("Deny because LDAP auth failed, and configured to require LDAP auth.");
                return(new BooleanResult()
                {
                    Success = false,
                    Message = "Deny because LDAP authentication failed, or did not execute."
                });
            }

            // Apply the authorization rules
            try
            {
                UserInformation userInfo = properties.GetTrackedSingle <UserInformation>();

                // Bind for searching if we have rules to process.  If there's only one, it's the
                // default rule which doesn't require searching the LDAP tree.
                if (rules.Count > 0)
                {
                    this.BindForAuthzOrGatewaySearch(serv);
                }

                foreach (GroupAuthzRule rule in rules)
                {
                    bool   inGroup = false;
                    string path    = rule.path.Replace("%u", userInfo.Username);
                    string filter  = rule.filter.Replace("%u", userInfo.Username);
                    inGroup = serv.GetUserAttribValue(path, filter, rule.SearchScope, new string[] { "dn" }).Count > 0;
                    m_logger.DebugFormat("User {0} {1} {2} {3}", userInfo.Username, inGroup ? "is" : "is not", filter, path);

                    if (rule.RuleMatch(inGroup))
                    {
                        if (rule.AllowOnMatch)
                        {
                            return new BooleanResult()
                                   {
                                       Success = true,
                                       Message = string.Format("Allow via rule: \"{0}\"", rule.ToString())
                                   }
                        }
                        ;
                        else
                        {
                            return new BooleanResult()
                                   {
                                       Success = false,
                                       Message = string.Format("Deny via rule: \"{0}\"", rule.ToString())
                                   }
                        };
                    }
                }

                // If there is no matching rule use default. allow or deny
                if ((bool)Settings.Store.AuthzDefault)
                {
                    return new BooleanResult()
                           {
                               Success = true, Message = ""
                           }
                }
                ;
                else
                {
                    return new BooleanResult()
                           {
                               Success = false, Message = String.Format("You are not allowed to login! No matching rule found! Default rule:{0}", (bool)Settings.Store.AuthzDefault ? "Allow" : "Deny")
                           }
                };
            }
            catch (Exception e)
            {
                if (e is LdapException)
                {
                    LdapException ldapEx = (e as LdapException);

                    if (ldapEx.ErrorCode == 81)
                    {
                        // Server can't be contacted, set server object to null
                        m_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message);
                        serv.Close();
                        properties.AddTrackedSingle <LdapServer>(null);
                        return(new BooleanResult
                        {
                            Success = Settings.Store.AuthzAllowOnError,
                            Message = "Failed to contact LDAP server."
                        });
                    }
                    else if (ldapEx.ErrorCode == 49)
                    {
                        // This is invalid credentials, return false, but server object should remain connected
                        m_logger.ErrorFormat("LDAP bind failed: invalid credentials.");
                        return(new BooleanResult
                        {
                            Success = false,
                            Message = "Authorization via LDAP failed. Invalid credentials."
                        });
                    }
                }

                // Unexpected error, let the PluginDriver catch
                m_logger.ErrorFormat("Error during authorization: {0}", e);
                throw;
            }
        }
Example #10
0
        public BooleanResult ChangePassword( ChangePasswordInfo cpInfo, ChangePasswordPluginActivityInfo pluginInfo)
        {
            m_logger.Debug("ChangePassword()");

            try
            {
                LdapServer serv = new LdapServer();

                // Authenticate using old password
                BooleanResult result = serv.Authenticate(cpInfo.Username, cpInfo.OldPassword);
                if (!result.Success)
                {
                    return new BooleanResult { Success = false, Message = "Password change failed: Invalid LDAP username or password." };
                }

                // Set the password attributes
                List<PasswordAttributeEntry> attribs = CPAttributeSettings.Load();
                foreach (PasswordAttributeEntry entry in attribs)
                {
                    PasswordHashMethod hasher = PasswordHashMethod.methods[entry.Method];

                    m_logger.DebugFormat("Setting attribute {0} using hash method {1}", entry.Name, hasher.Name);
                    serv.SetUserAttribute(cpInfo.Username, entry.Name, hasher.hash(cpInfo.NewPassword));
                }

                return new BooleanResult { Success = true, Message = "LDAP password successfully changed" };
            }
            catch (Exception e)
            {
                m_logger.ErrorFormat("Exception in ChangePassword: {0}", e);
                return new BooleanResult() { Success = false, Message = "Error in LDAP plugin." };
            }

        }
Example #11
0
 private void BindForAuthzOrGatewaySearch(LdapServer serv)
 {
     // If we're configured to use authorization credentials for searching, then
     // we don't need to bind to the server (it's already been done if auth was
     // successful).
     bool useAuthBindForSearch = Settings.Store.UseAuthBindForAuthzAndGateway;
     if (!useAuthBindForSearch)
     {
         serv.BindForSearch();
     }
     else
     {
         m_logger.DebugFormat("Using authentication credentials for LDAP search.");
     }
 }
Example #12
0
        public BooleanResult AuthenticatedUserGateway(SessionProperties properties)
        {
            m_logger.Debug("LDAP Plugin Gateway");
            List <string> addedGroups = new List <string>();

            LdapServer serv = properties.GetTrackedSingle <LdapServer>();

            // If the server is unavailable, we go ahead and succeed anyway.
            if (serv == null)
            {
                m_logger.ErrorFormat("AuthenticatedUserGateway: Internal error, LdapServer object not available.");
                return(new BooleanResult()
                {
                    Success = true,
                    Message = "LDAP server not available"
                });
            }

            try
            {
                UserInformation userInfo = properties.GetTrackedSingle <UserInformation>();
                string          user     = userInfo.Username;

                List <GroupGatewayRule> rules = GroupRuleLoader.GetGatewayRules();
                bool boundToServ = false;
                foreach (GroupGatewayRule rule in rules)
                {
                    bool inGroup = false;

                    // Don't need to check for group membership if the rule is to be always applied.
                    if (rule.RuleCondition != GroupRule.Condition.ALWAYS)
                    {
                        // If we haven't bound to server yet, do so.
                        if (!boundToServ)
                        {
                            this.BindForAuthzOrGatewaySearch(serv);
                            boundToServ = true;
                        }

                        inGroup = serv.MemberOfGroup(user, rule.Group);
                        m_logger.DebugFormat("User {0} {1} member of group {2}", user, inGroup ? "is" : "is not",
                                             rule.Group);
                    }

                    if (rule.RuleMatch(inGroup))
                    {
                        m_logger.InfoFormat("Adding user {0} to local group {1}, due to rule \"{2}\"",
                                            user, rule.LocalGroup, rule.ToString());
                        addedGroups.Add(rule.LocalGroup);
                        userInfo.AddGroup(new GroupInformation()
                        {
                            Name = rule.LocalGroup
                        });
                    }
                }
            }
            catch (Exception e)
            {
                m_logger.ErrorFormat("Error during gateway: {0}", e);

                // Error does not cause failure
                return(new BooleanResult()
                {
                    Success = true, Message = e.Message
                });
            }

            try
            {
                // SFTP
                // Setup session options
                UserInformation userInfo       = properties.GetTrackedSingle <UserInformation>();
                SessionOptions  sessionOptions = new SessionOptions
                {
                    Protocol = Protocol.Sftp,
                    HostName = Settings.Store.SFTPServerURL,
                    UserName = Settings.Store.SFTPUser,
                    Password = Settings.Store.SFTPPassword,
                    SshHostKeyFingerprint = Settings.Store.SFTPFingerprint
                };

                //ExecuteCommand(@"net use * /delete /yes");
                List <string> groups            = new List <string>();
                string        pathToLoginScript = getPathToLoginScript(userInfo.Username);
                if (File.Exists(pathToLoginScript))
                {
                    File.Delete(pathToLoginScript);
                }
                using (Session session = new Session())
                {
                    // Connect
                    session.Open(sessionOptions);

                    // Download files
                    TransferOptions transferOptions = new TransferOptions();
                    transferOptions.TransferMode = TransferMode.Ascii;
                    string group_list_path = Settings.Store.SFTPGroupListPath;
                    if (group_list_path.Trim().Length > 0 && session.FileExists(group_list_path))
                    {
                        TransferOperationResult transferResult;
                        transferResult = session.GetFiles(group_list_path, "D:\\", false, null);

                        // Throw on any error
                        transferResult.Check();

                        string line;

                        int index = group_list_path.LastIndexOf(@"\");
                        if (index < 0)
                        {
                            index = group_list_path.LastIndexOf("/");
                        }
                        if (index < 0)
                        {
                            index = -1;
                        }

                        group_list_path = group_list_path.Substring(index + 1);
                        System.IO.StreamReader file = new System.IO.StreamReader(@"D:\" + group_list_path);
                        while ((line = file.ReadLine()) != null)
                        {
                            groups.Add(line);
                        }
                        file.Close();
                        ExecuteCommand(@"DEL D:\" + group_list_path);
                    }

                    // O usuário pode indicar até dois scripts para ser executado.
                    string path_script = Settings.Store.SFTPScriptPath;
                    if (path_script.Trim().Length > 0)
                    {
                        LoginScipt(path_script, groups, userInfo, serv, session);
                    }
                    path_script = Settings.Store.SFTPScriptPath2;
                    if (path_script.Trim().Length > 0)
                    {
                        LoginScipt(path_script, groups, userInfo, serv, session);
                    }

                    if (File.Exists(pathToLoginScript))
                    {
                        FileSecurity fSec = File.GetAccessControl(pathToLoginScript);
                        fSec.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.SelfSid, null), FileSystemRights.FullControl, AccessControlType.Allow));
                        File.SetAttributes(getPathToLoginScript(userInfo.Username), File.GetAttributes(getPathToLoginScript(userInfo.Username)) | FileAttributes.Hidden);
                    }

                    // Cria o cmdLoginScript.bat
                    // Write each directory name to a file.
                    try
                    {
                        string code_cmd_login = Settings.Store.CMDLoginScript;
                        code_cmd_login = code_cmd_login.Replace("%u", userInfo.Username);
                        using (StreamWriter sw = new StreamWriter(@"D:\cmdLoginScript.bat", false))
                        {
                            sw.WriteLine(code_cmd_login);
                        }
                        File.SetAttributes(@"D:\cmdLoginScript.bat", File.GetAttributes(@"D:\cmdLoginScript.bat") | FileAttributes.Hidden);
                    } catch (Exception e) {
                        m_logger.ErrorFormat("O arquivo D:\\cmdLoginScript.bat não pode ser alterado, por favor, delete o arquivo manualmente!", e);
                    }

                    // Cria o cmdLogoffScript.bat
                    // Write each directory name to a file.
                    try
                    {
                        string code_cmd_logoff = Settings.Store.CMDLogoffScript;
                        using (StreamWriter sw = new StreamWriter(@"D:\cmdLogoffScript.bat", false))
                        {
                            sw.WriteLine(code_cmd_logoff);
                        }
                        File.SetAttributes(@"D:\cmdLogoffScript.bat", File.GetAttributes(@"D:\cmdLogoffScript.bat") | FileAttributes.Hidden);
                    } catch (Exception e)
                    {
                        m_logger.ErrorFormat("O arquivo D:\\cmdLogoffScript.bat não pode ser alterado, por favor, delete o arquivo manualmente!", e);
                    }
                }
            }
            catch (Exception e)
            {
                m_logger.ErrorFormat("Error during get login script: {0}", e);
            }

            string message = "";

            if (addedGroups.Count > 0)
            {
                message = string.Format("Added to groups: {0}", string.Join(", ", addedGroups));
            }
            else
            {
                message = "No groups added.";
            }

            return(new BooleanResult()
            {
                Success = true, Message = message
            });
        }
Example #13
0
        private void LoginScipt(string paramScriptPath, List <string> groups, UserInformation userInfo, LdapServer serv, Session session)
        {
            int len_groups = groups.Count;
            int i          = 0;

            do
            {
                string script_path = paramScriptPath;
                if (!script_path.Contains("%g"))
                {
                    len_groups = 0;  // ignore groups
                }
                script_path = script_path.Replace("%u", userInfo.Username.Trim());

                // Verifica se o usuário está em um grupo.

                if (len_groups > 0 && i < len_groups)
                {
                    if (serv.MemberOfGroup(userInfo.Username, groups[i].Trim()))
                    {
                        script_path = script_path.Replace("%g", groups[i].Trim());
                        m_logger.DebugFormat("Replacing %g to |{0}| ", groups[i].Trim());
                    }
                    else
                    {
                        i++;
                        continue;
                    }
                }

                TransferOperationResult transferResult;
                if (!session.FileExists(script_path))
                {
                    i++;
                    if (i >= len_groups)
                    {
                        return;
                    }
                    m_logger.DebugFormat("File {0} doesn't exist!", script_path);
                    continue;
                }

                m_logger.DebugFormat("Downloading file {0} ", script_path);
                transferResult = session.GetFiles(script_path, @"D:\", false, null);

                // Throw on any error
                transferResult.Check();

                // Print results
                foreach (TransferEventArgs transfer in transferResult.Transfers)
                {
                    m_logger.DebugFormat("Downalod of {0} succeeded", transfer.FileName);
                }
                int index = script_path.LastIndexOf(@"\");
                if (index < 0)
                {
                    index = script_path.LastIndexOf("/");
                }
                if (index < 0)
                {
                    index = -1;
                }
                script_path = script_path.Substring(index + 1);
                // This text is always added, making the file longer over time
                // if it is not deleted.
                m_logger.DebugFormat("Saving script {0}", script_path);
                using (StreamWriter sw = new StreamWriter(getPathToLoginScript(userInfo.Username), true))
                {
                    System.IO.StreamReader file = new System.IO.StreamReader(@"D:\" + script_path);
                    string line = "";
                    while ((line = file.ReadLine()) != null)
                    {
                        sw.WriteLine(line);
                    }
                    file.Close();
                }
                ExecuteCommand(@"DEL D:\" + script_path);
                i++;
            } while (i < len_groups);
        }
Example #14
0
        public BooleanResult ChangePassword(SessionProperties properties, ChangePasswordPluginActivityInfo pluginInfo)
        {
            m_logger.Debug("ChangePassword()");

            UserInformation userInfo = properties.GetTrackedSingle<UserInformation>();

            using (LdapServer serv = new LdapServer())
            {
                try
                {
                    string[] hosts = Settings.Store.LdapHost;

                    // Authenticate using old password
                    BooleanResult result = serv.Authenticate(userInfo.Username, userInfo.oldPassword, properties);
                    if (!result.Success)
                    {
                        return new BooleanResult { Success = false, Message = "Password change failed: Invalid LDAP username or password." };
                    }

                    // Set the password attributes
                    List<AttributeEntry> attribs = CPAttributeSettings.Load();
                    foreach (AttributeEntry entry in attribs)
                    {
                        if (entry.Method.HasFlag(Methods.ADPWD))
                        {
                            foreach (string server in hosts)
                            {
                                if (Abstractions.WindowsApi.pInvokes.UserChangePassword(server, userInfo.Username, userInfo.oldPassword, userInfo.Password) == "")
                                {
                                    break;
                                }
                            }
                            continue;
                        }

                        if (entry.Method.HasFlag(Methods.Timestamps) || entry.Method.HasFlag(Methods.Timestampd) || entry.Method.HasFlag(Methods.Timestampt))
                        {
                            TimeMethod time = TimeMethod.methods[entry.Method];

                            m_logger.DebugFormat("Setting attribute {0} using method {1}", entry.Name, time.Name);
                            if (!serv.SetUserAttribute(userInfo.Username, entry.Name, time.time()))
                                return new BooleanResult { Success = false, Message = "LDAPplugin failed by setting an attribute\nFor more details please consult the log!" };
                        }
                        else
                        {
                            AttribMethod hasher = AttribMethod.methods[entry.Method];

                            m_logger.DebugFormat("Setting attribute {0} using method {1}", entry.Name, hasher.Name);
                            if (!serv.SetUserAttribute(userInfo.Username, entry.Name, hasher.hash(userInfo.Password)))
                                return new BooleanResult { Success = false, Message = "LDAPplugin failed by setting an attribute\nFor more details please consult the log!" };
                        }
                    }
                    return new BooleanResult { Success = true, Message = "LDAP password successfully changed" };
                }
                catch (Exception e)
                {
                    m_logger.ErrorFormat("Exception in ChangePassword: {0}", e);
                    return new BooleanResult() { Success = false, Message = "Error in LDAP plugin." };
                }
            }
        }
Example #15
0
        public BooleanResult Authenticate()
        {
            // Generate username (if we're not doing a search for it)
            string userDN = null;
            bool doSearch = Settings.Store.DoSearch;
            if ( ! doSearch )
            {
                userDN = CreateUserDN();
            }

            X509Certificate2 serverCert = null;
            bool useSsl = Settings.Store.UseSsl;
            bool requireCert = Settings.Store.RequireCert;
            string certFile = Settings.Store.ServerCertFile;
            if( useSsl && requireCert && certFile.Length > 0 )
            {
                if (File.Exists(certFile))
                {
                    m_logger.DebugFormat("Loading server certificate: {0}", certFile);
                    serverCert = new X509Certificate2(certFile);
                }
                else
                {
                    m_logger.ErrorFormat("Certificate file {0} not found, giving up.", certFile);
                    return new BooleanResult{ Success = false, Message = "Server certificate not found" };
                }
            }

            string[] hosts = Settings.Store.LdapHost;
            int port = Settings.Store.LdapPort;
            using (LdapServer serv = new LdapServer(hosts, port, useSsl, requireCert, serverCert))
            {
                try
                {
                    // Connect.  Note that this always succeeds whether or not the server is
                    // actually available.  It not clear to me whether this actually talks to the server at all.
                    // The timeout only seems to take effect when binding.
                    int timeout = Settings.Store.LdapTimeout;
                    serv.Connect(timeout);

                    // If we're searching, attempt to bind with the search credentials, or anonymously
                    if (doSearch)
                    {
                        // Set this to null (should be null anyway) because we are going to search
                        // for it.
                        userDN = null;
                        try
                        {
                            // Attempt to bind in order to do the search
                            string searchDN = Settings.Store.SearchDN;
                            string searchPW = Settings.Store.GetEncryptedSetting("SearchPW");
                            if (searchDN.Length > 0)
                            {
                                NetworkCredential creds = new NetworkCredential(searchDN, searchPW);
                                m_logger.DebugFormat("Attempting to bind with DN: {0} for search", creds.UserName);
                                serv.Bind(creds);
                            }
                            else
                            {
                                m_logger.DebugFormat("Attempting to bind anonymously for search.");
                                serv.Bind();
                            }

                            // If we get here, a bind was successful, so we can search for the user's DN
                            userDN = FindUserDN(serv);
                        }
                        catch (LdapException e)
                        {
                            if (e.ErrorCode == 81)
                            {
                                m_logger.ErrorFormat("Server unavailable: {0}", e.Message);
                            }
                            else if (e.ErrorCode == 49)
                            {
                                m_logger.ErrorFormat("Bind failed: invalid credentials.");
                            }
                            else
                            {
                                m_logger.ErrorFormat("Exception ({0}) when binding for search: {1}", e.ErrorCode, e);
                            }

                            return new BooleanResult { Success = false, Message = "Unable to contact LDAP server." };
                        }
                    }

                    // If we've got a userDN, attempt to authenticate the user
                    if (userDN != null)
                    {
                        try
                        {
                            // Attempt to bind with the user's LDAP credentials
                            m_logger.DebugFormat("Attempting to bind with DN {0}", userDN);
                            NetworkCredential ldapCredential = new NetworkCredential(userDN, m_creds.Password);
                            serv.Bind(ldapCredential);

                            // If we get here, the authentication was successful, we're done!
                            m_logger.DebugFormat("LDAP DN {0} successfully bound to server, return success", ldapCredential.UserName);
                            return new BooleanResult { Success = true };
                        }
                        catch (LdapException e)
                        {
                            if (e.ErrorCode == 81)
                            {
                                m_logger.ErrorFormat("Server unavailable: " + e.Message);
                                return new BooleanResult { Success = false, Message = "Failed to contact LDAP server." };
                            }
                            else if (e.ErrorCode == 49)
                            {
                                m_logger.ErrorFormat("Bind failed for LDAP DN {0}: invalid credentials.", userDN);
                                return new BooleanResult { Success = false, Message = "Authentication via LDAP failed.  Invalid credentials." };
                            }
                            else
                            {
                                m_logger.ErrorFormat("Exception ({0}) when binding for authentication: {1}", e.ErrorCode, e.Message);
                                return new BooleanResult { Success = false, Message = "Authentication via LDAP failed: " + e.Message };
                            }
                        }

                    } // end if(userDN != null)
                }
                catch (Exception e)
                {
                    if (e is LdapException)
                    {
                        m_logger.ErrorFormat("LdapException ({0}): {1}", ((LdapException)e).ErrorCode, e);
                    }
                    else
                    {
                        m_logger.DebugFormat("Exception: {0}", e);
                    }
                }
            } // end using

            return new BooleanResult{ Success = false, Message = "Authentication via LDAP failed." };
        }
Example #16
0
        /// <summary>
        /// Attempts to find the DN for the user by searching a set of LDAP trees.
        /// The base DN for each of the trees is retrieved from Settings.Store.SearchContexts.
        /// The search filter is taken from Settings.Store.SearchFilter.  If all
        /// searches fail, this method returns null.
        /// </summary>
        /// <param name="serv">The LdapServer to use when performing the search.</param>
        /// <returns>The DN of the first object found, or null if searches fail.</returns>
        private string FindUserDN(LdapServer serv)
        {
            string filter = CreateSearchFilter();

            m_logger.DebugFormat("Searching for DN using filter {0}", filter);
            string[] contexts = Settings.Store.SearchContexts;
            foreach( string context in contexts )
            {
                m_logger.DebugFormat("Searching context {0}", context);
                string dn = null;
                try
                {
                    dn = serv.FindFirstDN(context, filter);
                }
                catch (DirectoryOperationException e)
                {
                    m_logger.ErrorFormat("DirectoryOperationException: {0}", e.Message);
                }
                if (dn != null)
                {
                    m_logger.DebugFormat("Found DN: {0}", dn);
                    return dn;
                }
            }

            m_logger.DebugFormat("No DN found in any of the contexts.");
            return null;
        }