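/// <summary>
/// Gateway stage of the LDAP plugin. Every configured gateway rule is evaluated
/// by searching the directory with the rule's path/filter (with <c>%u</c>
/// replaced by the user name); when a rule matches, the user is added to the
/// rule's local group.
/// </summary>
/// <param name="properties">Session state. The tracked <c>LdapServer</c> and
/// <c>UserInformation</c> singles are read from it.</param>
/// <returns>
/// Always a <c>BooleanResult</c> with <c>Success = true</c>. An unavailable
/// server, or an exception while evaluating rules, is reported through
/// <c>Message</c> but never fails the gateway stage.
/// </returns>
public BooleanResult AuthenticatedUserGateway(SessionProperties properties)
{
    List<string> addedGroups = new List<string>();
    LdapServer serv = properties.GetTrackedSingle<LdapServer>();

    // If the server is unavailable, we go ahead and succeed anyway.
    if (serv == null)
    {
        return new BooleanResult() { Success = true, Message = "LDAP server not available" };
    }

    // The user name comes straight from the logon prompt, so it is escaped
    // before being spliced into the rule's path (presumably a DN, RFC 4514) and
    // filter (RFC 4515). Without this a crafted user name could change which
    // subtree is searched or which entries the filter matches. A null user name
    // stays null so that string.Replace removes "%u", exactly as before.
    Func<string, string> escapeFilter = s => s == null ? null : s
        .Replace("\\", "\\5c")
        .Replace("*", "\\2a")
        .Replace("(", "\\28")
        .Replace(")", "\\29")
        .Replace("\0", "\\00");
    Func<string, string> escapeDn = s =>
    {
        if (s == null)
        {
            return null;
        }
        string escaped = s
            .Replace("\\", "\\\\")
            .Replace(",", "\\,")
            .Replace("+", "\\+")
            .Replace("\"", "\\\"")
            .Replace("<", "\\<")
            .Replace(">", "\\>")
            .Replace(";", "\\;")
            .Replace("\0", "\\00");
        // A leading '#' or space and a trailing space are significant in an RDN value.
        if (escaped.StartsWith("#", StringComparison.Ordinal) || escaped.StartsWith(" ", StringComparison.Ordinal))
        {
            escaped = "\\" + escaped;
        }
        if (escaped.EndsWith(" ", StringComparison.Ordinal))
        {
            escaped = escaped.Substring(0, escaped.Length - 1) + "\\ ";
        }
        return escaped;
    };

    try
    {
        UserInformation userInfo = properties.GetTrackedSingle<UserInformation>();
        List<GroupGatewayRule> rules = GroupRuleLoader.GetGatewayRules();

        // Bind once, and only when there is at least one rule to search for.
        if (rules.Count > 0)
        {
            this.BindForAuthzOrGatewaySearch(serv);
        }

        foreach (GroupGatewayRule rule in rules)
        {
            string path = rule.path.Replace("%u", escapeDn(userInfo.Username));
            string filter = rule.filter.Replace("%u", escapeFilter(userInfo.Username));

            // Membership is inferred from whether the search returns any entry at all.
            bool inGroup = serv.GetUserAttribValue(path, filter, rule.SearchScope, new string[] { "dn" }).Count > 0;

            if (rule.RuleMatch(inGroup))
            {
                addedGroups.Add(rule.LocalGroup);
                userInfo.AddGroup(new GroupInformation() { Name = rule.LocalGroup });
            }
        }
    }
    catch (Exception e)
    {
        // Error does not cause failure; the message just records what went wrong.
        return new BooleanResult() { Success = true, Message = e.Message };
    }

    string message = addedGroups.Count > 0
        ? string.Format("Added to groups: {0}", string.Join(", ", addedGroups))
        : "No groups added.";

    return new BooleanResult() { Success = true, Message = message };
}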
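/// <summary>
/// Authorization stage of the LDAP plugin. Optionally requires that this plugin
/// authenticated the user, then walks the configured authorization rules in
/// order and returns allow/deny from the first rule that matches; when no rule
/// matches, the configured default decides.
/// </summary>
/// <param name="properties">Session state. The tracked <c>LdapServer</c>,
/// <c>PluginActivityInformation</c> and <c>UserInformation</c> singles are read
/// from it; on a server-down error the <c>LdapServer</c> single is reset to null.</param>
/// <returns>
/// A <c>BooleanResult</c> whose <c>Success</c> is the authorization decision.
/// When the server is unavailable (no server object, or LDAP result code 81)
/// the decision is the <c>AuthzAllowOnError</c> setting, i.e. it may fail open.
/// </returns>
/// <exception cref="Exception">Any error other than the two LDAP result codes
/// handled below is rethrown for the plugin driver to deal with.</exception>
public BooleanResult AuthorizeUser(SessionProperties properties)
{
    // LDAP result codes handled specially in the catch block below.
    const int LdapServerDown = 81;
    const int LdapInvalidCredentials = 49;

    bool requireAuth = Settings.Store.AuthzRequireAuth;

    // Get the authz rules from registry
    List<GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules();

    // Get the LDAP server object
    LdapServer serv = properties.GetTrackedSingle<LdapServer>();

    // If the LDAP server object is not found, something went wrong in authentication.
    // Allow or deny based on the AuthzAllowOnError setting.
    if (serv == null)
    {
        return new BooleanResult() { Success = Settings.Store.AuthzAllowOnError, Message = "LDAP server unavailable." };
    }

    // If we require authentication and we did not authenticate this user, fail
    // authorization. This is checked AFTER the server object, because we may want
    // to succeed if authentication failed only because the server was unavailable.
    PluginActivityInformation actInfo = properties.GetTrackedSingle<PluginActivityInformation>();
    if (requireAuth && !WeAuthedThisUser(actInfo))
    {
        return new BooleanResult() { Success = false, Message = "Deny because LDAP authentication failed, or did not execute." };
    }

    // The user name comes straight from the logon prompt, so it is escaped
    // before being spliced into the rule's path (presumably a DN, RFC 4514) and
    // filter (RFC 4515). Without this a crafted user name could change which
    // subtree is searched or which entries the filter matches, and thereby which
    // rule fires. A null user name stays null so that string.Replace removes
    // "%u", exactly as before.
    Func<string, string> escapeFilter = s => s == null ? null : s
        .Replace("\\", "\\5c")
        .Replace("*", "\\2a")
        .Replace("(", "\\28")
        .Replace(")", "\\29")
        .Replace("\0", "\\00");
    Func<string, string> escapeDn = s =>
    {
        if (s == null)
        {
            return null;
        }
        string escaped = s
            .Replace("\\", "\\\\")
            .Replace(",", "\\,")
            .Replace("+", "\\+")
            .Replace("\"", "\\\"")
            .Replace("<", "\\<")
            .Replace(">", "\\>")
            .Replace(";", "\\;")
            .Replace("\0", "\\00");
        // A leading '#' or space and a trailing space are significant in an RDN value.
        if (escaped.StartsWith("#", StringComparison.Ordinal) || escaped.StartsWith(" ", StringComparison.Ordinal))
        {
            escaped = "\\" + escaped;
        }
        if (escaped.EndsWith(" ", StringComparison.Ordinal))
        {
            escaped = escaped.Substring(0, escaped.Length - 1) + "\\ ";
        }
        return escaped;
    };

    // Apply the authorization rules
    try
    {
        UserInformation userInfo = properties.GetTrackedSingle<UserInformation>();

        // Bind for searching only when there are rules to process.
        // NOTE(review): the original comment said a single rule is the default rule
        // and needs no search, but the code binds for any non-empty list; kept as is.
        if (rules.Count > 0)
        {
            this.BindForAuthzOrGatewaySearch(serv);
        }

        foreach (GroupAuthzRule rule in rules)
        {
            string path = rule.path.Replace("%u", escapeDn(userInfo.Username));
            string filter = rule.filter.Replace("%u", escapeFilter(userInfo.Username));

            // Membership is inferred from whether the search returns any entry at all.
            bool inGroup = serv.GetUserAttribValue(path, filter, rule.SearchScope, new string[] { "dn" }).Count > 0;

            if (!rule.RuleMatch(inGroup))
            {
                continue;
            }

            // First matching rule decides.
            if (rule.AllowOnMatch)
            {
                return new BooleanResult() { Success = true, Message = string.Format("Allow via rule: \"{0}\"", rule.ToString()) };
            }
            return new BooleanResult() { Success = false, Message = string.Format("Deny via rule: \"{0}\"", rule.ToString()) };
        }

        // No rule matched: fall back to the configured default (allow or deny).
        bool allowByDefault = (bool)Settings.Store.AuthzDefault;
        if (allowByDefault)
        {
            return new BooleanResult() { Success = true, Message = "" };
        }
        return new BooleanResult()
        {
            Success = false,
            Message = String.Format("You are not allowed to login! No matching rule found! Default rule:{0}", allowByDefault ? "Allow" : "Deny")
        };
    }
    catch (LdapException ldapEx)
    {
        if (ldapEx.ErrorCode == LdapServerDown)
        {
            // Server can't be contacted: drop the server object so later stages see
            // it as unavailable, and decide per AuthzAllowOnError (may fail open).
            serv.Close();
            properties.AddTrackedSingle<LdapServer>(null);
            return new BooleanResult { Success = Settings.Store.AuthzAllowOnError, Message = "Failed to contact LDAP server." };
        }
        if (ldapEx.ErrorCode == LdapInvalidCredentials)
        {
            // Bind rejected: deny, but the server object stays connected.
            return new BooleanResult { Success = false, Message = "Authorization via LDAP failed. Invalid credentials." };
        }

        // Unexpected LDAP error: let the PluginDriver catch it. Other exception
        // types are not caught here at all and propagate unchanged.
        throw;
    }
}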