// Constructor
public PSearchEventSource(
LdapConnection conn,
string searchBase,
int scope,
string filter,
string[] attrs,
bool typesOnly,
LdapSearchConstraints constraints,
LdapEventType eventchangetype,
bool changeonly
)
{
// validate the input arguments
if ((conn == null)
|| (searchBase == null)
|| (filter == null)
|| (attrs == null))
{
throw new ArgumentException("Null argument specified");
}
mConnection = conn;
mSearchBase = searchBase;
mScope = scope;
mFilter = filter;
mAttrs = attrs;
mTypesOnly = typesOnly;
mEventChangeType = eventchangetype;
// make things ready for starting a search operation
if (constraints == null)
{
mSearchConstraints = new LdapSearchConstraints();
}
else
{
mSearchConstraints = constraints;
}
//Create the persistent search control
LdapPersistSearchControl psCtrl =
new LdapPersistSearchControl((int)eventchangetype,// any change
changeonly, //only get changes
true, //return entry change controls
true); //control is critcal
// add the persistent search control to the search constraints
mSearchConstraints.setControls(psCtrl);
}
public IActionResult BuscarLoginPorCpf([FromRoute] string cpf)
{
var idCelula = string.Empty;
var login = string.Empty;
using (var cn = new LdapConnection())
{
cn.Connect(_ldapConfig.First().Hostname, _ldapConfig.First().Port);
cn.Bind("stefanini-dom\\almintegration", "stefanini@10");
LdapSearchConstraints cons = cn.SearchConstraints;
cons.ReferralFollowing = true;
cn.Constraints = cons;
var filterInformacaoUsuario = $"(employeenumber={cpf})";
var search = cn.Search("DC=stefanini,DC=dom", LdapConnection.SCOPE_SUB, filterInformacaoUsuario, null, false, (LdapSearchConstraints)null);
while (search.hasMore())
{
var nextEntry = search.next();
var user = nextEntry.getAttributeSet();
idCelula = user.getAttribute("department").StringValue;
login = user.getAttribute("sAMAccountName").StringValue;
break;
}
}
return(Ok(new { idCelula, login }));
}
private static LdapEntry GetOneUserEntry(
LdapConnection conn,
LdapSettings ldapSettings,
string search)
{
LdapSearchConstraints constraints = new LdapSearchConstraints();
LdapSearchQueue queue = null;
queue = conn.Search(
ldapSettings.RootDN,
LdapConnection.SCOPE_SUB,
ldapSettings.UserDNKey + "=" + search,
null,
false,
(LdapSearchQueue)null,
(LdapSearchConstraints)null);
LdapEntry entry = null;
if (queue != null)
{
LdapMessage message = queue.getResponse();
if (message != null)
{
if (message is LdapSearchResult)
{
entry = ((LdapSearchResult)message).Entry;
}
}
}
return(entry);
}
public static bool searchGroupEntry(LdapConnection lc, String searchBase, string searchFilter)
{
bool status = true;
int searchScope = LdapConnection.SCOPE_SUB;
String[] attrList = new String[] { "distinguishedName" };
LdapSearchConstraints cons = new LdapSearchConstraints();
cons.TimeLimit = 10000;
try
{
LdapSearchResults searchResults =
lc.Search(searchBase,
searchScope,
searchFilter,
attrList,
false,
cons); // time out value
LdapEntry nextEntry = null;
if ((nextEntry = searchResults.next()) == null)
{
status = false;
}
}
catch
{
status = false;
}
return(status);
}
/// <summary> Constructs an LdapSearchConstraints object initialized with values
/// from an existing constraints object (LdapConstraints
/// or LdapSearchConstraints).
/// </summary>
public LdapSearchConstraints(LdapConstraints cons) : base(cons.TimeLimit, cons.ReferralFollowing, cons.getReferralHandler(), cons.HopLimit)
{
InitBlock();
LdapControl[] lsc = cons.getControls();
if (lsc != null)
{
LdapControl[] generated_var = new LdapControl[lsc.Length];
lsc.CopyTo(generated_var, 0);
setControls(generated_var);
}
System.Collections.Hashtable lp = cons.Properties;
if (lp != null)
{
Properties = (System.Collections.Hashtable)lp.Clone();
}
if (cons is LdapSearchConstraints)
{
LdapSearchConstraints scons = (LdapSearchConstraints)cons;
serverTimeLimit = scons.ServerTimeLimit;
dereference = scons.Dereference;
maxResults = scons.MaxResults;
batchSize = scons.BatchSize;
}
// Get a unique connection name for debug
}
ADInfo Search(LdapConnection ldapConn)
{
LdapSearchConstraints constraints = new LdapSearchConstraints
{
TimeLimit = 10000
};
LdapSearchResults lsc = ldapConn.Search(
SearchBase,
LdapConnection.SCOPE_SUB,
"SAMAccountName=" + Username.ToLower(),
null, // no specified attributes
false, // return attr and value
constraints);
while (lsc.hasMore())
{
LdapEntry nextEntry = null;
try
{
nextEntry = lsc.next();
return(new ADInfo(Username, nextEntry));
}
catch (LdapException e)
{
Console.WriteLine("Error: " + e.LdapErrorMessage);
// Exception is thrown, go for next entry
continue;
}
}
return(null);
}
private string IsUserExistsLDAP(string name, string pwd)
{
// Metemos los valores de configuración para conectarnos al ldap de Everis.
int LdapPort = LdapConnection.DEFAULT_PORT;
//int searchScope = LdapConnection.SCOPE_ONE;
int LdapVersion = LdapConnection.Ldap_V3;
//bool attributeOnly=true;
String[] attrs = { LdapConnection.NO_ATTRS };
LdapConnection lc = new LdapConnection();
string resultado = "";
// Vamos a meter una restricción de tiempo.
LdapSearchConstraints constraints = new LdapSearchConstraints();
constraints.TimeLimit = 10000; // ms
try{
// Nos conectamos al servidor.
lc.Connect(ldapHost, LdapPort);
// Accedemos con las credenciales del usuario para ver si está.
lc.Bind(LdapVersion, Configuration["connectionStrings:LDAPDomain"] + name, pwd);
// Set values to search
string base1 = "OU=Spain,OU=Europe,OU=Everis,DC=usersad,DC=everis,DC=int";
string[] attributes = new string[] { "displayName", "samaccountname" };
string filter = String.Format("(&(objectClass=user)(samaccountname={0}))", name);
LdapSearchQueue lsc = lc.Search(base1, LdapConnection.SCOPE_SUB, filter, attributes, false, (LdapSearchQueue)null, (LdapSearchConstraints)null);
LdapMessage msg;
if ((msg = lsc.getResponse()) != null)
{
if (msg is LdapSearchResult)
{
LdapEntry nextEntry = ((LdapSearchResult)msg).Entry;
LdapAttributeSet attributeSet = nextEntry.getAttributeSet();
Console.WriteLine("Nombre corto: " + attributeSet.getAttribute("samaccountname").StringValue);
Console.WriteLine("Nombre Largo: " + attributeSet.getAttribute("displayName").StringValue);
string[] ss = attributeSet.getAttribute("displayName").StringValue.Split(' ');
string s2 = ss[0];
if (ss.Length > 1)
{
s2 += " " + ss[1];
}
return(s2);
}
}
lc.Disconnect();
} catch (LdapException e) {
Console.WriteLine(e.Message);
return(null);
} catch (Exception) {
Console.WriteLine("error");
return(null);
}
return(resultado);
}
private void SetLdapControls(LdapFilter pageInfo, LdapSearchConstraints constraints)
{
LdapControl[] ldapControls =
{
new LdapSortControl(new LdapSortKey(pageInfo.OrderBy ?? LdapConfiguration.Attribute.UniqueName),
true),
new LdapVirtualListControl(pageInfo.TotalResults, 0, pageInfo.TotalPerPage - 1, pageInfo.ContentCount)
};
constraints.setControls(ldapControls);
}
public List <LdapEntry> ExecuteSearch(string searchBase, string filter = "")
{
var results = new List <LdapEntry>();
var lcm = LdapConnectionManager.Instance;
var conn = lcm.GetConnection();
var sb = searchBase + config.searchBase;
LdapControl[] requestControls = new LdapControl[1];
LdapSortKey[] keys = new LdapSortKey[1];
keys[0] = new LdapSortKey("cn"); //samaccountname
// Create the sort control
requestControls[0] = new LdapSortControl(keys, true);
// Set the controls to be sent as part of search request
LdapSearchConstraints cons = conn.SearchConstraints;
cons.SetControls(requestControls);
conn.Constraints = cons;
LdapSearchResults resps = (LdapSearchResults)conn.Search(sb, LdapConnection.ScopeSub, filter, null, false, (LdapSearchConstraints)null);
//var resps = SendSearch(searchBase, type, filter);
while (resps.HasMore())
{
/* Get next returned entry. Note that we should expect a Ldap-
* Exception object as well just in case something goes wrong
*/
LdapEntry nextEntry = null;
try
{
nextEntry = resps.Next();
results.Add(nextEntry);
}
catch (Exception e)
{
if (e is LdapReferralException)
{
continue;
}
else
{
logger.Error("Search stopped with exception " + e.ToString());
break;
}
}
/* Print out the returned Entries distinguished name. */
logger.Debug(nextEntry.Dn);
}
return(results);
}
private void ExecuteSearch(LdapFilter filter, LdapConnection ldapConnection, Action <LdapSearchResults> middleAction)
{
LdapSearchConstraints constraints = ldapConnection.SearchConstraints;
SetLdapControls(filter, constraints);
LdapSearchResults searchResults = ldapConnection.Search(
filter.SearchPath, LdapConnection.SCOPE_SUB,
filter.SearchCriteria, null, false, constraints);
middleAction(searchResults);
TotalResultsCallback(filter, searchResults);
}
public DomainSearcher(string username = "", string password = "", string Domain = "", string Server = "",
string SearchBase = "", string SearchString = "",
int ResultPageSize = 200, TimeSpan ServerTimeLimit = default(TimeSpan), bool TombStone = false,
bool ssl = false)
{
this.Domain = Domain;
this.Server = Server;
this.SearchBase = SearchBase;
this.Searcher = new LdapConnection();
if (this.Domain == "")
{
this.Domain = Environment.UserDomainName;
}
if (this.Server == "")
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
string logonserver = Environment.GetEnvironmentVariable(("logonserver"));
this.Server = logonserver.Replace("\\", "");
}
else
{
//Attempt to get userdomain from environmental variable linux.
this.Server = Environment.GetEnvironmentVariable("userdomain");
}
}
if (SearchBase == "")
{
//this.SearchBase = "LDAP://" + this.GetBaseDN();
this.SearchBase = this.GetBaseDN();
}
if (ssl)
{
this.Searcher.SecureSocketLayer = true;
}
else
{
this.Searcher.SecureSocketLayer = false;
}
LdapSearchConstraints cons = this.Searcher.SearchConstraints;
cons.ReferralFollowing = true;
this.Searcher.Constraints = cons;
this.Searcher.Connect(this.Server, 389);
this.Searcher.Bind(username, password);
}
// Constructor
public PSearchEventSource(
LdapConnection conn,
string searchBase,
int scope,
string filter,
string[] attrs,
bool typesOnly,
LdapSearchConstraints constraints,
LdapEventType eventchangetype,
bool changeonly)
{
// validate the input arguments
if (conn == null ||
searchBase == null ||
filter == null ||
attrs == null)
{
throw new ArgumentException("Null argument specified");
}
_mConnection = conn;
_mSearchBase = searchBase;
_mScope = scope;
_mFilter = filter;
_mAttrs = attrs;
_mTypesOnly = typesOnly;
_mEventChangeType = eventchangetype;
// make things ready for starting a search operation
if (constraints == null)
{
_mSearchConstraints = new LdapSearchConstraints();
}
else
{
_mSearchConstraints = constraints;
}
// Create the persistent search control
var psCtrl =
new LdapPersistSearchControl(
(int)eventchangetype, // any change
changeonly, // only get changes
true, // return entry change controls
true); // control is critcal
// add the persistent search control to the search constraints
_mSearchConstraints.SetControls(psCtrl);
} // end of Constructor
private LdapSearchResults LookupLdapUser(bool retrieveGroupMembership, string username, out LdapConnection conn)
{
conn = Bind();
username = EscapeLdapString(username);
//search filter is built based on passed userQuery with username substitution
string searchFilter = this.BuildUserSearchQuery(username);
//Build interesting attribute list
List <string> attrs = new List <string>();
attrs.AddRange(new string[] { "sAMAccountName", "uid", "cn", "userAccountControl", "whenCreated", "name", "givenname", "sn", "telephonenumber", "mail", "description" });
if (retrieveGroupMembership)
{
attrs.Add(_config.GroupMembersAttribute);
}
if (!string.IsNullOrEmpty(_config.UserNameAttribute) && !attrs.Contains(_config.UserNameAttribute))
{
attrs.Add(_config.UserNameAttribute);
}
//add more attributes to lookup if using a displayname-pattern
string[] patternAttributes = RetrieveAttributesFromPattern(_config.DisplayNamePattern);
if (patternAttributes != null)
{
foreach (string patternAttribute in patternAttributes)
{
if (!attrs.Contains(patternAttribute))
{
attrs.Add(patternAttribute);
}
}
}
LdapSearchConstraints cons = new LdapSearchConstraints(new LdapConstraints(_timeLimit, true, null, 0));
cons.BatchSize = 0;
LdapSearchResults results = conn.Search(_config.LdapSearchBase,
LdapConnection.SCOPE_SUB,
searchFilter,
attrs.ToArray(),
false,
cons);
return(results);
}
private bool TrySearchSimple(string searchBase, LdapScope scope, string searchFilter, out List <LdapObject> results,
string[] attributes = null, int limit = -1, LdapSearchConstraints searchConstraints = null)
{
try
{
results = SearchSimple(searchBase, scope, searchFilter, attributes, limit, searchConstraints);
return(true);
}
catch (Exception ex)
{
_log.ErrorFormat("TrySearchSimple() failed. Error: {0}", ex);
}
results = null;
return(false);
}
private int checkUser(String loginDN, String password)
{
// Metemos los valores de configuración para conectarnos al ldap de Everis.
int LdapPort = LdapConnection.DEFAULT_PORT;
//int searchScope = LdapConnection.SCOPE_ONE;
int LdapVersion = LdapConnection.Ldap_V3;
//bool attributeOnly=true;
String[] attrs = { LdapConnection.NO_ATTRS };
LdapConnection lc = new LdapConnection();
int resultado = 0;
// Vamos a meter una restricción de tiempo.
LdapSearchConstraints constraints = new LdapSearchConstraints();
constraints.TimeLimit = 10000; // ms
try{
// Nos conectamos al servidor.
lc.Connect(Constants.ldapHost, LdapPort);
// Accedemos con las credenciales del usuario para ver si está.
lc.Bind(LdapVersion, loginDN, password);
// Set values to search
string base1 = "OU=Spain,OU=Europe,OU=Everis,DC=usersad,DC=everis,DC=int";
string[] attributes = new string[] { "displayName", "samaccountname" };
string filter = String.Format("(&(objectClass=user)(samaccountname={0}))", loginDN.Substring(8));
LdapSearchQueue lsc = lc.Search(base1, LdapConnection.SCOPE_SUB, filter, attributes, false, (LdapSearchQueue)null, (LdapSearchConstraints)null);
LdapMessage msg;
if ((msg = lsc.getResponse()) != null)
{
if (msg is LdapSearchResult)
{
LdapEntry nextEntry = ((LdapSearchResult)msg).Entry;
LdapAttributeSet attributeSet = nextEntry.getAttributeSet();
Console.WriteLine("Nombre corto: " + attributeSet.getAttribute("samaccountname").StringValue);
Console.WriteLine("Nombre Largo: " + attributeSet.getAttribute("displayName").StringValue);
}
}
lc.Disconnect();
} catch (LdapException e) {
resultado = e.ResultCode;
} catch (Exception) {
resultado = -1;
}
return(resultado);
}
private void PopulateGroupsForUserWithQuery(XDoc doc, string username, LdapConnection conn)
{
doc.Start("groups");
string searchFilter = string.Format(Dream.PhpUtil.ConvertToFormatString(_config.GroupMembershipQuery), username);
//Build interesting attribute list
List <string> attrs = new List <string>();
attrs.AddRange(new string[] { "whenCreated", "name", "sAMAccountName", "cn" });
LdapSearchConstraints cons = new LdapSearchConstraints(new LdapConstraints(_timeLimit, true, null, 0));
cons.BatchSize = 0;
LdapSearchResults results = conn.Search(_config.LdapSearchBase,
LdapConnection.SCOPE_SUB,
searchFilter,
attrs.ToArray(),
false,
cons);
while (results.hasMore())
{
LdapEntry nextEntry = null;
try {
nextEntry = results.next();
} catch (LdapException x) {
HandleLdapException(x);
}
if (nextEntry == null)
{
throw new ArgumentNullException("nextEntry");
}
//Create xml from search entry
doc.Start("group").Attr("name", GetNameFromDn(nextEntry.DN)).Start("ldap-dn").Value(nextEntry.DN).End().End();
}
doc.End(); //groups
}
/// <summary>
/// Opens a new connection to the ldap server and returns it.
/// </summary>
/// <returns>The ldap connection object</returns>
private LdapConnection ConnectToServer()
{
try {
LdapConnection ldapConnection = new LdapConnection();
//A time limit on the connection to the server is added.
ldapConnection.Constraints.TimeLimit = _settings.ConnectionTimeoutMsec;
ldapConnection.Connect(_settings.Host, _settings.Port);
string authenticationMethod = ldapConnection.AuthenticationMethod;
int protocol = ldapConnection.ProtocolVersion;
System.Collections.IDictionary prop = ldapConnection.SaslBindProperties;
LdapSearchConstraints searh = ldapConnection.SearchConstraints;
//ldapConnection.SearchConstraints.
return(ldapConnection);
}
catch (Exception e) {
throw new ConnectingToLdapServerFailedException(_settings, e);
}
}
private static List <Claim> ValidaPermissaoGrupo(Ldap ldap, LoginData loginData, String usuarioDN, List <PermissionGroup> grupos)
{
LdapConnection ldapConnection = ldapConnection = new LdapConnection();
ldapConnection.Connect(ldap.host, ldap.port);
ldapConnection.Bind(ldap.ldapVersion, ldap.bindLogin, ldap.bindPassword);
LdapSearchConstraints cons = new LdapSearchConstraints();
String[] atributos = new String[] { "member" };
List <Claim> claims = new List <Claim>();
try
{
foreach (PermissionGroup grupo in grupos)
{
String groupDN = GetDNGrupo(ldapConnection, ldap, grupo.Name);
LdapSearchResults searchResults = ldapConnection.Search(groupDN, LdapConnection.SCOPE_BASE, null, atributos, false, cons);
var nextEntry = searchResults.Next();
nextEntry.getAttributeSet();
try
{
if (nextEntry.getAttribute("member").StringValueArray.Where(x => x == usuarioDN).Count() > 0)
{
claims.AddRange(GetClaimType(grupo.AccessType));
}
}
catch { }
}
}
catch (Exception erro) {
GALibrary.GALogs.SaveLog("AD", "Erro ao validar permissao do usuario: " + erro.ToString(), 1, GALibrary.Models.DB.Context.Parameter.FirstOrDefault());
}
ldapConnection.Disconnect();
return(claims);
}
public void Search_when_paging_using_VirtualListViewControl_returns_expected_results()
{
const int pages = 10;
const int pageSize = 50;
var cnPrefix = new Random().Next().ToString();
var expectedEntries = Enumerable.Range(1, pages * pageSize).Select(x => LdapOps.AddEntry(cnPrefix)).ToList();
var searchConstraints = new LdapSearchConstraints
{
BatchSize = 0,
MaxResults = 1000
};
var entries = new List <LdapEntry>();
TestHelper.WithAuthenticatedLdapConnection(
ldapConnection =>
{
var sortControl = new LdapSortControl(new LdapSortKey("cn"), true);
var pageCount = 1;
while (true)
{
searchConstraints.SetControls(new LdapControl[] { BuildLdapVirtualListControl(pageCount, pageSize), sortControl });
var searchResults = ldapConnection.Search(TestsConfig.LdapServer.BaseDn, LdapConnection.ScopeSub, "cn=" + cnPrefix + "*", null, false, searchConstraints).ToList();
entries.AddRange(searchResults);
if (searchResults.Count < pageSize)
{
break;
}
pageCount++;
}
});
Assert.Equal(expectedEntries.Count, entries.Count);
foreach (var pair in expectedEntries.OrderBy(x => x.Dn).Zip(entries.OrderBy(x => x.Dn)))
{
pair.First.AssertSameAs(pair.Second);
}
}
private async Task <List <Claim> > UserVerifyGroup(String userDN)
{
LdapSearchConstraints cons = new LdapSearchConstraints();
String[] atributos = new String[] { "member" };
List <Claim> claims = new List <Claim>();
var permissionGroups = await permissionGroupRepository.GetList();
try
{
foreach (PermissionGroup group in permissionGroups)
{
String groupDN = await GetGroupDN(group.GroupName);
LdapSearchResults searchResults = ldapConnection.Search(groupDN, LdapConnection.SCOPE_BASE, null, atributos, false, cons);
var nextEntry = searchResults.Next();
nextEntry.getAttributeSet();
try
{
if (nextEntry.getAttribute("member").StringValueArray.Where(x => x == userDN).Count() > 0)
{
claims.AddRange(GetClaimType(group.AccessType));
claims.Add(new Claim("Reports", group.Id.ToString()));
}
}
catch { }
}
}
catch (Exception error)
{
await log.SaveLogApplicationError(controllerName, "Erro ao verificar grupo de segurança: " + error.ToString());
}
ldapConnection.Disconnect();
return(claims);
}
/// <summary>Searches the directory
/// </summary>
/// <param name="searchBase">Where to start the search</param>
/// <param name="searchScope">Scope of search</param>
/// <param name="searchFilter">Filter to search for</param>
/// <param name="searchAttrs">Attributes to search for</param>
/// <returns>List of entries matching filter</returns>
public LdapEntry[] Search(string searchBase, int searchScope, string searchFilter, string[] searchAttrs)
{
if (!conn.Connected)
{
return(null);
}
try {
List <LdapEntry> retVal = new List <LdapEntry> ();
RfcFilter rfcFilter = new RfcFilter(searchFilter);
LdapSearchConstraints cons = new LdapSearchConstraints();
cons.MaxResults = 0;
LdapSearchQueue queue = conn.Search(searchBase,
searchScope,
rfcFilter.filterToString(),
searchAttrs,
false,
(LdapSearchQueue)null,
cons);
LdapMessage msg;
while ((msg = queue.getResponse()) != null)
{
if (msg is LdapSearchResult)
{
LdapEntry entry = ((LdapSearchResult)msg).Entry;
retVal.Add(entry);
}
}
return(retVal.ToArray());
} catch (Exception e) {
Log.Debug(e);
return(null);
}
}
public static string lookingForGroupDN(LdapConnection lc, String searchBase, string groupName)
{
string searchFilter = String.Concat("(&(objectCategory=Group)(cn=", groupName, "))");
string dn = "";
int searchScope = LdapConnection.SCOPE_SUB;
String[] attrList = new String[] { "distinguishedName" };
LdapSearchConstraints cons = new LdapSearchConstraints();
cons.TimeLimit = 10000;
try
{
LdapSearchResults searchResults =
lc.Search(searchBase,
searchScope,
searchFilter,
attrList,
false,
cons); // time out value
LdapEntry nextEntry = null;
if ((nextEntry = searchResults.next()) != null)
{
LdapAttributeSet attributeSet = nextEntry.getAttributeSet();
System.Collections.IEnumerator ienum = attributeSet.GetEnumerator();
while (ienum.MoveNext())
{
LdapAttribute attribute = (LdapAttribute)ienum.Current;
dn = attribute.StringValue;
}
}
}
catch (LdapException e)
{
Console.WriteLine("ERROR: Cannot find the group DN {0} (Maybe wrong groupname? ) ", groupName);
throw new System.Exception(e.ToString());
}
return(dn);
}
private LdapSearchQueue StartUserSearch(SearchRequestState requestState)
{
var searchConstraints =
new LdapSearchConstraints(_ldapConfiguration.Value.TimeoutInMilliseconds,
_ldapConfiguration.Value.TimeoutInSeconds,
LdapSearchConstraints.DerefNever,
1,
true,
1,
null,
20);
var attributes = new[] { "name", "givenname", "samaccountname", "mail" };
var searchQueue = requestState.Connection.Search(_ldapConfiguration.Value.SearchBase,
LdapConnection.ScopeSub,
requestState.Filter,
attributes,
false,
null,
searchConstraints);
return(searchQueue);
}
private LdapSearchResults Search(string @base,
int scope,
string filter,
string[] attrs,
bool typesOnly,
LdapSearchConstraints cons)
{
Log.Information("Getting all directory entries with the following config:\n" +
$"base: {@base}\n" +
$"scope: {scope}\n" +
$"filter: {filter}\n" +
$"attrs: {attrs}\n" +
$"typesOnly: {typesOnly}\n" +
$"cons: {cons}\n"
);
return(_connection.Search(
@base,
scope,
filter,
attrs,
typesOnly,
cons));
}
public LdapUser GetUserByUserName(string userName)
{
LdapUser user = null;
LdapSearchConstraints lsc = new LdapSearchConstraints();
lsc.ReferralFollowing = this._ldapSettings.ReferralFollowing;
var un = userName.Split('@')[0];
var filter = string.Format(this._ldapSettings.SearchFilter, un);
using (var ldapConnection = this.GetConnection())
{
var search = ldapConnection.Search(
this._searchBase,
LdapConnection.SCOPE_SUB,
filter,
this._attributes,
false,
null,
lsc);
LdapMessage message;
while ((message = search.getResponse()) != null)
{
if (!(message is LdapSearchResult searchResultMessage))
{
continue;
}
user = this.CreateUserFromAttributes(searchResultMessage.Entry.DN, searchResultMessage.Entry.getAttributeSet());
}
}
return(user);
}
/// <summary>
/// Searchs for a certificate on the ldap server. Uses the connection given and fetches the search string
/// by calling GetBase() and GetFilter()
/// </summary>
/// <exception cref="SearchFailedException">Returned if the search failed</exception>
/// <param name="ldapConnection">Ldap connection settings</param>
/// <param name="subject">The certificate subject used in the search</param>
/// <returns></returns>
private LdapSearchResults Search(LdapConnection ldapConnection, CertificateSubject subject)
{
LdapSearchResults ldapSearchResults;
string searchBase = subject.DnsSearchBase;
string searchFilter = subject.DnsSearchFilter;
LdapSearchConstraints lsc = new LdapSearchConstraints();
lsc.ServerTimeLimit = _settings.SearchServerTimeoutMsec;
lsc.TimeLimit = _settings.SearchClientTimeoutMsec;
lsc.MaxResults = _settings.MaxResults;
string[] attributes = { "userCertificate" };
try
{
ldapSearchResults = ldapConnection.Search(searchBase, LdapConnection.SCOPE_SUB, searchFilter, attributes, false, lsc);
}
catch (Exception e) {
throw new SearchFailedException(e);
}
return(ldapSearchResults);
}
private string BuscarEmailsParaEnvio(string funcionalidade, Prestador prestador)
{
var idFuncionalidade =
_reajusteContratoRepository.ObterIdFuncionalidade(funcionalidade);
var logins = _reajusteContratoRepository.ObterLoginsComFuncionalidade(idFuncionalidade, prestador);
var listaEmails = new List <string>();
using (var cn = new LdapConnection())
{
cn.Connect(_ldapConfig.First().Hostname, _ldapConfig.First().Port);
cn.Bind("stefanini-dom\\almintegration", "stefanini@10");
LdapSearchConstraints cons = cn.SearchConstraints;
cons.ReferralFollowing = true;
cn.Constraints = cons;
foreach (var login in logins)
{
var filterInformacaoUsuario = $"(sAMAccountName={login})";
var search = cn.Search("DC=stefanini,DC=dom", LdapConnection.SCOPE_SUB, filterInformacaoUsuario, null, false, (LdapSearchConstraints)null);
while (search.hasMore())
{
var nextEntry = search.next();
var user = nextEntry.getAttributeSet();
listaEmails.Add(user.getAttribute("mail").StringValue);
break;
}
}
}
return(string.Join(",", listaEmails));
}
public static void Main(String[] args)
{
if (args.Length != 4)
{
Console.WriteLine("Usage: mono ListGroups <host name> <login dn>"
+ " <password> <group dn>\n");
Console.WriteLine("Example: mono ListGroups Acme.com"
+ " \"cn=admin,o=Acme\" secret "
+ " cn=salesGroup,ou=sales,o=acme\n");
Environment.Exit(0);
}
int ldapPort = LdapConnection.DEFAULT_PORT;
int searchScope = LdapConnection.SCOPE_BASE;
int ldapVersion = LdapConnection.Ldap_V3;
int i;
IEnumerator objClass = null;
IEnumerator queryURL = null;
IEnumerator identity = null;
IEnumerator excludedMember = null;
IEnumerator member = null;
bool isGroup = false, isDynamicGroup = false;
String[] attrs = new String[] { "objectClass",
"memberQueryURL",
"dgIdentity",
"excludedMember",
"member" };
/* Since reading members of a dynamic group could potentially involve
* a significant directory search, we use a timeout. Setting
* time out to 10 seconds
*/
LdapSearchConstraints cons = new LdapSearchConstraints();
cons.TimeLimit = 10000;
String ldapHost = args[0];
String loginDN = args[1];
String password = args[2];
String groupDN = args[3];
LdapConnection lc = new LdapConnection();
try
{
// connect to the server
lc.Connect(ldapHost, ldapPort);
// bind to the server
lc.Bind(ldapVersion, loginDN, password);
Console.WriteLine("\n\tReading object :" + groupDN);
LdapSearchResults searchResults =
lc.Search(groupDN, // object to read
searchScope, // scope - read single object
null, // search filter
attrs, // return only required attributes
false, // return attrs and values
cons); // time out value
// Examine the attributes that were returned and extract the data
LdapEntry nextEntry = null;
try
{
nextEntry = searchResults.next();
}
catch (LdapException e)
{
Console.WriteLine("Error: " + e.ToString());
Environment.Exit(1);
}
LdapAttributeSet attributeSet = nextEntry.getAttributeSet();
IEnumerator allAttributes = attributeSet.GetEnumerator();
while (allAttributes.MoveNext())
{
LdapAttribute attribute = (LdapAttribute)allAttributes.Current;
String attributeName = attribute.Name;
// Save objectclass values
if (attributeName.ToUpper().Equals("objectClass".ToUpper()))
{
objClass = attribute.StringValues;
}
// Save the memberQueryURL attribute if present
else if (attributeName.ToUpper().Equals("memberQueryURL".ToUpper()))
{
queryURL = attribute.StringValues;
}
// Save the dgIdentity attribute if present
else if (attributeName.ToUpper().Equals("dgIdentity".ToUpper()))
{
identity = attribute.StringValues;
}
// Save the excludedMember attribute if present
else if (attributeName.ToUpper().Equals("excludedMember".ToUpper()))
{
excludedMember = attribute.StringValues;
}
/* Save the member attribute. This may also show up
* as uniqueMember
*/
else if (attributeName.ToUpper().Equals("member".ToUpper()) ||
attributeName.ToUpper().Equals("uniqueMember".ToUpper()))
{
member = attribute.StringValues;
}
}
/* Verify that this is a group object (i.e. objectClass contains
* the value "group", "groupOfNames", or "groupOfUniqueNames").
* Also determine if this is a dynamic group object
* (i.e. objectClass contains the value "dynamicGroup" or
* "dynamicGroupAux").
*/
while (objClass.MoveNext())
{
String objectName = (String)objClass.Current;
if (objectName.ToUpper().Equals("group".ToUpper()) ||
objectName.ToUpper().Equals("groupOfNames".ToUpper()) ||
objectName.ToUpper().Equals("groupOfUniqueNames".ToUpper()))
{
isGroup = true;
}
else if (objectName.ToUpper().Equals("dynamicGroup".ToUpper()) ||
objectName.ToUpper().Equals("dynamicGroupAux".ToUpper()))
{
isGroup = isDynamicGroup = true;
}
}
if (!isGroup)
{
Console.WriteLine("\tThis object is NOT a group object."
+ "Exiting.\n");
Environment.Exit(0);
}
/* If this is a dynamic group, display its memberQueryURL, identity
* and excluded member list.
*/
if (isDynamicGroup)
{
if ((queryURL != null) && (queryURL.MoveNext()))
{
Console.WriteLine("\tMember Query URL:");
while (queryURL.MoveNext())
{
Console.WriteLine("\t\t" + queryURL.Current);
}
}
if ((identity != null) && (identity.MoveNext()))
{
Console.WriteLine("\tIdentity for search:"
+ identity.Current);
}
if ((excludedMember != null) &&
(excludedMember.MoveNext()))
{
Console.WriteLine("\tExcluded member list:");
while (excludedMember.MoveNext())
{
Console.WriteLine("\t\t"
+ excludedMember.Current);
}
}
}
// Print the goup's member list
if (member != null && member.MoveNext())
{
Console.WriteLine("\n\tMember list:");
while (member.MoveNext())
{
Console.WriteLine("\t\t" + member.Current);
}
}
// disconnect with the server
lc.Disconnect();
}
catch (LdapException e)
{
Console.WriteLine("Error: " + e.ToString());
Environment.Exit(1);
}
catch (Exception e)
{
Console.WriteLine("Error: " + e.ToString());
}
Environment.Exit(0);
}
public ApiErrorItem PerformPasswordChange(string username,
string currentPassword, string newPassword)
{
var cleanUsername = username;
var atindex = cleanUsername.IndexOf("@");
if (atindex >= 0)
{
cleanUsername = cleanUsername.Substring(0, atindex);
}
// Must sanitize the username to eliminate the possibility of injection attacks:
// * https://docs.microsoft.com/en-us/windows/desktop/adschema/a-samaccountname
// * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb726984(v=technet.10)
var samInvalid = "\"/\\[]:;|=,+*?<>";
var miscInvalid = "\r\n\t";
var invalid = (samInvalid + miscInvalid).ToCharArray();
var invalidIndex = cleanUsername.IndexOfAny(invalid);
if (invalidIndex >= 0)
{
var msg = "username contains one or more invalid characters";
_logger.LogWarning(msg);
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.InvalidCredentials,
FieldName = nameof(username),
Message = msg,
});
}
// LDAP filters require escaping of some special chars:
// * http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
var escape = "()&|=><!*/\\".ToCharArray();
var escapeIndex = cleanUsername.IndexOfAny(escape);
if (escapeIndex >= 0)
{
var buff = new StringBuilder();
var maxLen = cleanUsername.Length;
var copyFrom = 0;
while (escapeIndex >= 0)
{
buff.Append(cleanUsername.Substring(copyFrom, escapeIndex));
buff.Append(string.Format("\\{0:X}", (int)cleanUsername[escapeIndex]));
copyFrom = escapeIndex + 1;
escapeIndex = cleanUsername.IndexOfAny(escape, copyFrom);
}
if (copyFrom < maxLen)
{
buff.Append(cleanUsername.Substring(copyFrom));
}
cleanUsername = buff.ToString();
_logger.LogWarning("had to clean username: [{0}] => [{1}]", username, cleanUsername);
}
// Based on:
// * https://www.cs.bham.ac.uk/~smp/resources/ad-passwds/
// * https://support.microsoft.com/en-us/help/269190/how-to-change-a-windows-active-directory-and-lds-user-password-through
// * https://ltb-project.org/documentation/self-service-password/latest/config_ldap#active_directory
// * https://technet.microsoft.com/en-us/library/ff848710.aspx?f=255&MSPPError=-2147217396
using (var ldap = BindToLdap())
{
// First find user DN by username (SAM Account Name)
var searchConstraints = new LdapSearchConstraints(
0, 0, LdapSearchConstraints.DEREF_NEVER,
1000, true, 1, null, 10);
var searchFilter = $"(sAMAccountName={cleanUsername})";
var search = ldap.Search(
_options.LdapSearchBase, LdapConnection.SCOPE_SUB,
searchFilter, new[] { "distinguishedName" },
false, searchConstraints);
// We cannot use search.Count here -- apparently it does not
// wait for the results to return before resolving the count
// but fortunately hasMore seems to block until final result
if (!search.hasMore())
{
_logger.LogWarning("unable to find username: [{0}]", cleanUsername);
if (_options.HideUserNotFound)
{
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.InvalidCredentials,
FieldName = nameof(currentPassword),
Message = "invalid credentials",
});
}
else
{
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.UserNotFound,
FieldName = nameof(username),
Message = "username could not be located",
});
}
}
if (search.Count > 1)
{
_logger.LogWarning("found multiple with same username: [{0}]", cleanUsername);
// Hopefully this should not ever happen if AD is preserving SAM Account Name
// uniqueness constraint, but just in case, handling this corner case
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.UserNotFound,
FieldName = nameof(username),
Message = "multiple matching user entries resolved",
});
}
var userDN = search.next().DN;
var oldPassBytes = Encoding.Unicode.GetBytes($@"""{currentPassword}""")
.Select(x => (sbyte)x).ToArray();
var newPassBytes = Encoding.Unicode.GetBytes($@"""{newPassword}""")
.Select(x => (sbyte)x).ToArray();
var oldAttr = new LdapAttribute("unicodePwd", oldPassBytes);
var newAttr = new LdapAttribute("unicodePwd", newPassBytes);
var ldapDel = new LdapModification(LdapModification.DELETE, oldAttr);
var ldapAdd = new LdapModification(LdapModification.ADD, newAttr);
try
{
ldap.Modify(userDN, new[] { ldapDel, ldapAdd });
}
catch (LdapException ex)
{
_logger.LogWarning("failed to update password", ex);
return(ParseLdapException(ex));
}
ldap.StopTls();
ldap.Disconnect();
}
// Everything seems to have worked:
return(null);
}
/// <summary>
/// Retrieves group information from ldap
/// </summary>
/// <param name="retrieveGroupMembers">true to return users in each group. This may hurt performance</param>
/// <param name="optionalGroupName">Group to lookup by name. Null for all groups</param>
/// <returns></returns>
public XDoc GetGroupInfo(bool retrieveGroupMembers, string optionalGroupName)
{
LdapConnection conn = null;
XDoc resultXml = null;
try {
//Confirm a query bind has been established
conn = Bind();
string searchFilter;
//Build the searchfilter based on if a group name is given.
if (!string.IsNullOrEmpty(optionalGroupName))
{
optionalGroupName = EscapeLdapString(optionalGroupName);
//Looking up group by name
searchFilter = string.Format(PhpUtil.ConvertToFormatString(_config.GroupQuery), optionalGroupName);
}
else
{
//Looking up all groups
searchFilter = _config.GroupQueryAll;
}
//Build interesting attribute list
List <string> attrs = new List <string>();
attrs.AddRange(new string[] { "whenCreated", "name", "sAMAccountName", "cn" });
if (retrieveGroupMembers)
{
attrs.Add("member");
}
if (!string.IsNullOrEmpty(_config.GroupNameAttribute) && !attrs.Contains(_config.GroupNameAttribute))
{
attrs.Add(_config.GroupNameAttribute);
}
LdapSearchConstraints cons = new LdapSearchConstraints(new LdapConstraints(_timeLimit, true, null, 0));
cons.BatchSize = 0;
LdapSearchResults results = conn.Search(_config.LdapSearchBase,
LdapConnection.SCOPE_SUB,
searchFilter,
attrs.ToArray(),
false,
cons);
//Create outer groups collection if multiple groups are being looked up or none provided
if (string.IsNullOrEmpty(optionalGroupName))
{
resultXml = new XDoc("groups");
}
while (results.hasMore())
{
LdapEntry nextEntry = null;
try {
nextEntry = results.next();
} catch (LdapException x) {
HandleLdapException(x);
continue;
}
//Create xml from search entry
if (resultXml == null)
{
resultXml = new XDoc("group");
}
else
{
resultXml.Start("group");
}
string name = string.Empty;
//If a groupnameattribute is configured, use that. Otherwise try the common ones.
if (!string.IsNullOrEmpty(_config.GroupNameAttribute))
{
name = GetAttributeSafe(nextEntry, _config.GroupNameAttribute);
}
else
{
name = GetAttributeSafe(nextEntry, "sAMAccountName"); //MS Active Directory
if (string.IsNullOrEmpty(name))
{
name = GetAttributeSafe(nextEntry, "uid"); //OpenLDAP
}
if (string.IsNullOrEmpty(name))
{
name = GetAttributeSafe(nextEntry, "name"); //OpenLDAP
}
if (string.IsNullOrEmpty(name))
{
name = GetAttributeSafe(nextEntry, "cn"); //Novell eDirectory
}
}
resultXml.Attr("name", name);
resultXml.Start("ldap-dn").Value(nextEntry.DN).End();
resultXml.Start("date.created").Value(ldapStringToDate(GetAttributeSafe(nextEntry, "whenCreated"))).End();
//Retrieve and write group membership to xml
LdapAttributeSet memberAttrSet = nextEntry.getAttributeSet();
LdapAttribute memberAttr = memberAttrSet.getAttribute("member");
// TODO MaxM: This currently does not differentiate between user and group
// members.
if (memberAttr != null)
{
foreach (string member in memberAttr.StringValueArray)
{
resultXml.Start("member");
resultXml.Attr("name", GetNameFromDn(member));
resultXml.Start("ldap-dn").Value(member).End();
resultXml.End();
}
}
if (string.IsNullOrEmpty(optionalGroupName))
{
resultXml.End();
}
}
} finally {
UnBind(conn);
}
return(resultXml);
}
public ApiErrorItem PerformPasswordChange(string username,
string currentPassword, string newPassword)
{
string cleanUsername = username;
try
{
cleanUsername = CleaningUsername(username);
}
catch (ApiErrorException ex)
{
return(ex.ErrorItem);
}
catch (Exception ex)
{
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.UserNotFound,
FieldName = nameof(username),
Message = "Some error in cleaning username: "******"{Username}"))
{
searchFilter = searchFilter.Replace("{Username}", cleanUsername);
}
}
catch (Exception ex)
{
string msg = "ldapSearchFilter could not be parsed. Be sure {Username} is included: " + ex.Message;
_logger.LogCritical(msg);
throw new ArgumentException(msg);
}
try
{
using (var ldap = BindToLdap())
{
var search = ldap.Search(
_options.LdapSearchBase, LdapConnection.SCOPE_SUB,
searchFilter, new[] { "distinguishedName" },
false, searchConstraints);
// We cannot use search.Count here -- apparently it does not
// wait for the results to return before resolving the count
// but fortunately hasMore seems to block until final result
if (!search.hasMore())
{
_logger.LogWarning("unable to find username: [{0}]", cleanUsername);
if (_options.HideUserNotFound)
{
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.InvalidCredentials,
FieldName = nameof(username),
Message = "invalid credentials",
});
}
else
{
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.UserNotFound,
FieldName = nameof(username),
Message = "username could not be located",
});
}
}
if (search.Count > 1)
{
_logger.LogWarning("found multiple with same username: [{0}]", cleanUsername);
// Hopefully this should not ever happen if AD is preserving SAM Account Name
// uniqueness constraint, but just in case, handling this corner case
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.UserNotFound,
FieldName = nameof(username),
Message = "multiple matching user entries resolved",
});
}
var userDN = search.next().DN;
try
{
if (_options.LdapChangePasswortWithDelAdd)
{
#region Change Password by Delete/Add
var oldPassBytes = Encoding.Unicode.GetBytes($@"""{currentPassword}""")
.Select(x => (sbyte)x).ToArray();
var newPassBytes = Encoding.Unicode.GetBytes($@"""{newPassword}""")
.Select(x => (sbyte)x).ToArray();
var oldAttr = new LdapAttribute("unicodePwd", oldPassBytes);
var newAttr = new LdapAttribute("unicodePwd", newPassBytes);
var ldapDel = new LdapModification(LdapModification.DELETE, oldAttr);
var ldapAdd = new LdapModification(LdapModification.ADD, newAttr);
ldap.Modify(userDN, new[] { ldapDel, ldapAdd }); // Change with Delete/Add
#endregion
}
else
{
#region Change Password by Replace
// If you don't have the rights to Add and/or Delete the Attribute, you might have the right to change the password-attribute.
// In this case uncomment the next 2 lines and comment the region 'Change Password by Delete/Add'
var replAttr = new LdapAttribute("userPassword", newPassword);
var ldapReplace = new LdapModification(LdapModification.REPLACE, replAttr);
ldap.Modify(userDN, new[] { ldapReplace }); // Change with Replace
#endregion
}
}
catch (LdapException ex)
{
_logger.LogWarning("failed to update password", ex);
return(ParseLdapException(ex));
}
if (this._options.LdapStartTls)
{
ldap.StopTls();
}
ldap.Disconnect();
}
}
catch (ApiErrorException ex)
{
return(ex.ErrorItem);
}
catch (Exception ex)
{
return(new ApiErrorItem
{
ErrorCode = ApiErrorCode.InvalidCredentials,
FieldName = nameof(username),
Message = "failed to update password: " + ex.Message,
});
}
// Everything seems to have worked:
return(null);
}
