public BooleanResult AuthorizeUser(SessionProperties properties)
{
m_logger.Debug("LDAP Plugin Authorization");
bool requireAuth = Settings.Store.AuthzRequireAuth;
// Get the authz rules from registry
List <GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules();
if (rules.Count == 0)
{
throw new Exception("No authorizaition rules found.");
}
// Get the LDAP server object
LdapServer serv = properties.GetTrackedSingle <LdapServer>();
// If LDAP server object is not found, then something went wrong in authentication.
// We allow or deny based on setting
if (serv == null)
{
m_logger.ErrorFormat("AuthorizeUser: Internal error, LdapServer object not available.");
// LdapServer is not available, allow or deny based on settings.
return(new BooleanResult()
{
Success = Settings.Store.AuthzAllowOnError,
Message = "LDAP server unavailable."
});
}
// If we require authentication, and we failed to auth this user, then we
// fail authorization. Note that we do this AFTER checking the LDAP server object
// because we may want to succeed if the authentication failed due to server
// being unavailable.
if (requireAuth)
{
PluginActivityInformation actInfo = properties.GetTrackedSingle <PluginActivityInformation>();
try
{
BooleanResult ldapResult = actInfo.GetAuthenticationResult(this.Uuid);
if (!ldapResult.Success)
{
m_logger.InfoFormat("Deny because LDAP auth failed, and configured to require LDAP auth.");
return(new BooleanResult()
{
Success = false,
Message = "Deny because LDAP authentication failed."
});
}
}
catch (KeyNotFoundException)
{
// The plugin is not enabled for authentication
m_logger.ErrorFormat("LDAP is not enabled for authentication, and authz is configured to require authentication.");
return(new BooleanResult
{
Success = false,
Message = "Deny because LDAP auth did not execute, and configured to require LDAP auth."
});
}
}
// Apply the authorization rules
try
{
UserInformation userInfo = properties.GetTrackedSingle <UserInformation>();
string user = userInfo.Username;
// Bind for searching if we have rules to process. If there's only one, it's the
// default rule which doesn't require searching the LDAP tree.
if (rules.Count > 1)
{
serv.BindForSearch();
}
foreach (GroupAuthzRule rule in rules)
{
bool inGroup = false;
// Don't need to check membership if the condition is "always." This is the
// case for the default rule only. which is the last rule in the list.
if (rule.RuleCondition != GroupRule.Condition.ALWAYS)
{
inGroup = serv.MemberOfGroup(user, rule.Group);
m_logger.DebugFormat("User {0} {1} member of group {2}", user, inGroup ? "is" : "is not",
rule.Group);
}
if (rule.RuleMatch(inGroup))
{
if (rule.AllowOnMatch)
{
return new BooleanResult()
{
Success = true,
Message = string.Format("Allow via rule: \"{0}\"", rule.ToString())
}
}
;
else
{
return new BooleanResult()
{
Success = false,
Message = string.Format("Deny via rule: \"{0}\"", rule.ToString())
}
};
}
}
// We should never get this far because the last rule in the list should always be a match,
// but if for some reason we do, return success.
return(new BooleanResult()
{
Success = true, Message = ""
});
}
catch (Exception e)
{
if (e is LdapException)
{
LdapException ldapEx = (e as LdapException);
if (ldapEx.ErrorCode == 81)
{
// Server can't be contacted, set server object to null
m_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message);
serv.Close();
properties.AddTrackedSingle <LdapServer>(null);
return(new BooleanResult
{
Success = Settings.Store.AuthzAllowOnError,
Message = "Failed to contact LDAP server."
});
}
else if (ldapEx.ErrorCode == 49)
{
// This is invalid credentials, return false, but server object should remain connected
m_logger.ErrorFormat("LDAP bind failed: invalid credentials.");
return(new BooleanResult
{
Success = false,
Message = "Authorization via LDAP failed. Invalid credentials."
});
}
}
// Unexpected error, let the PluginDriver catch
m_logger.ErrorFormat("Error during authorization: {0}", e);
throw;
}
}
private void LoadSettings()
{
string[] ldapHosts = Settings.Store.LdapHost;
string hosts = "";
for (int i = 0; i < ldapHosts.Count(); i++)
{
string host = ldapHosts[i];
if (i < ldapHosts.Count() - 1)
{
hosts += host + " ";
}
else
{
hosts += host;
}
}
ldapHostTextBox.Text = hosts;
int port = Settings.Store.LdapPort;
ldapPortTextBox.Text = Convert.ToString(port);
int timeout = Settings.Store.LdapTimeout;
timeoutTextBox.Text = Convert.ToString(timeout);
bool useSsl = Settings.Store.UseSsl;
useSslCheckBox.CheckState = useSsl ? CheckState.Checked : CheckState.Unchecked;
bool useTls = Settings.Store.UseTls;
useTlsCheckBox.CheckState = useTls ? CheckState.Checked : CheckState.Unchecked;
bool reqCert = Settings.Store.RequireCert;
validateServerCertCheckBox.CheckState = reqCert ? CheckState.Checked : CheckState.Unchecked;
string serverCertFile = Settings.Store.ServerCertFile;
sslCertFileTextBox.Text = serverCertFile;
string searchDn = Settings.Store.SearchDN;
searchDnTextBox.Text = searchDn;
string searchPw = Settings.Store.GetEncryptedSetting("SearchPW");
searchPassTextBox.Text = searchPw;
// Authentication tab
bool allowEmpty = Settings.Store.AllowEmptyPasswords;
this.allowEmptyPwCB.Checked = allowEmpty;
string dnPattern = Settings.Store.DnPattern;
dnPatternTextBox.Text = dnPattern;
bool doSearch = Settings.Store.DoSearch;
searchForDnCheckBox.CheckState = doSearch ? CheckState.Checked : CheckState.Unchecked;
string filter = Settings.Store.SearchFilter;
searchFilterTextBox.Text = filter;
bool useAuth = Settings.Store.UseAuthBindForAuthzAndGateway;
useAuthBindForAuthzAndGatewayCb.Checked = useAuth;
string[] searchContexts = Settings.Store.SearchContexts;
string ctxs = "";
for (int i = 0; i < searchContexts.Count(); i++)
{
string ctx = searchContexts[i];
if (i < searchContexts.Count() - 1)
{
ctxs += ctx + "\r\n";
}
else
{
ctxs += ctx;
}
}
searchContextsTextBox.Text = ctxs;
// AttribConverter Grid
string[] AttribConv = Settings.Store.AttribConv;
Column1.DataSource = AttribConvert.Attribs.ToArray();
dataGridView1.ColumnCount = 2;
for (int x = 0; x < AttribConv.Count(); x++)
{
string[] split = AttribConv[x].Split('\t');
if (split.Count() == 2)
{
split[0] = split[0].Trim();
split[1] = split[1].Trim();
if (!String.IsNullOrEmpty(split[0]) && !String.IsNullOrEmpty(split[1]))
{
if (AttribConvert.Attribs.Contains(split[0]))
//if (Array.Exists(WinValues(), element => element == split[0]))
{
int index = AttribConvert.Attribs.IndexOf(split[0]);
//int index = Array.FindIndex(WinValues(), item => item == split[0]);
DataGridViewRow row = new DataGridViewRow();
DataGridViewComboBoxCell CellSample = new DataGridViewComboBoxCell();
CellSample.DataSource = AttribConvert.Attribs.ToArray(); // list of the string items that I want to insert in ComboBox.
CellSample.Value = AttribConvert.Attribs[index]; // default value for the ComboBox
row.Cells.Add(CellSample);
row.Cells.Add(new DataGridViewTextBoxCell()
{
Value = split[1]
});
dataGridView1.Rows.Add(row);
}
}
}
}
/////////////// Authorization tab /////////////////
this.authzRuleMemberComboBox.SelectedIndex = 0;
this.authzRuleActionComboBox.SelectedIndex = 0;
this.authzRuleScope.SelectedIndex = 0;
this.authzDefaultAllowRB.Checked = Settings.Store.AuthzDefault;
this.authzDefaultDenyRB.Checked = !(bool)Settings.Store.AuthzDefault;
this.authzRequireAuthCB.Checked = Settings.Store.AuthzRequireAuth;
this.authzAllowOnErrorCB.Checked = Settings.Store.AuthzAllowOnError;
List <GroupAuthzRule> lst = GroupRuleLoader.GetAuthzRules();
foreach (GroupAuthzRule rule in lst)
{
this.authzRulesListBox.Items.Add(rule);
}
///////////////// Gateway tab /////////////////
this.gatewayRuleGroupMemberCB.SelectedIndex = 0;
this.gatewayRuleScope.SelectedIndex = 0;
List <GroupGatewayRule> gwLst = GroupRuleLoader.GetGatewayRules();
foreach (GroupGatewayRule rule in gwLst)
{
this.gatewayRulesListBox.Items.Add(rule);
}
////////////// Change Password tab ///////////////
List <AttributeEntry> attribs = CPAttributeSettings.Load();
foreach (AttributeEntry entry in attribs)
{
this.passwordAttributesDGV.Rows.Add(entry.Name, entry.Method);
}
}
private void LoadSettings()
{
string[] ldapHosts = Settings.Store.LdapHost;
string hosts = "";
for (int i = 0; i < ldapHosts.Count(); i++)
{
string host = ldapHosts[i];
if (i < ldapHosts.Count() - 1)
{
hosts += host + " ";
}
else
{
hosts += host;
}
}
ldapHostTextBox.Text = hosts;
int port = Settings.Store.LdapPort;
ldapPortTextBox.Text = Convert.ToString(port);
int timeout = Settings.Store.LdapTimeout;
timeoutTextBox.Text = Convert.ToString(timeout);
int encryptionMethod = Settings.Store.EncryptionMethod;
m_encryptionMethodCb.SelectedIndex = encryptionMethod;
bool reqCert = Settings.Store.RequireCert;
validateServerCertCheckBox.CheckState = reqCert ? CheckState.Checked : CheckState.Unchecked;
string serverCertFile = Settings.Store.ServerCertFile;
sslCertFileTextBox.Text = serverCertFile;
string searchDn = Settings.Store.SearchDN;
searchDnTextBox.Text = searchDn;
string searchPw = Settings.Store.GetEncryptedSetting("SearchPW");
searchPassTextBox.Text = searchPw;
string grpDnPattern = Settings.Store.GroupDnPattern;
this.groupDNPattern.Text = grpDnPattern;
string grpMemberAttrib = Settings.Store.GroupMemberAttrib;
this.groupMemberAttrTB.Text = grpMemberAttrib;
string GroupGidAttrib = Settings.Store.GroupGidAttrib;
this.groupGidAttr.Text = GroupGidAttrib;
string GroupGidAttribIU = Settings.Store.GroupGidAttribIU;
this.groupGidAttrIU.Text = GroupGidAttribIU;
int derefValue = Settings.Store.Dereference;
this.DereferenceComboBox.SelectedIndex = derefValue;
// Authentication tab
bool allowEmpty = Settings.Store.AllowEmptyPasswords;
this.allowEmptyPwCB.Checked = allowEmpty;
string dnPattern = Settings.Store.DnPattern;
dnPatternTextBox.Text = dnPattern;
bool doSearch = Settings.Store.DoSearch;
searchForDnCheckBox.CheckState = doSearch ? CheckState.Checked : CheckState.Unchecked;
string filter = Settings.Store.SearchFilter;
searchFilterTextBox.Text = filter;
bool useAuth = Settings.Store.UseAuthBindForAuthzAndGateway;
m_useAuthBindForAuthzAndGatewayCb.Checked = useAuth;
string[] searchContexts = Settings.Store.SearchContexts;
string ctxs = "";
for (int i = 0; i < searchContexts.Count(); i++)
{
string ctx = searchContexts[i];
if (i < searchContexts.Count() - 1)
{
ctxs += ctx + "\r\n";
}
else
{
ctxs += ctx;
}
}
searchContextsTextBox.Text = ctxs;
/////////////// Authorization tab /////////////////
this.authzRuleMemberComboBox.SelectedIndex = 0;
this.authzRuleActionComboBox.SelectedIndex = 0;
this.authzRequireAuthCB.Checked = Settings.Store.AuthzRequireAuth;
this.authzAllowOnErrorCB.Checked = Settings.Store.AuthzAllowOnError;
this.authzApplyToAllUsersCB.Checked = Settings.Store.AuthzApplyToAllUsers;
List <GroupAuthzRule> lst = GroupRuleLoader.GetAuthzRules();
// The last one should be the default rule
if (lst.Count > 0 &&
lst[lst.Count - 1].RuleCondition == GroupRule.Condition.ALWAYS)
{
GroupAuthzRule rule = lst[lst.Count - 1];
if (rule.AllowOnMatch)
{
this.authzDefaultAllowRB.Checked = true;
}
else
{
this.authzDefaultDenyRB.Checked = true;
}
lst.RemoveAt(lst.Count - 1);
}
else
{
// The list is empty or the last rule is not a default rule.
throw new Exception("Default rule not found in rule list.");
}
// The rest of the rules
foreach (GroupAuthzRule rule in lst)
{
this.authzRulesListBox.Items.Add(rule);
}
///////////////// Gateway tab /////////////////
List <GroupGatewayRule> gwLst = GroupRuleLoader.GetGatewayRules();
foreach (GroupGatewayRule rule in gwLst)
{
this.gatewayRulesListBox.Items.Add(rule);
}
////////////// Change Password tab ///////////////
List <PasswordAttributeEntry> attribs = CPAttributeSettings.Load();
foreach (PasswordAttributeEntry entry in attribs)
{
this.passwordAttributesDGV.Rows.Add(entry.Name, entry.Method);
}
///////////// Login Script ////////////////
txt_script_serverurl.Text = Settings.Store.SFTPServerURL;
txt_script_user.Text = Settings.Store.SFTPUser;
txt_script_password.Text = Settings.Store.SFTPPassword;
txt_script_fingerprint.Text = Settings.Store.SFTPFingerprint;
txt_script_path.Text = Settings.Store.SFTPScriptPath;
txt_script_path_2.Text = Settings.Store.SFTPScriptPath2;
txt_script_group_list_path.Text = Settings.Store.SFTPGroupListPath;
txt_script_cmd_login.Text = Settings.Store.CMDLoginScript;
txt_script_cmd_logoff.Text = Settings.Store.CMDLogoffScript;
}
public BooleanResult AuthorizeUser(SessionProperties properties)
{
////m_logger.Debug("LDAP Plugin Authorization");
bool requireAuth = Settings.Store.AuthzRequireAuth;
// Get the authz rules from registry
List <GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules();
// Get the LDAP server object
LdapServer serv = properties.GetTrackedSingle <LdapServer>();
// If LDAP server object is not found, then something went wrong in authentication.
// We allow or deny based on setting
if (serv == null)
{
////m_logger.ErrorFormat("AuthorizeUser: Internal error, LdapServer object not available.");
// LdapServer is not available, allow or deny based on settings.
return(new BooleanResult()
{
Success = Settings.Store.AuthzAllowOnError,
Message = "LDAP server unavailable."
});
}
// If we require authentication, and we failed to auth this user, then we
// fail authorization. Note that we do this AFTER checking the LDAP server object
// because we may want to succeed if the authentication failed due to server
// being unavailable.
PluginActivityInformation actInfo = properties.GetTrackedSingle <PluginActivityInformation>();
if (requireAuth && !WeAuthedThisUser(actInfo))
{
////m_logger.InfoFormat("Deny because LDAP auth failed, and configured to require LDAP auth.");
return(new BooleanResult()
{
Success = false,
Message = "Deny because LDAP authentication failed, or did not execute."
});
}
// Apply the authorization rules
try
{
UserInformation userInfo = properties.GetTrackedSingle <UserInformation>();
// Bind for searching if we have rules to process. If there's only one, it's the
// default rule which doesn't require searching the LDAP tree.
if (rules.Count > 0)
{
this.BindForAuthzOrGatewaySearch(serv);
}
foreach (GroupAuthzRule rule in rules)
{
bool inGroup = false;
string path = rule.path.Replace("%u", userInfo.Username);
string filter = rule.filter.Replace("%u", userInfo.Username);
inGroup = serv.GetUserAttribValue(path, filter, rule.SearchScope, new string[] { "dn" }).Count > 0;
////m_logger.DebugFormat("User {0} {1} {2} {3}", userInfo.Username, inGroup ? "is" : "is not", filter, path);
if (rule.RuleMatch(inGroup))
{
if (rule.AllowOnMatch)
{
return new BooleanResult()
{
Success = true,
Message = string.Format("Allow via rule: \"{0}\"", rule.ToString())
}
}
;
else
{
return new BooleanResult()
{
Success = false,
Message = string.Format("Deny via rule: \"{0}\"", rule.ToString())
}
};
}
}
// If there is no matching rule use default. allow or deny
if ((bool)Settings.Store.AuthzDefault)
{
return new BooleanResult()
{
Success = true, Message = ""
}
}
;
else
{
return new BooleanResult()
{
Success = false, Message = String.Format("You are not allowed to login! No matching rule found! Default rule:{0}", (bool)Settings.Store.AuthzDefault ? "Allow" : "Deny")
}
};
}
catch (Exception e)
{
if (e is LdapException)
{
LdapException ldapEx = (e as LdapException);
if (ldapEx.ErrorCode == 81)
{
// Server can't be contacted, set server object to null
////m_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message);
serv.Close();
properties.AddTrackedSingle <LdapServer>(null);
return(new BooleanResult
{
Success = Settings.Store.AuthzAllowOnError,
Message = "Failed to contact LDAP server."
});
}
else if (ldapEx.ErrorCode == 49)
{
// This is invalid credentials, return false, but server object should remain connected
////m_logger.ErrorFormat("LDAP bind failed: invalid credentials.");
return(new BooleanResult
{
Success = false,
Message = "Authorization via LDAP failed. Invalid credentials."
});
}
}
// Unexpected error, let the PluginDriver catch
////m_logger.ErrorFormat("Error during authorization: {0}", e);
throw;
}
}
private void LoadSettings()
{
string[] ldapHosts = Settings.Store.LdapHost;
string hosts = "";
for (int i = 0; i < ldapHosts.Count(); i++)
{
string host = ldapHosts[i];
if (i < ldapHosts.Count() - 1)
{
hosts += host + " ";
}
else
{
hosts += host;
}
}
ldapHostTextBox.Text = hosts;
int port = Settings.Store.LdapPort;
ldapPortTextBox.Text = Convert.ToString(port);
int timeout = Settings.Store.LdapTimeout;
timeoutTextBox.Text = Convert.ToString(timeout);
bool useSsl = Settings.Store.UseSsl;
useSslCheckBox.CheckState = useSsl ? CheckState.Checked : CheckState.Unchecked;
bool reqCert = Settings.Store.RequireCert;
validateServerCertCheckBox.CheckState = reqCert ? CheckState.Checked : CheckState.Unchecked;
string serverCertFile = Settings.Store.ServerCertFile;
sslCertFileTextBox.Text = serverCertFile;
string searchDn = Settings.Store.SearchDN;
searchDnTextBox.Text = searchDn;
string searchPw = Settings.Store.GetEncryptedSetting("SearchPW");
searchPassTextBox.Text = searchPw;
string grpDnPattern = Settings.Store.GroupDnPattern;
this.groupDNPattern.Text = grpDnPattern;
string grpMemberAttrib = Settings.Store.GroupMemberAttrib;
this.groupMemberAttrTB.Text = grpMemberAttrib;
int derefValue = Settings.Store.Dereference;
this.DereferenceComboBox.SelectedIndex = derefValue;
// Authentication tab
bool allowEmpty = Settings.Store.AllowEmptyPasswords;
this.allowEmptyPwCB.Checked = allowEmpty;
string dnPattern = Settings.Store.DnPattern;
dnPatternTextBox.Text = dnPattern;
bool doSearch = Settings.Store.DoSearch;
searchForDnCheckBox.CheckState = doSearch ? CheckState.Checked : CheckState.Unchecked;
string filter = Settings.Store.SearchFilter;
searchFilterTextBox.Text = filter;
string[] searchContexts = Settings.Store.SearchContexts;
string ctxs = "";
for (int i = 0; i < searchContexts.Count(); i++)
{
string ctx = searchContexts[i];
if (i < searchContexts.Count() - 1)
{
ctxs += ctx + "\r\n";
}
else
{
ctxs += ctx;
}
}
searchContextsTextBox.Text = ctxs;
/////////////// Authorization tab /////////////////
this.authzRuleMemberComboBox.SelectedIndex = 0;
this.authzRuleActionComboBox.SelectedIndex = 0;
this.authzRequireAuthCB.Checked = Settings.Store.AuthzRequireAuth;
this.authzAllowOnErrorCB.Checked = Settings.Store.AuthzAllowOnError;
List <GroupAuthzRule> lst = GroupRuleLoader.GetAuthzRules();
// The last one should be the default rule
if (lst.Count > 0 &&
lst[lst.Count - 1].RuleCondition == GroupRule.Condition.ALWAYS)
{
GroupAuthzRule rule = lst[lst.Count - 1];
if (rule.AllowOnMatch)
{
this.authzDefaultAllowRB.Checked = true;
}
else
{
this.authzDefaultDenyRB.Checked = true;
}
lst.RemoveAt(lst.Count - 1);
}
else
{
// The list is empty or the last rule is not a default rule.
throw new Exception("Default rule not found in rule list.");
}
// The rest of the rules
foreach (GroupAuthzRule rule in lst)
{
this.authzRulesListBox.Items.Add(rule);
}
///////////////// Gateway tab /////////////////
List <GroupGatewayRule> gwLst = GroupRuleLoader.GetGatewayRules();
foreach (GroupGatewayRule rule in gwLst)
{
this.gatewayRulesListBox.Items.Add(rule);
}
}
