问题
I work with liferay-5.2.3 and I integrated LDAP
using this configuration :
in portal-ext.properties I make this lines :
ldap.import.method=group
system.community.roles=TestGr
and in liferay I make this configuration :
I activated the authentication using ldap .
I created two groups in LDAP :
TestGroup1 and TestGroup2
User import is periodic every hour As shown in the configuration
I tried to create Four users in ldap :
user1 under testGroup1
user2 under testGroup2
user3 , user4 out of the two previous groups
Import of users is done correctly : only user1 and user2 will be create in the database of liferay .
The problem is when I tried to authenticate with user3
I found that the user3 is created in the liferay database
Despite the fact that the user3 does not exist in the two groups TestGroup1 and TestGroup2
I think that the solution is to disable import users from ldap after login or also check existing users in some groups before the import ( Which exists in the configuration ).
Updated :
this is the code of LDAPAuth class :
package com.liferay.portal.security.auth;
import com.liferay.portal.NoSuchUserException;
import com.liferay.portal.PasswordExpiredException;
import com.liferay.portal.UserLockoutException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.model.User;
import com.liferay.portal.security.ldap.PortalLDAPUtil;
import com.liferay.portal.security.pwd.PwdEncryptor;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PrefsPropsUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.portlet.admin.util.OmniadminUtil;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
public class LDAPAuth
implements Authenticator
{
public static final String AUTH_METHOD_BIND = "bind";
public static final String AUTH_METHOD_PASSWORD_COMPARE = "password-compare";
public static final String RESULT_PASSWORD_RESET = "2.16.840.1.113730.3.4.4";
public static final String RESULT_PASSWORD_EXP_WARNING = "2.16.840.1.113730.3.4.5";
private static Log _log = LogFactoryUtil.getLog(LDAPAuth.class);
public int authenticateByEmailAddress(long companyId, String emailAddress, String password, Map<String, String[]> headerMap, Map<String, String[]> parameterMap)
throws AuthException
{
try
{
return authenticate(companyId, emailAddress, "", 0L, password);
}
catch (Exception e)
{
_log.error(e, e);
}
throw new AuthException(e);
}
public int authenticateByScreenName(long companyId, String screenName, String password, Map<String, String[]> headerMap, Map<String, String[]> parameterMap)
throws AuthException
{
try
{
return authenticate(companyId, "", screenName, 0L, password);
}
catch (Exception e)
{
_log.error(e, e);
}
throw new AuthException(e);
}
public int authenticateByUserId(long companyId, long userId, String password, Map<String, String[]> headerMap, Map<String, String[]> parameterMap)
throws AuthException
{
try
{
return authenticate(companyId, "", "", userId, password);
}
catch (Exception e)
{
_log.error(e, e);
}
throw new AuthException(e);
}
protected int authenticate(long companyId, String emailAddress, String screenName, long userId, String password)
throws Exception
{
if (!PortalLDAPUtil.isAuthEnabled(companyId)) {
if (_log.isDebugEnabled()) {
_log.debug("Authenticator is not enabled");
}
return 1;
}
if (_log.isDebugEnabled()) {
_log.debug("Authenticator is enabled");
}
if (authenticateOmniadmin(companyId, emailAddress, screenName, userId) == 1)
{
return 1;
}
String baseDN = PrefsPropsUtil.getString(companyId, "ldap.base.dn");
LdapContext ctx = PortalLDAPUtil.getContext(companyId);
if (ctx == null) {
return authenticateRequired(companyId, userId, emailAddress, -1);
}
String filter = PortalLDAPUtil.getAuthSearchFilter(companyId, emailAddress, screenName, String.valueOf(userId));
try
{
SearchControls cons = new SearchControls(2, 1L, 0, null, false, false);
NamingEnumeration enu = ctx.search(baseDN, filter, cons);
SearchResult result;
if (enu.hasMoreElements()) {
if (_log.isDebugEnabled()) {
_log.debug("Search filter returned at least one result");
}
result = (SearchResult)enu.nextElement();
String fullUserDN = PortalLDAPUtil.getNameInNamespace(companyId, result);
Attributes attrs = PortalLDAPUtil.getUserAttributes(companyId, ctx, fullUserDN);
LDAPAuthResult ldapAuthResult = authenticate(ctx, companyId, attrs, fullUserDN, password);
String errorMessage = ldapAuthResult.getErrorMessage();
if (errorMessage != null) {
if (errorMessage.indexOf(PrefsPropsUtil.getString(companyId, "ldap.error.user.lockout")) != -1)
{
throw new UserLockoutException();
}
if (errorMessage.indexOf(PrefsPropsUtil.getString(companyId, "ldap.error.password.expired")) != -1)
{
throw new PasswordExpiredException();
}
}
if (!ldapAuthResult.isAuthenticated()) {
int i = authenticateRequired(companyId, userId, emailAddress, -1);
return i;
}
User user = PortalLDAPUtil.importLDAPUser(companyId, ctx, attrs, password, true);
String resultCode = ldapAuthResult.getResponseControl();
if (resultCode.equals("2.16.840.1.113730.3.4.4")) {
UserLocalServiceUtil.updatePasswordReset(user.getUserId(), true);
}
else if (resultCode.equals("2.16.840.1.113730.3.4.5"))
{
UserLocalServiceUtil.updatePasswordReset(user.getUserId(), true);
}
}
else
{
if (_log.isDebugEnabled()) {
_log.debug("Search filter did not return any results");
}
result = authenticateRequired(companyId, userId, emailAddress, 0);
return result;
}
enu.close();
}
catch (Exception e) {
_log.error("Problem accessing LDAP server: " + e.getMessage());
if (authenticateRequired(companyId, userId, emailAddress, -1) == -1)
{
throw e;
}
}
finally {
if (ctx != null) {
ctx.close();
}
}
return 1;
}
protected LDAPAuthResult authenticate(LdapContext ctx, long companyId, Attributes attrs, String userDN, String password)
throws Exception
{
LDAPAuthResult ldapAuthResult = new LDAPAuthResult();
String authMethod = PrefsPropsUtil.getString(companyId, "ldap.auth.method");
InitialLdapContext innerCtx = null;
if (authMethod.equals("bind")) {
try {
Hashtable env = ctx.getEnvironment();
env.put("java.naming.security.principal", userDN);
env.put("java.naming.security.credentials", password);
env.put("java.naming.referral", PrefsPropsUtil.getString(companyId, "ldap.referral"));
env.put("com.sun.jndi.ldap.connect.pool", "false");
innerCtx = new InitialLdapContext(env, null);
Control[] responseControls = innerCtx.getResponseControls();
ldapAuthResult.setAuthenticated(true);
ldapAuthResult.setResponseControl(responseControls);
}
catch (Exception e) {
if (_log.isDebugEnabled()) {
_log.debug("Failed to bind to the LDAP server with userDN " + userDN + " and password " + password);
}
_log.error("Failed to bind to the LDAP server: " + e.getMessage());
ldapAuthResult.setAuthenticated(false);
ldapAuthResult.setErrorMessage(e.getMessage());
}
finally {
if (innerCtx != null) {
innerCtx.close();
}
}
}
else if (authMethod.equals("password-compare")) {
Attribute userPassword = attrs.get("userPassword");
if (userPassword != null) {
String ldapPassword = new String((byte[])(byte[])userPassword.get());
String encryptedPassword = password;
String algorithm = PrefsPropsUtil.getString(companyId, "ldap.auth.password.encryption.algorithm");
if (Validator.isNotNull(algorithm)) {
encryptedPassword = "{" + algorithm + "}" + PwdEncryptor.encrypt(algorithm, password, ldapPassword);
}
if (ldapPassword.equals(encryptedPassword)) {
ldapAuthResult.setAuthenticated(true);
}
else {
ldapAuthResult.setAuthenticated(false);
if (_log.isWarnEnabled()) {
_log.warn("Passwords do not match for userDN " + userDN);
}
}
}
}
return ldapAuthResult;
}
protected int authenticateOmniadmin(long companyId, String emailAddress, String screenName, long userId)
throws Exception
{
if (PropsValues.AUTH_PIPELINE_ENABLE_LIFERAY_CHECK) {
if (userId > 0L) {
if (OmniadminUtil.isOmniadmin(userId)) {
return 1;
}
}
else if (Validator.isNotNull(emailAddress)) {
try {
User user = UserLocalServiceUtil.getUserByEmailAddress(companyId, emailAddress);
if (OmniadminUtil.isOmniadmin(user.getUserId()))
return 1;
}
catch (NoSuchUserException nsue)
{
}
}
else if (Validator.isNotNull(screenName)) {
try {
User user = UserLocalServiceUtil.getUserByScreenName(companyId, screenName);
if (OmniadminUtil.isOmniadmin(user.getUserId())) {
return 1;
}
}
catch (NoSuchUserException nsue)
{
}
}
}
return -1;
}
protected int authenticateRequired(long companyId, long userId, String emailAddress, int failureCode)
throws Exception
{
if (PrefsPropsUtil.getBoolean(companyId, "ldap.auth.required"))
{
return failureCode;
}
return 1;
}
}
Is there anyone who can help me to modify this class ( exactly authenticateByEmailAddress methode) in order to check the user's group in ldap in login state
meaning in login methode check user only in :
testGroup1 and testGroup2 and not in all locations in ldap
来源:https://stackoverflow.com/questions/41361468/liferay-disable-import-users-after-login-or-check-existing-users-in-some-groups