001 /*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements. See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership. The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License. You may obtain a copy of the License at
009 *
010 * http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied. See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 *
019 */
020 package org.apache.directory.server.ldap.handlers.bind.gssapi;
021
022
023 import javax.naming.Context;
024 import javax.security.auth.kerberos.KerberosPrincipal;
025 import javax.security.sasl.AuthorizeCallback;
026
027 import org.apache.directory.server.core.CoreSession;
028 import org.apache.directory.server.core.authn.LdapPrincipal;
029 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
030 import org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal;
031 import org.apache.directory.server.ldap.LdapSession;
032 import org.apache.directory.server.ldap.handlers.bind.AbstractSaslCallbackHandler;
033 import org.apache.directory.server.ldap.handlers.bind.SaslConstants;
034 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
035 import org.apache.directory.shared.ldap.entry.EntryAttribute;
036 import org.apache.directory.shared.ldap.message.InternalBindRequest;
037 import org.apache.directory.shared.ldap.name.LdapDN;
038 import org.apache.directory.shared.ldap.util.StringTools;
039 import org.slf4j.Logger;
040 import org.slf4j.LoggerFactory;
041
042
043 /**
044 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
045 * @version $Rev$, $Date$
046 */
047 public class GssapiCallbackHandler extends AbstractSaslCallbackHandler
048 {
049 private static final Logger LOG = LoggerFactory.getLogger( GssapiCallbackHandler.class );
050
051
052 /**
053 * Creates a new instance of GssapiCallbackHandler.
054 *
055 * @param session the mina IO session
056 * @param bindRequest the bind message
057 * @param directoryService the directory service core
058 */
059 public GssapiCallbackHandler( LdapSession ldapSession, CoreSession adminSession, InternalBindRequest bindRequest )
060 {
061 super( adminSession.getDirectoryService(), bindRequest );
062 this.ldapSession = ldapSession;
063 this.adminSession = adminSession;
064 }
065
066
067 protected EntryAttribute lookupPassword( String username, String password )
068 {
069 // do nothing, password not used by GSSAPI
070 return null;
071 }
072
073
074 protected void authorize( AuthorizeCallback authorizeCB ) throws Exception
075 {
076 LOG.debug( "Processing conversion of principal name to DN." );
077
078 String username = authorizeCB.getAuthorizationID();
079
080 // find the user's entry
081 GetPrincipal getPrincipal = new GetPrincipal( new KerberosPrincipal( username ) );
082 PrincipalStoreEntry entry = ( PrincipalStoreEntry ) getPrincipal.execute( adminSession, new LdapDN( ldapSession
083 .getLdapServer().getSearchBaseDn() ) );
084 String bindDn = entry.getDistinguishedName();
085
086 LOG.debug( "Converted username {} to DN {}.", username, bindDn );
087
088 LdapPrincipal ldapPrincipal = new LdapPrincipal( new LdapDN( entry.getDistinguishedName() ),
089 AuthenticationLevel.STRONG, StringTools.EMPTY_BYTES );
090 ldapSession.putSaslProperty( SaslConstants.SASL_AUTHENT_USER, ldapPrincipal );
091 ldapSession.putSaslProperty( Context.SECURITY_PRINCIPAL, bindDn );
092
093 authorizeCB.setAuthorizedID( bindDn );
094 authorizeCB.setAuthorized( true );
095 }
096 }