001 /* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 * 019 */ 020 package org.apache.directory.server.ldap.handlers.bind.gssapi; 021 022 023 import javax.naming.Context; 024 import javax.security.auth.kerberos.KerberosPrincipal; 025 import javax.security.sasl.AuthorizeCallback; 026 027 import org.apache.directory.server.core.CoreSession; 028 import org.apache.directory.server.core.LdapPrincipal; 029 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry; 030 import org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal; 031 import org.apache.directory.server.ldap.LdapSession; 032 import org.apache.directory.server.ldap.handlers.bind.AbstractSaslCallbackHandler; 033 import org.apache.directory.server.ldap.handlers.bind.SaslConstants; 034 import org.apache.directory.shared.ldap.constants.AuthenticationLevel; 035 import org.apache.directory.shared.ldap.entry.EntryAttribute; 036 import org.apache.directory.shared.ldap.message.internal.InternalBindRequest; 037 import org.apache.directory.shared.ldap.name.DN; 038 import org.apache.directory.shared.ldap.util.StringTools; 039 import org.slf4j.Logger; 040 import org.slf4j.LoggerFactory; 041 042 043 
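/**
 * SASL callback handler used for GSSAPI (Kerberos) binds. It maps the Kerberos
 * principal established by the GSSAPI exchange to the DN of the matching
 * directory entry and records that DN as the bound identity of the LDAP session.
 *
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 * @version $Rev$, $Date$
 */
public class GssapiCallbackHandler extends AbstractSaslCallbackHandler
{
    private static final Logger LOG = LoggerFactory.getLogger( GssapiCallbackHandler.class );


    /**
     * Creates a new instance of GssapiCallbackHandler.
     *
     * @param ldapSession the LDAP session the bind is performed on
     * @param adminSession the administrative core session used for the principal lookup
     * @param bindRequest the bind message
     */
    public GssapiCallbackHandler( LdapSession ldapSession, CoreSession adminSession, InternalBindRequest bindRequest )
    {
        super( adminSession.getDirectoryService(), bindRequest );
        this.ldapSession = ldapSession;
        this.adminSession = adminSession;
    }


    /**
     * Password lookup hook; GSSAPI does not use a password.
     *
     * @param username ignored
     * @param password ignored
     * @return always <code>null</code>
     */
    protected EntryAttribute lookupPassword( String username, String password )
    {
        // do nothing, password not used by GSSAPI
        return null;
    }


    /**
     * Decides whether the authenticated Kerberos principal may bind, and as which DN.
     * <p>
     * The authentication ID of the callback is the identity the GSSAPI exchange
     * proved. The authorization ID is requested by the client and is therefore
     * untrusted. This handler implements no proxy-authorization policy, so a
     * request is granted only when the authorization ID is absent or names the
     * same principal as the authentication ID. The directory lookup is always
     * keyed on the authenticated principal.
     *
     * @param authorizeCB the SASL authorize callback to answer
     * @throws Exception if a principal name cannot be parsed or the lookup fails
     */
    protected void authorize( AuthorizeCallback authorizeCB ) throws Exception
    {
        LOG.debug( "Processing conversion of principal name to DN." );

        String authenticationId = authorizeCB.getAuthenticationID();
        String authorizationId = authorizeCB.getAuthorizationID();

        if ( ( authenticationId == null ) || ( authenticationId.length() == 0 ) )
        {
            LOG.warn( "GSSAPI bind refused: no authenticated principal was supplied." );
            authorizeCB.setAuthorized( false );
            return;
        }

        KerberosPrincipal authenticated = new KerberosPrincipal( authenticationId );

        // Compare parsed principals rather than raw strings, so that an authorization ID
        // written without a realm still matches the authenticated principal when the
        // default realm resolves to the same one.
        if ( ( authorizationId != null ) && ( authorizationId.length() > 0 )
            && !authenticated.equals( new KerberosPrincipal( authorizationId ) ) )
        {
            LOG.warn( "GSSAPI bind refused: principal {} requested authorization as {}.", authenticationId,
                authorizationId );
            authorizeCB.setAuthorized( false );
            return;
        }

        // find the user's entry, keyed on the identity that was actually authenticated
        GetPrincipal getPrincipal = new GetPrincipal( authenticated );
        PrincipalStoreEntry entry = ( PrincipalStoreEntry ) getPrincipal.execute( adminSession, new DN( ldapSession
            .getLdapServer().getSearchBaseDn() ) );

        // NOTE(review): assumes the lookup yields null for an unknown principal - confirm against GetPrincipal
        if ( entry == null )
        {
            LOG.warn( "GSSAPI bind refused: no directory entry found for principal {}.", authenticationId );
            authorizeCB.setAuthorized( false );
            return;
        }

        String bindDn = entry.getDistinguishedName();

        LOG.debug( "Converted username {} to DN {}.", authenticationId, bindDn );

        LdapPrincipal ldapPrincipal = new LdapPrincipal( new DN( bindDn ), AuthenticationLevel.STRONG,
            StringTools.EMPTY_BYTES );
        ldapSession.putSaslProperty( SaslConstants.SASL_AUTHENT_USER, ldapPrincipal );
        ldapSession.putSaslProperty( Context.SECURITY_PRINCIPAL, bindDn );

        authorizeCB.setAuthorizedID( bindDn );
        authorizeCB.setAuthorized( true );
    }
}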