Github user guoyuepeng commented on a diff in the pull request: https://github.com/apache/incubator-griffin/pull/441#discussion_r226866713 --- Diff: service/src/main/java/org/apache/griffin/core/login/LoginServiceLdapImpl.java --- @@ -48,68 +53,137 @@ Licensed to the Apache Software Foundation (ASF) under one private String searchBase; private String searchPattern; private SearchControls searchControls; + private boolean sslSkipVerify; + private String bindDN; + private String bindPassword; public LoginServiceLdapImpl(String url, String email, String searchBase, - String searchPattern) { + String searchPattern, boolean sslSkipVerify, + String bindDN, String bindPassword) { this.url = url; this.email = email; this.searchBase = searchBase; this.searchPattern = searchPattern; + this.sslSkipVerify = sslSkipVerify; + this.bindDN = bindDN; + this.bindPassword = bindPassword; SearchControls searchControls = new SearchControls(); searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE); this.searchControls = searchControls; } @Override public ResponseEntity<Map<String, Object>> login(Map<String, String> map) { - String ntAccount = map.get("username"); + String username = map.get("username"); String password = map.get("password"); - String searchFilter = searchPattern.replace("{0}", ntAccount); + + // use separate bind credentials, if bindDN is provided + String bindAccount = StringUtils.isEmpty(this.bindDN) ? username : this.bindDN; + String bindPassword = StringUtils.isEmpty(this.bindDN) ? password : this.bindPassword; + String searchFilter = searchPattern.replace("{0}", username); + LdapContext ctx = null; try { - LdapContext ctx = getContextInstance(ntAccount, password); + ctx = getContextInstance(toPrincipal(bindAccount), bindPassword); + NamingEnumeration<SearchResult> results = ctx.search(searchBase, searchFilter, searchControls); - String fullName = getFullName(results, ntAccount); + SearchResult userObject = getSingleUser(results); + + // verify password if different bind user is used + if (!StringUtils.equals(username, bindAccount)) { + String userDN = getAttributeValue(userObject, "distinguishedName", toPrincipal(username)); + checkPassword(userDN, password); + } + Map<String, Object> message = new HashMap<>(); - message.put("ntAccount", ntAccount); - message.put("fullName", fullName); + message.put("ntAccount", username); + message.put("fullName", getFullName(userObject, username)); message.put("status", 0); return new ResponseEntity<>(message, HttpStatus.OK); - } catch (NamingException e) { - LOGGER.warn("User {} failed to login with LDAP auth. {}", ntAccount, + } catch (AuthenticationException e) { + LOGGER.warn("User {} failed to login with LDAP auth. {}", username, e.getMessage()); + } catch (NamingException e) { + LOGGER.warn(String.format("User %s failed to login with LDAP auth.", username), e); + } finally { --- End diff -- LGTM
---