Github user guoyuepeng commented on a diff in the pull request:
https://github.com/apache/incubator-griffin/pull/441#discussion_r226866713
--- Diff:
service/src/main/java/org/apache/griffin/core/login/LoginServiceLdapImpl.java
---
@@ -48,68 +53,137 @@ Licensed to the Apache Software Foundation (ASF) under
one
private String searchBase;
private String searchPattern;
private SearchControls searchControls;
+ private boolean sslSkipVerify;
+ private String bindDN;
+ private String bindPassword;
public LoginServiceLdapImpl(String url, String email, String
searchBase,
- String searchPattern) {
+ String searchPattern, boolean
sslSkipVerify,
+ String bindDN, String bindPassword) {
this.url = url;
this.email = email;
this.searchBase = searchBase;
this.searchPattern = searchPattern;
+ this.sslSkipVerify = sslSkipVerify;
+ this.bindDN = bindDN;
+ this.bindPassword = bindPassword;
SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
this.searchControls = searchControls;
}
@Override
public ResponseEntity<Map<String, Object>> login(Map<String, String>
map) {
- String ntAccount = map.get("username");
+ String username = map.get("username");
String password = map.get("password");
- String searchFilter = searchPattern.replace("{0}", ntAccount);
+
+ // use separate bind credentials, if bindDN is provided
+ String bindAccount = StringUtils.isEmpty(this.bindDN) ? username :
this.bindDN;
+ String bindPassword = StringUtils.isEmpty(this.bindDN) ? password
: this.bindPassword;
+ String searchFilter = searchPattern.replace("{0}", username);
+ LdapContext ctx = null;
try {
- LdapContext ctx = getContextInstance(ntAccount, password);
+ ctx = getContextInstance(toPrincipal(bindAccount),
bindPassword);
+
NamingEnumeration<SearchResult> results =
ctx.search(searchBase,
searchFilter, searchControls);
- String fullName = getFullName(results, ntAccount);
+ SearchResult userObject = getSingleUser(results);
+
+ // verify password if different bind user is used
+ if (!StringUtils.equals(username, bindAccount)) {
+ String userDN = getAttributeValue(userObject,
"distinguishedName", toPrincipal(username));
+ checkPassword(userDN, password);
+ }
+
Map<String, Object> message = new HashMap<>();
- message.put("ntAccount", ntAccount);
- message.put("fullName", fullName);
+ message.put("ntAccount", username);
+ message.put("fullName", getFullName(userObject, username));
message.put("status", 0);
return new ResponseEntity<>(message, HttpStatus.OK);
- } catch (NamingException e) {
- LOGGER.warn("User {} failed to login with LDAP auth. {}",
ntAccount,
+ } catch (AuthenticationException e) {
+ LOGGER.warn("User {} failed to login with LDAP auth. {}",
username,
e.getMessage());
+ } catch (NamingException e) {
+ LOGGER.warn(String.format("User %s failed to login with LDAP
auth.", username), e);
+ } finally {
--- End diff --
LGTM
---
