Tohuwabohu excorcism

User Tools

Site Tools

Trace: oauth auth0 ldap ansible codebuild tests ecs mysql gruntworks.io
ldap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
ldap [2019/04/01 11:21] – [OpenLDAP and phpldapadmin] skipidarldap [2020/12/27 20:35] (current) – external edit 127.0.0.1
Line 14: Line 14:
  
   * Creating a Partition - http://directory.apache.org/apacheds/basic-ug/1.4.3-adding-partition.html   * Creating a Partition - http://directory.apache.org/apacheds/basic-ug/1.4.3-adding-partition.html
 +
 +  * Introduciton in schema definition - https://www.zytrax.com/books//ldap/ch3/
  
 ===== LDAP Server ===== ===== LDAP Server =====
Line 155: Line 157:
 st State st State
 c Country c Country
 +dn distinguished name, like cn=sadique5,ou=people,dc=ldap,dc=example,dc=com
 </code> </code>
  
Line 213: Line 216:
 123abc 123abc
 </code> </code>
 +
 +
 +== display the configs ==
 +<code>
 +slapcat -b cn=config
 +</code>
 +
 +Or within contianer
 +<code>
 +docker exec ldap slapcat -b cn=config
 +</code>
 +
 +
 +
 +===== LDAP with Spring =====
 +
 +Spring LDAP reference: https://docs.spring.io/autorepo/docs/spring-ldap/current/reference/#dns-as-attribute-values
 +
 +Examples:
 +  * https://github.com/jopek/spring-boot-ldap-useradmin
 +  * https://github.com/ivangfr/springboot-ldap
 +
 +
 +
 +===== Schema extension =====
 +
 +This is an example for an extended schema
 +
 +stored as local.schema
 +<code>
 +
 +# local.schema -- aaainetOrgPerson
 +# $OpenLDAP$
 +## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 +##
 +## Copyright 1998-2014 The OpenLDAP Foundation.
 +## All rights reserved.
 +##
 +## Redistribution and use in source and binary forms, with or without
 +## modification, are permitted only as authorized by the OpenLDAP
 +## Public License.
 +##
 +## A copy of this license is available in the file LICENSE in the
 +## top-level directory of the distribution or, alternatively, at
 +## <http://www.OpenLDAP.org/license.html>.
 +#
 +# aaainetOrgPerson
 +#
 +#   Defines additional attributes required by the SSP
 +#   TODO: request and add unique Private Enterprise Number from IANA Services
 +#
 +
 +attributetype ( 5.12.345.1.123456.3.1.321
 + NAME 'x-company-auth0userId'
 + DESC 'the id identifying ofthe auth0 user'
 + EQUALITY caseIgnoreMatch
 + SUBSTR caseIgnoreSubstringsMatch
 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 +
 +attributetype ( 5.12.345.1.123456.3.1.322
 + NAME 'x-company-auth0clientId'
 + DESC 'the clientId of the machine to machine user'
 + EQUALITY caseIgnoreMatch
 + SUBSTR caseIgnoreSubstringsMatch
 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 +
 +attributetype ( 5.12.345.1.123456.3.1.323
 + NAME 'x-company-tags'
 + DESC 'the tags field containing all the tags without empty spaces'
 + EQUALITY caseIgnoreMatch
 + SUBSTR caseIgnoreSubstringsMatch
 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 +
 +attributetype ( 5.12.345.1.123456.3.1.324
 + NAME 'x-company-b360id'
 + DESC 'the building 360 identifier of a customer'
 + EQUALITY caseIgnoreMatch
 + SUBSTR caseIgnoreSubstringsMatch
 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 +
 +objectclass ( 5.12.345.1.123456.3.1.2
 +    NAME 'x-company-auth0subject'
 + DESC 'auth0 service registered person or machine'
 + AUXILIARY
 + MAY ( x-company-auth0userId $ x-company-auth0clientId ) )
 +
 +objectclass ( 5.12.345.1.123456.3.1.3
 +    NAME 'x-company-hastags'
 + DESC 'an object which has a tag'
 + AUXILIARY
 + MAY ( x-company-tags ) )
 +
 +objectclass ( 5.12.345.1.123456.3.1.4
 +    NAME 'x-company-b360customer'
 + DESC 'b360 customer'
 + AUXILIARY
 + MAY ( x-company-b360id ) )
 +
 +
 +</code>
 +
 +Here is how to build an OpenLdap container with extended schema
 +
 +<code>
 +FROM osixia/openldap:1.2.4
 +
 +RUN mkdir -p /container/service/slapd/assets/config/bootstrap/ldif/custom
 +COPY ./ldif/ /container/service/slapd/assets/config/bootstrap/ldif/custom
 +
 +RUN mkdir -p /container/service/slapd/assets/config/bootstrap/schema
 +COPY ./schema/local.schema /container/service/slapd/assets/config/bootstrap/schema/
 +
 +COPY ./containerscripts/start.sh /usr/bin/start.sh
 +
 +ENTRYPOINT start.sh && /container/tool/run
 +</code>
 +
 +
 +
 +===== Pooling with Spring Boot =====
 +
 +The following code can be used, to activate Pooling (https://docs.spring.io/spring-ldap/docs/1.3.2.RELEASE/reference/html/pooling.html) in a
 +
 + - SpringBoot application
 + - using Spring Data to talk to the Ldap server
 +
 +
 +The important part missing up there - was to pass the `PoolingContextSource` to the `LdapTemplate`
 +
 +see `new LdapTemplate(poolingLdapContextSource());` in
 +
 +<code>
 +@PropertySource("ldap-${spring.profiles.active}.properties")
 +@Configuration
 +public class LdapConfiguration {
 +
 +  private static Logger LOG = LoggerFactory.getLogger(LdapConfiguration.class);
 +
 +  @Autowired
 +  private Environment env;
 +
 +
 +  @Bean
 +  public LdapContextSource contextSource() {
 +    LdapContextSource contextSource = new LdapContextSource();
 +    contextSource.setUrl(env.getRequiredProperty("ldap.url"));
 +    contextSource.setBase(env.getRequiredProperty("ldap.base"));
 +    contextSource.setUserDn(env.getRequiredProperty("ldap.user"));
 +    contextSource.setPassword(env.getRequiredProperty("ldap.password"));
 +    contextSource.setPooled(false); // pooling is enabled on the wrapper
 +
 +    Map<String, Object> environment = new HashMap<>();
 +
 +    // DEBUGGING
 +    environment.put("com.sun.jndi.ldap.connect.pool.debug", "fine");    // many debug infos
 +    contextSource.setBaseEnvironmentProperties(environment);
 +
 +    return contextSource;
 +  }
 +
 +    /**
 +     * Configure the LDAP connection pool to
 +     * validate connections https://docs.spring.io/spring-ldap/docs/1.3.2.RELEASE/reference/html/pooling.html
 +     *
 +     * so that the connections do not expire in pool
 +     *
 +     * @return
 +     */
 +    @Bean
 +    public ContextSource poolingLdapContextSource() {
 +        PoolingContextSource poolingContextSource = new PoolingContextSource();
 +        poolingContextSource.setDirContextValidator(new DefaultDirContextValidator());
 +        poolingContextSource.setContextSource(contextSource());
 +        poolingContextSource.setTestOnBorrow(true);
 +        poolingContextSource.setTestWhileIdle(true);
 +        poolingContextSource.setTimeBetweenEvictionRunsMillis(60000);
 +        poolingContextSource.setNumTestsPerEvictionRun(3);
 +
 +        TransactionAwareContextSourceProxy proxy = new TransactionAwareContextSourceProxy(poolingContextSource);
 +        return proxy;
 +    }
 +
 +  @Bean
 +  public LdapTemplate ldapTemplate() {
 +    LdapTemplate ldapTemplate = new LdapTemplate(poolingLdapContextSource());
 +    ldapTemplate.setIgnoreNameNotFoundException(true);
 +    return ldapTemplate;
 +  }
 +
 +}
 +</code>
 +
 +
 +
 +===== BaseClass for Spring Data =====
 +
 +<sxh java>
 +public abstract class BaseLdapService<T extends WithLdapId> implements BaseLdapNameAware {
 +
 +    public static final String EMPTY_LDAP_ATTRIBUTE_PLACEHOLDER = "empty";
 +    private static Logger LOG = LoggerFactory.getLogger(BaseLdapService.class);
 +
 +    // Operations IS is the default one
 +    protected enum QueryOperation {
 +        IS, LIKE
 +    }
 +
 +    @Autowired
 +    protected Tools tools;
 +
 +    @Autowired
 +    private LdapTemplate ldapTemplate;
 +
 +    @Autowired
 +    private RoleService roleService;
 +
 +    @Autowired
 +    private GroupService groupService;
 +
 +    @Autowired
 +    private Environment env;
 +
 +    private LdapName baseLdapPath;
 +
 +    @Override
 +    public void setBaseLdapPath(LdapName baseLdapPath) {
 +        this.baseLdapPath = baseLdapPath;
 +    }
 +
 +    protected void initPostConstruct() {
 +        final String baseDn = env.getRequiredProperty("ldap.base");
 +        this.baseLdapPath = LdapUtils.newLdapName(baseDn);
 +    }
 +
 +    public List<T> findByProperty(final String propertyName, Name propertyValue, Class<T> clazz) {
 +        return findByProperty(propertyName, propertyValue, clazz, null);
 +    }
 +
 +    public List<T> findByProperty(final String propertyName, Name propertyValue, Class<T> clazz, Name queryBase) {
 +        String propertyValueStr = null;
 +        if (propertyValue != null) {
 +            propertyValueStr = propertyName.toString();
 +        }
 +        return findByProperty(propertyName, propertyValue.toString(), clazz);
 +    }
 +
 +    public List<T> findByProperty(final String propertyName, String propertyValue, Class<T> clazz) {
 +        return findByProperty(propertyName, propertyValue, clazz, null);
 +    }
 +
 +    public List<T> findByProperty(final String propertyName, String propertyValue, Class<T> clazz, Name queryBase) {
 +        return findByProperty(propertyName, propertyValue, clazz, queryBase, QueryOperation.IS);
 +    }
 +
 +
 +    public List<T> findByProperty(final String propertyName, String propertyValue, Class<T> clazz, Name queryBase, QueryOperation operation) {
 +
 +        // normalize dn
 +        if (propertyName == "dn") {
 +            // for dn value - propertyValue msut be an LdapName
 +            final LdapName ldapName = LdapNameBuilder.newInstance()
 +                    .add(propertyValue)
 +                    .build();
 +            // enforce absolute names
 +            final LdapName absLdapId = tools.toRelativeDn(ldapName);
 +
 +            // write back
 +            propertyValue = absLdapId.toString();
 +        }
 +
 +        final LdapQueryBuilder query = query();
 +        if (queryBase != null) {
 +            // make sure the query base is relative (cut dc=digitaltwin,dc=intra) Otherwise you will get "Base context not found"
 +            final LdapName relQueryBase = tools.toRelativeDn(queryBase);
 +            query.base(relQueryBase);
 +        }
 +
 +        List<T> results = Collections.emptyList();
 +        if (QueryOperation.LIKE.equals(operation)) {
 +            results = ldapTemplate.find(query.where(propertyName).like(propertyValue), clazz);
 +
 +        } else if (QueryOperation.IS.equals(operation)) {
 +            results = ldapTemplate.find(query.where(propertyName).is(propertyValue), clazz);
 +
 +        } else {
 +            throw new RuntimeException("unknown operation");
 +        }
 +
 +
 +        if (results != null) {
 +            results = results.stream().map(t -> deriveTransientProperties(t)).collect(Collectors.toList());
 +        }
 +
 +        return results;
 +    }
 +
 +    protected List<T> find(ContainerCriteria query) {
 +        List<T> found = ldapTemplate.find(query, getServiceRepoType());
 +        if (found != null) {
 +            found = found.stream().map(t -> deriveTransientProperties(t)).collect(Collectors.toList());
 +        }
 +        return found;
 +    }
 +
 +    public List<T> findAll() {
 +        List<T> all = ldapTemplate.findAll(getServiceRepoType());
 +        if (all != null) {
 +            all = all.stream().map(t -> deriveTransientProperties(t)).collect(Collectors.toList());
 +        }
 +        return all;
 +    }
 +
 +    public void bind(Name ldapId, Attributes attributes) {
 +        final LdapName absLdapId = tools.toRelativeDn(ldapId);
 +        ldapTemplate.bind(absLdapId, null, attributes);
 +    }
 +
 +
 +    public Optional<T> findByDn(String ldapIdStr) {
 +        LOG.info("findByDn " + ldapIdStr);
 +        if (ldapIdStr == null) {
 +            return Optional.empty();
 +        }
 +        final LdapName ldapId = LdapNameBuilder.newInstance(ldapIdStr).build();
 +        return this.findByDn(ldapId);
 +    }
 +
 +    public Optional<T> findOne(LdapQuery query) {
 +        try {
 +            return Optional.ofNullable(ldapTemplate.findOne(query, getServiceRepoType()))
 +                    .map(t -> deriveTransientProperties(t));
 +        } catch (Exception e) {
 +            LOG.warn("Exception thrown in findOne", e.getMessage());
 +            return Optional.empty();
 +        }
 +    }
 +
 +    public Optional<T> findByDn(Name ldapId) {
 +        try {
 +            final Name relLdapId = tools.toRelativeDn(ldapId); // require a relative ldap id to for searching, without the domain at the end
 +            final T result = ldapTemplate.findByDn(relLdapId, getServiceRepoType());
 +            return Optional.ofNullable(result)
 +                    .map(t -> deriveTransientProperties(t));
 +        } catch (Exception e) {
 +            LOG.warn("Exception thrown in findByDn", e.getMessage());
 +            return Optional.empty();
 +        }
 +    }
 +
 +    public void delete(String ldapIdStr) {
 +        final LdapName ldapId = LdapNameBuilder.newInstance(ldapIdStr).build();
 +        final LdapName absLdapId = tools.toRelativeDn(ldapId);
 +        this.delete(absLdapId);
 +    }
 +
 +    public void delete(Name ldapId) {
 +        final LdapName relLdapId = tools.toRelativeDn(ldapId);
 +
 +        if (!exists(relLdapId)) {
 +            LOG.warn(String.format("Tried to remove the object %s, but it does not exist", relLdapId.toString()));
 +            return;
 +        }
 +
 +        ldapTemplate.unbind(relLdapId, true);
 +
 +        // remove the id from member-lists in groups
 +        final List<Group> groups = groupService.findGroupsByMember(ldapId);
 +        groups.forEach(group -> {
 +            group.removeMember(ldapId);
 +            groupService.save(group);
 +        });
 +
 +        // remove the id from member-lists in roles
 +        final List<Role> roles = roleService.findRolesByMember(ldapId);
 +        roles.forEach(role -> {
 +            role.removeRoleOccupants(ldapId);
 +            roleService.save(role);
 +        });
 +    }
 +
 +
 +    /**
 +     * For the external use.
 +     * Checks, whether the given object exists.
 +     * Catches the exceptions, which flow, when the object - does not exist, returning false.
 +     *
 +     * @param object - the ldap entity
 +     * @return
 +     */
 +    public boolean exists(T object) {
 +        try {
 +            return existsCanThrow(object);
 +        } catch (org.springframework.ldap.NameNotFoundException | org.springframework.web.server.ResponseStatusException | java.util.NoSuchElementException | NullPointerException e) {
 +            return false;
 +        }
 +    }
 +
 +    /**
 +     * Secure for checking if a user exists.
 +     * Will catch any "Entity not found" runtime exception
 +     *
 +     * @param name - the ldap name
 +     * @return
 +     */
 +    public boolean exists(Name name) {
 +        try {
 +            final LdapName absLdapId = tools.toRelativeDn(name);
 +            return existsCanThrow(absLdapId);
 +        } catch (org.springframework.ldap.NameNotFoundException | org.springframework.web.server.ResponseStatusException | java.util.NoSuchElementException e) {
 +            return false;
 +        }
 +    }
 +
 +    /**
 +     * Secure for checking if a user exists.
 +     * Will catch any "Entity not found" runtime exception
 +     *
 +     * @param ldapName - the ldap name
 +     * @return
 +     */
 +    public boolean exists(String ldapName) {
 +        try {
 +            LdapName name = LdapNameBuilder.newInstance(ldapName).build();
 +            final LdapName absLdapId = tools.toRelativeDn(name);
 +            return exists(absLdapId);
 +        } catch (org.springframework.ldap.InvalidNameException e) {
 +            return false;
 +        }
 +    }
 +
 +
 +    protected Name replacePrefixInName(Name original, Name replacementSnippet) {
 +        LdapName copyOrig = LdapNameBuilder.newInstance(original).build();
 +        LdapName copySnippet = LdapNameBuilder.newInstance(replacementSnippet).build();
 +
 +        return replaceBySnippetInName(copyOrig, 0, copySnippet);
 +    }
 +
 +    /**
 +     * Replaces a piece of the original name - by a given snippet.
 +     * Start replacing at the given index. In ou=tenant1AdminGroup,ou=Groups,ou=tenant1,ou=Tenants - the index 0 value is "ou=tenant1AdminGroup"
 +     * <p>
 +     * The length of the original - must be larger, than that of the snippet
 +     *
 +     * @param original           - the name where to replace a piece by a snippet
 +     * @param origIndexStart     - the index where to start replacement
 +     * @param replacementSnippet - the snippet to insert into the original
 +     * @return
 +     */
 +    private Name replaceBySnippetInName(LdapName original, int origIndexStart, LdapName replacementSnippet) {
 +        Assert.isTrue(original != null, "Name must be not null");
 +        Assert.isTrue(replacementSnippet != null, "Name must be not null");
 +        Assert.isTrue(original.size() >= replacementSnippet.size(), "Name must be not null");
 +
 +
 +        if (!replacementSnippet.isEmpty()) {
 +            final List<Rdn> rdnsOrig = original.getRdns(); // [ou=Tenants;ou=tenant1; ou=Groups; ou=tenant1AdminGroup]
 +            final List<Rdn> rdnsReplacementSnippet = replacementSnippet.getRdns();  // [ou=Groups; ou=tenant1AdminGroupRENAMED; ]
 +
 +            final List<Rdn> rdnsOrigRev = new ArrayList<>(rdnsOrig); // [ou=tenant1AdminGroup; ou=Groups; ou=tenant1; ou=Tenants ]
 +            Collections.reverse(rdnsOrigRev);
 +
 +            final List<Rdn> rdnsReplacementSnippetRev = new ArrayList<>(rdnsReplacementSnippet);
 +            Collections.reverse(rdnsReplacementSnippetRev); // [ou=tenant1AdminGroupRENAMED; ou=Groups;]
 +
 +            // cut away a piece of orig, to be replaced by snippet
 +            final List<Rdn> preOrigRndRev = new ArrayList<>(rdnsOrigRev.subList(0, origIndexStart));
 +            final List<Rdn> postOrigRndRev = new ArrayList<>(rdnsOrigRev.subList(origIndexStart + rdnsReplacementSnippet.size(), rdnsOrigRev.size()));
 +
 +            // insert snippet
 +            final List<Rdn> result = new ArrayList<>();
 +            result.addAll(preOrigRndRev);
 +            result.addAll(rdnsReplacementSnippetRev);
 +            result.addAll(postOrigRndRev);
 +
 +            // switch interface
 +            Collections.reverse(result); // reverse back prior to making a Name out of it
 +            final Name copyOriginalRev = LdapNameBuilder.newInstance().build().addAll(result);
 +
 +            return LdapNameBuilder.newInstance(copyOriginalRev).build();
 +        }
 +
 +        // copy original to return a copy - not the same object. To have a consistant behaviour on empty snippet.
 +        return LdapNameBuilder.newInstance(original).build();
 +    }
 +
 +    /**
 +     * Checks, whether the given object exists
 +     *
 +     * @param t
 +     * @return
 +     */
 +    protected boolean existsCanThrow(T t) throws org.springframework.ldap.NameNotFoundException, org.springframework.web.server.ResponseStatusException {
 +        return t != null && true == existsCanThrow(t.getId());
 +    }
 +
 +    /**
 +     * Checks, whether the given object exists
 +     *
 +     * @param name
 +     * @return
 +     */
 +    protected boolean existsCanThrow(Name name) throws org.springframework.ldap.NameNotFoundException, org.springframework.web.server.ResponseStatusException {
 +        return findByDn(name).isPresent();
 +    }
 +
 +
 +    protected Optional<T> findOneByAttribute(String ldapAttributeName, String ldapAttributeValue, Class<T> clazz) {
 +        return findOneByAttribute(ldapAttributeName, ldapAttributeValue, clazz, LdapUtils.emptyLdapName());
 +    }
 +
 +    /**
 +     * Gets the 0 or 1 object by the given attribute.
 +     * If more objects are found - there will be an exception.
 +     *
 +     * @param ldapAttributeName  - the name of the attribute
 +     * @param ldapAttributeValue - the attribute value
 +     * @param clazz              - the output type
 +     * @return
 +     */
 +    protected Optional<T> findOneByAttribute(String ldapAttributeName, String ldapAttributeValue, Class<T> clazz, Name baseTenantRdn) {
 +        try {
 +            List<T> objList = ldapTemplate.find(query().base(baseTenantRdn).where(ldapAttributeName).is(ldapAttributeValue), clazz);
 +            if(objList != null) {
 +                objList = objList.stream().map(t -> deriveTransientProperties(t)).collect(Collectors.toList());
 +            }
 +            Assert.isTrue(objList.size() <= 1, String.format("Expect max one object attr %s and value %s. Found %s instead. %s", ldapAttributeName, ldapAttributeValue, objList.size(), objList));
 +            if (objList.isEmpty()) {
 +                return Optional.empty();
 +            }
 +            T obj = objList.get(0);
 +            return Optional.of(obj);
 +
 +        } catch (org.springframework.ldap.NameNotFoundException | java.util.NoSuchElementException e) {
 +            return Optional.empty();
 +        }
 +    }
 +
 +
 +    /**
 +     * Derives properties in the object, before the object is returned
 +     *
 +     * @param object
 +     * @return
 +     */
 +    T deriveTransientProperties(T object) {
 +        // nothing on default
 +        return object;
 +    }
 +
 +    List<T> deriveTransientProperties(List<T> list) {
 +        if(list == null){
 +            return list;
 +        }
 +        final List<T> result = list.stream().map(t -> deriveTransientProperties(t)).collect(Collectors.toList());
 +        return result;
 +    }
 +
 +    /**
 +     * Catch the null value and fill in some string
 +     * if a value is not set/known
 +     * so that LDAP doesnt throw an error
 +     *
 +     * @param str - the string which may be null
 +     * @return - the str or some default placeholder string to be stored in LDAP
 +     */
 +    protected String nullToString(String str) {
 +        if (str == null) {
 +            return EMPTY_LDAP_ATTRIBUTE_PLACEHOLDER;
 +        }
 +        return str;
 +    }
 +
 +
 +    public LdapTemplate getLdapTemplate() {
 +        return ldapTemplate;
 +    }
 +
 +    /**
 +     * Build the attributes, which will be used to save the LDAP entity.
 +     *
 +     * @param t
 +     * @return
 +     */
 +    protected abstract Attributes buildAttributes(T t);
 +
 +    /**
 +     * The type of the T parameter, which will
 +     *
 +     * @return
 +     */
 +    protected abstract Class<T> getServiceRepoType();
 +
 +
 +    protected void replaceIdInGroups(Name oldMemberId, Name newMemberId) {
 +        final Name newMemberAbsDn = tools.toAbsoluteDn(newMemberId);
 +        final Name oldMemberAbsDn = tools.toAbsoluteDn(oldMemberId);
 +
 +        // update teh role membership
 +        // update teh group membership
 +        // groups
 +        final Collection<Group> groups = groupService.findByMember(oldMemberAbsDn);
 +        for (Group group : groups) {
 +            group.removeMember(oldMemberAbsDn);
 +            group.addMember(newMemberAbsDn);
 +            groupService.save(group);
 +        }
 +    }
 +
 +    protected void replaceIdInRoles(Name oldMemberId, Name newMemberId) {
 +        final Name newMemberAbsDn = tools.toAbsoluteDn(newMemberId);
 +        final Name oldMemberAbsDn = tools.toAbsoluteDn(oldMemberId);
 +
 +        // roles
 +        // The user has moved - we need to update role references.
 +        List<Role> roles = roleService.findRolesByMember(oldMemberAbsDn);
 +        roles.parallelStream().forEach(role -> {
 +            role.removeRoleOccupants(oldMemberAbsDn);
 +            role.addRoleOccupant(newMemberAbsDn);
 +            roleService.save(role);
 +        });
 +    }
 +
 +
 +//
 +//    /**
 +//     * Should save the object, if necessary - give it a new id.
 +//     * @param modifiedOrNew
 +//     * @return
 +//     */
 +//    public abstract T save(T modifiedOrNew);
 +
 +    /**
 +     * Save a one. Create if new. Update if exists. Generate a new id, if necessary.
 +     *
 +     * @param objectWithId
 +     * @return
 +     */
 +    public final T save(T objectWithId) {
 +        validate(objectWithId);
 +
 +        // is it a new role without an id? Try to derive the id from the tenant.
 +        if (!exists(objectWithId)) {
 +
 +            Name objectId = objectWithId.getId();
 +
 +            // init the id, if necessary
 +            if (objectId == null) {
 +                objectId = generateId(objectWithId);
 +
 +                // write the id back to the object
 +                objectWithId.setId(objectId);
 +            }
 +
 +            initNewObjectBeforeSaving(objectWithId);
 +
 +            // store a new one
 +            final Attributes attributes = filterNullOrEmptyAttributes(buildAttributes(objectWithId));
 +            bind(objectWithId.getId(), attributes);
 +
 +        } else {
 +            // check, if the id must be adopted on the changed properties (cn/ou/..)
 +            final Name oldId = LdapNameBuilder.newInstance(objectWithId.getId()).build();
 +            final Name idFromObjectProperties = applyAttributesToId(oldId, objectWithId);
 +
 +            if (!idFromObjectProperties.toString().equals(oldId.toString())) {
 +                // override the old id
 +                objectWithId.setId(idFromObjectProperties);
 +                // persist
 +                update(oldId, objectWithId);
 +            } else {
 +                // persist
 +                update(objectWithId);
 +            }
 +        }
 +
 +        return objectWithId;
 +    }
 +
 +    /**
 +     * This filter is applied BEFORE BIND.
 +     * Bind doe not except NULL arguments, opposed to "update".
 +     * <p>
 +     * In "update" setting an argument to null is for removing it.
 +     * In "bind" setting an argument to null causes a  org.springframework.ldap.InvalidAttributeValueException
 +     *
 +     * @param buildAttributes
 +     * @return
 +     */
 +    protected Attributes filterNullOrEmptyAttributes(Attributes buildAttributes) {
 +        if (!(buildAttributes instanceof BasicAttributes)){
 +            return buildAttributes;
 +        }
 +        final BasicAttributes result = (BasicAttributes) buildAttributes.clone();
 +        final Iterator<? extends Attribute> attributesIterator = buildAttributes.getAll().asIterator();
 +
 +        while (attributesIterator.hasNext()) {
 +            final Attribute attribute = attributesIterator.next();
 +
 +            boolean invalidAttribute = true;
 +            try {
 +                invalidAttribute = (attribute.get() == null); // not null
 +
 +            } catch (java.util.NoSuchElementException e) {
 +                invalidAttribute = false; // invalid, because the value was empty
 +
 +            } catch (NamingException e) {
 +                // rethrow, because the error was in the wrong name of the attribure - user should know
 +                throw new RuntimeException(e);
 +            }
 +
 +            if (invalidAttribute) {
 +                result.remove(attribute.getID());
 +            }
 +        }
 +        return result;
 +    }
 +
 +    /**
 +     * Apply the attributes in the new object - to the id.
 +     * Here you get the chance to adopt the LDAP id - if the properties have changed.
 +     *
 +     * @param oldId
 +     * @param objectWithId
 +     * @return
 +     */
 +    protected abstract Name applyAttributesToId(Name oldId, T objectWithId);
 +
 +
 +    /**
 +     * The object must exist already.
 +     * Save, when the id has changed.
 +     * May fall back to the creation of a new one, if no explicit id is provided.
 +     * Will clean up the old object, if the
 +     *
 +     * @param originalId the existing id of an existing role.
 +     * @param modified   the role, populated with new data. May contain a new id.
 +     * @return the updated entry
 +     */
 +    public final T update(final Name originalId, T modified) {
 +
 +        final Name newId = modified.getId();
 +        Assert.isTrue(newId != null, String.format("The new object %s is expected to have a new id in it.", modified));
 +
 +        if (originalId != null && !originalId.equals(newId)) {
 +            Assert.isTrue(exists(originalId), String.format("The object with id %s is expected to exist already, as this method sujest renaming of ids.", originalId));
 +
 +            // renaming the objects id
 +            rename(originalId, newId);
 +
 +            // now update the membership
 +            updateMembershipInLdapObjectsOnIdChange(tools.toAbsoluteDn(originalId), tools.toAbsoluteDn(newId));
 +        }
 +
 +        // persist
 +        update(modified);
 +
 +        return modified;
 +    }
 +
 +    public T rename(Name oldId, Name newId) {
 +        Assert.isTrue(newId != null, "Can not rename to null");
 +        Assert.isTrue(exists(oldId), String.format("The object with the id %s does not exist. Cant rename it.", oldId));
 +        if (!newId.equals(oldId)) {
 +            ldapTemplate.rename(oldId, newId);
 +        }
 +        return findByDn(newId).orElseThrow();
 +    }
 +
 +    /**
 +     * The object must exist already.
 +     *
 +     * @param t
 +     * @return
 +     */
 +    protected T update(T t) {
 +        final Name anyDn = t.getId();
 +        final LdapName absLdapId = tools.toRelativeDn(anyDn);
 +
 +        final Iterator<? extends Attribute> attributesIterator = buildAttributes(t).getAll().asIterator();
 +        while (attributesIterator.hasNext()) {
 +            final Attribute attribute = attributesIterator.next();
 +            ModificationItem item = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, attribute);
 +            ldapTemplate.modifyAttributes(absLdapId, new ModificationItem[]{item});
 +        }
 +        return t;
 +    }
 +
 +    protected void initNewObjectBeforeSaving(T objectWithId) {
 +        // nothing on default
 +    }
 +
 +
 +    /**
 +     * Generates a new id.
 +     *
 +     * @param objectWithId - the objectWithId used as data container. Probably will not have an id yet but all the information to generate one.
 +     * @return
 +     */
 +    public abstract Name generateId(T objectWithId);
 +
 +    /**
 +     * Update the membership in the ldap objects on id change.
 +     * Implementation depends on the type of the objects.
 +     * Users will have to update membership in Groups, roles.
 +     * Groups will have to update membership in roles only etc.
 +     *
 +     * @param oldMemberAbsDn
 +     * @param newMemberAbsDn
 +     */
 +    protected abstract void updateMembershipInLdapObjectsOnIdChange(LdapName oldMemberAbsDn, LdapName newMemberAbsDn);
 +
 +    /**
 +     * Validate a modified object here. E.g. when it is updated.
 +     * Especially check, if the cn/ou or other field participating in the id - must be aligned with the current state of the object
 +     *
 +     * @param modifiedObject
 +     * @throws IllegalArgumentException - when the validation fails. User the Asser.* style for the checks and catch them in the RestController
 +     */
 +    protected void validate(T modifiedObject) throws IllegalArgumentException {
 +        // no default validation
 +    }
 +
 +}
 +
 +</sxh>
 +
 +
 +
 +
 +==== LDAP tools ====
 +
 +<sxh java>
 +
 +@Component
 +public class Tools {
 +
 +    private static Logger LOG = LoggerFactory.getLogger(Tools.class);
 +
 +    private final LdapName baseLdapPath;
 +
 +    @Autowired
 +    public Tools(Environment env) {
 +        this.baseLdapPath = LdapUtils.newLdapName(env.getRequiredProperty("ldap.base"));
 +    }
 +
 +    public static final <T> List<T> toList(Iterable<T> i) {
 +        return StreamSupport.stream(i.spliterator(), true).collect(Collectors.toList());
 +    }
 +
 +    public LdapName toAbsoluteDn(Name relativeName) {
 +        // check if already absolute
 +        if (relativeName.startsWith(baseLdapPath)) {
 +            LOG.info(String.format("The dn %s already contains the baseLdapPath %s so skip reappending it", relativeName, baseLdapPath));
 +            return LdapNameBuilder.newInstance(relativeName)
 +                    .build();
 +        } else {
 +            return LdapNameBuilder.newInstance(baseLdapPath)
 +                    .add(relativeName)
 +                    .build();
 +        }
 +    }
 +
 +    public static Optional<LdapName> toLdapId(String str) {
 +        try {
 +            return Optional.of(LdapNameBuilder.newInstance(str).build());
 +        } catch (NullPointerException | org.springframework.ldap.InvalidNameException e) {
 +            return Optional.empty();
 +        }
 +    }
 +
 +    public static boolean isLdapId(String str) {
 +        try {
 +            LdapName name = LdapNameBuilder.newInstance(str).build();
 +            return true;
 +        } catch (NullPointerException | org.springframework.ldap.InvalidNameException e) {
 +            return false;
 +        }
 +    }
 +
 +    public LdapName toRelativeDn(Name absoluteName) {
 +        Name name = absoluteName;
 +        if (absoluteName.startsWith(baseLdapPath)) {
 +            name = absoluteName.getSuffix(baseLdapPath.size());
 +        }
 +        LOG.info(String.format("The dn %s doesnt contains the baseLdapPath %s so skip reappending it", absoluteName, baseLdapPath));
 +        return LdapNameBuilder.newInstance(name).build();
 +    }
 +
 +
 +    /**
 +     * The relative DN is typically what is needed to perform lookups and searches in
 +     * the LDAP tree, whereas the absolute DN is needed when authenticating and when
 +     * an LDAP entry is referred to in e.g. a group. This wrapper class contains
 +     * both of these representations.
 +     * <p>
 +     * See LdapEntryIdentification.class comment
 +     *
 +     * @param ldapIds
 +     * @return
 +     */
 +    public List<Name> toAbsLdapIds(Collection<Name> ldapIds) {
 +        final ArrayList<Name> list = new ArrayList<>();
 +        ldapIds.forEach(ldapId -> {
 +            final LdapName absLdapId = toAbsoluteDn(ldapId);
 +            list.add(absLdapId);
 +        });
 +        return list;
 +    }
 +
 +
 +    public boolean ldapNameContainsSegment(final Name ldapName, final Name fragment) {
 +        if (ldapName == null || fragment == null || ldapName.size() < fragment.size()) {
 +            return false;
 +        }
 +
 +        // Create an empty list
 +        final List<String> listLdapName = new ArrayList<>();
 +        ldapName.getAll().asIterator().forEachRemaining(listLdapName::add);
 +
 +        final List<String> listFragment = new ArrayList<>();
 +        fragment.getAll().asIterator().forEachRemaining(listFragment::add);
 +
 +        // is the fragment like "ou=People" present on the path?
 +        return (Collections.indexOfSubList(listLdapName, listFragment) != -1);
 +    }
 +
 +    /**
 +     * Assumes that tags are separated by empty spaces
 +     *
 +     * @param tags
 +     * @return
 +     */
 +    public List<String> toTagsList(final String tags) {
 +        if (tags == null ) return null;
 +        if (tags.isEmpty() ) return Collections.EMPTY_LIST;
 +        final String[] tagsList = tags.trim().split("[ ]+");
 +        return Arrays.asList(tagsList);
 +    }
 +
 +
 +
 +
 +
 +    /**
 +     * Takes two ldap names and replaces the suffix
 +     * by cutting off the length of suffix from the ldapName and appending the suffix
 +     *
 +     * The suffix will be appended on the right side of String.
 +     * Eg in "cn=dudidum,ou=People,ou=BIGFISH,ou=Tenants" the suffix with size 2 is "ou=BIGFISH,ou=Tenants"
 +     *
 +     * @param ldapName  - name, the suffix of which sould be replaced
 +     * @param newSuffix - suffix to append.
 +     * @return name with new suffix
 +     */
 +    public LdapName replaceSuffix(final LdapName ldapName, final LdapName newSuffix) {
 +        Assert.isTrue(ldapName.size() >= newSuffix.size(), String.format("The length of the ldapName %s must be bigger, than that of suffix %s", ldapName, newSuffix));
 +        if (newSuffix.size() == 0) return ldapName;
 +
 +        try {
 +            // cut off the the initial suffix, prepare merge with new suffix
 +            final LdapName copyName = LdapUtils.newLdapName(ldapName);
 +            for (int i = 0; i < newSuffix.size(); i++) {
 +                copyName.remove(0);
 +            }
 +            copyName.addAll(0, newSuffix);
 +            return copyName;
 +
 +        } catch (InvalidNameException e) {
 +            throw new RuntimeException(e);
 +        }
 +    }
 +}
 +
 +</sxh>
 +
  
ldap.1554117693.txt.gz · Last modified: (external edit)