Uni Hildesheim LdapLockout-Funktion

src/de/superx/bin/LdapLockout.java

@@ -0,0 +1,69 @@
+package de.superx.bin;
+
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileWriter;
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.Statement;
+
+import de.memtext.util.GetOpts;
+import de.superx.servlet.LdapPasswordChecker;
+/**
+ * Klasse zum Sperren von Benutzern, die in LDAP gesperrt sind
+ * Erwartet Eintrag LdapLockoutFilter in superx_standalone_ldap.properties
+ * 
+ *
+ */
+public class LdapLockout {
+	private static String usage = "Gebrauch: java de.superx.bin.LdapLockout -dbproperties=<<Pfad zu db.properties>> -ldapconfig=<<Pfad zu superx_standalone_ldap.properties>>";
+	public static void main(String[] args) {
+		GetOpts.setOpts(args);
+		String isdrin = GetOpts.isAllRequiredOptionsPresent("-dbproperties,-ldapconfig");
+		if (isdrin != null) {
+			System.err.println("Folgende Optionen fehlen: " + isdrin);
+			System.err.println(usage);
+			System.exit(1);
+		}
+
+		try {
+			File f = new File("LdapLockout.log");
+			if (f.exists())
+			{
+				f.delete();
+			}
+		    LdapPasswordChecker.setup(new File(GetOpts.getValue("-ldapconfig")));
+			checkUsers(GetOpts.getValue("-dbproperties"));
+		    
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+
+	private static void checkUsers(String dbpropfile) throws Exception {
+		SxConnection myConnection = new SxConnection();
+		myConnection.setPropfile(dbpropfile);
+		Connection con = myConnection.getConnection();
+		Statement stm = con.createStatement();
+		ResultSet rs = stm.executeQuery("select benutzer from userinfo order by 1");
+		PreparedStatement pst = con.prepareStatement(
+				"update userinfo set max_versuch=0,passwd_sha=null, gueltig_bis=today()-1, info='deaktiviert am '||today() where benutzer=? and max_versuch>0");
+		LdapPasswordChecker ldappwc = new LdapPasswordChecker();
+		while (rs.next()) {
+			String benutzer = rs.getString("benutzer");
+		      System.out.println("Pruefe Nutzer " + benutzer);
+			if (ldappwc.isUserLocked(benutzer)) {
+				System.out.println(" - Benutzer " + benutzer + " wird gesperrt");
+				pst.clearParameters();
+				pst.setString(1, benutzer);
+				pst.executeUpdate();
+			}
+		}
+		rs.close();
+		stm.close();
+		pst.close();
+		myConnection.close();
+		ldappwc.closeServiceCtxForLockout();
+	}
+}

src/de/superx/servlet/LdapPasswordChecker.java

@@ -37,6 +37,8 @@ public class LdapPasswordChecker {
 	private static boolean hasLdapServiceUserDN = false;
 	private static boolean wasSetupTestOK = false;
 	private static boolean isStandaloneTest = false;
+	//wird nur für Lockout-Funktion benötigt
+	private DirContext serviceCtxForLockout = null;
 
 	public static void main(String[] args) {
 		isStandaloneTest = true;
@@ -47,8 +49,8 @@ public class LdapPasswordChecker {
 
 		try {
 			setup(new File(args[0]));
-		LdapPasswordChecker lpc=new LdapPasswordChecker();
-	    lpc.isLdapPasswordOK(false, "default", args[1], args[2]);
+			LdapPasswordChecker lpc = new LdapPasswordChecker();
+			lpc.isLdapPasswordOK(false, "default", args[1], args[2]);
 		} catch (Exception e) {
 			e.printStackTrace();
 		}
@@ -63,12 +65,13 @@ public class LdapPasswordChecker {
 		checkProperty(superxStandaloneLdapConfigFile, "LdapIdentifyingAttribute");
 		if (!StringUtils.isNullOrEmpty(props.getProperty("LdapServiceUserDN"))) {
 			hasLdapServiceUserDN = true;
-			System.out.println(" LDAP Passwortkontrolle ServiceUser "+props.getProperty("LdapServiceUserDN")+" aktiviert");
+			System.out.println(
+					" LDAP Passwortkontrolle ServiceUser " + props.getProperty("LdapServiceUserDN") + " aktiviert");
 			// momentan keine Prüfung ob LdapServiceUserPassword null oder Leerstring
 		}
 		// we don't need all attributes, just let it get the identifying one
 		LdapPasswordChecker.attributeFilter[0] = props.getProperty("LdapIdentifyingAttribute");
-
+		
 		// Verbindungstest wirft Exception bei Fehler
 		boolean isJustSetupTest = true;
 		String mandantenIDNichtRelevant = "default";
@@ -92,6 +95,27 @@ public class LdapPasswordChecker {
 					" Property \"" + name + "\" ist in Datei " + superxStandaloneLdapConfigFile + " nicht konfiguiert");
 	}
 
+	public boolean isUserLocked(String benutzer) throws Exception {
+		if (props.size() == 0)
+			throw new IllegalStateException(
+					"LDAP Passwordchecker nicht konfiguiert, setup Methode muss vorher aufgerufen werden");
+		boolean result = false;
+        //lazy init, da viele User abgefragt werden
+		if (serviceCtxForLockout == null) {
+			serviceCtxForLockout = initContext();
+		}
+
+		NamingEnumeration<SearchResult> searchResults = searchForUserLockedStatus(serviceCtxForLockout, benutzer);
+		if (searchResults.hasMoreElements()) {
+			result = true;
+		}
+		return result;
+	}
+
+	public void closeServiceCtxForLockout() throws NamingException {
+		serviceCtxForLockout.close();
+	}
+
 	/**
 	 * Prüft via LDAP ob ein Passwort OK ist
 	 * 
@@ -113,7 +137,7 @@ public class LdapPasswordChecker {
 		try {
 			serviceCtx = initContext();
 			if (isStandaloneTest) {
-				System.out.println("Reine Kontrolle, ob User "+username+ " existiert");
+				System.out.println("Reine Kontrolle, ob User " + username + " existiert");
 			}
 			NamingEnumeration<SearchResult> searchResults = searchForUser(serviceCtx, username);
 			if (!isJustSetupTest) {
@@ -139,29 +163,42 @@ public class LdapPasswordChecker {
 				}
 
 			}
-			//System.out.println(new Date().getTime() - start.getTime());
+			// System.out.println(new Date().getTime() - start.getTime());
 		}
 		return false;
 	}
 
-	private NamingEnumeration<SearchResult> searchForUser(DirContext serviceCtx, String username)
+	private NamingEnumeration<SearchResult> searchForUserLockedStatus(DirContext serviceCtx, String username)
 			throws NamingException {
 		SearchControls sc = new SearchControls();
 		sc.setReturningAttributes(attributeFilter);
 		sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
 
 		// use a search filter to find only the user we want to authenticate
-		String searchFilter = "";
-		if (props.getProperty("LdapSearchFilter")!=null)
+		if (StringUtils.isNullOrEmpty(props.getProperty("LdapLockoutFilter")))
 		{
-		    searchFilter=StringUtils.replace(props.getProperty("LdapSearchFilter"),"${0}", username );
+			throw new NamingException("LdapLockoutFilter ist nicht definiert");
 		}
-		else
-		{
-		 searchFilter="(" + props.getProperty("LdapIdentifyingAttribute") + "=" + username + ")";
+		String searchFilter = StringUtils.replace(props.getProperty("LdapLockoutFilter"), "${0}", username);
+
+		return serviceCtx.search(props.getProperty("LdapBase"), searchFilter, sc);
+	}
+
+	private NamingEnumeration<SearchResult> searchForUser(DirContext serviceCtx, String username)
+			throws NamingException {
+		SearchControls sc = new SearchControls();
+		sc.setReturningAttributes(attributeFilter);
+		sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
+
+		// use a search filter to find only the user we want to authenticate
+		String searchFilter = "";
+		if (props.getProperty("LdapSearchFilter") != null) {
+			searchFilter = StringUtils.replace(props.getProperty("LdapSearchFilter"), "${0}", username);
+		} else {
+			searchFilter = "(" + props.getProperty("LdapIdentifyingAttribute") + "=" + username + ")";
 		}
-		//searchFilter="(&(uid="+username+")(mail=boyle@ldap.forumsys.com))";
-		
+		// searchFilter="(&(uid="+username+")(mail=boyle@ldap.forumsys.com))";
+
 		return serviceCtx.search(props.getProperty("LdapBase"), searchFilter, sc);
 	}
 
@@ -181,8 +218,10 @@ public class LdapPasswordChecker {
 			SearchResult result = searchResults.next();
 			String distinguishedName = result.getNameInNamespace();
 			if (isStandaloneTest) {
-				System.out.println(" User "+username +" gefunden - distingushedName(DN/nameInNamespace):"+distinguishedName);
-				System.out.println(" versuche Authentifizierung für "+distinguishedName+" mit eingegebenen Passwort");
+				System.out.println(
+						" User " + username + " gefunden - distingushedName(DN/nameInNamespace):" + distinguishedName);
+				System.out
+						.println(" versuche Authentifizierung für " + distinguishedName + " mit eingegebenen Passwort");
 			}
 			// attempt another authentication, now with the user, throws exception if
 			// problem

src/de/superx/servlet/UserInitializer.java

@@ -3,6 +3,7 @@ package de.superx.servlet;
 import java.io.IOException;
 import java.lang.reflect.InvocationTargetException;
 import java.sql.Connection;
+import java.sql.DatabaseMetaData;
 import java.sql.Date;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
@@ -508,6 +509,7 @@ public class UserInitializer {
 		String client_ip = request.getRemoteAddr();
 		String client_dns = request.getRemoteHost();
 		String protend = "";
+		
 		userid = null;
 		// System.out.println("c1");
 		if (SxPools.get(mandantenID).getSqlDialect().equals("Postgres")) {
@@ -518,10 +520,14 @@ public class UserInitializer {
 		Connection myConnection = null;
 		try {
 			myConnection = SxPools.getConnection(mandantenID);
+			boolean isUserinfoMitGueltigkeit=checkUserinfoMitGueltigkeit(myConnection);
+			String select="select tid, passwd_sha, administration, kennwort,akt_versuch,max_versuch from userinfo where benutzer = ? ";
+			if (isUserinfoMitGueltigkeit) {
+				select+= "and ( (gueltig_von is null or gueltig_von<=today()) and (gueltig_bis is null or gueltig_bis>=today()) )";
+			}
 			Statement stm = myConnection.createStatement();
 			PreparedStatement pst = myConnection
-					.prepareStatement("select tid, passwd_sha, administration, kennwort,akt_versuch,max_versuch"
-							+ " from userinfo where benutzer = ?");
+					.prepareStatement(select);
 			pst.setString(1, user);
 			ResultSet rs = pst.executeQuery();
 			while (rs.next()) {
@@ -543,7 +549,7 @@ public class UserInitializer {
 				int akt_versuch = rs.getInt(5);
 				int max_versuch = rs.getInt(6);
 
-				if (akt_versuch > max_versuch) {
+				if (akt_versuch > max_versuch|| max_versuch==0) {
 					rs.close();
 					pst.close();
 					stm.close();
@@ -561,7 +567,7 @@ public class UserInitializer {
 						+ "'" + protend);
 				stm.close();
 				myConnection.close();
-				throw new NichtAngemeldetException("Kein Benutzer " + user + " in Datenbank vorhanden");
+				throw new NichtAngemeldetException("Kein gültiger Benutzer " + user + " in Datenbank vorhanden");
 			}
 			if (passwort == null)
 				passwort = "dummy"; // bei LDAP oder so
@@ -618,7 +624,22 @@ public class UserInitializer {
 
 		}
 	}
-
+	private boolean checkUserinfoMitGueltigkeit(Connection dbConnection) throws SQLException
+	{
+		boolean result=false;
+		Statement stm = dbConnection.createStatement();
+			DatabaseMetaData md = dbConnection.getMetaData();
+	
+			ResultSet	rs = md.getColumns(null, null, "userinfo", null);
+			while (rs.next()) {
+					if (rs.getString(4).equals("gueltig_von")) {
+					result=true;	
+				}
+			}
+			rs.close();
+			return result;
+			
+	}
 	private void updateLastLogin(Connection myConnection) throws SQLException {
 		PreparedStatement pst3 = myConnection.prepareStatement("select count(*) from user_pw where userinfo_id=?");
 		pst3.setInt(1, userid.intValue());

superx/WEB-INF/conf/edustore/db/bin/sx_ldap_lockout.x

@@ -0,0 +1,6 @@
+#!/bin/bash
+if [ "$1" = "" ]
+   then echo "Aufruf: sx_ldap_lockout.x Pfad/zu/db.properties pfad/zu/superx_standalone_ldap.properties"
+	exit 0
+fi
+java -cp "$JDBC_CLASSPATH" de.superx.bin.LdapLockout -dbproperties:$1 -ldapconfig:$2

superx/WEB-INF/conf/edustore/db/install/conf/kern.xml

@@ -1728,6 +1728,8 @@
 				default ="0" notnull ="false" description="Darf der User Projekte sehen" />
 				<column name="extern_role_id" type="INTEGER" size="9"
                     default="" notnull="false" />
+                <column name="gueltig_von" type="date" description="Beginn Gültigkeit"/>
+                <column name="gueltig_bis" type="date" description="Ende Gültigkeit"/>
 			</columns>
 			<indexes>
 				<index name="i_userinfo" type="unique">
@@ -10524,6 +10526,8 @@ Außerdem können Sie hier dem Benutzer Berechtigungen über Gruppen, Sachgebiet
 <customfield name="name" nullFieldValue=""/>
 <customfield name="email" nullFieldValue=""/>
 <customfield name="admin" type="include" path="/edit/kern/userinfo_edit_admin.inc"/>
+<customfield name="gueltig_von" nullFieldValue=""/>
+<customfield name="gueltig_bis" nullFieldValue=""/>
 <customfield name="max_versuch" nullFieldValue=""/>
 <customfield name="akt_versuch" nullFieldValue=""/>
 <customfield name="password" type="include" path="/edit/kern/userinfo_edit_pw.inc"/>