Compare commits

...

2 Commits

  1. 69
      src/de/superx/bin/LdapLockout.java
  2. 73
      src/de/superx/servlet/LdapPasswordChecker.java
  3. 31
      src/de/superx/servlet/UserInitializer.java
  4. 6
      superx/WEB-INF/conf/edustore/db/bin/sx_ldap_lockout.x
  5. 4
      superx/WEB-INF/conf/edustore/db/install/conf/kern.xml

69
src/de/superx/bin/LdapLockout.java

@ -0,0 +1,69 @@
package de.superx.bin;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;
import de.memtext.util.GetOpts;
import de.superx.servlet.LdapPasswordChecker;
/**
* Klasse zum Sperren von Benutzern, die in LDAP gesperrt sind
* Erwartet Eintrag LdapLockoutFilter in superx_standalone_ldap.properties
*
*
*/
public class LdapLockout {
private static String usage = "Gebrauch: java de.superx.bin.LdapLockout -dbproperties=<<Pfad zu db.properties>> -ldapconfig=<<Pfad zu superx_standalone_ldap.properties>>";
public static void main(String[] args) {
GetOpts.setOpts(args);
String isdrin = GetOpts.isAllRequiredOptionsPresent("-dbproperties,-ldapconfig");
if (isdrin != null) {
System.err.println("Folgende Optionen fehlen: " + isdrin);
System.err.println(usage);
System.exit(1);
}
try {
File f = new File("LdapLockout.log");
if (f.exists())
{
f.delete();
}
LdapPasswordChecker.setup(new File(GetOpts.getValue("-ldapconfig")));
checkUsers(GetOpts.getValue("-dbproperties"));
} catch (Exception e) {
e.printStackTrace();
}
}
private static void checkUsers(String dbpropfile) throws Exception {
SxConnection myConnection = new SxConnection();
myConnection.setPropfile(dbpropfile);
Connection con = myConnection.getConnection();
Statement stm = con.createStatement();
ResultSet rs = stm.executeQuery("select benutzer from userinfo order by 1");
PreparedStatement pst = con.prepareStatement(
"update userinfo set max_versuch=0,passwd_sha=null, gueltig_bis=today()-1, info='deaktiviert am '||today() where benutzer=? and max_versuch>0");
LdapPasswordChecker ldappwc = new LdapPasswordChecker();
while (rs.next()) {
String benutzer = rs.getString("benutzer");
System.out.println("Pruefe Nutzer " + benutzer);
if (ldappwc.isUserLocked(benutzer)) {
System.out.println(" - Benutzer " + benutzer + " wird gesperrt");
pst.clearParameters();
pst.setString(1, benutzer);
pst.executeUpdate();
}
}
rs.close();
stm.close();
pst.close();
myConnection.close();
ldappwc.closeServiceCtxForLockout();
}
}

73
src/de/superx/servlet/LdapPasswordChecker.java

@ -37,6 +37,8 @@ public class LdapPasswordChecker {
private static boolean hasLdapServiceUserDN = false; private static boolean hasLdapServiceUserDN = false;
private static boolean wasSetupTestOK = false; private static boolean wasSetupTestOK = false;
private static boolean isStandaloneTest = false; private static boolean isStandaloneTest = false;
//wird nur für Lockout-Funktion benötigt
private DirContext serviceCtxForLockout = null;
public static void main(String[] args) { public static void main(String[] args) {
isStandaloneTest = true; isStandaloneTest = true;
@ -47,8 +49,8 @@ public class LdapPasswordChecker {
try { try {
setup(new File(args[0])); setup(new File(args[0]));
LdapPasswordChecker lpc=new LdapPasswordChecker(); LdapPasswordChecker lpc = new LdapPasswordChecker();
lpc.isLdapPasswordOK(false, "default", args[1], args[2]); lpc.isLdapPasswordOK(false, "default", args[1], args[2]);
} catch (Exception e) { } catch (Exception e) {
e.printStackTrace(); e.printStackTrace();
} }
@ -63,12 +65,13 @@ public class LdapPasswordChecker {
checkProperty(superxStandaloneLdapConfigFile, "LdapIdentifyingAttribute"); checkProperty(superxStandaloneLdapConfigFile, "LdapIdentifyingAttribute");
if (!StringUtils.isNullOrEmpty(props.getProperty("LdapServiceUserDN"))) { if (!StringUtils.isNullOrEmpty(props.getProperty("LdapServiceUserDN"))) {
hasLdapServiceUserDN = true; hasLdapServiceUserDN = true;
System.out.println(" LDAP Passwortkontrolle ServiceUser "+props.getProperty("LdapServiceUserDN")+" aktiviert"); System.out.println(
" LDAP Passwortkontrolle ServiceUser " + props.getProperty("LdapServiceUserDN") + " aktiviert");
// momentan keine Prüfung ob LdapServiceUserPassword null oder Leerstring // momentan keine Prüfung ob LdapServiceUserPassword null oder Leerstring
} }
// we don't need all attributes, just let it get the identifying one // we don't need all attributes, just let it get the identifying one
LdapPasswordChecker.attributeFilter[0] = props.getProperty("LdapIdentifyingAttribute"); LdapPasswordChecker.attributeFilter[0] = props.getProperty("LdapIdentifyingAttribute");
// Verbindungstest wirft Exception bei Fehler // Verbindungstest wirft Exception bei Fehler
boolean isJustSetupTest = true; boolean isJustSetupTest = true;
String mandantenIDNichtRelevant = "default"; String mandantenIDNichtRelevant = "default";
@ -92,6 +95,27 @@ public class LdapPasswordChecker {
" Property \"" + name + "\" ist in Datei " + superxStandaloneLdapConfigFile + " nicht konfiguiert"); " Property \"" + name + "\" ist in Datei " + superxStandaloneLdapConfigFile + " nicht konfiguiert");
} }
public boolean isUserLocked(String benutzer) throws Exception {
if (props.size() == 0)
throw new IllegalStateException(
"LDAP Passwordchecker nicht konfiguiert, setup Methode muss vorher aufgerufen werden");
boolean result = false;
//lazy init, da viele User abgefragt werden
if (serviceCtxForLockout == null) {
serviceCtxForLockout = initContext();
}
NamingEnumeration<SearchResult> searchResults = searchForUserLockedStatus(serviceCtxForLockout, benutzer);
if (searchResults.hasMoreElements()) {
result = true;
}
return result;
}
public void closeServiceCtxForLockout() throws NamingException {
serviceCtxForLockout.close();
}
/** /**
* Prüft via LDAP ob ein Passwort OK ist * Prüft via LDAP ob ein Passwort OK ist
* *
@ -113,7 +137,7 @@ public class LdapPasswordChecker {
try { try {
serviceCtx = initContext(); serviceCtx = initContext();
if (isStandaloneTest) { if (isStandaloneTest) {
System.out.println("Reine Kontrolle, ob User "+username+ " existiert"); System.out.println("Reine Kontrolle, ob User " + username + " existiert");
} }
NamingEnumeration<SearchResult> searchResults = searchForUser(serviceCtx, username); NamingEnumeration<SearchResult> searchResults = searchForUser(serviceCtx, username);
if (!isJustSetupTest) { if (!isJustSetupTest) {
@ -139,29 +163,42 @@ public class LdapPasswordChecker {
} }
} }
//System.out.println(new Date().getTime() - start.getTime()); // System.out.println(new Date().getTime() - start.getTime());
} }
return false; return false;
} }
private NamingEnumeration<SearchResult> searchForUser(DirContext serviceCtx, String username) private NamingEnumeration<SearchResult> searchForUserLockedStatus(DirContext serviceCtx, String username)
throws NamingException { throws NamingException {
SearchControls sc = new SearchControls(); SearchControls sc = new SearchControls();
sc.setReturningAttributes(attributeFilter); sc.setReturningAttributes(attributeFilter);
sc.setSearchScope(SearchControls.SUBTREE_SCOPE); sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
// use a search filter to find only the user we want to authenticate // use a search filter to find only the user we want to authenticate
String searchFilter = ""; if (StringUtils.isNullOrEmpty(props.getProperty("LdapLockoutFilter")))
if (props.getProperty("LdapSearchFilter")!=null)
{ {
searchFilter=StringUtils.replace(props.getProperty("LdapSearchFilter"),"${0}", username ); throw new NamingException("LdapLockoutFilter ist nicht definiert");
} }
else String searchFilter = StringUtils.replace(props.getProperty("LdapLockoutFilter"), "${0}", username);
{
searchFilter="(" + props.getProperty("LdapIdentifyingAttribute") + "=" + username + ")"; return serviceCtx.search(props.getProperty("LdapBase"), searchFilter, sc);
}
private NamingEnumeration<SearchResult> searchForUser(DirContext serviceCtx, String username)
throws NamingException {
SearchControls sc = new SearchControls();
sc.setReturningAttributes(attributeFilter);
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
// use a search filter to find only the user we want to authenticate
String searchFilter = "";
if (props.getProperty("LdapSearchFilter") != null) {
searchFilter = StringUtils.replace(props.getProperty("LdapSearchFilter"), "${0}", username);
} else {
searchFilter = "(" + props.getProperty("LdapIdentifyingAttribute") + "=" + username + ")";
} }
//searchFilter="(&(uid="+username+")(mail=boyle@ldap.forumsys.com))"; // searchFilter="(&(uid="+username+")(mail=boyle@ldap.forumsys.com))";
return serviceCtx.search(props.getProperty("LdapBase"), searchFilter, sc); return serviceCtx.search(props.getProperty("LdapBase"), searchFilter, sc);
} }
@ -181,8 +218,10 @@ public class LdapPasswordChecker {
SearchResult result = searchResults.next(); SearchResult result = searchResults.next();
String distinguishedName = result.getNameInNamespace(); String distinguishedName = result.getNameInNamespace();
if (isStandaloneTest) { if (isStandaloneTest) {
System.out.println(" User "+username +" gefunden - distingushedName(DN/nameInNamespace):"+distinguishedName); System.out.println(
System.out.println(" versuche Authentifizierung für "+distinguishedName+" mit eingegebenen Passwort"); " User " + username + " gefunden - distingushedName(DN/nameInNamespace):" + distinguishedName);
System.out
.println(" versuche Authentifizierung für " + distinguishedName + " mit eingegebenen Passwort");
} }
// attempt another authentication, now with the user, throws exception if // attempt another authentication, now with the user, throws exception if
// problem // problem

31
src/de/superx/servlet/UserInitializer.java

@ -3,6 +3,7 @@ package de.superx.servlet;
import java.io.IOException; import java.io.IOException;
import java.lang.reflect.InvocationTargetException; import java.lang.reflect.InvocationTargetException;
import java.sql.Connection; import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.Date; import java.sql.Date;
import java.sql.PreparedStatement; import java.sql.PreparedStatement;
import java.sql.ResultSet; import java.sql.ResultSet;
@ -508,6 +509,7 @@ public class UserInitializer {
String client_ip = request.getRemoteAddr(); String client_ip = request.getRemoteAddr();
String client_dns = request.getRemoteHost(); String client_dns = request.getRemoteHost();
String protend = ""; String protend = "";
userid = null; userid = null;
// System.out.println("c1"); // System.out.println("c1");
if (SxPools.get(mandantenID).getSqlDialect().equals("Postgres")) { if (SxPools.get(mandantenID).getSqlDialect().equals("Postgres")) {
@ -518,10 +520,14 @@ public class UserInitializer {
Connection myConnection = null; Connection myConnection = null;
try { try {
myConnection = SxPools.getConnection(mandantenID); myConnection = SxPools.getConnection(mandantenID);
boolean isUserinfoMitGueltigkeit=checkUserinfoMitGueltigkeit(myConnection);
String select="select tid, passwd_sha, administration, kennwort,akt_versuch,max_versuch from userinfo where benutzer = ? ";
if (isUserinfoMitGueltigkeit) {
select+= "and ( (gueltig_von is null or gueltig_von<=today()) and (gueltig_bis is null or gueltig_bis>=today()) )";
}
Statement stm = myConnection.createStatement(); Statement stm = myConnection.createStatement();
PreparedStatement pst = myConnection PreparedStatement pst = myConnection
.prepareStatement("select tid, passwd_sha, administration, kennwort,akt_versuch,max_versuch" .prepareStatement(select);
+ " from userinfo where benutzer = ?");
pst.setString(1, user); pst.setString(1, user);
ResultSet rs = pst.executeQuery(); ResultSet rs = pst.executeQuery();
while (rs.next()) { while (rs.next()) {
@ -543,7 +549,7 @@ public class UserInitializer {
int akt_versuch = rs.getInt(5); int akt_versuch = rs.getInt(5);
int max_versuch = rs.getInt(6); int max_versuch = rs.getInt(6);
if (akt_versuch > max_versuch) { if (akt_versuch > max_versuch|| max_versuch==0) {
rs.close(); rs.close();
pst.close(); pst.close();
stm.close(); stm.close();
@ -561,7 +567,7 @@ public class UserInitializer {
+ "'" + protend); + "'" + protend);
stm.close(); stm.close();
myConnection.close(); myConnection.close();
throw new NichtAngemeldetException("Kein Benutzer " + user + " in Datenbank vorhanden"); throw new NichtAngemeldetException("Kein gültiger Benutzer " + user + " in Datenbank vorhanden");
} }
if (passwort == null) if (passwort == null)
passwort = "dummy"; // bei LDAP oder so passwort = "dummy"; // bei LDAP oder so
@ -618,7 +624,22 @@ public class UserInitializer {
} }
} }
private boolean checkUserinfoMitGueltigkeit(Connection dbConnection) throws SQLException
{
boolean result=false;
Statement stm = dbConnection.createStatement();
DatabaseMetaData md = dbConnection.getMetaData();
ResultSet rs = md.getColumns(null, null, "userinfo", null);
while (rs.next()) {
if (rs.getString(4).equals("gueltig_von")) {
result=true;
}
}
rs.close();
return result;
}
private void updateLastLogin(Connection myConnection) throws SQLException { private void updateLastLogin(Connection myConnection) throws SQLException {
PreparedStatement pst3 = myConnection.prepareStatement("select count(*) from user_pw where userinfo_id=?"); PreparedStatement pst3 = myConnection.prepareStatement("select count(*) from user_pw where userinfo_id=?");
pst3.setInt(1, userid.intValue()); pst3.setInt(1, userid.intValue());

6
superx/WEB-INF/conf/edustore/db/bin/sx_ldap_lockout.x

@ -0,0 +1,6 @@
#!/bin/bash
if [ "$1" = "" ]
then echo "Aufruf: sx_ldap_lockout.x Pfad/zu/db.properties pfad/zu/superx_standalone_ldap.properties"
exit 0
fi
java -cp "$JDBC_CLASSPATH" de.superx.bin.LdapLockout -dbproperties:$1 -ldapconfig:$2

4
superx/WEB-INF/conf/edustore/db/install/conf/kern.xml

@ -1728,6 +1728,8 @@
default ="0" notnull ="false" description="Darf der User Projekte sehen" /> default ="0" notnull ="false" description="Darf der User Projekte sehen" />
<column name="extern_role_id" type="INTEGER" size="9" <column name="extern_role_id" type="INTEGER" size="9"
default="" notnull="false" /> default="" notnull="false" />
<column name="gueltig_von" type="date" description="Beginn Gültigkeit"/>
<column name="gueltig_bis" type="date" description="Ende Gültigkeit"/>
</columns> </columns>
<indexes> <indexes>
<index name="i_userinfo" type="unique"> <index name="i_userinfo" type="unique">
@ -10524,6 +10526,8 @@ Außerdem können Sie hier dem Benutzer Berechtigungen über Gruppen, Sachgebiet
<customfield name="name" nullFieldValue=""/> <customfield name="name" nullFieldValue=""/>
<customfield name="email" nullFieldValue=""/> <customfield name="email" nullFieldValue=""/>
<customfield name="admin" type="include" path="/edit/kern/userinfo_edit_admin.inc"/> <customfield name="admin" type="include" path="/edit/kern/userinfo_edit_admin.inc"/>
<customfield name="gueltig_von" nullFieldValue=""/>
<customfield name="gueltig_bis" nullFieldValue=""/>
<customfield name="max_versuch" nullFieldValue=""/> <customfield name="max_versuch" nullFieldValue=""/>
<customfield name="akt_versuch" nullFieldValue=""/> <customfield name="akt_versuch" nullFieldValue=""/>
<customfield name="password" type="include" path="/edit/kern/userinfo_edit_pw.inc"/> <customfield name="password" type="include" path="/edit/kern/userinfo_edit_pw.inc"/>

Loading…
Cancel
Save