Compare commits

...

2 Commits

  1. 69
      src/de/superx/bin/LdapLockout.java
  2. 55
      src/de/superx/servlet/LdapPasswordChecker.java
  3. 29
      src/de/superx/servlet/UserInitializer.java
  4. 6
      superx/WEB-INF/conf/edustore/db/bin/sx_ldap_lockout.x
  5. 4
      superx/WEB-INF/conf/edustore/db/install/conf/kern.xml

69
src/de/superx/bin/LdapLockout.java

@ -0,0 +1,69 @@ @@ -0,0 +1,69 @@
package de.superx.bin;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;
import de.memtext.util.GetOpts;
import de.superx.servlet.LdapPasswordChecker;
/**
* Klasse zum Sperren von Benutzern, die in LDAP gesperrt sind
* Erwartet Eintrag LdapLockoutFilter in superx_standalone_ldap.properties
*
*
*/
public class LdapLockout {
private static String usage = "Gebrauch: java de.superx.bin.LdapLockout -dbproperties=<<Pfad zu db.properties>> -ldapconfig=<<Pfad zu superx_standalone_ldap.properties>>";
public static void main(String[] args) {
GetOpts.setOpts(args);
String isdrin = GetOpts.isAllRequiredOptionsPresent("-dbproperties,-ldapconfig");
if (isdrin != null) {
System.err.println("Folgende Optionen fehlen: " + isdrin);
System.err.println(usage);
System.exit(1);
}
try {
File f = new File("LdapLockout.log");
if (f.exists())
{
f.delete();
}
LdapPasswordChecker.setup(new File(GetOpts.getValue("-ldapconfig")));
checkUsers(GetOpts.getValue("-dbproperties"));
} catch (Exception e) {
e.printStackTrace();
}
}
private static void checkUsers(String dbpropfile) throws Exception {
SxConnection myConnection = new SxConnection();
myConnection.setPropfile(dbpropfile);
Connection con = myConnection.getConnection();
Statement stm = con.createStatement();
ResultSet rs = stm.executeQuery("select benutzer from userinfo order by 1");
PreparedStatement pst = con.prepareStatement(
"update userinfo set max_versuch=0,passwd_sha=null, gueltig_bis=today()-1, info='deaktiviert am '||today() where benutzer=? and max_versuch>0");
LdapPasswordChecker ldappwc = new LdapPasswordChecker();
while (rs.next()) {
String benutzer = rs.getString("benutzer");
System.out.println("Pruefe Nutzer " + benutzer);
if (ldappwc.isUserLocked(benutzer)) {
System.out.println(" - Benutzer " + benutzer + " wird gesperrt");
pst.clearParameters();
pst.setString(1, benutzer);
pst.executeUpdate();
}
}
rs.close();
stm.close();
pst.close();
myConnection.close();
ldappwc.closeServiceCtxForLockout();
}
}

55
src/de/superx/servlet/LdapPasswordChecker.java

@ -37,6 +37,8 @@ public class LdapPasswordChecker { @@ -37,6 +37,8 @@ public class LdapPasswordChecker {
private static boolean hasLdapServiceUserDN = false;
private static boolean wasSetupTestOK = false;
private static boolean isStandaloneTest = false;
//wird nur für Lockout-Funktion benötigt
private DirContext serviceCtxForLockout = null;
public static void main(String[] args) {
isStandaloneTest = true;
@ -63,7 +65,8 @@ public class LdapPasswordChecker { @@ -63,7 +65,8 @@ public class LdapPasswordChecker {
checkProperty(superxStandaloneLdapConfigFile, "LdapIdentifyingAttribute");
if (!StringUtils.isNullOrEmpty(props.getProperty("LdapServiceUserDN"))) {
hasLdapServiceUserDN = true;
System.out.println(" LDAP Passwortkontrolle ServiceUser "+props.getProperty("LdapServiceUserDN")+" aktiviert");
System.out.println(
" LDAP Passwortkontrolle ServiceUser " + props.getProperty("LdapServiceUserDN") + " aktiviert");
// momentan keine Prüfung ob LdapServiceUserPassword null oder Leerstring
}
// we don't need all attributes, just let it get the identifying one
@ -92,6 +95,27 @@ public class LdapPasswordChecker { @@ -92,6 +95,27 @@ public class LdapPasswordChecker {
" Property \"" + name + "\" ist in Datei " + superxStandaloneLdapConfigFile + " nicht konfiguiert");
}
public boolean isUserLocked(String benutzer) throws Exception {
if (props.size() == 0)
throw new IllegalStateException(
"LDAP Passwordchecker nicht konfiguiert, setup Methode muss vorher aufgerufen werden");
boolean result = false;
//lazy init, da viele User abgefragt werden
if (serviceCtxForLockout == null) {
serviceCtxForLockout = initContext();
}
NamingEnumeration<SearchResult> searchResults = searchForUserLockedStatus(serviceCtxForLockout, benutzer);
if (searchResults.hasMoreElements()) {
result = true;
}
return result;
}
public void closeServiceCtxForLockout() throws NamingException {
serviceCtxForLockout.close();
}
/**
* Prüft via LDAP ob ein Passwort OK ist
*
@ -144,6 +168,22 @@ public class LdapPasswordChecker { @@ -144,6 +168,22 @@ public class LdapPasswordChecker {
return false;
}
private NamingEnumeration<SearchResult> searchForUserLockedStatus(DirContext serviceCtx, String username)
throws NamingException {
SearchControls sc = new SearchControls();
sc.setReturningAttributes(attributeFilter);
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
// use a search filter to find only the user we want to authenticate
if (StringUtils.isNullOrEmpty(props.getProperty("LdapLockoutFilter")))
{
throw new NamingException("LdapLockoutFilter ist nicht definiert");
}
String searchFilter = StringUtils.replace(props.getProperty("LdapLockoutFilter"), "${0}", username);
return serviceCtx.search(props.getProperty("LdapBase"), searchFilter, sc);
}
private NamingEnumeration<SearchResult> searchForUser(DirContext serviceCtx, String username)
throws NamingException {
SearchControls sc = new SearchControls();
@ -152,12 +192,9 @@ public class LdapPasswordChecker { @@ -152,12 +192,9 @@ public class LdapPasswordChecker {
// use a search filter to find only the user we want to authenticate
String searchFilter = "";
if (props.getProperty("LdapSearchFilter")!=null)
{
if (props.getProperty("LdapSearchFilter") != null) {
searchFilter = StringUtils.replace(props.getProperty("LdapSearchFilter"), "${0}", username);
}
else
{
} else {
searchFilter = "(" + props.getProperty("LdapIdentifyingAttribute") + "=" + username + ")";
}
// searchFilter="(&(uid="+username+")(mail=boyle@ldap.forumsys.com))";
@ -181,8 +218,10 @@ public class LdapPasswordChecker { @@ -181,8 +218,10 @@ public class LdapPasswordChecker {
SearchResult result = searchResults.next();
String distinguishedName = result.getNameInNamespace();
if (isStandaloneTest) {
System.out.println(" User "+username +" gefunden - distingushedName(DN/nameInNamespace):"+distinguishedName);
System.out.println(" versuche Authentifizierung für "+distinguishedName+" mit eingegebenen Passwort");
System.out.println(
" User " + username + " gefunden - distingushedName(DN/nameInNamespace):" + distinguishedName);
System.out
.println(" versuche Authentifizierung für " + distinguishedName + " mit eingegebenen Passwort");
}
// attempt another authentication, now with the user, throws exception if
// problem

29
src/de/superx/servlet/UserInitializer.java

@ -3,6 +3,7 @@ package de.superx.servlet; @@ -3,6 +3,7 @@ package de.superx.servlet;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
@ -508,6 +509,7 @@ public class UserInitializer { @@ -508,6 +509,7 @@ public class UserInitializer {
String client_ip = request.getRemoteAddr();
String client_dns = request.getRemoteHost();
String protend = "";
userid = null;
// System.out.println("c1");
if (SxPools.get(mandantenID).getSqlDialect().equals("Postgres")) {
@ -518,10 +520,14 @@ public class UserInitializer { @@ -518,10 +520,14 @@ public class UserInitializer {
Connection myConnection = null;
try {
myConnection = SxPools.getConnection(mandantenID);
boolean isUserinfoMitGueltigkeit=checkUserinfoMitGueltigkeit(myConnection);
String select="select tid, passwd_sha, administration, kennwort,akt_versuch,max_versuch from userinfo where benutzer = ? ";
if (isUserinfoMitGueltigkeit) {
select+= "and ( (gueltig_von is null or gueltig_von<=today()) and (gueltig_bis is null or gueltig_bis>=today()) )";
}
Statement stm = myConnection.createStatement();
PreparedStatement pst = myConnection
.prepareStatement("select tid, passwd_sha, administration, kennwort,akt_versuch,max_versuch"
+ " from userinfo where benutzer = ?");
.prepareStatement(select);
pst.setString(1, user);
ResultSet rs = pst.executeQuery();
while (rs.next()) {
@ -543,7 +549,7 @@ public class UserInitializer { @@ -543,7 +549,7 @@ public class UserInitializer {
int akt_versuch = rs.getInt(5);
int max_versuch = rs.getInt(6);
if (akt_versuch > max_versuch) {
if (akt_versuch > max_versuch|| max_versuch==0) {
rs.close();
pst.close();
stm.close();
@ -561,7 +567,7 @@ public class UserInitializer { @@ -561,7 +567,7 @@ public class UserInitializer {
+ "'" + protend);
stm.close();
myConnection.close();
throw new NichtAngemeldetException("Kein Benutzer " + user + " in Datenbank vorhanden");
throw new NichtAngemeldetException("Kein gültiger Benutzer " + user + " in Datenbank vorhanden");
}
if (passwort == null)
passwort = "dummy"; // bei LDAP oder so
@ -618,7 +624,22 @@ public class UserInitializer { @@ -618,7 +624,22 @@ public class UserInitializer {
}
}
private boolean checkUserinfoMitGueltigkeit(Connection dbConnection) throws SQLException
{
boolean result=false;
Statement stm = dbConnection.createStatement();
DatabaseMetaData md = dbConnection.getMetaData();
ResultSet rs = md.getColumns(null, null, "userinfo", null);
while (rs.next()) {
if (rs.getString(4).equals("gueltig_von")) {
result=true;
}
}
rs.close();
return result;
}
private void updateLastLogin(Connection myConnection) throws SQLException {
PreparedStatement pst3 = myConnection.prepareStatement("select count(*) from user_pw where userinfo_id=?");
pst3.setInt(1, userid.intValue());

6
superx/WEB-INF/conf/edustore/db/bin/sx_ldap_lockout.x

@ -0,0 +1,6 @@ @@ -0,0 +1,6 @@
#!/bin/bash
if [ "$1" = "" ]
then echo "Aufruf: sx_ldap_lockout.x Pfad/zu/db.properties pfad/zu/superx_standalone_ldap.properties"
exit 0
fi
java -cp "$JDBC_CLASSPATH" de.superx.bin.LdapLockout -dbproperties:$1 -ldapconfig:$2

4
superx/WEB-INF/conf/edustore/db/install/conf/kern.xml

@ -1728,6 +1728,8 @@ @@ -1728,6 +1728,8 @@
default ="0" notnull ="false" description="Darf der User Projekte sehen" />
<column name="extern_role_id" type="INTEGER" size="9"
default="" notnull="false" />
<column name="gueltig_von" type="date" description="Beginn Gültigkeit"/>
<column name="gueltig_bis" type="date" description="Ende Gültigkeit"/>
</columns>
<indexes>
<index name="i_userinfo" type="unique">
@ -10524,6 +10526,8 @@ Außerdem können Sie hier dem Benutzer Berechtigungen über Gruppen, Sachgebiet @@ -10524,6 +10526,8 @@ Außerdem können Sie hier dem Benutzer Berechtigungen über Gruppen, Sachgebiet
<customfield name="name" nullFieldValue=""/>
<customfield name="email" nullFieldValue=""/>
<customfield name="admin" type="include" path="/edit/kern/userinfo_edit_admin.inc"/>
<customfield name="gueltig_von" nullFieldValue=""/>
<customfield name="gueltig_bis" nullFieldValue=""/>
<customfield name="max_versuch" nullFieldValue=""/>
<customfield name="akt_versuch" nullFieldValue=""/>
<customfield name="password" type="include" path="/edit/kern/userinfo_edit_pw.inc"/>

Loading…
Cancel
Save