StartTLS for LDAP (OF-66)

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@11509 b35dd754-fafc-0310-a699-88a17e54d16e

StartTLS for LDAP (OF-66)
git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@11509 b35dd754-fafc-0310-a699-88a17e54d16e
a073e3df · guus · 1d2f0759 · a073e3df · a073e3df
Commit a073e3df authored Jan 10, 2010 by guus
Showing with 349 additions and 33 deletions

LdapManager.java src/java/org/jivesoftware/openfire/ldap/LdapManager.java +283 -33

JiveInitialLdapContext.java src/java/org/jivesoftware/util/JiveInitialLdapContext.java +66 -0

No files found.
--- a/src/java/org/jivesoftware/openfire/ldap/LdapManager.java
+++ b/src/java/org/jivesoftware/openfire/ldap/LdapManager.java
@@ -41,15 +41,18 @@ import javax.naming.directory.InitialDirContext;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.Control;
-import javax.naming.ldap.InitialLdapContext;
 import javax.naming.ldap.LdapContext;
 import javax.naming.ldap.PagedResultsControl;
 import javax.naming.ldap.PagedResultsResponseControl;
 import javax.naming.ldap.SortControl;
+import javax.naming.ldap.StartTlsRequest;
+import javax.naming.ldap.StartTlsResponse;
+import javax.net.ssl.SSLSession;
 import org.jivesoftware.openfire.group.GroupNotFoundException;
 import org.jivesoftware.openfire.user.UserNotFoundException;
 import org.jivesoftware.util.JiveGlobals;
+import org.jivesoftware.util.JiveInitialLdapContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -79,6 +82,7 @@ import org.slf4j.LoggerFactory;
 *      <li>ldap.groupSearchFilter</li>
 *      <li>ldap.debugEnabled</li>
 *      <li>ldap.sslEnabled</li>
+ *      <li>ldap.startTlsEnabled</li>
 *      <li>ldap.autoFollowReferrals</li>
 *      <li>ldap.autoFollowAliasReferrals</li>
 *      <li>ldap.initialContextFactory --  if this value is not specified,
@@ -177,6 +181,7 @@ public class LdapManager {
    private boolean subTreeSearch;
    private boolean encloseUserDN;
    private boolean encloseGroupDN;
+    private boolean startTlsEnabled = false;
    private String groupNameField;
    private String groupMemberField;
@@ -228,6 +233,7 @@ public class LdapManager {
        JiveGlobals.migrateProperty("ldap.adminPassword");
        JiveGlobals.migrateProperty("ldap.debugEnabled");
        JiveGlobals.migrateProperty("ldap.sslEnabled");
+        JiveGlobals.migrateProperty("ldap.startTlsEnabled");
        JiveGlobals.migrateProperty("ldap.autoFollowReferrals");
        JiveGlobals.migrateProperty("ldap.autoFollowAliasReferrals");
        JiveGlobals.migrateProperty("ldap.encloseUserDN");
@@ -353,6 +359,11 @@ public class LdapManager {
        if (sslEnabledStr != null) {
            sslEnabled = Boolean.valueOf(sslEnabledStr);
        }
+        startTlsEnabled = false;
+        String startTlsEnabledStr = properties.get("ldap.startTlsEnabled");
+        if (startTlsEnabledStr != null) {
+            startTlsEnabled = Boolean.valueOf(startTlsEnabledStr);
+        }
        followReferrals = false;
        String followReferralsStr = properties.get("ldap.autoFollowReferrals");
        if (followReferralsStr != null) {
@@ -406,6 +417,7 @@ public class LdapManager {
        buf.append("\t subTreeSearch:").append(subTreeSearch).append("\n");
        buf.append("\t ldapDebugEnabled: ").append(ldapDebugEnabled).append("\n");
        buf.append("\t sslEnabled: ").append(sslEnabled).append("\n");
+        buf.append("\t startTlsEnabled: ").append(startTlsEnabled).append("\n");
        buf.append("\t initialContextFactory: ").append(initialContextFactory).append("\n");
        buf.append("\t connectionPoolEnabled: ").append(connectionPoolEnabled).append("\n");
        buf.append("\t autoFollowReferrals: ").append(followReferrals).append("\n");
@@ -459,12 +471,16 @@ public class LdapManager {
        boolean debug = Log.isDebugEnabled();
        if (debug) {
            Log.debug("LdapManager: Creating a DirContext in LdapManager.getContext()...");
+        	if (!sslEnabled && !startTlsEnabled)
+        		Log.debug("LdapManager: Warning: Using unencrypted connection to LDAP service!");
        }
        // Set up the environment for creating the initial context
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
        env.put(Context.PROVIDER_URL, getProviderURL(baseDN));
+        // SSL
        if (sslEnabled) {
            env.put("java.naming.ldap.factory.socket",
                    "org.jivesoftware.util.SimpleSSLSocketFactory");
@@ -473,12 +489,16 @@ public class LdapManager {
        // Use simple authentication to connect as the admin.
        if (adminDN != null) {
+            /* If startTLS is requested we MUST NOT bind() before
+             * the secure connection has been established. */
+			if (!(startTlsEnabled && !sslEnabled)) {
 				env.put(Context.SECURITY_AUTHENTICATION, "simple");
 				env.put(Context.SECURITY_PRINCIPAL, adminDN);
 				if (adminPassword != null) {
 					env.put(Context.SECURITY_CREDENTIALS, adminPassword);
 				}
 			}
+        }
        // No login information so attempt to use anonymous login.
        else {
            env.put(Context.SECURITY_AUTHENTICATION, "none");
@@ -488,8 +508,19 @@ public class LdapManager {
            env.put("com.sun.jndi.ldap.trace.ber", System.err);
        }
        if (connectionPoolEnabled) { 
+        	if (!startTlsEnabled)
        		env.put("com.sun.jndi.ldap.connect.pool", "true");
+        	else { 
+        		if (debug) {
+        			// See http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html
+        			// "When Not to Use Pooling" 
+        			Log.debug("LdapManager: connection pooling was requested but has been disabled because of StartTLS.");
+        		}
+        		env.put("com.sun.jndi.ldap.connect.pool", "false");
        	}
+        } else
+        	env.put("com.sun.jndi.ldap.connect.pool", "false");
        if (followReferrals) {
            env.put(Context.REFERRAL, "follow");
        }
@@ -501,10 +532,60 @@ public class LdapManager {
            Log.debug("LdapManager: Created hashtable with context values, attempting to create context...");
        }
        // Create new initial context
-        LdapContext context = new InitialLdapContext(env, null);
+        JiveInitialLdapContext context = new JiveInitialLdapContext(env, null);
+        // TLS http://www.ietf.org/rfc/rfc2830.txt ("1.3.6.1.4.1.1466.20037")
+		if (startTlsEnabled && !sslEnabled) {
+			if (debug) {
+				Log.debug("LdapManager: ... StartTlsRequest");
+			}
+			if (followReferrals)
+				Log.warn("\tConnections to referrals are unencrypted! If you do not want this, please turn off ldap.autoFollowReferrals");
+			// Perform a StartTLS extended operation
+			StartTlsResponse tls = (StartTlsResponse) 
+				context.extendedOperation(new StartTlsRequest());
+			/* Open a TLS connection (over the existing LDAP association) and
+			   get details of the negotiated TLS session: cipher suite, 
+			   peer certificate, etc. */
+			try {
+				SSLSession session = tls.negotiate(new org.jivesoftware.util.SimpleSSLSocketFactory());
+				context.setTlsResponse(tls);
+				context.setSslSession(session);
+				if (debug) {
+					Log.debug("LdapManager: ... peer host: " 
+							+ session.getPeerHost() 
+							+ ", CipherSuite: " + session.getCipherSuite());
+				}
+				/* Set login credentials only if SSL session has been
+				 * negotiated successfully - otherwise user/password
+				 * could be transmitted in clear text. */
+				if (adminDN != null) {
+					context.addToEnvironment(
+							Context.SECURITY_AUTHENTICATION,
+							"simple");
+					context.addToEnvironment(
+							Context.SECURITY_PRINCIPAL,
+							adminDN);
+					if (adminPassword != null)
+						context.addToEnvironment(
+								Context.SECURITY_CREDENTIALS,
+								adminPassword);
+				}
+			} catch (java.io.IOException ex) {
+				Log.error(ex.getMessage(), ex);
+			}
+		}
        if (debug) {
            Log.debug("LdapManager: ... context created successfully, returning.");
        }
        return context;
    }
@@ -520,9 +601,12 @@ public class LdapManager {
        boolean debug = Log.isDebugEnabled();
        if (debug) {
            Log.debug("LdapManager: In LdapManager.checkAuthentication(userDN, password), userDN is: " + userDN + "...");
+           	if (!sslEnabled && !startTlsEnabled)
+           		Log.debug("LdapManager: Warning: Using unencrypted connection to LDAP service!");
        }
-        DirContext ctx = null;
+        JiveInitialLdapContext ctx = null;
        try {
            // See if the user authenticates.
            Hashtable<String, Object> env = new Hashtable<String, Object>();
@@ -533,11 +617,20 @@ public class LdapManager {
                        "org.jivesoftware.util.SimpleSSLSocketFactory");
                env.put(Context.SECURITY_PROTOCOL, "ssl");
            }
+            /* If startTLS is requested we MUST NOT bind() before
+             * the secure connection has been established. */
+            if (!(startTlsEnabled && !sslEnabled)) {
 				env.put(Context.SECURITY_AUTHENTICATION, "simple");
 				env.put(Context.SECURITY_PRINCIPAL, userDN + "," + baseDN);
 				env.put(Context.SECURITY_CREDENTIALS, password);
+			} else {
+				if (followReferrals)
+					Log.warn("\tConnections to referrals are unencrypted! If you do not want this, please turn off ldap.autoFollowReferrals");
+			}
 			// Specify timeout to be 10 seconds, only on non SSL since SSL connections
-            // break with a timemout.
+            // break with a timeout.
            if (!sslEnabled) {
                env.put("com.sun.jndi.ldap.connect.timeout", "10000");
            }
@@ -557,7 +650,49 @@ public class LdapManager {
            if (debug) {
                Log.debug("LdapManager: Created context values, attempting to create context...");
            }
-            ctx = new InitialDirContext(env);
+            ctx = new JiveInitialLdapContext(env, null);
+            if (startTlsEnabled && !sslEnabled) {
+    			if (debug) {
+    				Log.debug("LdapManager: ... StartTlsRequest");
+    			}
+    			// Perform a StartTLS extended operation
+    			StartTlsResponse tls = (StartTlsResponse) 
+    				ctx.extendedOperation(new StartTlsRequest());
+    			/* Open a TLS connection (over the existing LDAP association) and
+    			   get details of the negotiated TLS session: cipher suite, 
+    			   peer certificate, etc. */
+    			try {
+    				SSLSession session = tls.negotiate(new org.jivesoftware.util.SimpleSSLSocketFactory());
+    				ctx.setTlsResponse(tls);
+    				ctx.setSslSession(session);
+    				if (debug) {
+    					Log.debug("LdapManager: ... peer host: " 
+    							+ session.getPeerHost() 
+    							+ ", CipherSuite: " + session.getCipherSuite());
+    				}
+    				ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
+    				ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, 
+    						userDN + "," + baseDN);
+    				ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
+    			} catch (java.io.IOException ex) {
+    				Log.error(ex.getMessage(), ex);
+    			}
+				// make at least one lookup to check authorization
+				lookupExistence(
+						ctx, 
+						userDN + "," + baseDN,
+						new String[] {usernameField});
+            }
            if (debug) {
                Log.debug("LdapManager: ... context created successfully, returning.");
            }
@@ -583,9 +718,14 @@ public class LdapManager {
                        env.put("java.naming.ldap.factory.socket", "org.jivesoftware.util.SimpleSSLSocketFactory");
                        env.put(Context.SECURITY_PROTOCOL, "ssl");
                    }
+                    /* If startTLS is requested we MUST NOT bind() before
+                     * the secure connection has been established. */
+                    if (!(startTlsEnabled && !sslEnabled)) {
                    	env.put(Context.SECURITY_AUTHENTICATION, "simple");
                    	env.put(Context.SECURITY_PRINCIPAL, userDN + "," + alternateBaseDN);
                    	env.put(Context.SECURITY_CREDENTIALS, password);
+                    }
                    // Specify timeout to be 10 seconds, only on non SSL since SSL connections
                    // break with a timemout.
                    if (!sslEnabled) {
@@ -603,7 +743,48 @@ public class LdapManager {
                    if (debug) {
                        Log.debug("LdapManager: Created context values, attempting to create context...");
                    }
-                    ctx = new InitialDirContext(env);
+                    ctx = new JiveInitialLdapContext(env, null);
+                    if (startTlsEnabled && !sslEnabled) {
+            			if (debug) {
+            				Log.debug("LdapManager: ... StartTlsRequest");
+            			}
+            			// Perform a StartTLS extended operation
+            			StartTlsResponse tls = (StartTlsResponse) 
+            				ctx.extendedOperation(new StartTlsRequest());
+            			/* Open a TLS connection (over the existing LDAP association) and
+            			   get details of the negotiated TLS session: cipher suite, 
+            			   peer certificate, etc. */
+            			try {
+            				SSLSession session = tls.negotiate(new org.jivesoftware.util.SimpleSSLSocketFactory());
+            				ctx.setTlsResponse(tls);
+            				ctx.setSslSession(session);
+            				if (debug) {
+            					Log.debug("LdapManager: ... peer host: " 
+            							+ session.getPeerHost() 
+            							+ ", CipherSuite: " + session.getCipherSuite());
+            				}
+            				ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
+            				ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, 
+            						userDN + "," + alternateBaseDN);
+            				ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
+            			} catch (java.io.IOException ex) {
+            				Log.error(ex.getMessage(), ex);
+            			}
+        				// make at least one lookup to check user authorization
+        				lookupExistence(
+        						ctx, 
+        						userDN + "," + alternateBaseDN,
+        						new String[] {usernameField});
+                    }
                }
                catch (NamingException e) {
                    if (debug) {
@@ -632,6 +813,55 @@ public class LdapManager {
        return true;
    }
+    /** 
+     * Looks up an LDAP object by its DN and returns <tt>true</tt> if
+     * the search was successful.
+     * 
+     * @param ctx the Context to use for the lookup.
+     * @param dn the object's dn to lookup.
+     * @return true if the lookup was successful.
+     * @throws NamingException if login credentials were wrong.
+     */
+    private Boolean lookupExistence(InitialDirContext ctx, String dn, String[] returnattrs) throws NamingException {
+    	boolean debug = Log.isDebugEnabled();
+        if (debug) {
+            Log.debug("LdapManager: In lookupExistence(ctx, dn, returnattrs), searchdn is: " + dn); 
+        }
+        // Bind to the object's DN
+        ctx.addToEnvironment(Context.PROVIDER_URL, getProviderURL(dn));
+    	String filter = "(&(objectClass=*))";
+		SearchControls srcnt = new SearchControls();
+		srcnt.setSearchScope(SearchControls.OBJECT_SCOPE);
+		srcnt.setReturningAttributes(returnattrs);
+		NamingEnumeration<SearchResult> answer = null;
+		try {
+			answer = ctx.search(
+					"",
+					filter,
+					srcnt);
+		} catch (javax.naming.NameNotFoundException nex) {
+			// DN not found
+		} catch (NamingException ex){
+			throw ex;
+		}
+		if (answer == null || !answer.hasMoreElements())
+		{
+            Log.debug("LdapManager: .... lookupExistence: DN not found.");
+			return false;
+		}
+		else
+		{
+			Log.debug("LdapManager: .... lookupExistence: DN found.");
+			return true;
+		}
+    }
    /**
     * Finds a user's dn using their username. Normally, this search will
     * be performed using the field "uid", but this can be changed by setting
@@ -721,7 +951,7 @@ public class LdapManager {
            }
            constraints.setReturningAttributes(new String[] { usernameField });
-            NamingEnumeration answer = ctx.search("", getSearchFilter(), new String[] {username},
+            NamingEnumeration<SearchResult> answer = ctx.search("", getSearchFilter(), new String[] {username},
                    constraints);
            if (debug) {
@@ -734,7 +964,7 @@ public class LdapManager {
                }
                throw new UserNotFoundException("Username " + username + " not found");
            }
-            String userDN = ((SearchResult)answer.next()).getName();
+            String userDN = answer.next().getName();
            // Make sure there are no more search results. If there are, then
            // the username isn't unique on the LDAP server (a perfectly possible
            // scenario since only fully qualified dn's need to be unqiue).
@@ -866,7 +1096,7 @@ public class LdapManager {
            constraints.setReturningAttributes(new String[] { groupNameField });
            String filter = MessageFormat.format(getGroupSearchFilter(), groupname);
-            NamingEnumeration answer = ctx.search("", filter, constraints);
+            NamingEnumeration<SearchResult> answer = ctx.search("", filter, constraints);
            if (debug) {
                Log.debug("LdapManager: ... search finished");
@@ -878,7 +1108,7 @@ public class LdapManager {
                }
                throw new GroupNotFoundException("Groupname " + groupname + " not found");
            }
-            String groupDN = ((SearchResult)answer.next()).getName();
+            String groupDN = answer.next().getName();
            // Make sure there are no more search results. If there are, then
            // the groupname isn't unique on the LDAP server (a perfectly possible
            // scenario since only fully qualified dn's need to be unqiue).
@@ -1047,6 +1277,26 @@ public class LdapManager {
        properties.put("ldap.sslEnabled", Boolean.toString(sslEnabled));
    }
+    /**
+     * Returns true if LDAP connection is via START or not. TLS is turned off by default.
+     *
+     * @return true if StartTLS connections are enabled or not.
+     */
+    public boolean isStartTlsEnabled() {
+        return startTlsEnabled;
+    }
+    /**
+     * Sets whether the connection to the LDAP server should be made via StartTLS or not.
+     *
+     * @param startTlsEnabled true if StartTLS should be used, false otherwise.
+     */
+    public void setStartTlsEnabled(boolean startTlsEnabled) {
+        this.startTlsEnabled = startTlsEnabled;
+        properties.put("ldap.startTlsEnabled", Boolean.toString(startTlsEnabled));
+    }
    /**
     * Returns the LDAP field name that the username lookup will be performed
     * on. By default this is "uid".
@@ -1607,7 +1857,7 @@ public class LdapManager {
            // Run through all pages of results (one page is also possible  ;)  )
            do {
                cookie = null;
-                NamingEnumeration answer = ctx.search("", searchFilter, searchControls);
+                NamingEnumeration<SearchResult> answer = ctx.search("", searchFilter, searchControls);
                // Examine all of the results on this page
                while (answer.hasMoreElements()) {
@@ -1622,7 +1872,7 @@ public class LdapManager {
                    }
                    // Get the next result.
-                    String result = (String)((SearchResult)answer.next()).getAttributes().get(attribute).get();
+                    String result = (String)answer.next().getAttributes().get(attribute).get();
                    // Remove suffixToTrim if set
                    if (suffixToTrim != null && suffixToTrim.length() > 0 && result.endsWith(suffixToTrim)) {
                        result = result.substring(0,result.length()-suffixToTrim.length());
@@ -1664,7 +1914,7 @@ public class LdapManager {
                // Run through all pages of results (one page is also possible  ;)  )
                do {
                    cookie = null;
-                    NamingEnumeration answer = ctx2.search("", searchFilter, searchControls);
+                    NamingEnumeration<SearchResult> answer = ctx2.search("", searchFilter, searchControls);
                    // Examine all of the results on this page
                    while (answer.hasMoreElements()) {
@@ -1679,7 +1929,7 @@ public class LdapManager {
                        }
                        // Get the next result.
-                        String result = (String)((SearchResult)answer.next()).getAttributes().get(attribute).get();
+                        String result = (String)answer.next().getAttributes().get(attribute).get();
                        // Remove suffixToTrim if set
                        if (suffixToTrim != null && suffixToTrim.length() > 0 && result.endsWith(suffixToTrim)) {
                            result = result.substring(0,result.length()-suffixToTrim.length());
@@ -1800,7 +2050,7 @@ public class LdapManager {
            // Run through all pages of results (one page is also possible  ;)  )
            do {
                cookie = null;
-                NamingEnumeration answer = ctx.search("", searchFilter, searchControls);
+                NamingEnumeration<SearchResult> answer = ctx.search("", searchFilter, searchControls);
                // Examine all of the results on this page
                while (answer.hasMoreElements()) {
@@ -1837,7 +2087,7 @@ public class LdapManager {
                // Run through all pages of results (one page is also possible  ;)  )
                do {
                    cookie = null;
-                    NamingEnumeration answer = ctx2.search("", searchFilter, searchControls);
+                    NamingEnumeration<SearchResult> answer = ctx2.search("", searchFilter, searchControls);
                    // Examine all of the results on this page
                    while (answer.hasMoreElements()) {

--- a/src/java/org/jivesoftware/util/JiveInitialLdapContext.java
+++ b/src/java/org/jivesoftware/util/JiveInitialLdapContext.java
+/**
+ * $RCSfile$
+ * $Revision: 2698 $
+ * $Date: 2005-08-19 15:28:16 -0300 (Fri, 19 Aug 2005) $
+ *
+ * Copyright (C) 2004-2008 Jive Software. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jivesoftware.util;
+import java.util.Hashtable;
+import javax.naming.NamingException;
+import javax.naming.ldap.Control;
+import javax.naming.ldap.InitialLdapContext;
+import javax.naming.ldap.StartTlsResponse;
+import javax.net.ssl.SSLSession;
+/**
+ * A class that extends the Java's InitialLdapContext class with
+ * two properties to store the SSLSession and the StartTlsResponse
+ * objects. This is necessary when using the StartTLS extension.
+ */
+public class JiveInitialLdapContext extends InitialLdapContext {
+	private StartTlsResponse tlsResp;
+	private SSLSession sslSess;
+	public JiveInitialLdapContext(Hashtable<?, ?> arg0, Control[] arg1)
+			throws NamingException {
+		super(arg0, arg1);
+	}
+	public JiveInitialLdapContext() throws NamingException {
+		super();
+	}
+	public StartTlsResponse getTlsResponse() {
+		return tlsResp;
+	}
+	public void setTlsResponse(StartTlsResponse tlsResp) {
+		this.tlsResp = tlsResp;
+	}
+	public SSLSession getSslSession() {
+		return sslSess;
+	}
+	public void setSslSession(SSLSession sslSess) {
+		this.sslSess = sslSess;
+	}
+}