001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 * 019 */ 020package org.apache.directory.server.ldap.handlers.sasl.ntlm; 021 022 023import javax.naming.Context; 024import javax.security.sasl.SaslException; 025 026import org.apache.directory.api.ldap.model.constants.AuthenticationLevel; 027import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms; 028import org.apache.directory.api.ldap.model.message.BindRequest; 029import org.apache.directory.api.ldap.model.name.Dn; 030import org.apache.directory.api.util.Strings; 031import org.apache.directory.server.core.api.CoreSession; 032import org.apache.directory.server.core.api.LdapPrincipal; 033import org.apache.directory.server.core.api.interceptor.context.BindOperationContext; 034import org.apache.directory.server.i18n.I18n; 035import org.apache.directory.server.ldap.LdapSession; 036import org.apache.directory.server.ldap.handlers.sasl.AbstractSaslServer; 037import org.apache.directory.server.ldap.handlers.sasl.SaslConstants; 038 039 040/** 041 * A SaslServer implementation for NTLM based SASL mechanism. This is 042 * required unfortunately because the JDK's SASL provider does not support 043 * this mechanism. 044 * 045 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> 046 */ 047public class NtlmSaslServer extends AbstractSaslServer 048{ 049 /** The different states during a NTLM negotiation */ 050 enum NegotiationState 051 { 052 INITIALIZED, TYPE_1_RECEIVED, TYPE_2_SENT, TYPE_3_RECEIVED, COMPLETED 053 } 054 055 /** The current state */ 056 private NegotiationState state = NegotiationState.INITIALIZED; 057 private final NtlmProvider provider; 058 059 060 public NtlmSaslServer( NtlmProvider provider, BindRequest bindRequest, LdapSession ldapSession, 061 CoreSession adminSession ) 062 { 063 super( ldapSession, adminSession, bindRequest ); 064 this.provider = provider; 065 } 066 067 068 /** 069 * {@inheritDoc} 070 */ 071 public String getMechanismName() 072 { 073 return SupportedSaslMechanisms.NTLM; 074 } 075 076 077 protected void responseRecieved() 078 { 079 switch ( state ) 080 { 081 case INITIALIZED: 082 state = NegotiationState.TYPE_1_RECEIVED; 083 break; 084 085 case TYPE_1_RECEIVED: 086 throw new IllegalStateException( I18n.err( I18n.ERR_660 ) ); 087 088 case TYPE_2_SENT: 089 state = NegotiationState.TYPE_3_RECEIVED; 090 break; 091 092 case TYPE_3_RECEIVED: 093 throw new IllegalStateException( I18n.err( I18n.ERR_661 ) ); 094 095 case COMPLETED: 096 throw new IllegalStateException( I18n.err( I18n.ERR_662 ) ); 097 098 default: 099 throw new IllegalStateException( "Unexpected negotiation state " + state ); 100 } 101 } 102 103 104 protected void responseSent() 105 { 106 switch ( state ) 107 { 108 case INITIALIZED: 109 throw new IllegalStateException( I18n.err( I18n.ERR_663 ) ); 110 111 case TYPE_1_RECEIVED: 112 state = NegotiationState.TYPE_2_SENT; 113 break; 114 115 case TYPE_2_SENT: 116 throw new IllegalStateException( I18n.err( I18n.ERR_664 ) ); 117 118 case TYPE_3_RECEIVED: 119 state = NegotiationState.COMPLETED; 120 break; 121 122 case COMPLETED: 123 throw new IllegalStateException( I18n.err( I18n.ERR_662 ) ); 124 125 default: 126 throw new IllegalStateException( "Unexpected negotiation state " + state ); 127 } 128 } 129 130 131 /** 132 * {@inheritDoc} 133 */ 134 public byte[] evaluateResponse( byte[] response ) throws SaslException 135 { 136 if ( response == null ) 137 { 138 throw new IllegalArgumentException( I18n.err( I18n.ERR_666 ) ); 139 } 140 141 if ( response.length == 0 ) 142 { 143 throw new IllegalArgumentException( I18n.err( I18n.ERR_667 ) ); 144 } 145 146 responseRecieved(); 147 byte[] retval = null; 148 149 switch ( state ) 150 { 151 case TYPE_1_RECEIVED: 152 try 153 { 154 retval = provider.generateChallenge( getLdapSession().getIoSession(), response ); 155 } 156 catch ( Exception e ) 157 { 158 throw new SaslException( I18n.err( I18n.ERR_668 ), e ); 159 } 160 161 break; 162 163 case TYPE_3_RECEIVED: 164 boolean result; 165 try 166 { 167 result = provider.authenticate( getLdapSession().getIoSession(), response ); 168 Dn dn = getBindRequest().getDn(); 169 170 if ( dn == null ) 171 { 172 dn = new Dn( getLdapSession().getLdapServer().getDirectoryService().getSchemaManager() ); 173 } 174 else if ( !dn.isSchemaAware() ) 175 { 176 dn = new Dn( getLdapSession().getLdapServer().getDirectoryService().getSchemaManager(), dn ); 177 } 178 179 LdapPrincipal ldapPrincipal = new LdapPrincipal( getAdminSession().getDirectoryService() 180 .getSchemaManager(), 181 dn, AuthenticationLevel.STRONG ); 182 getLdapSession().putSaslProperty( SaslConstants.SASL_AUTHENT_USER, ldapPrincipal ); 183 getLdapSession() 184 .putSaslProperty( Context.SECURITY_PRINCIPAL, getBindRequest().getName() ); 185 } 186 catch ( Exception e ) 187 { 188 throw new SaslException( I18n.err( I18n.ERR_669 ), e ); 189 } 190 191 if ( !result ) 192 { 193 throw new SaslException( I18n.err( I18n.ERR_670 ) ); 194 } 195 196 break; 197 198 case INITIALIZED: 199 case TYPE_2_SENT: 200 case COMPLETED: 201 default: 202 throw new IllegalStateException( "Unexpected negotiation state " + state ); 203 } 204 205 responseSent(); 206 return retval; 207 } 208 209 210 /** 211 * Try to authenticate the usr against the underlying LDAP server. 212 */ 213 private CoreSession authenticate( String user, String password ) throws Exception 214 { 215 BindOperationContext bindContext = new BindOperationContext( getLdapSession().getCoreSession() ); 216 bindContext.setDn( new Dn( user ) ); 217 bindContext.setCredentials( Strings.getBytesUtf8( password ) ); 218 219 getAdminSession().getDirectoryService().getOperationManager().bind( bindContext ); 220 221 return bindContext.getSession(); 222 } 223 224 225 /** 226 * {@inheritDoc} 227 */ 228 public boolean isComplete() 229 { 230 return state == NegotiationState.COMPLETED; 231 } 232}