Source code

001/*
002 *  Licensed to the Apache Software Foundation (ASF) under one
003 *  or more contributor license agreements.  See the NOTICE file
004 *  distributed with this work for additional information
005 *  regarding copyright ownership.  The ASF licenses this file
006 *  to you under the Apache License, Version 2.0 (the
007 *  "License"); you may not use this file except in compliance
008 *  with the License.  You may obtain a copy of the License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 *  Unless required by applicable law or agreed to in writing,
013 *  software distributed under the License is distributed on an
014 *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 *  KIND, either express or implied.  See the License for the
016 *  specific language governing permissions and limitations
017 *  under the License.
018 *
019 */
020package org.apache.directory.server.ldap.handlers.sasl.ntlm;
021
022
023import javax.naming.Context;
024import javax.security.sasl.SaslException;
025
026import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
027import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
028import org.apache.directory.api.ldap.model.message.BindRequest;
029import org.apache.directory.api.ldap.model.name.Dn;
030import org.apache.directory.api.util.Strings;
031import org.apache.directory.server.core.api.CoreSession;
032import org.apache.directory.server.core.api.LdapPrincipal;
033import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
034import org.apache.directory.server.i18n.I18n;
035import org.apache.directory.server.ldap.LdapSession;
036import org.apache.directory.server.ldap.handlers.sasl.AbstractSaslServer;
037import org.apache.directory.server.ldap.handlers.sasl.SaslConstants;
038
039
040/**
041 * A SaslServer implementation for NTLM based SASL mechanism.  This is
042 * required unfortunately because the JDK's SASL provider does not support
043 * this mechanism.
044 *
045 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
046 */
047public class NtlmSaslServer extends AbstractSaslServer
048{
049    /** The different states during a NTLM negotiation */
050    enum NegotiationState
051    {
052        INITIALIZED, TYPE_1_RECEIVED, TYPE_2_SENT, TYPE_3_RECEIVED, COMPLETED
053    }
054
055    /** The current state */
056    private NegotiationState state = NegotiationState.INITIALIZED;
057    private final NtlmProvider provider;
058
059
060    public NtlmSaslServer( NtlmProvider provider, BindRequest bindRequest, LdapSession ldapSession,
061        CoreSession adminSession )
062    {
063        super( ldapSession, adminSession, bindRequest );
064        this.provider = provider;
065    }
066
067
068    /**
069     * {@inheritDoc}
070     */
071    public String getMechanismName()
072    {
073        return SupportedSaslMechanisms.NTLM;
074    }
075
076
077    protected void responseRecieved()
078    {
079        switch ( state )
080        {
081            case INITIALIZED:
082                state = NegotiationState.TYPE_1_RECEIVED;
083                break;
084
085            case TYPE_1_RECEIVED:
086                throw new IllegalStateException( I18n.err( I18n.ERR_660 ) );
087
088            case TYPE_2_SENT:
089                state = NegotiationState.TYPE_3_RECEIVED;
090                break;
091
092            case TYPE_3_RECEIVED:
093                throw new IllegalStateException( I18n.err( I18n.ERR_661 ) );
094
095            case COMPLETED:
096                throw new IllegalStateException( I18n.err( I18n.ERR_662 ) );
097
098            default:
099                throw new IllegalStateException( "Unexpected negotiation state " + state );
100        }
101    }
102
103
104    protected void responseSent()
105    {
106        switch ( state )
107        {
108            case INITIALIZED:
109                throw new IllegalStateException( I18n.err( I18n.ERR_663 ) );
110
111            case TYPE_1_RECEIVED:
112                state = NegotiationState.TYPE_2_SENT;
113                break;
114
115            case TYPE_2_SENT:
116                throw new IllegalStateException( I18n.err( I18n.ERR_664 ) );
117
118            case TYPE_3_RECEIVED:
119                state = NegotiationState.COMPLETED;
120                break;
121
122            case COMPLETED:
123                throw new IllegalStateException( I18n.err( I18n.ERR_662 ) );
124
125            default:
126                throw new IllegalStateException( "Unexpected negotiation state " + state );
127        }
128    }
129
130
131    /**
132     * {@inheritDoc}
133     */
134    public byte[] evaluateResponse( byte[] response ) throws SaslException
135    {
136        if ( response == null )
137        {
138            throw new IllegalArgumentException( I18n.err( I18n.ERR_666 ) );
139        }
140
141        if ( response.length == 0 )
142        {
143            throw new IllegalArgumentException( I18n.err( I18n.ERR_667 ) );
144        }
145
146        responseRecieved();
147        byte[] retval = null;
148
149        switch ( state )
150        {
151            case TYPE_1_RECEIVED:
152                try
153                {
154                    retval = provider.generateChallenge( getLdapSession().getIoSession(), response );
155                }
156                catch ( Exception e )
157                {
158                    throw new SaslException( I18n.err( I18n.ERR_668 ), e );
159                }
160
161                break;
162
163            case TYPE_3_RECEIVED:
164                boolean result;
165                try
166                {
167                    result = provider.authenticate( getLdapSession().getIoSession(), response );
168                    Dn dn = getBindRequest().getDn();
169                    
170                    if ( dn == null )
171                    {
172                        dn = new Dn( getLdapSession().getLdapServer().getDirectoryService().getSchemaManager() );
173                    }
174                    else if ( !dn.isSchemaAware() ) 
175                    {
176                        dn = new Dn( getLdapSession().getLdapServer().getDirectoryService().getSchemaManager(), dn );
177                    }
178                    
179                    LdapPrincipal ldapPrincipal = new LdapPrincipal( getAdminSession().getDirectoryService()
180                        .getSchemaManager(),
181                        dn, AuthenticationLevel.STRONG );
182                    getLdapSession().putSaslProperty( SaslConstants.SASL_AUTHENT_USER, ldapPrincipal );
183                    getLdapSession()
184                        .putSaslProperty( Context.SECURITY_PRINCIPAL, getBindRequest().getName() );
185                }
186                catch ( Exception e )
187                {
188                    throw new SaslException( I18n.err( I18n.ERR_669 ), e );
189                }
190
191                if ( !result )
192                {
193                    throw new SaslException( I18n.err( I18n.ERR_670 ) );
194                }
195
196                break;
197
198            case INITIALIZED:
199            case TYPE_2_SENT:
200            case COMPLETED:
201            default:
202                throw new IllegalStateException( "Unexpected negotiation state " + state );
203        }
204
205        responseSent();
206        return retval;
207    }
208
209
210    /**
211     * Try to authenticate the usr against the underlying LDAP server.
212     */
213    private CoreSession authenticate( String user, String password ) throws Exception
214    {
215        BindOperationContext bindContext = new BindOperationContext( getLdapSession().getCoreSession() );
216        bindContext.setDn( new Dn( user ) );
217        bindContext.setCredentials( Strings.getBytesUtf8( password ) );
218
219        getAdminSession().getDirectoryService().getOperationManager().bind( bindContext );
220
221        return bindContext.getSession();
222    }
223
224
225    /**
226     * {@inheritDoc}
227     */
228    public boolean isComplete()
229    {
230        return state == NegotiationState.COMPLETED;
231    }
232}