Add binding for LDAP & AD authentication (#722)

Author: maximthomas

openam-authentication/openam-auth-ad/src/main/java/com/sun/identity/authentication/modules/ad/AD.java

@@ -24,6 +24,7 @@
  *
  * $Id: AD.java,v 1.3 2008/06/25 05:41:55 qcheng Exp $
  *
+ *  Portions Copyrighted 2024 3A Systems LLC
  */
 
 
@@ -77,6 +78,10 @@ public boolean initializeLDAP() throws AuthLoginException{
         }
 
         ldapUtil.setAD(true);
+
+        String bindingUserDomain = CollectionHelper.getMapAttr(currentConfig, "openam-binding-user-domain");
+        ldapUtil.setBindingUserDomain(bindingUserDomain);
+
         return returnValue;
     }
 }

openam-authentication/openam-auth-ad/src/main/resources/amAuthAD.properties

@@ -27,6 +27,7 @@
 #
 # Portions Copyrighted 2011-2016 ForgeRock AS.
 # Portions Copyrighted 2012 Open Source Solution Technology Corporation
+# Portions Copyrighted 2024 3A Systems LLC
 
 onlinehelp.doc=adauth.html
 authentication=Authentication Modules
@@ -68,6 +69,8 @@ server. A single entry must be in the format:<br/><br/><code>server:port</code><
 Multiple entries allow associations between OpenAM servers and an Active Directory server. \
 The format is:<br/><br/><code>local server name | server:port</code><br/><br/>\
 <i>NB </i>The local server name is the full name of the server from the list of servers and sites.
+a1021=Users Domain
+a1021.help=If set appended to a username via `@` symbol for authentication
 a103=DN to Start User Search
 a103.help=The search for accounts to be authenticated start from this base DN 
 a103.help.txt=For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search \
@@ -76,7 +79,8 @@ The format is as follows:<br/><br/><code>local server name | search DN</code><br
 a104=Bind User DN
 a104.help=The DN of an admin user used by the module to authentication to the LDAP server
 a104.help.txt=The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/>\
-<i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.
+<i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.<br/><br/>\
+If empty, using LDAP bind request for authentication.
 a104.help.uri=#tbd
 a105=Bind User Password
 a105.help=The password of the administration account.

openam-authentication/openam-auth-ad/src/main/resources/amAuthAD.xml

@@ -27,6 +27,7 @@
     $Id: amAuthAD.xml,v 1.5 2008/06/25 05:45:41 qcheng Exp $
 
     Portions Copyrighted 2013-2016 ForgeRock AS.
+    Portions Copyrighted 2024 3A Systems LLC
 -->
 
 <!DOCTYPE ServicesConfiguration
@@ -38,7 +39,7 @@
         <Schema
             serviceHierarchy="/DSAMEConfig/authentication/sunAMAuthADService"
             i18nFileName="amAuthAD"
-            revisionNumber="30"
+            revisionNumber="31"
             i18nKey="sunAMAuthADServiceDescription"
             resourceName="activedirectory">
 
@@ -60,24 +61,31 @@
                     order="200"
                     resourceName="secondaryLdapServer">
                 </AttributeSchema>
+                <AttributeSchema name="openam-binding-user-domain"
+                                 type="single"
+                                 syntax="string"
+                                 i18nKey="a1021"
+                                 order="210"
+                                 resourceName="userDomain">
+                </AttributeSchema>
                 <AttributeSchema name="iplanet-am-auth-ldap-base-dn"
                     type="list"
                     syntax="dn"
                     i18nKey="a103"
                     order="300"
-                                 resourceName="userSearchStartDN">
+                    resourceName="userSearchStartDN">
                     <DefaultValues>
                         <Value>@UM_NORMALIZED_ORGBASE@</Value>
                     </DefaultValues>
                 </AttributeSchema>
                 <AttributeSchema name="iplanet-am-auth-ldap-bind-dn"
                     type="single"
-                    syntax="dn"
+                    syntax="string"
                     i18nKey="a104"
                     order="400"
                     resourceName="userBindDN">
                     <DefaultValues>
-                        <Value>@UM_DS_DIRMGRDN@</Value>
+                        <Value></Value>
                     </DefaultValues>
                 </AttributeSchema>
                 <AttributeSchema name="iplanet-am-auth-ldap-bind-passwd"
@@ -94,7 +102,7 @@
                     order="600"
                     resourceName="userProfileRetrievalAttribute">
                     <DefaultValues>
-                        <Value>@USER_NAMING_ATTR@</Value>
+                        <Value>sAMAccountName</Value>
                     </DefaultValues>
                 </AttributeSchema>
                 <AttributeSchema name="iplanet-am-auth-ldap-user-search-attributes"
@@ -104,7 +112,7 @@
                     order="700"
                     resourceName="userSearchAttributes">
                     <DefaultValues>
-                        <Value>@USER_NAMING_ATTR@</Value>
+                        <Value>sAMAccountName</Value>
                     </DefaultValues>
                 </AttributeSchema>
                 <AttributeSchema name="iplanet-am-auth-ldap-search-filter"
@@ -249,7 +257,7 @@
                         order="100"
                         resourceName="primaryLdapServer">
                         <DefaultValues>
-                            <Value>@UM_DIRECTORY_SERVER@:@UM_DIRECTORY_PORT@</Value>
+                            <Value></Value>
                         </DefaultValues>
                     </AttributeSchema>
                     <AttributeSchema name="iplanet-am-auth-ldap-server2"
@@ -259,6 +267,13 @@
                         order="200"
                         resourceName="secondaryLdapServer">
                     </AttributeSchema>
+                    <AttributeSchema name="openam-binding-user-domain"
+                                     type="single"
+                                     syntax="string"
+                                     i18nKey="a1021"
+                                     order="210"
+                                     resourceName="userDomain">
+                    </AttributeSchema>
                     <AttributeSchema name="iplanet-am-auth-ldap-base-dn"
                         type="list"
                         syntax="dn"
@@ -271,12 +286,12 @@
                     </AttributeSchema>
                     <AttributeSchema name="iplanet-am-auth-ldap-bind-dn"
                         type="single"
-                        syntax="dn"
+                        syntax="string"
                         i18nKey="a104"
                         order="400"
                         resourceName="userBindDN">
                         <DefaultValues>
-                            <Value>@UM_DS_DIRMGRDN@</Value>
+                            <Value></Value>
                         </DefaultValues>
                     </AttributeSchema>
                     <AttributeSchema name="iplanet-am-auth-ldap-bind-passwd"
@@ -293,7 +308,7 @@
                         order="600"
                         resourceName="userProfileRetrievalAttribute">
                         <DefaultValues>
-                            <Value>@USER_NAMING_ATTR@</Value>
+                            <Value>sAMAccountName</Value>
                         </DefaultValues>
                     </AttributeSchema>
                     <AttributeSchema name="iplanet-am-auth-ldap-user-search-attributes"
@@ -303,7 +318,7 @@
                         order="700"
                         resourceName="userSearchAttributes">
                         <DefaultValues>
-                            <Value>@USER_NAMING_ATTR@</Value>
+                            <Value>sAMAccountName</Value>
                         </DefaultValues>
                     </AttributeSchema>
                     <AttributeSchema name="iplanet-am-auth-ldap-search-filter"

openam-authentication/openam-auth-ldap/src/main/java/com/sun/identity/authentication/modules/ldap/LDAP.java

@@ -26,6 +26,7 @@
  *
  * Portions Copyrighted 2010-2016 ForgeRock AS.
  * Portions Copyrighted 2019 Open Source Solution Technology Corporation
+ * Portions Copyrighted 2024 3A Systems LLC
  */
 
 package com.sun.identity.authentication.modules.ldap;
@@ -56,6 +57,7 @@
 import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 
+import org.apache.commons.lang.StringUtils;
 import org.forgerock.openam.ldap.LDAPAuthUtils;
 import org.forgerock.openam.ldap.LDAPUtilException;
 import org.forgerock.openam.ldap.ModuleState;
@@ -86,6 +88,8 @@ public class LDAP extends AMLoginModule {
     private String regEx;
     private String currentConfigName;
     private String bindDN;
+
+    private Boolean useBindingForAuth = false;
     private String protocolVersion;
     private int currentState;
     protected LDAPAuthUtils ldapUtil;
@@ -113,7 +117,7 @@ enum LoginScreen {
         ACCOUNT_LOCKED(5, "accountLocked");
 
         private static final Map<Integer,LoginScreen> lookup =
-                new HashMap<Integer,LoginScreen>();
+                new HashMap<>();
 
         static {
             for(LoginScreen ls : EnumSet.allOf(LoginScreen.class)) {
@@ -180,9 +184,6 @@ public boolean initializeLDAP() throws AuthLoginException {
 
             String baseDN = CollectionHelper.getServerMapAttr(
                 currentConfig, "iplanet-am-auth-ldap-base-dn");
-            if (baseDN == null) {
-                debug.error("BaseDN for search was null");
-            }
 
             String pLen = CollectionHelper.getMapAttr(currentConfig,
                 "iplanet-am-auth-ldap-min-password-length");
@@ -193,8 +194,14 @@ public boolean initializeLDAP() throws AuthLoginException {
                     debug.error("LDAP.initializeLDAP : " + pLen, ex);
                 }
             }
-            bindDN = CollectionHelper.getMapAttr(currentConfig,
-                "iplanet-am-auth-ldap-bind-dn", "");
+
+            bindDN = CollectionHelper.getMapAttr(currentConfig, "iplanet-am-auth-ldap-bind-dn", "");
+
+            useBindingForAuth = StringUtils.isEmpty(bindDN);
+            if (baseDN == null && !useBindingForAuth) {
+                debug.error("BaseDN for search was null");
+            }
+
             char[] bindPassword = CollectionHelper.getMapAttr(
                 currentConfig, "iplanet-am-auth-ldap-bind-passwd", "").toCharArray();
             String userNamingAttr = CollectionHelper.getMapAttr(
@@ -255,7 +262,7 @@ public boolean initializeLDAP() throws AuthLoginException {
 
             isProfileCreationEnabled = isDynamicProfileCreationEnabled();
             // set the optional attributes here
-            ldapUtil = new LDAPAuthUtils(primaryServers, secondaryServers, isSecure, bundle, baseDN, debug);
+            ldapUtil = new LDAPAuthUtils(primaryServers, secondaryServers, isSecure, bundle, baseDN, useBindingForAuth, debug);
             ldapUtil.setScope(searchScope);
             ldapUtil.setFilter(searchFilter);
             ldapUtil.setUserNamingAttribute(userNamingAttr);
@@ -273,9 +280,11 @@ public boolean initializeLDAP() throws AuthLoginException {
             ldapUtil.setHeartBeatTimeUnit(heartBeatTimeUnit);
             ldapUtil.setOperationTimeout(operationTimeout);
             ldapUtil.setProtocolVersion(protocolVersion);
+            ldapUtil.setUseBindingForAuth(useBindingForAuth);
 
             if (debug.messageEnabled()) {
                 debug.message("bindDN-> " + bindDN
+                        + "\nuseBindingForAuth-> " + useBindingForAuth
                         + "\nrequiredPasswordLength-> " + requiredPasswordLength
                         + "\nbaseDN-> " + baseDN
                         + "\nuserNamingAttr-> " + userNamingAttr

openam-authentication/openam-auth-ldap/src/main/resources/amAuthLDAP.properties

@@ -26,6 +26,7 @@
 #
 # Portions Copyrighted 2011-2016 ForgeRock AS.
 # Portions Copyrighted 2012-2019 Open Source Solution Technology Corporation
+# Portions Copyrighted 2024 3A Systems LLC
 
 onlinehelp.doc=ldapauth.html
 authentication=Authentication Modules

openam-authentication/openam-auth-ldap/src/main/resources/amAuthLDAP.xml

@@ -28,6 +28,7 @@
 
     Portions Copyrighted 2011-2016 ForgeRock AS.
     Portions Copyrighted 2019 Open Source Solution Technology Corporation
+    Portions Copyrighted 2024 3A Systems LLC
 -->
 
 <!DOCTYPE ServicesConfiguration