3

I am having trouble finding the roles a user belongs to, I've tried the following code and it gives a lot of attributes, but what I am interested in is what roles the user belongs to in a certain app.

The user I am searching for belongs to the following two groups (userrole and adminrole). How do I retreive this information?

DN: cn=userrole,ou=roles,ou=appname,ou=apps,ou=groups,dc=example,dc=no

DN: cn=adminrole,ou=roles,ou=appname,ou=apps,ou=groups,dc=example,dc=no

private final String host = "host.example.com";
private final int port = 389;
private final String bindDn = "uid=appname,ou=systems,dc=example,dc=no";
private final String password = "password";
private final String searchDn = "dc=example,dc=no";

public SearchResultEntry getUserDetails(String username) {
    try {
        final LDAPConnection connection = new LDAPConnection(host, port,
                bindDn, password);
        SearchResult searchResults;
        searchResults = connection.search(searchDn, SearchScope.SUB,
                "(uid=" + username + ")", "+");

        if (searchResults.getEntryCount() == 1) {
            SearchResultEntry entry = searchResults.getSearchEntries().get(
                    0);
            connection.close();
            return entry;
        } else {
            LOGGER.error("NOT FOUND!");
            connection.close();
            return null;
        }
    } catch (LDAPException e) {
        LOGGER.error("Exception");
        return null;
    }
}
kajafls
  • 89
  • 1
  • 2
  • 11

2 Answers2

1

Use the following function. Assumption that you works with SUN LDAP (you use uid):

Edited

private boolean isGroupContainUser(LDAPConnection ldapConnection, String groupDn, String userDn) throws LDAPException {
    boolean ret = false;
    Entry groupEntry = ldapConnection.getEntry(groupDn);

    String[] memberValues = groupEntry.getAttributeValues("uniquemember");
    if (memberValues != null) {
        DN ldapUserDn = new DN(userDn);
        for (String memberEntryDnString : memberValues) {
            DN memberEntryDn = new DN(memberEntryDnString);
            if (memberEntryDn.equals(ldapUserDn)) {
                ret = true;
                break;
            }
        }
    }
    return ret;
}
Michael
  • 10,063
  • 18
  • 65
  • 104
  • 2
    Consider using matching rules instead of `String#equalsIgnoreCase()`. In this case, a DN matching rule. For example, the two DNs `cn=abc, ou=people, dc=example, dc=com` and `cn=abc,ou=people,dc=example,dc=com` are equivalent (differing only in whitespace, which is not significant in a DN) yet `String#equalsIgnoreCase()` would not consider the two DNs to be the same. – Terry Gardner Jul 30 '13 at 13:57
  • Thanks! I have updated the answer. I looked that in the code and see that `Dn.equals` do the job. Correct? – Michael Jul 31 '13 at 07:56
0

The server might support either memberOf or isMemberOf. These are attributes (in most servers these attributes are virtual, that is, they do not occupy any storage and are generated upon client request) whose presence in an object indicates the group membership of the object. Here is an example that assumes the server supports the isMemberOf attribute:

String[] getGroupMembership() {

    try {

        // SSL can be supported by using a SocketFactory
        SocketFactory socketFactory = createSocketFactory();

        LDAPConnectionOptions options = new LDAPConnectionOptions();
        options.setConnectTimeoutMillis(connectTimeoutMillis);

        // Try to connect to a single server. It is also possible to use
        // a 'ServerSet' for support of multiple servers.
        LDAPConnection ldapConnection =
            new LDAPConnection(socketFactory,options,hostname,port,
                userDN,userPassword); 

        try {

            // Some broken directory servers, most notably the old Sun 
            // directory servers, do not support the legal filter "(&)".
            // If this is the case, use the present filter "(objectClass=*)"
            // instead. 
            SearchRequest searchRequest =
               new SearchRequest(userDN,SearchScope.BASE,"(&)","isMemberOf");
            searchRequest.setResponseTimeoutMillis(responseTimeoutMillis);

            SearchResult searchResult = ldapConnection.search(searchRequest);

            if(searchResult.getEntryCount() == 1) {
                Entry entry = searchResult.getSearchEntry(userDN);
                return getAttributeValues("isMemberOf");
           }

        } catch(LDAPException ex) {
            // Handle the exception
        } finally {
            ldapConnection.close();
        }

    } catch(LDAPException ldapException) {
        // Handle the connection exception here
    } 

    return null;
}

see also

robd
  • 9,646
  • 5
  • 40
  • 59
Terry Gardner
  • 10,957
  • 2
  • 28
  • 38
  • What is the best way to solve the problem to find all user groups in LDAP?? As you said, `memberOf` is virtual attribute and not exists in most customer LDAPs. I see only that it is possible to iterate over all groups in LDAP and check if the group `member` attribute (http://tools.ietf.org/html/rfc4519#section-2.17) contains the user DN. It is not so good from the performance point of view. Can you suggest a better solution? – Michael Jul 31 '13 at 11:14
  • 1
    If the server does not support `memberOf` or `isMemberOf`, I cannot think of a better alternative - except to migrate to a server that supports one of those attributes. – Terry Gardner Jul 31 '13 at 17:51