From 5da7c7e5999872857aa19930901a4cc7cb324454 Mon Sep 17 00:00:00 2001
From: Matthew Swift <matthew.swift@forgerock.com>
Date: Mon, 12 Sep 2011 09:46:42 +0000
Subject: [PATCH] Issue OPENDJ-262: Implement pass through authentication (PTA)
---
opends/src/server/org/opends/server/extensions/LDAPPassThroughAuthenticationPolicyFactory.java | 49 +++++++++++++++++++++++++++++++++++++++++++++----
1 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/opends/src/server/org/opends/server/extensions/LDAPPassThroughAuthenticationPolicyFactory.java b/opends/src/server/org/opends/server/extensions/LDAPPassThroughAuthenticationPolicyFactory.java
index ad6ae4c..d4f332b 100644
--- a/opends/src/server/org/opends/server/extensions/LDAPPassThroughAuthenticationPolicyFactory.java
+++ b/opends/src/server/org/opends/server/extensions/LDAPPassThroughAuthenticationPolicyFactory.java
@@ -80,7 +80,6 @@
// TODO: handle password policy response controls? AD?
// TODO: periodically ping offline servers in order to detect when they come
// back.
- // FIXME: validate host/port (check port in range).
/**
* An LDAP connection which will be used in order to search for or
@@ -1637,8 +1636,8 @@
final LDAPPassThroughAuthenticationPolicyCfg configuration,
final List<Message> unacceptableReasons)
{
- // The configuration is always valid.
- return true;
+ return LDAPPassThroughAuthenticationPolicyFactory.this
+ .isConfigurationAcceptable(configuration, unacceptableReasons);
}
@@ -1674,6 +1673,11 @@
{
this.configuration = configuration;
+ // Use two pools per server: one for authentication (bind) and one for
+ // searches. Even if the searches are performed anonymously we cannot use
+ // the same pool, otherwise they will be performed as the most recently
+ // authenticated user.
+
// Create load-balancers for primary servers.
final LoadBalancer primarySearchLoadBalancer;
final LoadBalancer primaryBindLoadBalancer;
@@ -1858,7 +1862,44 @@
final LDAPPassThroughAuthenticationPolicyCfg configuration,
final List<Message> unacceptableReasons)
{
- // The configuration is always valid.
+ // Check that the port numbers are valid. We won't actually try and connect
+ // to the server since they may not be available (hence we have fail-over
+ // capabilities).
+ boolean configurationIsAcceptable = true;
+
+ for (String hostPort : configuration.getPrimaryRemoteLDAPServer())
+ {
+ configurationIsAcceptable &= isServerAddressValid(configuration,
+ unacceptableReasons, hostPort);
+ }
+
+ for (String hostPort : configuration.getSecondaryRemoteLDAPServer())
+ {
+ configurationIsAcceptable &= isServerAddressValid(configuration,
+ unacceptableReasons, hostPort);
+ }
+
+ return configurationIsAcceptable;
+ }
+
+
+
+ private static boolean isServerAddressValid(
+ final LDAPPassThroughAuthenticationPolicyCfg configuration,
+ final List<Message> unacceptableReasons, String hostPort)
+ {
+ final int colonIndex = hostPort.lastIndexOf(":");
+ final int port = Integer.parseInt(hostPort.substring(colonIndex + 1));
+ if (port < 1 || port > 65535)
+ {
+ if (unacceptableReasons != null)
+ {
+ Message msg = ERR_LDAP_PTA_INVALID_PORT_NUMBER.get(
+ String.valueOf(configuration.dn()), hostPort);
+ unacceptableReasons.add(msg);
+ }
+ return false;
+ }
return true;
}
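Review bot: `Integer.parseInt(hostPort.substring(colonIndex + 1))` in the new isServerAddressValid throws an unchecked NumberFormatException for a value with no colon (lastIndexOf returns -1, so the whole string is parsed) or a non-numeric port, and that exception propagates out of isConfigurationAcceptable instead of being reported through unacceptableReasons as the method's contract intends. Guard the parse so a missing or malformed port is folded into the existing out-of-range branch and produces ERR_LDAP_PTA_INVALID_PORT_NUMBER like any other bad port; `hostPort` should also be `final` for consistency with the other parameters. Note that the check only looks at the port: an empty host (`:389`), and presumably an unbracketed IPv6 literal where lastIndexOf(":") would pick up part of the address, still pass validation — worth a follow-up or at least a comment such as `// Only the port is validated here; the host is not checked until connection time.` The enclosing isConfigurationAcceptable method at the top of the hunk starts outside it.
```java
  private static boolean isServerAddressValid(
      final LDAPPassThroughAuthenticationPolicyCfg configuration,
      final List<Message> unacceptableReasons, final String hostPort)
  {
    final int colonIndex = hostPort.lastIndexOf(":");
    int port = -1; // out of range until a numeric port is parsed
    if (colonIndex >= 0)
    {
      try
      {
        port = Integer.parseInt(hostPort.substring(colonIndex + 1));
      }
      catch (final NumberFormatException ignored)
      {
        // Non-numeric port: leave port out of range so it is reported below.
      }
    }
    if (port < 1 || port > 65535)
    {
      // … unchanged: add ERR_LDAP_PTA_INVALID_PORT_NUMBER to unacceptableReasons …
      return false;
    }
    return true;
  }
```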
--
Gitblit v1.10.0