From 3783f3982200f058abdb94e728e63159b02b1dea Mon Sep 17 00:00:00 2001
From: Jean-Noel Rouvignac <jean-noel.rouvignac@forgerock.com>
Date: Thu, 07 Mar 2013 09:02:37 +0000
Subject: [PATCH] OPENDJ-655 Message about authentication failures should contain identification of the user for easier analysis.
---
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java | 293 ++++++++++++++++++++--------------------------------------
1 files changed, 101 insertions(+), 192 deletions(-)
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
index 1e3e210..41fccaa 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
@@ -29,11 +29,12 @@
-import java.util.Iterator;
import java.util.List;
import java.util.concurrent.locks.Lock;
import org.opends.messages.Message;
+import org.opends.messages.MessageDescriptor.Arg1;
+import org.opends.messages.MessageDescriptor.Arg2;
import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn;
import org.opends.server.api.*;
import org.opends.server.api.plugin.PluginResult;
@@ -608,36 +609,8 @@
if (policy.getLockoutFailureCount() > 0)
{
- pwPolicyState.updateAuthFailureTimes();
- if (pwPolicyState.lockedDueToFailures())
- {
- AccountStatusNotificationType notificationType;
- Message m;
-
- boolean tempLocked;
- int lockoutDuration = pwPolicyState.getSecondsUntilUnlock();
- if (lockoutDuration > -1)
- {
- notificationType =
- AccountStatusNotificationType.ACCOUNT_TEMPORARILY_LOCKED;
- tempLocked = true;
-
- m = ERR_BIND_ACCOUNT_TEMPORARILY_LOCKED
- .get(secondsToTimeString(lockoutDuration));
- }
- else
- {
- notificationType =
- AccountStatusNotificationType.ACCOUNT_PERMANENTLY_LOCKED;
- tempLocked = false;
-
- m = ERR_BIND_ACCOUNT_PERMANENTLY_LOCKED.get();
- }
-
- pwPolicyState.generateAccountStatusNotification(notificationType,
- userEntry, m, AccountStatusNotification.createProperties(
- pwPolicyState, tempLocked, -1, null, null));
- }
+ generateAccountStatusNotificationForLockedBindAccount(userEntry,
+ pwPolicyState);
}
}
}
@@ -871,35 +844,8 @@
if (pwPolicyState.getAuthenticationPolicy()
.getLockoutFailureCount() > 0)
{
- pwPolicyState.updateAuthFailureTimes();
- if (pwPolicyState.lockedDueToFailures())
- {
- AccountStatusNotificationType notificationType;
- boolean tempLocked;
- Message m;
-
- int lockoutDuration = pwPolicyState.getSecondsUntilUnlock();
- if (lockoutDuration > -1)
- {
- notificationType = AccountStatusNotificationType.
- ACCOUNT_TEMPORARILY_LOCKED;
- tempLocked = true;
- m = ERR_BIND_ACCOUNT_TEMPORARILY_LOCKED.get(
- secondsToTimeString(lockoutDuration));
- }
- else
- {
- notificationType =
- AccountStatusNotificationType.ACCOUNT_PERMANENTLY_LOCKED;
- tempLocked = false;
- m = ERR_BIND_ACCOUNT_PERMANENTLY_LOCKED.get();
- }
-
- pwPolicyState.generateAccountStatusNotification(
- notificationType, saslAuthUserEntry, m,
- AccountStatusNotification.createProperties(
- pwPolicyState, tempLocked, -1, null, null));
- }
+ generateAccountStatusNotificationForLockedBindAccount(
+ saslAuthUserEntry, pwPolicyState);
}
}
}
@@ -910,6 +856,41 @@
+ private void generateAccountStatusNotificationForLockedBindAccount(
+ Entry userEntry, PasswordPolicyState pwPolicyState)
+ {
+ pwPolicyState.updateAuthFailureTimes();
+ if (pwPolicyState.lockedDueToFailures())
+ {
+ AccountStatusNotificationType notificationType;
+ boolean tempLocked;
+ Message m;
+
+ int lockoutDuration = pwPolicyState.getSecondsUntilUnlock();
+ if (lockoutDuration > -1)
+ {
+ notificationType =
+ AccountStatusNotificationType.ACCOUNT_TEMPORARILY_LOCKED;
+ tempLocked = true;
+ m =
+ ERR_BIND_ACCOUNT_TEMPORARILY_LOCKED
+ .get(secondsToTimeString(lockoutDuration));
+ }
+ else
+ {
+ notificationType =
+ AccountStatusNotificationType.ACCOUNT_PERMANENTLY_LOCKED;
+ tempLocked = false;
+ m = ERR_BIND_ACCOUNT_PERMANENTLY_LOCKED.get();
+ }
+
+ pwPolicyState.generateAccountStatusNotification(notificationType,
+ userEntry, m, AccountStatusNotification.createProperties(
+ pwPolicyState, tempLocked, -1, null, null));
+ }
+ }
+
+
private boolean invokePreOpPlugins()
{
executePostOpPlugins = true;
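Review bot: The helper's name says it generates a notification, but its first statement `pwPolicyState.updateAuthFailureTimes();` records the failed attempt unconditionally, so at both call sites (the hunks at old lines 608 and 871) the call now reads as notification-only while it actually advances the lockout state. Either keep that call at the callers or make the contract explicit with a Javadoc such as `/** Records the authentication failure and, if the policy's failure count is now reached, generates the temporary or permanent ACCOUNT_LOCKED status notification for {@code userEntry}. */`. The commit subject promises user identification in authentication-failure messages, yet the two ERR_BIND_ACCOUNT_*_LOCKED messages here are still built without the user's DN; if that identification was meant to appear in the bind result message rather than only via the userEntry passed to the notification, it is not added by this commit.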
@@ -1161,154 +1142,82 @@
protected void setResourceLimits(Entry userEntry)
{
// See if the user's entry contains a custom size limit.
+ Integer customSizeLimit =
+ getIntegerUserAttribute(userEntry, OP_ATTR_USER_SIZE_LIMIT,
+ WARN_BIND_MULTIPLE_USER_SIZE_LIMITS,
+ WARN_BIND_CANNOT_PROCESS_USER_SIZE_LIMIT);
+ if (customSizeLimit != null)
+ {
+ sizeLimit = customSizeLimit;
+ }
+
+ // See if the user's entry contains a custom time limit.
+ Integer customTimeLimit =
+ getIntegerUserAttribute(userEntry, OP_ATTR_USER_TIME_LIMIT,
+ WARN_BIND_MULTIPLE_USER_TIME_LIMITS,
+ WARN_BIND_CANNOT_PROCESS_USER_TIME_LIMIT);
+ if (customTimeLimit != null)
+ {
+ timeLimit = customTimeLimit;
+ }
+
+ // See if the user's entry contains a custom idle time limit.
+ // idleTimeLimit = 1000L * Long.parseLong(v.getValue().toString());
+ Integer customIdleTimeLimitInSec =
+ getIntegerUserAttribute(userEntry, OP_ATTR_USER_IDLE_TIME_LIMIT,
+ WARN_BIND_MULTIPLE_USER_IDLE_TIME_LIMITS,
+ WARN_BIND_CANNOT_PROCESS_USER_IDLE_TIME_LIMIT);
+ if (customIdleTimeLimitInSec != null)
+ {
+ idleTimeLimit = 1000L * customIdleTimeLimitInSec;
+ }
+
+ // See if the user's entry contains a custom lookthrough limit.
+ Integer customLookthroughLimit =
+ getIntegerUserAttribute(userEntry, OP_ATTR_USER_LOOKTHROUGH_LIMIT,
+ WARN_BIND_MULTIPLE_USER_LOOKTHROUGH_LIMITS,
+ WARN_BIND_CANNOT_PROCESS_USER_LOOKTHROUGH_LIMIT);
+ if (customLookthroughLimit != null)
+ {
+ lookthroughLimit = customLookthroughLimit;
+ }
+ }
+
+ private Integer getIntegerUserAttribute(Entry userEntry,
+ String attributeTypeName,
+ Arg1<CharSequence> nonUniqueAttributeMessage,
+ Arg2<CharSequence, CharSequence> cannotProcessAttributeMessage)
+ {
AttributeType attrType =
- DirectoryServer.getAttributeType(OP_ATTR_USER_SIZE_LIMIT, true);
+ DirectoryServer.getAttributeType(attributeTypeName, true);
List<Attribute> attrList = userEntry.getAttribute(attrType);
if ((attrList != null) && (attrList.size() == 1))
{
Attribute a = attrList.get(0);
- Iterator<AttributeValue> iterator = a.iterator();
- if (iterator.hasNext())
+ if (a.size() == 1)
{
- AttributeValue v = iterator.next();
- if (iterator.hasNext())
+ AttributeValue v = a.iterator().next();
+ try
{
- logError(WARN_BIND_MULTIPLE_USER_SIZE_LIMITS.get(
- String.valueOf(userEntry.getDN())));
+ return Integer.valueOf(v.getValue().toString());
}
- else
+ catch (Exception e)
{
- try
+ if (debugEnabled())
{
- sizeLimit = Integer.parseInt(v.getValue().toString());
+ TRACER.debugCaught(DebugLogLevel.ERROR, e);
}
- catch (Exception e)
- {
- if (debugEnabled())
- {
- TRACER.debugCaught(DebugLogLevel.ERROR, e);
- }
- logError(WARN_BIND_CANNOT_PROCESS_USER_SIZE_LIMIT.get(
- v.getValue().toString(),
- String.valueOf(userEntry.getDN())));
- }
+ logError(cannotProcessAttributeMessage.get(v.getValue().toString(),
+ String.valueOf(userEntry.getDN())));
}
}
- }
-
-
- // See if the user's entry contains a custom time limit.
- attrType = DirectoryServer.getAttributeType(OP_ATTR_USER_TIME_LIMIT, true);
- attrList = userEntry.getAttribute(attrType);
- if ((attrList != null) && (attrList.size() == 1))
- {
- Attribute a = attrList.get(0);
- Iterator<AttributeValue> iterator = a.iterator();
- if (iterator.hasNext())
+ else if (a.size() > 1)
{
- AttributeValue v = iterator.next();
- if (iterator.hasNext())
- {
- logError(WARN_BIND_MULTIPLE_USER_TIME_LIMITS.get(
- String.valueOf(userEntry.getDN())));
- }
- else
- {
- try
- {
- timeLimit = Integer.parseInt(v.getValue().toString());
- }
- catch (Exception e)
- {
- if (debugEnabled())
- {
- TRACER.debugCaught(DebugLogLevel.ERROR, e);
- }
-
- logError(WARN_BIND_CANNOT_PROCESS_USER_TIME_LIMIT.get(
- v.getValue().toString(),
- String.valueOf(userEntry.getDN())));
- }
- }
+ logError(nonUniqueAttributeMessage.get(String
+ .valueOf(userEntry.getDN())));
}
}
-
-
- // See if the user's entry contains a custom idle time limit.
- attrType = DirectoryServer.getAttributeType(OP_ATTR_USER_IDLE_TIME_LIMIT,
- true);
- attrList = userEntry.getAttribute(attrType);
- if ((attrList != null) && (attrList.size() == 1))
- {
- Attribute a = attrList.get(0);
- Iterator<AttributeValue> iterator = a.iterator();
- if (iterator.hasNext())
- {
- AttributeValue v = iterator.next();
- if (iterator.hasNext())
- {
- logError(WARN_BIND_MULTIPLE_USER_IDLE_TIME_LIMITS.get(
- String.valueOf(userEntry.getDN())));
- }
- else
- {
- try
- {
- idleTimeLimit = 1000L * Long.parseLong(v.getValue().toString());
- }
- catch (Exception e)
- {
- if (debugEnabled())
- {
- TRACER.debugCaught(DebugLogLevel.ERROR, e);
- }
-
- logError(WARN_BIND_CANNOT_PROCESS_USER_IDLE_TIME_LIMIT.get(
- v.getValue().toString(),
- String.valueOf(userEntry.getDN())));
- }
- }
- }
- }
-
-
- // See if the user's entry contains a custom lookthrough limit.
- attrType = DirectoryServer.getAttributeType(OP_ATTR_USER_LOOKTHROUGH_LIMIT,
- true);
- attrList = userEntry.getAttribute(attrType);
- if ((attrList != null) && (attrList.size() == 1))
- {
- Attribute a = attrList.get(0);
- Iterator<AttributeValue> iterator = a.iterator();
- if (iterator.hasNext())
- {
- AttributeValue v = iterator.next();
- if (iterator.hasNext())
- {
- logError(WARN_BIND_MULTIPLE_USER_LOOKTHROUGH_LIMITS.get(
- String.valueOf(userEntry.getDN())));
- }
- else
- {
- try
- {
- lookthroughLimit = Integer.parseInt(v.getValue().toString());
- }
- catch (Exception e)
- {
- if (debugEnabled())
- {
- TRACER.debugCaught(DebugLogLevel.ERROR, e);
- }
-
- logError(WARN_BIND_CANNOT_PROCESS_USER_LOOKTHROUGH_LIMIT.get(
- v.getValue().toString(),
- String.valueOf(userEntry.getDN())));
- }
- }
- }
- }
+ return null;
}
}
-
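Review bot: The idle-time branch of setResourceLimits keeps a commented-out copy of the old statement, `// idleTimeLimit = 1000L * Long.parseLong(v.getValue().toString());`, which should be deleted rather than left as dead code; it also hides a real behaviour change, since the attribute is now parsed with `Integer.valueOf` instead of `Long.parseLong`, so a value above Integer.MAX_VALUE seconds that used to be accepted is now logged as unprocessable and ignored. In getIntegerUserAttribute the only exception `Integer.valueOf` raises for bad input is NumberFormatException, so the broad `catch (Exception e)` should become `catch (NumberFormatException e)` to avoid masking unrelated failures. The new private helper also needs a Javadoc stating its null contract: it returns the parsed value only when the attribute is present exactly once with exactly one value, logs `nonUniqueAttributeMessage` when the attribute has several values, logs `cannotProcessAttributeMessage` when the value is not an integer, and returns null in every other case.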
--
Gitblit v1.10.0