首頁 探索 說明
登入
RONCC
/
Big-Data-HPC-Platform
關註 1
讚好 0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
瀏覽代碼

HPCC-20241 Retrieve User Details from LDAP server

In session based ESP, the ISecUser may not contains the User
Details because ESP does not authenticate every request and
the User Details are not filled in. WsAccount should retrieve
User Details directly from LDAP server.

Signed-off-by: wangkx <kevin.wang@lexisnexis.com>
wangkx 6 年之前
父節點
88eda098e4
當前提交
d74ed0ef38
共有 2 個文件被更改,包括 36 次插入2 次删除
統一視圖 顯示文件統計
  1. 13 1
      esp/services/ws_account/ws_accountService.cpp
  2. 23 1
      system/security/LdapSecurity/ldapconnection.cpp

+ 13 - 1
esp/services/ws_account/ws_accountService.cpp
查看文件 

@@ -150,7 +150,19 @@ bool Cws_accountEx::onMyAccount(IEspContext &context, IEspMyAccountRequest &req,
 
 {
 
 {
 
     try
 
     try
 
     {
 
     {
 
-        ISecUser* user = context.queryUser();
 
+        ISecUser* userInContext = context.queryUser();
 
+        if (!userInContext)
 
+            throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, "User not set in EspContext");
 
+
 
+        CLdapSecManager* secmgr = dynamic_cast<CLdapSecManager*>(context.querySecManager());
 
+        if (!secmgr)
 
+        {
 
+            resp.setUsername(userInContext->getName());
 
+            return true;
 
+        }
 
+
 
+        const char* userName = userInContext->getName();
 
+        Owned<ISecUser> user = secmgr->findUser(userName);
 
         if(user != NULL)
 
         if(user != NULL)
 
         {
 
         {
 
             CDateTime dt;
 
             CDateTime dt;

+ 23 - 1
system/security/LdapSecurity/ldapconnection.cpp
查看文件 

@@ -2040,7 +2040,7 @@ public:
 
             Owned<ILdapConnection> lconn = m_connections->getConnection();
 
             Owned<ILdapConnection> lconn = m_connections->getConnection();
 
             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
 
             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
 
 
 
-            char        *attrs[] = {"cn", "givenName", "sn", "gidnumber", "uidnumber", "homedirectory", "loginshell", "objectClass", "employeeId", NULL};
 
+            char        *attrs[] = {"cn", "givenName", "sn", "gidnumber", "uidnumber", "homedirectory", "loginshell", "objectClass", "employeeId", "distinguishedName", "userAccountControl", "pwdLastSet", NULL};
 
             CLDAPMessage searchResult;
 
             CLDAPMessage searchResult;
 
             int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult.msg );
 
             int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult.msg );
 
 
 
@@ -2050,6 +2050,7 @@ public:
 
                 return false;
 
                 return false;
 
             }
 
             }
 
 
 
+            bool accountPwdNeverExpires = false;
 
             ((CLdapSecUser*)&user)->setPosixenabled(false);
 
             ((CLdapSecUser*)&user)->setPosixenabled(false);
 
             // Go through the search results by checking message types
 
             // Go through the search results by checking message types
 
             for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
 
             for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
 
@@ -2076,6 +2077,27 @@ public:
 
                             ((CLdapSecUser*)&user)->setHomedirectory(vals.queryCharValue(0));
 
                             ((CLdapSecUser*)&user)->setHomedirectory(vals.queryCharValue(0));
 
                         else if(stricmp(attribute, "loginshell") == 0)
 
                         else if(stricmp(attribute, "loginshell") == 0)
 
                             ((CLdapSecUser*)&user)->setLoginshell(vals.queryCharValue(0));
 
                             ((CLdapSecUser*)&user)->setLoginshell(vals.queryCharValue(0));
 
+                        else if(stricmp(attribute, "distinguishedName") == 0)
 
+                            ((CLdapSecUser*)&user)->setDistinguishedName(vals.queryCharValue(0));
 
+                        else if((stricmp(attribute, "userAccountControl") == 0))
 
+                        {
 
+                            //UF_DONT_EXPIRE_PASSWD 0x10000
 
+                            CLDAPGetValuesLenWrapper vals(ld, message, attribute);
 
+                            if (vals.hasValues())
 
+                                if (atoi((char*)vals.queryCharValue(0)) & 0x10000)//this can be true at the account level, even if domain policy requires password
 
+                                    accountPwdNeverExpires = true;
 
+                        }
 
+                        else if(stricmp(attribute, "pwdLastSet") == 0)
 
+                        {
 
+                            CLDAPGetValuesLenWrapper valsLen(ld, message, attribute);
 
+                            if (!m_domainPwdsNeverExpire && !accountPwdNeverExpires && valsLen.hasValues())
 
+                            {
 
+                                CDateTime expiry;
 
+                                char * val = (char*)valsLen.queryCharValue(0);
 
+                                calcPWExpiry(expiry, (unsigned)strlen(val), val);
 
+                                ((CLdapSecUser*)&user)->setPasswordExpiration(expiry);
 
+                            }
 
+                        }
 
                         else if(stricmp(attribute, "objectClass") == 0)
 
                         else if(stricmp(attribute, "objectClass") == 0)
 
                         {
 
                         {
 
                             int valind = 0;
 
                             int valind = 0;