صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
RONCC
/
Big-Data-HPC-Platform
دنبال کردن 1
ستاره دار 0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
فهرست منبع

HPCC-20241 Retrieve User Details from LDAP server

In session based ESP, the ISecUser may not contains the User
Details because ESP does not authenticate every request and
the User Details are not filled in. WsAccount should retrieve
User Details directly from LDAP server.

Signed-off-by: wangkx <kevin.wang@lexisnexis.com>
wangkx 6 سال پیش
والد
88eda098e4
کامیت
d74ed0ef38
2فایلهای تغییر یافته به همراه36 افزوده شده و 2 حذف شده
نمای یکپارچه نمایش آمار تفاوت ها
  1. 13 1
      esp/services/ws_account/ws_accountService.cpp
  2. 23 1
      system/security/LdapSecurity/ldapconnection.cpp

+ 13 - 1
esp/services/ws_account/ws_accountService.cpp
مشاهده فایل 

@@ -150,7 +150,19 @@ bool Cws_accountEx::onMyAccount(IEspContext &context, IEspMyAccountRequest &req,
 
 {
 
 {
 
     try
 
     try
 
     {
 
     {
 
-        ISecUser* user = context.queryUser();
 
+        ISecUser* userInContext = context.queryUser();
 
+        if (!userInContext)
 
+            throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, "User not set in EspContext");
 
+
 
+        CLdapSecManager* secmgr = dynamic_cast<CLdapSecManager*>(context.querySecManager());
 
+        if (!secmgr)
 
+        {
 
+            resp.setUsername(userInContext->getName());
 
+            return true;
 
+        }
 
+
 
+        const char* userName = userInContext->getName();
 
+        Owned<ISecUser> user = secmgr->findUser(userName);
 
         if(user != NULL)
 
         if(user != NULL)
 
         {
 
         {
 
             CDateTime dt;
 
             CDateTime dt;

+ 23 - 1
system/security/LdapSecurity/ldapconnection.cpp
مشاهده فایل 

@@ -2040,7 +2040,7 @@ public:
 
             Owned<ILdapConnection> lconn = m_connections->getConnection();
 
             Owned<ILdapConnection> lconn = m_connections->getConnection();
 
             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
 
             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
 
 
 
-            char        *attrs[] = {"cn", "givenName", "sn", "gidnumber", "uidnumber", "homedirectory", "loginshell", "objectClass", "employeeId", NULL};
 
+            char        *attrs[] = {"cn", "givenName", "sn", "gidnumber", "uidnumber", "homedirectory", "loginshell", "objectClass", "employeeId", "distinguishedName", "userAccountControl", "pwdLastSet", NULL};
 
             CLDAPMessage searchResult;
 
             CLDAPMessage searchResult;
 
             int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult.msg );
 
             int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult.msg );
 
 
 
@@ -2050,6 +2050,7 @@ public:
 
                 return false;
 
                 return false;
 
             }
 
             }
 
 
 
+            bool accountPwdNeverExpires = false;
 
             ((CLdapSecUser*)&user)->setPosixenabled(false);
 
             ((CLdapSecUser*)&user)->setPosixenabled(false);
 
             // Go through the search results by checking message types
 
             // Go through the search results by checking message types
 
             for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
 
             for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
 
@@ -2076,6 +2077,27 @@ public:
 
                             ((CLdapSecUser*)&user)->setHomedirectory(vals.queryCharValue(0));
 
                             ((CLdapSecUser*)&user)->setHomedirectory(vals.queryCharValue(0));
 
                         else if(stricmp(attribute, "loginshell") == 0)
 
                         else if(stricmp(attribute, "loginshell") == 0)
 
                             ((CLdapSecUser*)&user)->setLoginshell(vals.queryCharValue(0));
 
                             ((CLdapSecUser*)&user)->setLoginshell(vals.queryCharValue(0));
 
+                        else if(stricmp(attribute, "distinguishedName") == 0)
 
+                            ((CLdapSecUser*)&user)->setDistinguishedName(vals.queryCharValue(0));
 
+                        else if((stricmp(attribute, "userAccountControl") == 0))
 
+                        {
 
+                            //UF_DONT_EXPIRE_PASSWD 0x10000
 
+                            CLDAPGetValuesLenWrapper vals(ld, message, attribute);
 
+                            if (vals.hasValues())
 
+                                if (atoi((char*)vals.queryCharValue(0)) & 0x10000)//this can be true at the account level, even if domain policy requires password
 
+                                    accountPwdNeverExpires = true;
 
+                        }
 
+                        else if(stricmp(attribute, "pwdLastSet") == 0)
 
+                        {
 
+                            CLDAPGetValuesLenWrapper valsLen(ld, message, attribute);
 
+                            if (!m_domainPwdsNeverExpire && !accountPwdNeverExpires && valsLen.hasValues())
 
+                            {
 
+                                CDateTime expiry;
 
+                                char * val = (char*)valsLen.queryCharValue(0);
 
+                                calcPWExpiry(expiry, (unsigned)strlen(val), val);
 
+                                ((CLdapSecUser*)&user)->setPasswordExpiration(expiry);
 
+                            }
 
+                        }
 
                         else if(stricmp(attribute, "objectClass") == 0)
 
                         else if(stricmp(attribute, "objectClass") == 0)
 
                         {
 
                         {
 
                             int valind = 0;
 
                             int valind = 0;