
HPCC-20241 Retrieve User Details from LDAP server

In session-based ESP, the ISecUser may not contain the User
Details because ESP does not authenticate every request and
the User Details are not filled in. WsAccount should retrieve
User Details directly from LDAP server.

Signed-off-by: wangkx <kevin.wang@lexisnexis.com>
wangkx 6 年之前
d74ed0ef38
共有 2 個文件被更改,包括 36 次插入2 次删除
  1. 13 1
      esp/services/ws_account/ws_accountService.cpp
  2. 23 1
      system/security/LdapSecurity/ldapconnection.cpp

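--- a/esp/services/ws_account/ws_accountService.cpp
+++ b/esp/services/ws_account/ws_accountService.cpp
@@ -150,7 +150,19 @@ bool Cws_accountEx::onMyAccount(IEspContext &context, IEspMyAccountRequest &req,
 {
     try
     {
-        ISecUser* user = context.queryUser();
+        ISecUser* userInContext = context.queryUser();
+        if (!userInContext)
+            throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, "User not set in EspContext");
+
+        CLdapSecManager* secmgr = dynamic_cast<CLdapSecManager*>(context.querySecManager());
+        if (!secmgr)
+        {
+            resp.setUsername(userInContext->getName());
+            return true;
+        }
+
+        const char* userName = userInContext->getName();
+        Owned<ISecUser> user = secmgr->findUser(userName);
         if(user != NULL)
         {
             CDateTime dt;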
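Review bot: The early return `resp.setUsername(userInContext->getName()); return true;` for a non-CLdapSecManager manager reports only the username, whereas the replaced line fed the context user into the same `if(user != NULL)` detail block, so deployments using another security manager appear to lose whatever details that block filled in before (the block itself is outside the hunk, so this is inferred). A fallback keeps the rest of the function shared: `Owned<ISecUser> user; if (secmgr) user.setown(secmgr->findUser(userName)); else user.set(userInContext);`. The missing-user throw reuses `ECLWATCH_INVALID_SEC_MANAGER`, which names the wrong condition; a user-oriented code or at least a comment explaining the reuse would help the caller. `findUser` can also return null for a session whose account LDAP no longer knows, which the existing guard tolerates silently — a log line there would make that case diagnosable. onMyAccount's body continues outside the hunk.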
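--- a/system/security/LdapSecurity/ldapconnection.cpp
+++ b/system/security/LdapSecurity/ldapconnection.cpp
@@ -2040,7 +2040,7 @@ public:
             Owned<ILdapConnection> lconn = m_connections->getConnection();
             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
 
-            char        *attrs[] = {"cn", "givenName", "sn", "gidnumber", "uidnumber", "homedirectory", "loginshell", "objectClass", "employeeId", NULL};
+            char        *attrs[] = {"cn", "givenName", "sn", "gidnumber", "uidnumber", "homedirectory", "loginshell", "objectClass", "employeeId", "distinguishedName", "userAccountControl", "pwdLastSet", NULL};
             CLDAPMessage searchResult;
             int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult.msg );
 
@@ -2050,6 +2050,7 @@ public:
                 return false;
             }
 
+            bool accountPwdNeverExpires = false;
             ((CLdapSecUser*)&user)->setPosixenabled(false);
             // Go through the search results by checking message types
             for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
@@ -2076,6 +2077,27 @@ public:
                             ((CLdapSecUser*)&user)->setHomedirectory(vals.queryCharValue(0));
                         else if(stricmp(attribute, "loginshell") == 0)
                             ((CLdapSecUser*)&user)->setLoginshell(vals.queryCharValue(0));
+                        else if(stricmp(attribute, "distinguishedName") == 0)
+                            ((CLdapSecUser*)&user)->setDistinguishedName(vals.queryCharValue(0));
+                        else if((stricmp(attribute, "userAccountControl") == 0))
+                        {
+                            //UF_DONT_EXPIRE_PASSWD 0x10000
+                            CLDAPGetValuesLenWrapper vals(ld, message, attribute);
+                            if (vals.hasValues())
+                                if (atoi((char*)vals.queryCharValue(0)) & 0x10000)//this can be true at the account level, even if domain policy requires password
+                                    accountPwdNeverExpires = true;
+                        }
+                        else if(stricmp(attribute, "pwdLastSet") == 0)
+                        {
+                            CLDAPGetValuesLenWrapper valsLen(ld, message, attribute);
+                            if (!m_domainPwdsNeverExpire && !accountPwdNeverExpires && valsLen.hasValues())
+                            {
+                                CDateTime expiry;
+                                char * val = (char*)valsLen.queryCharValue(0);
+                                calcPWExpiry(expiry, (unsigned)strlen(val), val);
+                                ((CLdapSecUser*)&user)->setPasswordExpiration(expiry);
+                            }
+                        }
                         else if(stricmp(attribute, "objectClass") == 0)
                         {
                             int valind = 0;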
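Review bot: The `pwdLastSet` branch in the third hunk reads `accountPwdNeverExpires` while still inside the per-attribute loop, so it only honours the account-level UF_DONT_EXPIRE_PASSWD flag if the server happens to return `userAccountControl` before `pwdLastSet`; attribute order in an LDAP entry is not something the code can rely on, and when `pwdLastSet` comes first an account whose password never expires gets an expiry date set anyway. Record the raw `pwdLastSet` value in the loop and do the `calcPWExpiry` once after the loop, where both inputs are known; the declaration `StringBuffer pwdLastSet;` belongs next to `bool accountPwdNeverExpires = false;` in the second hunk, and the post-loop code lands after the loop's closing brace, which is outside this hunk. The `userAccountControl` branch also declares a new `CLDAPGetValuesLenWrapper vals` that shadows the loop's existing `vals` (the one `setHomedirectory` reads), which is easy to misread — give it a distinct name. The `0x10000` literal would be clearer as a named constant such as `const unsigned UF_DONT_EXPIRE_PASSWD = 0x10000;` rather than a comment.
```cpp
// … unchanged: loginshell / distinguishedName branches …
else if((stricmp(attribute, "userAccountControl") == 0))
{
    //UF_DONT_EXPIRE_PASSWD 0x10000: set per account, even when domain policy expires passwords
    CLDAPGetValuesLenWrapper uacVals(ld, message, attribute);
    if (uacVals.hasValues() && (atoi((char*)uacVals.queryCharValue(0)) & 0x10000))
        accountPwdNeverExpires = true;
}
else if(stricmp(attribute, "pwdLastSet") == 0)
{
    // Only remember the value here; whether it applies depends on userAccountControl,
    // which the server may return after this attribute.
    CLDAPGetValuesLenWrapper plsVals(ld, message, attribute);
    if (plsVals.hasValues())
        pwdLastSet.set((char*)plsVals.queryCharValue(0));
}
// … unchanged: objectClass branch, rest of attribute loop, loop close (outside hunk) …
if (!m_domainPwdsNeverExpire && !accountPwdNeverExpires && pwdLastSet.length())
{
    CDateTime expiry;
    calcPWExpiry(expiry, (unsigned)pwdLastSet.length(), pwdLastSet.str());
    ((CLdapSecUser*)&user)->setPasswordExpiration(expiry);
}
```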