mitreid-connect / OpenID-Connect-Java-Spring-Server

An OpenID Connect reference implementation in Java on the Spring platform.

Save the userDn value in a variable and send it in HTTP header #1191

Closed isedrof closed 7 years ago

isedrof commented 7 years ago

I'm wondering if there is a way to save the value of UserDN (e.g. userDn='uid=user1,ou,comp,ou,org') as a variable and send it with the other values (sub, preferred_username, email...) in the Token in the HTTP header?

I have to get this value and put it in the REMOTE_USER variable, because my application verifies the clearance of each user before giving access.

Thanks !

jricher commented 7 years ago

You can add custom claims to your ID Token by overriding and implementing your own OIDCTokenService and injecting your implementation as a primary bean.
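
The approach jricher describes, written out as an added example (this is not code from the issue or from the MITREid project): a subclass of DefaultOIDCTokenService that resolves the user's LDAP entry DN and adds it to the ID Token as a claim. Everything specific here is an assumption: MITREid Connect 1.3.x, whose DefaultOIDCTokenService exposes the protected hook addCustomIdTokenClaims; the LDAP overlay's convention that the subject ("sub") is the LDAP uid; an LdapTemplate bean of the kind the overlay configures; and the claim name "ldap_dn", which is our choice and not a registered OIDC claim.

```java
package org.example.oidc; // hypothetical package, not part of MITREid

import java.util.List;

import javax.naming.directory.SearchControls;

import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.openid.connect.service.impl.DefaultOIDCTokenService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Primary;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.stereotype.Service;

import com.nimbusds.jwt.JWTClaimsSet;

/**
 * Added example (assumed MITREid Connect 1.3.x): an OIDCTokenService that puts
 * the user's LDAP entry DN on the ID Token as the custom claim "ldap_dn".
 * Assumes the LDAP overlay's convention that "sub" equals the LDAP uid.
 */
@Service
@Primary // preferred over DefaultOIDCTokenService when both are candidates
public class LdapDnOIDCTokenService extends DefaultOIDCTokenService {

    private static final String DN_CLAIM = "ldap_dn"; // our claim name, not standard

    @Autowired
    private LdapTemplate ldapTemplate; // assumed: the template the LDAP overlay configures

    @Override
    protected void addCustomIdTokenClaims(JWTClaimsSet.Builder idClaims,
                                          ClientDetailsEntity client,
                                          OAuth2Request request,
                                          String sub,
                                          OAuth2AccessTokenEntity accessToken) {
        String dn = lookupDn(sub);
        if (dn != null) {
            idClaims.claim(DN_CLAIM, dn);
        }
        // If the user cannot be resolved unambiguously, the ID Token is issued
        // without the claim rather than failing; relying parties treat it as optional.
    }

    /**
     * Resolves the DN of the entry whose uid equals the given username. The DN
     * comes from the directory context itself (getNameInNamespace()), so no
     * operational attribute such as entryDN has to be requested from the server.
     */
    String lookupDn(String username) {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"uid"}); // keep the result small

        // EqualsFilter escapes the value, so a crafted username cannot change
        // the meaning of the filter (LDAP injection).
        String filter = new EqualsFilter("uid", username).encode();

        @SuppressWarnings("unchecked")
        List<String> dns = ldapTemplate.search("", filter, controls, new ContextMapper() {
            public Object mapFromContext(Object ctx) {
                return ((DirContextAdapter) ctx).getNameInNamespace();
            }
        });

        // Exactly one match is required; zero or several means uid is not a
        // usable identifier for this user and no claim is added.
        return dns.size() == 1 ? dns.get(0) : null;
    }
}
```

Declaring the bean in the server's XML configuration with primary="true" has the same effect as the @Primary annotation. Two points worth keeping in mind when the claim is consumed on the application side: the value is trustworthy only because the ID Token is signed by the server, so the relying party must verify the signature, iss, aud and exp before copying ldap_dn into something like REMOTE_USER; and a DN reveals directory structure, so add it only for clients that need it.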

isedrof commented 7 years ago

I was thinking of adding mod_authnz_ldap to my httpd file to get the UserDn and send it with the ID_Token. What do you think?

jricher commented 7 years ago

That's completely dependent on your implementation and deployment.

isedrof commented 7 years ago

I added to my LDAP Directory an attribute entrydn which contains the value of UserDn, and I put it in Family_name, but I'm not able to parse it.

The form of this attribute is like: uid=firstname_lastname,ou=comop,ou=Users,o=org

isedrof commented 7 years ago

I found this documentation about operational attributes:

Retrieving operational attributes

The LDAP server maintains many operational attributes internally. For example, entryUUID is an operational attribute that assigns a Universally Unique Identifier (UUID) to the entry. The createTimestamp and modifyTimestamp are also operational attributes, assigned to the entry on create or update. These operational attributes do not belong to an object class and hence they are not returned as part of your search or lookup. You need to explicitly request them by name in your search, or build a custom AttributesMapper implementation with matching attribute names. Now let's try to retrieve the entryUUID. First you need to build the search controls like this:

```java
import javax.naming.directory.SearchControls;

// Operational attributes are only returned when they are named explicitly.
SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
controls.setReturningObjFlag(false);
controls.setReturningAttributes(new String[]{"entryUUID"});
```

Once you have the search controls, it's simply a matter of calling the search method, just like retrieving any other attributes.


```java
ldapTemplate.search("baseName", "(objectclass=person)", controls, new AttributesMapper() {
    public Object mapFromAttributes(Attributes attrs) throws NamingException {
        // entryUUID is present only because it was named in the search controls
        Attribute attrUuid = attrs.get("entryUUID");
        return attrUuid;
    }
});
```

Here is another way to do the same using a ContextMapper:

```java
// the third argument (1) is the search scope: SearchControls.ONELEVEL_SCOPE
ldapTemplate.search("baseName", "(objectclass=person)", 1, new String[]{"entryUUID"},
    new ContextMapper() {
        public Object mapFromContext(Object ctx) {
            DirContextAdapter context = (DirContextAdapter) ctx;
            return context.getStringAttributes("entryUUID");
        }
    });
```

Let's add a filter based on operational attributes, like below:

```java
OrFilter orFilter = new OrFilter();
orFilter.or(new GreaterThanOrEqualsFilter("createTimestamp", "YYYYMMDDHHMMSSZ"));
orFilter.or(new LessThanOrEqualsFilter("modifyTimestamp", "YYYYMMDDHHMMSSZ"));
```


Now call the above search with the filter:

```java
ldapTemplate.search("baseName", orFilter.encode(), controls, new AttributesMapper() {
    public Object mapFromAttributes(Attributes attrs) throws NamingException {
        Attribute attrUuid = attrs.get("entryUUID");
        return attrUuid;
    }
});
```



But I'm not able to add it to the code provided by the LDAP overlay.

isedrof commented 7 years ago

I tried the code below and it works great:

```java
private CacheLoader<String, UserInfo> cacheLoader = new CacheLoader<String, UserInfo>() {
    @Override
    public UserInfo load(String username) throws Exception {

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
//      controls.setReturningObjFlag(true);
        // entrydn is an operational attribute, so it must be requested by name
        controls.setReturningAttributes(new String[]{"uid", "mail", "telephoneNumber", "displayName", "memberOf", "entrydn"});

        // EqualsFilter escapes the username before it is placed in the filter
        Filter find = new EqualsFilter("uid", username);
        List<?> res = ldapTemplate.search("", find.encode(), controls, attributesMapper);

        if (res.isEmpty()) {
            // user not found, error
            throw new IllegalArgumentException("User not found: " + username);
        } else if (res.size() == 1) {
            // exactly one user found, return them
            return (UserInfo) res.get(0);
        } else {
            // more than one user found: uid is ambiguous, refuse rather than pick one
            throw new IllegalArgumentException("Multiple users found for: " + username);
        }

    }

};
```