Archive for November, 2009

Lift-LDAP module updated

lift-ldap
sample_lift_ldap

Some code cleanup …
Now it’s easier to create the user model object and customize it.

  • The LDAPProtoUser now defines the ldapRoles SessionVar, which holds the user's roles or groups.
    It also defines rolesSearchFilter and rolesNameRegex, used to search for and extract the roles/groups.

    
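    trait LDAPProtoUser[T <: LDAPProtoUser[T]] extends MegaProtoUser[T] {
        self: T =>

        /**
         * LDAP search filter used to find the groups the user belongs to.
         * `%s` is replaced by the (filter-escaped) user DN.
         */
        def rolesSearchFilter: String = "(&(objectclass=groupofnames)(member=%s))"

        /**
         * Regular expression extracting a group name from a group DN;
         * capture group 1 must hold the name (here the cn value).
         */
        def rolesNameRegex = ".*cn=(.[^,]*),ou=.*"

        /** Session-scoped list of the role/group names resolved by setRoles. */
        object ldapRoles extends SessionVar[List[String]](List())

        override def getSingleton: MetaLDAPProtoUser[T]

        object uid extends MappedString(this, 64) {
            override def dbIndexed_? = true
        }

        object dn extends MappedString(this, 64) {
            override def dbIndexed_? = true
        }

        object cn extends MappedString(this, 64) {
            override def dbIndexed_? = true
        }

        /** Roles resolved for the current session (empty until setRoles has run). */
        def getRoles: List[String] = ldapRoles.get

        /**
         * Escapes the characters that are special inside an LDAP filter value
         * (RFC 4515), so a DN interpolated into rolesSearchFilter cannot change
         * the meaning of the filter.
         */
        protected def escapeFilterValue(value: String): String = {
            val sb = new StringBuilder
            value.foreach {
                case '\\'     => sb.append("\\5c")
                case '*'      => sb.append("\\2a")
                case '('      => sb.append("\\28")
                case ')'      => sb.append("\\29")
                case '\u0000' => sb.append("\\00")
                case c        => sb.append(c)
            }
            sb.toString
        }

        /**
         * Looks up the groups containing `userDn` and appends their names to
         * ldapRoles. A group DN that does not match rolesNameRegex is skipped
         * (the user simply does not get that role) instead of aborting the
         * login with a MatchError.
         *
         * @param userDn     DN of the authenticated user
         * @param ldapVendor vendor that performs the search
         * @return the updated role list
         */
        def setRoles(userDn: String, ldapVendor: LDAPVendor): AnyRef = {
            val regex = new Regex(rolesNameRegex)

            // Whole-string match, as the extractor form `val regex(name) = dn` did.
            def groupNameFromDn(groupDn: String): Option[String] =
                regex.unapplySeq(groupDn) match {
                    case Some(name :: _) => Some(name)
                    case _ => None
                }

            val filter = rolesSearchFilter.format(escapeFilterValue(userDn))
            val groups = ldapVendor.search(filter)

            // `:::` appends to the list; `list + string` would build a String
            // through any2stringadd. Collect every name first, then set once.
            val names = groups.flatMap(g => groupNameFromDn(g).toList)
            val updated = ldapRoles.get ::: names
            ldapRoles.set(updated)
            updated
        }
    }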
    
    
    
  • The user model object only has to redefine the roles search (either the LDAP search filter, or a setRoles function that implements a custom search).

    
    /** User entity mapped through LDAPProtoUser; the companion object is its meta object. */
    class User extends LDAPProtoUser[User] {
        def getSingleton: User.type = User
    }
    
    /** Meta object for [[User]]; supplies the template its screens are wrapped in. */
    object User extends User with MetaLDAPProtoUser[User] {
        // Kept byte-for-byte as before (the whitespace text nodes are part of the literal).
        private lazy val contentWrapper = <lift:surround with="default" at="content">
                       <lift:bind />
        </lift:surround>

        override def screenWrap = Full(contentWrapper)
    }
    
    

    Overriding default values …

    
    /** Meta object for [[User]] with the LDAP search and messages overridden. */
    object User extends User with MetaLDAPProtoUser[User] {
        // Same wording as the default, but naming the rejected value;
        // `%s` is presumably filled with the attempted user name -- confirm in the vendor.
        override def loginErrorMessage: String = "'%s' is not a valid user or password does not match"

        // Filter locating the entry to bind as; `%s` is the value typed in the login form.
        // NOTE(review): confirm the vendor escapes that value (RFC 4515) before formatting.
        override def ldapUserSearch: String = "(&(objectClass=inetOrgPerson)(uid=%s))"

        // Group name = cn of the group DN, whatever follows the cn RDN.
        override def rolesNameRegex: String = ".*cn=(.[^,]*),.*"

        // Only groups without a cancellationdate count as roles.
        override def rolesSearchFilter: String = "(&(objectclass=groupofnames)(!(cancellationdate=*))(member=%s))"

        // Kept byte-for-byte (the whitespace text nodes are part of the literal).
        private lazy val contentWrapper = <lift:surround with="default" at="content">
                       <lift:bind />
        </lift:surround>

        override def screenWrap = Full(contentWrapper)
    }
    

Now I have to remove some unused imports 🙂

Lift LDAP

One of the requirements for using Lift at my work was LDAP authentication.
So I wrote a little module, lift-ldap, for that and a sample app; it was damn simple!

To use the module,

  • 1. Add the lift-ldap dependency to the Maven pom.xml
    
    <dependency>
        <groupId>net.liftweb</groupId>
        <artifactId>lift-ldap</artifactId>
        <version>1.0.0</version>
    </dependency>
    
  • 2. Create the user object in src/scala/com/sample/model/User.scala

    
    package com.sample.model
    
    import scala.util.matching.{Regex}
    import scala.xml.{NodeSeq}
    
    // lift ldap
    import net.liftweb.ldap.{LDAPProtoUser, MetaLDAPProtoUser, LDAPVendor, SimpleLDAPVendor}
    
    import net.liftweb.common.{Box, Full}
    import net.liftweb.http.{S, SessionVar}
    import net.liftweb.mapper.{KeyedMetaMapper}
    
    object roles extends SessionVar[List[String]](List())
    
    /** User entity mapped through LDAPProtoUser; the companion object is its meta object. */
    class User extends LDAPProtoUser[User] {
        def getSingleton: User.type = User

        /** Roles of the current session, as filled in by the login callback. */
        def getRoles: List[String] = roles.get
    }
    
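    /** Meta object for [[User]]: screen template, table name and the LDAP login. */
    object User extends User with MetaLDAPProtoUser[User] {

        // Template the user screens are rendered into.
        override def screenWrap = Full(<lift:surround with="default" at="content">
                       <lift:bind />
        </lift:surround>)

        override def dbTableName = "tmp_users"

        /**
         * Performs the login and, once the user is authenticated, resolves the
         * user's groups into the session-scoped `roles` list.
         */
        override def login : NodeSeq = {
            // Capture group 1 must hold the group name (the cn of a group DN).
            val groupNameRx = new Regex(".*cn=(.*),ou=.*")

            // None for a DN without the expected shape; such groups are skipped
            // instead of aborting the login with a MatchError.
            def groupNameFromDn(dn: String): Option[String] =
                groupNameRx.unapplySeq(dn) match {
                    case Some(name :: _) => Some(name)
                    case _ => None
                }

            // RFC 4515: escape the characters that are special in a filter value,
            // so the DN cannot change the meaning of the search filter.
            def escapeFilterValue(value: String): String = {
                val sb = new StringBuilder
                value.foreach {
                    case '\\'     => sb.append("\\5c")
                    case '*'      => sb.append("\\2a")
                    case '('      => sb.append("\\28")
                    case ')'      => sb.append("\\29")
                    case '\u0000' => sb.append("\\00")
                    case c        => sb.append(c)
                }
                sb.toString
            }

            // Callback handed to the vendor: look up the user's groups and
            // record their names in the session.
            def setRoles(userDn: String, ldapVendor: LDAPVendor): AnyRef = {
                val filter = "(&(objectclass=groupofnames)(member=" + escapeFilterValue(userDn) + "))"

                val groups = ldapVendor.search(filter)
                // `:::` appends to the list; `list + string` would build a String.
                val names = groups.flatMap(g => groupNameFromDn(g).toList)
                val updated = roles.get ::: names
                roles.set(updated)
                updated
            }

            login(setRoles _)
        }
    }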
    
    

    The User object has to provide a setRoles function to the LDAPVendor (called when logging in),
    so we can customize how the user's credentials (roles) are retrieved from LDAP (from a group of names or a custom object)

  • 3. Initialize the LDAP configuration in Boot.scala (src/main/scala/bootstrap/liftweb/Boot.scala)

    
    We can pass a properties file to SimpleLDAPVendor:
    SimpleLDAPVendor.parameters = () => {
        // ldap.properties is looked up on the application classpath
        // (getResourceAsStream yields null when it is missing).
        val stream = this.getClass().getClassLoader().getResourceAsStream("ldap.properties")
        SimpleLDAPVendor.parametersFromStream(stream)
    }
    
    or set the parameters directly:
    SimpleLDAPVendor.parameters = () => {
        // "ldap.userName"/"ldap.password" are presumably the account the vendor
        // binds with to search for users -- confirm against the vendor; the "..."
        // values are placeholders.
        val settings = Map(
            "ldap.url"      -> "ldap://localhost",
            "ldap.base"     -> "dc=company,dc=com",
            "ldap.userName" -> "...",
            "ldap.password" -> "...")
        settings
    }
                
    
  • 4. A LoginUtil class (src/main/scala/com/sample/lib/LoginUtil.scala)

    To determine whether the user is logged in or has certain credentials

  • 5. Create the security rules in Boot

    
    
        // Path-prefix guards: a request under /group_required needs the
        // "sample_group" authority, one under /login_required needs a logged-in
        // user. Requests matched by neither case are not intercepted here.
        LiftRules.dispatch.prepend(NamedPF("Login Validation") {
            case Req("group_required" :: _, _, _) if !LoginUtil.hasAuthority_?("sample_group") =>
                LoginUtil.redirectIfLogged("/login/group_not_allowed")
            case Req("login_required" :: _, _, _) if !LoginUtil.isLogged =>
                () => Full(RedirectResponse("/user_mgt/login"))
        })
    

And that’s it 🙂

Scala and ldap

Playing around with Scala, a very nice JVM language!,
I found Lift (a web framework),
it looks simple and fun!

I was looking for LDAP authentication with Lift,
but I wasn't able to find anything :(.

So I started to play with it.
Here, I install an OpenLDAP server and write some simple Scala code to play with it.

  • Install OpenLDAP and some sample data (using Arch Linux)

    
    1- sudo pacman -S openldap
    2- slappasswd -h {MD5} -s password (generates the LDAP password hash, used later in the config and in the user LDIF file; {MD5} is an unsalted legacy scheme, so for anything beyond a test setup prefer slappasswd's default {SSHA})
       {MD5}X03MO1qnZdYdgyfeuILPmQ==
    
  • Define the LDAP structure in the file initial_structure.ldif

    
    dn: dc=company,dc=com
    dc: company
    description: LDAP Main object
    objectClass: organization
    objectClass: dcObject
    o: company.com
    
    dn: ou=Users,dc=company,dc=com
    ou: Users
    objectClass: organizationalUnit
    
    dn: ou=Groups,dc=company,dc=com
    ou: Groups
    objectClass: top
    objectClass: organizationalUnit
    
    dn: cn=main_group,ou=Groups,dc=company,dc=com
    gidNumber: 2000
    objectClass: posixGroup
    objectClass: top
    cn: main_group
    
    dn: cn=secondary_group,ou=Groups,dc=company,dc=com
    gidNumber: 2001
    objectClass: posixGroup
    objectClass: top
    cn: secondary_group
    
  • Configure the LDAP server in /etc/openldap/slapd.conf

    
    include         /etc/openldap/schema/core.schema
    include         /etc/openldap/schema/cosine.schema
    include         /etc/openldap/schema/courier.schema
    include         /etc/openldap/schema/inetorgperson.schema
    include         /etc/openldap/schema/nis.schema
    
    # Accepts LDAPv2 bind requests, a legacy protocol version; only needed for old clients.
    allow bind_v2
    # Scheme slapd uses to hash passwords set through the Password Modify operation.
    # {md5} is unsalted; slapd's default {SSHA} is the stronger choice outside a test setup.
    password-hash {md5}
    
    pidfile   /var/run/slapd.pid
    argsfile  /var/run/slapd.args
    
    database        bdb
    suffix          "dc=company,dc=com"
    # Directory superuser used by the ldapadd/ldapsearch steps below;
    # the hash is the one produced by the slappasswd step above.
    rootdn          "cn=admin,dc=company,dc=com"
    rootpw          {MD5}X03MO1qnZdYdgyfeuILPmQ==
    
    directory       /var/lib/openldap/openldap-data
    index   objectClass     eq
    index   uid     eq
    
  • Load the initial LDAP structure

    
    sudo /usr/sbin/slapadd -l initial_structure.ldif
    
  • Define the user and group data, for example in the file users.ldif

    
    dn: uid=sample_user_1,ou=Users,dc=company,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: sample_user_1
    cn: Test User
    sn: User
    givenName: Test
    userPassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==
    loginShell: /bin/bash
    uidNumber: 10000
    gidNumber: 2000
    homeDirectory: /home/users/test/
    
  • Start the LDAP server and add users.ldif

    
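    # The daemon is slapd (see the pidfile in slapd.conf); the init script carries the same name.
    sudo /etc/rc.d/slapd start
    # -x: simple bind as the rootdn; -W prompts for its password instead of
    # taking it on the command line (where it would end up in the shell history).
    ldapadd -x -D "cn=admin,dc=company,dc=com" -f users.ldif -W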
    
  • Test the LDAP server by searching for the user sample_user_1
    
    ldapsearch -x -D "cn=admin,dc=company,dc=com" -b "dc=company,dc=com" "(&(uid=sample_user_1))" -W
    


  • And now the Scala code 🙂
    
    import java.io.FileInputStream
    import java.util.{Hashtable, Properties}
    
    import javax.naming.Context
    import javax.naming.directory.{BasicAttributes, SearchControls}
    import javax.naming.ldap.{LdapName, InitialLdapContext}
    
    import scala.collection.jcl.{MapWrapper}
    import scala.util.logging.{Logged, ConsoleLogger}
    
    /** Implicit view from a java.util.Hashtable to an immutable Scala Map (the entries are copied). */
    implicit def convert(javaMap: Hashtable[String, String]) = {
        val wrapper = new MapWrapper[String, String]() {
            def underlying = javaMap
        }
        Map.empty ++ wrapper
    }
    
    /** String-keyed configuration map consumed by LDAPSearch. */
    type StringMap = Map[String, String]

    // Fallbacks used when a key is missing from the configuration map.
    // NOTE(review): Context.PROVIDER_URL normally expects a scheme ("ldap://host");
    // a bare "localhost" may not be accepted -- confirm.
    val DEFAULT_URL: String = "localhost"
    val DEFAULT_BASE_DN: String = ""
    // Empty user/password mean the initial context binds anonymously.
    val DEFAULT_USER: String = ""
    val DEFAULT_PASSWORD: String = ""
    
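    /**
     * Lazily builds the shared LDAPSearch from `properties()`, reading them
     * from `propertiesFile()` when no in-memory parameters were configured.
     */
    object SimpleLDAPSearch {
        lazy val ldap: LDAPSearch = {
            if (properties() == null) {
                val loaded = loadProperties(propertiesFile())
                properties = () => loaded
            }

            new LDAPSearch(properties()) with ConsoleLogger
        }

        // Parameters supplied in code; null means "read propertiesFile()".
        var properties: () => StringMap = () => null

        // Path of the properties file read when `properties` is not set.
        var propertiesFile: () => String = {
            () => "DEFAULT_PROPERTIES_FILE.properties"
        }

        // Reads the file into an immutable map, closing the stream even when
        // loading fails. Copying the entries explicitly keeps this independent
        // of the `convert` view and of what `asInstanceOf` does with it.
        private def loadProperties(path: String): StringMap = {
            val p = new Properties()
            val in = new FileInputStream(path)
            try {
                p.load(in)
            } finally {
                in.close()
            }

            var result: StringMap = Map.empty
            val names = p.propertyNames()
            while (names.hasMoreElements()) {
                val key = names.nextElement().toString
                result = result + (key -> p.getProperty(key))
            }
            result
        }
    }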
    
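    /**
     * Minimal JNDI LDAP client: searches below "ldap.base" with a service
     * account and verifies a user's password with a simple bind.
     *
     * @param parameters keys "ldap.url", "ldap.base", "ldap.userName" and
     *                   "ldap.password"; a missing key falls back to the
     *                   matching DEFAULT_* value
     */
    class LDAPSearch(parameters: StringMap) extends Logged {
        private val contextFactory = "com.sun.jndi.ldap.LdapCtxFactory"

        // Service-account connection, opened on first use and kept for all searches.
        lazy val initialContext = getInitialContext(parameters)

        /**
         * Names (relative to "ldap.base") of the entries matching `filter`, in
         * server order; empty when no context is available.
         *
         * `filter` is sent verbatim: any value the caller interpolates into it
         * must already be escaped per RFC 4515.
         */
        def search(filter: String) : List[String] = {
            log("--> LDAPSearch.search: Searching for '%s'".format(filter))

            initialContext match {
                case None => Nil
                case Some(ctx) =>
                    val result = ctx.search(parameters.getOrElse("ldap.base", DEFAULT_BASE_DN),
                                            filter,
                                            getSearchControls())
                    try {
                        // Prepend while iterating and reverse once at the end:
                        // appending with ::: re-copies the list for every entry.
                        var names = List[String]()
                        while (result.hasMore()) {
                            names = result.next().getName :: names
                        }
                        names.reverse
                    } finally {
                        // Release the server-side search result.
                        result.close()
                    }
            }
        }

        /**
         * Verifies `password` for the entry `dn` (relative to "ldap.base") with
         * a simple bind on a fresh connection, which is closed again afterwards.
         *
         * An empty password never reaches the server: a simple bind with empty
         * credentials is an anonymous bind (RFC 4513 section 5.1.2), which a
         * server allowing anonymous access accepts regardless of the DN and
         * which would therefore count as a successful login.
         *
         * @return true only when the server accepted the bind
         */
        def bindUser(dn: String, password: String) : Boolean = {
            log("--> LDAPSearch.bindUser: Try to bind user '%s'".format(dn))

            val result =
                if (password == null || password.length == 0) {
                    false
                } else {
                    // "ldap.base" is an Option in the map: getOrElse, not get, or the
                    // principal would end in ",Some(dc=...)". No trailing comma for an empty base.
                    val base = parameters.getOrElse("ldap.base", DEFAULT_BASE_DN)
                    val principal = if (base.length == 0) dn else dn + "," + base

                    try {
                        // InitialLdapContext connects and binds in its constructor;
                        // a rejected bind surfaces as an exception.
                        val ctx = new InitialLdapContext(simpleBindEnv(parameters, principal, password), null)
                        try {
                            ctx.close()
                        } catch {
                            case e: Exception => log("--> LDAPSearch.bindUser: close failed: %s".format(e))
                        }
                        true
                    }
                    catch {
                        // Wrong credentials and connectivity problems both land here;
                        // the logged exception tells them apart.
                        case e: Exception =>
                            log("--> LDAPSearch.bindUser: Bind failed: %s".format(e))
                            false
                    }
                }

            log("--> LDAPSearch.bindUser: Bind successfull ? %s".format(result))

            result
        }

        /**
         * Opens the service-account connection described by `props`. An empty
         * "ldap.userName"/"ldap.password" pair gives an anonymous bind; a failed
         * connection propagates as an exception rather than returning None.
         */
        private def getInitialContext(props: StringMap) : Option[InitialLdapContext] = {
            log("--> LDAPSearch.getInitialContext: Get initial context from '%s'".format(
                props.getOrElse("ldap.url", DEFAULT_URL)))

            val env = simpleBindEnv(props,
                                    props.getOrElse("ldap.userName", DEFAULT_USER),
                                    props.getOrElse("ldap.password", DEFAULT_PASSWORD))

            Some(new InitialLdapContext(env, null))
        }

        // JNDI environment for a simple bind as `principal`/`credentials` against "ldap.url".
        private def simpleBindEnv(props: StringMap, principal: String, credentials: String): Hashtable[String, String] = {
            val env = new Hashtable[String, String]()
            env.put(Context.PROVIDER_URL, props.getOrElse("ldap.url", DEFAULT_URL))
            env.put(Context.SECURITY_AUTHENTICATION, "simple")
            env.put(Context.SECURITY_PRINCIPAL, principal)
            env.put(Context.SECURITY_CREDENTIALS, credentials)
            env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory)
            env
        }

        /** Subtree search that returns only the "cn" attribute of each match. */
        private def getSearchControls() : SearchControls = {
            val constraints = new SearchControls()
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE)
            constraints.setReturningAttributes(Array("cn"))
            constraints
        }
    }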
    
    // SimpleLDAPSearch.propertiesFile = () => "ldap.properties"
    
    // In-code parameters for the demo: the searches bind as the directory's
    // rootdn from slapd.conf. Outside a demo these belong in propertiesFile(),
    // not in source.
    SimpleLDAPSearch.properties = () => {
        val url = "ldap://localhost"
        val base = "dc=company,dc=com"
        Map("ldap.url" -> url,
            "ldap.userName" -> "cn=admin,dc=company,dc=com",
            "ldap.password" -> "password",
            "ldap.base" -> base)
    }
    
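    // Demo: find the sample user, then verify its password with a bind.
    // Match on the list instead of indexing list1(0), which throws when the
    // search returned nothing.
    val list1 = SimpleLDAPSearch.ldap.search("(uid=sample_user_1)")
    list1 match {
        case Nil => println("sample_user_1 not found")
        case userDn :: _ => println(SimpleLDAPSearch.ldap.bindUser(userDn, "password"))
    }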
    

    The code is not exactly perfect,
    but it shows how simple Scala can be.

Here are my favourite lines of code:

  • Automatically convert types

    
    /** Implicit view from a java.util.Hashtable to an immutable Scala Map (the entries are copied). */
    implicit def convert(javaMap: Hashtable[String, String]) = {
        val wrapper = new MapWrapper[String, String]() {
            def underlying = javaMap
        }
        Map.empty ++ wrapper
    }
    

    To automatically convert a java.util.Hashtable (e.g. a java.util.Properties) into a Scala Map.
    Example:

    
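    val hashtable: java.util.Hashtable[String, String] = new java.util.Hashtable[String, String]()
    hashtable.put("some_key", "some_value")

    // A type ascription makes the compiler apply the implicit view `convert`.
    // `asInstanceOf` is a runtime cast: a Hashtable is not a scala Map, so on
    // current compilers that form fails with a ClassCastException.
    val map: Map[String, String] = hashtable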
    
  • A var holding a function that returns the LDAP properties file name

    
    object SimpleLDAPSearch {
        var propertiesFile: () => String = {
            () => "DEFAULT_PROPERTIES_FILE.properties"
        }
    ..
    // The properties-file supplier on the SimpleLDAPSearch singleton can be
    // swapped at any moment; it only takes effect if `ldap` (a lazy val) has
    // not been initialised yet. /tmp is shared by every local user, so a file
    // holding bind credentials is better kept under a path with restricted permissions.
    SimpleLDAPSearch.propertiesFile = { () => "/tmp/ldap.properties" }