AMBARI-3006. Having spaces within authentication.ldap.baseDn or authentication.ldap.managerDn will not connect to LDAP server on Active Directory. (Maksim Kononenko via mahadev)

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java

@@ -18,16 +18,17 @@
 package org.apache.ambari.server.security.authorization;
 
 import com.google.inject.Inject;
+import java.util.List;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.security.ClientSecurityType;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.ldap.core.support.LdapContextSource;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
 import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 
@@ -76,8 +77,10 @@ public class AmbariLdapAuthenticationProvider implements AuthenticationProvider
   private LdapAuthenticationProvider loadLdapAuthenticationProvider() {
     if (reloadLdapServerProperties()) {
       log.info("LDAP Properties changed - rebuilding Context");
-      DefaultSpringSecurityContextSource springSecurityContextSource =
-              new DefaultSpringSecurityContextSource(ldapServerProperties.get().getLdapUrls(), ldapServerProperties.get().getBaseDN());
+      LdapContextSource springSecurityContextSource = new LdapContextSource();
+      List<String> ldapUrls = ldapServerProperties.get().getLdapUrls();
+      springSecurityContextSource.setUrls(ldapUrls.toArray(new String[ldapUrls.size()]));
+      springSecurityContextSource.setBase(ldapServerProperties.get().getBaseDN());
 
       if (!ldapServerProperties.get().isAnonymousBind()) {
         springSecurityContextSource.setUserDn(ldapServerProperties.get().getManagerDn());

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDNWithSpaceTest.java

@@ -0,0 +1,132 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.orm.GuiceJpaInitializer;
+import org.apache.ambari.server.orm.dao.RoleDAO;
+import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.RoleEntity;
+import org.apache.ambari.server.orm.entities.UserEntity;
+import org.apache.ambari.server.security.ClientSecurityType;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.ldap.server.ApacheDSContainer;
+
+import static org.junit.Assert.*;
+
+public class AmbariLdapAuthenticationProviderForDNWithSpaceTest {
+  private static ApacheDSContainer apacheDSContainer;
+  private static Injector injector;
+
+  @Inject
+  private AmbariLdapAuthenticationProvider authenticationProvider;
+  @Inject
+  private UserDAO userDAO;
+  @Inject
+  private RoleDAO roleDAO;
+  @Inject
+  Configuration configuration;
+
+  @BeforeClass
+  public static void beforeClass() throws Exception{
+    injector = Guice.createInjector(new AuthorizationTestModuleForLdapDNWithSpace());
+    injector.getInstance(GuiceJpaInitializer.class);
+
+    apacheDSContainer = new ApacheDSContainer("dc=ambari,dc=the apache,dc=org", "classpath:/users_for_dn_with_space.ldif");
+    apacheDSContainer.setPort(33389);
+    apacheDSContainer.afterPropertiesSet();
+  }
+
+  @Before
+  public void setUp() {
+    injector.injectMembers(this);
+    configuration.setClientSecurityType(ClientSecurityType.LDAP);
+  }
+
+  @Test(expected = BadCredentialsException.class)
+  public void testBadCredential() throws Exception {
+    Authentication authentication = new UsernamePasswordAuthenticationToken("notFound", "wrong");
+    authenticationProvider.authenticate(authentication);
+  }
+
+  @Test
+  public void testAuthenticate() throws Exception {
+    assertNull("User alread exists in DB", userDAO.findLdapUserByName("the allowedUser"));
+    Authentication authentication = new UsernamePasswordAuthenticationToken("the allowedUser", "password");
+    Authentication result = authenticationProvider.authenticate(authentication);
+    assertTrue(result.isAuthenticated());
+    assertNotNull("User was not created", userDAO.findLdapUserByName("the allowedUser"));
+    result = authenticationProvider.authenticate(authentication);
+    assertTrue(result.isAuthenticated());
+  }
+
+  @Test
+  public void testDisabled() throws Exception {
+    configuration.setClientSecurityType(ClientSecurityType.LOCAL);
+    Authentication authentication = new UsernamePasswordAuthenticationToken("the allowedUser", "password");
+    Authentication auth = authenticationProvider.authenticate(authentication);
+    assertTrue(auth == null);
+  }
+
+  @Test
+  public void testLdapAdminGroupToRolesMapping() throws Exception {
+
+    Authentication authentication;
+
+    authentication =
+        new UsernamePasswordAuthenticationToken("allowedAdmin", "password");
+    Authentication result = authenticationProvider.authenticate(authentication);
+    assertTrue(result.isAuthenticated());
+
+    UserEntity allowedAdminEntity = userDAO.findLdapUserByName("allowedAdmin");
+
+    authentication =
+        new UsernamePasswordAuthenticationToken("the allowedUser", "password");
+    authenticationProvider.authenticate(authentication);
+    UserEntity allowedUserEntity = userDAO.findLdapUserByName("the allowedUser");
+
+
+    RoleEntity adminRole = roleDAO.findByName(
+        configuration.getConfigsMap().get(Configuration.ADMIN_ROLE_NAME_KEY));
+    RoleEntity userRole = roleDAO.findByName(
+        configuration.getConfigsMap().get(Configuration.USER_ROLE_NAME_KEY));
+
+
+    assertTrue(allowedAdminEntity.getRoleEntities().contains(userRole));
+    assertTrue(allowedAdminEntity.getRoleEntities().contains(adminRole));
+
+    assertTrue(allowedUserEntity.getRoleEntities().contains(userRole));
+    assertFalse(allowedUserEntity.getRoleEntities().contains(adminRole));
+
+
+  }
+
+  @AfterClass
+  public static void afterClass() {
+    apacheDSContainer.stop();
+  }
+}

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModuleForLdapDNWithSpace.java

@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ambari.server.security.authorization;
+
+import com.google.inject.AbstractModule;
+import java.util.Properties;
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.controller.ControllerModule;
+
+public class AuthorizationTestModuleForLdapDNWithSpace extends AbstractModule {
+  @Override
+  protected void configure() {
+    Properties properties = new Properties();
+    properties.setProperty(Configuration.CLIENT_SECURITY_KEY, "ldap");
+    properties.setProperty(Configuration.SERVER_PERSISTENCE_TYPE_KEY, "in-memory");
+    properties.setProperty(Configuration.METADETA_DIR_PATH,
+        "src/test/resources/stacks");
+    properties.setProperty(Configuration.SERVER_VERSION_FILE,
+        "target/version");
+    properties.setProperty(Configuration.OS_VERSION_KEY,
+        "centos5");
+    //make ambari detect active configuration
+    properties.setProperty(Configuration.LDAP_BASE_DN_KEY, "dc=ambari,dc=the apache,dc=org");
+    properties.setProperty(Configuration.LDAP_GROUP_BASE_KEY, "ou=the groups,dc=ambari,dc=the apache,dc=org");
+
+    try {
+      install(new ControllerModule(properties));
+    } catch (Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+}

ambari-server/src/test/resources/users_for_dn_with_space.ldif

@@ -0,0 +1,51 @@
+dn: ou=the groups,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: the groups
+
+dn: ou=the people,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: the people
+
+dn: uid=the allowedUser,ou=the people,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: CraigWalls
+sn: Walls
+uid: the allowedUser
+userPassword:password
+
+dn: uid=deniedUser,ou=the people,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: JohnSmith
+sn: Smith
+uid: deniedUser
+userPassword:password
+
+dn: cn=admin,ou=the groups,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:groupOfNames
+cn: admin
+member: uid=the allowedUser,ou=the people,dc=ambari,dc=the apache,dc=org
+
+dn: uid=allowedAdmin,ou=the people,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: CraigWalls
+sn: Walls
+uid: allowedAdmin
+userPassword:password
+
+dn: cn=Ambari Administrators,ou=the groups,dc=ambari,dc=the apache,dc=org
+objectclass:top
+objectclass:group
+cn: Ambari Administrators
+member: uid=allowedAdmin,ou=the people,dc=ambari,dc=the apache,dc=org