/*
* The MIT License
*
* Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
import org.acegisecurity.providers.ProviderManager
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider
import org.acegisecurity.providers.ldap.LdapAuthenticationProvider
import org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2
import org.acegisecurity.ldap.DefaultInitialDirContextFactory
import org.acegisecurity.ldap.search.FilterBasedLdapUserSearch
import org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider
import hudson.model.Hudson
import hudson.security.LDAPSecurityRealm.AuthoritiesPopulatorImpl
import hudson.Util
import javax.naming.Context
/*
Configure LDAP as the authentication realm.
Authentication is performed by doing LDAP bind.
The 'instance' object refers to the instance of LDAPSecurityRealm
*/
/*
 * Shared JNDI directory-context factory. Every other LDAP bean in this file
 * (user search, bind authenticator, authorities populator) is wired to it.
 * The server URL is taken from the realm configuration (instance.getLDAPURL()).
 */
initialDirContextFactory(DefaultInitialDirContextFactory, instance.getLDAPURL() ) {
    // Optional "manager" credentials, only set when a manager DN is configured.
    // Presumably these are what the factory binds with for directory operations
    // that happen without the user's own bind (e.g. the user search) — confirm
    // against DefaultInitialDirContextFactory.
    if(instance.managerDN!=null) {
        managerDn = instance.managerDN;
        managerPassword = instance.getManagerPassword();
    }
    // Ask JNDI to follow LDAP referrals automatically.
    // NOTE(review): when referrals are followed, the connection (and the manager
    // credentials above, when set) may be re-established against whichever
    // server a referral points to; verify this is acceptable for the
    // directories this realm is expected to talk to.
    extraEnvVars = [(Context.REFERRAL):"follow"];
}
/*
 * Locates the directory entry of the user who is logging in. The search base
 * and the filter template both come from the realm configuration
 * (instance.userSearchBase, instance.userSearch); the lookup runs through the
 * shared initialDirContextFactory.
 * NOTE(review): the filter template is admin-supplied and the login name is
 * substituted into it by FilterBasedLdapUserSearch — confirm that the
 * substitution uses JNDI filter arguments (escaped) rather than plain string
 * concatenation.
 */
ldapUserSearch(FilterBasedLdapUserSearch, instance.userSearchBase, instance.userSearch, initialDirContextFactory) {
    // search the whole subtree under the base rather than a single level
    // (per the property name; confirm in FilterBasedLdapUserSearch)
    searchSubtree=true
}
/*
 * Authenticates a user by binding to the directory as that user. The entry to
 * bind as is resolved through the ldapUserSearch bean (the "find it" case
 * below); the commented-out userDnPatterns shows the alternative, where the
 * login name maps directly onto a DN without a search.
 */
bindAuthenticator(BindAuthenticator2,initialDirContextFactory) {
    // Use this when the user name can be translated directly into a DN.
    // userDnPatterns = [
    //     "uid={0},ou=people"
    // ]

    // Use this when the DN has to be looked up first.
    userSearch = ldapUserSearch;
}
/*
 * Resolves the groups a user belongs to and turns them into granted
 * authorities. Group lookup starts at instance.groupSearchBase (from the realm
 * configuration) and goes through the shared initialDirContextFactory.
 */
authoritiesPopulator(AuthoritiesPopulatorImpl, initialDirContextFactory, instance.groupSearchBase) {
    // see DefaultLdapAuthoritiesPopulator for other possible configurations
    searchSubtree = true;
    // One filter covering the common group schemas. Judging by the attributes
    // used, {0} appears to be substituted with the user's DN (member,
    // uniqueMember) and {1} with the plain user name (memberUid, posixGroup
    // style) — confirm against AuthoritiesPopulatorImpl before relying on it.
    groupSearchFilter = "(| (member={0}) (uniqueMember={0}) (memberUid={1}))";
    // rolePrefix = "ROLE_"; // Default is "ROLE_"
    // convertToUpperCase = false; // Default is true
}
/*
 * Top-level authentication manager: a ProviderManager holding the providers
 * in the order listed below.
 */
authenticationManager(ProviderManager) {
    providers = [
        // talk to LDAP: bind as the user, then resolve group memberships
        bean(LdapAuthenticationProvider,bindAuthenticator,authoritiesPopulator),

        // these providers apply everywhere
        bean(RememberMeAuthenticationProvider) {
            // Key used to validate remember-me tokens. It is the instance-wide
            // Hudson secret, so presumably whatever issues the tokens uses the
            // same key (not visible in this file).
            // NOTE(review): anything else keyed off the same secret shares its
            // exposure — confirm that reusing it here is intended.
            key = Hudson.getInstance().getSecretKey();
        },
        // this doesn't mean we allow anonymous access.
        // we just authenticate anonymous users as such,
        // so that later authorization can reject them if so configured
        bean(AnonymousAuthenticationProvider) {
            // presumably must agree with the key the anonymous filter puts
            // into its token (configured elsewhere; not visible in this file)
            key = "anonymous"
        }
    ]
}