Commit 11f64453 authored by Marvin S. Addison's avatar Marvin S. Addison
Browse files

Add existing ED usage samples located in middleware.vt.edu/pubs/code.


git-svn-id: https://svn.middleware.vt.edu/svn/ed/edsamples@9917 fa4a4108-76f2-0310-9f0d-ba9fffaf4ff6
parent 01031e36
#include <stdio.h>
#include <ldap.h>
int main(int argc, char* argv[])
{
LDAP* ldap;
LDAPMessage *result, *entry;
BerElement* ber;
char *HOST_NAME = "authn.directory.vt.edu";
int PORT_NUMBER = 389;
char *PASSWORD = "PASSWORD";
char *filter = "(uupid=UUPID)";
char *attrs[] = {"eduPersonPrimaryAffiliation",
"eduPersonAffiliation", NULL};
char *base = "ou=People,dc=vt,dc=edu";
char *attribute = NULL;
char **values = NULL;
char *dn = NULL;
char *cmpAttr = "eduPersonAffiliation";
char *cmpVal = "VT-ACTIVE-MEMBER";
int i, resultCode, version;
/* Initialize an LDAP connection. */
if( (ldap = ldap_init(HOST_NAME, PORT_NUMBER)) == NULL)
{
perror("ldap_init");
return 1;
}
/* Set the version number so that we may use startTLS. */
version = LDAP_VERSION3;
ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
if(ldap_start_tls_s(ldap, NULL, NULL) != LDAP_SUCCESS)
{
ldap_perror(ldap, "ldap_start_tls");
}
resultCode = ldap_search_ext_s(ldap, base, LDAP_SCOPE_SUBTREE,
filter, NULL, 0, NULL, NULL,
NULL, LDAP_NO_LIMIT, &result);
if(resultCode != LDAP_SUCCESS)
{
/* another way to print errors...
fprintf(stderr, "ldap_search_ext_s: %s\n",
ldap_err2string(resultCode));
*/
ldap_perror(ldap, "ldap_search_ext_s");
ldap_unbind_ext_s(ldap, NULL, NULL);
return 1;
}
entry = ldap_first_entry(ldap, result);
if(entry != NULL)
{
dn = ldap_get_dn(ldap, entry);
ldap_msgfree(result);
}
else
{
printf("search on filter: %s returned no entries\n", filter);
ldap_msgfree(result);
ldap_unbind_ext_s(ldap, NULL, NULL);
return 1;
}
/* Bind as a user. If PASSWORD is NULL, resultCode will be LDAP_UNWILLING_TO_PERFORM.
Always make sure password is not NULL. */
resultCode = ldap_simple_bind_s(ldap, dn, PASSWORD);
if(resultCode != LDAP_SUCCESS)
{
ldap_perror(ldap, "ldap_simple_bind_s");
ldap_memfree(dn);
return 1;
}
/* Search for the user. */
resultCode = ldap_search_ext_s(ldap, dn, LDAP_SCOPE_BASE,
filter, attrs, 0, NULL, NULL,
NULL, LDAP_NO_LIMIT, &result);
if( resultCode != LDAP_SUCCESS)
{
ldap_perror(ldap, "ldap_search_ext_s");
ldap_memfree(dn);
return 1;
}
/* Since we are doing a base search, there should be only one
matching entry */
entry = ldap_first_entry(ldap, result);
if(entry != NULL)
{
printf("\ndn: %s\n", dn);
/* Iterate through each attribute in the entry. */
for( attribute = ldap_first_attribute(ldap, entry, &ber);
attribute != NULL;
attribute = ldap_next_attribute(ldap, entry, ber))
{
/*For each attribute, print the name and values.*/
values = ldap_get_values(ldap, entry, attribute);
if( values != NULL)
{
for(i = 0; values[i] != NULL; i++)
{
printf("%s: %s\n", attribute, values[i]);
}
ldap_value_free(values);
}
ldap_memfree(attribute);
}
if(ber != NULL)
{
ber_free(ber, 0);
}
}
/* see if user has a specific affiliation */
resultCode = ldap_compare_s(ldap, dn, cmpAttr, cmpVal);
if(resultCode == LDAP_COMPARE_TRUE)
printf("ldap_compare_s: %s has %s=%s\n", dn, cmpAttr, cmpVal);
else
printf("ldap_compare_s: %s does not have %s=%s\n", dn, cmpAttr, cmpVal);
ldap_msgfree(result);
ldap_memfree(dn);
ldap_unbind_ext_s(ldap, NULL, NULL);
return 0;
}
#include <stdio.h>
#include <ldap.h>
int main(int argc, char* argv[])
{
LDAP* ldap;
LDAPMessage *result, *entry;
BerElement* ber;
char *HOST_NAME = "id.directory.vt.edu";
int PORT_NUMBER = 389;
char *filter = "(uupid=UUPID)";
char *attrs[] = { NULL };
char *base = "ou=People,dc=vt,dc=edu";
char *attribute = NULL;
char **values = NULL;
char *dn = NULL;
char *cmpAttr = "eduPersonAffiliation";
char *cmpVal = "VT-ACTIVE-MEMBER";
int i, resultCode, version;
struct berval cred;
cred.bv_val = "";
cred.bv_len = strlen(cred.bv_val)*sizeof(char);
/* Initialize an LDAP connection. */
if( (ldap = ldap_init(HOST_NAME, PORT_NUMBER)) == NULL)
{
perror("ldap_init");
return 1;
}
/* Set the version number so that we may use startTLS. */
version = LDAP_VERSION3;
ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
if(ldap_start_tls_s(ldap, NULL, NULL) != LDAP_SUCCESS)
{
ldap_perror(ldap, "ldap_start_tls_s");
}
resultCode = ldap_sasl_bind_s(ldap, NULL, "EXTERNAL", &cred, NULL,
NULL, NULL);
if(resultCode != LDAP_SUCCESS)
{
ldap_perror(ldap, "ldap_sasl_bind_s");
}
resultCode = ldap_search_ext_s(ldap, base, LDAP_SCOPE_SUBTREE,
filter, attrs, 0, NULL, NULL,
NULL, LDAP_NO_LIMIT, &result);
if(resultCode != LDAP_SUCCESS)
{
/* another way to print errors...
fprintf(stderr, "ldap_search_ext_s: %s\n",
ldap_err2string(resultCode));
*/
ldap_perror(ldap, "ldap_search_ext_s");
ldap_unbind_ext_s(ldap, NULL, NULL);
return 1;
}
entry = ldap_first_entry(ldap, result);
if(entry != NULL)
dn = ldap_get_dn(ldap, entry);
else
{
printf("search on filter: %s returned no entries\n", filter);
ldap_msgfree(result);
ldap_unbind_ext_s(ldap, NULL, NULL);
return 1;
}
/* print out all attribute/value pairs */
if(entry != NULL)
{
printf("\ndn: %s\n", dn);
/* Iterate through each attribute in the entry. */
for( attribute = ldap_first_attribute(ldap, entry, &ber);
attribute != NULL;
attribute = ldap_next_attribute(ldap, entry, ber))
{
/*For each attribute, print the name and values.*/
values = ldap_get_values(ldap, entry, attribute);
if( values != NULL)
{
for(i = 0; values[i] != NULL; i++)
{
printf("%s: %s\n", attribute, values[i]);
}
ldap_value_free(values);
}
ldap_memfree(attribute);
}
if(ber != NULL)
{
ber_free(ber, 0);
}
}
/* see if user has a specific affiliation */
resultCode = ldap_compare_s(ldap, dn, cmpAttr, cmpVal);
if(resultCode == LDAP_COMPARE_TRUE)
printf("ldap_compare_s: %s has %s=%s\n", dn, cmpAttr, cmpVal);
else
printf("ldap_compare_s: %s does not have %s=%s\n", dn, cmpAttr, cmpVal);
ldap_msgfree(result);
ldap_memfree(dn);
ldap_unbind_ext_s(ldap, NULL, NULL);
return 0;
}
/**
* winldap-edauth.c
* This code is an example of how to connect to ED-Auth,
* search for an entry by a person's UUPID, bind as that
* UUPID, and then determine if that person is an active
* member at VT with the winldap library.
* This illustrates the basic authentication/
* authorization ED-Auth is to be used for.
*
* Notes: * You must have imported the VTCA chain into the
* Windows keystore before this code will work properly.
* This is available at https://vtmwra.eprov.iad.vt.edu/cacert,
* or click on "immediate installation" and run the .exe at
* http://www.pki.vt.edu/download/ie6.html. This will
* automatically install the CA for you.
*
* * You must link this against wldap32.lib
*/
#include <windows.h>
#include <ntldap.h>
#include <winldap.h>
#include <stdio.h>
/**
* Search for the DN with the supplied UUPID, bind as that DN with the
* given credentials, and then determine if the entry has the
* specified affiliation.
*/
int main(int argc, char* argv[])
{
LDAP* ld = NULL;
INT retVal = 0;
PCHAR pHost = "authn.directory.vt.edu";
int port = 636;
char* base = "ou=People,dc=vt,dc=edu";
char* filter = "(uupid=UUPID)";
LDAPMessage *result, *entry;
char *dn;
char *pass = "PASSWORD";
char *cmpAttr = "eduPersonAffiliation";
char *cmpVal = "VT-ACTIVE-MEMBER";
ULONG version = LDAP_VERSION3;
SecPkgContext_ConnectionInfo sslInfo;
LONG lv = 0;
printf("\nConnecting to host \"%s\" ...\n",pHost);
// Create an LDAP session.
ld = ldap_sslinit(pHost, port, 1);
if (ld == NULL)
{
printf( "ldap_sslinit failed with 0x%x.\n",GetLastError());
return -1;
}
// Specify version 3; the default is version 2.
printf("Setting Protocol version to 3.\n");
retVal = ldap_set_option(ld,
LDAP_OPT_PROTOCOL_VERSION,
(void*)&version);
if (retVal != LDAP_SUCCESS)
return 1;
retVal = ldap_set_option(ld,LDAP_OPT_SSL,LDAP_OPT_ON);
// Connect to the server.
retVal = ldap_connect(ld, NULL);
if(retVal == LDAP_SUCCESS)
printf("ldap_connect succeeded \n");
else
{
printf("ldap_connect failed with 0x%x.\n",retVal);
return 1;
}
// Search for the UUPID
retVal = ldap_search_s(ld, base, LDAP_SCOPE_SUBTREE, filter, NULL, NULL, &result);
if(retVal != LDAP_SUCCESS)
{
printf("ldap_search_s failed with 0x%x.\n",retVal);
return 1;
}
// Get the DN
entry = ldap_first_entry(ld, result);
dn = ldap_get_dn(ld, entry);
ldap_msgfree(result);
// Bind with current credentials.
printf("Binding with dn %s...\n", dn);
retVal = ldap_bind_s(ld,dn,pass,LDAP_AUTH_SIMPLE);
if (retVal != LDAP_SUCCESS)
printf("Bind failed with 0x%x.\n", retVal);
else
printf("Bind as %s succeeded.\n", dn);
// Determine if this person has the affiliation we want
retVal = ldap_compare_s(ld, dn, cmpAttr, cmpVal);
if(retVal != LDAP_COMPARE_TRUE)
printf("ldap_compare_s failed with 0x%x.\n",retVal);
else
printf("%s == %s", cmpAttr, cmpVal);
ldap_memfree(dn);
ldap_unbind_s(ld);
return 0;
}
/**
* winldap-edid.c
* This code is an example of how to connect to ED-ID, do a
* SASL EXTERNAL bind with a client certificate, search for a user,
* print out the user's attributes, and then determine if the user
* has the proper affiliation specified. This is but the tip of the
* iceberg for authorization that can be done with ED-ID.
*
* Notes: * You must have a client certificate that has been issued
* by the VT Middleware CA to connect to ED-ID.
* * You must have a service entry that corresponds to your
* client certificate to be able to view entries
* * You must have imported the VTCA chain into the
* Windows keystore before this code will work properly.
* This is available at https://vtmwra.eprov.iad.vt.edu/cacert,
* or click on "immediate installation" and run the .exe at
* http://www.pki.vt.edu/download/ie6.html. This will
* automatically install the CA for you.
* * Your client certificate must also be in the Windows
* keystore (see Appendix for instructions)
* * You must link this against wldap32.lib
*/
#include <windows.h>
#include <ntldap.h>
#include <winldap.h>
#include <stdio.h>
#include <winber.h>
/**
* Do a SASL EXTERNAL bind, search for the user with the supplied UUPID,
* print all attributes for the person, determine if the person has the
* specified affiliation.
*/
int main(int argc, char* argv[])
{
LDAP* ld = NULL;
INT retVal = 0;
PCHAR pHost = "id.directory.vt.edu";
int port = 636;
char* base = "ou=people,dc=vt,dc=edu";
char* filter = "(uupid=UUPID)";
LDAPMessage *result, *entry;
char *dn;
char *cmpAttr = "eduPersonAffiliation";
char *cmpVal = "VT-ACTIVE-MEMBER";
struct berval cred;
struct berval *servercredp;
ULONG version = LDAP_VERSION3;
cred.bv_val = "";
cred.bv_len = strlen(cred.bv_val)*sizeof(char);
printf("\nConnecting to host \"%s\" ...\n",pHost);
// Create an LDAP session.
ld = ldap_sslinit(pHost, port, 1);
if (ld == NULL)
{
printf( "ldap_sslinit failed with 0x%x.\n",GetLastError());
return -1;
}
// Specify version 3; the default is version 2.
printf("Setting Protocol version to 3.\n");
retVal = ldap_set_option(ld,
LDAP_OPT_PROTOCOL_VERSION,
(void*)&version);
retVal = ldap_set_option(ld,LDAP_OPT_SSL,LDAP_OPT_ON);
// Connect to the server.
retVal = ldap_connect(ld, NULL);
if(retVal == LDAP_SUCCESS)
printf("ldap_connect succeeded \n");
else
{
printf("ldap_connect failed with 0x%x.\n",retVal);
return 1;
}
// Perform a SASL EXTERNAL bind. The CN of your client certificate
// will be your service's UUSID
retVal = ldap_sasl_bind_s(ld, "", "EXTERNAL" , &cred, NULL, NULL, &servercredp);
if(retVal != LDAP_SUCCESS)
printf("ldap_sasl_bind_s failed with 0x%x\n", retVal);
else
printf("ldap_sasl_bind_s succeeded\n");
// Search for a person by UUPID
retVal = ldap_search_s(ld, base, LDAP_SCOPE_SUBTREE, filter, NULL, NULL, &result);
if(retVal != LDAP_SUCCESS)
printf("ldap_search_s failed with 0x%x.\n",retVal);
// Get the first entry and its DN
entry = ldap_first_entry(ld, result);
dn = ldap_get_dn(ld, entry);
// Print out all viewable attributes for the person
if(entry != NULL)
{
char *attribute;
BerElement *ber;
char **values;
for(attribute = ldap_first_attribute(ld, entry, &ber);
attribute != NULL;
attribute = ldap_next_attribute(ld, entry, ber))
{
if((values = ldap_get_values(ld, entry, attribute)) != NULL)
{
for(int i = 0; values[i] != NULL; i++)
{
printf("%s: %s\n", attribute, values[i]);
}
ldap_value_free(values);
}
ldap_memfree(attribute);
}
if(ber != NULL)
{
ber_free(ber, 0);
}
}
ldap_msgfree(result);
// Determine if the person has the specified affiliation
retVal = ldap_compare_s(ld, dn, cmpAttr, cmpVal);
if(retVal != LDAP_COMPARE_TRUE)
printf("ldap_compare_s failed with 0x%x.\n",retVal);
else
printf("\n%s == %s", cmpAttr, cmpVal);
ldap_memfree(dn);
ldap_unbind_s(ld);
return 0;
}
import edu.vt.middleware.ldap.ed.EdAuth;
/**
* <p>
* EdAuthLibTest provides a test for the EdAuth class.
* </p>
*/
public final class EdAuthLibTest
{
public void doTest()
throws Exception
{
String uupid = "UUPID";
String credential = "PASSWORD";
String filter = "AUTHORIZATION FILTER";
final EdAuth auth = new EdAuth();
if (auth.authenticateAndAuthorize(uupid, credential, filter)) {
System.out.println("Primary affiliation: "+
auth.getPrimaryAffiliation(uupid, credential));
final String[] affil = auth.getAffiliations(uupid, credential);
System.out.println("Affiliations: ");
for (int i = 0; i < affil.length; i++) {
System.out.println(" "+affil[i]);
}
} else {
System.out.println("Authentication or Authorization failed");
}
}
public static void main(final String[] args)
throws Exception
{
final EdAuthLibTest test = new EdAuthLibTest();
test.doTest();
}
}
import java.io.IOException;
import java.util.Hashtable;
import java.util.ArrayList;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
public class EdAuthTlsExample
{
public static void main(String[] args) {
if (args.length < 2) {
System.err.println("USAGE: EdAuthTlsExample uupid pass");
return;
}
String hostName = "ldap://authn.directory.vt.edu";
String baseDn = "ou=People,dc=vt,dc=edu";
String pid = args[0];
String credential = args[1];
// Set up JNDI context for an anonymous search for uupid
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, hostName);
env.put("java.naming.ldap.version", "3");
LdapContext ctx = null;
StartTlsResponse tls = null;
try {
ctx = new InitialLdapContext(env, null);
// Authentication must be performed over a secure channel
tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
tls.negotiate();
// Perform anonymous lookup of user DN based on uupid attribute
BasicAttributes attrs = new BasicAttributes("uupid", pid);
String[] retAttrs = new String[] { "dn" };
NamingEnumeration ne1 = ctx.search(baseDn, attrs, retAttrs);
SearchResult pidSearchResult = (SearchResult) ne1.next();
if (pidSearchResult == null) {
System.out.println(pid+" not found in ED-Auth");
return;
}
String userDn = pidSearchResult.getNameInNamespace();
System.out.println("Found user DN "+userDn);
// Authenticate the user and search for privileged attributes
// belonging to authenticated user
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credential);
ctx.reconnect(null);
NamingEnumeration ne2 = ctx.search(baseDn, attrs);
while (ne2.hasMore()) {
SearchResult sr = (SearchResult) ne2.next();
NamingEnumeration attributes = sr.getAttributes().getAll();
while (attributes.hasMore()) {
Attribute attr = (Attribute) attributes.next();
System.out.println(attr.getID());
NamingEnumeration values = attr.getAll();
while (values.hasMore()) {
System.out.println("\t" + values.next());
}
}
}
} catch (IOException e) {
System.err.println("TLS negotiation error:");
e.printStackTrace();
} catch (NamingException e) {
System.err.println("JNDI error:");
e.printStackTrace();
} finally {
if (tls != null) {
try {
// Tear down TLS connection
tls.close();
} catch (IOException e) {
System.err.println("Error tearing down TLS connection.");
}
}