OO-598: option to create or not LDAP users on login

d4f65305 · srosse · 507e867c · d4f65305 · d4f65305 · d4f65305
Commit d4f65305 authored 11 years ago by srosse
--- a/src/main/java/org/olat/ldap/LDAPLoginModule.java
+++ b/src/main/java/org/olat/ldap/LDAPLoginModule.java
@@ -80,6 +80,10 @@ public class LDAPLoginModule implements Initializable {
 	// List of bases where to find users
 	private static List<String> ldapBases;
 	private static Integer connectionTimeout;
+	/**
+	 * Create LDAP users on the fly when authenticated successfully
+	 */
+	private boolean createUsersOnLogin;
 	// Use a valid ldap password and save it as olat password to reduce dependency
 	// to LDAP server availability and allow WeDAV access
 	private static boolean cacheLDAPPwdAsOLATPwdOnLogin;
@@ -581,7 +585,11 @@ public class LDAPLoginModule implements Initializable {
 	public void setCacheLDAPPwdAsOLATPwdOnLogin(boolean cacheLDAPPwdAsOLATPwdOnLogin) {
 		LDAPLoginModule.cacheLDAPPwdAsOLATPwdOnLogin = cacheLDAPPwdAsOLATPwdOnLogin;
 	}
-	
+
+	public void setCreateUsersOnLogin(boolean createUsersOnLogin) {
+		this.createUsersOnLogin = createUsersOnLogin;
+	}
+
 	public void setConvertExistingLocalUsersToLDAPUsers(boolean convertExistingLocalUsersToLDAPUsers) {
 		LDAPLoginModule.convertExistingLocalUsersToLDAPUsers = convertExistingLocalUsersToLDAPUsers;
 	}
@@ -703,6 +711,10 @@ public class LDAPLoginModule implements Initializable {
 	public static String getLdapSyncCronSyncExpression() {
 		return ldapSyncCronSyncExpression;
 	}
+	
+	public boolean isCreateUsersOnLogin() {
+		return createUsersOnLogin;
+	}

 	public static boolean isCacheLDAPPwdAsOLATPwdOnLogin() {
 		return cacheLDAPPwdAsOLATPwdOnLogin;

--- a/src/main/java/org/olat/ldap/_spring/ldapContext.xml
+++ b/src/main/java/org/olat/ldap/_spring/ldapContext.xml
@@ -3,7 +3,7 @@
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="
  http://www.springframework.org/schema/beans 
-  http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+  http://www.springframework.org/schema/beans/spring-beans.xsd">

   	<!--
 		*****************************************
@@ -37,6 +37,7 @@
 		<property name="trustStoreLocation" value="${ldap.trustStoreLocation}"/>
 		<property name="trustStorePwd" value="${ldap.trustStorePwd}"/>
 		<property name="trustStoreType" value="${ldap.trustStoreType}"/>
+		<property name="createUsersOnLogin" value="${ldap.ldapCreateUsersOnLogin}" />
 		<!-- 
 			When users log in via LDAP, the system can keep a copy of the password as encrypted
 			hash in the database. This makes OLAT more independent from an offline LDAP server 

--- a/src/main/java/org/olat/ldap/ui/LDAPAuthenticationController.java
+++ b/src/main/java/org/olat/ldap/ui/LDAPAuthenticationController.java
@@ -254,17 +254,25 @@ protected void event(UserRequest ureq, Component source, Event event) {
 	}
 	
 	public static Identity authenticate(String username, String pwd, LDAPError ldapError) {
+		final LDAPLoginModule ldapModule = CoreSpringFactory.getImpl(LDAPLoginModule.class);
+		final LDAPLoginManager ldapManager = CoreSpringFactory.getImpl(LDAPLoginManager.class);
+		final BaseSecurity secMgr = BaseSecurityManager.getInstance();
 		
-		LDAPLoginManager ldapManager = (LDAPLoginManager) CoreSpringFactory.getBean(LDAPLoginManager.class);
+		//authenticate against LDAP server
 		Attributes attrs = ldapManager.bindUser(username, pwd, ldapError);
-		
 		if (ldapError.isEmpty() && attrs != null) { 
 			Identity identity = ldapManager.findIdentyByLdapAuthentication(username, ldapError);
-			if (!ldapError.isEmpty()) return null;
+			if (!ldapError.isEmpty()) {
+				return null;
+			}
 			if (identity == null) {
-				// User authenticated but not yet existing - create as new OLAT user
-				ldapManager.createAndPersistUser(attrs);
-				identity = ldapManager.findIdentyByLdapAuthentication(username, ldapError);
+				if(ldapModule.isCreateUsersOnLogin()) {
+					// User authenticated but not yet existing - create as new OLAT user
+					ldapManager.createAndPersistUser(attrs);
+					identity = ldapManager.findIdentyByLdapAuthentication(username, ldapError);
+				} else {
+					ldapError.insert("login.notauthenticated");
+				}
 			} else {
 				// User does already exist - just sync attributes
 				Map<String, String> olatProToSync = ldapManager.prepareUserPropertyForSync(attrs, identity);
@@ -274,7 +282,7 @@ protected void event(UserRequest ureq, Component source, Event event) {
 			}
 			// Add or update an OLAT authentication token for this user if configured in the module
 			if (identity != null && LDAPLoginModule.isCacheLDAPPwdAsOLATPwdOnLogin()) {
-				BaseSecurity secMgr = BaseSecurityManager.getInstance();
+				
 				Authentication auth = secMgr.findAuthentication(identity, BaseSecurityModule.getDefaultAuthProviderIdentifier());
 				if (auth == null) {
 					// Create new authentication token

--- a/src/main/resources/serviceconfig/olat.properties
+++ b/src/main/resources/serviceconfig/olat.properties
@@ -707,6 +707,8 @@ ldap.sslEnabled=false
 ldap.trustStoreLocation=/usr/lib/j2sdk1.5-sun/jre/lib/security/cacerts
 ldap.trustStorePwd=changeit
 ldap.trustStoreType=JKS
+# Create LDAP users on the fly when authenticated successfully
+ldap.ldapCreateUsersOnLogin=true
 # When users log in via LDAP, the system can keep a copy of the password as encrypted
 # hash in the database. This makes OLAT more independent from an offline LDAP server
 # and users can use their LDAP password to use the WebDAV functionality.