Hi,
I am building a custom authentication mechanism, where the end user gets mapped to an alias.
I've followed some articles and came up with the code below, which works fine.
Now I don't know how to proceed with password expiry.
How do I detect that the password has expired?
How do I follow up on expiry by presenting a password change page?
Any help much appreciated!
This is my code so far.
importClass(Packages.com.ibm.security.access.user.UserLookupHelper);
importClass(Packages.com.ibm.security.access.user.User);
importClass(Packages.java.util.Properties);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
function trace(msg) {
  // Emits through IDMappingExtUtils; the entries show up when the trace
  // specification contains
  // com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils=ALL
  var line = "IdpMap " + msg;
  IDMappingExtUtils.traceString(line);
}
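trace("Started");

// LDAP attribute on the ISAM account that carries the IdP alias, and the
// DN suffix an account must sit under before it is accepted as the mapping.
var IDP_LDAP_ATTR = "businessCategory";
var REQUIRED_LDAP_SUFFIX = "c=nl";

// User-registry options handed to UserLookupHelper.init().
var prps = new java.util.Properties();
prps.put("ldap.enable-last-login", "true");
prps.put("ldap.login-failures-persistent", "true");

/**
 * True when `dn` is exactly the required suffix or ends with it as a whole
 * RDN (",c=nl"). A plain endsWith("c=nl") would also accept a DN under
 * "dc=nl", so the comparison is anchored on the RDN separator.
 * @param {string} dn - native id (DN) returned by the alias search
 * @returns {boolean}
 */
function hasRequiredSuffix(dn) {
  // String() normalises a Java string into a JS string before comparing.
  var lower = String(dn).toLowerCase();
  var suffix = REQUIRED_LDAP_SUFFIX.toLowerCase();
  if (lower === suffix) {
    return true;
  }
  var tail = "," + suffix;
  return lower.length > tail.length && lower.slice(-tail.length) === tail;
}

/**
 * Records a failed outcome: traces `reason`, publishes `message` to the
 * template's @ERROR_MESSAGE@ macro and leaves the mechanism unsuccessful,
 * so the configured default template is returned.
 * @param {string} reason - diagnostic text for the trace log only
 * @param {string} message - text shown to the end user
 */
function fail(reason, message) {
  trace(reason);
  macros.put("@ERROR_MESSAGE@", message);
  success.setValue(false);
}

var username = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "username");
var password = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "password");

if (username == null || password == null) {
  // First pass: no credentials yet, so the default template page is
  // returned to challenge for username and password.
  success.setValue(false);
} else {
  // Second pass, or parameters supplied directly.
  var hlpr = new UserLookupHelper();
  hlpr.init(false, prps);

  // One generic message for every failure before the credentials are
  // proven, so the page does not reveal whether the username exists.
  var errorString = "Username or Password not correct.";
  success.setValue(false);

  var user = hlpr.getUser(username);
  if (user == null) {
    fail("Username not found " + username, errorString);
  } else if (!user.authenticate(password)) {
    fail("Authentication has failed " + username, errorString);
  } else {
    trace("Authentication has succeeded " + username);
    // Credentials are valid; failures from here on are mapping problems.
    errorString = "Not possible to authenticate.";

    // Look up the ISAM account whose alias attribute equals the IdP username.
    // NOTE(review): assumes the helper escapes `username` inside the LDAP
    // filter it builds — confirm against the UserLookupHelper documentation.
    var searched = hlpr.search(IDP_LDAP_ATTR, username, 2);
    var count = searched == null ? 0 : searched.length;

    if (count > 1) {
      fail("Username attribute not unique in ldap.", errorString);
    } else if (count < 1) {
      fail("Username attribute not found in ldap.", errorString);
    } else if (!hasRequiredSuffix(searched[0])) {
      fail("User " + searched[0] + " has the wrong ldap suffix", errorString);
    } else {
      trace("Found user " + searched[0] + " from idp " + username + ".");
      var mapped = hlpr.getUserByNativeId(searched[0]);
      if (mapped == null) {
        // The search returned a DN the helper cannot load; treat as a
        // mapping failure rather than dereferencing null below.
        fail("Mapped user " + searched[0] + " could not be loaded.", errorString);
      } else {
        trace("ISAM user " + mapped.getId() + ".");
        // Mark the mechanism complete and set the username attribute in
        // the response token; add any further credential attributes here.
        context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "itfim_override_targeturl_attr", "/mobile-demo/diag/");
        context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "username", mapped.getId());
        success.setValue(true);
      }
    }
  }
}
trace("Ended");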
------------------------------
Paul van den Brink
------------------------------