Commonize & simplify LDAP and LDAPS auth

This makes it easy for further instances and projects
outside the IDS to use Kustvakt-full with their own LDAP.

Change-Id: I710f50079348d6cff9fd33376aebda33bc9f408e
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java b/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
index 810d22b..53c8a1b 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
@@ -1,511 +1,221 @@
-/* - Klasse zum Implementieren einer Benutzer-Authentifikation mittels LDAP
- *   in der IDM-Datenbank (Identit�tsmanagement) von Eric Seubert, IDS.
- * - externe Bibliothek ist Novel JLDAP.
- * 27.01.17/FB
- *
- * Sourcen:
- * - https://www.novell.com/documentation/developer/samplecode/jldap_sample/VerifyPassword.java.html
- * - https://www.novell.com/documentation/developer/samplecode/jldap_sample/LDAPOIDs.java.html
- * - https://www.novell.com/documentation/developer/jldap/jldapenu/data/a90352e.html
- * WICHTIG:
- * - Novell-Bibliothek liefert 0 Treffer, wenn man nacheinander sucht!
- *   Grund daf�r nicht gefunden.
- *
- * Version von unboundID - 19.04.17/FB
- *
- * UnboundID LDAP SDK For Java � 3.2.1
- * The UnboundID LDAP SDK for Java is a fast, comprehensive, and easy-to-use Java API for 
- * communicating with LDAP directory servers and performing related tasks like reading and writing LDIF, 
- * encoding and decoding data using base64 and ASN.1 BER, and performing secure communication. This package 
- * contains the Standard Edition of the LDAP SDK, which is a complete, general-purpose library for 
- * communicating with LDAPv3 directory servers. 
- * TODO:
- * - gesichertes Login mit gesch�tztem Passwort.
- * - Passwort des Admin verschl�sseln.
+/*
+ *   user authentication via LDAP
  */
- 
+
 package de.ids_mannheim.korap.authentication;
 
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.util.Enumeration;
-import java.util.Properties;
-
 import com.nimbusds.jose.JOSEException;
-import com.unboundid.ldap.sdk.Attribute;
-import com.unboundid.ldap.sdk.LDAPConnection;
-import com.unboundid.ldap.sdk.LDAPException;
-import com.unboundid.ldap.sdk.LDAPSearchException;
-import com.unboundid.ldap.sdk.SearchResult;
-import com.unboundid.ldap.sdk.SearchResultEntry;
-import com.unboundid.ldap.sdk.SearchScope;
-
+import com.unboundid.ldap.sdk.*;
+import com.unboundid.util.ssl.SSLUtil;
+import com.unboundid.util.ssl.TrustAllTrustManager;
+import com.unboundid.util.ssl.TrustStoreTrustManager;
 import de.ids_mannheim.korap.config.FullConfiguration;
 import de.ids_mannheim.korap.constant.TokenType;
+import org.apache.commons.text.StringSubstitutor;
+
+import javax.net.ssl.SSLSocketFactory;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
 
 
 /**
- * LDAP Login Tests
- * 
- * @author bodmer, margaretha
+ * LDAP Login
+ *
+ * @author bodmer, margaretha, kupietz
  * @see APIAuthentication
  */
 public class LdapAuth3 extends APIAuthentication {
 
-    /* For SSL Connection to LDAP, see: https://www.novell.com/documentation/developer/jldap/jldapenu/data/cchcbejj.html.
-	 * and use DEFAULT_SSL_PORT.
-     * For now, plain text connection is used.
-	 * FB
-	 */
-	final static Boolean DEBUGLOG 	= false;		// log debug output.
-	final static String attC2 		= "idsC2";		// if value == TRUE: registered for COSMAS II (KorAP) Service.
-	final static String attStatus	= "idsStatus";	// value must be 0..2, 3 = locked account.
-	final static String attEmail	= "mail";		// attribute whose value is the requested email.
-	final static int ldapPort 		= 389; 			//LDAPConnection.DEFAULT_PORT;
-	// final static int ldapVersion	= LDAPConnection.LDAP_V3;
-	final static String ldapHost 	= "ldap.ids-mannheim.de";
-	final static String ldapBase	= "dc=ids-mannheim,dc=de";
-	final static String sLoginDN 	= "cn=casaling,dc=ids-mannheim,dc=de";
-	static String sPwd 				= null;
+    public static final int LDAP_AUTH_ROK = 0;
+    public static final int LDAP_AUTH_RCONNECT = 1; // cannot connect to LDAP Server
+    public static final int LDAP_AUTH_RINTERR = 2; // internal error: cannot verify User+Pwd.
+    /* cannot be distinguished, currently
+    public static final int LDAP_AUTH_RUNKNOWN = 3; // User Account or Pwd unknown;
+    public static final int LDAP_AUTH_RLOCKED = 4; // User Account locked;
+    public static final int LDAP_AUTH_RNOTREG = 5; // User known, but has not registered to KorAP/C2 Service yet;
+     */
+    public static final int LDAP_AUTH_RNOEMAIL = 6; // cannot obtain email for sUserDN
+    public static final int LDAP_AUTH_RNAUTH = 7; // User Account or Pwd unknown, or not authorized
+    final static Boolean DEBUGLOG = false;        // log debug output.
 
-	/**
-	 * return codes for functions of this class:
-	 */
-
-	public static final int LDAP_AUTH_ROK		= 0; 
-	public static final int LDAP_AUTH_RCONNECT	= 1; // cannot connect to LDAP Server
-	public static final int LDAP_AUTH_RINTERR	= 2; // internal error: cannot verify User+Pwd.
-	public static final int LDAP_AUTH_RUNKNOWN	= 3; // User Account or Pwd unknown;
-	public static final int LDAP_AUTH_RLOCKED	= 4; // User Account locked;
-	public static final int LDAP_AUTH_RNOTREG	= 5; // User known, but has not registered to KorAP/C2 Service yet;
-	public static final int LDAP_AUTH_RNOEMAIL	= 6; // cannot obtain email for sUserDN.
-
-    public LdapAuth3 (FullConfiguration config) throws JOSEException {
+    public LdapAuth3(FullConfiguration config) throws JOSEException {
         super(config);
-    }	
-    
-	
-	@Override
-	public TokenType getTokenType () {
-	    return TokenType.API;
-	}
-	 
-	/**
-	 * getErrMessage:
-	 * returns String Message for LDAP_AUTH_Rxxx code.
-	 * @date 20.04.17/FB
-	 * @param code
-	 * @return Message in string form.
-	 */
-	public static String getErrMessage(int code)
-	
-	{
-	switch(code)
-		{
-	case LDAP_AUTH_ROK: 
-		return "LDAP Authentication successfull.";
-	case LDAP_AUTH_RCONNECT:
-		return "LDAP Authentication: connecting to LDAP Server failed!";
-	case LDAP_AUTH_RINTERR: 
-		return "LDAP Authentication failed due to an internal error!";
-	case LDAP_AUTH_RUNKNOWN:
-		return "LDAP Authentication failed due to unknown user or password!";
-	case LDAP_AUTH_RLOCKED:
-		return "LDAP Authentication: known user is locked!";
-	case LDAP_AUTH_RNOTREG:
-		return "LDAP Authentication: known user has not registered yet for COSMAS II/KorAP!";
-	case LDAP_AUTH_RNOEMAIL:
-		return "LDAP Authentication: known user, but cannot obtain email!";
-	default:
-		return "LDAP Authentication failed with unknown error code!";
-		}
-	} // getErrMessage
-	
-	/**
-	 * ldapCode2StatusCode:
-	 * - converts a LDAP_AUTH_xxx Error Code to an Error Code of StatusCode.java.
-	 * @param base : Base value inside of StatusCode.java reserved for LDAP_AUTH Error Codes.
-	 * @param ldapErrCode : the LDAP_AUTH Error code
-	 * @return the StatusCode in the range reserved for LDAP_AUTH Errors.
-	 * @date 21.04.17/FB
-	 */
-	public int ldapCode2StatusCode(int base, int ldapErrCode)
-	
-	{
-	return base + ldapErrCode;	
-	} // ldapCode2StatusCode
-	
-	/*
-	 *  load properties for LDAP Handling.
-	 *  17.02.17/FB
-	 */
-	
-	static String loadProp(String sConfFile) throws IOException
-	
-	{
-		String sPwd = null;
-		FileInputStream in;
-		Properties prop;
-		
+    }
+
+    public static String getErrMessage(int code) {
+        switch (code) {
+            case LDAP_AUTH_ROK:
+                return "LDAP Authentication successful.";
+            case LDAP_AUTH_RCONNECT:
+                return "LDAP Authentication: connecting to LDAP Server failed!";
+            case LDAP_AUTH_RINTERR:
+                return "LDAP Authentication failed due to an internal error!";
+/* cannot be distinguished, currently
+            case LDAP_AUTH_RUNKNOWN:
+                return "LDAP Authentication failed due to unknown user or password!";
+            case LDAP_AUTH_RLOCKED:
+                return "LDAP Authentication: known user is locked!";
+            case LDAP_AUTH_RNOTREG:
+                return "LDAP Authentication: known user has not registered yet!";
+*/
+            case LDAP_AUTH_RNOEMAIL:
+                return "LDAP Authentication: known user, but cannot obtain email!";
+            case LDAP_AUTH_RNAUTH:
+                return "LDAP Authentication: unknown user or password, or user is locked or not authorized!";
+            default:
+                return "LDAP Authentication failed with unknown error code!";
+        }
+    }
+
+    static HashMap<String, String> typeCastConvert(Properties prop) {
+        Map<String, String> step2 = (Map<String, String>) (Map) prop;
+        return new HashMap<>(step2);
+    }
+
+    static HashMap<String, String> loadProp(String sConfFile) throws IOException {
+        FileInputStream in;
+        Properties prop;
+
         try {
             in = new FileInputStream(sConfFile);
-            }
-        catch( IOException ex )
-            {
-        	System.err.printf("Error: LDAP.loadProp: cannot load Property file '%s'!\n", sConfFile); 
+        } catch (IOException ex) {
+            System.err.printf("Error: LDAP.loadProp: cannot load Property file '%s'!\n", sConfFile);
             ex.printStackTrace();
             return null;
-            }
+        }
 
-        if( DEBUGLOG ) System.out.println("Debug: loaded: " + sConfFile);
-	    
+        if (DEBUGLOG) System.out.println("Debug: loaded: " + sConfFile);
+
         prop = new Properties();
-        Enumeration<?> e;
-        
+
         try {
             prop.load(in);
-            e = prop.propertyNames();
+            return typeCastConvert(prop);
+        } catch (IOException ex) {
+            ex.printStackTrace();
+        }
 
-            while( e.hasMoreElements() )
-                {
-                String key = (String)e.nextElement();
-                String val = prop.getProperty(key);
-                if( key.compareTo("pwd") == 0 )
-                	return val; 
-                
-                //System.out.println("Property '" + key + "' = '" + val + "'.");
+        return new HashMap<>();
+    }
+
+    public static int login(String sUserDN, String sUserPwd, String ldapConfigFilename) throws LDAPException {
+
+        sUserDN = Filter.encodeValue(sUserDN);
+        sUserPwd = Filter.encodeValue(sUserPwd);
+
+        Map<String, String> ldapConfig;
+        try {
+            ldapConfig = loadProp(ldapConfigFilename);
+        } catch (IOException e) {
+            System.out.println("Error: LDAPAuth.login: cannot load Property file!");
+            return LDAP_AUTH_RINTERR;
+        }
+
+        final Boolean ldapS = Boolean.parseBoolean(ldapConfig.getOrDefault("ldapS", "false"));
+        final String ldapHost = ldapConfig.getOrDefault("ldapHost", "localhost");
+        final int ldapPort = Integer.parseInt(ldapConfig.getOrDefault("ldapPort", (ldapS ? "636" : "389")));
+        final String ldapBase = ldapConfig.getOrDefault("ldapBase", "dc=example,dc=com");
+        final String sLoginDN = ldapConfig.getOrDefault("sLoginDN", "cn=admin,dc=example,dc=com");
+        final String ldapFilter = ldapConfig.getOrDefault("ldapFilter", "(&(|(&(mail=${username})(idsC2Password=${password}))(&(idsC2Profile=${username})(idsC2Password=${password})))(&(idsC2=TRUE)(|(idsStatus=1)(|(idsStatus=0)(xidsStatus=\00)))))");
+        final String sPwd = ldapConfig.getOrDefault("pwd", "");
+        final String trustStorePath = ldapConfig.getOrDefault("trustStore", null);
+
+        Map<String, String> valuesMap = new HashMap<>();
+        valuesMap.put("username", sUserDN);
+        valuesMap.put("password", sUserPwd);
+        StringSubstitutor sub = new StringSubstitutor(valuesMap);
+        String ldapFilterInstance = sub.replace(ldapFilter);
+
+        if (DEBUGLOG) {
+            //System.out.printf("LDAP Version      = %d.\n", LDAPConnection.LDAP_V3);
+            System.out.printf("LDAP Host & Port  = '%s':%d.\n", ldapHost, ldapPort);
+            System.out.printf("Login User = '%s'\n", sUserDN);
+        }
+
+        // LDAP Connection:
+        if (DEBUGLOG) System.out.println("LDAPS " + ldapS);
+
+        LDAPConnection lc = null;
+
+        if (ldapS) {
+            try {
+                SSLUtil sslUtil;
+                if (trustStorePath != null && !trustStorePath.isEmpty()) {
+                    sslUtil = new SSLUtil(new TrustStoreTrustManager(trustStorePath));
+                } else {
+                    sslUtil = new SSLUtil(new TrustAllTrustManager());
                 }
-             }
-          catch( IOException ex )
-             {
-             ex.printStackTrace();
-             }
+                SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();
+                lc = new LDAPConnection(socketFactory, ldapHost, ldapPort);
+            } catch (GeneralSecurityException e) {
+                System.err.printf("Error: login: Connecting to LDAPS Server: failed: '%s'!\n", e);
+                return ldapTerminate(lc, LDAP_AUTH_RCONNECT);
+            }
+        } else {
+            lc = new LDAPConnection();
+            try {
+                lc.connect(ldapHost, ldapPort);
+                if (DEBUGLOG && ldapS) System.out.println("LDAPS Connection = OK\n");
+                if (DEBUGLOG && !ldapS) System.out.println("LDAP Connection = OK\n");
+            } catch (LDAPException e) {
+                System.err.printf("Error: login: Connecting to LDAP Server: failed: '%s'!\n", e);
+                return ldapTerminate(lc, LDAP_AUTH_RCONNECT);
+            }
+        }
 
-		return sPwd;
 
-	} // loadProp
+        if (DEBUGLOG) System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
 
-	/**
-	 * ldapLogin
-	 * Arguments:
-	 * sUserDN  : either COSMAS II specific Account Name or IDS wide (IDM) account name;
-	 * sUserPwd : either COSMAS II specific Password     or IDS wide (IDM) password;
-	 * return   : 0 = OK, User Account + Pwd are OK, no restrictions;
-	 *            1 = internal error: cannot verify User+Pwd;
-	 *            2 = User Account or Pwd unknown;
-	 *            3 = User Account locked;
-	 *            4 = User known, but has not registered to KorAP/C2 Service yet;
-	 * LDAP Attributes that are checked (definition by Eric Seubert, 02.02.17):
-	 *  idsC2 = TRUE  -> Zugang zu C2 (registriert und zugelassen)
-	 *  idsC2 = FALSE (bzw Attribut nicht vorhanden) 
-	 *		            -> kein Zugang zu C2 (nicht zugelassen, egal ob registriert oder nicht)
-	 *
-	 *	idsStatus = 0 -> Nutzerkennung OK;
-	 *	idsStatus = 1 -> Nutzer ist kein aktiver IDS-Mitarbeiter
-	 *  idsStatus = 3 -> Nutzer ist LDAP-weit gesperrt
-	 */
+        try {
+            // bind to server:
+            if (DEBUGLOG) System.out.printf("Binding with '%s' ...\n", sLoginDN);
+            lc.bind(sLoginDN, sPwd);
+            if (DEBUGLOG) System.out.printf("Binding: OK.\n");
+        } catch (LDAPException e) {
+            System.err.printf("Error: login: Binding failed: '%s'!\n", e);
+            return ldapTerminate(lc, LDAP_AUTH_RINTERR);
+        }
 
-	public static int login(String sUserDN, String sUserPwd, String ldapConfig) throws LDAPException
+        if (DEBUGLOG) System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
 
-	{
-	String sUserC2DN	= sUserDN;
-	String sUserC2Pwd	= sUserPwd;
+        if (DEBUGLOG) System.out.printf("Finding user '%s'...\n", sUserDN);
 
-	/* login with e-mail - 15.09.21/FB:
-	 */
-	String ldapFilter = String.format("(|(&(mail=%s)(userPassword=%s))(&(uid=%s)(userPassword=%s))(&(idsC2Profile=%s)(idsC2Password=%s)))",
-			sUserDN, sUserPwd, sUserDN, sUserPwd, sUserC2DN, sUserC2Pwd);
-	/* without e-mail login:
-	 * String ldapFilter = String.format("(|(&(uid=%s)(userPassword=%s))(&(idsC2Profile=%s)(idsC2Password=%s)))",
-												 sUserDN, sUserPwd, sUserC2DN, sUserC2Pwd);
-	 */
-	SearchResult srchRes = null;
+        SearchResult srchRes;
+        try {
+            // SCOPE_SUB = Scope Subtree.
+            if (DEBUGLOG) System.out.printf("Finding Filter: '%s'.\n", ldapFilterInstance);
 
-	try{
-		sPwd = loadProp(ldapConfig);
-		}
-	catch( IOException e )
-		{
-		System.out.println("Error: LDAPAuth.login: cannot load Property file!");
-		return LDAP_AUTH_RINTERR;
-		}
-															
-	if( DEBUGLOG )
-		{
-		//System.out.printf("LDAP Version      = %d.\n", LDAPConnection.LDAP_V3);
-		System.out.printf("LDAP Host & Port  = '%s':%d.\n", ldapHost, ldapPort);
-		System.out.printf("Login User & Pwd  = '%s' + '%s'\n", sUserDN, sUserPwd);
-		}
+            srchRes = lc.search(ldapBase, SearchScope.SUB, ldapFilterInstance);
 
-	// LDAP Connection:
-	if( DEBUGLOG ) System.out.println("");
+            if (DEBUGLOG) System.out.printf("Finding '%s': %d entries.\n", sUserDN, srchRes.getEntryCount());
+        } catch (LDAPSearchException e) {
+            System.err.printf("Error: login: Search for User failed: '%s'!\n", e);
+            return ldapTerminate(lc, LDAP_AUTH_RNAUTH);
+        }
 
-	LDAPConnection lc = new LDAPConnection();
-	try {
-		// connect to LDAP Server:
-		lc.connect(ldapHost, ldapPort);
-		if( DEBUGLOG ) System.out.println("LDAP Connection = OK\n");
-		}
-	catch( LDAPException e) 	
-		{
-		System.err.printf("Error: login: Connecting to LDAP Server: failed: '%s'!\n", e.toString());
-		return ldapTerminate(lc, LDAP_AUTH_RCONNECT);
-		}
+        if (srchRes.getEntryCount() == 0) {
+            if (DEBUGLOG) System.out.printf("Finding '%s': no entry found!\n", sUserDN);
+            return ldapTerminate(lc, LDAP_AUTH_RNAUTH);
+        }
 
-	if( DEBUGLOG ) 
-		System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
-	
-	try {
-		// bind to server:
-		if( DEBUGLOG ) System.out.printf("Binding with '%s' + '%s'...\n", sLoginDN, sPwd);
-		lc.bind(sLoginDN, sPwd);
-		if( DEBUGLOG ) System.out.printf("Binding: OK.\n");
-		}
-	catch( LDAPException e )
-		{
-		System.err.printf("Error: login: Binding failed: '%s'!\n", e.toString());
-		return ldapTerminate(lc, LDAP_AUTH_RINTERR);
-		}
+        return ldapTerminate(lc, LDAP_AUTH_ROK); // OK.
+    }
 
-	if( DEBUGLOG ) 
-		System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
-		
-	if( DEBUGLOG ) System.out.printf("Finding user '%s'...\n", sUserDN);
-	try{
-		// SCOPE_SUB = Scope Subtree.
-		if( DEBUGLOG ) System.out.printf("Finding Filter: '%s'.\n", ldapFilter);
+    public static int ldapTerminate(LDAPConnection lc, int ret) {
+        if (DEBUGLOG) System.out.println("Terminating...");
 
-		// hier werden alle Attribute abgefragt:
-		//srchRes = lc.search(ldapBase, SearchScope.SUB, ldapFilter, null);
-		// wir fragen nur diese Attribute ab:
-		srchRes = lc.search(ldapBase, SearchScope.SUB, ldapFilter, attStatus, attC2);
+        lc.close(null);
+        if (DEBUGLOG) System.out.println("closing connection: done.\n");
+        return ret;
+    }
 
-		if( DEBUGLOG ) System.out.printf("Finding '%s': %d entries.\n", sUserDN, srchRes.getEntryCount());
-		}
-	catch( LDAPSearchException e )
-		{
-		System.err.printf("Error: login: Search for User failed: '%s'!\n", e.toString());
-		return ldapTerminate(lc, LDAP_AUTH_RUNKNOWN);
-		}
-
-	if( srchRes.getEntryCount() == 0 )
-		{
-		if( DEBUGLOG ) System.out.printf("Finding '%s': no entry found!\n", sUserDN);
-		return ldapTerminate(lc, LDAP_AUTH_RUNKNOWN);
-		}
-
-	if( DEBUGLOG ) System.out.println("Display results:");
-
-	Boolean
-		bStatus = false,
-		bC2     = false;
-	
-	// Attribute pr�fen:
-	for (SearchResultEntry e : srchRes.getSearchEntries())
-		{
-		for( Attribute attr : e.getAttributes() )
-			{
-			Integer val;
-
-			if( DEBUGLOG ) 
-				System.out.printf(" att: '%s'='%s'.\n", attr.getName(), attr.getValue());
-
-			// checking pertinent attribut/value pairs:
-			// "idsStatus": values 0=OK, 1=inaktiv=OK, 2-3 = locked account.
-			if( attr.getName().equals(attStatus) )
-				{
-				if( (val = attr.getValueAsInteger()) == null || (val != 0 && val != 1) )
-					{
-					if( DEBUGLOG ) System.out.printf("idsStatus = '%s' -> User locked!\n", attr.getValue());
-					return ldapTerminate(lc, LDAP_AUTH_RLOCKED);
-					}
-				if( DEBUGLOG ) System.out.printf(" att: '%s'='%s': OK.\n", attr.getName(), attr.getValue());
-				bStatus = true;
-				}
-
-			// "c2IDS" must be set to "TRUE" = User known, but has not yet registered to C2 Service -> KorAP Service.
-			if( attr.getName().equals(attC2) ) 
-				{
-				if( attr.getValue().equals("FALSE") )
-					{
-					if( DEBUGLOG ) 
-						System.out.printf("idsC2 = '%s'-> User known, but has not registered C2/KorAP Service yet!\n", 
-							attr.getValue());
-					return ldapTerminate(lc, LDAP_AUTH_RNOTREG);
-					}
-				if( DEBUGLOG ) 
-					System.out.printf(" att: idsC2 = '%s'-> registered User: OK.\n", attr.getValue());
-				bC2 = true;
-				}
-			}
-
-		if( DEBUGLOG ) System.out.println();
-		}
-
-	if( bStatus == true && bC2 == true )
-		{
-		return ldapTerminate(lc, LDAP_AUTH_ROK); // OK.
-		}
-	else
-		return ldapTerminate(lc, LDAP_AUTH_RNOTREG); // Attribute konnten nicht gepr�ft werden.
-	
-	} // ldapLogin
-
-	/**
-	 *                getEmail():
-	 * 
-	 * Arguments:
-	 * sUserDN  	: either COSMAS II specific Account Name or IDS wide (IDM) account name;
-	 * ldapConfig	: path+file name of LDAP configuration file.
-	 * 
-	 * Returns		: the requested Email of sUserDN.
-	 * Notices:
-	 * - no password needed. Assuming that sUserDN is already authorized and active.
-	 * 
-	 * 
-	 * 16.09.21/FB
-	 */
-
-	public static String getEmail(String sUserDN, String ldapConfig) throws LDAPException
-
-	{
-	final String func = "LdapAuth3.getEmail";
-	
-	// sUSerDN is either C2/KorAP specific account name or the IDS wide account name:
-	String ldapFilter = String.format("(|(uid=%s)(idsC2Profile=%s))", sUserDN, sUserDN);
-
-	SearchResult srchRes = null;
-
-	try{
-		sPwd = loadProp(ldapConfig);
-		}
-	catch( IOException e )
-		{
-		System.err.printf("Error: %s: cannot load Property file '%s'!", func, ldapConfig);
-		return null;
-		}
-															
-	if( DEBUGLOG )
-		{
-		//System.out.printf("LDAP Version      = %d.\n", LDAPConnection.LDAP_V3);
-		System.out.printf("%s: LDAP Host & Port  = '%s':%d.\n", func, ldapHost, ldapPort);
-		System.out.printf("%s: User Account      = '%s'\n", func, sUserDN);
-		}
-
-	// LDAP Connection:
-	if( DEBUGLOG ) System.out.println("");
-
-	LDAPConnection 
-		lc = new LDAPConnection();
-	
-	try {
-		// connect to LDAP Server:
-		lc.connect(ldapHost, ldapPort);
-		if( DEBUGLOG ) System.out.println("LDAP Connection = OK\n");
-		}
-	catch( LDAPException e) 	
-		{
-		System.err.printf("Error: %s: Connecting to LDAP Server: failed: '%s'!\n", func, e.toString());
-		ldapTerminate(lc, LDAP_AUTH_RCONNECT);
-		return null;
-		}
-
-	if( DEBUGLOG ) 
-		System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
-	
-	try {
-		// bind to server:
-		if( DEBUGLOG ) System.out.printf("Binding with '%s' + '%s'...\n", sLoginDN, sPwd);
-		lc.bind(sLoginDN, sPwd);
-		if( DEBUGLOG ) System.out.printf("Binding: OK.\n");
-		}
-	catch( LDAPException e )
-		{
-		System.err.printf("Error: %s: Binding failed: '%s'!\n", func, e.toString());
-		ldapTerminate(lc, LDAP_AUTH_RINTERR);
-		return null;
-		}
-
-	if( DEBUGLOG ) 
-		System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
-		
-	if( DEBUGLOG ) System.out.printf("Finding user '%s'...\n", sUserDN);
-	try{
-		// SCOPE_SUB = Scope Subtree.
-		if( DEBUGLOG ) System.out.printf("Finding Filter: '%s'.\n", ldapFilter);
-
-		// requested attribute is attEmail:
-		srchRes = lc.search(ldapBase, SearchScope.SUB, ldapFilter, attEmail);
-
-		if( DEBUGLOG ) System.out.printf("Finding '%s': %d entries.\n", sUserDN, srchRes.getEntryCount());
-		}
-	catch( LDAPSearchException e )
-		{
-		System.err.printf("Error: %s: Search for User '%s' failed: '%s'!\n", func, sUserDN, e.toString());
-		ldapTerminate(lc, LDAP_AUTH_RUNKNOWN);
-		return null;
-		}
-
-	if( srchRes.getEntryCount() == 0 )
-		{
-		if( DEBUGLOG ) System.out.printf("Error: %s: account '%s': 0 entries found!\n", func, sUserDN);
-		ldapTerminate(lc, LDAP_AUTH_RUNKNOWN);
-		return null;
-		}
-
-	if( DEBUGLOG ) System.out.printf("Debug: %s: Extract email from results.\n", func);
-
-	// Now get email from result.
-	// expected: 1 result with 1 attribute value:
-	
-	SearchResultEntry 
-		e;
-	Attribute
-		attr;
-	String
-		email;
-	
-	if( (e = srchRes.getSearchEntries().get(0)) != null &&
-		(attr = e.getAttribute(attEmail)) != null && 
-		(email = attr.getValue()) != null )
-		{
-		// return email:
-		if( DEBUGLOG ) 
-			System.out.printf("Debug: %s: account '%s' has email = '%s'.\n", func, sUserDN, email);
-		ldapTerminate(lc, LDAP_AUTH_ROK); // OK.
-		return email;
-		}
-	
-	// cannot obtain email from result:
-	System.err.printf("Error: %s: account '%s': no attribute '%s' for email found!\n", func, sUserDN, attEmail);
-	
-	ldapTerminate(lc, LDAP_AUTH_RNOEMAIL); // no email found.
-	return null;
-	} // getEmail
-
-/**
- * ldapTerminate
- */
- 
-public static int ldapTerminate(LDAPConnection lc, int ret)
-
-	{
-	if( DEBUGLOG ) System.out.println("Terminating...");
-	/*
-	try{
-		lc.finalize();
-		if( DEBUGLOG ) System.out.println("Debug: finalize: OK.");
-		}
-	catch( LDAPException e )
-		{
-		System.out.printf("finalize failed: '%s'!\n", e.toString());
-		}
-	*/
-
-	lc.close(null);
-	if( DEBUGLOG ) System.out.println("closing connection: done.\n");
-	return ret;
-	} // ldapTerminate
+    @Override
+    public TokenType getTokenType() {
+        return TokenType.API;
+    }
 
 }
-
diff --git a/full/src/test/java/de/ids_mannheim/korap/authentication/LdapAuth3Test.java b/full/src/test/java/de/ids_mannheim/korap/authentication/LdapAuth3Test.java
new file mode 100644
index 0000000..dc9e3ae
--- /dev/null
+++ b/full/src/test/java/de/ids_mannheim/korap/authentication/LdapAuth3Test.java
@@ -0,0 +1,135 @@
+package de.ids_mannheim.korap.authentication;
+
+import com.unboundid.ldap.listener.InMemoryDirectoryServer;
+import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
+import com.unboundid.ldap.listener.InMemoryListenerConfig;
+import com.unboundid.ldap.sdk.LDAPException;
+import com.unboundid.util.Base64;
+import com.unboundid.util.StaticUtils;
+import com.unboundid.util.ssl.KeyStoreKeyManager;
+import com.unboundid.util.ssl.SSLUtil;
+import com.unboundid.util.ssl.TrustAllTrustManager;
+import com.unboundid.util.ssl.TrustStoreTrustManager;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.security.GeneralSecurityException;
+
+import static de.ids_mannheim.korap.authentication.LdapAuth3.LDAP_AUTH_ROK;
+import static de.ids_mannheim.korap.authentication.LdapAuth3.LDAP_AUTH_RNAUTH;
+import static org.junit.Assert.assertEquals;
+
+public class LdapAuth3Test {
+    public static final String TEST_LDAP_PROPERTIES = "src/test/resources/test-ldap.properties";
+    public static final String TEST_LDAPS_PROPERTIES = "src/test/resources/test-ldaps.properties";
+    public static final String TEST_LDAPS_TS_PROPERTIES = "src/test/resources/test-ldaps-with-truststore.properties";
+    public static final String TEST_LDAP_USERS_LDIF = "src/test/resources/test-ldap-users.ldif";
+    private static final String keyStorePath = "src/test/resources/keystore.p12";
+    static InMemoryDirectoryServer server;
+
+    @BeforeClass
+    public static void startDirectoryServer() throws LDAPException, GeneralSecurityException {
+        InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=example,dc=com");
+        config.addAdditionalBindCredentials("cn=admin,dc=example,dc=com", "adminpassword");
+        config.setSchema(null);
+
+        final SSLUtil serverSSLUtil = new SSLUtil(new KeyStoreKeyManager(keyStorePath, "password".toCharArray(), "PKCS12", "server-cert"), new TrustStoreTrustManager(keyStorePath));
+
+        final SSLUtil clientSslUtil = new SSLUtil(new TrustAllTrustManager());
+
+        config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("LDAP", // Listener name
+                        null, // Listen address. (null = listen on all interfaces)
+                        3268, // Listen port (0 = automatically choose an available port)
+                        clientSslUtil.createSSLSocketFactory()), // StartTLS factory
+                InMemoryListenerConfig.createLDAPSConfig("LDAPS", // Listener name
+                        null, // Listen address. (null = listen on all interfaces)
+                        3269, // Listen port (0 = automatically choose an available port)
+                        serverSSLUtil.createSSLServerSocketFactory(), clientSslUtil.createSSLSocketFactory()));
+        server = new InMemoryDirectoryServer(config);
+
+        String configPath = TEST_LDAP_USERS_LDIF;
+        server.importFromLDIF(true, configPath);
+        server.startListening();
+    }
+
+    @AfterClass
+    public static void ShutDownDirectoryServer() {
+        server.shutDown(true);
+    }
+
+    @Test
+    public void testLoginWithUsername() throws LDAPException {
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", "topsecret", TEST_LDAP_PROPERTIES));
+    }
+
+    @Test
+    public void testLoginWithUid() throws LDAPException {
+        final byte[] passwordBytes = StaticUtils.getBytes("password");
+        String pw = Base64.encode(passwordBytes);
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", pw, TEST_LDAP_PROPERTIES));
+    }
+
+    @Test
+    public void testLoginWithEmail() throws LDAPException {
+        final byte[] passwordBytes = StaticUtils.getBytes("password");
+        String pw = Base64.encode(passwordBytes);
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser@example.com", pw, TEST_LDAP_PROPERTIES));
+    }
+
+    @Test
+    public void testFailingLoginWithWrongEmail() throws LDAPException {
+        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("notestuser@example.com", "topsecret", TEST_LDAP_PROPERTIES));
+    }
+
+    @Test
+    public void testFailingLoginWithEmailAndWrongPassword() throws LDAPException {
+        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("testuser@example.com", "wrongpw", TEST_LDAP_PROPERTIES));
+    }
+
+    @Test
+    public void testFailingLoginWithUsernameAndWrongPassword() throws LDAPException {
+        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("testuser", "wrongpw", TEST_LDAP_PROPERTIES));
+    }
+
+    @Test
+    public void testFailingLoginWithoutC2Attr() throws LDAPException {
+        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("doe", "topsecret", TEST_LDAP_PROPERTIES));
+    }
+
+    @Test
+    public void testFailingLoginWithoutBadStatus() throws LDAPException {
+        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("berserker", "topsecret", TEST_LDAP_PROPERTIES));
+    }
+
+    @Test
+    public void testSecureLoginWithUsername() throws LDAPException {
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", "topsecret", TEST_LDAPS_PROPERTIES));
+    }
+
+    @Test
+    public void testSecureLoginWithTrustStoreAndUsername() throws LDAPException {
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", "topsecret", TEST_LDAPS_TS_PROPERTIES));
+    }
+
+    @Test
+    public void testFailingSecureLoginWithTrustStoreAndUsernameAndWrongPW() throws LDAPException {
+        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("testuser", "topsecrets", TEST_LDAPS_TS_PROPERTIES));
+    }
+
+    @Test
+    public void testPasswordWithAsterisk() throws LDAPException {
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("test", "top*ecret", TEST_LDAPS_PROPERTIES));
+    }
+
+    @Test
+    public void testFailingEscapedPW() throws LDAPException {
+        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("testuser", "top*", TEST_LDAPS_TS_PROPERTIES));
+    }
+
+    @Test
+    public void testFailingIllegalPW() throws LDAPException {
+        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("testuser", "*", TEST_LDAPS_TS_PROPERTIES));
+    }
+
+}
diff --git a/full/src/test/resources/keystore.p12 b/full/src/test/resources/keystore.p12
new file mode 100644
index 0000000..a1d7980
--- /dev/null
+++ b/full/src/test/resources/keystore.p12
Binary files differ
diff --git a/full/src/test/resources/test-ldap-users.ldif b/full/src/test/resources/test-ldap-users.ldif
new file mode 100644
index 0000000..a965181
--- /dev/null
+++ b/full/src/test/resources/test-ldap-users.ldif
@@ -0,0 +1,66 @@
+dn: dc=example,dc=com
+dc: example
+ou: people
+objectClass: dcObject
+objectClass: organizationalUnit
+
+dn: ou=people,dc=example,dc=com
+ou: people
+objectClass: organizationalUnit
+
+dn: uid=testuser,ou=people,dc=example,dc=com
+cn: Peter Testuser
+sn: Testuser
+givenName: Peter
+mail: testuser@example.com
+userPassword: cGFzc3dvcmQ=
+displayName: Dr. Peter Testuser
+idsC2: TRUE
+idsC2Profile: testuser
+idsC2Password: topsecret
+idsC2News: TRUE
+title: Herr
+uid: testuser
+
+dn: uid=test,ou=people,dc=example,dc=com
+cn: Peter Test
+sn: Test
+givenName: Peter
+mail: test@example.com
+userPassword: top*ecret
+displayName: Dr. Peter Test
+idsC2: TRUE
+idsStatus: 1
+idsC2Profile: test
+idsC2Password: top*ecret
+uid: test
+
+dn: uid=doe,ou=people,dc=example,dc=com
+cn: John Doe
+sn: doe
+givenName: John
+mail: doe@example.com
+userPassword: cGFzc3dvcmQ=
+displayName: Dr. John Doe
+idsStatus: 0
+idsC2: FALSE
+idsC2Profile: doe
+idsC2Password: topsecret
+idsC2News: TRUE
+title: Herr
+uid: doe
+
+dn: uid=berserker,ou=people,dc=example,dc=com
+cn: Bernd Berserker
+sn: berserker
+givenName: Joe
+mail: berserker@example.com
+userPassword: cGFzc3dvcmQ=
+displayName: berserk
+idsStatus: 2
+idsC2: TRUE
+idsC2Profile: doe
+idsC2Password: topsecret
+idsC2News: TRUE
+title: Herr
+uid: berserk
diff --git a/full/src/test/resources/test-ldap.properties b/full/src/test/resources/test-ldap.properties
new file mode 100644
index 0000000..aa27f14
--- /dev/null
+++ b/full/src/test/resources/test-ldap.properties
@@ -0,0 +1,6 @@
+ldapHost=localhost
+ldapPort=3268
+ldapBase=dc=example,dc=com
+sLoginDN=cn=admin,dc=example,dc=com
+pwd=adminpassword
+ldapFilter=(&(|(&(|(uid=${username})(mail=${username}))(userPassword=${password}))(&(idsC2Profile=${username})(idsC2Password=${password})))(&(idsC2=TRUE)(|(idsStatus=1)(|(idsStatus=0)(!(idsStatus=*))))))
diff --git a/full/src/test/resources/test-ldaps-with-truststore.properties b/full/src/test/resources/test-ldaps-with-truststore.properties
new file mode 100644
index 0000000..d785301
--- /dev/null
+++ b/full/src/test/resources/test-ldaps-with-truststore.properties
@@ -0,0 +1,8 @@
+ldapHost=localhost
+ldapPort=3269
+ldapS=true
+trustStore=src/test/resources/truststore.jks
+ldapBase=dc=example,dc=com
+sLoginDN=cn=admin,dc=example,dc=com
+pwd=adminpassword
+ldapFilter=(&(|(&(|(uid=${username})(mail=${username}))(userPassword=${password}))(&(idsC2Profile=${username})(idsC2Password=${password})))(&(idsC2=TRUE)(|(idsStatus=1)(|(idsStatus=0)(!(idsStatus=*))))))
diff --git a/full/src/test/resources/test-ldaps.properties b/full/src/test/resources/test-ldaps.properties
new file mode 100644
index 0000000..732076f
--- /dev/null
+++ b/full/src/test/resources/test-ldaps.properties
@@ -0,0 +1,8 @@
+ldapHost=localhost
+ldapPort=3269
+ldapS=true
+trustStore=
+ldapBase=dc=example,dc=com
+sLoginDN=cn=admin,dc=example,dc=com
+pwd=adminpassword
+ldapFilter=(&(|(&(|(uid=${username})(mail=${username}))(userPassword=${password}))(&(idsC2Profile=${username})(idsC2Password=${password})))(&(idsC2=TRUE)(|(idsStatus=1)(|(idsStatus=0)(!(idsStatus=*))))))
diff --git a/full/src/test/resources/truststore.jks b/full/src/test/resources/truststore.jks
new file mode 100644
index 0000000..50804be
--- /dev/null
+++ b/full/src/test/resources/truststore.jks
Binary files differ