Re-introduce additional filters for authorisation and user status

authFilter, userNotBlockedFilter

Change-Id: I04fed94a5b1e9de7f00c8d5dd3351e3c6a24b075
diff --git a/README.md b/README.md
index 5882947..3f37e2e 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,8 @@
 
 If `searchFilter` does not contain any occurrence of `${password}` the user DN found via the filter expression will be authenticated via a regular LDAP bind operation, using the entered password. In this case, depending on the LDAP server, also hashed passwords are supported.
 
+Optionally, the two filters `authFilter` and `userNotBlockedFilter` can be specified, in addition. The first should be used to check whether a known user has also signed the necessary EULA, for example, and the second to check that the known user is not blocked. This will be reflected in the error messages for failed logins.
+
 ###### Example ldap.conf
 
 ```properties
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/LDAPConfig.java b/full/src/main/java/de/ids_mannheim/korap/authentication/LDAPConfig.java
index 7608761..92ae6d6 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/LDAPConfig.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/LDAPConfig.java
@@ -19,6 +19,8 @@
     public final boolean useEmbeddedServer;
     public final String emailAttribute;
     public final String ldif;
+    public final String authFilter;
+    public final String userNotBlockedFilter;
 
     public LDAPConfig(String ldapConfigFilename) throws LdapConfigurationException {
         Map<String, String> ldapConfig = null;
@@ -34,14 +36,14 @@
         searchBase = getConfigOrThrow(ldapConfig, "searchBase");
         sLoginDN = getConfigOrThrow(ldapConfig, "sLoginDN");
         searchFilter = getConfigOrThrow(ldapConfig, "searchFilter");
+        authFilter = ldapConfig.getOrDefault("authFilter", null);
+        userNotBlockedFilter = ldapConfig.getOrDefault("userNotBlockedFilter", null);
         sPwd = ldapConfig.getOrDefault("pwd", "");
         trustStorePath = ldapConfig.getOrDefault("trustStore", "");
         additionalCipherSuites = ldapConfig.getOrDefault("additionalCipherSuites", "");
         useEmbeddedServer = Boolean.parseBoolean(ldapConfig.getOrDefault("useEmbeddedServer", "false"));
         emailAttribute = ldapConfig.getOrDefault("emailAttribute", "mail");
         ldif = ldapConfig.getOrDefault("ldifFile", null);
-
-
     }
 
     static HashMap<String, String> typeCastConvert(Properties prop) {
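Review bot: `authFilter` and `userNotBlockedFilter` are stored exactly as read from the file, with no syntax check at load time. In LdapAuth3 they are concatenated into a `(&…)` search filter, so a typo such as a missing parenthesis only shows up at login time as a failed search. I would parse each non-empty value once in the constructor, e.g. with `Filter.create(authFilter)`, and raise the configuration exception there so a broken filter stops startup instead of rejecting every user. The constructor begins outside this hunk.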
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java b/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
index 9975fcc..603ec38 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
@@ -6,6 +6,7 @@
 
 import com.nimbusds.jose.JOSEException;
 import com.unboundid.ldap.sdk.*;
+import com.unboundid.util.NotNull;
 import com.unboundid.util.ssl.SSLUtil;
 import com.unboundid.util.ssl.TrustAllTrustManager;
 import com.unboundid.util.ssl.TrustStoreTrustManager;
@@ -31,11 +32,9 @@
     public static final int LDAP_AUTH_ROK = 0;
     public static final int LDAP_AUTH_RCONNECT = 1; // cannot connect to LDAP Server
     public static final int LDAP_AUTH_RINTERR = 2; // internal error: cannot verify User+Pwd.
-    /* cannot be distinguished, currently
     public static final int LDAP_AUTH_RUNKNOWN = 3; // User Account or Pwd unknown;
     public static final int LDAP_AUTH_RLOCKED = 4; // User Account locked;
     public static final int LDAP_AUTH_RNOTREG = 5; // User known, but has not registered to KorAP/C2 Service yet;
-     */
     public static final int LDAP_AUTH_RNOEMAIL = 6; // cannot obtain email for sUserDN
     public static final int LDAP_AUTH_RNAUTH = 7; // User Account or Pwd unknown, or not authorized
     final static Boolean DEBUGLOG = false;        // log debug output.
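Review bot: The comment on `LDAP_AUTH_RNAUTH` still reads "User Account or Pwd unknown, or not authorized", which now overlaps with the re-enabled `LDAP_AUTH_RUNKNOWN`, `LDAP_AUTH_RLOCKED` and `LDAP_AUTH_RNOTREG`. In the hunks visible here login() no longer returns RNAUTH for those cases, so callers that compare against it (not visible in this diff) would see 3, 4 or 5 instead. I would document on the constants which code is returned when, for instance `// RLOCKED and RNOTREG are only returned after the credentials check has passed`, which is what the ordering in search() suggests, and say whether RNAUTH is still produced anywhere.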
@@ -52,14 +51,12 @@
                 return "LDAP Authentication: connecting to LDAP Server failed!";
             case LDAP_AUTH_RINTERR:
                 return "LDAP Authentication failed due to an internal error!";
-/* cannot be distinguished, currently
             case LDAP_AUTH_RUNKNOWN:
                 return "LDAP Authentication failed due to unknown user or password!";
             case LDAP_AUTH_RLOCKED:
                 return "LDAP Authentication: known user is locked!";
             case LDAP_AUTH_RNOTREG:
-                return "LDAP Authentication: known user has not registered yet!";
-*/
+                return "LDAP Authentication: known user, but not registered for this service!";
             case LDAP_AUTH_RNOEMAIL:
                 return "LDAP Authentication: known user, but cannot obtain email!";
             case LDAP_AUTH_RNAUTH:
@@ -83,16 +80,19 @@
             }
         }
 
-        SearchResult srchRes = search(login, password, ldapConfig, !ldapConfig.searchFilter.contains("${password}"));
+        LdapAuth3Result ldapAuth3Result = search(login, password, ldapConfig, !ldapConfig.searchFilter.contains("${password}"), true);
+        SearchResult srchRes = ldapAuth3Result.getSearchResultValue();
 
-        if (srchRes == null || srchRes.getEntryCount() == 0) {
+        if (ldapAuth3Result.getErrorCode() != 0 || srchRes == null || srchRes.getEntryCount() == 0) {
             if (DEBUGLOG) System.out.printf("Finding '%s': no entry found!\n", login);
-            return LDAP_AUTH_RNAUTH;
+            return ldapAuth3Result.getErrorCode();
         }
 
         return LDAP_AUTH_ROK;
     }
-    public static SearchResult search(String login, String password, LDAPConfig ldapConfig, boolean bindWithFoundDN) throws LDAPException {
+
+    @NotNull
+    public static LdapAuth3Result search(String login, String password, LDAPConfig ldapConfig, boolean bindWithFoundDN, boolean applyExtraFilters) {
         Map<String, String> valuesMap = new HashMap<>();
         valuesMap.put("login", login);
         valuesMap.put("password", password);
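Review bot: The guard in login() can return success from its own failure branch: when `getErrorCode()` is 0 but `srchRes` is null or empty, `return ldapAuth3Result.getErrorCode();` returns `LDAP_AUTH_ROK`. The search() shown in this diff never pairs ROK with an empty result, so the case is latent, but an authentication decision should not rest on that invariant holding in another method. I would map it to a failure, `int rc = ldapAuth3Result.getErrorCode(); return rc != LDAP_AUTH_ROK ? rc : LDAP_AUTH_RNAUTH;`, and compare against `LDAP_AUTH_ROK` rather than the literal `0`. Both login() and search() extend beyond this hunk.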
@@ -108,11 +108,9 @@
             //System.out.printf("LDAP Version      = %d.\n", LDAPConnection.LDAP_V3);
             System.out.printf("LDAP Host & Port  = '%s':%d.\n", ldapConfig.host, ldapConfig.port);
             System.out.printf("Login User = '%s'\n", login);
+            System.out.println("LDAPS " + ldapConfig.useSSL);
         }
 
-        // LDAP Connection:
-        if (DEBUGLOG) System.out.println("LDAPS " + ldapConfig.useSSL);
-
         LDAPConnection lc;
 
         if (ldapConfig.useSSL) {
@@ -131,7 +129,7 @@
             } catch (GeneralSecurityException e) {
                 System.err.printf("Error: login: Connecting to LDAPS Server: failed: '%s'!\n", e);
                 ldapTerminate(null);
-                return null;
+                return new LdapAuth3Result(null, LDAP_AUTH_RCONNECT);
             }
         } else {
             lc = new LDAPConnection();
@@ -144,10 +142,8 @@
             String fullStackTrace = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
             System.err.printf("Error: login: Connecting to LDAP Server: failed: '%s'!\n", fullStackTrace);
             ldapTerminate(lc);
-            return null;
+            return new LdapAuth3Result(null, LDAP_AUTH_RCONNECT);
         }
-
-
         if (DEBUGLOG) System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
 
         try {
@@ -158,31 +154,28 @@
         } catch (LDAPException e) {
             System.err.printf("Error: login: Binding failed: '%s'!\n", e);
             ldapTerminate(lc);
-            return null;
+            return new LdapAuth3Result(null, LDAP_AUTH_RINTERR);
         }
 
         if (DEBUGLOG) System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
 
         if (DEBUGLOG) System.out.printf("Finding user '%s'...\n", login);
 
-        SearchResult srchRes;
+        SearchResult srchRes = null;
         try {
-            // SCOPE_SUB = Scope Subtree.
-            if (DEBUGLOG) System.out.printf("Finding Filter: '%s'.\n", insensitiveSearchFilter);
+            if (DEBUGLOG) System.out.printf("Searching with searchFilter: '%s'.\n", insensitiveSearchFilter);
 
             srchRes = lc.search(ldapConfig.searchBase, SearchScope.SUB, searchFilterInstance);
 
-            if (DEBUGLOG) System.out.printf("Finding '%s': %d entries.\n", login, srchRes.getEntryCount());
+            if (DEBUGLOG) System.out.printf("Found '%s': %d entries.\n", login, srchRes.getEntryCount());
         } catch (LDAPSearchException e) {
             System.err.printf("Error: Search for User failed: '%s'!\n", e);
-            ldapTerminate(lc);
-            return null;
         }
 
         if (srchRes == null || srchRes.getEntryCount() == 0) {
             if (DEBUGLOG) System.out.printf("Finding '%s': no entry found!\n", login);
             ldapTerminate(lc);
-            return null;
+            return new LdapAuth3Result(null, LDAP_AUTH_RUNKNOWN);
         }
 
         if (bindWithFoundDN) {
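Review bot: The `catch (LDAPSearchException e)` block no longer returns, so a failed search falls through to the `srchRes == null` check and is reported as `LDAP_AUTH_RUNKNOWN`. A server-side error, an exceeded size or time limit, or a malformed filter would then look like a wrong login, both to the user and to anyone reading the return codes later. I would keep the early exit with the internal-error code: `ldapTerminate(lc); return new LdapAuth3Result(null, LDAP_AUTH_RINTERR);`. search() starts and ends outside this hunk.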
@@ -191,16 +184,52 @@
             try {
                 // bind to server:
                 if (DEBUGLOG) System.out.printf("Binding with '%s' ...\n", matchedDN);
-                lc.bind(matchedDN, password);
+                BindResult bindResult = lc.bind(matchedDN, password);
                 if (DEBUGLOG) System.out.print("Binding: OK.\n");
+                if (!bindResult.getResultCode().equals(ResultCode.SUCCESS)) {
+                    ldapTerminate(lc);
+                    return new LdapAuth3Result(null, LDAP_AUTH_RUNKNOWN);
+                }
             } catch (LDAPException e) {
                 System.err.printf("Error: login: Binding failed: '%s'!\n", e);
                 ldapTerminate(lc);
-                return null;
+                return new LdapAuth3Result(null, LDAP_AUTH_RUNKNOWN);
+            }
+        }
+
+        if (applyExtraFilters) {
+            if (ldapConfig.authFilter != null && !ldapConfig.authFilter.isEmpty()) {
+                srchRes = applyAdditionalFilter(login, ldapConfig, ldapConfig.authFilter, searchFilterInstance, lc);
+                if (srchRes == null || srchRes.getEntryCount() == 0) {
+                    ldapTerminate(lc);
+                    return new LdapAuth3Result(null, LDAP_AUTH_RNOTREG);
+                }
+            }
+
+            if (ldapConfig.userNotBlockedFilter != null && !ldapConfig.userNotBlockedFilter.isEmpty()) {
+                srchRes = applyAdditionalFilter(login, ldapConfig, ldapConfig.userNotBlockedFilter, searchFilterInstance, lc);
+                if (srchRes == null || srchRes.getEntryCount() == 0) {
+                    ldapTerminate(lc);
+                    return new LdapAuth3Result(null, LDAP_AUTH_RLOCKED);
+                }
             }
         }
 
         ldapTerminate(lc);
+        return new LdapAuth3Result(srchRes, LDAP_AUTH_ROK);
+    }
+
+    private static SearchResult applyAdditionalFilter(String login, LDAPConfig ldapConfig, String searchFilterInstance, String extraFilter, LDAPConnection lc) {
+        SearchResult srchRes;
+        srchRes = null;
+        try {
+            String combindedFilterInstance = "(&" + searchFilterInstance + extraFilter + ")";
+            if (DEBUGLOG) System.out.printf("Searching with additional Filter: '%s'.\n", extraFilter);
+            srchRes = lc.search(ldapConfig.searchBase, SearchScope.SUB, combindedFilterInstance);
+            if (DEBUGLOG) System.out.printf("Found '%s': %d entries.\n", login, srchRes.getEntryCount());
+        } catch (LDAPSearchException e) {
+            System.err.printf("Error: Search for User failed: '%s'!\n", e);
+        }
         return srchRes;
     }
 
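Review bot: Both calls to applyAdditionalFilter in search() (which starts outside this hunk) pass their arguments in the wrong order: the call sites give `ldapConfig.authFilter, searchFilterInstance`, while the signature is `(…, String searchFilterInstance, String extraFilter, …)`. The combined `(&…)` filter comes out equivalent, but the debug line `Searching with additional Filter` then prints the instantiated search filter, which carries the substituted password when `searchFilter` uses `${password}`; the earlier debug line prints `insensitiveSearchFilter`, presumably to avoid exactly that. The calls should read `applyAdditionalFilter(login, ldapConfig, searchFilterInstance, ldapConfig.authFilter, lc)` and likewise for `userNotBlockedFilter`. Separately, an `LDAPSearchException` inside the helper is swallowed and surfaces as `LDAP_AUTH_RNOTREG` or `LDAP_AUTH_RLOCKED`, where `LDAP_AUTH_RINTERR` would keep a broken filter or server error from being reported as a user status. When `bindWithFoundDN` is true these searches also run on the connection already re-bound as the user, so the outcome depends on that user being allowed to read the filtered attributes.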
@@ -209,7 +238,7 @@
         LDAPConfig ldapConfig = new LDAPConfig(ldapConfigFilename);
         final String emailAttribute = ldapConfig.emailAttribute;
 
-        SearchResult searchResult = search(sUserDN, sUserPwd, ldapConfig, false);
+        SearchResult searchResult = search(sUserDN, sUserPwd, ldapConfig, false, false).getSearchResultValue();
 
         if (searchResult == null) {
             return null;
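Review bot: The call `search(sUserDN, sUserPwd, ldapConfig, false, false)` needs a comment, because the two bare booleans hide that the e-mail lookup skips both the bind and the `authFilter`/`userNotBlockedFilter` checks. Something like `// lookup only: no bind, no authFilter/userNotBlockedFilter; a non-null result says nothing about authorisation` would do. The error code is discarded here, so a connection failure and an unknown user both end in `return null`; if callers need to tell them apart, keep the `LdapAuth3Result` instead of unwrapping it immediately. The enclosing method starts and ends outside the hunk.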
@@ -246,4 +275,26 @@
         return TokenType.API;
     }
 
+    public static class LdapAuth3Result {
+        final int errorCode;
+        final Object value;
+
+
+        public LdapAuth3Result(Object value, int errorCode) {
+            this.errorCode = errorCode;
+            this.value = value;
+        }
+
+        public int getErrorCode() {
+            return errorCode;
+        }
+
+        public Object getValue() {
+            return value;
+        }
+
+        public SearchResult getSearchResultValue() {
+            return (SearchResult) value;
+        }
+    }
 }
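Review bot: `LdapAuth3Result.value` is declared as `Object` and `getSearchResultValue()` casts it, although every construction in this diff passes a `SearchResult` or `null`. Declaring the fields as `private final SearchResult value;` and `private final int errorCode;` removes the cast and the possibility of a `ClassCastException` on the login path. The class also lacks a Javadoc line stating that `errorCode` is one of the `LDAP_AUTH_*` constants and that `value` is null for every failure result built in search().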
diff --git a/full/src/test/java/de/ids_mannheim/korap/authentication/LdapAuth3Test.java b/full/src/test/java/de/ids_mannheim/korap/authentication/LdapAuth3Test.java
index 48d5c88..c926579 100644
--- a/full/src/test/java/de/ids_mannheim/korap/authentication/LdapAuth3Test.java
+++ b/full/src/test/java/de/ids_mannheim/korap/authentication/LdapAuth3Test.java
@@ -16,8 +16,7 @@
 
 import java.security.GeneralSecurityException;
 
-import static de.ids_mannheim.korap.authentication.LdapAuth3.LDAP_AUTH_RNAUTH;
-import static de.ids_mannheim.korap.authentication.LdapAuth3.LDAP_AUTH_ROK;
+import static de.ids_mannheim.korap.authentication.LdapAuth3.*;
 import static org.junit.Assert.assertEquals;
 
 public class LdapAuth3Test {
@@ -59,26 +58,31 @@
     }
 
     @Test
-    public void testLoginWithUsername() throws LDAPException {
-        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", "topsecret", TEST_LDAP_CONF));
+    public void loginWithExtraProfileNameWorks() throws LDAPException {
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser123", "password", TEST_LDAP_CONF));
     }
 
     @Test
-    public void testLoginWithUid() throws LDAPException {
+    public void loginWithUidWorks() throws LDAPException {
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", "password", TEST_LDAP_CONF));
+    }
+
+    @Test
+    public void loginWithUidAndBase64PasswordWorks() throws LDAPException {
         final byte[] passwordBytes = StaticUtils.getBytes("password");
         String pw = Base64.encode(passwordBytes);
         assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", pw, TEST_LDAP_CONF));
     }
 
     @Test
-    public void testLoginWithEmail() throws LDAPException {
+    public void loginWithEmailWorks() throws LDAPException {
         final byte[] passwordBytes = StaticUtils.getBytes("password");
         String pw = Base64.encode(passwordBytes);
         assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser@example.com", pw, TEST_LDAP_CONF));
     }
 
     @Test
-    public void testAllLoginPwCombinations() throws LDAPException {
+    public void allLoginPasswordCombinationsWork() throws LDAPException {
         assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("uid", "userPassword", TEST_LDAP_CONF));
         assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("uid", "extraPassword", TEST_LDAP_CONF));
         assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("mail@example.org", "userPassword", TEST_LDAP_CONF));
@@ -88,68 +92,80 @@
     }
 
     @Test
-    public void testFailingLoginWithWrongEmail() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("notestuser@example.com", "topsecret", TEST_LDAP_CONF));
+    public void loginWithWrongEmailFails() throws LDAPException {
+        assertEquals(LDAP_AUTH_RUNKNOWN, LdapAuth3.login("notestuser@example.com", "topsecret", TEST_LDAP_CONF));
     }
 
     @Test
-    public void testFailingLoginWithEmailAndWrongPassword() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("testuser@example.com", "wrongpw", TEST_LDAP_CONF));
+    public void loginWithEmailAndWrongPasswordFails() throws LDAPException {
+        assertEquals(LDAP_AUTH_RUNKNOWN, LdapAuth3.login("testuser@example.com", "wrongpw", TEST_LDAP_CONF));
     }
 
     @Test
-    public void testFailingLoginWithUsernameAndWrongPassword() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("testuser", "wrongpw", TEST_LDAP_CONF));
+    public void loginWithUsernameAndWrongPasswordFails() throws LDAPException {
+        assertEquals(LDAP_AUTH_RUNKNOWN, LdapAuth3.login("testuser", "wrongpw", TEST_LDAP_CONF));
     }
 
     @Test
-    public void testFailingLoginWithoutC2Attr() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("doe", "topsecret", TEST_LDAP_CONF));
+    public void loginOfNotRegisteredUserFails() throws LDAPException {
+        assertEquals(LDAP_AUTH_RNOTREG, LdapAuth3.login("not_registered_user", "topsecret", TEST_LDAP_CONF));
     }
 
     @Test
-    public void testFailingLoginWithoutBadStatus() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("berserker", "topsecret", TEST_LDAP_CONF));
+    public void blockedUserIsRefused() throws LDAPException {
+        assertEquals(LDAP_AUTH_RLOCKED, LdapAuth3.login("nameOfBlockedUser", "topsecret", TEST_LDAP_CONF));
     }
 
     @Test
-    public void testSecureLoginWithUsername() throws LDAPException {
-        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", "topsecret", TEST_LDAPS_CONF));
+    public void loginWithUsernameOverSSLWorks() throws LDAPException {
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", "password", TEST_LDAPS_CONF));
     }
 
     @Test
-    public void testSecureLoginWithTrustStoreAndUsername() throws LDAPException {
-        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", "topsecret", TEST_LDAPS_TS_CONF));
+    public void loginOnTrustedServerWorks() throws LDAPException {
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", "password", TEST_LDAPS_TS_CONF));
     }
 
     @Test
-    public void testFailingSecureLoginWithTrustStoreAndUsernameAndWrongPW() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("testuser", "topsecrets", TEST_LDAPS_TS_CONF));
+    public void loginOnTrustedServerWithWrongPassswordFails() throws LDAPException {
+        assertEquals(LDAP_AUTH_RUNKNOWN, LdapAuth3.login("testuser", "topsecrets", TEST_LDAPS_TS_CONF));
     }
 
     @Test
-    public void testPasswordWithAsterisk() throws LDAPException {
+    public void passwordWithAsteriskWorks() throws LDAPException {
         assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("test", "top*ecret", TEST_LDAPS_CONF));
     }
 
     @Test
-    public void testFailingEscapedPW() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("testuser", "top*", TEST_LDAPS_TS_CONF));
+    public void passwordWithGlobOperatorFails() throws LDAPException {
+        assertEquals(LDAP_AUTH_RUNKNOWN, LdapAuth3.login("testuser", "passw*", TEST_LDAPS_TS_CONF));
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", "password", TEST_LDAPS_TS_CONF));
     }
 
     @Test
-    public void testFailingIllegalPW() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("testuser", "*", TEST_LDAPS_TS_CONF));
+    public void passwordWithExistenceOperatorFails() throws LDAPException {
+        assertEquals(LDAP_AUTH_RUNKNOWN, LdapAuth3.login("testuser", "*", TEST_LDAPS_TS_CONF));
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("testuser", "password", TEST_LDAPS_TS_CONF));
     }
 
     @Test
-    public void testGettingMailForUid() throws LDAPException {
+    public void gettingMailAttributeForUid() throws LDAPException {
         assertEquals("testuser@example.com", LdapAuth3.getEmail("testuser", TEST_LDAP_CONF));
         assertEquals("peter@example.org", LdapAuth3.getEmail("testuser2", TEST_LDAPS_CONF));
         assertEquals(null, LdapAuth3.getEmail("non-exsting", TEST_LDAPS_CONF));
     }
 
     @Test
+    public void gettingMailAttributeForNotRegisteredUserWorks() throws LDAPException {
+        assertEquals("not_registered_user@example.com", LdapAuth3.getEmail("not_registered_user", TEST_LDAP_CONF));
+    }
+
+    @Test
+    public void gettingMailAttributeForBlockedUserWorks() throws LDAPException {
+        assertEquals("nameOfBlockedUser@example.com", LdapAuth3.getEmail("nameOfBlockedUser", TEST_LDAP_CONF));
+    }
+
+    @Test
     public void canLoadLdapConfig() {
         LDAPConfig ldapConfig = new LDAPConfig(TEST_LDAPS_CONF);
         assertEquals(3269, ldapConfig.port);
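Review bot: The new tests for `LDAP_AUTH_RLOCKED` and `LDAP_AUTH_RNOTREG` only cover logins with a valid password; nothing pins what a wrong password returns for those two accounts. Since these codes disclose account status, I would add a test that they are never handed out before the credentials check passes, e.g. `assertEquals(LDAP_AUTH_RUNKNOWN, LdapAuth3.login("nameOfBlockedUser", "wrongpw", TEST_LDAP_CONF));` and the same for `not_registered_user`. That keeps a later reordering of the filter checks in search() from turning the login into a way to probe account state.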
diff --git a/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java b/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java
index 196451e..9e9700e 100644
--- a/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java
@@ -14,8 +14,8 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.KeySpec;
 
-import static de.ids_mannheim.korap.authentication.LdapAuth3.LDAP_AUTH_RNAUTH;
 import static de.ids_mannheim.korap.authentication.LdapAuth3.LDAP_AUTH_ROK;
+import static de.ids_mannheim.korap.authentication.LdapAuth3.LDAP_AUTH_RUNKNOWN;
 import static org.junit.Assert.assertEquals;
 
 public class EmbeddedLdapServerTest {
@@ -49,7 +49,7 @@
 
     @Test
     public void asteriskPasswordsFail() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("user1", "*", TEST_EMBEDDED_LDAP_CONF));
+        assertEquals(LDAP_AUTH_RUNKNOWN, LdapAuth3.login("user1", "*", TEST_EMBEDDED_LDAP_CONF));
     }
 
     @Test
@@ -66,12 +66,12 @@
 
     @Test
     public void loginWithUnEncodedPBKDF2PasswordFails() throws LDAPException, NoSuchAlgorithmException, InvalidKeySpecException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("user5", "password5", TEST_EMBEDDED_LDAP_CONF));
+        assertEquals(LDAP_AUTH_RUNKNOWN, LdapAuth3.login("user5", "password5", TEST_EMBEDDED_LDAP_CONF));
     }
 
     @Test
     public void unauthorizedUsersAreNotAllowed() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("yuser", "password", TEST_EMBEDDED_LDAP_CONF));
+        assertEquals(LDAP_AUTH_RUNKNOWN, LdapAuth3.login("yuser", "password", TEST_EMBEDDED_LDAP_CONF));
     }
 
     @Test
diff --git a/full/src/test/resources/test-ldap-users.ldif b/full/src/test/resources/test-ldap-users.ldif
index af687a8..b35a919 100644
--- a/full/src/test/resources/test-ldap-users.ldif
+++ b/full/src/test/resources/test-ldap-users.ldif
@@ -15,11 +15,9 @@
 mail: testuser@example.com
 userPassword: cGFzc3dvcmQ=
 displayName: Dr. Peter Testuser
-extra: TRUE
-extraProfile: testuser
-extraPassword: topsecret
-extraNews: TRUE
-title: Herr
+registered: TRUE
+extraProfile: testuser123
+extraPassword: password
 uid: testuser
 
 dn: uid=test,ou=people,dc=example,dc=com
@@ -29,41 +27,28 @@
 mail: test@example.com
 userPassword: top*ecret
 displayName: Dr. Peter Test
-extra: TRUE
-idsStatus: 1
+registered: TRUE
+userStatus: 1
 extraProfile: test
 extraPassword: top*ecret
 uid: test
 
-dn: uid=doe,ou=people,dc=example,dc=com
-cn: John Doe
-sn: doe
-givenName: John
-mail: doe@example.com
+dn: uid=not_registered_user,ou=people,dc=example,dc=com
+mail: not_registered_user@example.com
 userPassword: cGFzc3dvcmQ=
-displayName: Dr. John Doe
-idsStatus: 0
-extra: FALSE
-extraProfile: doe
+userStatus: 0
+registered: FALSE
+extraProfile: not_registered_user
 extraPassword: topsecret
-extraNews: TRUE
-title: Herr
-uid: doe
+uid: not_registered_user
 
-dn: uid=berserk,ou=people,dc=example,dc=com
-cn: Bernd Berserker
-sn: berserker
-givenName: Joe
-mail: berserker@example.com
+dn: uid=nameOfBlockedUser,ou=people,dc=example,dc=com
+mail: nameOfBlockedUser@example.com
 userPassword: cGFzc3dvcmQ=
-displayName: berserk
-idsStatus: 2
-extra: TRUE
-extraProfile: doe
+userStatus: 2
+registered: TRUE
 extraPassword: topsecret
-extraNews: TRUE
-title: Herr
-uid: berserk
+uid: nameOfBlockedUser
 
 dn: uid=testuser2,ou=people,dc=example,dc=com
 cn: Peter Testuser
@@ -72,8 +57,8 @@
 mail: peter@example.org
 userPassword: cGFzc3dvcmQ=
 displayName: Dr. Peter Testuser
-idsStatus: 0
-extra: TRUE
+userStatus: 0
+registered: TRUE
 extraProfile: testuser2
 extraPassword: topsecret
 extraNews: TRUE
@@ -83,7 +68,7 @@
 dn: uid=uid,ou=people,dc=example,dc=com
 mail: mail@example.org
 userPassword: userPassword
-extra: TRUE
+registered: TRUE
 extraProfile: extraProfile
 extraPassword: extraPassword
 uid: uid
diff --git a/full/src/test/resources/test-ldap.conf b/full/src/test/resources/test-ldap.conf
index 1bccb3b..614275c 100644
--- a/full/src/test/resources/test-ldap.conf
+++ b/full/src/test/resources/test-ldap.conf
@@ -3,4 +3,6 @@
 searchBase=dc=example,dc=com
 sLoginDN=cn=admin,dc=example,dc=com
 pwd=adminpassword
-searchFilter=(&(|(uid=${login})(mail=${login})(extraProfile=${login}))(|(userPassword=${password})(extraPassword=${password}))(extra=TRUE)(|(idsStatus=0)(idsStatus=1)(!(idsStatus=*))))
+searchFilter=(&(|(uid=${login})(mail=${login})(extraProfile=${login}))(|(userPassword=${password})(extraPassword=${password})))
+authFilter=(registered=TRUE)
+userNotBlockedFilter=(|(userStatus=0)(userStatus=1)(!(userStatus=*)))
diff --git a/full/src/test/resources/test-ldaps-with-truststore.conf b/full/src/test/resources/test-ldaps-with-truststore.conf
index 788de73..22d0899 100644
--- a/full/src/test/resources/test-ldaps-with-truststore.conf
+++ b/full/src/test/resources/test-ldaps-with-truststore.conf
@@ -5,4 +5,6 @@
 searchBase=dc=example,dc=com
 sLoginDN=cn=admin,dc=example,dc=com
 pwd=adminpassword
-searchFilter=(&(|(uid=${login})(mail=${login})(extraProfile=${login}))(|(userPassword=${password})(extraPassword=${password}))(extra=TRUE)(|(idsStatus=0)(idsStatus=1)(!(idsStatus=*))))
+searchFilter=(&(|(uid=${login})(mail=${login})(extraProfile=${login}))(|(userPassword=${password})(extraPassword=${password})))
+authFilter=(registered=TRUE)
+userNotBlockedFilter=(|(userStatus=0)(userStatus=1)(!(userStatus=*)))
diff --git a/full/src/test/resources/test-ldaps.conf b/full/src/test/resources/test-ldaps.conf
index 9b414be..dfbed4f 100644
--- a/full/src/test/resources/test-ldaps.conf
+++ b/full/src/test/resources/test-ldaps.conf
@@ -5,4 +5,6 @@
 searchBase=dc=example,dc=com
 sLoginDN=cn=admin,dc=example,dc=com
 pwd=adminpassword
-searchFilter=(&(|(uid=${login})(mail=${login})(extraProfile=${login}))(|(userPassword=${password})(extraPassword=${password}))(extra=TRUE)(|(idsStatus=0)(idsStatus=1)(!(idsStatus=*))))
+searchFilter=(&(|(uid=${login})(mail=${login})(extraProfile=${login}))(|(userPassword=${password})(extraPassword=${password})))
+authFilter=(registered=TRUE)
+userNotBlockedFilter=(|(userStatus=0)(userStatus=1)(!(userStatus=*)))