diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
index f0988a741..c7e4819d1 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
@@ -270,7 +270,26 @@ public class ConfigurationService {
 constraints.setDereference(getDereferenceAliases().DEREF_VALUE);
 return constraints;
+ }
+ /**
+ * Returns the search filter that should be used when querying the
+ * LDAP server for Guacamole users. If no filter is specified,
+ * a default of "(objectClass=*)" is returned.
+ *
+ * @return
+ * The search filter that should be used when querying the
+ * LDAP server for users that are valid in Guacamole, or
+ * "(objectClass=*)" if not specified.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public String getUserSearchFilter() throws GuacamoleException {
+ return environment.getProperty(
+ LDAPGuacamoleProperties.LDAP_USER_SEARCH_FILTER,
+ "(objectClass=*)"
+ );
 }
 }
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
index 266af8e93..e13264dd8 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
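Review bot: getUserSearchFilter() hands the configured property value back unchanged, yet both call sites in UserService.java (the @@ -85 and @@ -188 hunks) splice it straight into an `(&...)` conjunction, so a value that is not a complete parenthesized filter — for example `objectClass=person` without the outer parentheses — yields a malformed query and every user lookup then fails at search time instead of at configuration time. Checking the shape once here covers both callers: `String filter = environment.getProperty(LDAPGuacamoleProperties.LDAP_USER_SEARCH_FILTER, "(objectClass=*)").trim();` followed by `if (!filter.startsWith("(") || !filter.endsWith(")")) throw new GuacamoleServerException("ldap-user-search-filter must be a complete LDAP filter enclosed in parentheses");` and `return filter;` (GuacamoleServerException is a GuacamoleException, so the declared throws clause already covers it). The Javadoc should state that contract too — that the value is used as one operand of an AND with the username-attribute clause and must therefore include its own enclosing parentheses — and the same sentence belongs on the `LDAP_USER_SEARCH_FILTER` property's Javadoc in LDAPGuacamoleProperties.java, which currently says only "A search filter to apply to user LDAP queries."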
@@ -164,4 +164,14 @@ public class LDAPGuacamoleProperties {
 };
+ /**
+ * A search filter to apply to user LDAP queries.
+ */
+ public static final StringGuacamoleProperty LDAP_USER_SEARCH_FILTER = new StringGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "ldap-user-search-filter"; }
+
+ };
+
 }
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
index f7c571678..91f1636e5 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
@@ -85,11 +85,20 @@ public class UserService {
 try {
+ // Build a filter using the configured or default user search filter
+ // to find all user objects in the LDAP tree
+ StringBuilder userSearchFilter = new StringBuilder();
+ userSearchFilter.append("(&");
+ userSearchFilter.append(confService.getUserSearchFilter());
+ userSearchFilter.append("(");
+ userSearchFilter.append(escapingService.escapeLDAPSearchFilter(usernameAttribute));
+ userSearchFilter.append("=*))");
+
 // Find all Guacamole users underneath base DN
 LDAPSearchResults results = ldapConnection.search(
 confService.getUserBaseDN(),
 LDAPConnection.SCOPE_SUB,
- "(&(objectClass=*)(" + escapingService.escapeLDAPSearchFilter(usernameAttribute) + "=*))",
+ userSearchFilter.toString(),
 null,
 false,
 confService.getLDAPSearchConstraints()
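Review bot: The six-line StringBuilder sequence in the @@ -85 hunk assembles a fixed four-piece string and is heavier to read than the single concatenation it replaces; `String userSearchFilter = "(&" + confService.getUserSearchFilter() + "(" + escapingService.escapeLDAPSearchFilter(usernameAttribute) + "=*))";` keeps the one-line shape of the removed line and lets the search call pass `userSearchFilter` directly. The same `"(&" + configured filter` prefix is rebuilt again in the @@ -188 hunk, so the assumption that the configured value is a self-contained parenthesized filter now lives in two places in this file; a small private helper that both queries call would keep that assumption in one spot. The new comment "to find all user objects in the LDAP tree" overstates the scope — the search a few lines below is rooted at `confService.getUserBaseDN()` — so `// beneath the configured user base DN` would be more accurate. The enclosing method and its try block begin and end outside this hunk.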
@@ -188,8 +197,10 @@ public class UserService {
 List usernameAttributes = confService.getUsernameAttributes();
 // Build LDAP query for users having at least one username attribute
- // with the specified username as its value
- StringBuilder ldapQuery = new StringBuilder("(&(objectClass=*)");
+ // and with the configured or default search filter
+ StringBuilder ldapQuery = new StringBuilder();
+ ldapQuery.append("(&");
+ ldapQuery.append(confService.getUserSearchFilter());
 // Include all attributes within OR clause if there are more than one
 if (usernameAttributes.size() > 1)