GUACAMOLE-1130: Only retrieve LDAP attributes that are strictly necessary

Edgardo Rodriguez
2020-07-26 11:56:35 -03:00
committed by Virtually Nick
parent 3a083a1b40
commit 420ffa175d
3 changed files with 25 additions and 9 deletions


@@ -197,6 +197,10 @@ public class ObjectQueryService {
* @param searchHop
* The current level of referral depth for this search, used for
* limiting the maximum depth to which referrals can go.
*
* @param relevantAttributes
* The attribute(s) relevant to return for this search,
* if all available should be returned pass null as value.
*
* @return
* A list of all results accessible to the user currently bound under
@@ -208,7 +212,8 @@ public class ObjectQueryService {
* guacamole.properties.
*/
public List<Entry> search(LdapNetworkConnection ldapConnection,
Dn baseDN, ExprNode query, int searchHop) throws GuacamoleException {
Dn baseDN, ExprNode query, int searchHop,
Collection<String> relevantAttributes) throws GuacamoleException {
// Refuse to follow referrals if limit has been reached
int maxHops = confService.getMaxReferralHops();
@@ -225,12 +230,15 @@ public class ObjectQueryService {
// Search within subtree of given base DN
SearchRequest request = ldapService.getSearchRequest(baseDN, query);
if (relevantAttributes != null) {
request.addAttributes(relevantAttributes.toArray(new String[0]));
}
// Produce list of all entries in the search result, automatically
// following referrals if configured to do so
List<Entry> entries = new ArrayList<>();
try (SearchCursor results = ldapConnection.search(request)) {
while (results.next()) {
// Add entry directly if no referral is involved
@@ -251,7 +259,7 @@ public class ObjectQueryService {
try (LdapNetworkConnection referralConnection = ldapService.bindAs(url, ldapConnection)) {
if (referralConnection != null) {
logger.debug("Following referral to \"{}\"...", url);
entries.addAll(search(referralConnection, baseDN, query, searchHop + 1));
entries.addAll(search(referralConnection, baseDN, query, searchHop + 1, relevantAttributes));
}
else
logger.debug("Could not bind with LDAP "
@@ -329,7 +337,7 @@ public class ObjectQueryService {
ExprNode filter, Collection<String> attributes, String attributeValue)
throws GuacamoleException {
ExprNode query = generateQuery(filter, attributes, attributeValue);
return search(ldapConnection, baseDN, query, 0);
return search(ldapConnection, baseDN, query, 0, attributes);
}
/**
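Review bot: The overload at the end of this section (`search(ldapConnection, baseDN, filter, attributes, attributeValue)`) now passes its filter attributes on as the returned-attribute list, so any caller that reads an attribute from the returned entries other than the ones it filtered on will no longer find it on the entry; the UserGroupService change in this commit, which widens its list from the member attribute to member plus group-name attributes, looks like exactly that adjustment. Since that overload's javadoc starts outside the hunk, I would state the coupling there: `Only the attributes named in {@code attributes} are requested from the server; callers that read other attributes of the returned entries must use the search() variant taking relevantAttributes.` For the new `@param relevantAttributes`, note that an empty collection is not the same as null in intent but is on the wire: `addAttributes` with zero names leaves the request's attribute list empty, which RFC 4511 defines as "return all user attributes", so either document that an empty collection behaves like null or normalise it to null before the `addAttributes` call. The body of the five-argument `search` continues outside the hunks.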


@@ -126,7 +126,7 @@ public class ConnectionService {
// and possibly any groups the user is a member of that are
// referred to in the seeAlso attribute of the guacConfigGroup.
List<Entry> results = queryService.search(ldapConnection,
configurationBaseDN, connectionSearchFilter, 0);
configurationBaseDN, connectionSearchFilter, 0, null);
// Return a map of all readable connections
return queryService.asMap(results, (entry) -> {
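Review bot: The bare `null` added as the last argument of the `queryService.search(` call is opaque at the call site — it is the "return all attributes" sentinel the new parameter's javadoc defines, and nothing here records why this caller needs the full attribute set while the other two callers in this commit restrict theirs. A one-line comment would make the choice deliberate, e.g. `// null: request every attribute, since the connection entries are read for several attributes below` — adjust it to what the code after this hunk actually reads, which I cannot see from here. A four-argument overload delegating with null, or a named constant, would avoid repeating the bare literal at each call site.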


@@ -18,8 +18,8 @@
*/
package org.apache.guacamole.auth.ldap.group;
import com.google.inject.Inject;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
@@ -192,7 +192,7 @@ public class UserGroupService {
ldapConnection,
userDN,
confService.getUserSearchFilter(),
0);
0, null);
// ... there can surely only be one
if (userEntries.size() != 1)
logger.warn("user DN \"{}\" does not return unique value "
@@ -214,13 +214,21 @@ public class UserGroupService {
}
}
// Gather all attributes relevant for a group
ArrayList<String> groupAttributes = new ArrayList<String>();
groupAttributes.add(confService.getMemberAttribute());
confService.getGroupNameAttributes().forEach(
attribute -> groupAttributes.add(attribute)
);
// Get all groups the user is a member of starting at the groupBaseDN,
// excluding guacConfigGroups
return queryService.search(
ldapConnection,
groupBaseDN,
getGroupSearchFilter(),
Collections.singleton(confService.getMemberAttribute()),
groupAttributes,
userIDorDN
);
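Review bot: The `groupAttributes` construction (`new ArrayList<String>()` followed by `forEach(attribute -> groupAttributes.add(attribute))`) is a hand-rolled `addAll`; written as `List<String> groupAttributes = new ArrayList<>();` / `groupAttributes.add(confService.getMemberAttribute());` / `groupAttributes.addAll(confService.getGroupNameAttributes());` it reads as the plain declaration of the returned-attribute set it is, assuming `getGroupNameAttributes()` returns a `Collection` (it is at least `Iterable`, given the `forEach`) and `java.util.List` is already imported, neither of which the hunks show. The comment above it should also say why both kinds of attribute are listed, since leaving one out would silently drop it from the returned entries: `// Request only the attributes read from the group entries: the member attribute and the group-name attributes` — hedged, as the code that reads the entries is outside the hunk. The enclosing method continues outside the hunk.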