From 4ac1d1bb64833f2a97a186714e6eab29c9ee0093 Mon Sep 17 00:00:00 2001
From: Virtually Nick
Date: Sat, 2 May 2020 15:41:06 -0400
Subject: [PATCH] GUACAMOLE-944: Allow search bind usernames in non-DN format.
---
.../ldap/AuthenticationProviderService.java | 15 ++++++++------
.../auth/ldap/LDAPConnectionService.java | 20 ++++++++++---------
.../auth/ldap/conf/ConfigurationService.java | 4 ++--
.../ldap/conf/LDAPGuacamoleProperties.java | 15 ++++++++------
4 files changed, 31 insertions(+), 23 deletions(-)
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
index e6b79e10e..833674c1b 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
@@ -119,18 +119,19 @@ public class AuthenticationProviderService {
// If a search DN is provided, search the LDAP directory for the DN
// corresponding to the given username
- Dn searchBindDN = confService.getSearchBindDN();
- if (searchBindDN != null) {
+ String searchBindLogon = confService.getSearchBindDN();
+ if (searchBindLogon != null) {
// Create an LDAP connection using the search account
LdapNetworkConnection searchConnection = ldapService.bindAs(
- searchBindDN,
+ searchBindLogon,
confService.getSearchBindPassword()
);
// Warn of failure to find
if (searchConnection == null) {
- logger.error("Unable to bind using search DN \"{}\"", searchBindDN);
+ logger.error("Unable to bind using search DN \"{}\"",
+ searchBindLogon);
return null;
}
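Review bot: The new `logger.error` call still describes the value as a "search DN" even though `searchBindLogon` may now be a UPN or another server-specific login, and the getter it comes from is still named `getSearchBindDN()`; `logger.error("Unable to bind using search account \"{}\"", searchBindLogon);` would stop operators from reading a failed UPN bind as a malformed DN. With the `Dn` type gone, nothing in this hunk rejects a blank configured value; if `StringGuacamoleProperty` yields an empty string rather than null for a blank property (not visible here), the null check passes and an empty bind name is sent to the server. A guard of `if (searchBindLogon != null && !searchBindLogon.isEmpty()) {`, or normalizing blank to null inside `getSearchBindDN()`, would keep the "no search account configured" path unambiguous. The enclosing method starts before and continues past this hunk.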
@@ -203,7 +204,8 @@ public class AuthenticationProviderService {
}
// Attempt bind
- LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, password);
+ LdapNetworkConnection ldapConnection =
+ ldapService.bindAs(bindDn.getName(), password);
if (ldapConnection == null)
throw new GuacamoleInvalidCredentialsException("Invalid login.",
CredentialsInfo.USERNAME_PASSWORD);
@@ -315,7 +317,8 @@ public class AuthenticationProviderService {
if (authenticatedUser instanceof LDAPAuthenticatedUser) {
Dn bindDn = ((LDAPAuthenticatedUser) authenticatedUser).getBindDn();
- LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, credentials.getPassword());
+ LdapNetworkConnection ldapConnection =
+ ldapService.bindAs(bindDn.getName(), credentials.getPassword());
if (ldapConnection == null) {
logger.debug("LDAP bind succeeded for \"{}\" during "
+ "authentication but failed during data retrieval.",
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
index a16c7de92..d93ae23a8 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
@@ -239,11 +239,11 @@ public class LDAPConnectionService {
* bound.
*/
private LdapNetworkConnection bindAs(LdapNetworkConnection ldapConnection,
- Dn userDN, String password) {
+ String bindUser, String password) {
// Add credentials to existing config
LdapConnectionConfig config = ldapConnection.getConfig();
- config.setName(userDN.getName());
+ config.setName(bindUser);
config.setCredentials(password);
try {
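Review bot: In the `bindAs` hunk at `@@ -239`, `config.setName(bindUser)` forwards whatever string it receives, whereas the old `userDN.getName()` threw on a null `userDN`, so the "null to bind anonymously" contract documented on the public overload becomes reachable for the first time; whether Apache Directory's `bind()` treats a null or empty name as an anonymous bind or rejects it is not visible here and should be confirmed, because a missing search account could otherwise silently become an anonymous directory search. I would make the intent explicit before `setName`: `if (bindUser != null && bindUser.isEmpty()) { ldapConnection.close(); return null; }` and state in the Javadoc that an empty name is rejected. The same consideration applies to `config.setCredentials(password)` on the following context line if callers do not already reject empty passwords, since RFC 4513 permits a server to treat a name with an empty password as an unauthenticated bind that succeeds. The method body continues past the end of this hunk.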
@@ -255,7 +255,8 @@ public class LDAPConnectionService {
// only at the debug level (such failures are expected)
catch (LdapAuthenticationException e) {
ldapConnection.close();
- logger.debug("Bind attempt with LDAP server as user \"{}\" failed.", userDN, e);
+ logger.debug("Bind attempt with LDAP server as user \"{}\" failed.",
+ bindUser, e);
return null;
}
@@ -264,7 +265,8 @@ public class LDAPConnectionService {
catch (LdapException e) {
ldapConnection.close();
logger.error("Binding with the LDAP server at \"{}\" as user "
- + "\"{}\" failed: {}", config.getLdapHost(), userDN, e.getMessage());
+ + "\"{}\" failed: {}", config.getLdapHost(), bindUser,
+ e.getMessage());
logger.debug("Unable to bind to LDAP server.", e);
return null;
}
@@ -318,7 +320,7 @@ public class LDAPConnectionService {
}
// Bind using username/password from existing connection
- return bindAs(ldapConnection, userDN, password);
+ return bindAs(ldapConnection, userDN.getName(), password);
}
@@ -327,8 +329,8 @@ public class LDAPConnectionService {
* hostname, port, and encryption method of the LDAP server are determined
* from guacamole.properties.
*
- * @param userDN
- * The DN of the user to bind as, or null to bind anonymously.
+ * @param bindUser
+ * The DN or UPN of the user to bind as, or null to bind anonymously.
*
* @param password
* The password to use when binding as the specified user, or null to
@@ -342,9 +344,9 @@ public class LDAPConnectionService {
* If an error occurs while parsing guacamole.properties, or if the
* configured encryption method is actually not implemented (a bug).
*/
- public LdapNetworkConnection bindAs(Dn userDN, String password)
+ public LdapNetworkConnection bindAs(String bindUser, String password)
throws GuacamoleException {
- return bindAs(createLDAPConnection(), userDN, password);
+ return bindAs(createLDAPConnection(), bindUser, password);
}
/**
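Review bot: The `Dn`-to-`String` conversion is now repeated at every caller that already holds a `Dn` — `userDN.getName()` at `@@ -318` here and `bindDn.getName()` twice in AuthenticationProviderService — which is a point of style rather than correctness: a delegating overload next to the public method in the `@@ -342` hunk, `public LdapNetworkConnection bindAs(Dn userDN, String password) throws GuacamoleException { return bindAs(userDN == null ? null : userDN.getName(), password); }`, would keep those callers type-safe and preserve the null-means-anonymous contract the Javadoc in `@@ -327` still documents. The `@@ -318` call sits in a method whose start is outside this hunk, so I cannot tell whether `userDN` is guaranteed non-null there; if it is not, the new `.getName()` call moves the failure from the callee to this line. The Javadoc line `The DN or UPN of the user to bind as` is also narrower than the new property documentation, which allows any server-accepted string; `The DN, UPN, or other server-accepted login of the user to bind as` would match it.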
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
index 47597b982..769d4c39d 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
@@ -171,7 +171,7 @@ public class ConfigurationService {
}
/**
- * Returns the DN that should be used when searching for the DNs of users
+ * Returns the login that should be used when searching for the DNs of users
* attempting to authenticate. If no such search should be performed, null
* is returned.
*
@@ -183,7 +183,7 @@ public class ConfigurationService {
* @throws GuacamoleException
* If guacamole.properties cannot be parsed.
*/
- public Dn getSearchBindDN() throws GuacamoleException {
+ public String getSearchBindDN() throws GuacamoleException {
return environment.getProperty(
LDAPGuacamoleProperties.LDAP_SEARCH_BIND_DN
);
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
index e6ec51861..231362970 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
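Review bot: `getSearchBindDN()` now returns a plain `String` described as a "login", but only the summary sentence of its Javadoc was updated; the `@return` tag lies between the two hunks and is not visible here, so please check that it no longer promises a DN. I would also have the doc state the consequence of the type change: `Because the value is no longer parsed as a DN, no format validation is performed here; an unusable value surfaces only as a failed search bind at login time.` Keeping the `getSearchBindDN` name for compatibility is reasonable, but a `@see LDAPGuacamoleProperties#LDAP_SEARCH_BIND_DN` tag would point readers to where the accepted formats are discussed.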
@@ -128,13 +128,16 @@ public class LDAPGuacamoleProperties {
};
/**
- * The DN of the user that the LDAP authentication should bind as when
- * searching for the user accounts of users attempting to log in. If not
- * specified, the DNs of users attempting to log in will be derived from
- * the LDAP_BASE_DN and LDAP_USERNAME_ATTRIBUTE directly.
+ * The user that the LDAP extension should bind as when searching for the
+ * accounts of users attempting to log in. The format of this parameter
+ * will vary based on the LDAP server implementation - often it is expected
+ * to be in full LDAP DN format; however various LDAP server implementations
+ * allow this to be in other formats (e.g. Active Directory allows
+ * User Principal Name, or UPN, format). For this reason the configuration
+ * allows this to be any string.
*/
- public static final LdapDnGuacamoleProperty LDAP_SEARCH_BIND_DN =
- new LdapDnGuacamoleProperty() {
+ public static final StringGuacamoleProperty LDAP_SEARCH_BIND_DN =
+ new StringGuacamoleProperty() {
@Override
public String getName() { return "ldap-search-bind-dn"; }
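Review bot: The new Javadoc explains why the value may be in a non-DN format but not that the extension no longer validates it at all — with `StringGuacamoleProperty` a typo or stray trailing whitespace is passed to the server verbatim and only shows up as a search-bind failure at the first login attempt; a closing sentence such as `The value is not validated or normalized by the extension and is sent to the LDAP server exactly as configured.` would set operator expectations. The old text also told operators what happens when the property is omitted (user DNs derived from the base DN and username attribute); that behaviour is presumably unchanged, and the sentence is worth keeping rather than dropping. The anonymous `StringGuacamoleProperty` subclass continues past the end of this hunk.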