From 2f1fac51afafe0f7df7faee9f2f653c13ff65ed4 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Sun, 9 Dec 2018 08:32:16 -0500 Subject: [PATCH 01/18] GUACAMOLE-234: Convert LDAP extension to use Apache Directory LDAP API. --- extensions/guacamole-auth-ldap/pom.xml | 8 +- .../ldap/AuthenticationProviderService.java | 60 +++--- .../auth/ldap/DereferenceAliasesMode.java | 74 ------- .../guacamole/auth/ldap/EscapingService.java | 120 ----------- .../LDAPAuthenticationProviderModule.java | 2 +- .../auth/ldap/LDAPConnectionService.java | 199 ++++++++++++------ .../auth/ldap/ObjectQueryService.java | 149 +++++++------ .../auth/ldap/ReferralAuthHandler.java | 79 ------- .../ldap/{ => conf}/ConfigurationService.java | 53 ++--- .../DereferenceAliasesProperty.java | 19 +- .../ldap/{ => conf}/EncryptionMethod.java | 2 +- .../{ => conf}/EncryptionMethodProperty.java | 2 +- .../{ => conf}/LDAPGuacamoleProperties.java | 56 +++-- .../ldap/conf/LdapDnGuacamoleProperty.java | 49 +++++ .../conf/LdapFilterGuacamoleProperty.java | 52 +++++ .../ldap/{ => conf}/StringListProperty.java | 2 +- .../ldap/connection/ConnectionService.java | 119 ++++++----- .../auth/ldap/group/UserGroupService.java | 69 +++--- .../auth/ldap/user/LDAPUserContext.java | 11 +- .../guacamole/auth/ldap/user/UserService.java | 63 +++--- 20 files changed, 561 insertions(+), 627 deletions(-) delete mode 100644 extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/DereferenceAliasesMode.java delete mode 100644 extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/EscapingService.java delete mode 100644 extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ReferralAuthHandler.java rename extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/{ => conf}/ConfigurationService.java (88%) rename extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/{ => conf}/DereferenceAliasesProperty.java (75%) rename extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/{ => conf}/EncryptionMethod.java (97%) rename extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/{ => conf}/EncryptionMethodProperty.java (97%) rename extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/{ => conf}/LDAPGuacamoleProperties.java (82%) create mode 100644 extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java create mode 100644 extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java rename extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/{ => conf}/StringListProperty.java (98%) diff --git a/extensions/guacamole-auth-ldap/pom.xml b/extensions/guacamole-auth-ldap/pom.xml index 898deaf9a..2dfa5c75a 100644 --- a/extensions/guacamole-auth-ldap/pom.xml +++ b/extensions/guacamole-auth-ldap/pom.xml @@ -141,11 +141,11 @@ provided - + - com.novell.ldap - jldap - 4.3 + org.apache.directory.api + api-all + 2.0.0.AM2 diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java index 949d1c87d..fd184898f 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java @@ -21,18 +21,23 @@ package org.apache.guacamole.auth.ldap; import com.google.inject.Inject; import com.google.inject.Provider; -import com.novell.ldap.LDAPAttribute; -import com.novell.ldap.LDAPAttributeSet; -import com.novell.ldap.LDAPConnection; -import com.novell.ldap.LDAPEntry; -import com.novell.ldap.LDAPException; +import java.util.Collection; import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Set; +import org.apache.directory.api.ldap.model.entry.Attribute; +import org.apache.directory.api.ldap.model.entry.Entry; +import org.apache.directory.api.ldap.model.exception.LdapException; +import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException; +import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.directory.ldap.client.api.LdapConnection; +import org.apache.directory.ldap.client.api.LdapConnectionConfig; +import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleServerException; +import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.auth.ldap.group.UserGroupService; import org.apache.guacamole.auth.ldap.user.LDAPAuthenticatedUser; import org.apache.guacamole.auth.ldap.user.LDAPUserContext; @@ -113,16 +118,15 @@ public class AuthenticationProviderService { * If required properties are missing, and thus the user DN cannot be * determined. */ - private String getUserBindDN(String username) - throws GuacamoleException { + private Dn getUserBindDN(String username) throws GuacamoleException { // If a search DN is provided, search the LDAP directory for the DN // corresponding to the given username - String searchBindDN = confService.getSearchBindDN(); + Dn searchBindDN = confService.getSearchBindDN(); if (searchBindDN != null) { // Create an LDAP connection using the search account - LDAPConnection searchConnection = ldapService.bindAs( + LdapConnection searchConnection = ldapService.bindAs( searchBindDN, confService.getSearchBindPassword() ); @@ -136,7 +140,7 @@ public class AuthenticationProviderService { try { // Retrieve all DNs associated with the given username - List userDNs = userService.getUserDNs(searchConnection, username); + List userDNs = userService.getUserDNs(searchConnection, username); if (userDNs.isEmpty()) return null; @@ -179,7 +183,7 @@ public class AuthenticationProviderService { * @throws GuacamoleException * If an error occurs while binding to the LDAP server. */ - private LDAPConnection bindAs(Credentials credentials) + private LdapConnection bindAs(Credentials credentials) throws GuacamoleException { // Get username and password from credentials @@ -199,7 +203,7 @@ public class AuthenticationProviderService { } // Determine user DN - String userDN = getUserBindDN(username); + Dn userDN = getUserBindDN(username); if (userDN == null) { logger.debug("Unable to determine DN for user \"{}\".", username); return null; @@ -230,7 +234,7 @@ public class AuthenticationProviderService { throws GuacamoleException { // Attempt bind - LDAPConnection ldapConnection; + LdapConnection ldapConnection; try { ldapConnection = bindAs(credentials); } @@ -246,10 +250,14 @@ public class AuthenticationProviderService { try { + LdapConnectionConfig ldapConnectionConfig = + ((LdapNetworkConnection) ldapConnection).getConfig(); + Dn authDn = new Dn(ldapConnectionConfig.getName()); + // Retrieve group membership of the user that just authenticated Set effectiveGroups = userGroupService.getParentUserGroupIdentifiers(ldapConnection, - ldapConnection.getAuthenticationDN()); + authDn); // Return AuthenticatedUser if bind succeeds LDAPAuthenticatedUser authenticatedUser = authenticatedUserProvider.get(); @@ -257,6 +265,9 @@ public class AuthenticationProviderService { return authenticatedUser; } + catch (LdapInvalidDnException e) { + throw new GuacamoleServerException("Invalid DN trying to bind to server.", e); + } // Always disconnect finally { ldapService.disconnect(ldapConnection); @@ -286,7 +297,7 @@ public class AuthenticationProviderService { * @throws GuacamoleException * If an error occurs retrieving the user DN or the attributes. */ - private Map getAttributeTokens(LDAPConnection ldapConnection, + private Map getAttributeTokens(LdapConnection ldapConnection, String username) throws GuacamoleException { // Get attributes from configuration information @@ -298,29 +309,28 @@ public class AuthenticationProviderService { // Build LDAP query parameters String[] attrArray = attrList.toArray(new String[attrList.size()]); - String userDN = getUserBindDN(username); + Dn userDN = getUserBindDN(username); Map tokens = new HashMap<>(); try { // Get LDAP attributes by querying LDAP - LDAPEntry userEntry = ldapConnection.read(userDN, attrArray); + Entry userEntry = ldapConnection.lookup(userDN, attrArray); if (userEntry == null) return Collections.emptyMap(); - LDAPAttributeSet attrSet = userEntry.getAttributeSet(); - if (attrSet == null) + Collection attributes = userEntry.getAttributes(); + if (attributes == null) return Collections.emptyMap(); // Convert each retrieved attribute into a corresponding token - for (Object attrObj : attrSet) { - LDAPAttribute attr = (LDAPAttribute)attrObj; - tokens.put(TokenName.canonicalize(attr.getName(), - LDAP_ATTRIBUTE_TOKEN_PREFIX), attr.getStringValue()); + for (Attribute attr : attributes) { + tokens.put(TokenName.canonicalize(attr.getId(), + LDAP_ATTRIBUTE_TOKEN_PREFIX), attr.getString()); } } - catch (LDAPException e) { + catch (LdapException e) { throw new GuacamoleServerException("Could not query LDAP user attributes.", e); } @@ -347,7 +357,7 @@ public class AuthenticationProviderService { // Bind using credentials associated with AuthenticatedUser Credentials credentials = authenticatedUser.getCredentials(); - LDAPConnection ldapConnection = bindAs(credentials); + LdapConnection ldapConnection = bindAs(credentials); if (ldapConnection == null) return null; diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/DereferenceAliasesMode.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/DereferenceAliasesMode.java deleted file mode 100644 index 1fd1bea41..000000000 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/DereferenceAliasesMode.java +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.ldap; - -import com.novell.ldap.LDAPSearchConstraints; - -/** - * Data type that handles acceptable values for configuring - * alias dereferencing behavior when querying LDAP servers. - */ -public enum DereferenceAliasesMode { - - /** - * Never dereference aliases. This is the default. - */ - NEVER(LDAPSearchConstraints.DEREF_NEVER), - - /** - * Aliases are dereferenced below the base object, but not to locate - * the base object itself. So, if the base object is itself an alias - * the search will not complete. - */ - SEARCHING(LDAPSearchConstraints.DEREF_SEARCHING), - - /** - * Aliases are only dereferenced to locate the base object, but not - * after that. So, a search against a base object that is an alias will - * find any subordinates of the real object the alias references, but - * further aliases in the search will not be dereferenced. - */ - FINDING(LDAPSearchConstraints.DEREF_FINDING), - - /** - * Aliases will always be dereferenced, both to locate the base object - * and when handling results returned by the search. - */ - ALWAYS(LDAPSearchConstraints.DEREF_ALWAYS); - - /** - * The integer constant as defined in the JLDAP library that - * the LDAPSearchConstraints class uses to define the - * dereferencing behavior during search operations. - */ - public final int DEREF_VALUE; - - /** - * Initializes the dereference aliases object with the integer - * value the setting maps to per the JLDAP implementation. - * - * @param derefValue - * The value associated with this dereference setting - */ - private DereferenceAliasesMode(int derefValue) { - this.DEREF_VALUE = derefValue; - } - -} diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/EscapingService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/EscapingService.java deleted file mode 100644 index 5dce2447e..000000000 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/EscapingService.java +++ /dev/null @@ -1,120 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.ldap; - -/** - * Service for escaping LDAP filters, distinguished names (DN's), etc. - */ -public class EscapingService { - - /** - * Escapes the given string for use within an LDAP search filter. This - * implementation is provided courtesy of OWASP: - * - * https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java - * - * @param filter - * The string to escape such that it has no special meaning within an - * LDAP search filter. - * - * @return - * The escaped string, safe for use within an LDAP search filter. - */ - public String escapeLDAPSearchFilter(String filter) { - StringBuilder sb = new StringBuilder(); - for (int i = 0; i < filter.length(); i++) { - char curChar = filter.charAt(i); - switch (curChar) { - case '\\': - sb.append("\\5c"); - break; - case '*': - sb.append("\\2a"); - break; - case '(': - sb.append("\\28"); - break; - case ')': - sb.append("\\29"); - break; - case '\u0000': - sb.append("\\00"); - break; - default: - sb.append(curChar); - } - } - return sb.toString(); - } - - /** - * Escapes the given string such that it is safe for use within an LDAP - * distinguished name (DN). This implementation is provided courtesy of - * OWASP: - * - * https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java - * - * @param name - * The string to escape such that it has no special meaning within an - * LDAP DN. - * - * @return - * The escaped string, safe for use within an LDAP DN. - */ - public String escapeDN(String name) { - StringBuilder sb = new StringBuilder(); - if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) { - sb.append('\\'); // add the leading backslash if needed - } - for (int i = 0; i < name.length(); i++) { - char curChar = name.charAt(i); - switch (curChar) { - case '\\': - sb.append("\\\\"); - break; - case ',': - sb.append("\\,"); - break; - case '+': - sb.append("\\+"); - break; - case '"': - sb.append("\\\""); - break; - case '<': - sb.append("\\<"); - break; - case '>': - sb.append("\\>"); - break; - case ';': - sb.append("\\;"); - break; - default: - sb.append(curChar); - } - } - if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) { - sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed - } - return sb.toString(); - } - -} diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPAuthenticationProviderModule.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPAuthenticationProviderModule.java index 23decec6d..9cfaadf63 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPAuthenticationProviderModule.java @@ -20,6 +20,7 @@ package org.apache.guacamole.auth.ldap; import com.google.inject.AbstractModule; +import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.auth.ldap.connection.ConnectionService; import org.apache.guacamole.auth.ldap.user.UserService; import org.apache.guacamole.GuacamoleException; @@ -76,7 +77,6 @@ public class LDAPAuthenticationProviderModule extends AbstractModule { // Bind LDAP-specific services bind(ConfigurationService.class); bind(ConnectionService.class); - bind(EscapingService.class); bind(LDAPConnectionService.class); bind(ObjectQueryService.class); bind(UserGroupService.class); diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java index 3aaf324c9..a2469c483 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java @@ -20,14 +20,24 @@ package org.apache.guacamole.auth.ldap; import com.google.inject.Inject; -import com.novell.ldap.LDAPConnection; -import com.novell.ldap.LDAPConstraints; -import com.novell.ldap.LDAPException; -import com.novell.ldap.LDAPJSSESecureSocketFactory; -import com.novell.ldap.LDAPJSSEStartTLSFactory; -import java.io.UnsupportedEncodingException; +import java.io.IOException; +import org.apache.directory.api.ldap.model.exception.LdapException; +import org.apache.directory.api.ldap.model.filter.ExprNode; +import org.apache.directory.api.ldap.model.message.BindRequest; +import org.apache.directory.api.ldap.model.message.BindRequestImpl; +import org.apache.directory.api.ldap.model.message.SearchRequest; +import org.apache.directory.api.ldap.model.message.SearchRequestImpl; +import org.apache.directory.api.ldap.model.message.SearchScope; +import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.directory.api.ldap.model.url.LdapUrl; +import org.apache.directory.ldap.client.api.LdapConnection; +import org.apache.directory.ldap.client.api.LdapConnectionConfig; +import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.GuacamoleUnsupportedException; +import org.apache.guacamole.auth.ldap.conf.ConfigurationService; +import org.apache.guacamole.auth.ldap.conf.EncryptionMethod; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -39,7 +49,7 @@ public class LDAPConnectionService { /** * Logger for this class. */ - private final Logger logger = LoggerFactory.getLogger(LDAPConnectionService.class); + private static final Logger logger = LoggerFactory.getLogger(LDAPConnectionService.class); /** * Service for retrieving LDAP server configuration information. @@ -59,8 +69,11 @@ public class LDAPConnectionService { * If an error occurs while parsing guacamole.properties, or if the * requested encryption method is actually not implemented (a bug). */ - private LDAPConnection createLDAPConnection() throws GuacamoleException { + private LdapNetworkConnection createLDAPConnection() throws GuacamoleException { + String host = confService.getServerHostname(); + int port = confService.getServerPort(); + // Map encryption method to proper connection and socket factory EncryptionMethod encryptionMethod = confService.getEncryptionMethod(); switch (encryptionMethod) { @@ -68,17 +81,17 @@ public class LDAPConnectionService { // Unencrypted LDAP connection case NONE: logger.debug("Connection to LDAP server without encryption."); - return new LDAPConnection(); + return new LdapNetworkConnection(host, port); // LDAP over SSL (LDAPS) case SSL: logger.debug("Connecting to LDAP server using SSL/TLS."); - return new LDAPConnection(new LDAPJSSESecureSocketFactory()); + return new LdapNetworkConnection(host, port, true); // LDAP + STARTTLS case STARTTLS: logger.debug("Connecting to LDAP server using STARTTLS."); - return new LDAPConnection(new LDAPJSSEStartTLSFactory()); + return new LdapNetworkConnection(host, port, false); // The encryption method, though known, is not actually // implemented. If encountered, this would be a bug. @@ -106,47 +119,23 @@ public class LDAPConnectionService { * @throws GuacamoleException * If an error occurs while binding to the LDAP server. */ - public LDAPConnection bindAs(String userDN, String password) + public LdapConnection bindAs(Dn userDN, String password) throws GuacamoleException { - // Obtain appropriately-configured LDAPConnection instance - LDAPConnection ldapConnection = createLDAPConnection(); - - // Configure LDAP connection constraints - LDAPConstraints ldapConstraints = ldapConnection.getConstraints(); - if (ldapConstraints == null) - ldapConstraints = new LDAPConstraints(); - - // Set whether or not we follow referrals - ldapConstraints.setReferralFollowing(confService.getFollowReferrals()); - - // Set referral authentication to use the provided credentials. - if (userDN != null && !userDN.isEmpty()) - ldapConstraints.setReferralHandler(new ReferralAuthHandler(userDN, password)); - - // Set the maximum number of referrals we follow - ldapConstraints.setHopLimit(confService.getMaxReferralHops()); - - // Set timelimit to wait for LDAP operations, converting to ms - ldapConstraints.setTimeLimit(confService.getOperationTimeout() * 1000); - - // Apply the constraints to the connection - ldapConnection.setConstraints(ldapConstraints); + // Obtain appropriately-configured LdapConnection instance + LdapNetworkConnection ldapConnection = createLDAPConnection(); try { // Connect to LDAP server - ldapConnection.connect( - confService.getServerHostname(), - confService.getServerPort() - ); + ldapConnection.connect(); // Explicitly start TLS if requested if (confService.getEncryptionMethod() == EncryptionMethod.STARTTLS) - ldapConnection.startTLS(); + ldapConnection.startTls(); } - catch (LDAPException e) { + catch (LdapException e) { logger.error("Unable to connect to LDAP server: {}", e.getMessage()); logger.debug("Failed to connect to LDAP server.", e); return null; @@ -155,31 +144,16 @@ public class LDAPConnectionService { // Bind using provided credentials try { - byte[] passwordBytes; - try { - - // Convert password into corresponding byte array - if (password != null) - passwordBytes = password.getBytes("UTF-8"); - else - passwordBytes = null; - - } - catch (UnsupportedEncodingException e) { - logger.error("Unexpected lack of support for UTF-8: {}", e.getMessage()); - logger.debug("Support for UTF-8 (as required by Java spec) not found.", e); - disconnect(ldapConnection); - return null; - } - - // Bind as user - ldapConnection.bind(LDAPConnection.LDAP_V3, userDN, passwordBytes); + BindRequest bindRequest = new BindRequestImpl(); + bindRequest.setDn(userDN); + bindRequest.setCredentials(password); + ldapConnection.bind(bindRequest); } // Disconnect if an error occurs during bind - catch (LDAPException e) { - logger.debug("LDAP bind failed.", e); + catch (LdapException e) { + logger.debug("Unable to bind to LDAP server.", e); disconnect(ldapConnection); return null; } @@ -187,6 +161,67 @@ public class LDAPConnectionService { return ldapConnection; } + + /** + * Generate a new LdapConnection object for following a referral + * with the given LdapUrl, and copy the username and password + * from the original connection. + * + * @param referralUrl + * The LDAP URL to follow. + * + * @param ldapConfig + * The connection config to use to retrieve username and + * password. + * + * @param hop + * The current hop number of this referral - once the configured + * limit is reached, this method will throw an exception. + * + * @return + * A LdapConnection object that points at the location + * specified in the referralUrl. + * + * @throws GuacamoleException + * If an error occurs parsing out the LdapUrl object or the + * maximum number of referral hops is reached. + */ + public LdapConnection referralConnection(LdapUrl referralUrl, + LdapConnectionConfig ldapConfig, Integer hop) + throws GuacamoleException { + + if (hop >= confService.getMaxReferralHops()) + throw new GuacamoleServerException("Maximum number of referrals reached."); + + LdapConnectionConfig referralConfig = new LdapConnectionConfig(); + + // Copy bind name and password from original config + referralConfig.setName(ldapConfig.getName()); + referralConfig.setCredentials(ldapConfig.getCredentials()); + + // Look for host - if not there, bail out. + String host = referralUrl.getHost(); + if (host == null || host.isEmpty()) + throw new GuacamoleServerException("Referral URL contains no host."); + + referralConfig.setLdapHost(host); + + // Look for port, or assign a default. + int port = referralUrl.getPort(); + if (port < 1) + referralConfig.setLdapPort(389); + else + referralConfig.setLdapPort(port); + + // Deal with SSL connections + if (referralUrl.getScheme().equals(LdapUrl.LDAPS_SCHEME)) + referralConfig.setUseSsl(true); + else + referralConfig.setUseSsl(false); + + return new LdapNetworkConnection(referralConfig); + + } /** * Disconnects the given LDAP connection, logging any failure to do so @@ -195,19 +230,53 @@ public class LDAPConnectionService { * @param ldapConnection * The LDAP connection to disconnect. */ - public void disconnect(LDAPConnection ldapConnection) { + public void disconnect(LdapConnection ldapConnection) { // Attempt disconnect try { - ldapConnection.disconnect(); + ldapConnection.close(); } // Warn if disconnect unexpectedly fails - catch (LDAPException e) { + catch (IOException e) { logger.warn("Unable to disconnect from LDAP server: {}", e.getMessage()); logger.debug("LDAP disconnect failed.", e); } } + + /** + * Generate a SearchRequest object using the given Base DN and filter + * and retrieving other properties from the LDAP configuration service. + * + * @param baseDn + * The LDAP Base DN at which to search the search. + * + * @param filter + * A string representation of a LDAP filter to use for the search. + * + * @return + * The properly-configured SearchRequest object. + * + * @throws GuacamoleException + * If an error occurs retrieving any of the configuration values. + */ + public SearchRequest getSearchRequest(Dn baseDn, ExprNode filter) + throws GuacamoleException { + + SearchRequest searchRequest = new SearchRequestImpl(); + searchRequest.setBase(baseDn); + searchRequest.setDerefAliases(confService.getDereferenceAliases()); + searchRequest.setScope(SearchScope.SUBTREE); + searchRequest.setFilter(filter); + searchRequest.setSizeLimit(confService.getMaxResults()); + searchRequest.setTimeLimit(confService.getOperationTimeout()); + searchRequest.setTypesOnly(false); + + if (confService.getFollowReferrals()) + searchRequest.followReferrals(); + + return searchRequest; + } } diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java index 2196c2fed..b67bb0a9c 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java @@ -20,18 +20,32 @@ package org.apache.guacamole.auth.ldap; import com.google.inject.Inject; -import com.novell.ldap.LDAPAttribute; -import com.novell.ldap.LDAPConnection; -import com.novell.ldap.LDAPEntry; -import com.novell.ldap.LDAPException; -import com.novell.ldap.LDAPReferralException; -import com.novell.ldap.LDAPSearchResults; import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.function.Function; +import org.apache.directory.api.ldap.model.cursor.CursorException; +import org.apache.directory.api.ldap.model.cursor.SearchCursor; +import org.apache.directory.api.ldap.model.entry.Attribute; +import org.apache.directory.api.ldap.model.entry.Entry; +import org.apache.directory.api.ldap.model.exception.LdapException; +import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException; +import org.apache.directory.api.ldap.model.filter.AndNode; +import org.apache.directory.api.ldap.model.filter.EqualityNode; +import org.apache.directory.api.ldap.model.filter.ExprNode; +import org.apache.directory.api.ldap.model.filter.OrNode; +import org.apache.directory.api.ldap.model.message.Referral; +import org.apache.directory.api.ldap.model.message.Response; +import org.apache.directory.api.ldap.model.message.SearchRequest; +import org.apache.directory.api.ldap.model.message.SearchResultEntry; +import org.apache.directory.api.ldap.model.message.SearchResultReference; +import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.directory.api.ldap.model.url.LdapUrl; +import org.apache.directory.ldap.client.api.LdapConnection; +import org.apache.directory.ldap.client.api.LdapConnectionConfig; +import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.net.auth.Identifiable; @@ -50,19 +64,13 @@ public class ObjectQueryService { /** * Logger for this class. */ - private final Logger logger = LoggerFactory.getLogger(ObjectQueryService.class); - + private static final Logger logger = LoggerFactory.getLogger(ObjectQueryService.class); + /** - * Service for escaping parts of LDAP queries. + * Service for connecting to LDAP directory. */ @Inject - private EscapingService escapingService; - - /** - * Service for retrieving LDAP server configuration information. - */ - @Inject - private ConfigurationService confService; + private LDAPConnectionService ldapService; /** * Returns the identifier of the object represented by the given LDAP @@ -86,14 +94,18 @@ public class ObjectQueryService { * The identifier of the object represented by the given LDAP entry, or * null if no attributes declared as containing the identifier of the * object are present on the entry. + * + * @throws LdapInvalidAttributeValueException + * If an error occurs retrieving the value of the identifier attribute. */ - public String getIdentifier(LDAPEntry entry, Collection attributes) { + public String getIdentifier(Entry entry, Collection attributes) + throws LdapInvalidAttributeValueException { // Retrieve the first value of the highest priority identifier attribute for (String identifierAttribute : attributes) { - LDAPAttribute identifier = entry.getAttribute(identifierAttribute); + Attribute identifier = entry.get(identifierAttribute); if (identifier != null) - return identifier.getStringValue(); + return identifier.getString(); } // No identifier attribute is present on the entry @@ -125,42 +137,25 @@ public class ObjectQueryService { * An LDAP query which will search for arbitrary LDAP objects having at * least one of the given attributes set to the specified value. */ - public String generateQuery(String filter, + public ExprNode generateQuery(ExprNode filter, Collection attributes, String attributeValue) { // Build LDAP query for objects having at least one attribute and with // the given search filter - StringBuilder ldapQuery = new StringBuilder(); - ldapQuery.append("(&"); - ldapQuery.append(filter); + AndNode searchFilter = new AndNode(); + searchFilter.addNode(filter); // Include all attributes within OR clause if there are more than one - if (attributes.size() > 1) - ldapQuery.append("(|"); - + OrNode attributeFilter = new OrNode(); + // Add equality comparison for each possible attribute - for (String attribute : attributes) { - ldapQuery.append("("); - ldapQuery.append(escapingService.escapeLDAPSearchFilter(attribute)); + attributes.forEach(attribute -> + attributeFilter.addNode(new EqualityNode(attribute, attributeValue)) + ); - if (attributeValue != null) { - ldapQuery.append("="); - ldapQuery.append(escapingService.escapeLDAPSearchFilter(attributeValue)); - ldapQuery.append(")"); - } - else - ldapQuery.append("=*)"); - - } - - // Close OR clause, if any - if (attributes.size() > 1) - ldapQuery.append(")"); - - // Close overall query (AND clause) - ldapQuery.append(")"); - - return ldapQuery.toString(); + searchFilter.addNode(attributeFilter); + + return searchFilter; } @@ -188,38 +183,42 @@ public class ObjectQueryService { * information required to execute the query cannot be read from * guacamole.properties. */ - public List search(LDAPConnection ldapConnection, - String baseDN, String query) throws GuacamoleException { + public List search(LdapConnection ldapConnection, + Dn baseDN, ExprNode query) throws GuacamoleException { logger.debug("Searching \"{}\" for objects matching \"{}\".", baseDN, query); try { + LdapConnectionConfig ldapConnectionConfig = + ((LdapNetworkConnection) ldapConnection).getConfig(); + // Search within subtree of given base DN - LDAPSearchResults results = ldapConnection.search(baseDN, - LDAPConnection.SCOPE_SUB, query, null, false, - confService.getLDAPSearchConstraints()); + SearchRequest request = ldapService.getSearchRequest(baseDN, + query); + + SearchCursor results = ldapConnection.search(request); // Produce list of all entries in the search result, automatically // following referrals if configured to do so - List entries = new ArrayList<>(results.getCount()); - while (results.hasMore()) { + List entries = new ArrayList<>(); + while (results.next()) { - try { - entries.add(results.next()); + Response response = results.get(); + if (response instanceof SearchResultEntry) { + entries.add(((SearchResultEntry) response).getEntry()); } - - // Warn if referrals cannot be followed - catch (LDAPReferralException e) { - if (confService.getFollowReferrals()) { - logger.error("Could not follow referral: {}", e.getFailedReferral()); - logger.debug("Error encountered trying to follow referral.", e); - throw new GuacamoleServerException("Could not follow LDAP referral.", e); - } - else { - logger.warn("Given a referral, but referrals are disabled. Error was: {}", e.getMessage()); - logger.debug("Got a referral, but configured to not follow them.", e); + else if (response instanceof SearchResultReference && + request.isFollowReferrals()) { + + Referral referral = ((SearchResultReference) response).getReferral(); + int referralHop = 0; + for (String url : referral.getLdapUrls()) { + LdapConnection referralConnection = ldapService.referralConnection( + new LdapUrl(url), ldapConnectionConfig, referralHop++); + entries.addAll(search(referralConnection, baseDN, query)); } + } catch (LDAPException e) { @@ -232,7 +231,7 @@ public class ObjectQueryService { return entries; } - catch (LDAPException | GuacamoleException e) { + catch (CursorException | LdapException e) { throw new GuacamoleServerException("Unable to query list of " + "objects from LDAP directory.", e); } @@ -274,10 +273,10 @@ public class ObjectQueryService { * information required to execute the query cannot be read from * guacamole.properties. */ - public List search(LDAPConnection ldapConnection, String baseDN, - String filter, Collection attributes, String attributeValue) + public List search(LdapConnection ldapConnection, Dn baseDN, + ExprNode filter, Collection attributes, String attributeValue) throws GuacamoleException { - String query = generateQuery(filter, attributes, attributeValue); + ExprNode query = generateQuery(filter, attributes, attributeValue); return search(ldapConnection, baseDN, query); } @@ -302,15 +301,15 @@ public class ObjectQueryService { * {@link Map} under its corresponding identifier. */ public Map - asMap(List entries, Function mapper) { + asMap(List entries, Function mapper) { // Convert each entry to the corresponding Guacamole API object Map objects = new HashMap<>(entries.size()); - for (LDAPEntry entry : entries) { + for (Entry entry : entries) { ObjectType object = mapper.apply(entry); if (object == null) { - logger.debug("Ignoring object \"{}\".", entry.getDN()); + logger.debug("Ignoring object \"{}\".", entry.getDn().toString()); continue; } @@ -320,7 +319,7 @@ public class ObjectQueryService { if (objects.putIfAbsent(identifier, object) != null) logger.warn("Multiple objects ambiguously map to the " + "same identifier (\"{}\"). Ignoring \"{}\" as " - + "a duplicate.", identifier, entry.getDN()); + + "a duplicate.", identifier, entry.getDn().toString()); } diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ReferralAuthHandler.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ReferralAuthHandler.java deleted file mode 100644 index a5e359a66..000000000 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ReferralAuthHandler.java +++ /dev/null @@ -1,79 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.ldap; - -import com.novell.ldap.LDAPAuthHandler; -import com.novell.ldap.LDAPAuthProvider; -import java.io.UnsupportedEncodingException; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -/** - * Class that implements the necessary authentication handling - * for following referrals in LDAP connections. - */ -public class ReferralAuthHandler implements LDAPAuthHandler { - - /** - * Logger for this class. - */ - private final Logger logger = LoggerFactory.getLogger(ReferralAuthHandler.class); - - /** - * The LDAPAuthProvider object that will be set and returned to the referral handler. - */ - private final LDAPAuthProvider ldapAuth; - - /** - * Creates a ReferralAuthHandler object to handle authentication when - * following referrals in a LDAP connection, using the provided dn and - * password. - * - * @param dn - * The distinguished name to use for the referral login. - * - * @param password - * The password to use for the referral login. - */ - public ReferralAuthHandler(String dn, String password) { - byte[] passwordBytes; - try { - - // Convert password into corresponding byte array - if (password != null) - passwordBytes = password.getBytes("UTF-8"); - else - passwordBytes = null; - - } - catch (UnsupportedEncodingException e) { - logger.error("Unexpected lack of support for UTF-8: {}", e.getMessage()); - logger.debug("Support for UTF-8 (as required by Java spec) not found.", e); - throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e); - } - ldapAuth = new LDAPAuthProvider(dn, passwordBytes); - } - - @Override - public LDAPAuthProvider getAuthProvider(String host, int port) { - return ldapAuth; - } - -} diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java similarity index 88% rename from extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java rename to extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java index e8ea0ace5..13e125f1a 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java @@ -17,27 +17,23 @@ * under the License. */ -package org.apache.guacamole.auth.ldap; +package org.apache.guacamole.auth.ldap.conf; import com.google.inject.Inject; -import com.novell.ldap.LDAPSearchConstraints; import java.util.Collections; import java.util.List; +import org.apache.directory.api.ldap.model.filter.EqualityNode; +import org.apache.directory.api.ldap.model.filter.ExprNode; +import org.apache.directory.api.ldap.model.message.AliasDerefMode; +import org.apache.directory.api.ldap.model.name.Dn; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.environment.Environment; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; /** * Service for retrieving configuration information regarding the LDAP server. */ public class ConfigurationService { - /** - * Logger for this class. - */ - private final Logger logger = LoggerFactory.getLogger(ConfigurationService.class); - /** * The Guacamole server environment. */ @@ -113,7 +109,7 @@ public class ConfigurationService { * If guacamole.properties cannot be parsed, or if the user base DN * property is not specified. */ - public String getUserBaseDN() throws GuacamoleException { + public Dn getUserBaseDN() throws GuacamoleException { return environment.getRequiredProperty( LDAPGuacamoleProperties.LDAP_USER_BASE_DN ); @@ -132,7 +128,7 @@ public class ConfigurationService { * @throws GuacamoleException * If guacamole.properties cannot be parsed. */ - public String getConfigurationBaseDN() throws GuacamoleException { + public Dn getConfigurationBaseDN() throws GuacamoleException { return environment.getProperty( LDAPGuacamoleProperties.LDAP_CONFIG_BASE_DN ); @@ -168,7 +164,7 @@ public class ConfigurationService { * @throws GuacamoleException * If guacamole.properties cannot be parsed. */ - public String getGroupBaseDN() throws GuacamoleException { + public Dn getGroupBaseDN() throws GuacamoleException { return environment.getProperty( LDAPGuacamoleProperties.LDAP_GROUP_BASE_DN ); @@ -187,7 +183,7 @@ public class ConfigurationService { * @throws GuacamoleException * If guacamole.properties cannot be parsed. */ - public String getSearchBindDN() throws GuacamoleException { + public Dn getSearchBindDN() throws GuacamoleException { return environment.getProperty( LDAPGuacamoleProperties.LDAP_SEARCH_BIND_DN ); @@ -242,7 +238,7 @@ public class ConfigurationService { * @throws GuacamoleException * If guacamole.properties cannot be parsed. */ - private int getMaxResults() throws GuacamoleException { + public int getMaxResults() throws GuacamoleException { return environment.getProperty( LDAPGuacamoleProperties.LDAP_MAX_SEARCH_RESULTS, 1000 @@ -262,10 +258,10 @@ public class ConfigurationService { * @throws GuacamoleException * If guacamole.properties cannot be parsed. */ - private DereferenceAliasesMode getDereferenceAliases() throws GuacamoleException { + public AliasDerefMode getDereferenceAliases() throws GuacamoleException { return environment.getProperty( LDAPGuacamoleProperties.LDAP_DEREFERENCE_ALIASES, - DereferenceAliasesMode.NEVER + AliasDerefMode.NEVER_DEREF_ALIASES ); } @@ -287,27 +283,6 @@ public class ConfigurationService { ); } - /** - * Returns a set of LDAPSearchConstraints to apply globally - * to all LDAP searches. - * - * @return - * A LDAPSearchConstraints object containing constraints - * to be applied to all LDAP search operations. - * - * @throws GuacamoleException - * If guacamole.properties cannot be parsed. - */ - public LDAPSearchConstraints getLDAPSearchConstraints() throws GuacamoleException { - - LDAPSearchConstraints constraints = new LDAPSearchConstraints(); - - constraints.setMaxResults(getMaxResults()); - constraints.setDereference(getDereferenceAliases().DEREF_VALUE); - - return constraints; - } - /** * Returns the maximum number of referral hops to follow. * @@ -338,10 +313,10 @@ public class ConfigurationService { * @throws GuacamoleException * If guacamole.properties cannot be parsed. */ - public String getUserSearchFilter() throws GuacamoleException { + public ExprNode getUserSearchFilter() throws GuacamoleException { return environment.getProperty( LDAPGuacamoleProperties.LDAP_USER_SEARCH_FILTER, - "(objectClass=*)" + new EqualityNode("objectClass","*") ); } diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/DereferenceAliasesProperty.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/DereferenceAliasesProperty.java similarity index 75% rename from extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/DereferenceAliasesProperty.java rename to extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/DereferenceAliasesProperty.java index 60b89c4b6..87a8b7865 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/DereferenceAliasesProperty.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/DereferenceAliasesProperty.java @@ -17,21 +17,22 @@ * under the License. */ -package org.apache.guacamole.auth.ldap; +package org.apache.guacamole.auth.ldap.conf; +import org.apache.directory.api.ldap.model.message.AliasDerefMode; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.properties.GuacamoleProperty; /** - * A GuacamoleProperty with a value of DereferenceAliases. The possible strings + * A GuacamoleProperty with a value of AliasDerefMode. The possible strings * "never", "searching", "finding", and "always" are mapped to their values as a - * DereferenceAliases enum. Anything else results in a parse error. + * AliasDerefMode object. Anything else results in a parse error. */ -public abstract class DereferenceAliasesProperty implements GuacamoleProperty { +public abstract class DereferenceAliasesProperty implements GuacamoleProperty { @Override - public DereferenceAliasesMode parseValue(String value) throws GuacamoleException { + public AliasDerefMode parseValue(String value) throws GuacamoleException { // No value provided, so return null. if (value == null) @@ -39,19 +40,19 @@ public abstract class DereferenceAliasesProperty implements GuacamoleProperty { + + @Override + public Dn parseValue(String value) throws GuacamoleException { + + if (value == null) + return null; + + try { + return new Dn(value); + } + catch (LdapInvalidDnException e) { + throw new GuacamoleServerException("Invalid DN specified in configuration.", e); + } + + } + +} \ No newline at end of file diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java new file mode 100644 index 000000000..d7c2d45d0 --- /dev/null +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java @@ -0,0 +1,52 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.ldap.conf; + +import java.text.ParseException; +import org.apache.directory.api.ldap.model.filter.ExprNode; +import org.apache.directory.api.ldap.model.filter.FilterParser; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.GuacamoleServerException; +import org.apache.guacamole.properties.GuacamoleProperty; + +/** + * A GuacamoleProperty with a value of AliasDerefMode. The possible strings + * "never", "searching", "finding", and "always" are mapped to their values as a + * AliasDerefMode object. Anything else results in a parse error. + */ +public abstract class LdapFilterGuacamoleProperty implements GuacamoleProperty { + + @Override + public ExprNode parseValue(String value) throws GuacamoleException { + + // No value provided, so return null. + if (value == null) + return null; + + try { + return FilterParser.parse(value); + } + catch (ParseException e) { + throw new GuacamoleServerException("Error parsing filter", e); + } + + } + +} diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/StringListProperty.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/StringListProperty.java similarity index 98% rename from extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/StringListProperty.java rename to extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/StringListProperty.java index 908d922f3..f7057e9f6 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/StringListProperty.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/StringListProperty.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.ldap; +package org.apache.guacamole.auth.ldap.conf; import java.util.Arrays; import java.util.List; diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java index 2f2b67480..1fce3c6ba 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java @@ -20,17 +20,23 @@ package org.apache.guacamole.auth.ldap.connection; import com.google.inject.Inject; -import com.novell.ldap.LDAPAttribute; -import com.novell.ldap.LDAPConnection; -import com.novell.ldap.LDAPEntry; -import com.novell.ldap.LDAPException; import java.util.Collections; -import java.util.Enumeration; import java.util.List; import java.util.Map; +import org.apache.directory.api.ldap.model.entry.Attribute; +import org.apache.directory.api.ldap.model.entry.Entry; +import org.apache.directory.api.ldap.model.exception.LdapException; +import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException; +import org.apache.directory.api.ldap.model.filter.AndNode; +import org.apache.directory.api.ldap.model.filter.EqualityNode; +import org.apache.directory.api.ldap.model.filter.ExprNode; +import org.apache.directory.api.ldap.model.filter.OrNode; +import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.directory.ldap.client.api.LdapConnection; +import org.apache.directory.ldap.client.api.LdapConnectionConfig; +import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider; -import org.apache.guacamole.auth.ldap.ConfigurationService; -import org.apache.guacamole.auth.ldap.EscapingService; +import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.auth.ldap.ObjectQueryService; @@ -53,13 +59,7 @@ public class ConnectionService { /** * Logger for this class. */ - private final Logger logger = LoggerFactory.getLogger(ConnectionService.class); - - /** - * Service for escaping parts of LDAP queries. - */ - @Inject - private EscapingService escapingService; + private static final Logger logger = LoggerFactory.getLogger(ConnectionService.class); /** * Service for retrieving LDAP server configuration information. @@ -100,65 +100,88 @@ public class ConnectionService { * If an error occurs preventing retrieval of connections. */ public Map getConnections(AuthenticatedUser user, - LDAPConnection ldapConnection) throws GuacamoleException { + LdapConnection ldapConnection) throws GuacamoleException { // Do not return any connections if base DN is not specified - String configurationBaseDN = confService.getConfigurationBaseDN(); + Dn configurationBaseDN = confService.getConfigurationBaseDN(); if (configurationBaseDN == null) return Collections.emptyMap(); try { // Pull the current user DN from the LDAP connection - String userDN = ldapConnection.getAuthenticationDN(); + LdapConnectionConfig ldapConnectionConfig = + ((LdapNetworkConnection) ldapConnection).getConfig(); + Dn userDN = new Dn(ldapConnectionConfig.getName()); // getConnections() will only be called after a connection has been // authenticated (via non-anonymous bind), thus userDN cannot // possibly be null - assert(userDN != null); + assert (userDN != null); // Get the search filter for finding connections accessible by the // current user - String connectionSearchFilter = getConnectionSearchFilter(userDN, ldapConnection); + ExprNode connectionSearchFilter = getConnectionSearchFilter(userDN, ldapConnection); // Find all Guacamole connections for the given user by // looking for direct membership in the guacConfigGroup // and possibly any groups the user is a member of that are // referred to in the seeAlso attribute of the guacConfigGroup. - List results = queryService.search(ldapConnection, configurationBaseDN, connectionSearchFilter); + List results = queryService.search(ldapConnection, configurationBaseDN, connectionSearchFilter); // Return a map of all readable connections return queryService.asMap(results, (entry) -> { // Get common name (CN) - LDAPAttribute cn = entry.getAttribute("cn"); + Attribute cn = entry.get("cn"); + String cnName; + if (cn == null) { logger.warn("guacConfigGroup is missing a cn."); return null; } + + try { + cnName = cn.getString(); + } + catch (LdapInvalidAttributeValueException e) { + logger.error("Invalid value for CN attribute.", e.getMessage()); + return null; + } // Get associated protocol - LDAPAttribute protocol = entry.getAttribute("guacConfigProtocol"); + Attribute protocol = entry.get("guacConfigProtocol"); if (protocol == null) { logger.warn("guacConfigGroup \"{}\" is missing the " + "required \"guacConfigProtocol\" attribute.", - cn.getStringValue()); + cnName); return null; } // Set protocol GuacamoleConfiguration config = new GuacamoleConfiguration(); - config.setProtocol(protocol.getStringValue()); + try { + config.setProtocol(protocol.getString()); + } + catch (LdapInvalidAttributeValueException e) { + logger.error("Invalid value of the protocol entry.", e.getMessage()); + return null; + } // Get parameters, if any - LDAPAttribute parameterAttribute = entry.getAttribute("guacConfigParameter"); + Attribute parameterAttribute = entry.get("guacConfigParameter"); if (parameterAttribute != null) { // For each parameter - Enumeration parameters = parameterAttribute.getStringValues(); - while (parameters.hasMoreElements()) { - - String parameter = (String) parameters.nextElement(); + while (parameterAttribute.size() > 0) { + String parameter; + try { + parameter = parameterAttribute.getString(); + } + catch (LdapInvalidAttributeValueException e) { + return null; + } + parameterAttribute.remove(parameter); // Parse parameter int equals = parameter.indexOf('='); @@ -177,8 +200,7 @@ public class ConnectionService { } // Store connection using cn for both identifier and name - String name = cn.getStringValue(); - Connection connection = new SimpleConnection(name, name, config, true); + Connection connection = new SimpleConnection(cnName, cnName, config, true); connection.setParentIdentifier(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP); // Inject LDAP-specific tokens only if LDAP handled user @@ -192,7 +214,7 @@ public class ConnectionService { }); } - catch (LDAPException e) { + catch (LdapException e) { throw new GuacamoleServerException("Error while querying for connections.", e); } @@ -219,34 +241,33 @@ public class ConnectionService { * @throws GuacamoleException * If an error occurs retrieving the group base DN. */ - private String getConnectionSearchFilter(String userDN, - LDAPConnection ldapConnection) - throws LDAPException, GuacamoleException { + private ExprNode getConnectionSearchFilter(Dn userDN, + LdapConnection ldapConnection) + throws LdapException, GuacamoleException { - // Create a search filter for the connection search - StringBuilder connectionSearchFilter = new StringBuilder(); + AndNode searchFilter = new AndNode(); // Add the prefix to the search filter, prefix filter searches for guacConfigGroups with the userDN as the member attribute value - connectionSearchFilter.append("(&(objectClass=guacConfigGroup)"); - connectionSearchFilter.append("(|("); - connectionSearchFilter.append(escapingService.escapeLDAPSearchFilter( - confService.getMemberAttribute())); - connectionSearchFilter.append("="); - connectionSearchFilter.append(escapingService.escapeLDAPSearchFilter(userDN)); - connectionSearchFilter.append(")"); + searchFilter.addNode(new EqualityNode("objectClass","guacConfigGroup")); + + // Apply group filters + OrNode groupFilter = new OrNode(); + groupFilter.addNode(new EqualityNode(confService.getMemberAttribute(), + userDN.toString())); // Additionally filter by group membership if the current user is a // member of any user groups - List userGroups = userGroupService.getParentUserGroupEntries(ldapConnection, userDN); + List userGroups = userGroupService.getParentUserGroupEntries(ldapConnection, userDN); if (!userGroups.isEmpty()) { - for (LDAPEntry entry : userGroups) - connectionSearchFilter.append("(seeAlso=").append(escapingService.escapeLDAPSearchFilter(entry.getDN())).append(")"); + userGroups.forEach(entry -> + groupFilter.addNode(new EqualityNode("seeAlso",entry.getDn().toString())) + ); } // Complete the search filter. - connectionSearchFilter.append("))"); + searchFilter.addNode(groupFilter); - return connectionSearchFilter.toString(); + return searchFilter; } } diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java index 3315beb78..7d73003f7 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java @@ -20,15 +20,20 @@ package org.apache.guacamole.auth.ldap.group; import com.google.inject.Inject; -import com.novell.ldap.LDAPConnection; -import com.novell.ldap.LDAPEntry; import java.util.Collection; import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; -import org.apache.guacamole.auth.ldap.ConfigurationService; +import org.apache.directory.ldap.client.api.LdapConnection; +import org.apache.directory.api.ldap.model.entry.Entry; +import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException; +import org.apache.directory.api.ldap.model.filter.EqualityNode; +import org.apache.directory.api.ldap.model.filter.ExprNode; +import org.apache.directory.api.ldap.model.filter.NotNode; +import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.ldap.ObjectQueryService; import org.apache.guacamole.net.auth.UserGroup; @@ -72,17 +77,17 @@ public class UserGroupService { * @throws GuacamoleException * If guacamole.properties cannot be parsed. */ - private String getGroupSearchFilter() throws GuacamoleException { + private ExprNode getGroupSearchFilter() throws GuacamoleException { // Explicitly exclude guacConfigGroup object class only if it should // be assumed to be defined (query may fail due to no such object // class existing otherwise) if (confService.getConfigurationBaseDN() != null) - return "(!(objectClass=guacConfigGroup))"; + return new NotNode(new EqualityNode("objectClass","guacConfigGroup")); // Read any object as a group if LDAP is not being used for connection // storage (guacConfigGroup) - return "(objectClass=*)"; + return new EqualityNode("objectCalss","*"); } @@ -102,17 +107,17 @@ public class UserGroupService { * @throws GuacamoleException * If an error occurs preventing retrieval of user groups. */ - public Map getUserGroups(LDAPConnection ldapConnection) + public Map getUserGroups(LdapConnection ldapConnection) throws GuacamoleException { // Do not return any user groups if base DN is not specified - String groupBaseDN = confService.getGroupBaseDN(); + Dn groupBaseDN = confService.getGroupBaseDN(); if (groupBaseDN == null) return Collections.emptyMap(); // Retrieve all visible user groups which are not guacConfigGroups Collection attributes = confService.getGroupNameAttributes(); - List results = queryService.search( + List results = queryService.search( ldapConnection, groupBaseDN, getGroupSearchFilter(), @@ -125,13 +130,18 @@ public class UserGroupService { return queryService.asMap(results, entry -> { // Translate entry into UserGroup object having proper identifier - String name = queryService.getIdentifier(entry, attributes); - if (name != null) - return new SimpleUserGroup(name); + try { + String name = queryService.getIdentifier(entry, attributes); + if (name != null) + return new SimpleUserGroup(name); + } + catch (LdapInvalidAttributeValueException e) { + return null; + } // Ignore user groups which lack a name attribute logger.debug("User group \"{}\" is missing a name attribute " - + "and will be ignored.", entry.getDN()); + + "and will be ignored.", entry.getDn().toString()); return null; }); @@ -157,11 +167,11 @@ public class UserGroupService { * @throws GuacamoleException * If an error occurs preventing retrieval of user groups. */ - public List getParentUserGroupEntries(LDAPConnection ldapConnection, - String userDN) throws GuacamoleException { + public List getParentUserGroupEntries(LdapConnection ldapConnection, + Dn userDN) throws GuacamoleException { // Do not return any user groups if base DN is not specified - String groupBaseDN = confService.getGroupBaseDN(); + Dn groupBaseDN = confService.getGroupBaseDN(); if (groupBaseDN == null) return Collections.emptyList(); @@ -172,7 +182,7 @@ public class UserGroupService { groupBaseDN, getGroupSearchFilter(), Collections.singleton(confService.getMemberAttribute()), - userDN + userDN.toString() ); } @@ -196,24 +206,29 @@ public class UserGroupService { * @throws GuacamoleException * If an error occurs preventing retrieval of user groups. */ - public Set getParentUserGroupIdentifiers(LDAPConnection ldapConnection, - String userDN) throws GuacamoleException { + public Set getParentUserGroupIdentifiers(LdapConnection ldapConnection, + Dn userDN) throws GuacamoleException { Collection attributes = confService.getGroupNameAttributes(); - List userGroups = getParentUserGroupEntries(ldapConnection, userDN); + List userGroups = getParentUserGroupEntries(ldapConnection, userDN); Set identifiers = new HashSet<>(userGroups.size()); userGroups.forEach(entry -> { // Determine unique identifier for user group - String name = queryService.getIdentifier(entry, attributes); - if (name != null) - identifiers.add(name); + try { + String name = queryService.getIdentifier(entry, attributes); + if (name != null) + identifiers.add(name); - // Ignore user groups which lack a name attribute - else - logger.debug("User group \"{}\" is missing a name attribute " - + "and will be ignored.", entry.getDN()); + // Ignore user groups which lack a name attribute + else + logger.debug("User group \"{}\" is missing a name attribute " + + "and will be ignored.", entry.getDn().toString()); + } + catch (LdapInvalidAttributeValueException e) { + logger.debug("User group missing identifier.", e.getMessage()); + } }); diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java index 5505f7ec1..5d7e3e73e 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java @@ -20,8 +20,8 @@ package org.apache.guacamole.auth.ldap.user; import com.google.inject.Inject; -import com.novell.ldap.LDAPConnection; import java.util.Collections; +import org.apache.directory.ldap.client.api.LdapConnection; import org.apache.guacamole.auth.ldap.connection.ConnectionService; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider; @@ -39,8 +39,6 @@ import org.apache.guacamole.net.auth.simple.SimpleConnectionGroup; import org.apache.guacamole.net.auth.simple.SimpleDirectory; import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet; import org.apache.guacamole.net.auth.simple.SimpleUser; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; /** * An LDAP-specific implementation of UserContext which queries all Guacamole @@ -48,11 +46,6 @@ import org.slf4j.LoggerFactory; */ public class LDAPUserContext extends AbstractUserContext { - /** - * Logger for this class. - */ - private final Logger logger = LoggerFactory.getLogger(LDAPUserContext.class); - /** * Service for retrieving Guacamole connections from the LDAP server. */ @@ -124,7 +117,7 @@ public class LDAPUserContext extends AbstractUserContext { * If associated data stored within the LDAP directory cannot be * queried due to an error. */ - public void init(AuthenticatedUser user, LDAPConnection ldapConnection) + public void init(AuthenticatedUser user, LdapConnection ldapConnection) throws GuacamoleException { // Query all accessible users diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java index 3f12ae829..a5fcb4142 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java @@ -20,16 +20,19 @@ package org.apache.guacamole.auth.ldap.user; import com.google.inject.Inject; -import com.novell.ldap.LDAPConnection; -import com.novell.ldap.LDAPEntry; import java.util.ArrayList; import java.util.Collection; import java.util.List; import java.util.Map; -import org.apache.guacamole.auth.ldap.ConfigurationService; -import org.apache.guacamole.auth.ldap.EscapingService; +import org.apache.directory.ldap.client.api.LdapConnection; +import org.apache.directory.api.ldap.model.entry.Entry; +import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException; +import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException; +import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.ldap.LDAPGuacamoleProperties; +import org.apache.guacamole.GuacamoleServerException; +import org.apache.guacamole.auth.ldap.conf.LDAPGuacamoleProperties; import org.apache.guacamole.auth.ldap.ObjectQueryService; import org.apache.guacamole.net.auth.User; import org.apache.guacamole.net.auth.simple.SimpleUser; @@ -45,13 +48,7 @@ public class UserService { /** * Logger for this class. */ - private final Logger logger = LoggerFactory.getLogger(UserService.class); - - /** - * Service for escaping parts of LDAP queries. - */ - @Inject - private EscapingService escapingService; + private static final Logger logger = LoggerFactory.getLogger(UserService.class); /** * Service for retrieving LDAP server configuration information. @@ -81,12 +78,12 @@ public class UserService { * @throws GuacamoleException * If an error occurs preventing retrieval of users. */ - public Map getUsers(LDAPConnection ldapConnection) + public Map getUsers(LdapConnection ldapConnection) throws GuacamoleException { // Retrieve all visible user objects Collection attributes = confService.getUsernameAttributes(); - List results = queryService.search(ldapConnection, + List results = queryService.search(ldapConnection, confService.getUserBaseDN(), confService.getUserSearchFilter(), attributes, @@ -96,15 +93,20 @@ public class UserService { return queryService.asMap(results, entry -> { // Get username from record - String username = queryService.getIdentifier(entry, attributes); - if (username == null) { - logger.warn("User \"{}\" is missing a username attribute " - + "and will be ignored.", entry.getDN()); + try { + String username = queryService.getIdentifier(entry, attributes); + if (username == null) { + logger.warn("User \"{}\" is missing a username attribute " + + "and will be ignored.", entry.getDn().toString()); + return null; + } + + return new SimpleUser(username); + } + catch (LdapInvalidAttributeValueException e) { return null; } - return new SimpleUser(username); - }); } @@ -130,19 +132,19 @@ public class UserService { * If an error occurs while querying the user DNs, or if the username * attribute property cannot be parsed within guacamole.properties. */ - public List getUserDNs(LDAPConnection ldapConnection, + public List getUserDNs(LdapConnection ldapConnection, String username) throws GuacamoleException { // Retrieve user objects having a matching username - List results = queryService.search(ldapConnection, + List results = queryService.search(ldapConnection, confService.getUserBaseDN(), confService.getUserSearchFilter(), confService.getUsernameAttributes(), username); // Build list of all DNs for retrieved users - List userDNs = new ArrayList<>(results.size()); - results.forEach(entry -> userDNs.add(entry.getDN())); + List userDNs = new ArrayList<>(results.size()); + results.forEach(entry -> userDNs.add(entry.getDn())); return userDNs; @@ -164,7 +166,7 @@ public class UserService { * If required properties are missing, and thus the user DN cannot be * determined. */ - public String deriveUserDN(String username) + public Dn deriveUserDN(String username) throws GuacamoleException { // Pull username attributes from properties @@ -181,10 +183,13 @@ public class UserService { } // Derive user DN from base DN - return - escapingService.escapeDN(usernameAttributes.get(0)) - + "=" + escapingService.escapeDN(username) - + "," + confService.getUserBaseDN(); + try { + return new Dn(usernameAttributes.get(0) + "=" + username + + "," + confService.getUserBaseDN().toString()); + } + catch (LdapInvalidDnException e) { + throw new GuacamoleServerException("Error trying to derive user DN.", e); + } } From 5777d93fdc73971ebe939b5058b1683e8b51b84b Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Sun, 9 Dec 2018 09:48:01 -0500 Subject: [PATCH 02/18] GUACAMOLE-234: Clean up some LDAP implementation details. --- .../guacamole/auth/ldap/connection/ConnectionService.java | 6 ++++-- .../guacamole/auth/ldap/group/UserGroupService.java | 2 +- .../org/apache/guacamole/auth/ldap/user/UserService.java | 8 +++++--- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java index 1fce3c6ba..ec48faea2 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java @@ -134,13 +134,14 @@ public class ConnectionService { // Get common name (CN) Attribute cn = entry.get("cn"); - String cnName; if (cn == null) { logger.warn("guacConfigGroup is missing a cn."); return null; } + String cnName; + try { cnName = cn.getString(); } @@ -179,6 +180,7 @@ public class ConnectionService { parameter = parameterAttribute.getString(); } catch (LdapInvalidAttributeValueException e) { + logger.warn("Parameter value not valid for {}", cnName, e); return null; } parameterAttribute.remove(parameter); @@ -235,7 +237,7 @@ public class ConnectionService { * An LDAP search filter which queries all guacConfigGroup objects * accessible by the user having the given DN. * - * @throws LDAPException + * @throws LdapException * If an error occurs preventing retrieval of user groups. * * @throws GuacamoleException diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java index 7d73003f7..b31eaab81 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java @@ -50,7 +50,7 @@ public class UserGroupService { /** * Logger for this class. */ - private final Logger logger = LoggerFactory.getLogger(UserGroupService.class); + private static final Logger logger = LoggerFactory.getLogger(UserGroupService.class); /** * Service for retrieving LDAP server configuration information. diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java index a5fcb4142..937723116 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java @@ -29,6 +29,7 @@ import org.apache.directory.api.ldap.model.entry.Entry; import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException; import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException; import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.directory.api.ldap.model.name.Rdn; import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleServerException; @@ -104,6 +105,7 @@ public class UserService { return new SimpleUser(username); } catch (LdapInvalidAttributeValueException e) { + return null; } @@ -184,10 +186,10 @@ public class UserService { // Derive user DN from base DN try { - return new Dn(usernameAttributes.get(0) + "=" + username - + "," + confService.getUserBaseDN().toString()); + return new Dn(new Rdn(usernameAttributes.get(0), username), + confService.getUserBaseDN()); } - catch (LdapInvalidDnException e) { + catch (LdapInvalidAttributeValueException | LdapInvalidDnException e) { throw new GuacamoleServerException("Error trying to derive user DN.", e); } From 41e3b8ca566b9bb649f072ff3c00641e64a89aaa Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Sun, 9 Dec 2018 10:42:12 -0500 Subject: [PATCH 03/18] GUACAMOLE-234: Clean up comments. --- .../auth/ldap/LDAPConnectionService.java | 16 +++++++++------- .../auth/ldap/conf/ConfigurationService.java | 6 ++++-- .../ldap/conf/DereferenceAliasesProperty.java | 4 ++-- .../auth/ldap/conf/LdapDnGuacamoleProperty.java | 3 ++- .../ldap/conf/LdapFilterGuacamoleProperty.java | 7 ++++--- .../auth/ldap/user/LDAPUserContext.java | 2 +- 6 files changed, 22 insertions(+), 16 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java index a2469c483..7bf09c630 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java @@ -58,12 +58,14 @@ public class LDAPConnectionService { private ConfigurationService confService; /** - * Creates a new instance of LDAPConnection, configured as required to use - * whichever encryption method is requested within guacamole.properties. + * Creates a new instance of LdapNetworkConnection, configured as required + * to use whichever encryption method is requested within + * guacamole.properties. * * @return - * A new LDAPConnection instance which has already been configured to - * use the encryption method requested within guacamole.properties. + * A new LdapNetworkConnection instance which has already been + * configured to use the encryption method requested within + * guacamole.properties. * * @throws GuacamoleException * If an error occurs while parsing guacamole.properties, or if the @@ -91,7 +93,7 @@ public class LDAPConnectionService { // LDAP + STARTTLS case STARTTLS: logger.debug("Connecting to LDAP server using STARTTLS."); - return new LdapNetworkConnection(host, port, false); + return new LdapNetworkConnection(host, port); // The encryption method, though known, is not actually // implemented. If encountered, this would be a bug. @@ -122,7 +124,7 @@ public class LDAPConnectionService { public LdapConnection bindAs(Dn userDN, String password) throws GuacamoleException { - // Obtain appropriately-configured LdapConnection instance + // Obtain appropriately-configured LdapNetworkConnection instance LdapNetworkConnection ldapConnection = createLDAPConnection(); try { @@ -171,7 +173,7 @@ public class LDAPConnectionService { * The LDAP URL to follow. * * @param ldapConfig - * The connection config to use to retrieve username and + * The connection configuration to use to retrieve username and * password. * * @param hop diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java index 13e125f1a..126b343d9 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java @@ -284,7 +284,8 @@ public class ConfigurationService { } /** - * Returns the maximum number of referral hops to follow. + * Returns the maximum number of referral hops to follow. By default + * a maximum of 5 hops is allowed. * * @return * The maximum number of referral hops to follow @@ -338,7 +339,8 @@ public class ConfigurationService { } /** - * Returns names for custom LDAP user attributes. + * Returns names for custom LDAP user attributes. By default no + * attributes will be returned. * * @return * Custom LDAP user attributes as configured in guacamole.properties. diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/DereferenceAliasesProperty.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/DereferenceAliasesProperty.java index 87a8b7865..b33aa191a 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/DereferenceAliasesProperty.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/DereferenceAliasesProperty.java @@ -26,8 +26,8 @@ import org.apache.guacamole.properties.GuacamoleProperty; /** * A GuacamoleProperty with a value of AliasDerefMode. The possible strings - * "never", "searching", "finding", and "always" are mapped to their values as a - * AliasDerefMode object. Anything else results in a parse error. + * "never", "searching", "finding", and "always" are mapped to their values as + * an AliasDerefMode object. Anything else results in a parse error. */ public abstract class DereferenceAliasesProperty implements GuacamoleProperty { diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java index 23b09b92b..f9be1ae4f 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java @@ -27,7 +27,8 @@ import org.apache.guacamole.properties.GuacamoleProperty; /** * A GuacamoleProperty that converts a string to a Dn that can be used - * in LDAP connections. + * in LDAP connections. An exception is thrown if the provided DN is invalid + * and cannot be parsed. */ public abstract class LdapDnGuacamoleProperty implements GuacamoleProperty { diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java index d7c2d45d0..3c99b11a4 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java @@ -27,9 +27,10 @@ import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.properties.GuacamoleProperty; /** - * A GuacamoleProperty with a value of AliasDerefMode. The possible strings - * "never", "searching", "finding", and "always" are mapped to their values as a - * AliasDerefMode object. Anything else results in a parse error. + * A GuacamoleProperty with a value of an ExprNode query filter. The string + * provided is passed through the FilterParser returning the ExprNode object, + * or an exception is thrown if the filter is invalid and cannot be correctly + * parsed. */ public abstract class LdapFilterGuacamoleProperty implements GuacamoleProperty { diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java index 5d7e3e73e..b87bca0c4 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java @@ -102,7 +102,7 @@ public class LDAPUserContext extends AbstractUserContext { /** * Initializes this UserContext using the provided AuthenticatedUser and - * LDAPConnection. + * LdapConnection. * * @param user * The AuthenticatedUser representing the user that authenticated. This From 288fcb5e13d51c1156ae886847cf986f5f9656a5 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Sun, 9 Dec 2018 10:55:39 -0500 Subject: [PATCH 04/18] GUACAMOLE-234: Exclude slf4j from Apache Directory dependency. --- extensions/guacamole-auth-ldap/pom.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/extensions/guacamole-auth-ldap/pom.xml b/extensions/guacamole-auth-ldap/pom.xml index 2dfa5c75a..624b0f02b 100644 --- a/extensions/guacamole-auth-ldap/pom.xml +++ b/extensions/guacamole-auth-ldap/pom.xml @@ -146,6 +146,12 @@ org.apache.directory.api api-all 2.0.0.AM2 + + + org.slf4j + slf4j-api + + From 4aa4489b785c1f9b6223d5c40cb2231c647032a8 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Fri, 14 Dec 2018 13:13:47 -0500 Subject: [PATCH 05/18] GUACAMOLE-234: Correct LDAP filter mispelling. --- .../org/apache/guacamole/auth/ldap/group/UserGroupService.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java index b31eaab81..986181b61 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java @@ -87,7 +87,7 @@ public class UserGroupService { // Read any object as a group if LDAP is not being used for connection // storage (guacConfigGroup) - return new EqualityNode("objectCalss","*"); + return new EqualityNode("objectClass","*"); } From d0b1d7639e889a664d34f50dabec5b9c82a22b7c Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Fri, 14 Dec 2018 19:42:08 -0500 Subject: [PATCH 06/18] GUACAMOLE-234: Clean up comments, instanceof, and type-casting. --- .../ldap/AuthenticationProviderService.java | 32 ++++--------------- .../auth/ldap/LDAPConnectionService.java | 22 +++++++------ .../auth/ldap/ObjectQueryService.java | 23 +++++-------- .../ldap/conf/LdapDnGuacamoleProperty.java | 2 +- .../conf/LdapFilterGuacamoleProperty.java | 2 +- .../ldap/connection/ConnectionService.java | 8 ++--- .../auth/ldap/group/UserGroupService.java | 8 ++--- .../auth/ldap/user/LDAPAuthenticatedUser.java | 6 ++-- .../auth/ldap/user/LDAPUserContext.java | 6 ++-- .../guacamole/auth/ldap/user/UserService.java | 6 ++-- 10 files changed, 47 insertions(+), 68 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java index fd184898f..ef01acd8c 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java @@ -32,7 +32,6 @@ import org.apache.directory.api.ldap.model.entry.Entry; import org.apache.directory.api.ldap.model.exception.LdapException; import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException; import org.apache.directory.api.ldap.model.name.Dn; -import org.apache.directory.ldap.client.api.LdapConnection; import org.apache.directory.ldap.client.api.LdapConnectionConfig; import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.GuacamoleException; @@ -44,8 +43,6 @@ import org.apache.guacamole.auth.ldap.user.LDAPUserContext; import org.apache.guacamole.auth.ldap.user.UserService; import org.apache.guacamole.net.auth.AuthenticatedUser; import org.apache.guacamole.net.auth.Credentials; -import org.apache.guacamole.net.auth.credentials.CredentialsInfo; -import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException; import org.apache.guacamole.token.TokenName; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -126,7 +123,7 @@ public class AuthenticationProviderService { if (searchBindDN != null) { // Create an LDAP connection using the search account - LdapConnection searchConnection = ldapService.bindAs( + LdapNetworkConnection searchConnection = ldapService.bindAs( searchBindDN, confService.getSearchBindPassword() ); @@ -183,7 +180,7 @@ public class AuthenticationProviderService { * @throws GuacamoleException * If an error occurs while binding to the LDAP server. */ - private LdapConnection bindAs(Credentials credentials) + private LdapNetworkConnection bindAs(Credentials credentials) throws GuacamoleException { // Get username and password from credentials @@ -234,24 +231,11 @@ public class AuthenticationProviderService { throws GuacamoleException { // Attempt bind - LdapConnection ldapConnection; - try { - ldapConnection = bindAs(credentials); - } - catch (GuacamoleException e) { - logger.error("Cannot bind with LDAP server: {}", e.getMessage()); - logger.debug("Error binding with LDAP server.", e); - ldapConnection = null; - } - - // If bind fails, permission to login is denied - if (ldapConnection == null) - throw new GuacamoleInvalidCredentialsException("Permission denied.", CredentialsInfo.USERNAME_PASSWORD); - + LdapNetworkConnection ldapConnection = bindAs(credentials); + LdapConnectionConfig ldapConnectionConfig = ldapConnection.getConfig(); + try { - LdapConnectionConfig ldapConnectionConfig = - ((LdapNetworkConnection) ldapConnection).getConfig(); Dn authDn = new Dn(ldapConnectionConfig.getName()); // Retrieve group membership of the user that just authenticated @@ -297,7 +281,7 @@ public class AuthenticationProviderService { * @throws GuacamoleException * If an error occurs retrieving the user DN or the attributes. */ - private Map getAttributeTokens(LdapConnection ldapConnection, + private Map getAttributeTokens(LdapNetworkConnection ldapConnection, String username) throws GuacamoleException { // Get attributes from configuration information @@ -357,9 +341,7 @@ public class AuthenticationProviderService { // Bind using credentials associated with AuthenticatedUser Credentials credentials = authenticatedUser.getCredentials(); - LdapConnection ldapConnection = bindAs(credentials); - if (ldapConnection == null) - return null; + LdapNetworkConnection ldapConnection = bindAs(credentials); try { diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java index 7bf09c630..744936d31 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java @@ -38,6 +38,8 @@ import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.GuacamoleUnsupportedException; import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.auth.ldap.conf.EncryptionMethod; +import org.apache.guacamole.net.auth.credentials.CredentialsInfo; +import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -121,7 +123,7 @@ public class LDAPConnectionService { * @throws GuacamoleException * If an error occurs while binding to the LDAP server. */ - public LdapConnection bindAs(Dn userDN, String password) + public LdapNetworkConnection bindAs(Dn userDN, String password) throws GuacamoleException { // Obtain appropriately-configured LdapNetworkConnection instance @@ -138,9 +140,7 @@ public class LDAPConnectionService { } catch (LdapException e) { - logger.error("Unable to connect to LDAP server: {}", e.getMessage()); - logger.debug("Failed to connect to LDAP server.", e); - return null; + throw new GuacamoleServerException("Error connecting to LDAP server.", e); } // Bind using provided credentials @@ -156,8 +156,12 @@ public class LDAPConnectionService { // Disconnect if an error occurs during bind catch (LdapException e) { logger.debug("Unable to bind to LDAP server.", e); + throw new GuacamoleInvalidCredentialsException( + "Unable to bind to the LDAP server.", + CredentialsInfo.USERNAME_PASSWORD); + } + finally { disconnect(ldapConnection); - return null; } return ldapConnection; @@ -165,7 +169,7 @@ public class LDAPConnectionService { } /** - * Generate a new LdapConnection object for following a referral + * Generate a new LdapNetworkConnection object for following a referral * with the given LdapUrl, and copy the username and password * from the original connection. * @@ -181,15 +185,15 @@ public class LDAPConnectionService { * limit is reached, this method will throw an exception. * * @return - * A LdapConnection object that points at the location + * A LdapNetworkConnection object that points at the location * specified in the referralUrl. * * @throws GuacamoleException * If an error occurs parsing out the LdapUrl object or the * maximum number of referral hops is reached. */ - public LdapConnection referralConnection(LdapUrl referralUrl, - LdapConnectionConfig ldapConfig, Integer hop) + public LdapNetworkConnection referralConnection(LdapUrl referralUrl, + LdapConnectionConfig ldapConfig, int hop) throws GuacamoleException { if (hop >= confService.getMaxReferralHops()) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java index b67bb0a9c..6df617ae7 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java @@ -37,13 +37,9 @@ import org.apache.directory.api.ldap.model.filter.EqualityNode; import org.apache.directory.api.ldap.model.filter.ExprNode; import org.apache.directory.api.ldap.model.filter.OrNode; import org.apache.directory.api.ldap.model.message.Referral; -import org.apache.directory.api.ldap.model.message.Response; import org.apache.directory.api.ldap.model.message.SearchRequest; -import org.apache.directory.api.ldap.model.message.SearchResultEntry; -import org.apache.directory.api.ldap.model.message.SearchResultReference; import org.apache.directory.api.ldap.model.name.Dn; import org.apache.directory.api.ldap.model.url.LdapUrl; -import org.apache.directory.ldap.client.api.LdapConnection; import org.apache.directory.ldap.client.api.LdapConnectionConfig; import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.GuacamoleException; @@ -183,15 +179,14 @@ public class ObjectQueryService { * information required to execute the query cannot be read from * guacamole.properties. */ - public List search(LdapConnection ldapConnection, + public List search(LdapNetworkConnection ldapConnection, Dn baseDN, ExprNode query) throws GuacamoleException { logger.debug("Searching \"{}\" for objects matching \"{}\".", baseDN, query); try { - LdapConnectionConfig ldapConnectionConfig = - ((LdapNetworkConnection) ldapConnection).getConfig(); + LdapConnectionConfig ldapConnectionConfig = ldapConnection.getConfig(); // Search within subtree of given base DN SearchRequest request = ldapService.getSearchRequest(baseDN, @@ -204,17 +199,15 @@ public class ObjectQueryService { List entries = new ArrayList<>(); while (results.next()) { - Response response = results.get(); - if (response instanceof SearchResultEntry) { - entries.add(((SearchResultEntry) response).getEntry()); + if (results.isEntry()) { + entries.add(results.getEntry()); } - else if (response instanceof SearchResultReference && - request.isFollowReferrals()) { + else if (results.isReferral() && request.isFollowReferrals()) { - Referral referral = ((SearchResultReference) response).getReferral(); + Referral referral = results.getReferral(); int referralHop = 0; for (String url : referral.getLdapUrls()) { - LdapConnection referralConnection = ldapService.referralConnection( + LdapNetworkConnection referralConnection = ldapService.referralConnection( new LdapUrl(url), ldapConnectionConfig, referralHop++); entries.addAll(search(referralConnection, baseDN, query)); } @@ -273,7 +266,7 @@ public class ObjectQueryService { * information required to execute the query cannot be read from * guacamole.properties. */ - public List search(LdapConnection ldapConnection, Dn baseDN, + public List search(LdapNetworkConnection ldapConnection, Dn baseDN, ExprNode filter, Collection attributes, String attributeValue) throws GuacamoleException { ExprNode query = generateQuery(filter, attributes, attributeValue); diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java index f9be1ae4f..c782c97b8 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java @@ -42,7 +42,7 @@ public abstract class LdapDnGuacamoleProperty implements GuacamoleProperty { return new Dn(value); } catch (LdapInvalidDnException e) { - throw new GuacamoleServerException("Invalid DN specified in configuration.", e); + throw new GuacamoleServerException("The DN \"" + value + "\" is invalid.", e); } } diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java index 3c99b11a4..01b41c964 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java @@ -45,7 +45,7 @@ public abstract class LdapFilterGuacamoleProperty implements GuacamoleProperty getConnections(AuthenticatedUser user, - LdapConnection ldapConnection) throws GuacamoleException { + LdapNetworkConnection ldapConnection) throws GuacamoleException { // Do not return any connections if base DN is not specified Dn configurationBaseDN = confService.getConfigurationBaseDN(); @@ -110,8 +109,7 @@ public class ConnectionService { try { // Pull the current user DN from the LDAP connection - LdapConnectionConfig ldapConnectionConfig = - ((LdapNetworkConnection) ldapConnection).getConfig(); + LdapConnectionConfig ldapConnectionConfig = ldapConnection.getConfig(); Dn userDN = new Dn(ldapConnectionConfig.getName()); // getConnections() will only be called after a connection has been @@ -244,7 +242,7 @@ public class ConnectionService { * If an error occurs retrieving the group base DN. */ private ExprNode getConnectionSearchFilter(Dn userDN, - LdapConnection ldapConnection) + LdapNetworkConnection ldapConnection) throws LdapException, GuacamoleException { AndNode searchFilter = new AndNode(); diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java index 986181b61..cf29a2bb9 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java @@ -26,13 +26,13 @@ import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; -import org.apache.directory.ldap.client.api.LdapConnection; import org.apache.directory.api.ldap.model.entry.Entry; import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException; import org.apache.directory.api.ldap.model.filter.EqualityNode; import org.apache.directory.api.ldap.model.filter.ExprNode; import org.apache.directory.api.ldap.model.filter.NotNode; import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.ldap.ObjectQueryService; @@ -107,7 +107,7 @@ public class UserGroupService { * @throws GuacamoleException * If an error occurs preventing retrieval of user groups. */ - public Map getUserGroups(LdapConnection ldapConnection) + public Map getUserGroups(LdapNetworkConnection ldapConnection) throws GuacamoleException { // Do not return any user groups if base DN is not specified @@ -167,7 +167,7 @@ public class UserGroupService { * @throws GuacamoleException * If an error occurs preventing retrieval of user groups. */ - public List getParentUserGroupEntries(LdapConnection ldapConnection, + public List getParentUserGroupEntries(LdapNetworkConnection ldapConnection, Dn userDN) throws GuacamoleException { // Do not return any user groups if base DN is not specified @@ -206,7 +206,7 @@ public class UserGroupService { * @throws GuacamoleException * If an error occurs preventing retrieval of user groups. */ - public Set getParentUserGroupIdentifiers(LdapConnection ldapConnection, + public Set getParentUserGroupIdentifiers(LdapNetworkConnection ldapConnection, Dn userDN) throws GuacamoleException { Collection attributes = confService.getGroupNameAttributes(); diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java index cafc461d6..db36fc0b4 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java @@ -23,6 +23,7 @@ import com.google.inject.Inject; import java.util.Collections; import java.util.Map; import java.util.Set; +import org.apache.directory.api.ldap.model.name.Dn; import org.apache.guacamole.net.auth.AbstractAuthenticatedUser; import org.apache.guacamole.net.auth.AuthenticationProvider; import org.apache.guacamole.net.auth.Credentials; @@ -72,13 +73,14 @@ public class LDAPAuthenticatedUser extends AbstractAuthenticatedUser { * The unique identifiers of all user groups which affect the * permissions available to this user. */ - public void init(Credentials credentials, Map tokens, Set effectiveGroups) { + public void init(Credentials credentials, Map tokens, + Set effectiveGroups) { this.credentials = credentials; this.tokens = Collections.unmodifiableMap(tokens); this.effectiveGroups = effectiveGroups; setIdentifier(credentials.getUsername()); } - + /** * Returns a Map of all name/value pairs that should be applied as * parameter tokens when connections are established using this diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java index b87bca0c4..b5c789e1e 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java @@ -21,7 +21,7 @@ package org.apache.guacamole.auth.ldap.user; import com.google.inject.Inject; import java.util.Collections; -import org.apache.directory.ldap.client.api.LdapConnection; +import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.auth.ldap.connection.ConnectionService; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider; @@ -102,7 +102,7 @@ public class LDAPUserContext extends AbstractUserContext { /** * Initializes this UserContext using the provided AuthenticatedUser and - * LdapConnection. + * LdapNetworkConnection. * * @param user * The AuthenticatedUser representing the user that authenticated. This @@ -117,7 +117,7 @@ public class LDAPUserContext extends AbstractUserContext { * If associated data stored within the LDAP directory cannot be * queried due to an error. */ - public void init(AuthenticatedUser user, LdapConnection ldapConnection) + public void init(AuthenticatedUser user, LdapNetworkConnection ldapConnection) throws GuacamoleException { // Query all accessible users diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java index 937723116..ba2998387 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java @@ -24,12 +24,12 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; import java.util.Map; -import org.apache.directory.ldap.client.api.LdapConnection; import org.apache.directory.api.ldap.model.entry.Entry; import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException; import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException; import org.apache.directory.api.ldap.model.name.Dn; import org.apache.directory.api.ldap.model.name.Rdn; +import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.auth.ldap.conf.ConfigurationService; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleServerException; @@ -79,7 +79,7 @@ public class UserService { * @throws GuacamoleException * If an error occurs preventing retrieval of users. */ - public Map getUsers(LdapConnection ldapConnection) + public Map getUsers(LdapNetworkConnection ldapConnection) throws GuacamoleException { // Retrieve all visible user objects @@ -134,7 +134,7 @@ public class UserService { * If an error occurs while querying the user DNs, or if the username * attribute property cannot be parsed within guacamole.properties. */ - public List getUserDNs(LdapConnection ldapConnection, + public List getUserDNs(LdapNetworkConnection ldapConnection, String username) throws GuacamoleException { // Retrieve user objects having a matching username From 7a17b7f935941154ebf18b3f42ceb04cdea1cd22 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Fri, 14 Dec 2018 20:41:29 -0500 Subject: [PATCH 07/18] GUACAMOLE-234: Add storage for the LDAP Bind DN to LDAPAuthenticateduser. --- .../ldap/AuthenticationProviderService.java | 114 ++++++------------ .../auth/ldap/user/LDAPAuthenticatedUser.java | 21 +++- 2 files changed, 57 insertions(+), 78 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java index ef01acd8c..e53b233c5 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java @@ -30,9 +30,7 @@ import java.util.Set; import org.apache.directory.api.ldap.model.entry.Attribute; import org.apache.directory.api.ldap.model.entry.Entry; import org.apache.directory.api.ldap.model.exception.LdapException; -import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException; import org.apache.directory.api.ldap.model.name.Dn; -import org.apache.directory.ldap.client.api.LdapConnectionConfig; import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleServerException; @@ -44,6 +42,8 @@ import org.apache.guacamole.auth.ldap.user.UserService; import org.apache.guacamole.net.auth.AuthenticatedUser; import org.apache.guacamole.net.auth.Credentials; import org.apache.guacamole.token.TokenName; +import org.apache.guacamole.net.auth.credentials.CredentialsInfo; +import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -164,53 +164,6 @@ public class AuthenticationProviderService { } - /** - * Binds to the LDAP server using the provided Guacamole credentials. The - * DN of the user is derived using the LDAP configuration properties - * provided in guacamole.properties, as is the server hostname and port - * information. - * - * @param credentials - * The credentials to use to bind to the LDAP server. - * - * @return - * A bound LDAP connection, or null if the connection could not be - * bound. - * - * @throws GuacamoleException - * If an error occurs while binding to the LDAP server. - */ - private LdapNetworkConnection bindAs(Credentials credentials) - throws GuacamoleException { - - // Get username and password from credentials - String username = credentials.getUsername(); - String password = credentials.getPassword(); - - // Require username - if (username == null || username.isEmpty()) { - logger.debug("Anonymous bind is not currently allowed by the LDAP authentication provider."); - return null; - } - - // Require password, and do not allow anonymous binding - if (password == null || password.isEmpty()) { - logger.debug("Anonymous bind is not currently allowed by the LDAP authentication provider."); - return null; - } - - // Determine user DN - Dn userDN = getUserBindDN(username); - if (userDN == null) { - logger.debug("Unable to determine DN for user \"{}\".", username); - return null; - } - - // Bind using user's DN - return ldapService.bindAs(userDN, password); - - } - /** * Returns an AuthenticatedUser representing the user authenticated by the * given credentials. Also adds custom LDAP attributes to the @@ -229,33 +182,40 @@ public class AuthenticationProviderService { */ public LDAPAuthenticatedUser authenticateUser(Credentials credentials) throws GuacamoleException { - - // Attempt bind - LdapNetworkConnection ldapConnection = bindAs(credentials); - LdapConnectionConfig ldapConnectionConfig = ldapConnection.getConfig(); - try { - - Dn authDn = new Dn(ldapConnectionConfig.getName()); + String username = credentials.getUsername(); + String password = credentials.getPassword(); + + // Username and password are required + if (username == null + || username.isEmpty() + || password == null + || password.isEmpty()) { + throw new GuacamoleInvalidCredentialsException( + "Anonymous bind is not currently allowed by the LDAP" + + " authentication provider.", CredentialsInfo.USERNAME_PASSWORD); + } + + Dn bindDn = getUserBindDN(username); + if (bindDn == null || bindDn.isEmpty()) { + throw new GuacamoleInvalidCredentialsException("Unable to determine" + + " DN of user " + username, CredentialsInfo.USERNAME_PASSWORD); + } + + // Attempt bind + LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, password); - // Retrieve group membership of the user that just authenticated - Set effectiveGroups = - userGroupService.getParentUserGroupIdentifiers(ldapConnection, - authDn); + // Retrieve group membership of the user that just authenticated + Set effectiveGroups = + userGroupService.getParentUserGroupIdentifiers(ldapConnection, + bindDn); - // Return AuthenticatedUser if bind succeeds - LDAPAuthenticatedUser authenticatedUser = authenticatedUserProvider.get(); - authenticatedUser.init(credentials, getAttributeTokens(ldapConnection, credentials.getUsername()), effectiveGroups); - return authenticatedUser; - - } - catch (LdapInvalidDnException e) { - throw new GuacamoleServerException("Invalid DN trying to bind to server.", e); - } - // Always disconnect - finally { - ldapService.disconnect(ldapConnection); - } + // Return AuthenticatedUser if bind succeeds + LDAPAuthenticatedUser authenticatedUser = authenticatedUserProvider.get(); + authenticatedUser.init(credentials, getAttributeTokens(ldapConnection, + bindDn), effectiveGroups, bindDn); + + return authenticatedUser; } @@ -282,7 +242,7 @@ public class AuthenticationProviderService { * If an error occurs retrieving the user DN or the attributes. */ private Map getAttributeTokens(LdapNetworkConnection ldapConnection, - String username) throws GuacamoleException { + Dn userDn) throws GuacamoleException { // Get attributes from configuration information List attrList = confService.getAttributes(); @@ -293,13 +253,12 @@ public class AuthenticationProviderService { // Build LDAP query parameters String[] attrArray = attrList.toArray(new String[attrList.size()]); - Dn userDN = getUserBindDN(username); Map tokens = new HashMap<>(); try { // Get LDAP attributes by querying LDAP - Entry userEntry = ldapConnection.lookup(userDN, attrArray); + Entry userEntry = ldapConnection.lookup(userDn, attrArray); if (userEntry == null) return Collections.emptyMap(); @@ -341,7 +300,8 @@ public class AuthenticationProviderService { // Bind using credentials associated with AuthenticatedUser Credentials credentials = authenticatedUser.getCredentials(); - LdapNetworkConnection ldapConnection = bindAs(credentials); + Dn bindDn = ((LDAPAuthenticatedUser) authenticatedUser).getBindDn(); + LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, credentials.getPassword()); try { diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java index db36fc0b4..44296432f 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java @@ -57,6 +57,11 @@ public class LDAPAuthenticatedUser extends AbstractAuthenticatedUser { * available to this user. */ private Set effectiveGroups; + + /** + * The LDAP DN used to bind this user. + */ + private Dn bindDn; /** * Initializes this AuthenticatedUser with the given credentials, @@ -72,12 +77,16 @@ public class LDAPAuthenticatedUser extends AbstractAuthenticatedUser { * @param effectiveGroups * The unique identifiers of all user groups which affect the * permissions available to this user. + * + * @param bindDn + * The LDAP DN used to bind this user. */ public void init(Credentials credentials, Map tokens, - Set effectiveGroups) { + Set effectiveGroups, Dn bindDn) { this.credentials = credentials; this.tokens = Collections.unmodifiableMap(tokens); this.effectiveGroups = effectiveGroups; + this.bindDn = bindDn; setIdentifier(credentials.getUsername()); } @@ -94,6 +103,16 @@ public class LDAPAuthenticatedUser extends AbstractAuthenticatedUser { public Map getTokens() { return tokens; } + + /** + * Returns the LDAP DN used to bind this user. + * + * @return + * The LDAP DN used to bind this user. + */ + public Dn getBindDn() { + return bindDn; + } @Override public AuthenticationProvider getAuthenticationProvider() { From 7825f57b994b20765975c8deb35f108d65b663ae Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Fri, 14 Dec 2018 21:02:14 -0500 Subject: [PATCH 08/18] GUACAMOLE-234: Correct counter for referral hops. --- .../guacamole/auth/ldap/ObjectQueryService.java | 12 +++++++----- .../auth/ldap/connection/ConnectionService.java | 3 ++- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java index 6df617ae7..31d1210b1 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java @@ -169,6 +169,9 @@ public class ObjectQueryService { * * @param query * The LDAP query to execute. + * + * @param searchHop + * The level of depth for this search, used for tracking referrals. * * @return * A list of all results accessible to the user currently bound under @@ -180,7 +183,7 @@ public class ObjectQueryService { * guacamole.properties. */ public List search(LdapNetworkConnection ldapConnection, - Dn baseDN, ExprNode query) throws GuacamoleException { + Dn baseDN, ExprNode query, int searchHop) throws GuacamoleException { logger.debug("Searching \"{}\" for objects matching \"{}\".", baseDN, query); @@ -205,11 +208,10 @@ public class ObjectQueryService { else if (results.isReferral() && request.isFollowReferrals()) { Referral referral = results.getReferral(); - int referralHop = 0; for (String url : referral.getLdapUrls()) { LdapNetworkConnection referralConnection = ldapService.referralConnection( - new LdapUrl(url), ldapConnectionConfig, referralHop++); - entries.addAll(search(referralConnection, baseDN, query)); + new LdapUrl(url), ldapConnectionConfig, searchHop++); + entries.addAll(search(referralConnection, baseDN, query, searchHop)); } } @@ -270,7 +272,7 @@ public class ObjectQueryService { ExprNode filter, Collection attributes, String attributeValue) throws GuacamoleException { ExprNode query = generateQuery(filter, attributes, attributeValue); - return search(ldapConnection, baseDN, query); + return search(ldapConnection, baseDN, query, 0); } /** diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java index dbd1b0390..70bd80cf9 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java @@ -125,7 +125,8 @@ public class ConnectionService { // looking for direct membership in the guacConfigGroup // and possibly any groups the user is a member of that are // referred to in the seeAlso attribute of the guacConfigGroup. - List results = queryService.search(ldapConnection, configurationBaseDN, connectionSearchFilter); + List results = queryService.search(ldapConnection, + configurationBaseDN, connectionSearchFilter, 0); // Return a map of all readable connections return queryService.asMap(results, (entry) -> { From 72dad76d42873a52c4815f56141766b9cfce3f6b Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Sat, 15 Dec 2018 12:50:32 -0500 Subject: [PATCH 09/18] GUACAMOLE-234: Adjust LDAP filters. --- .../guacamole/auth/ldap/conf/ConfigurationService.java | 6 +++--- .../apache/guacamole/auth/ldap/group/UserGroupService.java | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java index 126b343d9..67e78ce6e 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java @@ -304,12 +304,12 @@ public class ConfigurationService { /** * Returns the search filter that should be used when querying the * LDAP server for Guacamole users. If no filter is specified, - * a default of "(objectClass=*)" is returned. + * a default of "(objectClass=user)" is returned. * * @return * The search filter that should be used when querying the * LDAP server for users that are valid in Guacamole, or - * "(objectClass=*)" if not specified. + * "(objectClass=user)" if not specified. * * @throws GuacamoleException * If guacamole.properties cannot be parsed. @@ -317,7 +317,7 @@ public class ConfigurationService { public ExprNode getUserSearchFilter() throws GuacamoleException { return environment.getProperty( LDAPGuacamoleProperties.LDAP_USER_SEARCH_FILTER, - new EqualityNode("objectClass","*") + new EqualityNode("objectClass","user") ); } diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java index cf29a2bb9..2fb31afc2 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java @@ -87,7 +87,7 @@ public class UserGroupService { // Read any object as a group if LDAP is not being used for connection // storage (guacConfigGroup) - return new EqualityNode("objectClass","*"); + return new EqualityNode("objectClass","group"); } From d7d622051fd662563f700ccb35429a2b4285cc38 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Sat, 15 Dec 2018 13:57:56 -0500 Subject: [PATCH 10/18] GUACAMOLE-234: Change EqualityNode to PresenceNode for wildcard objectClass. --- .../apache/guacamole/auth/ldap/conf/ConfigurationService.java | 4 ++-- .../apache/guacamole/auth/ldap/group/UserGroupService.java | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java index 67e78ce6e..588c60d4c 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java @@ -22,8 +22,8 @@ package org.apache.guacamole.auth.ldap.conf; import com.google.inject.Inject; import java.util.Collections; import java.util.List; -import org.apache.directory.api.ldap.model.filter.EqualityNode; import org.apache.directory.api.ldap.model.filter.ExprNode; +import org.apache.directory.api.ldap.model.filter.PresenceNode; import org.apache.directory.api.ldap.model.message.AliasDerefMode; import org.apache.directory.api.ldap.model.name.Dn; import org.apache.guacamole.GuacamoleException; @@ -317,7 +317,7 @@ public class ConfigurationService { public ExprNode getUserSearchFilter() throws GuacamoleException { return environment.getProperty( LDAPGuacamoleProperties.LDAP_USER_SEARCH_FILTER, - new EqualityNode("objectClass","user") + new PresenceNode("objectClass") ); } diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java index 2fb31afc2..5eb375cb4 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java @@ -31,6 +31,7 @@ import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueEx import org.apache.directory.api.ldap.model.filter.EqualityNode; import org.apache.directory.api.ldap.model.filter.ExprNode; import org.apache.directory.api.ldap.model.filter.NotNode; +import org.apache.directory.api.ldap.model.filter.PresenceNode; import org.apache.directory.api.ldap.model.name.Dn; import org.apache.directory.ldap.client.api.LdapNetworkConnection; import org.apache.guacamole.auth.ldap.conf.ConfigurationService; @@ -87,7 +88,7 @@ public class UserGroupService { // Read any object as a group if LDAP is not being used for connection // storage (guacConfigGroup) - return new EqualityNode("objectClass","group"); + return new PresenceNode("objectClass"); } From fc5c4c538e97d028bdd1c79dc0e553f99e46f21a Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Sat, 15 Dec 2018 14:11:53 -0500 Subject: [PATCH 11/18] GUACAMOLE-234: Don't close the connection after bind. --- .../apache/guacamole/auth/ldap/LDAPConnectionService.java | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java index 744936d31..a5ee4b3c5 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java @@ -156,14 +156,12 @@ public class LDAPConnectionService { // Disconnect if an error occurs during bind catch (LdapException e) { logger.debug("Unable to bind to LDAP server.", e); + disconnect(ldapConnection); throw new GuacamoleInvalidCredentialsException( "Unable to bind to the LDAP server.", CredentialsInfo.USERNAME_PASSWORD); } - finally { - disconnect(ldapConnection); - } - + return ldapConnection; } From 791cfeabbb15001926a28b6801802bf9256663dc Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Sat, 15 Dec 2018 14:22:54 -0500 Subject: [PATCH 12/18] GUACAMOLE-234: Only try LDAP bind if user authenticated with LDAP. --- .../ldap/AuthenticationProviderService.java | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java index e53b233c5..9004c132b 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java @@ -300,22 +300,25 @@ public class AuthenticationProviderService { // Bind using credentials associated with AuthenticatedUser Credentials credentials = authenticatedUser.getCredentials(); - Dn bindDn = ((LDAPAuthenticatedUser) authenticatedUser).getBindDn(); - LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, credentials.getPassword()); + if (authenticatedUser instanceof LDAPAuthenticatedUser) { + Dn bindDn = ((LDAPAuthenticatedUser) authenticatedUser).getBindDn(); + LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, credentials.getPassword()); - try { + try { - // Build user context by querying LDAP - LDAPUserContext userContext = userContextProvider.get(); - userContext.init(authenticatedUser, ldapConnection); - return userContext; + // Build user context by querying LDAP + LDAPUserContext userContext = userContextProvider.get(); + userContext.init(authenticatedUser, ldapConnection); + return userContext; + } + + // Always disconnect + finally { + ldapService.disconnect(ldapConnection); + } } - - // Always disconnect - finally { - ldapService.disconnect(ldapConnection); - } + return null; } From 742b0c4e6586ca738ae0ec304d45ca3c809799e5 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Thu, 27 Dec 2018 10:28:09 -0500 Subject: [PATCH 13/18] GUACAMOLE-234: Correctly handle bind failure. --- .../apache/guacamole/auth/ldap/LDAPConnectionService.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java index a5ee4b3c5..c2914f7c1 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java @@ -150,6 +150,8 @@ public class LDAPConnectionService { bindRequest.setDn(userDN); bindRequest.setCredentials(password); ldapConnection.bind(bindRequest); + if (ldapConnection.isConnected() && ldapConnection.isAuthenticated()) + return ldapConnection; } @@ -162,7 +164,8 @@ public class LDAPConnectionService { CredentialsInfo.USERNAME_PASSWORD); } - return ldapConnection; + throw new GuacamoleInvalidCredentialsException("Authentication failed.", + CredentialsInfo.USERNAME_PASSWORD); } From ed568b1f55be667fe5fedef5eaa0698656daa4e8 Mon Sep 17 00:00:00 2001 From: Nick Couchman Date: Thu, 27 Dec 2018 10:36:33 -0500 Subject: [PATCH 14/18] GUACAMOLE-234: Tweaks to handling bind requests/failures. --- .../guacamole/auth/ldap/LDAPConnectionService.java | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java index c2914f7c1..c24901b9b 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java @@ -25,6 +25,8 @@ import org.apache.directory.api.ldap.model.exception.LdapException; import org.apache.directory.api.ldap.model.filter.ExprNode; import org.apache.directory.api.ldap.model.message.BindRequest; import org.apache.directory.api.ldap.model.message.BindRequestImpl; +import org.apache.directory.api.ldap.model.message.BindResponse; +import org.apache.directory.api.ldap.model.message.ResultCodeEnum; import org.apache.directory.api.ldap.model.message.SearchRequest; import org.apache.directory.api.ldap.model.message.SearchRequestImpl; import org.apache.directory.api.ldap.model.message.SearchScope; @@ -149,9 +151,14 @@ public class LDAPConnectionService { BindRequest bindRequest = new BindRequestImpl(); bindRequest.setDn(userDN); bindRequest.setCredentials(password); - ldapConnection.bind(bindRequest); - if (ldapConnection.isConnected() && ldapConnection.isAuthenticated()) + BindResponse bindResponse = ldapConnection.bind(bindRequest); + if (bindResponse.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS) return ldapConnection; + + else + throw new GuacamoleInvalidCredentialsException("Error binding" + + " to server: " + bindResponse.toString(), + CredentialsInfo.USERNAME_PASSWORD); } @@ -163,9 +170,6 @@ public class LDAPConnectionService { "Unable to bind to the LDAP server.", CredentialsInfo.USERNAME_PASSWORD); } - - throw new GuacamoleInvalidCredentialsException("Authentication failed.", - CredentialsInfo.USERNAME_PASSWORD); } From 5ea518a390c0db3c6f95801ed6ce0ea8d8ab444a Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Mon, 17 Jun 2019 20:25:45 -0400 Subject: [PATCH 15/18] GUACAMOLE-234: Update to latest available Apache Directory API. --- extensions/guacamole-auth-ldap/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/guacamole-auth-ldap/pom.xml b/extensions/guacamole-auth-ldap/pom.xml index 624b0f02b..17c8ed638 100644 --- a/extensions/guacamole-auth-ldap/pom.xml +++ b/extensions/guacamole-auth-ldap/pom.xml @@ -145,7 +145,7 @@ org.apache.directory.api api-all - 2.0.0.AM2 + 2.0.0.AM4 org.slf4j From 8c1a3f34351d84065b588e5f4027747ff29aa612 Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Mon, 17 Jun 2019 20:26:00 -0400 Subject: [PATCH 16/18] GUACAMOLE-234: Remove stray catch block. --- .../org/apache/guacamole/auth/ldap/ObjectQueryService.java | 5 ----- 1 file changed, 5 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java index 31d1210b1..ff107ced9 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java @@ -216,11 +216,6 @@ public class ObjectQueryService { } - catch (LDAPException e) { - logger.warn("Failed to process an LDAP search result. Error was: {}", e.resultCodeToString()); - logger.debug("Error processing LDAPEntry search result.", e); - } - } return entries; From 8b172a98fc77241664be16e7f40ab4add510c73a Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Sat, 10 Aug 2019 22:14:56 -0400 Subject: [PATCH 17/18] GUACAMOLE-234: Fix style, debug messages, and logger output. --- .../auth/ldap/LDAPConnectionService.java | 4 ++-- .../guacamole/auth/ldap/ObjectQueryService.java | 13 +++++++++---- .../auth/ldap/connection/ConnectionService.java | 15 +++++++++++---- .../auth/ldap/group/UserGroupService.java | 4 +++- 4 files changed, 25 insertions(+), 11 deletions(-) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java index c24901b9b..ecde74c52 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java @@ -197,8 +197,8 @@ public class LDAPConnectionService { * If an error occurs parsing out the LdapUrl object or the * maximum number of referral hops is reached. */ - public LdapNetworkConnection referralConnection(LdapUrl referralUrl, - LdapConnectionConfig ldapConfig, int hop) + public LdapNetworkConnection getReferralConnection(LdapUrl referralUrl, + LdapConnectionConfig ldapConfig, int hop) throws GuacamoleException { if (hop >= confService.getMaxReferralHops()) diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java index ff107ced9..f9d7956a2 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java @@ -171,7 +171,8 @@ public class ObjectQueryService { * The LDAP query to execute. * * @param searchHop - * The level of depth for this search, used for tracking referrals. + * The current level of referral depth for this search, used for + * limiting the maximum depth to which referrals can go. * * @return * A list of all results accessible to the user currently bound under @@ -209,9 +210,13 @@ public class ObjectQueryService { Referral referral = results.getReferral(); for (String url : referral.getLdapUrls()) { - LdapNetworkConnection referralConnection = ldapService.referralConnection( - new LdapUrl(url), ldapConnectionConfig, searchHop++); - entries.addAll(search(referralConnection, baseDN, query, searchHop)); + LdapNetworkConnection referralConnection = + ldapService.getReferralConnection( + new LdapUrl(url), + ldapConnectionConfig, searchHop++ + ); + entries.addAll(search(referralConnection, baseDN, query, + searchHop)); } } diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java index 70bd80cf9..6b2d840a1 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java @@ -115,7 +115,7 @@ public class ConnectionService { // getConnections() will only be called after a connection has been // authenticated (via non-anonymous bind), thus userDN cannot // possibly be null - assert (userDN != null); + assert(userDN != null); // Get the search filter for finding connections accessible by the // current user @@ -145,7 +145,9 @@ public class ConnectionService { cnName = cn.getString(); } catch (LdapInvalidAttributeValueException e) { - logger.error("Invalid value for CN attribute.", e.getMessage()); + logger.error("Invalid value for CN attribute: {}", + e.getMessage()); + logger.debug("LDAP exception while getting CN attribute.", e); return null; } @@ -164,7 +166,9 @@ public class ConnectionService { config.setProtocol(protocol.getString()); } catch (LdapInvalidAttributeValueException e) { - logger.error("Invalid value of the protocol entry.", e.getMessage()); + logger.error("Invalid value of the protocol entry: {}", + e.getMessage()); + logger.debug("LDAP exception when getting protocol value.", e); return null; } @@ -179,7 +183,10 @@ public class ConnectionService { parameter = parameterAttribute.getString(); } catch (LdapInvalidAttributeValueException e) { - logger.warn("Parameter value not valid for {}", cnName, e); + logger.warn("Parameter value not valid for {}: {}", + cnName, e.getMessage()); + logger.debug("LDAP exception when getting parameter value.", + e); return null; } parameterAttribute.remove(parameter); diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java index 5eb375cb4..0628006dd 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java @@ -228,7 +228,9 @@ public class UserGroupService { + "and will be ignored.", entry.getDn().toString()); } catch (LdapInvalidAttributeValueException e) { - logger.debug("User group missing identifier.", e.getMessage()); + logger.error("User group missing identifier: {}", + e.getMessage()); + logger.debug("LDAP exception while getting group identifier.", e); } }); From 11f7a7f3c7483fc3b187fb6878455b180fcf90ff Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Sun, 11 Aug 2019 18:37:43 -0400 Subject: [PATCH 18/18] GUACAMOLE-234: Update license files. --- .../guacamole-auth-ldap/src/licenses/LICENSE | 23 +- .../directory-api-2.0.0/LICENSE-2.0.txt | 202 ++++++++++++++++++ .../src/licenses/bundled/jldap-4.3/LICENSE | 47 ---- .../licenses/bundled/jldap-4.3/LICENSE-2.0.1 | 56 ----- 4 files changed, 211 insertions(+), 117 deletions(-) create mode 100644 extensions/guacamole-auth-ldap/src/licenses/bundled/directory-api-2.0.0/LICENSE-2.0.txt delete mode 100644 extensions/guacamole-auth-ldap/src/licenses/bundled/jldap-4.3/LICENSE delete mode 100644 extensions/guacamole-auth-ldap/src/licenses/bundled/jldap-4.3/LICENSE-2.0.1 diff --git a/extensions/guacamole-auth-ldap/src/licenses/LICENSE b/extensions/guacamole-auth-ldap/src/licenses/LICENSE index 9368e8f28..0414ad678 100644 --- a/extensions/guacamole-auth-ldap/src/licenses/LICENSE +++ b/extensions/guacamole-auth-ldap/src/licenses/LICENSE @@ -220,6 +220,15 @@ AOP Alliance (http://aopalliance.sourceforge.net/) Public Domain (bundled/aopalliance-1.0/LICENSE) +Apache Directory LDAP API (http://directory.apache.org) +------------------------------------------------------- + + Version: 2.0.0.AM4 + From: 'Apache Software Foundation' (http://apache.org) + License(s): + Apache v2.0 (bundled/directory-api-2.0.0/LICENSE-2.0.txt) + + Google Guice (https://github.com/google/guice) ---------------------------------------------- @@ -229,20 +238,6 @@ Google Guice (https://github.com/google/guice) Apache v2.0 (bundled/guice-3.0/COPYING) -JLDAP (http://www.openldap.org/jldap/) --------------------------------------- - - Version: 4.3 - From: 'The OpenLDAP Foundation' (http://www.openldap.org/) - License(s): - OpenLDAP Public License v2.8 (bundled/jldap-4.3/LICENSE) - OpenLDAP Public License v2.0.1 (bundled/jldap-4.3/LICENSE-2.0.1) - -NOTE: JLDAP is *NOT* dual-licensed. Whether a particular source file is under -version 2.8 or 2.0.1 of the OpenLDAP Public License depends on the license -header of the file in question. - - JSR-330 / Dependency Injection for Java (http://code.google.com/p/atinject/) ---------------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-ldap/src/licenses/bundled/directory-api-2.0.0/LICENSE-2.0.txt b/extensions/guacamole-auth-ldap/src/licenses/bundled/directory-api-2.0.0/LICENSE-2.0.txt new file mode 100644 index 000000000..d64569567 --- /dev/null +++ b/extensions/guacamole-auth-ldap/src/licenses/bundled/directory-api-2.0.0/LICENSE-2.0.txt @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/extensions/guacamole-auth-ldap/src/licenses/bundled/jldap-4.3/LICENSE b/extensions/guacamole-auth-ldap/src/licenses/bundled/jldap-4.3/LICENSE deleted file mode 100644 index 05ad7571e..000000000 --- a/extensions/guacamole-auth-ldap/src/licenses/bundled/jldap-4.3/LICENSE +++ /dev/null @@ -1,47 +0,0 @@ -The OpenLDAP Public License - Version 2.8, 17 August 2003 - -Redistribution and use of this software and associated documentation -("Software"), with or without modification, are permitted provided -that the following conditions are met: - -1. Redistributions in source form must retain copyright statements - and notices, - -2. Redistributions in binary form must reproduce applicable copyright - statements and notices, this list of conditions, and the following - disclaimer in the documentation and/or other materials provided - with the distribution, and - -3. Redistributions must contain a verbatim copy of this document. - -The OpenLDAP Foundation may revise this license from time to time. -Each revision is distinguished by a version number. You may use -this Software under terms of this license revision or under the -terms of any subsequent revision of the license. - -THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS -CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, -INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT -SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) -OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, -INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN -ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE. - -The names of the authors and copyright holders must not be used in -advertising or otherwise to promote the sale, use or other dealing -in this Software without specific, written prior permission. Title -to copyright in this Software shall at all times remain with copyright -holders. - -OpenLDAP is a registered trademark of the OpenLDAP Foundation. - -Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, -California, USA. All Rights Reserved. Permission to copy and -distribute verbatim copies of this document is granted. diff --git a/extensions/guacamole-auth-ldap/src/licenses/bundled/jldap-4.3/LICENSE-2.0.1 b/extensions/guacamole-auth-ldap/src/licenses/bundled/jldap-4.3/LICENSE-2.0.1 deleted file mode 100644 index db93ec5a7..000000000 --- a/extensions/guacamole-auth-ldap/src/licenses/bundled/jldap-4.3/LICENSE-2.0.1 +++ /dev/null @@ -1,56 +0,0 @@ -A number of files contained in OpenLDAP Software contain -a statement: - USE, MODIFICATION, AND REDISTRIBUTION OF THIS WORK IS SUBJECT - TO VERSION 2.0.1 OF THE OPENLDAP PUBLIC LICENSE, A COPY OF - WHICH IS AVAILABLE AT HTTP://WWW.OPENLDAP.ORG/LICENSE.HTML OR - IN THE FILE "LICENSE" IN THE TOP-LEVEL DIRECTORY OF THE - DISTRIBUTION. - -The following is a verbatim copy of version 2.0.1 of the OpenLDAP -Public License referenced in the above statement. - - -The OpenLDAP Public License - - Version 2.0.1, 21 December 1999 - Copyright 1999, The OpenLDAP Foundation, Redwood City, California, USA. - All Rights Reserved. - -Redistribution and use of this software and associated documentation -("Software"), with or without modification, are permitted provided -that the following conditions are met: - -1. Redistributions of source code must retain copyright -statements and notices. Redistributions must also contain a -copy of this document. - -2. Redistributions in binary form must reproduce the -above copyright notice, this list of conditions and the -following disclaimer in the documentation and/or other -materials provided with the distribution. - -3. The name "OpenLDAP" must not be used to endorse or promote -products derived from this Software without prior written -permission of the OpenLDAP Foundation. For written permission, -please contact foundation@openldap.org. - -4. Products derived from this Software may not be called "OpenLDAP" -nor may "OpenLDAP" appear in their names without prior written -permission of the OpenLDAP Foundation. OpenLDAP is a trademark -of the OpenLDAP Foundation. - -5. Due credit should be given to the OpenLDAP Project -(http://www.openldap.org/). - -THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS -``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT -NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL -THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -OF THE POSSIBILITY OF SUCH DAMAGE.