safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge 1.1.0 changes back to master.

Browse Source
This commit is contained in:
Michael Jumper
2019-08-11 15:54:36 -07:00
parent 51b1c08cf4 2d86bbf5e6
commit 6e439bf827
25 changed files with 880 additions and 857 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
extensions/guacamole-auth-ldap/pom.xml
View File

@@ -141,11 +141,17 @@
<scope>provided</scope> <scope>provided</scope>
</dependency> </dependency>
<!-- JLDAP --> <!-- Apache Directory LDAP API -->
<dependency> <dependency>
<groupId>com.novell.ldap</groupId> <groupId>org.apache.directory.api</groupId>
<artifactId>jldap</artifactId> <artifactId>api-all</artifactId>
<version>4.3</version> <version>2.0.0.AM4</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency> </dependency>
<!-- Guice --> <!-- Guice -->

23
extensions/guacamole-auth-ldap/src/licenses/LICENSE
View File

@@ -220,6 +220,15 @@ AOP Alliance (http://aopalliance.sourceforge.net/)
Public Domain (bundled/aopalliance-1.0/LICENSE) Public Domain (bundled/aopalliance-1.0/LICENSE)
Apache Directory LDAP API (http://directory.apache.org)
-------------------------------------------------------
Version: 2.0.0.AM4
From: 'Apache Software Foundation' (http://apache.org)
License(s):
Apache v2.0 (bundled/directory-api-2.0.0/LICENSE-2.0.txt)
Google Guice (https://github.com/google/guice) Google Guice (https://github.com/google/guice)
---------------------------------------------- ----------------------------------------------
@@ -229,20 +238,6 @@ Google Guice (https://github.com/google/guice)
Apache v2.0 (bundled/guice-3.0/COPYING) Apache v2.0 (bundled/guice-3.0/COPYING)
JLDAP (http://www.openldap.org/jldap/)
--------------------------------------
Version: 4.3
From: 'The OpenLDAP Foundation' (http://www.openldap.org/)
License(s):
OpenLDAP Public License v2.8 (bundled/jldap-4.3/LICENSE)
OpenLDAP Public License v2.0.1 (bundled/jldap-4.3/LICENSE-2.0.1)
NOTE: JLDAP is *NOT* dual-licensed. Whether a particular source file is under
version 2.8 or 2.0.1 of the OpenLDAP Public License depends on the license
header of the file in question.
JSR-330 / Dependency Injection for Java (http://code.google.com/p/atinject/) JSR-330 / Dependency Injection for Java (http://code.google.com/p/atinject/)
---------------------------------------------------------------------------- ----------------------------------------------------------------------------

202
extensions/guacamole-auth-ldap/src/licenses/bundled/directory-api-2.0.0/LICENSE-2.0.txt Normal file
View File

@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

47
extensions/guacamole-auth-ldap/src/licenses/bundled/jldap-4.3/LICENSE
View File

@@ -1,47 +0,0 @@
The OpenLDAP Public License
Version 2.8, 17 August 2003
Redistribution and use of this software and associated documentation
("Software"), with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions in source form must retain copyright statements
and notices,
2. Redistributions in binary form must reproduce applicable copyright
statements and notices, this list of conditions, and the following
disclaimer in the documentation and/or other materials provided
with the distribution, and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time.
Each revision is distinguished by a version number. You may use
this Software under terms of this license revision or under the
terms of any subsequent revision of the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in
advertising or otherwise to promote the sale, use or other dealing
in this Software without specific, written prior permission. Title
to copyright in this Software shall at all times remain with copyright
holders.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
California, USA. All Rights Reserved. Permission to copy and
distribute verbatim copies of this document is granted.

56
extensions/guacamole-auth-ldap/src/licenses/bundled/jldap-4.3/LICENSE-2.0.1
View File

@@ -1,56 +0,0 @@
A number of files contained in OpenLDAP Software contain
a statement:
USE, MODIFICATION, AND REDISTRIBUTION OF THIS WORK IS SUBJECT
TO VERSION 2.0.1 OF THE OPENLDAP PUBLIC LICENSE, A COPY OF
WHICH IS AVAILABLE AT HTTP://WWW.OPENLDAP.ORG/LICENSE.HTML OR
IN THE FILE "LICENSE" IN THE TOP-LEVEL DIRECTORY OF THE
DISTRIBUTION.
The following is a verbatim copy of version 2.0.1 of the OpenLDAP
Public License referenced in the above statement.
The OpenLDAP Public License
Version 2.0.1, 21 December 1999
Copyright 1999, The OpenLDAP Foundation, Redwood City, California, USA.
All Rights Reserved.
Redistribution and use of this software and associated documentation
("Software"), with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain copyright
statements and notices. Redistributions must also contain a
copy of this document.
2. Redistributions in binary form must reproduce the
above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other
materials provided with the distribution.
3. The name "OpenLDAP" must not be used to endorse or promote
products derived from this Software without prior written
permission of the OpenLDAP Foundation. For written permission,
please contact foundation@openldap.org.
4. Products derived from this Software may not be called "OpenLDAP"
nor may "OpenLDAP" appear in their names without prior written
permission of the OpenLDAP Foundation. OpenLDAP is a trademark
of the OpenLDAP Foundation.
5. Due credit should be given to the OpenLDAP Project
(http://www.openldap.org/).
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.

181
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
View File

@@ -21,27 +21,29 @@ package org.apache.guacamole.auth.ldap;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.google.inject.Provider; import com.google.inject.Provider;
import com.novell.ldap.LDAPAttribute; import java.util.Collection;
import com.novell.ldap.LDAPAttributeSet;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPEntry;
import com.novell.ldap.LDAPException;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.auth.ldap.conf.ConfigurationService;
import org.apache.guacamole.auth.ldap.group.UserGroupService; import org.apache.guacamole.auth.ldap.group.UserGroupService;
import org.apache.guacamole.auth.ldap.user.LDAPAuthenticatedUser; import org.apache.guacamole.auth.ldap.user.LDAPAuthenticatedUser;
import org.apache.guacamole.auth.ldap.user.LDAPUserContext; import org.apache.guacamole.auth.ldap.user.LDAPUserContext;
import org.apache.guacamole.auth.ldap.user.UserService; import org.apache.guacamole.auth.ldap.user.UserService;
import org.apache.guacamole.net.auth.AuthenticatedUser; import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Credentials; import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.token.TokenName;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo; import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException; import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
import org.apache.guacamole.token.TokenName;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -113,16 +115,15 @@ public class AuthenticationProviderService {
* If required properties are missing, and thus the user DN cannot be * If required properties are missing, and thus the user DN cannot be
* determined. * determined.
*/ */
private String getUserBindDN(String username) private Dn getUserBindDN(String username) throws GuacamoleException {
throws GuacamoleException {
// If a search DN is provided, search the LDAP directory for the DN // If a search DN is provided, search the LDAP directory for the DN
// corresponding to the given username // corresponding to the given username
String searchBindDN = confService.getSearchBindDN(); Dn searchBindDN = confService.getSearchBindDN();
if (searchBindDN != null) { if (searchBindDN != null) {
// Create an LDAP connection using the search account // Create an LDAP connection using the search account
LDAPConnection searchConnection = ldapService.bindAs( LdapNetworkConnection searchConnection = ldapService.bindAs(
searchBindDN, searchBindDN,
confService.getSearchBindPassword() confService.getSearchBindPassword()
); );
@@ -136,7 +137,7 @@ public class AuthenticationProviderService {
try { try {
// Retrieve all DNs associated with the given username // Retrieve all DNs associated with the given username
List<String> userDNs = userService.getUserDNs(searchConnection, username); List<Dn> userDNs = userService.getUserDNs(searchConnection, username);
if (userDNs.isEmpty()) if (userDNs.isEmpty())
return null; return null;
@@ -163,53 +164,6 @@ public class AuthenticationProviderService {
} }
/**
* Binds to the LDAP server using the provided Guacamole credentials. The
* DN of the user is derived using the LDAP configuration properties
* provided in guacamole.properties, as is the server hostname and port
* information.
*
* @param credentials
* The credentials to use to bind to the LDAP server.
*
* @return
* A bound LDAP connection, or null if the connection could not be
* bound.
*
* @throws GuacamoleException
* If an error occurs while binding to the LDAP server.
*/
private LDAPConnection bindAs(Credentials credentials)
throws GuacamoleException {
// Get username and password from credentials
String username = credentials.getUsername();
String password = credentials.getPassword();
// Require username
if (username == null || username.isEmpty()) {
logger.debug("Anonymous bind is not currently allowed by the LDAP authentication provider.");
return null;
}
// Require password, and do not allow anonymous binding
if (password == null || password.isEmpty()) {
logger.debug("Anonymous bind is not currently allowed by the LDAP authentication provider.");
return null;
}
// Determine user DN
String userDN = getUserBindDN(username);
if (userDN == null) {
logger.debug("Unable to determine DN for user \"{}\".", username);
return null;
}
// Bind using user's DN
return ldapService.bindAs(userDN, password);
}
/** /**
* Returns an AuthenticatedUser representing the user authenticated by the * Returns an AuthenticatedUser representing the user authenticated by the
* given credentials. Also adds custom LDAP attributes to the * given credentials. Also adds custom LDAP attributes to the
@@ -228,39 +182,40 @@ public class AuthenticationProviderService {
*/ */
public LDAPAuthenticatedUser authenticateUser(Credentials credentials) public LDAPAuthenticatedUser authenticateUser(Credentials credentials)
throws GuacamoleException { throws GuacamoleException {
String username = credentials.getUsername();
String password = credentials.getPassword();
// Username and password are required
if (username == null
|| username.isEmpty()
|| password == null
|| password.isEmpty()) {
throw new GuacamoleInvalidCredentialsException(
"Anonymous bind is not currently allowed by the LDAP"
+ " authentication provider.", CredentialsInfo.USERNAME_PASSWORD);
}
Dn bindDn = getUserBindDN(username);
if (bindDn == null || bindDn.isEmpty()) {
throw new GuacamoleInvalidCredentialsException("Unable to determine"
+ " DN of user " + username, CredentialsInfo.USERNAME_PASSWORD);
}
// Attempt bind // Attempt bind
LDAPConnection ldapConnection; LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, password);
try {
ldapConnection = bindAs(credentials); // Retrieve group membership of the user that just authenticated
} Set<String> effectiveGroups =
catch (GuacamoleException e) { userGroupService.getParentUserGroupIdentifiers(ldapConnection,
logger.error("Cannot bind with LDAP server: {}", e.getMessage()); bindDn);
logger.debug("Error binding with LDAP server.", e);
ldapConnection = null;
}
// If bind fails, permission to login is denied // Return AuthenticatedUser if bind succeeds
if (ldapConnection == null) LDAPAuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
throw new GuacamoleInvalidCredentialsException("Permission denied.", CredentialsInfo.USERNAME_PASSWORD); authenticatedUser.init(credentials, getAttributeTokens(ldapConnection,
bindDn), effectiveGroups, bindDn);
try {
return authenticatedUser;
// Retrieve group membership of the user that just authenticated
Set<String> effectiveGroups =
userGroupService.getParentUserGroupIdentifiers(ldapConnection,
ldapConnection.getAuthenticationDN());
// Return AuthenticatedUser if bind succeeds
LDAPAuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
authenticatedUser.init(credentials, getAttributeTokens(ldapConnection, credentials.getUsername()), effectiveGroups);
return authenticatedUser;
}
// Always disconnect
finally {
ldapService.disconnect(ldapConnection);
}
} }
@@ -286,8 +241,8 @@ public class AuthenticationProviderService {
* @throws GuacamoleException * @throws GuacamoleException
* If an error occurs retrieving the user DN or the attributes. * If an error occurs retrieving the user DN or the attributes.
*/ */
private Map<String, String> getAttributeTokens(LDAPConnection ldapConnection, private Map<String, String> getAttributeTokens(LdapNetworkConnection ldapConnection,
String username) throws GuacamoleException { Dn userDn) throws GuacamoleException {
// Get attributes from configuration information // Get attributes from configuration information
List<String> attrList = confService.getAttributes(); List<String> attrList = confService.getAttributes();
@@ -298,29 +253,27 @@ public class AuthenticationProviderService {
// Build LDAP query parameters // Build LDAP query parameters
String[] attrArray = attrList.toArray(new String[attrList.size()]); String[] attrArray = attrList.toArray(new String[attrList.size()]);
String userDN = getUserBindDN(username);
Map<String, String> tokens = new HashMap<>(); Map<String, String> tokens = new HashMap<>();
try { try {
// Get LDAP attributes by querying LDAP // Get LDAP attributes by querying LDAP
LDAPEntry userEntry = ldapConnection.read(userDN, attrArray); Entry userEntry = ldapConnection.lookup(userDn, attrArray);
if (userEntry == null) if (userEntry == null)
return Collections.<String, String>emptyMap(); return Collections.<String, String>emptyMap();
LDAPAttributeSet attrSet = userEntry.getAttributeSet(); Collection<Attribute> attributes = userEntry.getAttributes();
if (attrSet == null) if (attributes == null)
return Collections.<String, String>emptyMap(); return Collections.<String, String>emptyMap();
// Convert each retrieved attribute into a corresponding token // Convert each retrieved attribute into a corresponding token
for (Object attrObj : attrSet) { for (Attribute attr : attributes) {
LDAPAttribute attr = (LDAPAttribute)attrObj; tokens.put(TokenName.canonicalize(attr.getId(),
tokens.put(TokenName.canonicalize(attr.getName(), LDAP_ATTRIBUTE_TOKEN_PREFIX), attr.getString());
LDAP_ATTRIBUTE_TOKEN_PREFIX), attr.getStringValue());
} }
} }
catch (LDAPException e) { catch (LdapException e) {
throw new GuacamoleServerException("Could not query LDAP user attributes.", e); throw new GuacamoleServerException("Could not query LDAP user attributes.", e);
} }
@@ -347,23 +300,25 @@ public class AuthenticationProviderService {
// Bind using credentials associated with AuthenticatedUser // Bind using credentials associated with AuthenticatedUser
Credentials credentials = authenticatedUser.getCredentials(); Credentials credentials = authenticatedUser.getCredentials();
LDAPConnection ldapConnection = bindAs(credentials); if (authenticatedUser instanceof LDAPAuthenticatedUser) {
if (ldapConnection == null) Dn bindDn = ((LDAPAuthenticatedUser) authenticatedUser).getBindDn();
return null; LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, credentials.getPassword());
try { try {
// Build user context by querying LDAP // Build user context by querying LDAP
LDAPUserContext userContext = userContextProvider.get(); LDAPUserContext userContext = userContextProvider.get();
userContext.init(authenticatedUser, ldapConnection); userContext.init(authenticatedUser, ldapConnection);
return userContext; return userContext;
}
// Always disconnect
finally {
ldapService.disconnect(ldapConnection);
}
} }
return null;
// Always disconnect
finally {
ldapService.disconnect(ldapConnection);
}
} }

74
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/DereferenceAliasesMode.java
View File

@@ -1,74 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.auth.ldap;
import com.novell.ldap.LDAPSearchConstraints;
/**
* Data type that handles acceptable values for configuring
* alias dereferencing behavior when querying LDAP servers.
*/
public enum DereferenceAliasesMode {
/**
* Never dereference aliases. This is the default.
*/
NEVER(LDAPSearchConstraints.DEREF_NEVER),
/**
* Aliases are dereferenced below the base object, but not to locate
* the base object itself. So, if the base object is itself an alias
* the search will not complete.
*/
SEARCHING(LDAPSearchConstraints.DEREF_SEARCHING),
/**
* Aliases are only dereferenced to locate the base object, but not
* after that. So, a search against a base object that is an alias will
* find any subordinates of the real object the alias references, but
* further aliases in the search will not be dereferenced.
*/
FINDING(LDAPSearchConstraints.DEREF_FINDING),
/**
* Aliases will always be dereferenced, both to locate the base object
* and when handling results returned by the search.
*/
ALWAYS(LDAPSearchConstraints.DEREF_ALWAYS);
/**
* The integer constant as defined in the JLDAP library that
* the LDAPSearchConstraints class uses to define the
* dereferencing behavior during search operations.
*/
public final int DEREF_VALUE;
/**
* Initializes the dereference aliases object with the integer
* value the setting maps to per the JLDAP implementation.
*
* @param derefValue
* The value associated with this dereference setting
*/
private DereferenceAliasesMode(int derefValue) {
this.DEREF_VALUE = derefValue;
}
}

120
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/EscapingService.java
View File

@@ -1,120 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.auth.ldap;
/**
* Service for escaping LDAP filters, distinguished names (DN's), etc.
*/
public class EscapingService {
/**
* Escapes the given string for use within an LDAP search filter. This
* implementation is provided courtesy of OWASP:
*
* https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
*
* @param filter
* The string to escape such that it has no special meaning within an
* LDAP search filter.
*
* @return
* The escaped string, safe for use within an LDAP search filter.
*/
public String escapeLDAPSearchFilter(String filter) {
StringBuilder sb = new StringBuilder();
for (int i = 0; i < filter.length(); i++) {
char curChar = filter.charAt(i);
switch (curChar) {
case '\\':
sb.append("\\5c");
break;
case '*':
sb.append("\\2a");
break;
case '(':
sb.append("\\28");
break;
case ')':
sb.append("\\29");
break;
case '\u0000':
sb.append("\\00");
break;
default:
sb.append(curChar);
}
}
return sb.toString();
}
/**
* Escapes the given string such that it is safe for use within an LDAP
* distinguished name (DN). This implementation is provided courtesy of
* OWASP:
*
* https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
*
* @param name
* The string to escape such that it has no special meaning within an
* LDAP DN.
*
* @return
* The escaped string, safe for use within an LDAP DN.
*/
public String escapeDN(String name) {
StringBuilder sb = new StringBuilder();
if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) {
sb.append('\\'); // add the leading backslash if needed
}
for (int i = 0; i < name.length(); i++) {
char curChar = name.charAt(i);
switch (curChar) {
case '\\':
sb.append("\\\\");
break;
case ',':
sb.append("\\,");
break;
case '+':
sb.append("\\+");
break;
case '"':
sb.append("\\\"");
break;
case '<':
sb.append("\\<");
break;
case '>':
sb.append("\\>");
break;
case ';':
sb.append("\\;");
break;
default:
sb.append(curChar);
}
}
if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) {
sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed
}
return sb.toString();
}
}

2
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPAuthenticationProviderModule.java
View File

@@ -20,6 +20,7 @@
package org.apache.guacamole.auth.ldap; package org.apache.guacamole.auth.ldap;
import com.google.inject.AbstractModule; import com.google.inject.AbstractModule;
import org.apache.guacamole.auth.ldap.conf.ConfigurationService;
import org.apache.guacamole.auth.ldap.connection.ConnectionService; import org.apache.guacamole.auth.ldap.connection.ConnectionService;
import org.apache.guacamole.auth.ldap.user.UserService; import org.apache.guacamole.auth.ldap.user.UserService;
import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleException;
@@ -76,7 +77,6 @@ public class LDAPAuthenticationProviderModule extends AbstractModule {
// Bind LDAP-specific services // Bind LDAP-specific services
bind(ConfigurationService.class); bind(ConfigurationService.class);
bind(ConnectionService.class); bind(ConnectionService.class);
bind(EscapingService.class);
bind(LDAPConnectionService.class); bind(LDAPConnectionService.class);
bind(ObjectQueryService.class); bind(ObjectQueryService.class);
bind(UserGroupService.class); bind(UserGroupService.class);

230
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
View File

@@ -20,14 +20,28 @@
package org.apache.guacamole.auth.ldap; package org.apache.guacamole.auth.ldap;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.novell.ldap.LDAPConnection; import java.io.IOException;
import com.novell.ldap.LDAPConstraints; import org.apache.directory.api.ldap.model.exception.LdapException;
import com.novell.ldap.LDAPException; import org.apache.directory.api.ldap.model.filter.ExprNode;
import com.novell.ldap.LDAPJSSESecureSocketFactory; import org.apache.directory.api.ldap.model.message.BindRequest;
import com.novell.ldap.LDAPJSSEStartTLSFactory; import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import java.io.UnsupportedEncodingException; import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.message.SearchRequest;
import org.apache.directory.api.ldap.model.message.SearchRequestImpl;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.url.LdapUrl;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.GuacamoleUnsupportedException; import org.apache.guacamole.GuacamoleUnsupportedException;
import org.apache.guacamole.auth.ldap.conf.ConfigurationService;
import org.apache.guacamole.auth.ldap.conf.EncryptionMethod;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -39,7 +53,7 @@ public class LDAPConnectionService {
/** /**
* Logger for this class. * Logger for this class.
*/ */
private final Logger logger = LoggerFactory.getLogger(LDAPConnectionService.class); private static final Logger logger = LoggerFactory.getLogger(LDAPConnectionService.class);
/** /**
* Service for retrieving LDAP server configuration information. * Service for retrieving LDAP server configuration information.
@@ -48,19 +62,24 @@ public class LDAPConnectionService {
private ConfigurationService confService; private ConfigurationService confService;
/** /**
* Creates a new instance of LDAPConnection, configured as required to use * Creates a new instance of LdapNetworkConnection, configured as required
* whichever encryption method is requested within guacamole.properties. * to use whichever encryption method is requested within
* guacamole.properties.
* *
* @return * @return
* A new LDAPConnection instance which has already been configured to * A new LdapNetworkConnection instance which has already been
* use the encryption method requested within guacamole.properties. * configured to use the encryption method requested within
* guacamole.properties.
* *
* @throws GuacamoleException * @throws GuacamoleException
* If an error occurs while parsing guacamole.properties, or if the * If an error occurs while parsing guacamole.properties, or if the
* requested encryption method is actually not implemented (a bug). * requested encryption method is actually not implemented (a bug).
*/ */
private LDAPConnection createLDAPConnection() throws GuacamoleException { private LdapNetworkConnection createLDAPConnection() throws GuacamoleException {
String host = confService.getServerHostname();
int port = confService.getServerPort();
// Map encryption method to proper connection and socket factory // Map encryption method to proper connection and socket factory
EncryptionMethod encryptionMethod = confService.getEncryptionMethod(); EncryptionMethod encryptionMethod = confService.getEncryptionMethod();
switch (encryptionMethod) { switch (encryptionMethod) {
@@ -68,17 +87,17 @@ public class LDAPConnectionService {
// Unencrypted LDAP connection // Unencrypted LDAP connection
case NONE: case NONE:
logger.debug("Connection to LDAP server without encryption."); logger.debug("Connection to LDAP server without encryption.");
return new LDAPConnection(); return new LdapNetworkConnection(host, port);
// LDAP over SSL (LDAPS) // LDAP over SSL (LDAPS)
case SSL: case SSL:
logger.debug("Connecting to LDAP server using SSL/TLS."); logger.debug("Connecting to LDAP server using SSL/TLS.");
return new LDAPConnection(new LDAPJSSESecureSocketFactory()); return new LdapNetworkConnection(host, port, true);
// LDAP + STARTTLS // LDAP + STARTTLS
case STARTTLS: case STARTTLS:
logger.debug("Connecting to LDAP server using STARTTLS."); logger.debug("Connecting to LDAP server using STARTTLS.");
return new LDAPConnection(new LDAPJSSEStartTLSFactory()); return new LdapNetworkConnection(host, port);
// The encryption method, though known, is not actually // The encryption method, though known, is not actually
// implemented. If encountered, this would be a bug. // implemented. If encountered, this would be a bug.
@@ -106,86 +125,113 @@ public class LDAPConnectionService {
* @throws GuacamoleException * @throws GuacamoleException
* If an error occurs while binding to the LDAP server. * If an error occurs while binding to the LDAP server.
*/ */
public LDAPConnection bindAs(String userDN, String password) public LdapNetworkConnection bindAs(Dn userDN, String password)
throws GuacamoleException { throws GuacamoleException {
// Obtain appropriately-configured LDAPConnection instance // Obtain appropriately-configured LdapNetworkConnection instance
LDAPConnection ldapConnection = createLDAPConnection(); LdapNetworkConnection ldapConnection = createLDAPConnection();
// Configure LDAP connection constraints
LDAPConstraints ldapConstraints = ldapConnection.getConstraints();
if (ldapConstraints == null)
ldapConstraints = new LDAPConstraints();
// Set whether or not we follow referrals
ldapConstraints.setReferralFollowing(confService.getFollowReferrals());
// Set referral authentication to use the provided credentials.
if (userDN != null && !userDN.isEmpty())
ldapConstraints.setReferralHandler(new ReferralAuthHandler(userDN, password));
// Set the maximum number of referrals we follow
ldapConstraints.setHopLimit(confService.getMaxReferralHops());
// Set timelimit to wait for LDAP operations, converting to ms
ldapConstraints.setTimeLimit(confService.getOperationTimeout() * 1000);
// Apply the constraints to the connection
ldapConnection.setConstraints(ldapConstraints);
try { try {
// Connect to LDAP server // Connect to LDAP server
ldapConnection.connect( ldapConnection.connect();
confService.getServerHostname(),
confService.getServerPort()
);
// Explicitly start TLS if requested // Explicitly start TLS if requested
if (confService.getEncryptionMethod() == EncryptionMethod.STARTTLS) if (confService.getEncryptionMethod() == EncryptionMethod.STARTTLS)
ldapConnection.startTLS(); ldapConnection.startTls();
} }
catch (LDAPException e) { catch (LdapException e) {
logger.error("Unable to connect to LDAP server: {}", e.getMessage()); throw new GuacamoleServerException("Error connecting to LDAP server.", e);
logger.debug("Failed to connect to LDAP server.", e);
return null;
} }
// Bind using provided credentials // Bind using provided credentials
try { try {
byte[] passwordBytes; BindRequest bindRequest = new BindRequestImpl();
try { bindRequest.setDn(userDN);
bindRequest.setCredentials(password);
// Convert password into corresponding byte array BindResponse bindResponse = ldapConnection.bind(bindRequest);
if (password != null) if (bindResponse.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS)
passwordBytes = password.getBytes("UTF-8"); return ldapConnection;
else
passwordBytes = null; else
throw new GuacamoleInvalidCredentialsException("Error binding"
} + " to server: " + bindResponse.toString(),
catch (UnsupportedEncodingException e) { CredentialsInfo.USERNAME_PASSWORD);
logger.error("Unexpected lack of support for UTF-8: {}", e.getMessage());
logger.debug("Support for UTF-8 (as required by Java spec) not found.", e);
disconnect(ldapConnection);
return null;
}
// Bind as user
ldapConnection.bind(LDAPConnection.LDAP_V3, userDN, passwordBytes);
} }
// Disconnect if an error occurs during bind // Disconnect if an error occurs during bind
catch (LDAPException e) { catch (LdapException e) {
logger.debug("LDAP bind failed.", e); logger.debug("Unable to bind to LDAP server.", e);
disconnect(ldapConnection); disconnect(ldapConnection);
return null; throw new GuacamoleInvalidCredentialsException(
"Unable to bind to the LDAP server.",
CredentialsInfo.USERNAME_PASSWORD);
} }
return ldapConnection; }
/**
* Generate a new LdapNetworkConnection object for following a referral
* with the given LdapUrl, and copy the username and password
* from the original connection.
*
* @param referralUrl
* The LDAP URL to follow.
*
* @param ldapConfig
* The connection configuration to use to retrieve username and
* password.
*
* @param hop
* The current hop number of this referral - once the configured
* limit is reached, this method will throw an exception.
*
* @return
* A LdapNetworkConnection object that points at the location
* specified in the referralUrl.
*
* @throws GuacamoleException
* If an error occurs parsing out the LdapUrl object or the
* maximum number of referral hops is reached.
*/
public LdapNetworkConnection getReferralConnection(LdapUrl referralUrl,
LdapConnectionConfig ldapConfig, int hop)
throws GuacamoleException {
if (hop >= confService.getMaxReferralHops())
throw new GuacamoleServerException("Maximum number of referrals reached.");
LdapConnectionConfig referralConfig = new LdapConnectionConfig();
// Copy bind name and password from original config
referralConfig.setName(ldapConfig.getName());
referralConfig.setCredentials(ldapConfig.getCredentials());
// Look for host - if not there, bail out.
String host = referralUrl.getHost();
if (host == null || host.isEmpty())
throw new GuacamoleServerException("Referral URL contains no host.");
referralConfig.setLdapHost(host);
// Look for port, or assign a default.
int port = referralUrl.getPort();
if (port < 1)
referralConfig.setLdapPort(389);
else
referralConfig.setLdapPort(port);
// Deal with SSL connections
if (referralUrl.getScheme().equals(LdapUrl.LDAPS_SCHEME))
referralConfig.setUseSsl(true);
else
referralConfig.setUseSsl(false);
return new LdapNetworkConnection(referralConfig);
} }
/** /**
@@ -195,19 +241,53 @@ public class LDAPConnectionService {
* @param ldapConnection * @param ldapConnection
* The LDAP connection to disconnect. * The LDAP connection to disconnect.
*/ */
public void disconnect(LDAPConnection ldapConnection) { public void disconnect(LdapConnection ldapConnection) {
// Attempt disconnect // Attempt disconnect
try { try {
ldapConnection.disconnect(); ldapConnection.close();
} }
// Warn if disconnect unexpectedly fails // Warn if disconnect unexpectedly fails
catch (LDAPException e) { catch (IOException e) {
logger.warn("Unable to disconnect from LDAP server: {}", e.getMessage()); logger.warn("Unable to disconnect from LDAP server: {}", e.getMessage());
logger.debug("LDAP disconnect failed.", e); logger.debug("LDAP disconnect failed.", e);
} }
} }
/**
* Generate a SearchRequest object using the given Base DN and filter
* and retrieving other properties from the LDAP configuration service.
*
* @param baseDn
* The LDAP Base DN at which to search the search.
*
* @param filter
* A string representation of a LDAP filter to use for the search.
*
* @return
* The properly-configured SearchRequest object.
*
* @throws GuacamoleException
* If an error occurs retrieving any of the configuration values.
*/
public SearchRequest getSearchRequest(Dn baseDn, ExprNode filter)
throws GuacamoleException {
SearchRequest searchRequest = new SearchRequestImpl();
searchRequest.setBase(baseDn);
searchRequest.setDerefAliases(confService.getDereferenceAliases());
searchRequest.setScope(SearchScope.SUBTREE);
searchRequest.setFilter(filter);
searchRequest.setSizeLimit(confService.getMaxResults());
searchRequest.setTimeLimit(confService.getOperationTimeout());
searchRequest.setTypesOnly(false);
if (confService.getFollowReferrals())
searchRequest.followReferrals();
return searchRequest;
}
} }

156
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java
View File

@@ -20,18 +20,28 @@
package org.apache.guacamole.auth.ldap; package org.apache.guacamole.auth.ldap;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.novell.ldap.LDAPAttribute;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPEntry;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPReferralException;
import com.novell.ldap.LDAPSearchResults;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.function.Function; import java.util.function.Function;
import org.apache.directory.api.ldap.model.cursor.CursorException;
import org.apache.directory.api.ldap.model.cursor.SearchCursor;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
import org.apache.directory.api.ldap.model.filter.AndNode;
import org.apache.directory.api.ldap.model.filter.EqualityNode;
import org.apache.directory.api.ldap.model.filter.ExprNode;
import org.apache.directory.api.ldap.model.filter.OrNode;
import org.apache.directory.api.ldap.model.message.Referral;
import org.apache.directory.api.ldap.model.message.SearchRequest;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.url.LdapUrl;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.net.auth.Identifiable; import org.apache.guacamole.net.auth.Identifiable;
@@ -50,19 +60,13 @@ public class ObjectQueryService {
/** /**
* Logger for this class. * Logger for this class.
*/ */
private final Logger logger = LoggerFactory.getLogger(ObjectQueryService.class); private static final Logger logger = LoggerFactory.getLogger(ObjectQueryService.class);
/** /**
* Service for escaping parts of LDAP queries. * Service for connecting to LDAP directory.
*/ */
@Inject @Inject
private EscapingService escapingService; private LDAPConnectionService ldapService;
/**
* Service for retrieving LDAP server configuration information.
*/
@Inject
private ConfigurationService confService;
/** /**
* Returns the identifier of the object represented by the given LDAP * Returns the identifier of the object represented by the given LDAP
@@ -86,14 +90,18 @@ public class ObjectQueryService {
* The identifier of the object represented by the given LDAP entry, or * The identifier of the object represented by the given LDAP entry, or
* null if no attributes declared as containing the identifier of the * null if no attributes declared as containing the identifier of the
* object are present on the entry. * object are present on the entry.
*
* @throws LdapInvalidAttributeValueException
* If an error occurs retrieving the value of the identifier attribute.
*/ */
public String getIdentifier(LDAPEntry entry, Collection<String> attributes) { public String getIdentifier(Entry entry, Collection<String> attributes)
throws LdapInvalidAttributeValueException {
// Retrieve the first value of the highest priority identifier attribute // Retrieve the first value of the highest priority identifier attribute
for (String identifierAttribute : attributes) { for (String identifierAttribute : attributes) {
LDAPAttribute identifier = entry.getAttribute(identifierAttribute); Attribute identifier = entry.get(identifierAttribute);
if (identifier != null) if (identifier != null)
return identifier.getStringValue(); return identifier.getString();
} }
// No identifier attribute is present on the entry // No identifier attribute is present on the entry
@@ -125,42 +133,25 @@ public class ObjectQueryService {
* An LDAP query which will search for arbitrary LDAP objects having at * An LDAP query which will search for arbitrary LDAP objects having at
* least one of the given attributes set to the specified value. * least one of the given attributes set to the specified value.
*/ */
public String generateQuery(String filter, public ExprNode generateQuery(ExprNode filter,
Collection<String> attributes, String attributeValue) { Collection<String> attributes, String attributeValue) {
// Build LDAP query for objects having at least one attribute and with // Build LDAP query for objects having at least one attribute and with
// the given search filter // the given search filter
StringBuilder ldapQuery = new StringBuilder(); AndNode searchFilter = new AndNode();
ldapQuery.append("(&"); searchFilter.addNode(filter);
ldapQuery.append(filter);
// Include all attributes within OR clause if there are more than one // Include all attributes within OR clause if there are more than one
if (attributes.size() > 1) OrNode attributeFilter = new OrNode();
ldapQuery.append("(|");
// Add equality comparison for each possible attribute // Add equality comparison for each possible attribute
for (String attribute : attributes) { attributes.forEach(attribute ->
ldapQuery.append("("); attributeFilter.addNode(new EqualityNode(attribute, attributeValue))
ldapQuery.append(escapingService.escapeLDAPSearchFilter(attribute)); );
if (attributeValue != null) { searchFilter.addNode(attributeFilter);
ldapQuery.append("=");
ldapQuery.append(escapingService.escapeLDAPSearchFilter(attributeValue)); return searchFilter;
ldapQuery.append(")");
}
else
ldapQuery.append("=*)");
}
// Close OR clause, if any
if (attributes.size() > 1)
ldapQuery.append(")");
// Close overall query (AND clause)
ldapQuery.append(")");
return ldapQuery.toString();
} }
@@ -178,6 +169,10 @@ public class ObjectQueryService {
* *
* @param query * @param query
* The LDAP query to execute. * The LDAP query to execute.
*
* @param searchHop
* The current level of referral depth for this search, used for
* limiting the maximum depth to which referrals can go.
* *
* @return * @return
* A list of all results accessible to the user currently bound under * A list of all results accessible to the user currently bound under
@@ -188,51 +183,50 @@ public class ObjectQueryService {
* information required to execute the query cannot be read from * information required to execute the query cannot be read from
* guacamole.properties. * guacamole.properties.
*/ */
public List<LDAPEntry> search(LDAPConnection ldapConnection, public List<Entry> search(LdapNetworkConnection ldapConnection,
String baseDN, String query) throws GuacamoleException { Dn baseDN, ExprNode query, int searchHop) throws GuacamoleException {
logger.debug("Searching \"{}\" for objects matching \"{}\".", baseDN, query); logger.debug("Searching \"{}\" for objects matching \"{}\".", baseDN, query);
try { try {
LdapConnectionConfig ldapConnectionConfig = ldapConnection.getConfig();
// Search within subtree of given base DN // Search within subtree of given base DN
LDAPSearchResults results = ldapConnection.search(baseDN, SearchRequest request = ldapService.getSearchRequest(baseDN,
LDAPConnection.SCOPE_SUB, query, null, false, query);
confService.getLDAPSearchConstraints());
SearchCursor results = ldapConnection.search(request);
// Produce list of all entries in the search result, automatically // Produce list of all entries in the search result, automatically
// following referrals if configured to do so // following referrals if configured to do so
List<LDAPEntry> entries = new ArrayList<>(results.getCount()); List<Entry> entries = new ArrayList<>();
while (results.hasMore()) { while (results.next()) {
try { if (results.isEntry()) {
entries.add(results.next()); entries.add(results.getEntry());
} }
else if (results.isReferral() && request.isFollowReferrals()) {
// Warn if referrals cannot be followed
catch (LDAPReferralException e) { Referral referral = results.getReferral();
if (confService.getFollowReferrals()) { for (String url : referral.getLdapUrls()) {
logger.error("Could not follow referral: {}", e.getFailedReferral()); LdapNetworkConnection referralConnection =
logger.debug("Error encountered trying to follow referral.", e); ldapService.getReferralConnection(
throw new GuacamoleServerException("Could not follow LDAP referral.", e); new LdapUrl(url),
} ldapConnectionConfig, searchHop++
else { );
logger.warn("Given a referral, but referrals are disabled. Error was: {}", e.getMessage()); entries.addAll(search(referralConnection, baseDN, query,
logger.debug("Got a referral, but configured to not follow them.", e); searchHop));
} }
} }
catch (LDAPException e) {
logger.warn("Failed to process an LDAP search result. Error was: {}", e.resultCodeToString());
logger.debug("Error processing LDAPEntry search result.", e);
}
} }
return entries; return entries;
} }
catch (LDAPException | GuacamoleException e) { catch (CursorException | LdapException e) {
throw new GuacamoleServerException("Unable to query list of " throw new GuacamoleServerException("Unable to query list of "
+ "objects from LDAP directory.", e); + "objects from LDAP directory.", e);
} }
@@ -274,11 +268,11 @@ public class ObjectQueryService {
* information required to execute the query cannot be read from * information required to execute the query cannot be read from
* guacamole.properties. * guacamole.properties.
*/ */
public List<LDAPEntry> search(LDAPConnection ldapConnection, String baseDN, public List<Entry> search(LdapNetworkConnection ldapConnection, Dn baseDN,
String filter, Collection<String> attributes, String attributeValue) ExprNode filter, Collection<String> attributes, String attributeValue)
throws GuacamoleException { throws GuacamoleException {
String query = generateQuery(filter, attributes, attributeValue); ExprNode query = generateQuery(filter, attributes, attributeValue);
return search(ldapConnection, baseDN, query); return search(ldapConnection, baseDN, query, 0);
} }
/** /**
@@ -302,15 +296,15 @@ public class ObjectQueryService {
* {@link Map} under its corresponding identifier. * {@link Map} under its corresponding identifier.
*/ */
public <ObjectType extends Identifiable> Map<String, ObjectType> public <ObjectType extends Identifiable> Map<String, ObjectType>
asMap(List<LDAPEntry> entries, Function<LDAPEntry, ObjectType> mapper) { asMap(List<Entry> entries, Function<Entry, ObjectType> mapper) {
// Convert each entry to the corresponding Guacamole API object // Convert each entry to the corresponding Guacamole API object
Map<String, ObjectType> objects = new HashMap<>(entries.size()); Map<String, ObjectType> objects = new HashMap<>(entries.size());
for (LDAPEntry entry : entries) { for (Entry entry : entries) {
ObjectType object = mapper.apply(entry); ObjectType object = mapper.apply(entry);
if (object == null) { if (object == null) {
logger.debug("Ignoring object \"{}\".", entry.getDN()); logger.debug("Ignoring object \"{}\".", entry.getDn().toString());
continue; continue;
} }
@@ -320,7 +314,7 @@ public class ObjectQueryService {
if (objects.putIfAbsent(identifier, object) != null) if (objects.putIfAbsent(identifier, object) != null)
logger.warn("Multiple objects ambiguously map to the " logger.warn("Multiple objects ambiguously map to the "
+ "same identifier (\"{}\"). Ignoring \"{}\" as " + "same identifier (\"{}\"). Ignoring \"{}\" as "
+ "a duplicate.", identifier, entry.getDN()); + "a duplicate.", identifier, entry.getDn().toString());
} }

79
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ReferralAuthHandler.java
View File

@@ -1,79 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.auth.ldap;
import com.novell.ldap.LDAPAuthHandler;
import com.novell.ldap.LDAPAuthProvider;
import java.io.UnsupportedEncodingException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Class that implements the necessary authentication handling
* for following referrals in LDAP connections.
*/
public class ReferralAuthHandler implements LDAPAuthHandler {
/**
* Logger for this class.
*/
private final Logger logger = LoggerFactory.getLogger(ReferralAuthHandler.class);
/**
* The LDAPAuthProvider object that will be set and returned to the referral handler.
*/
private final LDAPAuthProvider ldapAuth;
/**
* Creates a ReferralAuthHandler object to handle authentication when
* following referrals in a LDAP connection, using the provided dn and
* password.
*
* @param dn
* The distinguished name to use for the referral login.
*
* @param password
* The password to use for the referral login.
*/
public ReferralAuthHandler(String dn, String password) {
byte[] passwordBytes;
try {
// Convert password into corresponding byte array
if (password != null)
passwordBytes = password.getBytes("UTF-8");
else
passwordBytes = null;
}
catch (UnsupportedEncodingException e) {
logger.error("Unexpected lack of support for UTF-8: {}", e.getMessage());
logger.debug("Support for UTF-8 (as required by Java spec) not found.", e);
throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e);
}
ldapAuth = new LDAPAuthProvider(dn, passwordBytes);
}
@Override
public LDAPAuthProvider getAuthProvider(String host, int port) {
return ldapAuth;
}
}

63
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java → extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
View File

@@ -17,27 +17,23 @@
* under the License. * under the License.
*/ */
package org.apache.guacamole.auth.ldap; package org.apache.guacamole.auth.ldap.conf;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.novell.ldap.LDAPSearchConstraints;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
import org.apache.directory.api.ldap.model.filter.ExprNode;
import org.apache.directory.api.ldap.model.filter.PresenceNode;
import org.apache.directory.api.ldap.model.message.AliasDerefMode;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.environment.Environment; import org.apache.guacamole.environment.Environment;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/** /**
* Service for retrieving configuration information regarding the LDAP server. * Service for retrieving configuration information regarding the LDAP server.
*/ */
public class ConfigurationService { public class ConfigurationService {
/**
* Logger for this class.
*/
private final Logger logger = LoggerFactory.getLogger(ConfigurationService.class);
/** /**
* The Guacamole server environment. * The Guacamole server environment.
*/ */
@@ -113,7 +109,7 @@ public class ConfigurationService {
* If guacamole.properties cannot be parsed, or if the user base DN * If guacamole.properties cannot be parsed, or if the user base DN
* property is not specified. * property is not specified.
*/ */
public String getUserBaseDN() throws GuacamoleException { public Dn getUserBaseDN() throws GuacamoleException {
return environment.getRequiredProperty( return environment.getRequiredProperty(
LDAPGuacamoleProperties.LDAP_USER_BASE_DN LDAPGuacamoleProperties.LDAP_USER_BASE_DN
); );
@@ -132,7 +128,7 @@ public class ConfigurationService {
* @throws GuacamoleException * @throws GuacamoleException
* If guacamole.properties cannot be parsed. * If guacamole.properties cannot be parsed.
*/ */
public String getConfigurationBaseDN() throws GuacamoleException { public Dn getConfigurationBaseDN() throws GuacamoleException {
return environment.getProperty( return environment.getProperty(
LDAPGuacamoleProperties.LDAP_CONFIG_BASE_DN LDAPGuacamoleProperties.LDAP_CONFIG_BASE_DN
); );
@@ -168,7 +164,7 @@ public class ConfigurationService {
* @throws GuacamoleException * @throws GuacamoleException
* If guacamole.properties cannot be parsed. * If guacamole.properties cannot be parsed.
*/ */
public String getGroupBaseDN() throws GuacamoleException { public Dn getGroupBaseDN() throws GuacamoleException {
return environment.getProperty( return environment.getProperty(
LDAPGuacamoleProperties.LDAP_GROUP_BASE_DN LDAPGuacamoleProperties.LDAP_GROUP_BASE_DN
); );
@@ -187,7 +183,7 @@ public class ConfigurationService {
* @throws GuacamoleException * @throws GuacamoleException
* If guacamole.properties cannot be parsed. * If guacamole.properties cannot be parsed.
*/ */
public String getSearchBindDN() throws GuacamoleException { public Dn getSearchBindDN() throws GuacamoleException {
return environment.getProperty( return environment.getProperty(
LDAPGuacamoleProperties.LDAP_SEARCH_BIND_DN LDAPGuacamoleProperties.LDAP_SEARCH_BIND_DN
); );
@@ -242,7 +238,7 @@ public class ConfigurationService {
* @throws GuacamoleException * @throws GuacamoleException
* If guacamole.properties cannot be parsed. * If guacamole.properties cannot be parsed.
*/ */
private int getMaxResults() throws GuacamoleException { public int getMaxResults() throws GuacamoleException {
return environment.getProperty( return environment.getProperty(
LDAPGuacamoleProperties.LDAP_MAX_SEARCH_RESULTS, LDAPGuacamoleProperties.LDAP_MAX_SEARCH_RESULTS,
1000 1000
@@ -262,10 +258,10 @@ public class ConfigurationService {
* @throws GuacamoleException * @throws GuacamoleException
* If guacamole.properties cannot be parsed. * If guacamole.properties cannot be parsed.
*/ */
private DereferenceAliasesMode getDereferenceAliases() throws GuacamoleException { public AliasDerefMode getDereferenceAliases() throws GuacamoleException {
return environment.getProperty( return environment.getProperty(
LDAPGuacamoleProperties.LDAP_DEREFERENCE_ALIASES, LDAPGuacamoleProperties.LDAP_DEREFERENCE_ALIASES,
DereferenceAliasesMode.NEVER AliasDerefMode.NEVER_DEREF_ALIASES
); );
} }
@@ -288,28 +284,8 @@ public class ConfigurationService {
} }
/** /**
* Returns a set of LDAPSearchConstraints to apply globally * Returns the maximum number of referral hops to follow. By default
* to all LDAP searches. * a maximum of 5 hops is allowed.
*
* @return
* A LDAPSearchConstraints object containing constraints
* to be applied to all LDAP search operations.
*
* @throws GuacamoleException
* If guacamole.properties cannot be parsed.
*/
public LDAPSearchConstraints getLDAPSearchConstraints() throws GuacamoleException {
LDAPSearchConstraints constraints = new LDAPSearchConstraints();
constraints.setMaxResults(getMaxResults());
constraints.setDereference(getDereferenceAliases().DEREF_VALUE);
return constraints;
}
/**
* Returns the maximum number of referral hops to follow.
* *
* @return * @return
* The maximum number of referral hops to follow * The maximum number of referral hops to follow
@@ -328,20 +304,20 @@ public class ConfigurationService {
/** /**
* Returns the search filter that should be used when querying the * Returns the search filter that should be used when querying the
* LDAP server for Guacamole users. If no filter is specified, * LDAP server for Guacamole users. If no filter is specified,
* a default of "(objectClass=*)" is returned. * a default of "(objectClass=user)" is returned.
* *
* @return * @return
* The search filter that should be used when querying the * The search filter that should be used when querying the
* LDAP server for users that are valid in Guacamole, or * LDAP server for users that are valid in Guacamole, or
* "(objectClass=*)" if not specified. * "(objectClass=user)" if not specified.
* *
* @throws GuacamoleException * @throws GuacamoleException
* If guacamole.properties cannot be parsed. * If guacamole.properties cannot be parsed.
*/ */
public String getUserSearchFilter() throws GuacamoleException { public ExprNode getUserSearchFilter() throws GuacamoleException {
return environment.getProperty( return environment.getProperty(
LDAPGuacamoleProperties.LDAP_USER_SEARCH_FILTER, LDAPGuacamoleProperties.LDAP_USER_SEARCH_FILTER,
"(objectClass=*)" new PresenceNode("objectClass")
); );
} }
@@ -363,7 +339,8 @@ public class ConfigurationService {
} }
/** /**
* Returns names for custom LDAP user attributes. * Returns names for custom LDAP user attributes. By default no
* attributes will be returned.
* *
* @return * @return
* Custom LDAP user attributes as configured in guacamole.properties. * Custom LDAP user attributes as configured in guacamole.properties.

21
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/DereferenceAliasesProperty.java → extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/DereferenceAliasesProperty.java
View File

@@ -17,21 +17,22 @@
* under the License. * under the License.
*/ */
package org.apache.guacamole.auth.ldap; package org.apache.guacamole.auth.ldap.conf;
import org.apache.directory.api.ldap.model.message.AliasDerefMode;
import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.properties.GuacamoleProperty; import org.apache.guacamole.properties.GuacamoleProperty;
/** /**
* A GuacamoleProperty with a value of DereferenceAliases. The possible strings * A GuacamoleProperty with a value of AliasDerefMode. The possible strings
* "never", "searching", "finding", and "always" are mapped to their values as a * "never", "searching", "finding", and "always" are mapped to their values as
* DereferenceAliases enum. Anything else results in a parse error. * an AliasDerefMode object. Anything else results in a parse error.
*/ */
public abstract class DereferenceAliasesProperty implements GuacamoleProperty<DereferenceAliasesMode> { public abstract class DereferenceAliasesProperty implements GuacamoleProperty<AliasDerefMode> {
@Override @Override
public DereferenceAliasesMode parseValue(String value) throws GuacamoleException { public AliasDerefMode parseValue(String value) throws GuacamoleException {
// No value provided, so return null. // No value provided, so return null.
if (value == null) if (value == null)
@@ -39,19 +40,19 @@ public abstract class DereferenceAliasesProperty implements GuacamoleProperty<De
// Never dereference aliases // Never dereference aliases
if (value.equals("never")) if (value.equals("never"))
return DereferenceAliasesMode.NEVER; return AliasDerefMode.NEVER_DEREF_ALIASES;
// Dereference aliases during search operations, but not at base // Dereference aliases during search operations, but not at base
if (value.equals("searching")) if (value.equals("searching"))
return DereferenceAliasesMode.SEARCHING; return AliasDerefMode.DEREF_IN_SEARCHING;
// Dereference aliases to locate base, but not during searches // Dereference aliases to locate base, but not during searches
if (value.equals("finding")) if (value.equals("finding"))
return DereferenceAliasesMode.FINDING; return AliasDerefMode.DEREF_FINDING_BASE_OBJ;
// Always dereference aliases // Always dereference aliases
if (value.equals("always")) if (value.equals("always"))
return DereferenceAliasesMode.ALWAYS; return AliasDerefMode.DEREF_ALWAYS;
// Anything else is invalid and results in an error // Anything else is invalid and results in an error
throw new GuacamoleServerException("Dereference aliases must be one of \"never\", \"searching\", \"finding\", or \"always\"."); throw new GuacamoleServerException("Dereference aliases must be one of \"never\", \"searching\", \"finding\", or \"always\".");

2
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/EncryptionMethod.java → extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/EncryptionMethod.java
View File

@@ -17,7 +17,7 @@
* under the License. * under the License.
*/ */
package org.apache.guacamole.auth.ldap; package org.apache.guacamole.auth.ldap.conf;
/** /**
* All possible encryption methods which may be used when connecting to an LDAP * All possible encryption methods which may be used when connecting to an LDAP

2
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/EncryptionMethodProperty.java → extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/EncryptionMethodProperty.java
View File

@@ -17,7 +17,7 @@
* under the License. * under the License.
*/ */
package org.apache.guacamole.auth.ldap; package org.apache.guacamole.auth.ldap.conf;
import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.GuacamoleServerException;

56
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java → extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
View File

@@ -17,7 +17,7 @@
* under the License. * under the License.
*/ */
package org.apache.guacamole.auth.ldap; package org.apache.guacamole.auth.ldap.conf;
import org.apache.guacamole.properties.BooleanGuacamoleProperty; import org.apache.guacamole.properties.BooleanGuacamoleProperty;
import org.apache.guacamole.properties.IntegerGuacamoleProperty; import org.apache.guacamole.properties.IntegerGuacamoleProperty;
@@ -39,7 +39,8 @@ public class LDAPGuacamoleProperties {
/** /**
* The base DN to search for Guacamole configurations. * The base DN to search for Guacamole configurations.
*/ */
public static final StringGuacamoleProperty LDAP_CONFIG_BASE_DN = new StringGuacamoleProperty() { public static final LdapDnGuacamoleProperty LDAP_CONFIG_BASE_DN =
new LdapDnGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-config-base-dn"; } public String getName() { return "ldap-config-base-dn"; }
@@ -52,7 +53,8 @@ public class LDAPGuacamoleProperties {
* credentials for querying other LDAP users, all users must be direct * credentials for querying other LDAP users, all users must be direct
* children of this base DN, varying only by LDAP_USERNAME_ATTRIBUTE. * children of this base DN, varying only by LDAP_USERNAME_ATTRIBUTE.
*/ */
public static final StringGuacamoleProperty LDAP_USER_BASE_DN = new StringGuacamoleProperty() { public static final LdapDnGuacamoleProperty LDAP_USER_BASE_DN =
new LdapDnGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-user-base-dn"; } public String getName() { return "ldap-user-base-dn"; }
@@ -64,7 +66,8 @@ public class LDAPGuacamoleProperties {
* will be used for RBAC must be contained somewhere within the subtree of * will be used for RBAC must be contained somewhere within the subtree of
* this DN. * this DN.
*/ */
public static final StringGuacamoleProperty LDAP_GROUP_BASE_DN = new StringGuacamoleProperty() { public static final LdapDnGuacamoleProperty LDAP_GROUP_BASE_DN =
new LdapDnGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-group-base-dn"; } public String getName() { return "ldap-group-base-dn"; }
@@ -79,7 +82,8 @@ public class LDAPGuacamoleProperties {
* one attribute, and the concatenation of that attribute and the value of * one attribute, and the concatenation of that attribute and the value of
* LDAP_USER_BASE_DN must equal the user's full DN. * LDAP_USER_BASE_DN must equal the user's full DN.
*/ */
public static final StringListProperty LDAP_USERNAME_ATTRIBUTE = new StringListProperty() { public static final StringListProperty LDAP_USERNAME_ATTRIBUTE =
new StringListProperty() {
@Override @Override
public String getName() { return "ldap-username-attribute"; } public String getName() { return "ldap-username-attribute"; }
@@ -91,7 +95,8 @@ public class LDAPGuacamoleProperties {
* attributes must be present within each Guacamole user group's record in * attributes must be present within each Guacamole user group's record in
* the LDAP directory for that group to be visible. * the LDAP directory for that group to be visible.
*/ */
public static final StringListProperty LDAP_GROUP_NAME_ATTRIBUTE = new StringListProperty() { public static final StringListProperty LDAP_GROUP_NAME_ATTRIBUTE =
new StringListProperty() {
@Override @Override
public String getName() { return "ldap-group-name-attribute"; } public String getName() { return "ldap-group-name-attribute"; }
@@ -101,7 +106,8 @@ public class LDAPGuacamoleProperties {
/** /**
* The port on the LDAP server to connect to when authenticating users. * The port on the LDAP server to connect to when authenticating users.
*/ */
public static final IntegerGuacamoleProperty LDAP_PORT = new IntegerGuacamoleProperty() { public static final IntegerGuacamoleProperty LDAP_PORT =
new IntegerGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-port"; } public String getName() { return "ldap-port"; }
@@ -111,7 +117,8 @@ public class LDAPGuacamoleProperties {
/** /**
* The hostname of the LDAP server to connect to when authenticating users. * The hostname of the LDAP server to connect to when authenticating users.
*/ */
public static final StringGuacamoleProperty LDAP_HOSTNAME = new StringGuacamoleProperty() { public static final StringGuacamoleProperty LDAP_HOSTNAME =
new StringGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-hostname"; } public String getName() { return "ldap-hostname"; }
@@ -124,7 +131,8 @@ public class LDAPGuacamoleProperties {
* specified, the DNs of users attempting to log in will be derived from * specified, the DNs of users attempting to log in will be derived from
* the LDAP_BASE_DN and LDAP_USERNAME_ATTRIBUTE directly. * the LDAP_BASE_DN and LDAP_USERNAME_ATTRIBUTE directly.
*/ */
public static final StringGuacamoleProperty LDAP_SEARCH_BIND_DN = new StringGuacamoleProperty() { public static final LdapDnGuacamoleProperty LDAP_SEARCH_BIND_DN =
new LdapDnGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-search-bind-dn"; } public String getName() { return "ldap-search-bind-dn"; }
@@ -137,7 +145,8 @@ public class LDAPGuacamoleProperties {
* property has no effect. If this property is not specified, no password * property has no effect. If this property is not specified, no password
* will be provided when attempting to bind as LDAP_SEARCH_BIND_DN. * will be provided when attempting to bind as LDAP_SEARCH_BIND_DN.
*/ */
public static final StringGuacamoleProperty LDAP_SEARCH_BIND_PASSWORD = new StringGuacamoleProperty() { public static final StringGuacamoleProperty LDAP_SEARCH_BIND_PASSWORD =
new StringGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-search-bind-password"; } public String getName() { return "ldap-search-bind-password"; }
@@ -149,7 +158,8 @@ public class LDAPGuacamoleProperties {
* The chosen method will also dictate the default port if not already * The chosen method will also dictate the default port if not already
* explicitly specified via LDAP_PORT. * explicitly specified via LDAP_PORT.
*/ */
public static final EncryptionMethodProperty LDAP_ENCRYPTION_METHOD = new EncryptionMethodProperty() { public static final EncryptionMethodProperty LDAP_ENCRYPTION_METHOD =
new EncryptionMethodProperty() {
@Override @Override
public String getName() { return "ldap-encryption-method"; } public String getName() { return "ldap-encryption-method"; }
@@ -159,7 +169,8 @@ public class LDAPGuacamoleProperties {
/** /**
* The maximum number of results a LDAP query can return. * The maximum number of results a LDAP query can return.
*/ */
public static final IntegerGuacamoleProperty LDAP_MAX_SEARCH_RESULTS = new IntegerGuacamoleProperty() { public static final IntegerGuacamoleProperty LDAP_MAX_SEARCH_RESULTS =
new IntegerGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-max-search-results"; } public String getName() { return "ldap-max-search-results"; }
@@ -170,7 +181,8 @@ public class LDAPGuacamoleProperties {
* Property that controls whether or not the LDAP connection follows * Property that controls whether or not the LDAP connection follows
* (dereferences) aliases as it searches the tree. * (dereferences) aliases as it searches the tree.
*/ */
public static final DereferenceAliasesProperty LDAP_DEREFERENCE_ALIASES = new DereferenceAliasesProperty() { public static final DereferenceAliasesProperty LDAP_DEREFERENCE_ALIASES =
new DereferenceAliasesProperty() {
@Override @Override
public String getName() { return "ldap-dereference-aliases"; } public String getName() { return "ldap-dereference-aliases"; }
@@ -180,7 +192,8 @@ public class LDAPGuacamoleProperties {
/** /**
* A search filter to apply to user LDAP queries. * A search filter to apply to user LDAP queries.
*/ */
public static final StringGuacamoleProperty LDAP_USER_SEARCH_FILTER = new StringGuacamoleProperty() { public static final LdapFilterGuacamoleProperty LDAP_USER_SEARCH_FILTER =
new LdapFilterGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-user-search-filter"; } public String getName() { return "ldap-user-search-filter"; }
@@ -190,7 +203,8 @@ public class LDAPGuacamoleProperties {
/** /**
* Whether or not we should follow referrals. * Whether or not we should follow referrals.
*/ */
public static final BooleanGuacamoleProperty LDAP_FOLLOW_REFERRALS = new BooleanGuacamoleProperty() { public static final BooleanGuacamoleProperty LDAP_FOLLOW_REFERRALS =
new BooleanGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-follow-referrals"; } public String getName() { return "ldap-follow-referrals"; }
@@ -200,7 +214,8 @@ public class LDAPGuacamoleProperties {
/** /**
* Maximum number of referral hops to follow. * Maximum number of referral hops to follow.
*/ */
public static final IntegerGuacamoleProperty LDAP_MAX_REFERRAL_HOPS = new IntegerGuacamoleProperty() { public static final IntegerGuacamoleProperty LDAP_MAX_REFERRAL_HOPS =
new IntegerGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-max-referral-hops"; } public String getName() { return "ldap-max-referral-hops"; }
@@ -210,7 +225,8 @@ public class LDAPGuacamoleProperties {
/** /**
* Number of seconds to wait for LDAP operations to complete. * Number of seconds to wait for LDAP operations to complete.
*/ */
public static final IntegerGuacamoleProperty LDAP_OPERATION_TIMEOUT = new IntegerGuacamoleProperty() { public static final IntegerGuacamoleProperty LDAP_OPERATION_TIMEOUT =
new IntegerGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-operation-timeout"; } public String getName() { return "ldap-operation-timeout"; }
@@ -221,7 +237,8 @@ public class LDAPGuacamoleProperties {
* Custom attribute or attributes to query from Guacamole user's record in * Custom attribute or attributes to query from Guacamole user's record in
* the LDAP directory. * the LDAP directory.
*/ */
public static final StringListProperty LDAP_USER_ATTRIBUTES = new StringListProperty() { public static final StringListProperty LDAP_USER_ATTRIBUTES =
new StringListProperty() {
@Override @Override
public String getName() { return "ldap-user-attributes"; } public String getName() { return "ldap-user-attributes"; }
@@ -231,7 +248,8 @@ public class LDAPGuacamoleProperties {
/** /**
* LDAP attribute used to enumerate members of a group in the LDAP directory. * LDAP attribute used to enumerate members of a group in the LDAP directory.
*/ */
public static final StringGuacamoleProperty LDAP_MEMBER_ATTRIBUTE = new StringGuacamoleProperty() { public static final StringGuacamoleProperty LDAP_MEMBER_ATTRIBUTE =
new StringGuacamoleProperty() {
@Override @Override
public String getName() { return "ldap-member-attribute"; } public String getName() { return "ldap-member-attribute"; }

50
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapDnGuacamoleProperty.java Normal file
View File

@@ -0,0 +1,50 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.auth.ldap.conf;
import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.properties.GuacamoleProperty;
/**
* A GuacamoleProperty that converts a string to a Dn that can be used
* in LDAP connections. An exception is thrown if the provided DN is invalid
* and cannot be parsed.
*/
public abstract class LdapDnGuacamoleProperty implements GuacamoleProperty<Dn> {
@Override
public Dn parseValue(String value) throws GuacamoleException {
if (value == null)
return null;
try {
return new Dn(value);
}
catch (LdapInvalidDnException e) {
throw new GuacamoleServerException("The DN \"" + value + "\" is invalid.", e);
}
}
}

53
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LdapFilterGuacamoleProperty.java Normal file
View File

@@ -0,0 +1,53 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.auth.ldap.conf;
import java.text.ParseException;
import org.apache.directory.api.ldap.model.filter.ExprNode;
import org.apache.directory.api.ldap.model.filter.FilterParser;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.properties.GuacamoleProperty;
/**
* A GuacamoleProperty with a value of an ExprNode query filter. The string
* provided is passed through the FilterParser returning the ExprNode object,
* or an exception is thrown if the filter is invalid and cannot be correctly
* parsed.
*/
public abstract class LdapFilterGuacamoleProperty implements GuacamoleProperty<ExprNode> {
@Override
public ExprNode parseValue(String value) throws GuacamoleException {
// No value provided, so return null.
if (value == null)
return null;
try {
return FilterParser.parse(value);
}
catch (ParseException e) {
throw new GuacamoleServerException("\"" + value + "\" is not a valid LDAP filter.", e);
}
}
}

2
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/StringListProperty.java → extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/StringListProperty.java
View File

@@ -17,7 +17,7 @@
* under the License. * under the License.
*/ */
package org.apache.guacamole.auth.ldap; package org.apache.guacamole.auth.ldap.conf;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;

127
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
View File

@@ -20,17 +20,22 @@
package org.apache.guacamole.auth.ldap.connection; package org.apache.guacamole.auth.ldap.connection;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.novell.ldap.LDAPAttribute;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPEntry;
import com.novell.ldap.LDAPException;
import java.util.Collections; import java.util.Collections;
import java.util.Enumeration;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
import org.apache.directory.api.ldap.model.filter.AndNode;
import org.apache.directory.api.ldap.model.filter.EqualityNode;
import org.apache.directory.api.ldap.model.filter.ExprNode;
import org.apache.directory.api.ldap.model.filter.OrNode;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider; import org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider;
import org.apache.guacamole.auth.ldap.ConfigurationService; import org.apache.guacamole.auth.ldap.conf.ConfigurationService;
import org.apache.guacamole.auth.ldap.EscapingService;
import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.auth.ldap.ObjectQueryService; import org.apache.guacamole.auth.ldap.ObjectQueryService;
@@ -53,13 +58,7 @@ public class ConnectionService {
/** /**
* Logger for this class. * Logger for this class.
*/ */
private final Logger logger = LoggerFactory.getLogger(ConnectionService.class); private static final Logger logger = LoggerFactory.getLogger(ConnectionService.class);
/**
* Service for escaping parts of LDAP queries.
*/
@Inject
private EscapingService escapingService;
/** /**
* Service for retrieving LDAP server configuration information. * Service for retrieving LDAP server configuration information.
@@ -100,17 +99,18 @@ public class ConnectionService {
* If an error occurs preventing retrieval of connections. * If an error occurs preventing retrieval of connections.
*/ */
public Map<String, Connection> getConnections(AuthenticatedUser user, public Map<String, Connection> getConnections(AuthenticatedUser user,
LDAPConnection ldapConnection) throws GuacamoleException { LdapNetworkConnection ldapConnection) throws GuacamoleException {
// Do not return any connections if base DN is not specified // Do not return any connections if base DN is not specified
String configurationBaseDN = confService.getConfigurationBaseDN(); Dn configurationBaseDN = confService.getConfigurationBaseDN();
if (configurationBaseDN == null) if (configurationBaseDN == null)
return Collections.<String, Connection>emptyMap(); return Collections.<String, Connection>emptyMap();
try { try {
// Pull the current user DN from the LDAP connection // Pull the current user DN from the LDAP connection
String userDN = ldapConnection.getAuthenticationDN(); LdapConnectionConfig ldapConnectionConfig = ldapConnection.getConfig();
Dn userDN = new Dn(ldapConnectionConfig.getName());
// getConnections() will only be called after a connection has been // getConnections() will only be called after a connection has been
// authenticated (via non-anonymous bind), thus userDN cannot // authenticated (via non-anonymous bind), thus userDN cannot
@@ -119,46 +119,77 @@ public class ConnectionService {
// Get the search filter for finding connections accessible by the // Get the search filter for finding connections accessible by the
// current user // current user
String connectionSearchFilter = getConnectionSearchFilter(userDN, ldapConnection); ExprNode connectionSearchFilter = getConnectionSearchFilter(userDN, ldapConnection);
// Find all Guacamole connections for the given user by // Find all Guacamole connections for the given user by
// looking for direct membership in the guacConfigGroup // looking for direct membership in the guacConfigGroup
// and possibly any groups the user is a member of that are // and possibly any groups the user is a member of that are
// referred to in the seeAlso attribute of the guacConfigGroup. // referred to in the seeAlso attribute of the guacConfigGroup.
List<LDAPEntry> results = queryService.search(ldapConnection, configurationBaseDN, connectionSearchFilter); List<Entry> results = queryService.search(ldapConnection,
configurationBaseDN, connectionSearchFilter, 0);
// Return a map of all readable connections // Return a map of all readable connections
return queryService.asMap(results, (entry) -> { return queryService.asMap(results, (entry) -> {
// Get common name (CN) // Get common name (CN)
LDAPAttribute cn = entry.getAttribute("cn"); Attribute cn = entry.get("cn");
if (cn == null) { if (cn == null) {
logger.warn("guacConfigGroup is missing a cn."); logger.warn("guacConfigGroup is missing a cn.");
return null; return null;
} }
String cnName;
try {
cnName = cn.getString();
}
catch (LdapInvalidAttributeValueException e) {
logger.error("Invalid value for CN attribute: {}",
e.getMessage());
logger.debug("LDAP exception while getting CN attribute.", e);
return null;
}
// Get associated protocol // Get associated protocol
LDAPAttribute protocol = entry.getAttribute("guacConfigProtocol"); Attribute protocol = entry.get("guacConfigProtocol");
if (protocol == null) { if (protocol == null) {
logger.warn("guacConfigGroup \"{}\" is missing the " logger.warn("guacConfigGroup \"{}\" is missing the "
+ "required \"guacConfigProtocol\" attribute.", + "required \"guacConfigProtocol\" attribute.",
cn.getStringValue()); cnName);
return null; return null;
} }
// Set protocol // Set protocol
GuacamoleConfiguration config = new GuacamoleConfiguration(); GuacamoleConfiguration config = new GuacamoleConfiguration();
config.setProtocol(protocol.getStringValue()); try {
config.setProtocol(protocol.getString());
}
catch (LdapInvalidAttributeValueException e) {
logger.error("Invalid value of the protocol entry: {}",
e.getMessage());
logger.debug("LDAP exception when getting protocol value.", e);
return null;
}
// Get parameters, if any // Get parameters, if any
LDAPAttribute parameterAttribute = entry.getAttribute("guacConfigParameter"); Attribute parameterAttribute = entry.get("guacConfigParameter");
if (parameterAttribute != null) { if (parameterAttribute != null) {
// For each parameter // For each parameter
Enumeration<?> parameters = parameterAttribute.getStringValues(); while (parameterAttribute.size() > 0) {
while (parameters.hasMoreElements()) { String parameter;
try {
String parameter = (String) parameters.nextElement(); parameter = parameterAttribute.getString();
}
catch (LdapInvalidAttributeValueException e) {
logger.warn("Parameter value not valid for {}: {}",
cnName, e.getMessage());
logger.debug("LDAP exception when getting parameter value.",
e);
return null;
}
parameterAttribute.remove(parameter);
// Parse parameter // Parse parameter
int equals = parameter.indexOf('='); int equals = parameter.indexOf('=');
@@ -177,8 +208,7 @@ public class ConnectionService {
} }
// Store connection using cn for both identifier and name // Store connection using cn for both identifier and name
String name = cn.getStringValue(); Connection connection = new SimpleConnection(cnName, cnName, config, true);
Connection connection = new SimpleConnection(name, name, config, true);
connection.setParentIdentifier(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP); connection.setParentIdentifier(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP);
// Inject LDAP-specific tokens only if LDAP handled user // Inject LDAP-specific tokens only if LDAP handled user
@@ -192,7 +222,7 @@ public class ConnectionService {
}); });
} }
catch (LDAPException e) { catch (LdapException e) {
throw new GuacamoleServerException("Error while querying for connections.", e); throw new GuacamoleServerException("Error while querying for connections.", e);
} }
@@ -213,40 +243,39 @@ public class ConnectionService {
* An LDAP search filter which queries all guacConfigGroup objects * An LDAP search filter which queries all guacConfigGroup objects
* accessible by the user having the given DN. * accessible by the user having the given DN.
* *
* @throws LDAPException * @throws LdapException
* If an error occurs preventing retrieval of user groups. * If an error occurs preventing retrieval of user groups.
* *
* @throws GuacamoleException * @throws GuacamoleException
* If an error occurs retrieving the group base DN. * If an error occurs retrieving the group base DN.
*/ */
private String getConnectionSearchFilter(String userDN, private ExprNode getConnectionSearchFilter(Dn userDN,
LDAPConnection ldapConnection) LdapNetworkConnection ldapConnection)
throws LDAPException, GuacamoleException { throws LdapException, GuacamoleException {
// Create a search filter for the connection search AndNode searchFilter = new AndNode();
StringBuilder connectionSearchFilter = new StringBuilder();
// Add the prefix to the search filter, prefix filter searches for guacConfigGroups with the userDN as the member attribute value // Add the prefix to the search filter, prefix filter searches for guacConfigGroups with the userDN as the member attribute value
connectionSearchFilter.append("(&(objectClass=guacConfigGroup)"); searchFilter.addNode(new EqualityNode("objectClass","guacConfigGroup"));
connectionSearchFilter.append("(|(");
connectionSearchFilter.append(escapingService.escapeLDAPSearchFilter( // Apply group filters
confService.getMemberAttribute())); OrNode groupFilter = new OrNode();
connectionSearchFilter.append("="); groupFilter.addNode(new EqualityNode(confService.getMemberAttribute(),
connectionSearchFilter.append(escapingService.escapeLDAPSearchFilter(userDN)); userDN.toString()));
connectionSearchFilter.append(")");
// Additionally filter by group membership if the current user is a // Additionally filter by group membership if the current user is a
// member of any user groups // member of any user groups
List<LDAPEntry> userGroups = userGroupService.getParentUserGroupEntries(ldapConnection, userDN); List<Entry> userGroups = userGroupService.getParentUserGroupEntries(ldapConnection, userDN);
if (!userGroups.isEmpty()) { if (!userGroups.isEmpty()) {
for (LDAPEntry entry : userGroups) userGroups.forEach(entry ->
connectionSearchFilter.append("(seeAlso=").append(escapingService.escapeLDAPSearchFilter(entry.getDN())).append(")"); groupFilter.addNode(new EqualityNode("seeAlso",entry.getDn().toString()))
);
} }
// Complete the search filter. // Complete the search filter.
connectionSearchFilter.append("))"); searchFilter.addNode(groupFilter);
return connectionSearchFilter.toString(); return searchFilter;
} }
} }

74
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
View File

@@ -20,15 +20,21 @@
package org.apache.guacamole.auth.ldap.group; package org.apache.guacamole.auth.ldap.group;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPEntry;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.HashSet; import java.util.HashSet;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import org.apache.guacamole.auth.ldap.ConfigurationService; import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
import org.apache.directory.api.ldap.model.filter.EqualityNode;
import org.apache.directory.api.ldap.model.filter.ExprNode;
import org.apache.directory.api.ldap.model.filter.NotNode;
import org.apache.directory.api.ldap.model.filter.PresenceNode;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.guacamole.auth.ldap.conf.ConfigurationService;
import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.auth.ldap.ObjectQueryService; import org.apache.guacamole.auth.ldap.ObjectQueryService;
import org.apache.guacamole.net.auth.UserGroup; import org.apache.guacamole.net.auth.UserGroup;
@@ -45,7 +51,7 @@ public class UserGroupService {
/** /**
* Logger for this class. * Logger for this class.
*/ */
private final Logger logger = LoggerFactory.getLogger(UserGroupService.class); private static final Logger logger = LoggerFactory.getLogger(UserGroupService.class);
/** /**
* Service for retrieving LDAP server configuration information. * Service for retrieving LDAP server configuration information.
@@ -72,17 +78,17 @@ public class UserGroupService {
* @throws GuacamoleException * @throws GuacamoleException
* If guacamole.properties cannot be parsed. * If guacamole.properties cannot be parsed.
*/ */
private String getGroupSearchFilter() throws GuacamoleException { private ExprNode getGroupSearchFilter() throws GuacamoleException {
// Explicitly exclude guacConfigGroup object class only if it should // Explicitly exclude guacConfigGroup object class only if it should
// be assumed to be defined (query may fail due to no such object // be assumed to be defined (query may fail due to no such object
// class existing otherwise) // class existing otherwise)
if (confService.getConfigurationBaseDN() != null) if (confService.getConfigurationBaseDN() != null)
return "(!(objectClass=guacConfigGroup))"; return new NotNode(new EqualityNode("objectClass","guacConfigGroup"));
// Read any object as a group if LDAP is not being used for connection // Read any object as a group if LDAP is not being used for connection
// storage (guacConfigGroup) // storage (guacConfigGroup)
return "(objectClass=*)"; return new PresenceNode("objectClass");
} }
@@ -102,17 +108,17 @@ public class UserGroupService {
* @throws GuacamoleException * @throws GuacamoleException
* If an error occurs preventing retrieval of user groups. * If an error occurs preventing retrieval of user groups.
*/ */
public Map<String, UserGroup> getUserGroups(LDAPConnection ldapConnection) public Map<String, UserGroup> getUserGroups(LdapNetworkConnection ldapConnection)
throws GuacamoleException { throws GuacamoleException {
// Do not return any user groups if base DN is not specified // Do not return any user groups if base DN is not specified
String groupBaseDN = confService.getGroupBaseDN(); Dn groupBaseDN = confService.getGroupBaseDN();
if (groupBaseDN == null) if (groupBaseDN == null)
return Collections.emptyMap(); return Collections.emptyMap();
// Retrieve all visible user groups which are not guacConfigGroups // Retrieve all visible user groups which are not guacConfigGroups
Collection<String> attributes = confService.getGroupNameAttributes(); Collection<String> attributes = confService.getGroupNameAttributes();
List<LDAPEntry> results = queryService.search( List<Entry> results = queryService.search(
ldapConnection, ldapConnection,
groupBaseDN, groupBaseDN,
getGroupSearchFilter(), getGroupSearchFilter(),
@@ -125,13 +131,18 @@ public class UserGroupService {
return queryService.asMap(results, entry -> { return queryService.asMap(results, entry -> {
// Translate entry into UserGroup object having proper identifier // Translate entry into UserGroup object having proper identifier
String name = queryService.getIdentifier(entry, attributes); try {
if (name != null) String name = queryService.getIdentifier(entry, attributes);
return new SimpleUserGroup(name); if (name != null)
return new SimpleUserGroup(name);
}
catch (LdapInvalidAttributeValueException e) {
return null;
}
// Ignore user groups which lack a name attribute // Ignore user groups which lack a name attribute
logger.debug("User group \"{}\" is missing a name attribute " logger.debug("User group \"{}\" is missing a name attribute "
+ "and will be ignored.", entry.getDN()); + "and will be ignored.", entry.getDn().toString());
return null; return null;
}); });
@@ -157,11 +168,11 @@ public class UserGroupService {
* @throws GuacamoleException * @throws GuacamoleException
* If an error occurs preventing retrieval of user groups. * If an error occurs preventing retrieval of user groups.
*/ */
public List<LDAPEntry> getParentUserGroupEntries(LDAPConnection ldapConnection, public List<Entry> getParentUserGroupEntries(LdapNetworkConnection ldapConnection,
String userDN) throws GuacamoleException { Dn userDN) throws GuacamoleException {
// Do not return any user groups if base DN is not specified // Do not return any user groups if base DN is not specified
String groupBaseDN = confService.getGroupBaseDN(); Dn groupBaseDN = confService.getGroupBaseDN();
if (groupBaseDN == null) if (groupBaseDN == null)
return Collections.emptyList(); return Collections.emptyList();
@@ -172,7 +183,7 @@ public class UserGroupService {
groupBaseDN, groupBaseDN,
getGroupSearchFilter(), getGroupSearchFilter(),
Collections.singleton(confService.getMemberAttribute()), Collections.singleton(confService.getMemberAttribute()),
userDN userDN.toString()
); );
} }
@@ -196,24 +207,31 @@ public class UserGroupService {
* @throws GuacamoleException * @throws GuacamoleException
* If an error occurs preventing retrieval of user groups. * If an error occurs preventing retrieval of user groups.
*/ */
public Set<String> getParentUserGroupIdentifiers(LDAPConnection ldapConnection, public Set<String> getParentUserGroupIdentifiers(LdapNetworkConnection ldapConnection,
String userDN) throws GuacamoleException { Dn userDN) throws GuacamoleException {
Collection<String> attributes = confService.getGroupNameAttributes(); Collection<String> attributes = confService.getGroupNameAttributes();
List<LDAPEntry> userGroups = getParentUserGroupEntries(ldapConnection, userDN); List<Entry> userGroups = getParentUserGroupEntries(ldapConnection, userDN);
Set<String> identifiers = new HashSet<>(userGroups.size()); Set<String> identifiers = new HashSet<>(userGroups.size());
userGroups.forEach(entry -> { userGroups.forEach(entry -> {
// Determine unique identifier for user group // Determine unique identifier for user group
String name = queryService.getIdentifier(entry, attributes); try {
if (name != null) String name = queryService.getIdentifier(entry, attributes);
identifiers.add(name); if (name != null)
identifiers.add(name);
// Ignore user groups which lack a name attribute // Ignore user groups which lack a name attribute
else else
logger.debug("User group \"{}\" is missing a name attribute " logger.debug("User group \"{}\" is missing a name attribute "
+ "and will be ignored.", entry.getDN()); + "and will be ignored.", entry.getDn().toString());
}
catch (LdapInvalidAttributeValueException e) {
logger.error("User group missing identifier: {}",
e.getMessage());
logger.debug("LDAP exception while getting group identifier.", e);
}
}); });

25
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPAuthenticatedUser.java
View File

@@ -23,6 +23,7 @@ import com.google.inject.Inject;
import java.util.Collections; import java.util.Collections;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.guacamole.net.auth.AbstractAuthenticatedUser; import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider; import org.apache.guacamole.net.auth.AuthenticationProvider;
import org.apache.guacamole.net.auth.Credentials; import org.apache.guacamole.net.auth.Credentials;
@@ -56,6 +57,11 @@ public class LDAPAuthenticatedUser extends AbstractAuthenticatedUser {
* available to this user. * available to this user.
*/ */
private Set<String> effectiveGroups; private Set<String> effectiveGroups;
/**
* The LDAP DN used to bind this user.
*/
private Dn bindDn;
/** /**
* Initializes this AuthenticatedUser with the given credentials, * Initializes this AuthenticatedUser with the given credentials,
@@ -71,14 +77,19 @@ public class LDAPAuthenticatedUser extends AbstractAuthenticatedUser {
* @param effectiveGroups * @param effectiveGroups
* The unique identifiers of all user groups which affect the * The unique identifiers of all user groups which affect the
* permissions available to this user. * permissions available to this user.
*
* @param bindDn
* The LDAP DN used to bind this user.
*/ */
public void init(Credentials credentials, Map<String, String> tokens, Set<String> effectiveGroups) { public void init(Credentials credentials, Map<String, String> tokens,
Set<String> effectiveGroups, Dn bindDn) {
this.credentials = credentials; this.credentials = credentials;
this.tokens = Collections.unmodifiableMap(tokens); this.tokens = Collections.unmodifiableMap(tokens);
this.effectiveGroups = effectiveGroups; this.effectiveGroups = effectiveGroups;
this.bindDn = bindDn;
setIdentifier(credentials.getUsername()); setIdentifier(credentials.getUsername());
} }
/** /**
* Returns a Map of all name/value pairs that should be applied as * Returns a Map of all name/value pairs that should be applied as
* parameter tokens when connections are established using this * parameter tokens when connections are established using this
@@ -92,6 +103,16 @@ public class LDAPAuthenticatedUser extends AbstractAuthenticatedUser {
public Map<String, String> getTokens() { public Map<String, String> getTokens() {
return tokens; return tokens;
} }
/**
* Returns the LDAP DN used to bind this user.
*
* @return
* The LDAP DN used to bind this user.
*/
public Dn getBindDn() {
return bindDn;
}
@Override @Override
public AuthenticationProvider getAuthenticationProvider() { public AuthenticationProvider getAuthenticationProvider() {

13
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/LDAPUserContext.java
View File

@@ -20,8 +20,8 @@
package org.apache.guacamole.auth.ldap.user; package org.apache.guacamole.auth.ldap.user;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.novell.ldap.LDAPConnection;
import java.util.Collections; import java.util.Collections;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.guacamole.auth.ldap.connection.ConnectionService; import org.apache.guacamole.auth.ldap.connection.ConnectionService;
import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider; import org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider;
@@ -39,8 +39,6 @@ import org.apache.guacamole.net.auth.simple.SimpleConnectionGroup;
import org.apache.guacamole.net.auth.simple.SimpleDirectory; import org.apache.guacamole.net.auth.simple.SimpleDirectory;
import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet; import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet;
import org.apache.guacamole.net.auth.simple.SimpleUser; import org.apache.guacamole.net.auth.simple.SimpleUser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/** /**
* An LDAP-specific implementation of UserContext which queries all Guacamole * An LDAP-specific implementation of UserContext which queries all Guacamole
@@ -48,11 +46,6 @@ import org.slf4j.LoggerFactory;
*/ */
public class LDAPUserContext extends AbstractUserContext { public class LDAPUserContext extends AbstractUserContext {
/**
* Logger for this class.
*/
private final Logger logger = LoggerFactory.getLogger(LDAPUserContext.class);
/** /**
* Service for retrieving Guacamole connections from the LDAP server. * Service for retrieving Guacamole connections from the LDAP server.
*/ */
@@ -109,7 +102,7 @@ public class LDAPUserContext extends AbstractUserContext {
/** /**
* Initializes this UserContext using the provided AuthenticatedUser and * Initializes this UserContext using the provided AuthenticatedUser and
* LDAPConnection. * LdapNetworkConnection.
* *
* @param user * @param user
* The AuthenticatedUser representing the user that authenticated. This * The AuthenticatedUser representing the user that authenticated. This
@@ -124,7 +117,7 @@ public class LDAPUserContext extends AbstractUserContext {
* If associated data stored within the LDAP directory cannot be * If associated data stored within the LDAP directory cannot be
* queried due to an error. * queried due to an error.
*/ */
public void init(AuthenticatedUser user, LDAPConnection ldapConnection) public void init(AuthenticatedUser user, LdapNetworkConnection ldapConnection)
throws GuacamoleException { throws GuacamoleException {
// Query all accessible users // Query all accessible users

65
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
View File

@@ -20,16 +20,20 @@
package org.apache.guacamole.auth.ldap.user; package org.apache.guacamole.auth.ldap.user;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPEntry;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import org.apache.guacamole.auth.ldap.ConfigurationService; import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.guacamole.auth.ldap.EscapingService; import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.name.Rdn;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.guacamole.auth.ldap.conf.ConfigurationService;
import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.auth.ldap.LDAPGuacamoleProperties; import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.auth.ldap.conf.LDAPGuacamoleProperties;
import org.apache.guacamole.auth.ldap.ObjectQueryService; import org.apache.guacamole.auth.ldap.ObjectQueryService;
import org.apache.guacamole.net.auth.User; import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.simple.SimpleUser; import org.apache.guacamole.net.auth.simple.SimpleUser;
@@ -45,13 +49,7 @@ public class UserService {
/** /**
* Logger for this class. * Logger for this class.
*/ */
private final Logger logger = LoggerFactory.getLogger(UserService.class); private static final Logger logger = LoggerFactory.getLogger(UserService.class);
/**
* Service for escaping parts of LDAP queries.
*/
@Inject
private EscapingService escapingService;
/** /**
* Service for retrieving LDAP server configuration information. * Service for retrieving LDAP server configuration information.
@@ -81,12 +79,12 @@ public class UserService {
* @throws GuacamoleException * @throws GuacamoleException
* If an error occurs preventing retrieval of users. * If an error occurs preventing retrieval of users.
*/ */
public Map<String, User> getUsers(LDAPConnection ldapConnection) public Map<String, User> getUsers(LdapNetworkConnection ldapConnection)
throws GuacamoleException { throws GuacamoleException {
// Retrieve all visible user objects // Retrieve all visible user objects
Collection<String> attributes = confService.getUsernameAttributes(); Collection<String> attributes = confService.getUsernameAttributes();
List<LDAPEntry> results = queryService.search(ldapConnection, List<Entry> results = queryService.search(ldapConnection,
confService.getUserBaseDN(), confService.getUserBaseDN(),
confService.getUserSearchFilter(), confService.getUserSearchFilter(),
attributes, attributes,
@@ -96,15 +94,21 @@ public class UserService {
return queryService.asMap(results, entry -> { return queryService.asMap(results, entry -> {
// Get username from record // Get username from record
String username = queryService.getIdentifier(entry, attributes); try {
if (username == null) { String username = queryService.getIdentifier(entry, attributes);
logger.warn("User \"{}\" is missing a username attribute " if (username == null) {
+ "and will be ignored.", entry.getDN()); logger.warn("User \"{}\" is missing a username attribute "
+ "and will be ignored.", entry.getDn().toString());
return null;
}
return new SimpleUser(username);
}
catch (LdapInvalidAttributeValueException e) {
return null; return null;
} }
return new SimpleUser(username);
}); });
} }
@@ -130,19 +134,19 @@ public class UserService {
* If an error occurs while querying the user DNs, or if the username * If an error occurs while querying the user DNs, or if the username
* attribute property cannot be parsed within guacamole.properties. * attribute property cannot be parsed within guacamole.properties.
*/ */
public List<String> getUserDNs(LDAPConnection ldapConnection, public List<Dn> getUserDNs(LdapNetworkConnection ldapConnection,
String username) throws GuacamoleException { String username) throws GuacamoleException {
// Retrieve user objects having a matching username // Retrieve user objects having a matching username
List<LDAPEntry> results = queryService.search(ldapConnection, List<Entry> results = queryService.search(ldapConnection,
confService.getUserBaseDN(), confService.getUserBaseDN(),
confService.getUserSearchFilter(), confService.getUserSearchFilter(),
confService.getUsernameAttributes(), confService.getUsernameAttributes(),
username); username);
// Build list of all DNs for retrieved users // Build list of all DNs for retrieved users
List<String> userDNs = new ArrayList<>(results.size()); List<Dn> userDNs = new ArrayList<>(results.size());
results.forEach(entry -> userDNs.add(entry.getDN())); results.forEach(entry -> userDNs.add(entry.getDn()));
return userDNs; return userDNs;
@@ -164,7 +168,7 @@ public class UserService {
* If required properties are missing, and thus the user DN cannot be * If required properties are missing, and thus the user DN cannot be
* determined. * determined.
*/ */
public String deriveUserDN(String username) public Dn deriveUserDN(String username)
throws GuacamoleException { throws GuacamoleException {
// Pull username attributes from properties // Pull username attributes from properties
@@ -181,10 +185,13 @@ public class UserService {
} }
// Derive user DN from base DN // Derive user DN from base DN
return try {
escapingService.escapeDN(usernameAttributes.get(0)) return new Dn(new Rdn(usernameAttributes.get(0), username),
+ "=" + escapingService.escapeDN(username) confService.getUserBaseDN());
+ "," + confService.getUserBaseDN(); }
catch (LdapInvalidAttributeValueException | LdapInvalidDnException e) {
throw new GuacamoleServerException("Error trying to derive user DN.", e);
}
} }