GUAC-1388 Allow LDAP role-based access control for guacConfigGroups

2025-09-06 05:07:41 +00:00 · 2015-12-10 09:35:29 -05:00
parent abbff6d9ac
commit 72dddc0921
5 changed files with 103 additions and 6 deletions
--- a/extensions/guacamole-auth-ldap/README
+++ b/extensions/guacamole-auth-ldap/README
@@ -88,7 +88,9 @@ guacamole.properties such that the authentication provider is available.

    # The base DN within which all guacConfig objects can be found.
    ldap-config-base-dn:     dc=example,dc=net
-
+    
+    # The base DN within which all role based groups can be found.
+    ldap-group-base-dn:      ou=groups,dc=example,dc=net

 ------------------------------------------------------------
 Reporting problems
--- a/extensions/guacamole-auth-ldap/doc/examples/exampleConfigGroup.ldif
+++ b/extensions/guacamole-auth-ldap/doc/examples/exampleConfigGroup.ldif
@@ -9,3 +9,4 @@ guacConfigParameter: port=5900
 guacConfigParameter: password=secret
 member: cn=user1,dc=example,dc=com
 member: cn=user2,dc=example,dc=com
+seeAlso: ou=admins,ou=groups,dc=example,dc=com
--- a/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/ConfigurationService.java
@@ -135,6 +135,23 @@ public class ConfigurationService {
        );
    }

+    /**
+     * Returns the base DN under which all Guacamole role based access control
+     * (RBAC) groups will be stored within the LDAP directory.
+     *
+     * @return
+     *     The base DN under which all Guacamole RBAC groups will be stored
+     *     within the LDAP directory.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public String getGroupBaseDN() throws GuacamoleException {
+        return environment.getProperty(
+            LDAPGuacamoleProperties.LDAP_GROUP_BASE_DN
+        );
+    }
+
    /**
     * Returns the DN that should be used when searching for the DNs of users
     * attempting to authenticate. If no such search should be performed, null
--- a/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/LDAPGuacamoleProperties.java
@@ -62,6 +62,17 @@ public class LDAPGuacamoleProperties {
        public String getName() { return "ldap-user-base-dn"; }

    };
+    
+    /**
+     * The base DN of role based access control (RBAC) groups. 
+     * All groups should be under this DN.
+     */
+    public static final StringGuacamoleProperty LDAP_GROUP_BASE_DN = new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "ldap-group-base-dn"; }
+
+    };

    /**
     * The attribute or attributes which identify users. One of these
--- a/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/connection/ConnectionService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/connection/ConnectionService.java
@@ -96,8 +96,9 @@ public class ConnectionService {

        // Do not return any connections if base DN is not specified
        String configurationBaseDN = confService.getConfigurationBaseDN();
-        if (configurationBaseDN == null)
+        if (configurationBaseDN == null) {
            return Collections.<String, Connection>emptyMap();
+        }

        try {

@@ -109,11 +110,17 @@ public class ConnectionService {
            // possibly be null
            assert(userDN != null);

-            // Find all Guacamole connections for the given user
+            // Get the search filter for finding connections associated to the userDN
+            String connectionSearchFilter = getConnectionSearchFilter(userDN, ldapConnection);
+            
+            // Find all Guacamole connections for the given user by
+            // looking for direct membership in the guacConfigGroup
+            // and possibly any groups the user is a member of that are
+            // referred to in the seeAlso attribute of the guacConfigGroup.
            LDAPSearchResults results = ldapConnection.search(
                configurationBaseDN,
                LDAPConnection.SCOPE_SUB,
-                "(&(objectClass=guacConfigGroup)(member=" + escapingService.escapeLDAPSearchFilter(userDN) + "))",
+                connectionSearchFilter,
                null,
                false
            );
@@ -188,11 +195,70 @@ public class ConnectionService {
            // Return map of all connections
            return connections;

-        }
-        catch (LDAPException e) {
+        } catch (LDAPException e) {
            throw new GuacamoleServerException("Error while querying for connections.", e);
        }

    }
+    
+    /**
+     * Returns the connection search filter for the given userDN.
+     *
+     * @param userDN
+     *     DN of the user to search for associated guacConfigGroup connections.
+     *
+     * @param ldapConnection
+     *     LDAP connection to use for searching for associated groups.
+     *
+     * @return
+     *     Search filter for finding guacConfigGroup associated with the userDN.
+     *
+     * @throws LDAPException
+     *     If an error occurs preventing retrieval of user groups.
+     *     
+     * @throws GuacamoleException
+     *     If an error occurs retrieving the group base DN. 
+     */
+    private String getConnectionSearchFilter(String userDN, LDAPConnection ldapConnection) throws LDAPException, GuacamoleException {
+        
+        // Create a search filter for the connection search
+        StringBuilder connectionSearchFilter = new StringBuilder();
+
+        // Add the prefix to the search filter, prefix filter searches for guacConfigGroups with the userDN as the member attribute value
+        connectionSearchFilter.append("(&(objectClass=guacConfigGroup)(|(member=");
+        connectionSearchFilter.append(escapingService.escapeLDAPSearchFilter(userDN));
+        connectionSearchFilter.append(")");
+
+        // If group base DN is specified search for user groups
+        String groupBaseDN = confService.getGroupBaseDN();
+
+        if (groupBaseDN != null) {
+
+            // Get all groups the user is a member of starting at the groupBaseDN, excluding guacConfigGroups
+            LDAPSearchResults userRoleGroupResults = ldapConnection.search(
+                groupBaseDN,
+                LDAPConnection.SCOPE_SUB,
+                "(&(!(objectClass=guacConfigGroup))(member=" + escapingService.escapeLDAPSearchFilter(userDN) + "))",
+                null,
+                false
+            );
+
+            // Append the additional user groups to the LDAP filter
+            // Now the filter will also look for guacConfigGroups that refer 
+            // to groups the user is a member of
+            // The guacConfig group uses the seeAlso attribute to refer 
+            // to these other groups
+            while (userRoleGroupResults.hasMore()) {
+                LDAPEntry entry = userRoleGroupResults.next();
+                connectionSearchFilter.append("(seeAlso=").append(escapingService.escapeLDAPSearchFilter(entry.getDN())).append(")");
+            }
+        }
+        
+        // Complete the search filter.
+        connectionSearchFilter.append("))");  
+        
+        return connectionSearchFilter.toString();
+    }

 }
+