safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 21:27:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUAC-1388 Allow LDAP role-based access control for guacConfigGroups

Browse Source
This commit is contained in:
Patrick Richardson
2015-12-10 09:35:29 -05:00
parent abbff6d9ac
commit 72dddc0921
5 changed files with 103 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
extensions/guacamole-auth-ldap/README
View File

@@ -89,6 +89,8 @@ guacamole.properties such that the authentication provider is available.
# The base DN within which all guacConfig objects can be found. # The base DN within which all guacConfig objects can be found.
ldap-config-base-dn: dc=example,dc=net ldap-config-base-dn: dc=example,dc=net
# The base DN within which all role based groups can be found.
ldap-group-base-dn: ou=groups,dc=example,dc=net
------------------------------------------------------------ ------------------------------------------------------------
Reporting problems Reporting problems

1
extensions/guacamole-auth-ldap/doc/examples/exampleConfigGroup.ldif
View File

@@ -9,3 +9,4 @@ guacConfigParameter: port=5900
guacConfigParameter: password=secret guacConfigParameter: password=secret
member: cn=user1,dc=example,dc=com member: cn=user1,dc=example,dc=com
member: cn=user2,dc=example,dc=com member: cn=user2,dc=example,dc=com
seeAlso: ou=admins,ou=groups,dc=example,dc=com

17
extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/ConfigurationService.java
View File

@@ -135,6 +135,23 @@ public class ConfigurationService {
); );
} }
/**
* Returns the base DN under which all Guacamole role based access control
* (RBAC) groups will be stored within the LDAP directory.
*
* @return
* The base DN under which all Guacamole RBAC groups will be stored
* within the LDAP directory.
*
* @throws GuacamoleException
* If guacamole.properties cannot be parsed.
*/
public String getGroupBaseDN() throws GuacamoleException {
return environment.getProperty(
LDAPGuacamoleProperties.LDAP_GROUP_BASE_DN
);
}
/** /**
* Returns the DN that should be used when searching for the DNs of users * Returns the DN that should be used when searching for the DNs of users
* attempting to authenticate. If no such search should be performed, null * attempting to authenticate. If no such search should be performed, null

11
extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/LDAPGuacamoleProperties.java
View File

@@ -63,6 +63,17 @@ public class LDAPGuacamoleProperties {
}; };
/**
* The base DN of role based access control (RBAC) groups.
* All groups should be under this DN.
*/
public static final StringGuacamoleProperty LDAP_GROUP_BASE_DN = new StringGuacamoleProperty() {
@Override
public String getName() { return "ldap-group-base-dn"; }
};
/** /**
* The attribute or attributes which identify users. One of these * The attribute or attributes which identify users. One of these
* attributes must be present within each Guacamole user's record in the * attributes must be present within each Guacamole user's record in the

76
extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/connection/ConnectionService.java
View File

@@ -96,8 +96,9 @@ public class ConnectionService {
// Do not return any connections if base DN is not specified // Do not return any connections if base DN is not specified
String configurationBaseDN = confService.getConfigurationBaseDN(); String configurationBaseDN = confService.getConfigurationBaseDN();
if (configurationBaseDN == null) if (configurationBaseDN == null) {
return Collections.<String, Connection>emptyMap(); return Collections.<String, Connection>emptyMap();
}
try { try {
@@ -109,11 +110,17 @@ public class ConnectionService {
// possibly be null // possibly be null
assert(userDN != null); assert(userDN != null);
// Find all Guacamole connections for the given user // Get the search filter for finding connections associated to the userDN
String connectionSearchFilter = getConnectionSearchFilter(userDN, ldapConnection);
// Find all Guacamole connections for the given user by
// looking for direct membership in the guacConfigGroup
// and possibly any groups the user is a member of that are
// referred to in the seeAlso attribute of the guacConfigGroup.
LDAPSearchResults results = ldapConnection.search( LDAPSearchResults results = ldapConnection.search(
configurationBaseDN, configurationBaseDN,
LDAPConnection.SCOPE_SUB, LDAPConnection.SCOPE_SUB,
"(&(objectClass=guacConfigGroup)(member=" + escapingService.escapeLDAPSearchFilter(userDN) + "))", connectionSearchFilter,
null, null,
false false
); );
@@ -188,11 +195,70 @@ public class ConnectionService {
// Return map of all connections // Return map of all connections
return connections; return connections;
} } catch (LDAPException e) {
catch (LDAPException e) {
throw new GuacamoleServerException("Error while querying for connections.", e); throw new GuacamoleServerException("Error while querying for connections.", e);
} }
} }
/**
* Returns the connection search filter for the given userDN.
*
* @param userDN
* DN of the user to search for associated guacConfigGroup connections.
*
* @param ldapConnection
* LDAP connection to use for searching for associated groups.
*
* @return
* Search filter for finding guacConfigGroup associated with the userDN.
*
* @throws LDAPException
* If an error occurs preventing retrieval of user groups.
*
* @throws GuacamoleException
* If an error occurs retrieving the group base DN.
*/
private String getConnectionSearchFilter(String userDN, LDAPConnection ldapConnection) throws LDAPException, GuacamoleException {
// Create a search filter for the connection search
StringBuilder connectionSearchFilter = new StringBuilder();
// Add the prefix to the search filter, prefix filter searches for guacConfigGroups with the userDN as the member attribute value
connectionSearchFilter.append("(&(objectClass=guacConfigGroup)(|(member=");
connectionSearchFilter.append(escapingService.escapeLDAPSearchFilter(userDN));
connectionSearchFilter.append(")");
// If group base DN is specified search for user groups
String groupBaseDN = confService.getGroupBaseDN();
if (groupBaseDN != null) {
// Get all groups the user is a member of starting at the groupBaseDN, excluding guacConfigGroups
LDAPSearchResults userRoleGroupResults = ldapConnection.search(
groupBaseDN,
LDAPConnection.SCOPE_SUB,
"(&(!(objectClass=guacConfigGroup))(member=" + escapingService.escapeLDAPSearchFilter(userDN) + "))",
null,
false
);
// Append the additional user groups to the LDAP filter
// Now the filter will also look for guacConfigGroups that refer
// to groups the user is a member of
// The guacConfig group uses the seeAlso attribute to refer
// to these other groups
while (userRoleGroupResults.hasMore()) {
LDAPEntry entry = userRoleGroupResults.next();
connectionSearchFilter.append("(seeAlso=").append(escapingService.escapeLDAPSearchFilter(entry.getDN())).append(")");
}
}
// Complete the search filter.
connectionSearchFilter.append("))");
return connectionSearchFilter.toString();
}
} }