GUACAMOLE-944: Merge support for arbitrary, non-DN search usernames.

2025-09-06 05:07:41 +00:00 · 2021-05-30 17:11:56 -07:00
parent 3ec0bdbc57 4ac1d1bb64
commit 78904863c4
4 changed files with 31 additions and 23 deletions
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
@@ -119,18 +119,19 @@ public class AuthenticationProviderService {

        // If a search DN is provided, search the LDAP directory for the DN
        // corresponding to the given username
-        Dn searchBindDN = confService.getSearchBindDN();
-        if (searchBindDN != null) {
+        String searchBindLogon = confService.getSearchBindDN();
+        if (searchBindLogon != null) {

            // Create an LDAP connection using the search account
            LdapNetworkConnection searchConnection = ldapService.bindAs(
-                searchBindDN,
+                searchBindLogon,
                confService.getSearchBindPassword()
            );

            // Warn of failure to find
            if (searchConnection == null) {
-                logger.error("Unable to bind using search DN \"{}\"", searchBindDN);
+                logger.error("Unable to bind using search DN \"{}\"",
+                        searchBindLogon);
                return null;
            }

@@ -203,7 +204,8 @@ public class AuthenticationProviderService {
        }
        
        // Attempt bind
-        LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, password);
+        LdapNetworkConnection ldapConnection =
+                ldapService.bindAs(bindDn.getName(), password);
        if (ldapConnection == null)
            throw new GuacamoleInvalidCredentialsException("Invalid login.",
                    CredentialsInfo.USERNAME_PASSWORD);
@@ -315,7 +317,8 @@ public class AuthenticationProviderService {
        if (authenticatedUser instanceof LDAPAuthenticatedUser) {

            Dn bindDn = ((LDAPAuthenticatedUser) authenticatedUser).getBindDn();
-            LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, credentials.getPassword());
+            LdapNetworkConnection ldapConnection =
+                    ldapService.bindAs(bindDn.getName(), credentials.getPassword());
            if (ldapConnection == null) {
                logger.debug("LDAP bind succeeded for \"{}\" during "
                        + "authentication but failed during data retrieval.",
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
@@ -239,11 +239,11 @@ public class LDAPConnectionService {
     *     bound.
     */
    private LdapNetworkConnection bindAs(LdapNetworkConnection ldapConnection,
-            Dn userDN, String password) {
+            String bindUser, String password) {

        // Add credentials to existing config
        LdapConnectionConfig config = ldapConnection.getConfig();
-        config.setName(userDN.getName());
+        config.setName(bindUser);
        config.setCredentials(password);

        try {
@@ -255,7 +255,8 @@ public class LDAPConnectionService {
        // only at the debug level (such failures are expected)
        catch (LdapAuthenticationException e) {
            ldapConnection.close();
-            logger.debug("Bind attempt with LDAP server as user \"{}\" failed.", userDN, e);
+            logger.debug("Bind attempt with LDAP server as user \"{}\" failed.",
+                    bindUser, e);
            return null;
        }

@@ -264,7 +265,8 @@ public class LDAPConnectionService {
        catch (LdapException e) {
            ldapConnection.close();
            logger.error("Binding with the LDAP server at \"{}\" as user "
-                    + "\"{}\" failed: {}", config.getLdapHost(), userDN, e.getMessage());
+                    + "\"{}\" failed: {}", config.getLdapHost(), bindUser,
+                    e.getMessage());
            logger.debug("Unable to bind to LDAP server.", e);
            return null;
        }
@@ -318,7 +320,7 @@ public class LDAPConnectionService {
        }

        // Bind using username/password from existing connection
-        return bindAs(ldapConnection, userDN, password);
+        return bindAs(ldapConnection, userDN.getName(), password);

    }

@@ -327,8 +329,8 @@ public class LDAPConnectionService {
     * hostname, port, and encryption method of the LDAP server are determined
     * from guacamole.properties.
     *
-     * @param userDN
-     *     The DN of the user to bind as, or null to bind anonymously.
+     * @param bindUser
+     *     The DN or UPN of the user to bind as, or null to bind anonymously.
     *
     * @param password
     *     The password to use when binding as the specified user, or null to
@@ -342,9 +344,9 @@ public class LDAPConnectionService {
     *     If an error occurs while parsing guacamole.properties, or if the
     *     configured encryption method is actually not implemented (a bug).
     */
-    public LdapNetworkConnection bindAs(Dn userDN, String password)
+    public LdapNetworkConnection bindAs(String bindUser, String password)
            throws GuacamoleException {
-        return bindAs(createLDAPConnection(), userDN, password);
+        return bindAs(createLDAPConnection(), bindUser, password);
    }

    /**
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
@@ -171,7 +171,7 @@ public class ConfigurationService {
    }

    /**
-     * Returns the DN that should be used when searching for the DNs of users
+     * Returns the login that should be used when searching for the DNs of users
     * attempting to authenticate. If no such search should be performed, null
     * is returned.
     *
@@ -183,7 +183,7 @@ public class ConfigurationService {
     * @throws GuacamoleException
     *     If guacamole.properties cannot be parsed.
     */
-    public Dn getSearchBindDN() throws GuacamoleException {
+    public String getSearchBindDN() throws GuacamoleException {
        return environment.getProperty(
            LDAPGuacamoleProperties.LDAP_SEARCH_BIND_DN
        );
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
@@ -128,13 +128,16 @@ public class LDAPGuacamoleProperties {
    };

    /**
-     * The DN of the user that the LDAP authentication should bind as when
-     * searching for the user accounts of users attempting to log in. If not
-     * specified, the DNs of users attempting to log in will be derived from
-     * the LDAP_BASE_DN and LDAP_USERNAME_ATTRIBUTE directly.
+     * The user that the LDAP extension should bind as when searching for the
+     * accounts of users attempting to log in. The format of this parameter
+     * will vary based on the LDAP server implementation - often it is expected
+     * to be in full LDAP DN format; however various LDAP server implementations
+     * allow this to be in other formats (e.g. Active Directory allows
+     * User Principal Name, or UPN, format). For this reason the configuration
+     * allows this to be any string.
     */
-    public static final LdapDnGuacamoleProperty LDAP_SEARCH_BIND_DN =
-            new LdapDnGuacamoleProperty() {
+    public static final StringGuacamoleProperty LDAP_SEARCH_BIND_DN =
+            new StringGuacamoleProperty() {

        @Override
        public String getName() { return "ldap-search-bind-dn"; }