GUACAMOLE-244: Support configuration of alias dereferencing

2025-09-06 05:07:41 +00:00 · 2017-03-18 12:08:38 -04:00
parent 1a621886c6
commit 907e0edfcf
4 changed files with 61 additions and 3 deletions
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
@@ -223,4 +223,36 @@ public class ConfigurationService {
        );
    }

+    /**
+     * Returns whether or not LDAP aliases will be dereferenced,
+     * as configured with guacamole.properties.
+     * By default they will never be dereferenced.
+     *
+     * @return
+     *     An integer representing the status of of alias
+     *     dereferencing, as configured in guacamole.properties.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public int getDereferenceAliases() throws GuacamoleException {
+        String derefAliases = environment.getProperty(
+            LDAPGuacamoleProperties.LDAP_DEREFERENCE_ALIASES,
+            "never"
+        );
+
+        if (derefAliases == "always")
+            return 3;
+
+        else if (derefAliases == "finding")
+            return 2;
+
+        else if (derefAliases == "searching")
+            return 1;
+
+        else
+            return 0;
+
+    }
+
 }
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
@@ -153,4 +153,14 @@ public class LDAPGuacamoleProperties {

    };

+    /**
+     * The behavior of alias dereferncing for the LDAP connections.
+     */
+    public static final StringGuacamoleProperty LDAP_DEREFERENCE_ALIASES = new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "ldap-dereference-aliases"; }
+
+    };
+
 }
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
@@ -24,6 +24,7 @@ import com.novell.ldap.LDAPAttribute;
 import com.novell.ldap.LDAPConnection;
 import com.novell.ldap.LDAPEntry;
 import com.novell.ldap.LDAPException;
+import com.novell.ldap.LDAPSearchConstraints;
 import com.novell.ldap.LDAPSearchResults;
 import java.util.Collections;
 import java.util.Enumeration;
@@ -108,6 +109,10 @@ public class ConnectionService {
            // current user
            String connectionSearchFilter = getConnectionSearchFilter(userDN, ldapConnection);

+            // Set Search Constraints
+            LDAPSearchConstraints constraints = new LDAPSearchConstraints();
+            constraints.setDereference(confService.getDereferenceAliases());
+
            // Find all Guacamole connections for the given user by
            // looking for direct membership in the guacConfigGroup
            // and possibly any groups the user is a member of that are
@@ -117,7 +122,8 @@ public class ConnectionService {
                LDAPConnection.SCOPE_SUB,
                connectionSearchFilter,
                null,
-                false
+                false,
+                constraints
            );

            // Build token filter containing credential tokens
@@ -234,13 +240,18 @@ public class ConnectionService {
        String groupBaseDN = confService.getGroupBaseDN();
        if (groupBaseDN != null) {

+            // Set up LDAP constraints
+            LDAPSearchConstraints constraints = new LDAPSearchConstraints();
+            constraints.setDereference(confService.getDereferenceAliases());
+
            // Get all groups the user is a member of starting at the groupBaseDN, excluding guacConfigGroups
            LDAPSearchResults userRoleGroupResults = ldapConnection.search(
                groupBaseDN,
                LDAPConnection.SCOPE_SUB,
                "(&(!(objectClass=guacConfigGroup))(member=" + escapingService.escapeLDAPSearchFilter(userDN) + "))",
                null,
-                false
+                false,
+                constraints
            );

            // Append the additional user groups to the LDAP filter
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
@@ -88,6 +88,7 @@ public class UserService {
            // Set search limits
            LDAPSearchConstraints constraints = new LDAPSearchConstraints();
            constraints.setMaxResults(confService.getMaxResults());
+            constraints.setDereference(confService.getDereferenceAliases());

            // Find all Guacamole users underneath base DN
            LDAPSearchResults results = ldapConnection.search(
@@ -247,6 +248,9 @@ public class UserService {

            List<String> userDNs = new ArrayList<String>();

+            LDAPSearchConstraints constraints = new LDAPSearchConstraints();
+            constraints.setDereference(confService.getDereferenceAliases());
+
            // Find all Guacamole users underneath base DN and matching the
            // specified username
            LDAPSearchResults results = ldapConnection.search(
@@ -254,7 +258,8 @@ public class UserService {
                LDAPConnection.SCOPE_SUB,
                generateLDAPQuery(username),
                null,
-                false
+                false,
+                constraints
            );

            // Add all DNs for found users