From 907e0edfcfa23eab3da12c7c3d8ff945b5470830 Mon Sep 17 00:00:00 2001
From: Nick Couchman
Date: Sat, 18 Mar 2017 12:08:38 -0400
Subject: [PATCH] GUACAMOLE-244: Support configuration of alias dereferencing

---
 .../auth/ldap/ConfigurationService.java | 32 +++++++++++++++++++
 .../auth/ldap/LDAPGuacamoleProperties.java | 10 ++++++
 .../ldap/connection/ConnectionService.java | 15 +++++++--
 .../guacamole/auth/ldap/user/UserService.java | 7 +++-
 4 files changed, 61 insertions(+), 3 deletions(-)

diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
index a13eb9715..f29d8f106 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
@@ -223,4 +223,36 @@ public class ConfigurationService {
 );
 }
 
+ /**
+ * Returns whether or not LDAP aliases will be dereferenced,
+ * as configured with guacamole.properties.
+ * By default they will never be dereferenced.
+ *
+ * @return
+ * An integer representing the status of of alias
+ * dereferencing, as configured in guacamole.properties.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public int getDereferenceAliases() throws GuacamoleException {
+ String derefAliases = environment.getProperty(
+ LDAPGuacamoleProperties.LDAP_DEREFERENCE_ALIASES,
+ "never"
+ );
+
+ if (derefAliases == "always")
+ return 3;
+
+ else if (derefAliases == "finding")
+ return 2;
+
+ else if (derefAliases == "searching")
+ return 1;
+
+ else
+ return 0;
+
+ }
+
 }
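Review bot: The three comparisons in getDereferenceAliases use `==` on strings, so a value read from guacamole.properties (a freshly parsed String, not the interned literal) never matches and the method returns 0 for every configured value; the new option is silently inert. Compare with `"always".equals(derefAliases)`, `"finding".equals(derefAliases)` and `"searching".equals(derefAliases)` (or a `switch` on the string). A misspelt value also falls through to 0 with no diagnostic; rejecting unknown values with a GuacamoleException that names the offending value would make the misconfiguration visible to the administrator instead of quietly changing search semantics. The literals 0–3 are the JLDAP `LDAPSearchConstraints.DEREF_NEVER`/`DEREF_SEARCHING`/`DEREF_FINDING`/`DEREF_ALWAYS` values and would read better by name.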
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
index bc684e32c..8e7d574a9 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
@@ -153,4 +153,14 @@ public class LDAPGuacamoleProperties {
 
 };
 
+ /**
+ * The behavior of alias dereferncing for the LDAP connections.
+ */
+ public static final StringGuacamoleProperty LDAP_DEREFERENCE_ALIASES = new StringGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "ldap-dereference-aliases"; }
+
+ };
+
 }
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
index b13207a15..0ec5ebe4e 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
@@ -24,6 +24,7 @@ import com.novell.ldap.LDAPAttribute;
 import com.novell.ldap.LDAPConnection;
 import com.novell.ldap.LDAPEntry;
 import com.novell.ldap.LDAPException;
+import com.novell.ldap.LDAPSearchConstraints;
 import com.novell.ldap.LDAPSearchResults;
 import java.util.Collections;
 import java.util.Enumeration;
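Review bot: The Javadoc on LDAP_DEREFERENCE_ALIASES does not say which values the property accepts or what it defaults to, and it misspells "dereferncing". Since ConfigurationService maps this property onto a closed set of keywords, this is the place an administrator reading the code will look for them; I would write `The behavior of alias dereferencing for LDAP searches: one of "never" (the default), "searching", "finding" or "always".`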
@@ -108,6 +109,10 @@ public class ConnectionService {
 // current user
 String connectionSearchFilter = getConnectionSearchFilter(userDN, ldapConnection);
 
+ // Set Search Constraints
+ LDAPSearchConstraints constraints = new LDAPSearchConstraints();
+ constraints.setDereference(confService.getDereferenceAliases());
+
 // Find all Guacamole connections for the given user by
 // looking for direct membership in the guacConfigGroup
 // and possibly any groups the user is a member of that are
@@ -117,7 +122,8 @@ public class ConnectionService {
 LDAPConnection.SCOPE_SUB,
 connectionSearchFilter,
 null,
- false
+ false,
+ constraints
 );
 
 // Build token filter containing credential tokens
@@ -234,13 +240,18 @@ public class ConnectionService {
 String groupBaseDN = confService.getGroupBaseDN();
 if (groupBaseDN != null) {
 
+ // Set up LDAP constraints
+ LDAPSearchConstraints constraints = new LDAPSearchConstraints();
+ constraints.setDereference(confService.getDereferenceAliases());
+
 // Get all groups the user is a member of starting at the groupBaseDN, excluding guacConfigGroups
 LDAPSearchResults userRoleGroupResults = ldapConnection.search(
 groupBaseDN,
 LDAPConnection.SCOPE_SUB,
 "(&(!(objectClass=guacConfigGroup))(member=" + escapingService.escapeLDAPSearchFilter(userDN) + "))",
 null,
- false
+ false,
+ constraints
 );
 
 // Append the additional user groups to the LDAP filter
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
index cae1599ef..c4f6ce097 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
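Review bot: Both searches in this file now receive a freshly constructed `new LDAPSearchConstraints()`, which replaces whatever constraints the connection itself carries (result and time limits, referral handling) with the library defaults, whereas the previous five-argument calls used the connection's own constraints. If the intent is only to add the dereference mode, starting from `ldapConnection.getSearchConstraints()` and then calling `setDereference(...)` would keep the existing limits — please confirm against the JLDAP API in use. The same two-line construction is repeated here, in the @@ -234 hunk and twice in UserService; one shared helper that applies both `confService.getMaxResults()` and `confService.getDereferenceAliases()` would keep every search consistent and make future constraint settings a one-place change. The enclosing methods start before and end after these hunks.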
@@ -88,6 +88,7 @@ public class UserService {
 // Set search limits
 LDAPSearchConstraints constraints = new LDAPSearchConstraints();
 constraints.setMaxResults(confService.getMaxResults());
+ constraints.setDereference(confService.getDereferenceAliases());
 
 // Find all Guacamole users underneath base DN
 LDAPSearchResults results = ldapConnection.search(
@@ -247,6 +248,9 @@ public class UserService {
 
 List userDNs = new ArrayList();
 
+ LDAPSearchConstraints constraints = new LDAPSearchConstraints();
+ constraints.setDereference(confService.getDereferenceAliases());
+
 // Find all Guacamole users underneath base DN and matching the
 // specified username
 LDAPSearchResults results = ldapConnection.search(
@@ -254,7 +258,8 @@ public class UserService {
 LDAPConnection.SCOPE_SUB,
 generateLDAPQuery(username),
 null,
- false
+ false,
+ constraints
 );
 
 // Add all DNs for found users
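Review bot: The constraints built in the @@ -247 hunk set only the dereference mode, while the search at line 88 of the same class also applies `confService.getMaxResults()`, so the two lookups now bound their result sets differently. If that is deliberate because a username lookup is expected to match very few entries, a one-line comment such as `// No result cap: a username lookup is expected to match at most a handful of entries` would stop the next reader from "fixing" it; otherwise add `constraints.setMaxResults(confService.getMaxResults());` alongside the new line. The enclosing method starts before and ends after the hunk.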