diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
index 769d4c39d..2071dfa02 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
@@ -321,6 +321,26 @@ public class ConfigurationService {
 );
 }
 
+ /**
+ * Returns the search filter that should be used when querying the
+ * LDAP server for Guacamole groups. If no filter is specified,
+ * a default of "(objectClass=*)" is used.
+ *
+ * @return
+ * The search filter that should be used when querying the
+ * LDAP server for groups that are valid in Guacamole, or
+ * "(objectClass=*)" if not specified.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public ExprNode getGroupSearchFilter() throws GuacamoleException {
+ return environment.getProperty(
+ LDAPGuacamoleProperties.LDAP_GROUP_SEARCH_FILTER,
+ new PresenceNode("objectClass")
+ );
+ }
+
 /**
 * Returns the maximum number of seconds to wait for LDAP operations.
 *
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
index 231362970..5bf5cfbd6 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
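Review bot: The `@throws GuacamoleException` clause on the new getGroupSearchFilter() only mentions guacamole.properties failing to parse, but the value is read through `LdapFilterGuacamoleProperty`, so a syntactically invalid `ldap-group-search-filter` value presumably surfaces through the same exception and is the failure an administrator is most likely to hit. Suggest widening the clause to `If guacamole.properties cannot be parsed, or if the configured filter is not a valid LDAP search filter.` The enclosing ConfigurationService class continues outside the hunk.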
@@ -210,6 +210,17 @@ public class LDAPGuacamoleProperties {
 
 };
 
+ /**
+ * A search filter to apply to group LDAP queries.
+ */
+ public static final LdapFilterGuacamoleProperty LDAP_GROUP_SEARCH_FILTER =
+ new LdapFilterGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "ldap-group-search-filter"; }
+
+ };
+
 /**
 * Whether or not we should follow referrals.
 */
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
index 66f4612a0..6d97a930a 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
@@ -28,10 +28,10 @@ import java.util.Map;
 import java.util.Set;
 import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.filter.AndNode;
 import org.apache.directory.api.ldap.model.filter.EqualityNode;
 import org.apache.directory.api.ldap.model.filter.ExprNode;
 import org.apache.directory.api.ldap.model.filter.NotNode;
-import org.apache.directory.api.ldap.model.filter.PresenceNode;
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.ldap.client.api.LdapNetworkConnection;
 import org.apache.guacamole.auth.ldap.conf.ConfigurationService;
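Review bot: The Javadoc on LDAP_GROUP_SEARCH_FILTER states only that it is a search filter for group queries, leaving out the default and how it interacts with the existing guacConfigGroup exclusion, which is what an administrator tuning this property needs to know. Suggest `A search filter to apply to group LDAP queries. Defaults to "(objectClass=*)" if not specified; when ldap-config-base-dn is also set, entries of object class guacConfigGroup are excluded in addition to this filter.` Both facts are visible in this commit: the default in ConfigurationService.getGroupSearchFilter() and the AND-ed exclusion in UserGroupService.getGroupSearchFilter().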
@@ -81,16 +81,22 @@ public class UserGroupService {
 */
 private ExprNode getGroupSearchFilter() throws GuacamoleException {
 
+ // Use filter defined by "ldap-group-search-filter" as basis for all
+ // retrieval of user groups
+ ExprNode groupFilter = confService.getGroupSearchFilter();
+
 // Explicitly exclude guacConfigGroup object class only if it should
 // be assumed to be defined (query may fail due to no such object
 // class existing otherwise)
- if (confService.getConfigurationBaseDN() != null)
- return new NotNode(new EqualityNode("objectClass","guacConfigGroup"));
-
- // Read any object as a group if LDAP is not being used for connection
- // storage (guacConfigGroup)
- return new PresenceNode("objectClass");
+ if (confService.getConfigurationBaseDN() != null) {
+ groupFilter = new AndNode(
+ groupFilter,
+ new NotNode(new EqualityNode("objectClass", "guacConfigGroup"))
+ );
+ }
 
+ return groupFilter;
+
 }
 
 /**
diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh
index e6bd50e99..062e16a06 100755
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@ -443,6 +443,7 @@ END
 set_optional_property "ldap-user-search-filter" "$LDAP_USER_SEARCH_FILTER"
 set_optional_property "ldap-config-base-dn" "$LDAP_CONFIG_BASE_DN"
 set_optional_property "ldap-group-base-dn" "$LDAP_GROUP_BASE_DN"
+ set_optional_property "ldap-group-search-filter" "$LDAP_GROUP_SEARCH_FILTER"
 set_optional_property "ldap-member-attribute-type" "$LDAP_MEMBER_ATTRIBUTE_TYPE"
 set_optional_property "ldap-group-name-attribute" "$LDAP_GROUP_NAME_ATTRIBUTE"
 set_optional_property "ldap-dereference-aliases" "$LDAP_DEREFERENCE_ALIASES"
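Review bot: The Javadoc of UserGroupService.getGroupSearchFilter() begins above the hunk (only its closing `*/` is visible) and is not touched by the commit, so it presumably still describes the old contract of matching any object unless guacConfigGroup must be excluded; it should now say that the administrator-configured `ldap-group-search-filter` (default `(objectClass=*)`) is the basis of every group query and that the guacConfigGroup exclusion is AND-ed onto it only when `ldap-config-base-dn` is set. The removed comment `// Read any object as a group if LDAP is not being used for connection storage` carried the useful warning that the default treats every entry as a candidate group, which the new comment `// Use filter defined by "ldap-group-search-filter" as basis for all retrieval of user groups` no longer conveys; consider appending `(defaults to "(objectClass=*)", i.e. any entry)` to it so the breadth of the default stays visible at the query site. The filter value comes from guacamole.properties rather than from a request, so the AndNode composition itself raises no injection concern.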