From cb61fc8312c7393faba1b2af951241960c10b3ee Mon Sep 17 00:00:00 2001
From: Edgardo Rodriguez
Date: Sat, 4 Apr 2020 18:31:30 -0300
Subject: [PATCH 1/4] GUACAMOLE-996: Add support for configuring group filter.
---
 .../auth/ldap/conf/ConfigurationService.java | 21 +++++++++++++++++++
 .../ldap/conf/LDAPGuacamoleProperties.java | 11 ++++++++++
 .../auth/ldap/group/UserGroupService.java | 6 +++---
 3 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
index 769d4c39d..5c7747b1d 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
@@ -25,6 +25,7 @@ import java.util.List;
 import org.apache.directory.api.ldap.model.filter.ExprNode;
 import org.apache.directory.api.ldap.model.filter.PresenceNode;
 import org.apache.directory.api.ldap.model.message.AliasDerefMode;
+import org.apache.directory.api.ldap.model.filter.EqualityNode;
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.environment.Environment;
@@ -321,6 +322,26 @@ public class ConfigurationService {
 );
 }
 
+ /**
+ * Returns the search filter that should be used when querying the
+ * LDAP server for Guacamole groups. If no filter is specified,
+ * a default of "(objectClass=group)" is returned.
+ *
+ * @return
+ * The search filter that should be used when querying the
+ * LDAP server for groups that are valid in Guacamole, or
+ * "(objectClass=group)" if not specified.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public ExprNode getGroupSearchFilter() throws GuacamoleException {
+ return environment.getProperty(
+ LDAPGuacamoleProperties.LDAP_GROUP_SEARCH_FILTER,
+ new EqualityNode("objectClass","group")
+ );
+ }
+
 /**
 * Returns the maximum number of seconds to wait for LDAP operations.
 *
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
index 231362970..5bf5cfbd6 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
@@ -210,6 +210,17 @@ public class LDAPGuacamoleProperties {
 
 };
 
+ /**
+ * A search filter to apply to group LDAP queries.
+ */
+ public static final LdapFilterGuacamoleProperty LDAP_GROUP_SEARCH_FILTER =
+ new LdapFilterGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "ldap-group-search-filter"; }
+
+ };
+
 /**
 * Whether or not we should follow referrals.
 */
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
index 66f4612a0..2f1fe75ba 100644
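Review bot: The Javadoc on `LDAP_GROUP_SEARCH_FILTER` says only that it is a filter for group queries; it leaves out that the value is an LDAP filter expression (which the `LdapFilterGuacamoleProperty` type suggests it is parsed as) and that an unset property falls back to the default chosen in `ConfigurationService.getGroupSearchFilter()`, which is where the behaviour of deployments that never set the property is decided. Suggested wording: `/** A search filter to apply to group LDAP queries. The value is parsed as an LDAP filter expression; if unset, the default returned by ConfigurationService#getGroupSearchFilter() is used. */`. This keeps the property's contract readable without having to follow the reference into ConfigurationService.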
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
@@ -87,9 +87,9 @@ public class UserGroupService {
 if (confService.getConfigurationBaseDN() != null)
 return new NotNode(new EqualityNode("objectClass","guacConfigGroup"));
 
- // Read any object as a group if LDAP is not being used for connection
- // storage (guacConfigGroup)
- return new PresenceNode("objectClass");
+ // Read objects from LDAP with filter defined by "ldap-group-search-filter"
+ // as a group if LDAP is not being used for connection storage (guacConfigGroup)
+ return confService.getGroupSearchFilter();
 
 }
 
From 38c03ddfd7aa404f2970ef0c9b69d3ec16365a76 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Fri, 25 Jun 2021 00:32:06 -0700
Subject: [PATCH 2/4] GUACAMOLE-996: Use "(objectClass=*)" as default group filter.
---
 .../guacamole/auth/ldap/conf/ConfigurationService.java | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
index 5c7747b1d..2071dfa02 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
@@ -25,7 +25,6 @@ import java.util.List;
 import org.apache.directory.api.ldap.model.filter.ExprNode;
 import org.apache.directory.api.ldap.model.filter.PresenceNode;
 import org.apache.directory.api.ldap.model.message.AliasDerefMode;
-import org.apache.directory.api.ldap.model.filter.EqualityNode;
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.environment.Environment;
@@ -325,12 +324,12 @@ public class ConfigurationService {
 /**
 * Returns the search filter that should be used when querying the
 * LDAP server for Guacamole groups. If no filter is specified,
- * a default of "(objectClass=group)" is returned.
+ * a default of "(objectClass=*)" is used.
 *
 * @return
 * The search filter that should be used when querying the
 * LDAP server for groups that are valid in Guacamole, or
- * "(objectClass=group)" if not specified.
+ * "(objectClass=*)" if not specified.
 *
 * @throws GuacamoleException
 * If guacamole.properties cannot be parsed.
@@ -338,7 +337,7 @@ public class ConfigurationService {
 public ExprNode getGroupSearchFilter() throws GuacamoleException {
 return environment.getProperty(
 LDAPGuacamoleProperties.LDAP_GROUP_SEARCH_FILTER,
- new EqualityNode("objectClass","group")
+ new PresenceNode("objectClass")
 );
 }
 
From 962696199a1ed5866c5efc9f5b2d6415ef5196b2 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Mon, 26 Jul 2021 02:19:56 -0700
Subject: [PATCH 3/4] GUACAMOLE-996: Always apply LDAP group filter, regardless of whether "ldap-config-base-dn" is set.
---
 .../auth/ldap/group/UserGroupService.java | 20 ++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
index 2f1fe75ba..6d97a930a 100644
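Review bot: With `new PresenceNode("objectClass")` as the fallback in the last hunk, every entry reached by the group search is accepted as a Guacamole group when `ldap-group-search-filter` is unset, because `(objectClass=*)` matches any entry; the updated Javadoc names the default but does not spell out that it restricts nothing. Suggest adding to the method's Javadoc, after the sentence naming the default: ` * This default matches every entry; set "ldap-group-search-filter" to` / ` * narrow which LDAP objects are treated as Guacamole groups.`. Stating this where the default is defined helps an administrator reading the code understand that which objects become Guacamole groups is, by default, decided entirely by where the search is rooted rather than by this filter.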
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
@@ -28,10 +28,10 @@ import java.util.Map;
 import java.util.Set;
 import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.filter.AndNode;
 import org.apache.directory.api.ldap.model.filter.EqualityNode;
 import org.apache.directory.api.ldap.model.filter.ExprNode;
 import org.apache.directory.api.ldap.model.filter.NotNode;
-import org.apache.directory.api.ldap.model.filter.PresenceNode;
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.ldap.client.api.LdapNetworkConnection;
 import org.apache.guacamole.auth.ldap.conf.ConfigurationService;
@@ -81,16 +81,22 @@ public class UserGroupService {
 */
 private ExprNode getGroupSearchFilter() throws GuacamoleException {
 
+ // Use filter defined by "ldap-group-search-filter" as basis for all
+ // retrieval of user groups
+ ExprNode groupFilter = confService.getGroupSearchFilter();
+
 // Explicitly exclude guacConfigGroup object class only if it should
 // be assumed to be defined (query may fail due to no such object
 // class existing otherwise)
- if (confService.getConfigurationBaseDN() != null)
- return new NotNode(new EqualityNode("objectClass","guacConfigGroup"));
-
- // Read objects from LDAP with filter defined by "ldap-group-search-filter"
- // as a group if LDAP is not being used for connection storage (guacConfigGroup)
- return confService.getGroupSearchFilter();
+ if (confService.getConfigurationBaseDN() != null) {
+ groupFilter = new AndNode(
+ groupFilter,
+ new NotNode(new EqualityNode("objectClass", "guacConfigGroup"))
+ );
+ }
 
+ return groupFilter;
+
 }
 
 /**
From 5e61ec7e84f8ab12777315e27d7ffb99fffa0c06 Mon Sep 17 00:00:00 2001
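Review bot: The Javadoc of the private `getGroupSearchFilter()` begins above the second hunk (only its closing ` */` is visible) and is not touched by this commit, so it presumably still describes the earlier behaviour in which the configured filter was consulted only when `ldap-config-base-dn` was unset. It should now state that the method returns the filter from `ldap-group-search-filter` (or its default) and, when `ldap-config-base-dn` is set, that filter ANDed with `(!(objectClass=guacConfigGroup))`. Separately, this private method and `confService.getGroupSearchFilter()` share a name but return different things — the raw configured filter versus the effective filter with the guacConfigGroup exclusion applied — so either a sentence in the Javadoc making that distinction or a rename such as `getEffectiveGroupSearchFilter()` would keep the two from being confused. The enclosing method ends inside the hunk; its Javadoc starts outside it.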
From: Michael Jumper
Date: Mon, 26 Jul 2021 02:22:35 -0700
Subject: [PATCH 4/4] GUACAMOLE-996: Add LDAP_GROUP_SEARCH_FILTER variable to Docker image.
---
 guacamole-docker/bin/start.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh
index e6bd50e99..062e16a06 100755
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@ -443,6 +443,7 @@ END
 set_optional_property "ldap-user-search-filter" "$LDAP_USER_SEARCH_FILTER"
 set_optional_property "ldap-config-base-dn" "$LDAP_CONFIG_BASE_DN"
 set_optional_property "ldap-group-base-dn" "$LDAP_GROUP_BASE_DN"
+ set_optional_property "ldap-group-search-filter" "$LDAP_GROUP_SEARCH_FILTER"
 set_optional_property "ldap-member-attribute-type" "$LDAP_MEMBER_ATTRIBUTE_TYPE"
 set_optional_property "ldap-group-name-attribute" "$LDAP_GROUP_NAME_ATTRIBUTE"
 set_optional_property "ldap-dereference-aliases" "$LDAP_DEREFERENCE_ALIASES"