GUACAMOLE-996: Merge add support for specifying an LDAP group filter.

2025-09-06 05:07:41 +00:00 · 2021-07-26 09:55:48 -04:00
parent 5d05442057 5e61ec7e84
commit 925621a707
4 changed files with 45 additions and 7 deletions
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
@@ -321,6 +321,26 @@ public class ConfigurationService {
        );
    }

+    /**
+     * Returns the search filter that should be used when querying the
+     * LDAP server for Guacamole groups.  If no filter is specified,
+     * a default of "(objectClass=*)" is used.
+     *
+     * @return
+     *     The search filter that should be used when querying the
+     *     LDAP server for groups that are valid in Guacamole, or
+     *     "(objectClass=*)" if not specified.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public ExprNode getGroupSearchFilter() throws GuacamoleException {
+        return environment.getProperty(
+            LDAPGuacamoleProperties.LDAP_GROUP_SEARCH_FILTER,
+            new PresenceNode("objectClass")
+        );
+    }
+
    /**
     * Returns the maximum number of seconds to wait for LDAP operations.
     *
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
@@ -210,6 +210,17 @@ public class LDAPGuacamoleProperties {

    };

+    /**
+     * A search filter to apply to group LDAP queries.
+     */
+    public static final LdapFilterGuacamoleProperty LDAP_GROUP_SEARCH_FILTER =
+            new LdapFilterGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "ldap-group-search-filter"; }
+
+    };
+
    /**
     * Whether or not we should follow referrals.
     */
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
@@ -28,10 +28,10 @@ import java.util.Map;
 import java.util.Set;
 import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.filter.AndNode;
 import org.apache.directory.api.ldap.model.filter.EqualityNode;
 import org.apache.directory.api.ldap.model.filter.ExprNode;
 import org.apache.directory.api.ldap.model.filter.NotNode;
-import org.apache.directory.api.ldap.model.filter.PresenceNode;
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.ldap.client.api.LdapNetworkConnection;
 import org.apache.guacamole.auth.ldap.conf.ConfigurationService;
@@ -81,15 +81,21 @@ public class UserGroupService {
     */
    private ExprNode getGroupSearchFilter() throws GuacamoleException {

+        // Use filter defined by "ldap-group-search-filter" as basis for all
+        // retrieval of user groups
+        ExprNode groupFilter = confService.getGroupSearchFilter();
+
        // Explicitly exclude guacConfigGroup object class only if it should
        // be assumed to be defined (query may fail due to no such object
        // class existing otherwise)
-        if (confService.getConfigurationBaseDN() != null)
-            return new NotNode(new EqualityNode("objectClass","guacConfigGroup"));
+        if (confService.getConfigurationBaseDN() != null) {
+            groupFilter = new AndNode(
+                groupFilter,
+                new NotNode(new EqualityNode<String>("objectClass", "guacConfigGroup"))
+            );
+        }

-        // Read any object as a group if LDAP is not being used for connection
-        // storage (guacConfigGroup)
-        return new PresenceNode("objectClass");
+        return groupFilter;
        
    }

--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@ -443,6 +443,7 @@ END
    set_optional_property "ldap-user-search-filter"         "$LDAP_USER_SEARCH_FILTER"
    set_optional_property "ldap-config-base-dn"             "$LDAP_CONFIG_BASE_DN"
    set_optional_property "ldap-group-base-dn"              "$LDAP_GROUP_BASE_DN"
+    set_optional_property "ldap-group-search-filter"        "$LDAP_GROUP_SEARCH_FILTER"
    set_optional_property "ldap-member-attribute-type"      "$LDAP_MEMBER_ATTRIBUTE_TYPE"
    set_optional_property "ldap-group-name-attribute"       "$LDAP_GROUP_NAME_ATTRIBUTE"
    set_optional_property "ldap-dereference-aliases"        "$LDAP_DEREFERENCE_ALIASES"