GUACAMOLE-593: Merge support for configuring the LDAP attribute used to define group membership.

2025-09-06 05:07:41 +00:00 · 2018-07-31 09:24:47 -07:00
parent 5ce0c0f035 735b22bcf0
commit a34bbcf637
3 changed files with 38 additions and 2 deletions
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
@@ -358,5 +358,23 @@ public class ConfigurationService {
            LDAPGuacamoleProperties.LDAP_USER_ATTRIBUTES
        );
    }
+    
+    /**
+     * Returns the name of the LDAP attribute used to enumerate
+     * members in a group, or "member" by default.
+     * 
+     * @return
+     *     The name of the LDAP attribute to use to enumerate
+     *     members in a group.
+     * 
+     * @throws GuacamoleException
+     *     If guacamole.properties connect be parsed.
+     */
+    public String getMemberAttribute() throws GuacamoleException {
+        return environment.getProperty(
+            LDAPGuacamoleProperties.LDAP_MEMBER_ATTRIBUTE,
+            "member"
+        );
+    }

 }
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
@@ -215,4 +215,14 @@ public class LDAPGuacamoleProperties {
        public String getName() { return "ldap-user-attributes"; }

    };
+    
+    /**
+     * LDAP attribute used to enumerate members of a group in the LDAP directory.
+     */
+    public static final StringGuacamoleProperty LDAP_MEMBER_ATTRIBUTE = new StringGuacamoleProperty() {
+      
+        @Override
+        public String getName() { return "ldap-member-attribute"; }
+        
+    };
 }
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
@@ -245,7 +245,11 @@ public class ConnectionService {
        StringBuilder connectionSearchFilter = new StringBuilder();

        // Add the prefix to the search filter, prefix filter searches for guacConfigGroups with the userDN as the member attribute value
-        connectionSearchFilter.append("(&(objectClass=guacConfigGroup)(|(member=");
+        connectionSearchFilter.append("(&(objectClass=guacConfigGroup)");
+        connectionSearchFilter.append("(|(");
+        connectionSearchFilter.append(escapingService.escapeLDAPSearchFilter(
+                confService.getMemberAttribute()));
+        connectionSearchFilter.append("=");
        connectionSearchFilter.append(escapingService.escapeLDAPSearchFilter(userDN));
        connectionSearchFilter.append(")");

@@ -257,7 +261,11 @@ public class ConnectionService {
            LDAPSearchResults userRoleGroupResults = ldapConnection.search(
                groupBaseDN,
                LDAPConnection.SCOPE_SUB,
-                "(&(!(objectClass=guacConfigGroup))(member=" + escapingService.escapeLDAPSearchFilter(userDN) + "))",
+                "(&(!(objectClass=guacConfigGroup))(" 
+                        + escapingService.escapeLDAPSearchFilter(
+                                confService.getMemberAttribute()) 
+                        + "=" + escapingService.escapeLDAPSearchFilter(userDN) 
+                        + "))",
                null,
                false,
                confService.getLDAPSearchConstraints()