diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
index 769d4c39d..5c7747b1d 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
@@ -25,6 +25,7 @@ import java.util.List;
 import org.apache.directory.api.ldap.model.filter.ExprNode;
 import org.apache.directory.api.ldap.model.filter.PresenceNode;
 import org.apache.directory.api.ldap.model.message.AliasDerefMode;
+import org.apache.directory.api.ldap.model.filter.EqualityNode;
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.environment.Environment;
@@ -321,6 +322,26 @@ public class ConfigurationService {
 );
 }
+ /**
+ * Returns the search filter that should be used when querying the
+ * LDAP server for Guacamole groups. If no filter is specified,
+ * a default of "(objectClass=group)" is returned.
+ *
+ * @return
+ * The search filter that should be used when querying the
+ * LDAP server for groups that are valid in Guacamole, or
+ * "(objectClass=group)" if not specified.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public ExprNode getGroupSearchFilter() throws GuacamoleException {
+ return environment.getProperty(
+ LDAPGuacamoleProperties.LDAP_GROUP_SEARCH_FILTER,
+ new EqualityNode("objectClass","group")
+ );
+ }
+
 /**
 * Returns the maximum number of seconds to wait for LDAP operations.
 *
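Review bot: The fallback `new EqualityNode("objectClass","group")` in getGroupSearchFilter() is narrower than what the extension did before this commit, where UserGroupService returned `new PresenceNode("objectClass")` when no configuration base DN was set. Directories whose group entries use a different object class (for example `groupOfNames` or `posixGroup`) would match no groups after an upgrade unless the operator sets `ldap-group-search-filter`, so any permissions that are presumably derived from those groups would silently stop applying. Keeping `new PresenceNode("objectClass")` as the default preserves the existing behaviour (PresenceNode is already imported in this file), with the Javadoc default changed to `(objectClass=*)`. The Javadoc could also say that operators can set the property to restrict which directory entries are read as groups.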
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
index 231362970..5bf5cfbd6 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
@@ -210,6 +210,17 @@ public class LDAPGuacamoleProperties {
 };
+ /**
+ * A search filter to apply to group LDAP queries.
+ */
+ public static final LdapFilterGuacamoleProperty LDAP_GROUP_SEARCH_FILTER =
+ new LdapFilterGuacamoleProperty() {
+
+ @Override
+ public String getName() { return "ldap-group-search-filter"; }
+
+ };
+
 /**
 * Whether or not we should follow referrals.
 */
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
index 66f4612a0..2f1fe75ba 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java
@@ -87,9 +87,9 @@ public class UserGroupService {
 if (confService.getConfigurationBaseDN() != null)
 return new NotNode(new EqualityNode("objectClass","guacConfigGroup"));
- // Read any object as a group if LDAP is not being used for connection
- // storage (guacConfigGroup)
- return new PresenceNode("objectClass");
+ // Read objects from LDAP with filter defined by "ldap-group-search-filter"
+ // as a group if LDAP is not being used for connection storage (guacConfigGroup)
+ return confService.getGroupSearchFilter();
 }
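Review bot: The Javadoc on LDAP_GROUP_SEARCH_FILTER does not say what the filter selects, which default applies, or when it is consulted. I would expand it to something like `A search filter applied when querying LDAP for user groups; only entries matching it are read as Guacamole groups.` It should also name the default used when the property is unset and note that, as UserGroupService is written in this commit, the filter is not consulted when a configuration base DN is set.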
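Review bot: The configured `ldap-group-search-filter` is silently ignored whenever `confService.getConfigurationBaseDN()` is non-null, because the early `return new NotNode(...)` above the changed lines still runs first. An operator who sets the property to restrict which entries count as groups would get no restriction in exactly the deployments that also store connections in LDAP. Using the configured filter as the base and AND-ing the guacConfigGroup exclusion onto it makes the property apply in both cases. This needs `AndNode` from `org.apache.directory.api.ldap.model.filter` (and `ExprNode`, if this file does not already import it). The enclosing method starts outside the hunk.

```java
// … unchanged: start of the enclosing method, outside the hunk …

// Use the filter from "ldap-group-search-filter" as the basis for all group queries
ExprNode groupFilter = confService.getGroupSearchFilter();

// Exclude guacConfigGroup only when LDAP is also used for connection storage
if (confService.getConfigurationBaseDN() != null)
    groupFilter = new AndNode(groupFilter,
            new NotNode(new EqualityNode("objectClass","guacConfigGroup")));

return groupFilter;
```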