Merge pull request #288 from glyptodon/ldap-tokens

GUAC-1342: Restore use of parameter tokens within LDAP
2025-09-06 13:17:41 +00:00 · 2015-11-03 20:18:33 -08:00
parent 34c7ec4798 c530865a95
commit db2a00dcb8
3 changed files with 23 additions and 4 deletions
--- a/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/connection/ConnectionService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/connection/ConnectionService.java
@@ -37,9 +37,12 @@ import org.glyptodon.guacamole.auth.ldap.ConfigurationService;
 import org.glyptodon.guacamole.auth.ldap.EscapingService;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleServerException;
+import org.glyptodon.guacamole.net.auth.AuthenticatedUser;
 import org.glyptodon.guacamole.net.auth.Connection;
 import org.glyptodon.guacamole.net.auth.simple.SimpleConnection;
 import org.glyptodon.guacamole.protocol.GuacamoleConfiguration;
+import org.glyptodon.guacamole.token.StandardTokens;
+import org.glyptodon.guacamole.token.TokenFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

@@ -72,6 +75,10 @@ public class ConnectionService {
     * Returns all Guacamole connections accessible to the user currently bound
     * under the given LDAP connection.
     *
+     * @param user
+     *     The AuthenticatedUser object associated with the user who is
+     *     currently authenticated with Guacamole.
+     *
     * @param ldapConnection
     *     The current connection to the LDAP server, associated with the
     *     current user.
@@ -84,8 +91,8 @@ public class ConnectionService {
     * @throws GuacamoleException
     *     If an error occurs preventing retrieval of connections.
     */
-    public Map<String, Connection> getConnections(LDAPConnection ldapConnection)
-            throws GuacamoleException {
+    public Map<String, Connection> getConnections(AuthenticatedUser user,
+            LDAPConnection ldapConnection) throws GuacamoleException {

        // Do not return any connections if base DN is not specified
        String configurationBaseDN = confService.getConfigurationBaseDN();
@@ -111,6 +118,10 @@ public class ConnectionService {
                false
            );

+            // Build token filter containing credential tokens
+            TokenFilter tokenFilter = new TokenFilter();
+            StandardTokens.addStandardTokens(tokenFilter, user.getCredentials());
+
            // Produce connections for each readable configuration
            Map<String, Connection> connections = new HashMap<String, Connection>();
            while (results.hasMore()) {
@@ -163,6 +174,9 @@ public class ConnectionService {

                }

+                // Filter the configuration, substituting all defined tokens
+                tokenFilter.filterValues(config.getParameters());
+
                // Store connection using cn for both identifier and name
                String name = cn.getStringValue();
                Connection connection = new SimpleConnection(name, name, config);
--- a/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/user/UserContext.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/user/UserContext.java
@@ -134,7 +134,7 @@ public class UserContext implements org.glyptodon.guacamole.net.auth.UserContext

        // Query all accessible connections
        connectionDirectory = new SimpleDirectory<Connection>(
-            connectionService.getConnections(ldapConnection)
+            connectionService.getConnections(user, ldapConnection)
        );

        // Root group contains only connections
--- a/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/user/UserService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/glyptodon/guacamole/auth/ldap/user/UserService.java
@@ -36,6 +36,7 @@ import org.glyptodon.guacamole.auth.ldap.ConfigurationService;
 import org.glyptodon.guacamole.auth.ldap.EscapingService;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleServerException;
+import org.glyptodon.guacamole.auth.ldap.LDAPGuacamoleProperties;
 import org.glyptodon.guacamole.net.auth.User;
 import org.glyptodon.guacamole.net.auth.simple.SimpleUser;
 import org.slf4j.Logger;
@@ -296,7 +297,11 @@ public class UserService {

        // We need exactly one base DN to derive the user DN
        if (usernameAttributes.size() != 1) {
-            logger.warn("Cannot directly derive user DN when multiple username attributes are specified");
+            logger.warn(String.format("Cannot directly derive user DN when "
+                      + "multiple username attributes are specified. Please "
+                      + "define an LDAP search DN using the \"%s\" property "
+                      + "in your \"guacamole.properties\".",
+                      LDAPGuacamoleProperties.LDAP_SEARCH_BIND_DN.getName()));
            return null;
        }