This is an automated email from the ASF dual-hosted git repository.
dahn pushed a commit to branch 4.22
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.22 by this push:
new e90e31d3861 add isPerson check to query for AD (#11843)
e90e31d3861 is described below
commit e90e31d3861235553673c7789a252bc4ce512027
Author: dahn <[email protected]>
AuthorDate: Wed Nov 12 16:09:28 2025 +0100
add isPerson check to query for AD (#11843)
---
.../cloudstack/ldap/ADLdapUserManagerImpl.java | 18 ++-
.../cloudstack/ldap/OpenLdapUserManagerImpl.java | 139 ++++++++++-----------
.../cloudstack/ldap/ADLdapUserManagerImplTest.java | 5 +-
3 files changed, 78 insertions(+), 84 deletions(-)
diff --git
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
index e96606dca2f..bf5d503e841 100644
---
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
+++
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
@@ -49,7 +49,7 @@ public class ADLdapUserManagerImpl extends
OpenLdapUserManagerImpl implements Ld
searchControls.setReturningAttributes(_ldapConfiguration.getReturnAttributes(domainId));
NamingEnumeration<SearchResult> results = context.search(basedn,
generateADGroupSearchFilter(groupName, domainId), searchControls);
- final List<LdapUser> users = new ArrayList<LdapUser>();
+ final List<LdapUser> users = new ArrayList<>();
while (results.hasMoreElements()) {
final SearchResult result = results.nextElement();
users.add(createUser(result, domainId));
@@ -58,10 +58,8 @@ public class ADLdapUserManagerImpl extends
OpenLdapUserManagerImpl implements Ld
}
String generateADGroupSearchFilter(String groupName, Long domainId) {
- final StringBuilder userObjectFilter = new StringBuilder();
- userObjectFilter.append("(objectClass=");
- userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
- userObjectFilter.append(")");
+
+ final StringBuilder userObjectFilter = getUserObjectFilter(domainId);
final StringBuilder memberOfFilter = new StringBuilder();
String groupCnName = _ldapConfiguration.getCommonNameAttribute() +
"=" +groupName + "," + _ldapConfiguration.getBaseDn(domainId);
@@ -75,10 +73,18 @@ public class ADLdapUserManagerImpl extends
OpenLdapUserManagerImpl implements Ld
result.append(memberOfFilter);
result.append(")");
- logger.debug("group search filter = " + result);
+ logger.debug("group search filter = {}", result);
return result.toString();
}
+ StringBuilder getUserObjectFilter(Long domainId) {
+ final StringBuilder userObjectFilter = new StringBuilder();
+ userObjectFilter.append("(&(objectCategory=person)");
+ userObjectFilter.append(super.getUserObjectFilter(domainId));
+ userObjectFilter.append(")");
+ return userObjectFilter;
+ }
+
protected boolean isUserDisabled(SearchResult result) throws
NamingException {
boolean isDisabledUser = false;
String userAccountControl =
LdapUtils.getAttributeValue(result.getAttributes(),
_ldapConfiguration.getUserAccountControlAttribute());
diff --git
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
index d0b6bc4bd34..80d394d7478 100644
---
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
+++
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
@@ -75,23 +75,15 @@ public class OpenLdapUserManagerImpl implements
LdapUserManager {
}
private String generateSearchFilter(final String username, Long domainId) {
- final StringBuilder userObjectFilter = new StringBuilder();
- userObjectFilter.append("(objectClass=");
- userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
- userObjectFilter.append(")");
+ final StringBuilder userObjectFilter = getUserObjectFilter(domainId);
- final StringBuilder usernameFilter = new StringBuilder();
- usernameFilter.append("(");
-
usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
- usernameFilter.append("=");
- usernameFilter.append((username == null ? "*" :
LdapUtils.escapeLDAPSearchFilter(username)));
- usernameFilter.append(")");
+ final StringBuilder usernameFilter = getUsernameFilter(username,
domainId);
String memberOfAttribute = getMemberOfAttribute(domainId);
StringBuilder ldapGroupsFilter = new StringBuilder();
// this should get the trustmaps for this domain
List<String> ldapGroups = getMappedLdapGroups(domainId);
- if (null != ldapGroups && ldapGroups.size() > 0) {
+ if (!ldapGroups.isEmpty()) {
ldapGroupsFilter.append("(|");
for (String ldapGroup : ldapGroups) {
ldapGroupsFilter.append(getMemberOfGroupString(ldapGroup,
memberOfAttribute));
@@ -104,21 +96,35 @@ public class OpenLdapUserManagerImpl implements
LdapUserManager {
if (null != pricipleGroup) {
principleGroupFilter.append(getMemberOfGroupString(pricipleGroup,
memberOfAttribute));
}
- final StringBuilder result = new StringBuilder();
- result.append("(&");
- result.append(userObjectFilter);
- result.append(usernameFilter);
- result.append(ldapGroupsFilter);
- result.append(principleGroupFilter);
- result.append(")");
-
- String returnString = result.toString();
- if (logger.isTraceEnabled()) {
- logger.trace("constructed ldap query: " + returnString);
- }
+
+ String returnString = "(&" +
+ userObjectFilter +
+ usernameFilter +
+ ldapGroupsFilter +
+ principleGroupFilter +
+ ")";
+ logger.trace("constructed ldap query: {}", returnString);
return returnString;
}
+ private StringBuilder getUsernameFilter(String username, Long domainId) {
+ final StringBuilder usernameFilter = new StringBuilder();
+ usernameFilter.append("(");
+
usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
+ usernameFilter.append("=");
+ usernameFilter.append((username == null ? "*" :
LdapUtils.escapeLDAPSearchFilter(username)));
+ usernameFilter.append(")");
+ return usernameFilter;
+ }
+
+ StringBuilder getUserObjectFilter(Long domainId) {
+ final StringBuilder userObjectFilter = new StringBuilder();
+ userObjectFilter.append("(objectClass=");
+ userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
+ userObjectFilter.append(")");
+ return userObjectFilter;
+ }
+
private List<String> getMappedLdapGroups(Long domainId) {
List <String> ldapGroups = new ArrayList<>();
// first get the trustmaps
@@ -134,37 +140,31 @@ public class OpenLdapUserManagerImpl implements
LdapUserManager {
private String getMemberOfGroupString(String group, String
memberOfAttribute) {
final StringBuilder memberOfFilter = new StringBuilder();
if (null != group) {
- if(logger.isDebugEnabled()) {
- logger.debug("adding search filter for '" + group +
- "', using '" + memberOfAttribute + "'");
- }
- memberOfFilter.append("(" + memberOfAttribute + "=");
- memberOfFilter.append(group);
- memberOfFilter.append(")");
+ logger.debug("adding search filter for '{}', using '{}'", group,
memberOfAttribute);
+ memberOfFilter.append("(")
+ .append(memberOfAttribute)
+ .append("=")
+ .append(group)
+ .append(")");
}
return memberOfFilter.toString();
}
private String generateGroupSearchFilter(final String groupName, Long
domainId) {
- final StringBuilder groupObjectFilter = new StringBuilder();
- groupObjectFilter.append("(objectClass=");
- groupObjectFilter.append(_ldapConfiguration.getGroupObject(domainId));
- groupObjectFilter.append(")");
-
- final StringBuilder groupNameFilter = new StringBuilder();
- groupNameFilter.append("(");
- groupNameFilter.append(_ldapConfiguration.getCommonNameAttribute());
- groupNameFilter.append("=");
- groupNameFilter.append((groupName == null ? "*" :
LdapUtils.escapeLDAPSearchFilter(groupName)));
- groupNameFilter.append(")");
-
- final StringBuilder result = new StringBuilder();
- result.append("(&");
- result.append(groupObjectFilter);
- result.append(groupNameFilter);
- result.append(")");
-
- return result.toString();
+ String groupObjectFilter = "(objectClass=" +
+ _ldapConfiguration.getGroupObject(domainId) +
+ ")";
+
+ String groupNameFilter = "(" +
+ _ldapConfiguration.getCommonNameAttribute() +
+ "=" +
+ (groupName == null ? "*" :
LdapUtils.escapeLDAPSearchFilter(groupName)) +
+ ")";
+
+ return "(&" +
+ groupObjectFilter +
+ groupNameFilter +
+ ")";
}
@Override
@@ -186,17 +186,9 @@ public class OpenLdapUserManagerImpl implements
LdapUserManager {
basedn = _ldapConfiguration.getBaseDn(domainId);
}
- final StringBuilder userObjectFilter = new StringBuilder();
- userObjectFilter.append("(objectClass=");
- userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
- userObjectFilter.append(")");
+ final StringBuilder userObjectFilter = getUserObjectFilter(domainId);
- final StringBuilder usernameFilter = new StringBuilder();
- usernameFilter.append("(");
-
usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
- usernameFilter.append("=");
- usernameFilter.append((username == null ? "*" :
LdapUtils.escapeLDAPSearchFilter(username)));
- usernameFilter.append(")");
+ final StringBuilder usernameFilter = getUsernameFilter(username,
domainId);
final StringBuilder memberOfFilter = new StringBuilder();
if ("GROUP".equals(type)) {
@@ -205,18 +197,17 @@ public class OpenLdapUserManagerImpl implements
LdapUserManager {
memberOfFilter.append(")");
}
- final StringBuilder searchQuery = new StringBuilder();
- searchQuery.append("(&");
- searchQuery.append(userObjectFilter);
- searchQuery.append(usernameFilter);
- searchQuery.append(memberOfFilter);
- searchQuery.append(")");
+ String searchQuery = "(&" +
+ userObjectFilter +
+ usernameFilter +
+ memberOfFilter +
+ ")";
- return searchUser(basedn, searchQuery.toString(), context, domainId);
+ return searchUser(basedn, searchQuery, context, domainId);
}
protected String getMemberOfAttribute(final Long domainId) {
- return _ldapConfiguration.getUserMemberOfAttribute(domainId);
+ return LdapConfiguration.getUserMemberOfAttribute(domainId);
}
@Override
@@ -243,7 +234,7 @@ public class OpenLdapUserManagerImpl implements
LdapUserManager {
NamingEnumeration<SearchResult> result =
context.search(_ldapConfiguration.getBaseDn(domainId),
generateGroupSearchFilter(groupName, domainId), controls);
- final List<LdapUser> users = new ArrayList<LdapUser>();
+ final List<LdapUser> users = new ArrayList<>();
//Expecting only one result which has all the users
if (result.hasMoreElements()) {
Attribute attribute =
result.nextElement().getAttributes().get(attributeName);
@@ -254,7 +245,7 @@ public class OpenLdapUserManagerImpl implements
LdapUserManager {
try{
users.add(getUserForDn(userdn, context, domainId));
} catch (NamingException e){
- logger.info("Userdn: " + userdn + " Not Found:: Exception
message: " + e.getMessage());
+ logger.info("Userdn: {} Not Found:: Exception message:
{}", userdn, e.getMessage());
}
}
}
@@ -286,17 +277,15 @@ public class OpenLdapUserManagerImpl implements
LdapUserManager {
return false;
}
- public LdapUser searchUser(final String basedn, final String searchString,
final LdapContext context, Long domainId) throws NamingException, IOException {
+ public LdapUser searchUser(final String basedn, final String searchString,
final LdapContext context, Long domainId) throws NamingException {
final SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(_ldapConfiguration.getScope());
searchControls.setReturningAttributes(_ldapConfiguration.getReturnAttributes(domainId));
NamingEnumeration<SearchResult> results = context.search(basedn,
searchString, searchControls);
- if(logger.isDebugEnabled()) {
- logger.debug("searching user(s) with filter: \"" + searchString +
"\"");
- }
- final List<LdapUser> users = new ArrayList<LdapUser>();
+ logger.debug("searching user(s) with filter: \"{}\"", searchString);
+ final List<LdapUser> users = new ArrayList<>();
while (results.hasMoreElements()) {
final SearchResult result = results.nextElement();
users.add(createUser(result, domainId));
@@ -324,7 +313,7 @@ public class OpenLdapUserManagerImpl implements
LdapUserManager {
byte[] cookie = null;
int pageSize = _ldapConfiguration.getLdapPageSize(domainId);
context.setRequestControls(new Control[]{new
PagedResultsControl(pageSize, Control.NONCRITICAL)});
- final List<LdapUser> users = new ArrayList<LdapUser>();
+ final List<LdapUser> users = new ArrayList<>();
NamingEnumeration<SearchResult> results;
do {
results = context.search(basedn, generateSearchFilter(username,
domainId), searchControls);
diff --git
a/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/ldap/ADLdapUserManagerImplTest.java
b/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/ldap/ADLdapUserManagerImplTest.java
index 58b14ec3684..f2ac1dffaf9 100644
---
a/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/ldap/ADLdapUserManagerImplTest.java
+++
b/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/ldap/ADLdapUserManagerImplTest.java
@@ -54,9 +54,8 @@ public class ADLdapUserManagerImplTest {
String [] groups = {"dev", "dev-hyd"};
for (String group: groups) {
String result =
adLdapUserManager.generateADGroupSearchFilter(group, 1L);
-
assertTrue(("(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=" +
group + ",DC=cloud,DC=citrix,DC=com))").equals(result));
+
assertTrue(("(&(&(objectCategory=person)(objectClass=user))(memberOf:1.2.840.113556.1.4.1941:=CN="
+ group + ",DC=cloud,DC=citrix,DC=com))").equals(result));
}
-
}
@Test
@@ -69,7 +68,7 @@ public class ADLdapUserManagerImplTest {
String [] groups = {"dev", "dev-hyd"};
for (String group: groups) {
String result =
adLdapUserManager.generateADGroupSearchFilter(group, 1L);
- assertTrue(("(&(objectClass=user)(memberOf=CN=" + group +
",DC=cloud,DC=citrix,DC=com))").equals(result));
+
assertTrue(("(&(&(objectCategory=person)(objectClass=user))(memberOf=CN=" +
group + ",DC=cloud,DC=citrix,DC=com))").equals(result));
}
}
