Repository: incubator-guacamole-client
Updated Branches:
  refs/heads/master 1a621886c -> 340758664


GUACAMOLE-244: Support configuration of alias dereferencing


Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: 
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/907e0edf
Tree: 
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/907e0edf
Diff: 
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/907e0edf

Branch: refs/heads/master
Commit: 907e0edfcfa23eab3da12c7c3d8ff945b5470830
Parents: 1a62188
Author: Nick Couchman <[email protected]>
Authored: Sat Mar 18 12:08:38 2017 -0400
Committer: Nick Couchman <[email protected]>
Committed: Sat Mar 18 12:08:38 2017 -0400

----------------------------------------------------------------------
 .../auth/ldap/ConfigurationService.java         | 32 ++++++++++++++++++++
 .../auth/ldap/LDAPGuacamoleProperties.java      | 10 ++++++
 .../auth/ldap/connection/ConnectionService.java | 15 +++++++--
 .../guacamole/auth/ldap/user/UserService.java   |  7 ++++-
 4 files changed, 61 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/907e0edf/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
index a13eb97..f29d8f1 100644
--- 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
+++ 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
@@ -223,4 +223,36 @@ public class ConfigurationService {
         );
     }
 
+    /**
+     * Returns whether or not LDAP aliases will be dereferenced,
+     * as configured with guacamole.properties.
+     * By default they will never be dereferenced.
+     *
+     * @return
+     *     An integer representing the status of of alias
+     *     dereferencing, as configured in guacamole.properties.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public int getDereferenceAliases() throws GuacamoleException {
+        String derefAliases = environment.getProperty(
+            LDAPGuacamoleProperties.LDAP_DEREFERENCE_ALIASES,
+            "never"
+        );
+
+        if (derefAliases == "always")
+            return 3;
+
+        else if (derefAliases == "finding")
+            return 2;
+
+        else if (derefAliases == "searching")
+            return 1;
+
+        else
+            return 0;
+
+    }
+
 }
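Review bot: The comparisons in getDereferenceAliases() use `==` on strings, which tests reference identity in Java, so a value loaded from guacamole.properties is unlikely ever to match and the method would fall through to `return 0` whatever the administrator configured. Use value equality, e.g. `if ("always".equals(derefAliases))`, and likewise for "finding" and "searching". The bare return values 3/2/1/0 would read better as the `LDAPSearchConstraints.DEREF_ALWAYS`, `DEREF_FINDING`, `DEREF_SEARCHING` and `DEREF_NEVER` constants. An unrecognised value should probably be rejected or logged rather than silently mapped to never, since a typo in this property changes which entries the authentication searches resolve.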

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/907e0edf/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
index bc684e3..8e7d574 100644
--- 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
+++ 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
@@ -153,4 +153,14 @@ public class LDAPGuacamoleProperties {
 
     };
 
+    /**
+     * The behavior of alias dereferncing for the LDAP connections.
+     */
+    public static final StringGuacamoleProperty LDAP_DEREFERENCE_ALIASES = new 
StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "ldap-dereference-aliases"; }
+
+    };
+
 }
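Review bot: The Javadoc on LDAP_DEREFERENCE_ALIASES does not say which values the property accepts or what the default is, and "dereferncing" is misspelled. Going by the parsing in ConfigurationService, a fuller comment would be `The behavior of alias dereferencing for LDAP searches: "never" (the default), "searching", "finding" or "always".`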

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/907e0edf/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
index b13207a..0ec5ebe 100644
--- 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
+++ 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
@@ -24,6 +24,7 @@ import com.novell.ldap.LDAPAttribute;
 import com.novell.ldap.LDAPConnection;
 import com.novell.ldap.LDAPEntry;
 import com.novell.ldap.LDAPException;
+import com.novell.ldap.LDAPSearchConstraints;
 import com.novell.ldap.LDAPSearchResults;
 import java.util.Collections;
 import java.util.Enumeration;
@@ -108,6 +109,10 @@ public class ConnectionService {
             // current user
             String connectionSearchFilter = getConnectionSearchFilter(userDN, 
ldapConnection);
 
+            // Set Search Constraints
+            LDAPSearchConstraints constraints = new LDAPSearchConstraints();
+            constraints.setDereference(confService.getDereferenceAliases());
+
             // Find all Guacamole connections for the given user by
             // looking for direct membership in the guacConfigGroup
             // and possibly any groups the user is a member of that are
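Review bot: The new `constraints` object here carries only the dereference setting, while the user-listing search in UserService also calls `constraints.setMaxResults(confService.getMaxResults())`; the same bare construction is repeated in the group search later in this file and in the username search in UserService. If an explicitly passed constraints object replaces the connection's defaults for that search (worth confirming against the JLDAP documentation), the configured result limit is not applied to these three searches. Consider adding `constraints.setMaxResults(confService.getMaxResults());` at each site, or building the object in one shared helper so the four call sites cannot drift apart. The enclosing method starts and ends outside this hunk.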
@@ -117,7 +122,8 @@ public class ConnectionService {
                 LDAPConnection.SCOPE_SUB,
                 connectionSearchFilter,
                 null,
-                false
+                false,
+                constraints
             );
 
             // Build token filter containing credential tokens
@@ -234,13 +240,18 @@ public class ConnectionService {
         String groupBaseDN = confService.getGroupBaseDN();
         if (groupBaseDN != null) {
 
+            // Set up LDAP constraints
+            LDAPSearchConstraints constraints = new LDAPSearchConstraints();
+            constraints.setDereference(confService.getDereferenceAliases());
+
             // Get all groups the user is a member of starting at the 
groupBaseDN, excluding guacConfigGroups
             LDAPSearchResults userRoleGroupResults = ldapConnection.search(
                 groupBaseDN,
                 LDAPConnection.SCOPE_SUB,
                 "(&(!(objectClass=guacConfigGroup))(member=" + 
escapingService.escapeLDAPSearchFilter(userDN) + "))",
                 null,
-                false
+                false,
+                constraints
             );
 
             // Append the additional user groups to the LDAP filter

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/907e0edf/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
index cae1599..c4f6ce0 100644
--- 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
+++ 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
@@ -88,6 +88,7 @@ public class UserService {
             // Set search limits
             LDAPSearchConstraints constraints = new LDAPSearchConstraints();
             constraints.setMaxResults(confService.getMaxResults());
+            constraints.setDereference(confService.getDereferenceAliases());
 
             // Find all Guacamole users underneath base DN
             LDAPSearchResults results = ldapConnection.search(
@@ -247,6 +248,9 @@ public class UserService {
 
             List<String> userDNs = new ArrayList<String>();
 
+            LDAPSearchConstraints constraints = new LDAPSearchConstraints();
+            constraints.setDereference(confService.getDereferenceAliases());
+
             // Find all Guacamole users underneath base DN and matching the
             // specified username
             LDAPSearchResults results = ldapConnection.search(
@@ -254,7 +258,8 @@ public class UserService {
                 LDAPConnection.SCOPE_SUB,
                 generateLDAPQuery(username),
                 null,
-                false
+                false,
+                constraints
             );
 
             // Add all DNs for found users
