Repository: incubator-guacamole-client
Updated Branches:
  refs/heads/master 3188adb89 -> 0317fc002


GUACAMOLE-101: Implement properties for controller user and connection search 
filters.


Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: 
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/2aec452a
Tree: 
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/2aec452a
Diff: 
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/2aec452a

Branch: refs/heads/master
Commit: 2aec452aa5d2430295039cb0e087957b5396c9aa
Parents: 8a0a6e3
Author: Nick Couchman <[email protected]>
Authored: Mon Mar 20 22:15:14 2017 -0400
Committer: Nick Couchman <[email protected]>
Committed: Tue Mar 28 07:56:28 2017 -0400

----------------------------------------------------------------------
 .../auth/ldap/ConfigurationService.java         | 39 ++++++++++++++++++++
 .../auth/ldap/LDAPGuacamoleProperties.java      | 20 ++++++++++
 .../auth/ldap/connection/ConnectionService.java |  6 ++-
 .../guacamole/auth/ldap/user/UserService.java   | 13 ++++++-
 4 files changed, 74 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/2aec452a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
index f0988a7..19df483 100644
--- 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
+++ 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
@@ -270,7 +270,46 @@ public class ConfigurationService {
         constraints.setDereference(getDereferenceAliases().DEREF_VALUE);
 
         return constraints;
+    }
+
+    /**
+     * Returns the search filter that should be used when querying the
+     * LDAP server for Guacamole users.  If no filter is specified,
+     * a default of objectClass=* is returned.
+     *
+     * @return
+     *     The search filter that should be used when querying the
+     *     LDAP server for users that are valid in Guacamole, or
+     *     objectClass=* if not specified.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public String getUserSearchFilter() throws GuacamoleException {
+        return environment.getProperty(
+            LDAPGuacamoleProperties.LDAP_USER_SEARCH_FILTER,
+            "(objectClass=*)"
+        );
+    }
 
+    /**
+     * Returns the search filter that should be used when querying the 
+     * LDAP server for Guacamole connections.  If no filter is specified,
+     * null is returned.
+     * 
+     * @return
+     *     The search filter that should be used when querying the 
+     *     LDAP server for connections for Guacamole, or 
+     *     null if no filter is specified. 
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public String getConnectionSearchFilter() throws GuacamoleException {
+        return environment.getProperty(
+            LDAPGuacamoleProperties.LDAP_CONNECTION_SEARCH_FILTER,
+            "(objectClass=guacConfigGroup)"
+        );
     }
 
 }
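Review bot: The Javadoc on `getConnectionSearchFilter()` says null is returned when no filter is configured, but the method passes `"(objectClass=guacConfigGroup)"` as the default to `environment.getProperty`, so callers should receive that default rather than null. The summary should read `If no filter is specified, a default of (objectClass=guacConfigGroup) is returned.` with the `@return` text changed to match. The `getUserSearchFilter()` Javadoc gives its default as `objectClass=*` while the code returns `(objectClass=*)`. Writing it with the parentheses makes clear that the property expects a complete parenthesised filter.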

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/2aec452a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
index 266af8e..691a6fc 100644
--- 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
+++ 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPGuacamoleProperties.java
@@ -164,4 +164,24 @@ public class LDAPGuacamoleProperties {
 
     };
 
+    /**
+     * A search filter to apply to the user LDAP query.
+     */
+    public static final StringGuacamoleProperty LDAP_USER_SEARCH_FILTER = new 
StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "ldap-user-search-filter"; }
+
+    };
+
+    /**
+     * A search filter to apply to the connection LDAP query.
+     */
+    public static final StringGuacamoleProperty LDAP_CONNECTION_SEARCH_FILTER 
= new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "ldap-connection-search-filter"; }
+
+    };
+
 }

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/2aec452a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
index d256ebb..04e57f0 100644
--- 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
+++ 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
@@ -227,7 +227,9 @@ public class ConnectionService {
         StringBuilder connectionSearchFilter = new StringBuilder();
 
         // Add the prefix to the search filter, prefix filter searches for 
guacConfigGroups with the userDN as the member attribute value
-        
connectionSearchFilter.append("(&(objectClass=guacConfigGroup)(|(member=");
+        connectionSearchFilter.append("(&");
+        connectionSearchFilter.append(confService.getConnectionSearchFilter());
+        connectionSearchFilter.append("(|(member=");
         
connectionSearchFilter.append(escapingService.escapeLDAPSearchFilter(userDN));
         connectionSearchFilter.append(")");
 
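Review bot: `confService.getConnectionSearchFilter()` is appended to the filter verbatim, so the configured value must be exactly one complete, parenthesised LDAP filter, and nothing in this commit checks that. A value written without parentheses produces a malformed filter that only fails when the search runs, and unbalanced or extra parentheses change how the `member=` clause that follows is grouped. The same applies to the negated use in the next hunk and to `getUserSearchFilter()` in both UserService hunks, where the filter restricts which directory entries are returned as users. Validating the value once in ConfigurationService (leading `(`, trailing `)`, balanced parentheses) and throwing a `GuacamoleServerException` on failure would surface a misconfiguration when the property is read. The enclosing method starts and ends outside the hunk.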
@@ -239,7 +241,7 @@ public class ConnectionService {
             LDAPSearchResults userRoleGroupResults = ldapConnection.search(
                 groupBaseDN,
                 LDAPConnection.SCOPE_SUB,
-                "(&(!(objectClass=guacConfigGroup))(member=" + 
escapingService.escapeLDAPSearchFilter(userDN) + "))",
+                "(&(!" + confService.getConnectionSearchFilter() + ")(member=" 
+ escapingService.escapeLDAPSearchFilter(userDN) + "))",
                 null,
                 false,
                 confService.getLDAPSearchConstraints()
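Review bot: Negating the configurable filter in this search changes what counts as a role group once an operator sets `ldap-connection-search-filter` to anything narrower than the default. Every entry under `groupBaseDN` that fails the filter and lists the user as `member` is then treated as a role group, including guacConfigGroup entries the operator meant to exclude. Those DNs presumably feed the `member=` alternatives of the connection filter built in the previous hunk, which could return connections the narrower filter was meant to withhold. Consider keeping this search on the fixed class test, `"(&(!(objectClass=guacConfigGroup))(member=" + escapingService.escapeLDAPSearchFilter(userDN) + "))"`, and applying the configurable filter only to the connection query. The enclosing method starts and ends outside the hunk.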

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/2aec452a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
index f7c5716..f58b410 100644
--- 
a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
+++ 
b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
@@ -85,11 +85,18 @@ public class UserService {
 
         try {
 
+            StringBuilder userSearchFilter = new StringBuilder();
+            userSearchFilter.append("(&");
+            userSearchFilter.append(confService.getUserSearchFilter());
+            userSearchFilter.append("(" + 
escapeService.escapeLDAPSearchFilter(usernameAttribute) + "=*)");
+            userSearchFilter.append(")");
+         
+
             // Find all Guacamole users underneath base DN
             LDAPSearchResults results = ldapConnection.search(
                 confService.getUserBaseDN(),
                 LDAPConnection.SCOPE_SUB,
-                "(&(objectClass=*)(" + 
escapingService.escapeLDAPSearchFilter(usernameAttribute) + "=*))",
+                userSearchFilter.toString(),
                 null,
                 false,
                 confService.getLDAPSearchConstraints()
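Review bot: The added `userSearchFilter.append("(" + ...` line calls `escapeService`, while the line this hunk removes and ConnectionService both use `escapingService`. Unless a field named `escapeService` is declared outside the hunk, this will not compile. The line should read `userSearchFilter.append("(" + escapingService.escapeLDAPSearchFilter(usernameAttribute) + "=*)");`. The two whitespace-only added lines after `userSearchFilter.append(")");` can be reduced to a single empty line. The enclosing method starts and ends outside the hunk.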
@@ -189,7 +196,9 @@ public class UserService {
 
         // Build LDAP query for users having at least one username attribute
         // with the specified username as its value
-        StringBuilder ldapQuery = new StringBuilder("(&(objectClass=*)");
+        StringBuilder ldapQuery = new StringBuilder();
+        ldapQuery.append("(&");
+        ldapQuery.append(confService.getUserSearchFilter());
 
         // Include all attributes within OR clause if there are more than one
         if (usernameAttributes.size() > 1)
