necouchman commented on a change in pull request #468: GUACAMOLE-938: Use same bind/connect process for all LDAP connections, including referrals.
URL: https://github.com/apache/guacamole-client/pull/468#discussion_r370986762
##########
File path:
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
##########
@@ -104,151 +117,254 @@ private LdapNetworkConnection createLDAPConnection()
throws GuacamoleException {
}
+ return new LdapNetworkConnection(config);
+
}
/**
- * Binds to the LDAP server using the provided user DN and password.
+ * Creates a new instance of LdapNetworkConnection, configured as required
+ * to use whichever encryption method, hostname, and port are requested
+ * within guacamole.properties. The returned LdapNetworkConnection is
+ * configured for use but is not yet connected nor bound to the LDAP
+ * server. It will not be bound until it a bind operation is explicitly
+ * requested, and will not connected until it is used in an LDAP operation
+ * (such as a bind).
*
- * @param userDN
- * The DN of the user to bind as, or null to bind anonymously.
+ * @return
+ * A new LdapNetworkConnection instance which has already been
+ * configured to use the encryption method, hostname, and port
+ * requested within guacamole.properties.
*
- * @param password
- * The password to use when binding as the specified user, or null to
- * attempt to bind without a password.
+ * @throws GuacamoleException
+ * If an error occurs while parsing guacamole.properties, or if the
+ * requested encryption method is actually not implemented (a bug).
+ */
+ private LdapNetworkConnection createLDAPConnection()
+ throws GuacamoleException {
+ return createLDAPConnection(
+ confService.getServerHostname(),
+ confService.getServerPort(),
+ confService.getEncryptionMethod());
+ }
+
+ /**
+ * Creates a new instance of LdapNetworkConnection, configured as required
+ * to use whichever encryption method, hostname, and port are specified
+ * within the given LDAP URL. The returned LdapNetworkConnection is
+ * configured for use but is not yet connected nor bound to the LDAP
+ * server. It will not be bound until it a bind operation is explicitly
+ * requested, and will not connected until it is used in an LDAP operation
+ * (such as a bind).
+ *
+ * @param url
+ * The LDAP URL containing the details which should be used to connect
+ * to the LDAP server.
*
* @return
- * A bound LDAP connection, or null if the connection could not be
- * bound.
+ * A new LdapNetworkConnection instance which has already been
+ * configured to use the encryption method, hostname, and port
+ * specified within the given LDAP URL.
*
* @throws GuacamoleException
- * If the configuration details relevant to binding to the LDAP server
- * cannot be read.
+ * If the given URL is not a valid LDAP URL, or if the encryption
+ * method indicated by the URL is known but not actually implemented (a
+ * bug).
*/
- public LdapNetworkConnection bindAs(Dn userDN, String password)
+ private LdapNetworkConnection createLDAPConnection(String url)
throws GuacamoleException {
- // Get ldapConnection and try to connect and bind.
- LdapNetworkConnection ldapConnection = createLDAPConnection();
+ // Parse provided LDAP URL
+ LdapUrl ldapUrl;
try {
+ ldapUrl = new LdapUrl(url);
+ }
+ catch (LdapException e) {
+ logger.debug("Cannot connect to LDAP URL \"{}\": URL is invalid.",
url, e);
+ throw new GuacamoleServerException("Invalid LDAP URL.", e);
+ }
+
+ // Retrieve hostname from URL, bailing out if no hostname is present
+ String host = ldapUrl.getHost();
+ if (host == null || host.isEmpty()) {
+ logger.debug("Cannot connect to LDAP URL \"{}\": no hostname is
present.", url);
+ throw new GuacamoleServerException("LDAP URL contains no
hostname.");
+ }
+
+ // Parse encryption method from URL scheme
+ EncryptionMethod encryptionMethod = EncryptionMethod.NONE;
+ if (LdapUrl.LDAPS_SCHEME.equals(ldapUrl.getScheme()))
+ encryptionMethod = EncryptionMethod.SSL;
- // Connect to LDAP server
- ldapConnection.connect();
+ // If no post is specified within the URL, use the default port
+ // dictated by the encryption method
+ int port = ldapUrl.getPort();
+ if (port < 1)
+ port = encryptionMethod.DEFAULT_PORT;
+
+ return createLDAPConnection(host, port, encryptionMethod);
- // Explicitly start TLS if requested
- if (confService.getEncryptionMethod() == EncryptionMethod.STARTTLS)
- ldapConnection.startTls();
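Review bot: In the new createLDAPConnection(String url) overload the encryption method is derived only from the URL scheme (EncryptionMethod.NONE unless the scheme is LDAPS), so the STARTTLS setting from guacamole.properties is never applied to a connection built from a referral URL; the removed bindAs() explicitly called `ldapConnection.startTls()` when STARTTLS was configured, and nothing in this overload reproduces that. The practical effect is a downgrade: an `ldap://` referral received over a STARTTLS-protected session is followed in cleartext, and any bind performed on that connection sends credentials unprotected. Suggest falling back to `confService.getEncryptionMethod()` when the scheme is plain `ldap://` (STARTTLS negotiates on the same port, so the URL-supplied host and port still apply), or at minimum refusing to build an unencrypted connection when the configured method is not NONE. Minor: the comment "If no post is specified within the URL" should read "port", and the Javadoc duplicated in both overloads says "until it a bind operation is explicitly requested, and will not connected" (drop "it", "will not be connected").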
Review comment:
Why are we not looking at the TLS encryption method, here? Since there's not really a way that I know of within the LDAP URL to specify that we want TLS encryption, and since we assume no encryption if not set to LDAPS, it seems like we'd want to allow the user to use the URL, but override the encryption with TLS? Or at least try?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services