stcbus commented on code in PR #1091:
URL: https://github.com/apache/guacamole-client/pull/1091#discussion_r2395301724


##########
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java:
##########
@@ -227,14 +229,36 @@ public List<Entry> 
getParentUserGroupEntries(ConnectedLDAPConfiguration config,
         groupAttributes.add(memberAttribute);
 
         // Get all groups the user is a member of starting at the groupBaseDN,
-        // excluding guacConfigGroups
+        // excluding guacConfigGroups and evaluating nested groups 
+        // (if enabled).
+
+        ExprNode groupFilter = config.getGroupSearchFilter();
+        String filterValue = userIDorDN;
+
+        if (config.getNestedGroups()) {
+
+            // Add support for nested groups using LDAP_MATCHING_RULE_IN_CHAIN
+            // (memberOf:1.2.840.113556.1.4.1941:=<UserDN>)
+            // Matching rule OID for LDAP_MATCHING_RULE_IN_CHAIN
+            // ** This possibly only supports Active Directory **
+            ExtensibleNode node = new ExtensibleNode("member");
+            filterValue = null;
+
+            // Explicitly set the matching rule ID and dnAttributes
+            node.setMatchingRuleId("1.2.840.113556.1.4.1941");
+            node.setDnAttributes(false);
+            node.setValue(new Value(userIDorDN));
+            groupFilter = new AndNode(
+                    groupFilter, node
+            );
+        }
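Review bot: The chain filter hardcodes the attribute name in `new ExtensibleNode("member")`, while the surrounding code works with the configurable `memberAttribute` (added to `groupAttributes` at the top of this hunk); if a deployment's member attribute is not literally `member`, the nested lookup and the direct lookup will query different attributes. Consider `new ExtensibleNode(memberAttribute)` instead, and move the literal `"1.2.840.113556.1.4.1941"` into a named constant rather than repeating it in a comment and a string. The comment above the node describes the filter as `memberOf:1.2.840.113556.1.4.1941:=<UserDN>`, but the node is built on the group-side member attribute, so the comment and code should agree. Given the note that this matching rule is possibly Active Directory only, it would also help to document what operators should expect when nested groups are enabled against a directory that does not implement the rule. Minor: trailing whitespace on the `// excluding guacConfigGroups and evaluating nested groups ` line.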

Review Comment:
@necouchman I believe in my testing the group filter applied with the `filterValue` as `userIDorDN` did not work. It seemed like one or the other, and I was trying to avoid duplicate code calling the function twice.

Looks like from the doc, it probably was so the groups could be found outside of where the user's account object was located:

> The value that should be searched for within the attributes of objects within the LDAP directory. **If null, the search will test only for the presence of at least one of the given attributes on each object, regardless of the value of those attributes.**

I am not aware of any constant for that value, but I agree it makes sense to add it to a variable.


