Github user mike-jumper commented on a diff in the pull request:
https://github.com/apache/incubator-guacamole-client/pull/132#discussion_r108327237
--- Diff:
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java
---
@@ -270,7 +270,46 @@ public LDAPSearchConstraints
getLDAPSearchConstraints() throws GuacamoleExceptio
constraints.setDereference(getDereferenceAliases().DEREF_VALUE);
return constraints;
+ }
+
+ /**
+ * Returns the search filter that should be used when querying the
+ * LDAP server for Guacamole users. If no filter is specified,
+ * a default of objectClass=* is returned.
+ *
+ * @return
+ * The search filter that should be used when querying the
+ * LDAP server for users that are valid in Guacamole, or
+ * objectClass=* if not specified.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public String getUserSearchFilter() throws GuacamoleException {
+ return environment.getProperty(
+ LDAPGuacamoleProperties.LDAP_USER_SEARCH_FILTER,
+ "(objectClass=*)"
+ );
+ }
+ /**
+ * Returns the search filter that should be used when querying the
+ * LDAP server for Guacamole connections. If no filter is specified,
+ * the default of objectClass=guacConfigGroup is returned.
+ *
+ * @return
+ * The search filter that should be used when querying the
+ * LDAP server for connections for Guacamole, or
+ * objectClass=guacConfigGroup if no filter is specified.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed.
+ */
+ public String getConnectionSearchFilter() throws GuacamoleException {
+ return environment.getProperty(
+ LDAPGuacamoleProperties.LDAP_CONNECTION_SEARCH_FILTER,
+ "(objectClass=guacConfigGroup)"
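Review bot: The Javadoc on both new getters gives the defaults as objectClass=* and objectClass=guacConfigGroup, while the code returns the parenthesized forms "(objectClass=*)" and "(objectClass=guacConfigGroup)". Both methods hand back the value from guacamole.properties unchanged, so the comments should say that the property must hold a complete, parenthesized LDAP filter, or the getters should reject a value that is not one, since an administrator copying the documented form without parentheses would produce a malformed filter. There is also no blank line between the closing brace of getUserSearchFilter() and the Javadoc that opens getConnectionSearchFilter().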
--- End diff --
If we're going to allow connection filters to be defined,
`(objectClass=guacConfigGroup)` should probably be part of the filter in all cases.
Unlike the objects returned by the user search, the connection search really
must be strictly `guacConfigGroup` objects as defined by the schema
modifications included with the LDAP extension.
Since connections returned by the search using this filter will already be
limited by membership (users must be explicit members of the group to see the
connection), this probably simply isn't necessary and can be simply removed.
Given that the summary of
[GUACAMOLE-101](https://issues.apache.org/jira/browse/GUACAMOLE-101) is "Allow
arbitrary filtering of LDAP users", it is probably also out of scope.