Github user necouchman commented on a diff in the pull request:
https://github.com/apache/incubator-guacamole-client/pull/202#discussion_r146417245
--- Diff:
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
---
@@ -111,6 +113,29 @@ public LDAPConnection bindAs(String userDN, String
password)
// Obtain appropriately-configured LDAPConnection instance
LDAPConnection ldapConnection = createLDAPConnection();
+ // Configure LDAP connection constraints
+ LDAPConstraints ldapConstraints = ldapConnection.getConstraints();
+ if (ldapConstraints == null)
+ ldapConstraints = new LDAPConstraints();
+
+ // Set whether or not we follow referrals
+
ldapConstraints.setReferralFollowing(confService.getFollowReferrals());
+
+ // If the referral auth method is set to bind, we set it using the
existing
+ // username and password.
+ String refAuthMethod = confService.getReferralAuthentication();
+ if (refAuthMethod != null && refAuthMethod.equals("bind"))
+ ldapConstraints.setReferralHandler(new
ReferralAuthHandler(userDN, password));
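Review bot: the LDAPConstraints object built here is never attached to the connection within this hunk. When `ldapConnection.getConstraints()` returns null, `new LDAPConstraints()` is a detached object, and whether the non-null branch hands back the connection's live constraints or a copy is not visible in these lines; in either case `setReferralFollowing` and `setReferralHandler` only take effect if `ldapConnection.setConstraints(ldapConstraints)` is called afterwards, so either add that call at the end of this block or extend the hunk so the reviewer can see where it happens. Two smaller points: `refAuthMethod.equals("bind")` is case-sensitive, so a guacamole.properties value such as `Bind` silently falls through without a handler, and when `confService.getFollowReferrals()` is true but the method is not `bind`, no referral handler is set at all and the referral is chased with whatever credentials the library uses by default; consider `"bind".equalsIgnoreCase(refAuthMethod)` (which also drops the null check) and a comment stating what the non-bind path is expected to do.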
--- End diff --
I believe it's the difference between using the credentials that the user
logged in with vs. using the credentials specified in the guacamole.properties
file, if any. So, in some cases it'll be the difference between an anonymous
bind and an authenticated bind; in other cases it'll be the difference between
binding with the configured search user vs. the logged-in user.
There are cases where the user who logged in may not have access to the
entire tree, or even the base of the tree, so you'd want the search and referral
following to happen under that user account instead of the logged-in account.
At least, that's the theory, I think... Whether or not I've actually
implemented it that way, I probably should go back and take another look and
make sure.
---
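The three referral-credential cases described in the comment above (anonymous, the configured search user, or the user who logged in), as an added example that is not part of the pull request or of the Guacamole code base. It uses the JLDAP classes the diff already refers to (`com.novell.ldap.LDAPConnection`, `LDAPConstraints`) plus JLDAP's `LDAPAuthHandler`/`LDAPAuthProvider` referral-handler API; the `ReferralCredentialMode` enum, the `FixedCredentialsHandler` class and the host names, DNs and passwords are assumptions made for this illustration, not Guacamole configuration.

```java
import com.novell.ldap.LDAPAuthHandler;
import com.novell.ldap.LDAPAuthProvider;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPConstraints;
import com.novell.ldap.LDAPException;

import java.nio.charset.StandardCharsets;

/**
 * Added example (not Guacamole code): selects which credentials a JLDAP
 * connection presents when it follows a referral to another server.
 */
public class ReferralBindExample {

    /** Assumed configuration knob; Guacamole's real property is a plain string. */
    enum ReferralCredentialMode { ANONYMOUS, SEARCH_USER, LOGGED_IN_USER }

    /**
     * Referral handler that presents one fixed DN/password to every referred
     * server. JLDAP calls getAuthProvider() when it opens the referral target.
     */
    static final class FixedCredentialsHandler implements LDAPAuthHandler {
        private final String dn;
        private final byte[] password;

        FixedCredentialsHandler(String dn, String password) {
            this.dn = dn;
            this.password = password.getBytes(StandardCharsets.UTF_8);
        }

        @Override
        public LDAPAuthProvider getAuthProvider(String host, int port) {
            // Same credentials regardless of which host the referral names
            return new LDAPAuthProvider(dn, password);
        }
    }

    /**
     * Builds the constraints for the chosen mode and attaches them to the
     * connection. A null searchDn means "no search user configured", which the
     * comment above describes as the anonymous-bind case, so it degrades to
     * following referrals without a handler instead of binding as null.
     */
    static LDAPConstraints configureReferrals(LDAPConnection conn, boolean follow,
            ReferralCredentialMode mode, String searchDn, String searchPassword,
            String userDn, String userPassword) {

        LDAPConstraints constraints = conn.getConstraints();
        if (constraints == null)
            constraints = new LDAPConstraints();

        constraints.setReferralFollowing(follow);

        if (mode == ReferralCredentialMode.SEARCH_USER && searchDn != null)
            constraints.setReferralHandler(new FixedCredentialsHandler(searchDn, searchPassword));
        else if (mode == ReferralCredentialMode.LOGGED_IN_USER)
            constraints.setReferralHandler(new FixedCredentialsHandler(userDn, userPassword));
        else
            // No handler: the referral is followed without presenting credentials
            constraints.setReferralHandler(null);

        // A constraints object obtained or created here is only honoured once it
        // is set back on the connection
        conn.setConstraints(constraints);
        return constraints;
    }

    public static void main(String[] args) throws LDAPException {
        // Placeholder directory and credentials (assumed values, replace to run)
        String userDn = "uid=alice,ou=people,dc=example,dc=com";
        String userPassword = "alice-password";
        String searchDn = "cn=guacamole-search,dc=example,dc=com";
        String searchPassword = "search-password";

        LDAPConnection conn = new LDAPConnection();
        conn.connect("ldap.example.com", LDAPConnection.DEFAULT_PORT);

        // The session itself is bound as the user who logged in ...
        conn.bind(LDAPConnection.LDAP_V3, userDn,
                userPassword.getBytes(StandardCharsets.UTF_8));

        // ... but referrals are chased as the configured search user, which is the
        // case the comment describes when the logged-in user cannot see the whole tree
        configureReferrals(conn, true, ReferralCredentialMode.SEARCH_USER,
                searchDn, searchPassword, userDn, userPassword);

        conn.disconnect();
    }
}
```

The point of keeping the handler separate from the session bind is that the two identities can differ: the connection stays bound as the logged-in user for anything the server answers directly, while `FixedCredentialsHandler` decides who is presented to a referred server. Passing `LOGGED_IN_USER` instead reproduces the `ReferralAuthHandler(userDN, password)` behaviour in the diff above.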