Github user mike-jumper commented on a diff in the pull request:
https://github.com/apache/incubator-guacamole-client/pull/202#discussion_r146647996
--- Diff:
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
---
@@ -111,6 +113,29 @@ public LDAPConnection bindAs(String userDN, String
password)
// Obtain appropriately-configured LDAPConnection instance
LDAPConnection ldapConnection = createLDAPConnection();
+ // Configure LDAP connection constraints
+ LDAPConstraints ldapConstraints = ldapConnection.getConstraints();
+ if (ldapConstraints == null)
+ ldapConstraints = new LDAPConstraints();
+
+ // Set whether or not we follow referrals
+
ldapConstraints.setReferralFollowing(confService.getFollowReferrals());
+
+ // If the referral auth method is set to bind, we set it using the
existing
+ // username and password.
+ String refAuthMethod = confService.getReferralAuthentication();
+ if (refAuthMethod != null && refAuthMethod.equals("bind"))
+ ldapConstraints.setReferralHandler(new
ReferralAuthHandler(userDN, password));
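Review bot: The visible part of the hunk never applies the modified constraints back to the connection. `ldapConnection.getConstraints()` returns the connection's current constraints object, and when it is null a fresh `new LDAPConstraints()` is created, so unless a later line (not shown here) calls `ldapConnection.setConstraints(ldapConstraints)`, the `setReferralFollowing(...)` and `setReferralHandler(...)` calls have no effect on the bind. Two smaller points on the same lines: `refAuthMethod.equals("bind")` is case-sensitive, so `Bind` in the config silently falls through to the default referral behaviour; `equalsIgnoreCase("bind")` or a parsed enum in `confService` would be more robust. And since `new ReferralAuthHandler(userDN, password)` forwards the authenticating user's own credentials to whichever server a referral names, the property documentation should say that referral following with `bind` sends those credentials to the referred-to server, so operators only enable it for directories they control.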
--- End diff --
Well, to clarify a bit, there are two types of searches which may occur in
the LDAP auth:
* The search performed to resolve the user's DN. This is the only case
where the search DN and password are used.
* The search to retrieve the users and/or connections defined within LDAP
and accessible to the user that authenticated. These searches naturally
**must** use the user's own DN and password, since part of the point of the
LDAP auth is to allow the LDAP directory's own access control to take effect.
If users or connections cannot be retrieved via LDAP because the
authenticated user cannot access them, then they shouldn't have access,
referral or not.
---