[jira] [Commented] (GUACAMOLE-996) LDAP Auth returns all objects as groups even if they are users

Fri, 27 Mar 2020 06:38:00 -0700 


    [ 
https://issues.apache.org/jira/browse/GUACAMOLE-996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17068705#comment-17068705
 ] 

Nick Couchman commented on GUACAMOLE-996:
-----------------------------------------

Actually, looking at the code a little closer, it looks like maybe the original 
intention was that this would behave this way.  That said, I think it might be 
good to limit these, and provide a way to configure what object class and/or 
filter is used to find groups, similar to the ldap-user-search-filter option.  
Since the object class used for group varies implementation-to-implementation, 
I think that we'll want to make it configurable rather than hard-coding it.

> LDAP Auth returns all objects as groups even if they are users
> --------------------------------------------------------------
>
>                 Key: GUACAMOLE-996
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-996
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-ldap
>    Affects Versions: 1.1.0
>            Reporter: Peter Ruhrmann
>            Priority: Minor
>             Fix For: 1.2.0
>
>
> *Problem:*
> If you have an LDAP-Directory where Users and Groups are in the same subtree 
> and you don't use LDAP for Connection-Storage (guacConfigGroup) you get all 
> objects under the DN configured as ldap-group-base-dn returned as groups.
> *Example:*
> Our directory looks like this:
> DC=AD,DC=company,DC=de
>  * OU=faculty
>  ** Group1
>  ** Group2
>  ** Group3
>  ** ...
>  ** OU=students
>  *** Student0001
>  *** Student0002
>  *** Student0003
>  *** ...
>  *** Student1999
> As ldap-group-base-dn I have to configure OU=faculty,DC=AD,DC=company,dc=de
> But then I get in the Web-UI all Groups and all Students as Group-Objects 
> which makes no sense
> *Suggested fix*
> I have a fix for me but as I am not a programmer, I don't know how to 
> implement it the right way.
> I changed in UserGroupService.java line 92 from:
> {{return new PresenceNode("objectClass");}}
> to
> {{return new AndNode(new EqualityNode("objectClass","group"));}}
> and added
> {{import org.apache.directory.api.ldap.model.filter.AndNode;}}
> at line 34.
> Thanks for making this great project!
>  
> Peter
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to