[ https://issues.apache.org/jira/browse/GUACAMOLE-996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17074168#comment-17074168 ]

Mike Jumper commented on GUACAMOLE-996:
---------------------------------------

{quote}
Whether or not ldap-group-search-filter is implemented, it's not right to retrieve 
everything (containing objectClass) from LDAP. ldap-group-search-filter should 
be complementary (or a substitute, if declared) to ldap-member-attribute.
{quote}

The expectation for users and groups is that they will be separated in distinct 
subtrees of the directory, and that the base DN of each will therefore separate 
objects into users and groups.

In the case of a directory where users and groups are mingled, a filter would 
be needed to separate these, and that filter would be specific to the directory 
in question. Defaulting things to a filter involving the member attribute would 
not be correct, as it would exclude empty groups.

{quote}
... because if not, that attribute should be removed from configuration.
{quote}

Why should any attribute be removed from the configuration?

> Provide configuration for filtering LDAP groups
> -----------------------------------------------
>
>                 Key: GUACAMOLE-996
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-996
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Peter Ruhrmann
>            Priority: Minor
>         Attachments: UserGroupService_donotretrieveall.patch
>
>
> *Problem:*
> If you have an LDAP directory where users and groups are in the same subtree 
> and you don't use LDAP for connection storage (guacConfigGroup), you get all 
> objects under the DN configured as ldap-group-base-dn returned as groups.
> *Example:*
> Our directory looks like this:
> DC=AD,DC=company,DC=de
>  * OU=faculty
>  ** Group1
>  ** Group2
>  ** Group3
>  ** ...
>  ** OU=students
>  *** Student0001
>  *** Student0002
>  *** Student0003
>  *** ...
>  *** Student1999
> As ldap-group-base-dn I have to configure OU=faculty,DC=AD,DC=company,dc=de.
> But then in the web UI I get all groups and all students as group objects, 
> which makes no sense.
> *Suggested fix:*
> I have a fix for me but as I am not a programmer, I don't know how to 
> implement it the right way.
> In UserGroupService.java, line 92, I changed:
> {{return new PresenceNode("objectClass");}}
> to
> {{return new AndNode(new EqualityNode("objectClass","group"));}}
> and added
> {{import org.apache.directory.api.ldap.model.filter.AndNode;}}
> at line 34.
> Thanks for making this great project!
>  
> Peter

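The two positions in this thread, Peter's change from a presence filter on objectClass to an equality filter on objectClass=group, and Mike's point that a default built on the member attribute would silently drop empty groups, can be checked side by side with a small filter evaluator. What follows is an added Python example, not code from guacamole-auth-ldap or from either commenter. The directory entries are constructed after the tree in Peter's description (three groups, one of them deliberately empty, and a few student accounts under OU=students), and the evaluator covers only the presence, equality, AND, OR and NOT forms of RFC 4515, without substring, ordering or escape handling.

```python
"""Evaluate a subset of RFC 4515 LDAP search filters against a small in-memory
directory. The directory is constructed sample data modelled on the tree in
GUACAMOLE-996 (groups and student accounts sharing the OU=faculty subtree);
it is not a real directory and the entries are not taken from the issue."""

BASE_DN = "OU=faculty,DC=AD,DC=company,DC=de"
STUDENTS_OU = "OU=students," + BASE_DN


def _student(n):
    return {"dn": f"CN=Student{n:04d},{STUDENTS_OU}",
            "objectClass": ["top", "person", "user"],
            "cn": [f"Student{n:04d}"]}


# Constructed sample directory. Group3 is intentionally empty (no member values).
DIRECTORY = [
    {"dn": f"CN=Group1,{BASE_DN}", "objectClass": ["top", "group"],
     "member": [f"CN=Student0001,{STUDENTS_OU}", f"CN=Student0002,{STUDENTS_OU}"]},
    {"dn": f"CN=Group2,{BASE_DN}", "objectClass": ["top", "group"],
     "member": [f"CN=Student0003,{STUDENTS_OU}"]},
    {"dn": f"CN=Group3,{BASE_DN}", "objectClass": ["top", "group"]},
    {"dn": STUDENTS_OU, "objectClass": ["top", "organizationalUnit"]},
    _student(1), _student(2), _student(3),
]


def parse_filter(text):
    """Parse an RFC 4515 filter into a nested tuple tree.

    Supported: (attr=*) presence, (attr=value) equality, (&...), (|...), (!...).
    Not supported: substrings, >=, <=, ~=, extensible matches, \\xx escapes.
    """
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters at {pos}: {text[pos:]!r}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|":                         # n-ary AND / OR
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or i >= len(s) or s[i] != ")":
            raise ValueError(f"malformed '{op}' filter at {i}")
        return (op, children), i + 1
    if op == "!":                          # unary NOT
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"malformed '!' filter at {i}")
        return ("!", [child]), i + 1
    end = s.find(")", i)                   # simple item: attr=value or attr=*
    if end == -1:
        raise ValueError(f"unterminated simple filter at {i}")
    attr, eq, value = s[i:end].partition("=")
    if not attr or not eq:
        raise ValueError(f"malformed simple filter at {i}")
    return ("=", (attr, value)), end + 1


def _values(entry, attr):
    """Attribute values, matching the attribute name case-insensitively."""
    for name, values in entry.items():
        if name != "dn" and name.lower() == attr.lower():
            return values
    return []


def matches(node, entry):
    kind, payload = node
    if kind == "&":
        return all(matches(c, entry) for c in payload)
    if kind == "|":
        return any(matches(c, entry) for c in payload)
    if kind == "!":
        return not matches(payload[0], entry)
    attr, value = payload
    values = _values(entry, attr)
    if value == "*":                       # presence: the attribute has any value
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # caseIgnoreMatch


def search(base_dn, filter_text, directory=DIRECTORY):
    """Subtree search: DNs at or below base_dn whose entry matches the filter."""
    node = parse_filter(filter_text)
    base = base_dn.lower()
    return [e["dn"] for e in directory
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and matches(node, e)]


def compare_group_filters(base_dn=BASE_DN):
    """Run the candidate group filters discussed in the issue against the base DN."""
    return {
        # equivalent of PresenceNode("objectClass"): every entry has an objectClass
        "(objectClass=*)": search(base_dn, "(objectClass=*)"),
        # equivalent of EqualityNode("objectClass", "group"): groups only
        "(objectClass=group)": search(base_dn, "(objectClass=group)"),
        # a member-attribute default: the empty Group3 disappears
        "(member=*)": search(base_dn, "(member=*)"),
    }


if __name__ == "__main__":
    for flt, dns in compare_group_filters().items():
        print(f"{flt}: {len(dns)} entries")
        for dn in dns:
            print("   ", dn)
```

Running it shows the three outcomes the thread argues about: the presence filter returns the groups, the OU=students container and every student as "groups"; the objectClass=group filter returns exactly the three groups, including the empty one; the member=* filter returns two. A directory-specific ldap-group-search-filter, as Mike describes, would be ANDed with the objectClass term in the same way, for example `(&(objectClass=group)(...))`.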


--
This message was sent by Atlassian Jira
(v8.3.4#803005)