[ 
https://issues.apache.org/jira/browse/GUACAMOLE-996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17074385#comment-17074385
 ] 

Peter Ruhrmann commented on GUACAMOLE-996:
------------------------------------------

[~vnick]: Feel free to submit a pull request with a solution. I think you need 
to add a getGroupSearchFilter() to ConfigurationService.java and a 
LdapFilterGuacamoleProperty LDAP_GROUP_SEARCH_FILTER to 
LDAPGuacamoleProperties.java.

The hard-coded lines of my suggested fix in UserGroupService.java line 92 would 
change to something like

{{if (confService.getGroupSearchFilter() != null)}}
 {{    return new AndNode(new EqualityNode("objectClass", confService.getGroupSearchFilter()));}}

This is all untested and just what I think from having a quick look at the 
code. I am not a programmer but I think something like this would be a solution.

Regarding the default behaviour: Mike is right. Most directories separate 
users from groups, so the default should be no filtering. But if you have that 
problem with the weird directory structure I have, filtering would take place 
if the LDAP_GROUP_SEARCH_FILTER attribute is defined.

 

> Provide configuration for filtering LDAP groups
> -----------------------------------------------
>
>                 Key: GUACAMOLE-996
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-996
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Peter Ruhrmann
>            Priority: Minor
>         Attachments: UserGroupService_donotretrieveall.patch
>
>
> *Problem:*
> If you have an LDAP-Directory where Users and Groups are in the same subtree 
> and you don't use LDAP for Connection-Storage (guacConfigGroup) you get all 
> objects under the DN configured as ldap-group-base-dn returned as groups.
> *Example:*
> Our directory looks like this:
> DC=AD,DC=company,DC=de
>  * OU=faculty
>  ** Group1
>  ** Group2
>  ** Group3
>  ** ...
>  ** OU=students
>  *** Student0001
>  *** Student0002
>  *** Student0003
>  *** ...
>  *** Student1999
> As ldap-group-base-dn I have to configure OU=faculty,DC=AD,DC=company,dc=de
> But then I get in the Web-UI all Groups and all Students as Group-Objects, 
> which makes no sense.
> *Suggested fix*
> I have a fix for me but as I am not a programmer, I don't know how to 
> implement it the right way.
> I changed in UserGroupService.java line 92 from:
> {{return new PresenceNode("objectClass");}}
> to
> {{return new AndNode(new EqualityNode("objectClass","group"));}}
> and added
> {{import org.apache.directory.api.ldap.model.filter.AndNode;}}
> at line 34.
> Thanks for making this great project!
>  
> Peter
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
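
The effect of the proposed setting on the directory layout from the issue, as an added Python sketch that is not Guacamole code and not part of the original message: it evaluates the default presence filter and a configured group filter against constructed entries. The function names, the small filter evaluator and the entries' objectClass values are assumptions made for illustration.

```python
# Added illustration, not Guacamole code; entries and function names are constructed.
BASE = "OU=faculty,DC=AD,DC=company,DC=de"
ENTRIES = [  # (dn, attributes) pairs mirroring the layout in the issue
    ("CN=Group1," + BASE, {"objectClass": ["top", "group"]}),
    ("CN=Group2," + BASE, {"objectClass": ["top", "group"]}),
    ("OU=students," + BASE, {"objectClass": ["top", "organizationalUnit"]}),
    ("CN=Student0001,OU=students," + BASE, {"objectClass": ["top", "person", "user"]}),
    ("CN=Student0002,OU=students," + BASE, {"objectClass": ["top", "person", "user"]}),
]

def group_search_filter(configured=None):
    """Hypothetical stand-in: no setting keeps the match-everything presence filter."""
    return configured or "(objectClass=*)"

def parse(f, i=0):
    """Parse one parenthesised LDAP filter at f[i]; return (node, next index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, i, kids = f[i], i + 1, []
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids:
            raise ValueError(f"malformed {op!r} filter at offset {i}")
        return (op, kids), i + 1
    end = f.find(")", i)
    attr, eq, value = f[i:end].partition("=")
    if end < 0 or not eq or not attr:
        raise ValueError(f"malformed comparison at offset {i}")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    have = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]
    return bool(have) if value == "*" else value in have

def search_groups(configured=None):
    """Return the RDNs that the group search would present as groups."""
    node, end = parse(group_search_filter(configured))
    if end != len(group_search_filter(configured)):
        raise ValueError("trailing characters after filter")
    return [dn.split(",")[0] for dn, attrs in ENTRIES if matches(node, attrs)]
```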