[jira] (GUACAMOLE-996) Provide configuration for filtering LDAP groups

Wed, 05 Jan 2022 08:56:22 -0800 


    [ https://issues.apache.org/jira/browse/GUACAMOLE-996 ]


    Jason Keltz deleted comment on GUACAMOLE-996:
    ---------------------------------------

was (Author: kangaroo22):
[~vnick] I configured ldap-group-search-filter exactly as yours is in 
guacamole.properties.  I previously had just  ldap-group-search-filter: 
(objectClass=group) so I updated it, and restarted tomcat.  I had restarted 
tomcat for the previous change anyway.  My result is the same.  In particular, 
when I go into "groups" in Guac, I see all my users and groups, which is the 
same behaviour without the patch.  
I may be misunderstanding this new functionality.  Should I only be seeing the 
groups now?   The change that I've been patching since 1.2.0 does indeed do 
that.  It shouldn't make much difference on the LDAP version because that patch 
was just sending objectClass=group.   I can continue to patch it, and I'm sure 
it will work fine, but I'd love to get this working so that I don't need to. 


> Provide configuration for filtering LDAP groups
> -----------------------------------------------
>
>                 Key: GUACAMOLE-996
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-996
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: Documentation, guacamole-auth-ldap
>            Reporter: Peter Ruhrmann
>            Assignee: Mike Jumper
>            Priority: Minor
>             Fix For: 1.4.0
>
>         Attachments: UserGroupService_donotretrieveall.patch
>
>
> *Problem:*
> If you have an LDAP-Directory where Users and Groups are in the same subtree 
> and you don't use LDAP for Connection-Storage (guacConfigGroup) you get all 
> objects under the DN configured as ldap-group-base-dn returned as groups.
> *Example:*
> Our directory looks like this:
> DC=AD,DC=company,DC=de
>  * OU=faculty
>  ** Group1
>  ** Group2
>  ** Group3
>  ** ...
>  ** OU=students
>  *** Student0001
>  *** Student0002
>  *** Student0003
>  *** ...
>  *** Student1999
> As ldap-group-base-dn I have to configure OU=faculty,DC=AD,DC=company,dc=de
> But then I get in the Web-UI all Groups and all Students as Group-Objects 
> which makes no sense
> *Suggested fix*
> I have a fix for me but as I am not a programmer, I don't know how to 
> implement it the right way.
> I changed in UserGroupService.java line 92 from:
> {{return new PresenceNode("objectClass");}}
> to
> {{return new AndNode(new EqualityNode("objectClass","group"));}}
> and added
> {{import org.apache.directory.api.ldap.model.filter.AndNode;}}
> at line 34.
> Thanks for making this great project!
>  
> Peter
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to