LDAP: honour nested groups for MSAD (#11696)

2025-10-26 01:32:18 +02:00 · 2025-09-24 11:30:04 +02:00 · 2025-09-24 11:30:04 +02:00 · c24d2b88f6
commit c24d2b88f6
parent 96992d3d64
3 changed files with 12 additions and 5 deletions
--- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
+++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
@ -93,10 +93,14 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
    }

    protected String getMemberOfAttribute(final Long domainId) {
+        String rc;
        if(_ldapConfiguration.isNestedGroupsEnabled(domainId)) {
-            return MICROSOFT_AD_NESTED_MEMBERS_FILTER;
+            rc = MICROSOFT_AD_NESTED_MEMBERS_FILTER;
        } else {
-            return MICROSOFT_AD_MEMBERS_FILTER;
+            rc = MICROSOFT_AD_MEMBERS_FILTER;
        }
+        logger.trace("using memberOf filter = {} for domain with id {}", rc, domainId);
+
+        return rc;
    }
 }
--- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapConfiguration.java
+++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapConfiguration.java
@ -27,9 +27,12 @@ import org.apache.cloudstack.framework.config.dao.ConfigurationDao;

 import com.cloud.utils.Pair;
 import org.apache.cloudstack.ldap.dao.LdapConfigurationDao;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;

 public class LdapConfiguration implements Configurable{
    private final static String factory = "com.sun.jndi.ldap.LdapCtxFactory";
+    protected Logger logger = LogManager.getLogger(getClass());

    private static final ConfigKey<Long> ldapReadTimeout = new ConfigKey<Long>(
            Long.class,
@ -325,7 +328,7 @@ public class LdapConfiguration implements Configurable{
        try {
            provider = LdapUserManager.Provider.valueOf(ldapProvider.valueIn(domainId).toUpperCase());
        } catch (IllegalArgumentException ex) {
-            //openldap is the default
+            logger.warn("no LDAP provider found for domain {}, using openldap as default", domainId);
            provider = LdapUserManager.Provider.OPENLDAP;
        }
        return provider;
--- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
+++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
@ -63,7 +63,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
        final String firstname = LdapUtils.getAttributeValue(attributes, _ldapConfiguration.getFirstnameAttribute(domainId));
        final String lastname = LdapUtils.getAttributeValue(attributes, _ldapConfiguration.getLastnameAttribute(domainId));
        final String principal = result.getNameInNamespace();
-        final List<String> memberships = LdapUtils.getAttributeValues(attributes, _ldapConfiguration.getUserMemberOfAttribute(domainId));
+        final List<String> memberships = LdapUtils.getAttributeValues(attributes, getMemberOfAttribute(domainId));

        String domain = principal.replace("cn=" + LdapUtils.getAttributeValue(attributes, _ldapConfiguration.getCommonNameAttribute()) + ",", "");
        domain = domain.replace("," + _ldapConfiguration.getBaseDn(domainId), "");
@ -87,7 +87,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
        usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
        usernameFilter.append(")");

-        String memberOfAttribute = _ldapConfiguration.getUserMemberOfAttribute(domainId);
+        String memberOfAttribute = getMemberOfAttribute(domainId);
        StringBuilder ldapGroupsFilter = new StringBuilder();
        // this should get the trustmaps for this domain
        List<String> ldapGroups = getMappedLdapGroups(domainId);