add isPerson check to query for AD (#11843)

dahn 2025-11-12 16:09:28 +01:00 committed by GitHub
parent 671d8ad704
commit e90e31d386
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 75 additions and 81 deletions


@ -49,7 +49,7 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
searchControls.setReturningAttributes(_ldapConfiguration.getReturnAttributes(domainId));
NamingEnumeration<SearchResult> results = context.search(basedn, generateADGroupSearchFilter(groupName, domainId), searchControls);
final List<LdapUser> users = new ArrayList<LdapUser>();
final List<LdapUser> users = new ArrayList<>();
while (results.hasMoreElements()) {
final SearchResult result = results.nextElement();
users.add(createUser(result, domainId));
@ -58,10 +58,8 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
}
String generateADGroupSearchFilter(String groupName, Long domainId) {
final StringBuilder userObjectFilter = new StringBuilder();
userObjectFilter.append("(objectClass=");
userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
userObjectFilter.append(")");
final StringBuilder userObjectFilter = getUserObjectFilter(domainId);
final StringBuilder memberOfFilter = new StringBuilder();
String groupCnName = _ldapConfiguration.getCommonNameAttribute() + "=" +groupName + "," + _ldapConfiguration.getBaseDn(domainId);
@ -75,10 +73,18 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
result.append(memberOfFilter);
result.append(")");
logger.debug("group search filter = " + result);
logger.debug("group search filter = {}", result);
return result.toString();
}
StringBuilder getUserObjectFilter(Long domainId) {
final StringBuilder userObjectFilter = new StringBuilder();
userObjectFilter.append("(&(objectCategory=person)");
userObjectFilter.append(super.getUserObjectFilter(domainId));
userObjectFilter.append(")");
return userObjectFilter;
}
protected boolean isUserDisabled(SearchResult result) throws NamingException {
boolean isDisabledUser = false;
String userAccountControl = LdapUtils.getAttributeValue(result.getAttributes(), _ldapConfiguration.getUserAccountControlAttribute());
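Review bot: The new `getUserObjectFilter(Long domainId)` in ADLdapUserManagerImpl overrides the package-private method of the same signature added to OpenLdapUserManagerImpl in this commit, but carries no `@Override` annotation, so a later rename or visibility change in the parent would silently turn it into an unrelated method and drop the `objectCategory=person` restriction from AD queries. Add `@Override` above the declaration and a short Javadoc such as `/** Narrows the parent's objectClass filter to AD objects whose objectCategory is person, so non-person objects that also carry the configured user objectClass are not considered login candidates. */`. The resulting filter nests two AND terms, `(&(&(objectCategory=person)(objectClass=user))(memberOf=...))`, as the updated test shows; that is valid LDAP and harmless, though the inner `(&...)` could be flattened if the parent ever returns a bare term. The enclosing class continues outside this section.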


@ -75,23 +75,15 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
}
private String generateSearchFilter(final String username, Long domainId) {
final StringBuilder userObjectFilter = new StringBuilder();
userObjectFilter.append("(objectClass=");
userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
userObjectFilter.append(")");
final StringBuilder userObjectFilter = getUserObjectFilter(domainId);
final StringBuilder usernameFilter = new StringBuilder();
usernameFilter.append("(");
usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
usernameFilter.append("=");
usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
usernameFilter.append(")");
final StringBuilder usernameFilter = getUsernameFilter(username, domainId);
String memberOfAttribute = getMemberOfAttribute(domainId);
StringBuilder ldapGroupsFilter = new StringBuilder();
// this should get the trustmaps for this domain
List<String> ldapGroups = getMappedLdapGroups(domainId);
if (null != ldapGroups && ldapGroups.size() > 0) {
if (!ldapGroups.isEmpty()) {
ldapGroupsFilter.append("(|");
for (String ldapGroup : ldapGroups) {
ldapGroupsFilter.append(getMemberOfGroupString(ldapGroup, memberOfAttribute));
@ -104,21 +96,35 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
if (null != pricipleGroup) {
principleGroupFilter.append(getMemberOfGroupString(pricipleGroup, memberOfAttribute));
}
final StringBuilder result = new StringBuilder();
result.append("(&");
result.append(userObjectFilter);
result.append(usernameFilter);
result.append(ldapGroupsFilter);
result.append(principleGroupFilter);
result.append(")");
String returnString = result.toString();
if (logger.isTraceEnabled()) {
logger.trace("constructed ldap query: " + returnString);
}
String returnString = "(&" +
userObjectFilter +
usernameFilter +
ldapGroupsFilter +
principleGroupFilter +
")";
logger.trace("constructed ldap query: {}", returnString);
return returnString;
}
private StringBuilder getUsernameFilter(String username, Long domainId) {
final StringBuilder usernameFilter = new StringBuilder();
usernameFilter.append("(");
usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
usernameFilter.append("=");
usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
usernameFilter.append(")");
return usernameFilter;
}
StringBuilder getUserObjectFilter(Long domainId) {
final StringBuilder userObjectFilter = new StringBuilder();
userObjectFilter.append("(objectClass=");
userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
userObjectFilter.append(")");
return userObjectFilter;
}
private List<String> getMappedLdapGroups(Long domainId) {
List <String> ldapGroups = new ArrayList<>();
// first get the trustmaps
@ -134,37 +140,31 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
private String getMemberOfGroupString(String group, String memberOfAttribute) {
final StringBuilder memberOfFilter = new StringBuilder();
if (null != group) {
if(logger.isDebugEnabled()) {
logger.debug("adding search filter for '" + group +
"', using '" + memberOfAttribute + "'");
}
memberOfFilter.append("(" + memberOfAttribute + "=");
memberOfFilter.append(group);
memberOfFilter.append(")");
logger.debug("adding search filter for '{}', using '{}'", group, memberOfAttribute);
memberOfFilter.append("(")
.append(memberOfAttribute)
.append("=")
.append(group)
.append(")");
}
return memberOfFilter.toString();
}
private String generateGroupSearchFilter(final String groupName, Long domainId) {
final StringBuilder groupObjectFilter = new StringBuilder();
groupObjectFilter.append("(objectClass=");
groupObjectFilter.append(_ldapConfiguration.getGroupObject(domainId));
groupObjectFilter.append(")");
String groupObjectFilter = "(objectClass=" +
_ldapConfiguration.getGroupObject(domainId) +
")";
final StringBuilder groupNameFilter = new StringBuilder();
groupNameFilter.append("(");
groupNameFilter.append(_ldapConfiguration.getCommonNameAttribute());
groupNameFilter.append("=");
groupNameFilter.append((groupName == null ? "*" : LdapUtils.escapeLDAPSearchFilter(groupName)));
groupNameFilter.append(")");
String groupNameFilter = "(" +
_ldapConfiguration.getCommonNameAttribute() +
"=" +
(groupName == null ? "*" : LdapUtils.escapeLDAPSearchFilter(groupName)) +
")";
final StringBuilder result = new StringBuilder();
result.append("(&");
result.append(groupObjectFilter);
result.append(groupNameFilter);
result.append(")");
return result.toString();
return "(&" +
groupObjectFilter +
groupNameFilter +
")";
}
@Override
@ -186,17 +186,9 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
basedn = _ldapConfiguration.getBaseDn(domainId);
}
final StringBuilder userObjectFilter = new StringBuilder();
userObjectFilter.append("(objectClass=");
userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
userObjectFilter.append(")");
final StringBuilder userObjectFilter = getUserObjectFilter(domainId);
final StringBuilder usernameFilter = new StringBuilder();
usernameFilter.append("(");
usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
usernameFilter.append("=");
usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
usernameFilter.append(")");
final StringBuilder usernameFilter = getUsernameFilter(username, domainId);
final StringBuilder memberOfFilter = new StringBuilder();
if ("GROUP".equals(type)) {
@ -205,18 +197,17 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
memberOfFilter.append(")");
}
final StringBuilder searchQuery = new StringBuilder();
searchQuery.append("(&");
searchQuery.append(userObjectFilter);
searchQuery.append(usernameFilter);
searchQuery.append(memberOfFilter);
searchQuery.append(")");
String searchQuery = "(&" +
userObjectFilter +
usernameFilter +
memberOfFilter +
")";
return searchUser(basedn, searchQuery.toString(), context, domainId);
return searchUser(basedn, searchQuery, context, domainId);
}
protected String getMemberOfAttribute(final Long domainId) {
return _ldapConfiguration.getUserMemberOfAttribute(domainId);
return LdapConfiguration.getUserMemberOfAttribute(domainId);
}
@Override
@ -243,7 +234,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
NamingEnumeration<SearchResult> result = context.search(_ldapConfiguration.getBaseDn(domainId), generateGroupSearchFilter(groupName, domainId), controls);
final List<LdapUser> users = new ArrayList<LdapUser>();
final List<LdapUser> users = new ArrayList<>();
//Expecting only one result which has all the users
if (result.hasMoreElements()) {
Attribute attribute = result.nextElement().getAttributes().get(attributeName);
@ -254,7 +245,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
try{
users.add(getUserForDn(userdn, context, domainId));
} catch (NamingException e){
logger.info("Userdn: " + userdn + " Not Found:: Exception message: " + e.getMessage());
logger.info("Userdn: {} Not Found:: Exception message: {}", userdn, e.getMessage());
}
}
}
@ -286,17 +277,15 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
return false;
}
public LdapUser searchUser(final String basedn, final String searchString, final LdapContext context, Long domainId) throws NamingException, IOException {
public LdapUser searchUser(final String basedn, final String searchString, final LdapContext context, Long domainId) throws NamingException {
final SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(_ldapConfiguration.getScope());
searchControls.setReturningAttributes(_ldapConfiguration.getReturnAttributes(domainId));
NamingEnumeration<SearchResult> results = context.search(basedn, searchString, searchControls);
if(logger.isDebugEnabled()) {
logger.debug("searching user(s) with filter: \"" + searchString + "\"");
}
final List<LdapUser> users = new ArrayList<LdapUser>();
logger.debug("searching user(s) with filter: \"{}\"", searchString);
final List<LdapUser> users = new ArrayList<>();
while (results.hasMoreElements()) {
final SearchResult result = results.nextElement();
users.add(createUser(result, domainId));
@ -324,7 +313,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
byte[] cookie = null;
int pageSize = _ldapConfiguration.getLdapPageSize(domainId);
context.setRequestControls(new Control[]{new PagedResultsControl(pageSize, Control.NONCRITICAL)});
final List<LdapUser> users = new ArrayList<LdapUser>();
final List<LdapUser> users = new ArrayList<>();
NamingEnumeration<SearchResult> results;
do {
results = context.search(basedn, generateSearchFilter(username, domainId), searchControls);
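Review bot: The rewritten `getMemberOfGroupString` still appends `group` into the filter without `LdapUtils.escapeLDAPSearchFilter`, while the new `getUsernameFilter` and `generateGroupSearchFilter` escape their values; a mapped group name containing `(`, `)`, `*` or `\` would corrupt or widen the constructed query. The values come from trust maps rather than from the login request, so the exposure is to misconfiguration rather than to an attacker, but for consistency the line could read `.append(LdapUtils.escapeLDAPSearchFilter(group))`, with the same treatment for `groupCnName` in ADLdapUserManagerImpl.generateADGroupSearchFilter. Two smaller points in this section: `getMemberOfAttribute` now calls `LdapConfiguration.getUserMemberOfAttribute(domainId)` statically, which only compiles if that method is static in LdapConfiguration (not visible here), and `searchUser` drops `IOException` from its `throws` clause, which can break external callers whose `catch (IOException e)` becomes unreachable. The enclosing class starts and ends outside this section.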


@ -54,9 +54,8 @@ public class ADLdapUserManagerImplTest {
String [] groups = {"dev", "dev-hyd"};
for (String group: groups) {
String result = adLdapUserManager.generateADGroupSearchFilter(group, 1L);
assertTrue(("(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=" + group + ",DC=cloud,DC=citrix,DC=com))").equals(result));
assertTrue(("(&(&(objectCategory=person)(objectClass=user))(memberOf:1.2.840.113556.1.4.1941:=CN=" + group + ",DC=cloud,DC=citrix,DC=com))").equals(result));
}
}
@Test
@ -69,7 +68,7 @@ public class ADLdapUserManagerImplTest {
String [] groups = {"dev", "dev-hyd"};
for (String group: groups) {
String result = adLdapUserManager.generateADGroupSearchFilter(group, 1L);
assertTrue(("(&(objectClass=user)(memberOf=CN=" + group + ",DC=cloud,DC=citrix,DC=com))").equals(result));
assertTrue(("(&(&(objectCategory=person)(objectClass=user))(memberOf=CN=" + group + ",DC=cloud,DC=citrix,DC=com))").equals(result));
}
}
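Review bot: The updated expectations keep the `assertTrue(expected.equals(result))` form, so when the filter shape changes again the failure message will only say "expected true" and not show the two strings. Writing them as `assertEquals("(&(&(objectCategory=person)(objectClass=user))(memberOf=CN=" + group + ",DC=cloud,DC=citrix,DC=com))", result);` in both tests gives a diff of the actual filter on failure. No test in this commit exercises OpenLdapUserManagerImpl.getUserObjectFilter or getUsernameFilter directly; a small assertion on each would pin the extracted helpers independently of the AD subclass.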