apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-12-16 10:32:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

add isPerson check to query for AD (#11843)

Browse Source
This commit is contained in:
dahn 2025-11-12 16:09:28 +01:00 committed by GitHub
parent 671d8ad704
commit e90e31d386
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 75 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
View File

@ -49,7 +49,7 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
searchControls.setReturningAttributes(_ldapConfiguration.getReturnAttributes(domainId)); searchControls.setReturningAttributes(_ldapConfiguration.getReturnAttributes(domainId));
NamingEnumeration<SearchResult> results = context.search(basedn, generateADGroupSearchFilter(groupName, domainId), searchControls); NamingEnumeration<SearchResult> results = context.search(basedn, generateADGroupSearchFilter(groupName, domainId), searchControls);
final List<LdapUser> users = new ArrayList<LdapUser>(); final List<LdapUser> users = new ArrayList<>();
while (results.hasMoreElements()) { while (results.hasMoreElements()) {
final SearchResult result = results.nextElement(); final SearchResult result = results.nextElement();
users.add(createUser(result, domainId)); users.add(createUser(result, domainId));
@ -58,10 +58,8 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
} }
String generateADGroupSearchFilter(String groupName, Long domainId) { String generateADGroupSearchFilter(String groupName, Long domainId) {
final StringBuilder userObjectFilter = new StringBuilder();
userObjectFilter.append("(objectClass="); final StringBuilder userObjectFilter = getUserObjectFilter(domainId);
userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
userObjectFilter.append(")");
final StringBuilder memberOfFilter = new StringBuilder(); final StringBuilder memberOfFilter = new StringBuilder();
String groupCnName = _ldapConfiguration.getCommonNameAttribute() + "=" +groupName + "," + _ldapConfiguration.getBaseDn(domainId); String groupCnName = _ldapConfiguration.getCommonNameAttribute() + "=" +groupName + "," + _ldapConfiguration.getBaseDn(domainId);
@ -75,10 +73,18 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
result.append(memberOfFilter); result.append(memberOfFilter);
result.append(")"); result.append(")");
logger.debug("group search filter = " + result); logger.debug("group search filter = {}", result);
return result.toString(); return result.toString();
} }
StringBuilder getUserObjectFilter(Long domainId) {
final StringBuilder userObjectFilter = new StringBuilder();
userObjectFilter.append("(&(objectCategory=person)");
userObjectFilter.append(super.getUserObjectFilter(domainId));
userObjectFilter.append(")");
return userObjectFilter;
}
protected boolean isUserDisabled(SearchResult result) throws NamingException { protected boolean isUserDisabled(SearchResult result) throws NamingException {
boolean isDisabledUser = false; boolean isDisabledUser = false;
String userAccountControl = LdapUtils.getAttributeValue(result.getAttributes(), _ldapConfiguration.getUserAccountControlAttribute()); String userAccountControl = LdapUtils.getAttributeValue(result.getAttributes(), _ldapConfiguration.getUserAccountControlAttribute());

133
plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
View File

@ -75,23 +75,15 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
} }
private String generateSearchFilter(final String username, Long domainId) { private String generateSearchFilter(final String username, Long domainId) {
final StringBuilder userObjectFilter = new StringBuilder(); final StringBuilder userObjectFilter = getUserObjectFilter(domainId);
userObjectFilter.append("(objectClass=");
userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
userObjectFilter.append(")");
final StringBuilder usernameFilter = new StringBuilder(); final StringBuilder usernameFilter = getUsernameFilter(username, domainId);
usernameFilter.append("(");
usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
usernameFilter.append("=");
usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
usernameFilter.append(")");
String memberOfAttribute = getMemberOfAttribute(domainId); String memberOfAttribute = getMemberOfAttribute(domainId);
StringBuilder ldapGroupsFilter = new StringBuilder(); StringBuilder ldapGroupsFilter = new StringBuilder();
// this should get the trustmaps for this domain // this should get the trustmaps for this domain
List<String> ldapGroups = getMappedLdapGroups(domainId); List<String> ldapGroups = getMappedLdapGroups(domainId);
if (null != ldapGroups && ldapGroups.size() > 0) { if (!ldapGroups.isEmpty()) {
ldapGroupsFilter.append("(|"); ldapGroupsFilter.append("(|");
for (String ldapGroup : ldapGroups) { for (String ldapGroup : ldapGroups) {
ldapGroupsFilter.append(getMemberOfGroupString(ldapGroup, memberOfAttribute)); ldapGroupsFilter.append(getMemberOfGroupString(ldapGroup, memberOfAttribute));
@ -104,21 +96,35 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
if (null != pricipleGroup) { if (null != pricipleGroup) {
principleGroupFilter.append(getMemberOfGroupString(pricipleGroup, memberOfAttribute)); principleGroupFilter.append(getMemberOfGroupString(pricipleGroup, memberOfAttribute));
} }
final StringBuilder result = new StringBuilder();
result.append("(&");
result.append(userObjectFilter);
result.append(usernameFilter);
result.append(ldapGroupsFilter);
result.append(principleGroupFilter);
result.append(")");
String returnString = result.toString(); String returnString = "(&" +
if (logger.isTraceEnabled()) { userObjectFilter +
logger.trace("constructed ldap query: " + returnString); usernameFilter +
} ldapGroupsFilter +
principleGroupFilter +
")";
logger.trace("constructed ldap query: {}", returnString);
return returnString; return returnString;
} }
private StringBuilder getUsernameFilter(String username, Long domainId) {
final StringBuilder usernameFilter = new StringBuilder();
usernameFilter.append("(");
usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
usernameFilter.append("=");
usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
usernameFilter.append(")");
return usernameFilter;
}
StringBuilder getUserObjectFilter(Long domainId) {
final StringBuilder userObjectFilter = new StringBuilder();
userObjectFilter.append("(objectClass=");
userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
userObjectFilter.append(")");
return userObjectFilter;
}
private List<String> getMappedLdapGroups(Long domainId) { private List<String> getMappedLdapGroups(Long domainId) {
List <String> ldapGroups = new ArrayList<>(); List <String> ldapGroups = new ArrayList<>();
// first get the trustmaps // first get the trustmaps
@ -134,37 +140,31 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
private String getMemberOfGroupString(String group, String memberOfAttribute) { private String getMemberOfGroupString(String group, String memberOfAttribute) {
final StringBuilder memberOfFilter = new StringBuilder(); final StringBuilder memberOfFilter = new StringBuilder();
if (null != group) { if (null != group) {
if(logger.isDebugEnabled()) { logger.debug("adding search filter for '{}', using '{}'", group, memberOfAttribute);
logger.debug("adding search filter for '" + group + memberOfFilter.append("(")
"', using '" + memberOfAttribute + "'"); .append(memberOfAttribute)
} .append("=")
memberOfFilter.append("(" + memberOfAttribute + "="); .append(group)
memberOfFilter.append(group); .append(")");
memberOfFilter.append(")");
} }
return memberOfFilter.toString(); return memberOfFilter.toString();
} }
private String generateGroupSearchFilter(final String groupName, Long domainId) { private String generateGroupSearchFilter(final String groupName, Long domainId) {
final StringBuilder groupObjectFilter = new StringBuilder(); String groupObjectFilter = "(objectClass=" +
groupObjectFilter.append("(objectClass="); _ldapConfiguration.getGroupObject(domainId) +
groupObjectFilter.append(_ldapConfiguration.getGroupObject(domainId)); ")";
groupObjectFilter.append(")");
final StringBuilder groupNameFilter = new StringBuilder(); String groupNameFilter = "(" +
groupNameFilter.append("("); _ldapConfiguration.getCommonNameAttribute() +
groupNameFilter.append(_ldapConfiguration.getCommonNameAttribute()); "=" +
groupNameFilter.append("="); (groupName == null ? "*" : LdapUtils.escapeLDAPSearchFilter(groupName)) +
groupNameFilter.append((groupName == null ? "*" : LdapUtils.escapeLDAPSearchFilter(groupName))); ")";
groupNameFilter.append(")");
final StringBuilder result = new StringBuilder(); return "(&" +
result.append("(&"); groupObjectFilter +
result.append(groupObjectFilter); groupNameFilter +
result.append(groupNameFilter); ")";
result.append(")");
return result.toString();
} }
@Override @Override
@ -186,17 +186,9 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
basedn = _ldapConfiguration.getBaseDn(domainId); basedn = _ldapConfiguration.getBaseDn(domainId);
} }
final StringBuilder userObjectFilter = new StringBuilder(); final StringBuilder userObjectFilter = getUserObjectFilter(domainId);
userObjectFilter.append("(objectClass=");
userObjectFilter.append(_ldapConfiguration.getUserObject(domainId));
userObjectFilter.append(")");
final StringBuilder usernameFilter = new StringBuilder(); final StringBuilder usernameFilter = getUsernameFilter(username, domainId);
usernameFilter.append("(");
usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
usernameFilter.append("=");
usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
usernameFilter.append(")");
final StringBuilder memberOfFilter = new StringBuilder(); final StringBuilder memberOfFilter = new StringBuilder();
if ("GROUP".equals(type)) { if ("GROUP".equals(type)) {
@ -205,18 +197,17 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
memberOfFilter.append(")"); memberOfFilter.append(")");
} }
final StringBuilder searchQuery = new StringBuilder(); String searchQuery = "(&" +
searchQuery.append("(&"); userObjectFilter +
searchQuery.append(userObjectFilter); usernameFilter +
searchQuery.append(usernameFilter); memberOfFilter +
searchQuery.append(memberOfFilter); ")";
searchQuery.append(")");
return searchUser(basedn, searchQuery.toString(), context, domainId); return searchUser(basedn, searchQuery, context, domainId);
} }
protected String getMemberOfAttribute(final Long domainId) { protected String getMemberOfAttribute(final Long domainId) {
return _ldapConfiguration.getUserMemberOfAttribute(domainId); return LdapConfiguration.getUserMemberOfAttribute(domainId);
} }
@Override @Override
@ -243,7 +234,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
NamingEnumeration<SearchResult> result = context.search(_ldapConfiguration.getBaseDn(domainId), generateGroupSearchFilter(groupName, domainId), controls); NamingEnumeration<SearchResult> result = context.search(_ldapConfiguration.getBaseDn(domainId), generateGroupSearchFilter(groupName, domainId), controls);
final List<LdapUser> users = new ArrayList<LdapUser>(); final List<LdapUser> users = new ArrayList<>();
//Expecting only one result which has all the users //Expecting only one result which has all the users
if (result.hasMoreElements()) { if (result.hasMoreElements()) {
Attribute attribute = result.nextElement().getAttributes().get(attributeName); Attribute attribute = result.nextElement().getAttributes().get(attributeName);
@ -254,7 +245,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
try{ try{
users.add(getUserForDn(userdn, context, domainId)); users.add(getUserForDn(userdn, context, domainId));
} catch (NamingException e){ } catch (NamingException e){
logger.info("Userdn: " + userdn + " Not Found:: Exception message: " + e.getMessage()); logger.info("Userdn: {} Not Found:: Exception message: {}", userdn, e.getMessage());
} }
} }
} }
@ -286,17 +277,15 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
return false; return false;
} }
public LdapUser searchUser(final String basedn, final String searchString, final LdapContext context, Long domainId) throws NamingException, IOException { public LdapUser searchUser(final String basedn, final String searchString, final LdapContext context, Long domainId) throws NamingException {
final SearchControls searchControls = new SearchControls(); final SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(_ldapConfiguration.getScope()); searchControls.setSearchScope(_ldapConfiguration.getScope());
searchControls.setReturningAttributes(_ldapConfiguration.getReturnAttributes(domainId)); searchControls.setReturningAttributes(_ldapConfiguration.getReturnAttributes(domainId));
NamingEnumeration<SearchResult> results = context.search(basedn, searchString, searchControls); NamingEnumeration<SearchResult> results = context.search(basedn, searchString, searchControls);
if(logger.isDebugEnabled()) { logger.debug("searching user(s) with filter: \"{}\"", searchString);
logger.debug("searching user(s) with filter: \"" + searchString + "\""); final List<LdapUser> users = new ArrayList<>();
}
final List<LdapUser> users = new ArrayList<LdapUser>();
while (results.hasMoreElements()) { while (results.hasMoreElements()) {
final SearchResult result = results.nextElement(); final SearchResult result = results.nextElement();
users.add(createUser(result, domainId)); users.add(createUser(result, domainId));
@ -324,7 +313,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
byte[] cookie = null; byte[] cookie = null;
int pageSize = _ldapConfiguration.getLdapPageSize(domainId); int pageSize = _ldapConfiguration.getLdapPageSize(domainId);
context.setRequestControls(new Control[]{new PagedResultsControl(pageSize, Control.NONCRITICAL)}); context.setRequestControls(new Control[]{new PagedResultsControl(pageSize, Control.NONCRITICAL)});
final List<LdapUser> users = new ArrayList<LdapUser>(); final List<LdapUser> users = new ArrayList<>();
NamingEnumeration<SearchResult> results; NamingEnumeration<SearchResult> results;
do { do {
results = context.search(basedn, generateSearchFilter(username, domainId), searchControls); results = context.search(basedn, generateSearchFilter(username, domainId), searchControls);

5
plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/ldap/ADLdapUserManagerImplTest.java
View File

@ -54,9 +54,8 @@ public class ADLdapUserManagerImplTest {
String [] groups = {"dev", "dev-hyd"}; String [] groups = {"dev", "dev-hyd"};
for (String group: groups) { for (String group: groups) {
String result = adLdapUserManager.generateADGroupSearchFilter(group, 1L); String result = adLdapUserManager.generateADGroupSearchFilter(group, 1L);
assertTrue(("(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=" + group + ",DC=cloud,DC=citrix,DC=com))").equals(result)); assertTrue(("(&(&(objectCategory=person)(objectClass=user))(memberOf:1.2.840.113556.1.4.1941:=CN=" + group + ",DC=cloud,DC=citrix,DC=com))").equals(result));
} }
} }
@Test @Test
@ -69,7 +68,7 @@ public class ADLdapUserManagerImplTest {
String [] groups = {"dev", "dev-hyd"}; String [] groups = {"dev", "dev-hyd"};
for (String group: groups) { for (String group: groups) {
String result = adLdapUserManager.generateADGroupSearchFilter(group, 1L); String result = adLdapUserManager.generateADGroupSearchFilter(group, 1L);
assertTrue(("(&(objectClass=user)(memberOf=CN=" + group + ",DC=cloud,DC=citrix,DC=com))").equals(result)); assertTrue(("(&(&(objectCategory=person)(objectClass=user))(memberOf=CN=" + group + ",DC=cloud,DC=citrix,DC=com))").equals(result));
} }
} }