From 4dfa153b638cfe9a72c42dec504eaf39d2263810 Mon Sep 17 00:00:00 2001
From: Drew Green
Date: Thu, 13 Jan 2022 12:22:49 -0500
Subject: [PATCH] Added support for specifying LDAP UPN in properties file.

Allows for any user in LDAP (with the corresponding UPN) to authenticate. Removes requirement of users being within same OU for large LDAP deployments.
---
 .../ldap/AuthenticationProviderService.java | 22 ++++++++++++++-----
 .../auth/ldap/conf/ConfigurationService.java | 16 ++++++++++++++
 .../ldap/conf/LDAPGuacamoleProperties.java | 13 ++++++++++++-
 3 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
index 654b403c34..09c94b7160 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
@@ -120,17 +120,28 @@ public class AuthenticationProviderService { * If required properties are missing, and thus the user DN cannot be * determined. */ - private Dn getUserBindDN(LDAPConfiguration config, String username) - throws GuacamoleException { + private Dn getUserBindDN(LDAPConfiguration config, String username, String password) throws GuacamoleException { // If a search DN is provided, search the LDAP directory for the DN // corresponding to the given username - String searchBindLogon = config.getSearchBindDN(); + + String searchBindLogon; + String searchBindPassword; + + if(confService.getUPNDomain() != "" && confService.getUPNDomain() != null){ + searchBindLogon = username + "@" + confService.getUPNDomain(); + searchBindPassword = password; + }else{ + searchBindLogon = config.getSearchBindDN(); + searchBindPassword = config.getSearchBindPassword(); + } if (searchBindLogon != null) { // Create an LDAP connection using the search account LdapNetworkConnection searchConnection = ldapService.bindAs(config, - searchBindLogon, config.getSearchBindPassword()); + searchBindLogon, + searchBindPassword + ); // Warn of failure to find if (searchConnection == null) {
@@ -219,7 +230,8 @@ private UserLDAPConfiguration getLDAPConfiguration(String username, config.getServerHostname(), username, translatedUsername); // Derive DN of user within this LDAP server - Dn bindDn = getUserBindDN(config, translatedUsername); + + Dn bindDn = getUserBindDN(config, username, password); if (bindDn == null || bindDn.isEmpty()) { logger.info("Unable to determine DN of user \"{}\" using LDAP " + "server \"{}\". Proceeding with next server...",
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
index 15bd0026c6..7cd8770e8c 100644
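Review bot: The UPN check in the new `if` compares the property with `!= ""`, which is a reference comparison on a String and is true for any value including an empty one read from guacamole.properties, and it tests for null only after that comparison; it also calls `confService.getUPNDomain()` three times. Read the value once and test it in the right order: `String upnDomain = confService.getUPNDomain();` / `if (upnDomain != null && !upnDomain.isEmpty()) {` / `searchBindLogon = username + "@" + upnDomain;`. With a domain configured the search bind now runs with the authenticating user's own credentials, so a null or empty `password` is handed to `bindAs` as the bind password; unless `bindAs` already rejects empty passwords (its body is not in the hunk), that can succeed as an unauthenticated bind and the search would proceed, so the UPN branch should return null when `password` is null or empty, which the caller already treats as "DN not found". The method's Javadoc, which starts above the hunk, gains no `@param password` entry for the new parameter. getUserBindDN's body continues past the end of the hunk.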
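Review bot: The new call passes the raw `username` where the removed line passed `translatedUsername`, so the username translation that the log statement just above this line reports is no longer applied to the name used to derive the bind DN; `Dn bindDn = getUserBindDN(config, translatedUsername, password);` keeps the previous behaviour while adding the password. The hunk uses `password` without declaring it, so it is presumably already a parameter of getLDAPConfiguration, whose signature and body lie outside the hunk. The blank line added in place of the removed call is stray whitespace.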
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/ConfigurationService.java
@@ -149,4 +149,20 @@ else if (cachedConfigurations != null) { } + /** + * Returns the UPN domain name used to authenticate via LDAP, + * or null by default. + * + * @return + * The UPN domain name of the LDAP accounts when authenticating per-user. + * + * @throws GuacamoleException + * If guacamole.properties connect be parsed. + */ + public String getUPNDomain() throws GuacamoleException { + return environment.getProperty( + LDAPGuacamoleProperties.LDAP_UPN_DOMAIN, + null + ); + } }
diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
index 1db4f723cd..1836299e67 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/conf/LDAPGuacamoleProperties.java
@@ -125,6 +125,17 @@ private LDAPGuacamoleProperties() {} @Override public String getName() { return "ldap-hostname"; } + }; + + /** + * The domain used for a UPN username for LDAP server to connect to when authenticating users. + */ + public static final StringGuacamoleProperty LDAP_UPN_DOMAIN = + new StringGuacamoleProperty() { + + @Override + public String getName() { return "ldap-upn-domain"; } + }; /**
@@ -298,5 +309,5 @@ private LDAPGuacamoleProperties() {} public String getName() { return "ldap-member-attribute-type"; } }; - + }
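Review bot: The `@throws` text in the new Javadoc for `getUPNDomain` reads `If guacamole.properties connect be parsed.`; it should be `If guacamole.properties cannot be parsed.`. The summary could also state what setting the property changes, which the getter alone does not convey, for example `Returns the UPN domain appended to the username when the search bind is performed as the authenticating user, or null if the property is not set (the configured search bind DN and password are then used).` The value is returned untrimmed, so trailing whitespace in the property would be appended verbatim to the username; either note that in the Javadoc or normalise the value here.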
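Review bot: The Javadoc on the new `LDAP_UPN_DOMAIN` property (`The domain used for a UPN username for LDAP server to connect to when authenticating users.`) reads awkwardly and does not say what setting it changes. Suggest `The domain suffix appended to the username to form a UPN (user@domain); when set, the search bind is performed with the authenticating user's own credentials instead of the configured search bind DN.` The `ldap-upn-domain` name follows the existing `ldap-` prefix used by the neighbouring `ldap-hostname` property, which is fine.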