-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added support for specifying LDAP UPN in properties file #683
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -120,17 +120,28 @@ public class AuthenticationProviderService { | |
* If required properties are missing, and thus the user DN cannot be | ||
* determined. | ||
*/ | ||
private Dn getUserBindDN(LDAPConfiguration config, String username) | ||
throws GuacamoleException { | ||
private Dn getUserBindDN(LDAPConfiguration config, String username, String password) throws GuacamoleException { | ||
|
||
// If a search DN is provided, search the LDAP directory for the DN | ||
// corresponding to the given username | ||
String searchBindLogon = config.getSearchBindDN(); | ||
|
||
String searchBindLogon; | ||
String searchBindPassword; | ||
|
||
if(confService.getUPNDomain() != "" && confService.getUPNDomain() != null){ | ||
searchBindLogon = username + "@" + confService.getUPNDomain(); | ||
searchBindPassword = password; | ||
Comment on lines
+132
to
+133
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't think this should be done. The search bind DN is a very specific thing - it's the service account that Guacamole uses to resolve the DN of a user. It shouldn't be replaced with the user's own account. If the idea here is to allow logins via UPN and avoid the search bind DN entirely, then the solution would be to allow user authentication to proceed without a user search by directly binding with the provided UPN - essentially an alternative to the direct user mapping already supported. |
||
}else{ | ||
searchBindLogon = config.getSearchBindDN(); | ||
searchBindPassword = config.getSearchBindPassword(); | ||
} | ||
if (searchBindLogon != null) { | ||
|
||
// Create an LDAP connection using the search account | ||
LdapNetworkConnection searchConnection = ldapService.bindAs(config, | ||
searchBindLogon, config.getSearchBindPassword()); | ||
searchBindLogon, | ||
searchBindPassword | ||
); | ||
|
||
// Warn of failure to find | ||
if (searchConnection == null) { | ||
|
@@ -219,7 +230,8 @@ private UserLDAPConfiguration getLDAPConfiguration(String username, | |
config.getServerHostname(), username, translatedUsername); | ||
|
||
// Derive DN of user within this LDAP server | ||
Dn bindDn = getUserBindDN(config, translatedUsername); | ||
|
||
Dn bindDn = getUserBindDN(config, username, password); | ||
if (bindDn == null || bindDn.isEmpty()) { | ||
logger.info("Unable to determine DN of user \"{}\" using LDAP " | ||
+ "server \"{}\". Proceeding with next server...", | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test
confService.getUPNDomain() != ""
performs a by-reference comparison against theString
object for""
, not a comparison of the content of those strings. The proper test for whether aString
is empty isisEmpty()
, however thenull
check shown here would have to occur first for that call to not throw aNullPointerException
in the event the string is indeednull
.