Posted to issues@guacamole.apache.org by "Jason Keltz (Jira)" <ji...@apache.org> on 2022/01/05 16:56:00 UTC

[jira] (GUACAMOLE-996) Provide configuration for filtering LDAP groups

    [ https://issues.apache.org/jira/browse/GUACAMOLE-996 ]


    Jason Keltz deleted comment on GUACAMOLE-996:
    ---------------------------------------

was (Author: kangaroo22):
[~vnick] I configured ldap-group-search-filter exactly as yours is in guacamole.properties. I previously had just ldap-group-search-filter: (objectClass=group) so I updated it, and restarted Tomcat. I had restarted Tomcat for the previous change anyway. My result is the same. In particular, when I go into "groups" in Guac, I see all my users and groups, which is the same behaviour without the patch.
I may be misunderstanding this new functionality. Should I only be seeing the groups now? The change that I've been patching since 1.2.0 does indeed do that. It shouldn't make much difference on the LDAP version because that patch was just sending objectClass=group. I can continue to patch it, and I'm sure it will work fine, but I'd love to get this working so that I don't need to.


> Provide configuration for filtering LDAP groups
> -----------------------------------------------
>
>                 Key: GUACAMOLE-996
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-996
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: Documentation, guacamole-auth-ldap
>            Reporter: Peter Ruhrmann
>            Assignee: Mike Jumper
>            Priority: Minor
>             Fix For: 1.4.0
>
>         Attachments: UserGroupService_donotretrieveall.patch
>
>
> *Problem:*
> If you have an LDAP-Directory where Users and Groups are in the same subtree and you don't use LDAP for Connection-Storage (guacConfigGroup), you get all objects under the DN configured as ldap-group-base-dn returned as groups.
> *Example:*
> Our directory looks like this:
> DC=AD,DC=company,DC=de
>  * OU=faculty
>  ** Group1
>  ** Group2
>  ** Group3
>  ** ...
>  ** OU=students
>  *** Student0001
>  *** Student0002
>  *** Student0003
>  *** ...
>  *** Student1999
> As ldap-group-base-dn I have to configure OU=faculty,DC=AD,DC=company,dc=de
> But then I get in the Web-UI all Groups and all Students as Group-Objects, which makes no sense.
> *Suggested fix*
> I have a fix for me, but as I am not a programmer, I don't know how to implement it the right way.
> I changed in UserGroupService.java line 92 from:
> {{return new PresenceNode("objectClass");}}
> to
> {{return new AndNode(new EqualityNode("objectClass","group"));}}
> and added
> {{import org.apache.directory.api.ldap.model.filter.AndNode;}}
> at line 34.
> Thanks for making this great project!
>  
> Peter
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
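
The difference between the presence filter and the equality filter in the suggested fix above, as an added example that is not part of the original issue or of Guacamole's code: a small evaluator for a subset of LDAP filter syntax, run over a constructed copy of the reported directory layout. The CN= naming and the objectClass values given to students and OUs are assumptions.

```python
# Added illustration, not Guacamole code: evaluates a subset of RFC 4515
# filters (&, |, !, equality, presence) against constructed entries.

BASE = "OU=faculty,DC=AD,DC=company,dc=de"  # ldap-group-base-dn from the report
ROOT = "OU=faculty,DC=AD,DC=company,DC=de"

# Constructed sample directory mirroring the layout in the report.
ENTRIES = [
    (ROOT, {"objectClass": ["top", "organizationalUnit"]}),
    ("CN=Group1," + ROOT, {"objectClass": ["top", "group"]}),
    ("CN=Group2," + ROOT, {"objectClass": ["top", "group"]}),
    ("OU=students," + ROOT, {"objectClass": ["top", "organizationalUnit"]}),
    ("CN=Student0001,OU=students," + ROOT, {"objectClass": ["top", "person", "user"]}),
    ("CN=Student0002,OU=students," + ROOT, {"objectClass": ["top", "person", "user"]}),
]

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, attrs):
    if node[0] == "&":
        return all(matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    have = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]
    # "*" is the presence test: true for any entry that carries the attribute.
    return bool(have) if value == "*" else value.lower() in have

def search(base_dn, ldap_filter):
    """Subtree search: DNs at or below base_dn whose attributes match."""
    node, end = parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing data after filter")
    base = base_dn.lower()
    return [dn for dn, attrs in ENTRIES
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and matches(node, attrs)]
```

Every entry carries objectClass, so `search(BASE, "(objectClass=*)")` returns the whole subtree, students included, while `(objectClass=group)` and the single-child `(&(objectClass=group))` form from the suggested fix return only the two groups.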