Posted to commits@cloudstack.apache.org by ra...@apache.org on 2015/09/05 06:02:46 UTC
[06/17] git commit: updated refs/heads/master to 5881035
CLOUDSTACK-8647 added nested group enabled config in ldap
Nested groups are queried only when nested groups are enabled.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/59291864
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/59291864
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/59291864
Branch: refs/heads/master
Commit: 59291864fc893935294fc9a8ac60c6c537a7caff
Parents: 0dc9ccd
Author: Rajani Karuturi <ra...@gmail.com>
Authored: Tue Aug 11 14:27:55 2015 +0530
Committer: Rajani Karuturi <ra...@citrix.com>
Committed: Thu Aug 27 17:30:21 2015 +0530
----------------------------------------------------------------------
.../cloudstack/ldap/ADLdapUserManagerImpl.java | 9 ++++--
.../cloudstack/ldap/LdapAuthenticator.java | 32 ++++++++++++++------
.../cloudstack/ldap/LdapConfiguration.java | 9 +++++-
.../src/com/cloud/user/AccountManagerImpl.java | 4 +--
4 files changed, 38 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/59291864/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
index 89a2781..5570084 100644
--- a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
+++ b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
@@ -33,6 +33,7 @@ import org.apache.log4j.Logger;
public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements LdapUserManager {
public static final Logger s_logger = Logger.getLogger(ADLdapUserManagerImpl.class.getName());
private static final String MICROSOFT_AD_NESTED_MEMBERS_FILTER = "memberOf:1.2.840.113556.1.4.1941:";
+ private static final String MICROSOFT_AD_MEMBERS_FILTER = "memberOf";
@Override
public List<LdapUser> getUsersInGroup(String groupName, LdapContext context) throws NamingException {
@@ -66,7 +67,7 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
final StringBuilder memberOfFilter = new StringBuilder();
String groupCnName = _ldapConfiguration.getCommonNameAttribute() + "=" +groupName + "," + _ldapConfiguration.getBaseDn();
- memberOfFilter.append("(" + MICROSOFT_AD_NESTED_MEMBERS_FILTER + "=");
+ memberOfFilter.append("(").append(getMemberOfAttribute()).append("=");
memberOfFilter.append(groupCnName);
memberOfFilter.append(")");
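Review bot: `groupName` is still concatenated unescaped into the filter value on the `String groupCnName = ...` line and then placed inside the parentheses on the new `.append(getMemberOfAttribute()).append("=")` line, so a group name containing filter metacharacters (`*`, `(`, `)`, `\`, NUL) alters the filter's structure instead of being matched literally. The commit does not change that, but now that the same value feeds both the nested-member rule and the plain `memberOf` match it is worth escaping it per RFC 4515 before appending, for instance through a small private helper that rewrites each of those characters to its `\XX` hex form. getUsersInGroup starts outside the hunk, so where groupName originates is not visible here; if it is always administrator-supplied the exposure is smaller, but the escaping costs nothing.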
@@ -94,6 +95,10 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
}
protected String getMemberOfAttribute() {
- return MICROSOFT_AD_NESTED_MEMBERS_FILTER;
+ if(_ldapConfiguration.isNestedGroupsEnabled()) {
+ return MICROSOFT_AD_NESTED_MEMBERS_FILTER;
+ } else {
+ return MICROSOFT_AD_MEMBERS_FILTER;
+ }
}
}
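Review bot: getMemberOfAttribute now selects between two different filter attributes but carries no Javadoc, and the difference matters: the nested constant is the AD extensible-match rule (OID 1.2.840.113556.1.4.1941, LDAP_MATCHING_RULE_IN_CHAIN) that walks group membership transitively, while plain `memberOf` matches direct members only. Suggested Javadoc: `/** Returns the memberOf attribute to use in the group-member filter: the AD transitive matching rule when nested groups are enabled, plain memberOf (direct members only) otherwise. */`. Since the value is read from `_ldapConfiguration.isNestedGroupsEnabled()` on every call, the comment could also say that the setting takes effect on the next query. Minor style: `if(` should be `if (` to match the rest of the file.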
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/59291864/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapAuthenticator.java b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapAuthenticator.java
index a04868e..7599dad 100644
--- a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapAuthenticator.java
+++ b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapAuthenticator.java
@@ -17,7 +17,8 @@
package org.apache.cloudstack.ldap;
import com.cloud.server.auth.DefaultUserAuthenticator;
-import com.cloud.user.AccountService;
+import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
import com.cloud.user.User;
import com.cloud.user.UserAccount;
import com.cloud.user.dao.UserAccountDao;
@@ -37,7 +38,7 @@ public class LdapAuthenticator extends DefaultUserAuthenticator {
@Inject
private UserAccountDao _userAccountDao;
@Inject
- public AccountService _accountService;
+ private AccountManager _accountManager;
public LdapAuthenticator() {
super();
@@ -68,13 +69,17 @@ public class LdapAuthenticator extends DefaultUserAuthenticator {
LdapUser ldapUser = _ldapManager.getUser(username, ldapTrustMapVO.getType(), ldapTrustMapVO.getName());
if(!ldapUser.isDisabled()) {
result = _ldapManager.canAuthenticate(ldapUser.getPrincipal(), password);
- if(result && (user == null)) {
- // import user to cloudstack
- createCloudStackUserAccount(ldapUser, domainId, ldapTrustMapVO.getAccountType());
+ if(result) {
+ if(user == null) {
+ // import user to cloudstack
+ createCloudStackUserAccount(ldapUser, domainId, ldapTrustMapVO.getAccountType());
+ } else {
+ enableUserInCloudStack(user);
+ }
}
} else {
//disable user in cloudstack
- disableUserInCloudStack(ldapUser, domainId);
+ disableUserInCloudStack(user);
}
} catch (NoLdapUserMatchingQueryException e) {
s_logger.debug(e.getMessage());
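Review bot: The new `else { enableUserInCloudStack(user); }` branch re-enables a CloudStack user on every successful LDAP bind whenever that user's state is disabled, and nothing in this hunk distinguishes a user that `disableUserInCloudStack` disabled because LDAP flagged it from one an administrator disabled deliberately in CloudStack; if the latter case exists, the admin's action is silently undone at the user's next LDAP login. Consider limiting the automatic enable to users this authenticator disabled (or otherwise recording the reason), and state the intended rule in a comment above the branch, e.g. `// re-enable only users that were disabled because LDAP reported them disabled`. The swap from `lockUser` to `disableUser` in the next hunk (`_accountService.lockUser(user.getId())` → `_accountManager.disableUser(user.getId())`) is a semantic change the commit message does not mention and deserves a line there or in the helper's Javadoc. authenticate() begins before this hunk, so the origin of `user` is not visible.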
@@ -103,15 +108,22 @@ public class LdapAuthenticator extends DefaultUserAuthenticator {
return new Pair<Boolean, ActionOnFailedAuthentication>(result, action);
}
+ private void enableUserInCloudStack(UserAccount user) {
+ if(user != null && (user.getState().equalsIgnoreCase(Account.State.disabled.toString()))) {
+ _accountManager.enableUser(user.getId());
+ }
+ }
+
private void createCloudStackUserAccount(LdapUser user, long domainId, short accountType) {
String username = user.getUsername();
- _accountService.createUserAccount(username, "", user.getFirstname(), user.getLastname(), user.getEmail(), null, username, accountType, domainId, username, null,
+ _accountManager.createUserAccount(username, "", user.getFirstname(), user.getLastname(), user.getEmail(), null, username, accountType, domainId, username, null,
UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP);
}
- private void disableUserInCloudStack(LdapUser ldapUser, long domainId) {
- final UserAccount user = _userAccountDao.getUserAccount(ldapUser.getUsername(), domainId);
- _accountService.lockUser(user.getId());
+ private void disableUserInCloudStack(UserAccount user) {
+ if (user != null) {
+ _accountManager.disableUser(user.getId());
+ }
}
@Override
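Review bot: enableUserInCloudStack tests only `user.getState()` against `Account.State.disabled`, whereas the check in the AccountManagerImpl hunk of this commit tests both `userAccount.getState()` and `userAccount.getAccountState()` against enabled, so enabling the user alone may still leave the login rejected when the owning account is disabled — presumably intentional, but worth a comment either way. Writing the comparison as `Account.State.disabled.toString().equalsIgnoreCase(user.getState())` also avoids a NullPointerException should the state ever be null (whether it can be is not visible here). Both new private helpers lack Javadoc; one line each — enableUserInCloudStack: re-enables a disabled CloudStack user after a successful LDAP authentication; disableUserInCloudStack: disables the CloudStack user when LDAP reports the account disabled — would make the intent clear.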
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/59291864/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapConfiguration.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapConfiguration.java b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapConfiguration.java
index 9501901..56b39a8 100644
--- a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapConfiguration.java
+++ b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapConfiguration.java
@@ -39,6 +39,9 @@ public class LdapConfiguration implements Configurable{
private static final ConfigKey<String> ldapProvider = new ConfigKey<String>(String.class, "ldap.provider", "Advanced", "openldap", "ldap provider ex:openldap, microsoftad",
true, ConfigKey.Scope.Global, null);
+ private static final ConfigKey<Boolean> ldapEnableNestedGroups = new ConfigKey<Boolean>(Boolean.class, "ldap.nested.groups.enable", "Advanced", "true",
+ "if true, nested groups will also be queried", true, ConfigKey.Scope.Global, null);
+
private final static int scope = SearchControls.SUBTREE_SCOPE;
@Inject
@@ -183,6 +186,10 @@ public class LdapConfiguration implements Configurable{
return provider;
}
+ public boolean isNestedGroupsEnabled() {
+ return ldapEnableNestedGroups.value();
+ }
+
@Override
public String getConfigComponentName() {
return LdapConfiguration.class.getSimpleName();
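Review bot: isNestedGroupsEnabled is a new public accessor without Javadoc, and its meaning is only discoverable by reading the `ldap.nested.groups.enable` ConfigKey declaration further up. Suggested Javadoc: `/** Whether group lookups should also return members of nested groups; backed by the global ldap.nested.groups.enable setting (default true). */`.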
@@ -190,6 +197,6 @@ public class LdapConfiguration implements Configurable{
@Override
public ConfigKey<?>[] getConfigKeys() {
- return new ConfigKey<?>[] {ldapReadTimeout, ldapPageSize, ldapProvider};
+ return new ConfigKey<?>[] {ldapReadTimeout, ldapPageSize, ldapProvider, ldapEnableNestedGroups};
}
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/59291864/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 634c299..edc8ad8 100644
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2173,9 +2173,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (domain != null) {
domainName = domain.getName();
}
- if (userAccount == null) {
- _userAccountDao.getUserAccount(username, domainId);
- }
+ userAccount = _userAccountDao.getUserAccount(username, domainId);
if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) ||
!userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) {