
weizhou pushed a commit to branch 4.20
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/4.20 by this push:
     new c24d2b88f6b LDAP: honour nested groups for MSAD (#11696)
c24d2b88f6b is described below

commit c24d2b88f6bff2a13b21cad8fc25ebf367c726be
Author: dahn <[email protected]>
AuthorDate: Wed Sep 24 11:30:04 2025 +0200

    LDAP: honour nested groups for MSAD (#11696)
---
 .../java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java    | 8 ++++++--
 .../main/java/org/apache/cloudstack/ldap/LdapConfiguration.java   | 5 ++++-
 .../java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java  | 4 ++--
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git 
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
 
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
index 552d5969a9e..e96606dca2f 100644
--- 
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
+++ 
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
@@ -93,10 +93,14 @@ public class ADLdapUserManagerImpl extends 
OpenLdapUserManagerImpl implements Ld
     }
 
     protected String getMemberOfAttribute(final Long domainId) {
+        String rc;
         if(_ldapConfiguration.isNestedGroupsEnabled(domainId)) {
-            return MICROSOFT_AD_NESTED_MEMBERS_FILTER;
+            rc = MICROSOFT_AD_NESTED_MEMBERS_FILTER;
         } else {
-            return MICROSOFT_AD_MEMBERS_FILTER;
+            rc = MICROSOFT_AD_MEMBERS_FILTER;
         }
+        logger.trace("using memberOf filter = {} for domain with id {}", rc, 
domainId);
+
+        return rc;
     }
 }
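Review bot: The method is named getMemberOfAttribute but both values it can return are *_FILTER constants, and the new trace line describes the result as a "memberOf filter", so the name and the log disagree on what callers receive. If the nested-groups constant carries an extended-match suffix (its name suggests so, but the constant is not visible in this hunk), the return value is a search-filter fragment rather than a bare attribute name, and any caller that uses it to read an attribute off an entry will get nothing back. Either rename the method to say filter, or make the contract explicit with a Javadoc line such as `/** Returns the memberOf expression to use in AD search filters; with nested groups enabled this is not necessarily a plain attribute name. */`. The trace itself logs only a constant and a domain id, so it leaks nothing sensitive.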
diff --git 
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapConfiguration.java
 
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapConfiguration.java
index 6a62ad8d99d..87ff2d0a2ac 100644
--- 
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapConfiguration.java
+++ 
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapConfiguration.java
@@ -27,9 +27,12 @@ import 
org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 
 import com.cloud.utils.Pair;
 import org.apache.cloudstack.ldap.dao.LdapConfigurationDao;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 
 public class LdapConfiguration implements Configurable{
     private final static String factory = "com.sun.jndi.ldap.LdapCtxFactory";
+    protected Logger logger = LogManager.getLogger(getClass());
 
     private static final ConfigKey<Long> ldapReadTimeout = new ConfigKey<Long>(
             Long.class,
@@ -325,7 +328,7 @@ public class LdapConfiguration implements Configurable{
         try {
             provider = 
LdapUserManager.Provider.valueOf(ldapProvider.valueIn(domainId).toUpperCase());
         } catch (IllegalArgumentException ex) {
-            //openldap is the default
+            logger.warn("no LDAP provider found for domain {}, using openldap 
as default", domainId);
             provider = LdapUserManager.Provider.OPENLDAP;
         }
         return provider;
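Review bot: The new warning makes the fallback visible, but the fallback is still reachable from the locale-dependent `toUpperCase()` on the line above it: under a Turkish default locale a provider value containing `i` upper-cases to a dotted İ, `valueOf` throws, and the domain quietly authenticates through the OpenLDAP path instead of the configured one. Change that line to `provider = LdapUserManager.Provider.valueOf(ldapProvider.valueIn(domainId).toUpperCase(Locale.ROOT));` (with `import java.util.Locale;`). The warning also omits the rejected value; `logger.warn("no LDAP provider '{}' found for domain {}, using openldap as default", ldapProvider.valueIn(domainId), domainId);` would let an operator spot the typo, and if valueIn can return null (not visible here) the NPE from `.toUpperCase()` would bypass this catch entirely. The enclosing method starts before the hunk.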
diff --git 
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
 
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
index 4c125af2ea6..d0b6bc4bd34 100644
--- 
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
+++ 
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
@@ -63,7 +63,7 @@ public class OpenLdapUserManagerImpl implements 
LdapUserManager {
         final String firstname = LdapUtils.getAttributeValue(attributes, 
_ldapConfiguration.getFirstnameAttribute(domainId));
         final String lastname = LdapUtils.getAttributeValue(attributes, 
_ldapConfiguration.getLastnameAttribute(domainId));
         final String principal = result.getNameInNamespace();
-        final List<String> memberships = 
LdapUtils.getAttributeValues(attributes, 
_ldapConfiguration.getUserMemberOfAttribute(domainId));
+        final List<String> memberships = 
LdapUtils.getAttributeValues(attributes, getMemberOfAttribute(domainId));
 
         String domain = principal.replace("cn=" + 
LdapUtils.getAttributeValue(attributes, 
_ldapConfiguration.getCommonNameAttribute()) + ",", "");
         domain = domain.replace("," + _ldapConfiguration.getBaseDn(domainId), 
"");
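Review bot: The replaced line now passes the result of getMemberOfAttribute(domainId) to LdapUtils.getAttributeValues, but for the AD subclass that method returns one of the *_FILTER constants (see the ADLdapUserManagerImpl hunk in this commit); if the nested-groups variant carries an extended-match suffix it is not the name of an attribute on the returned entry, and `memberships` would come back empty for every AD user as soon as nested groups are enabled. Reading the attribute from the entry should keep using the plain attribute name, `_ldapConfiguration.getUserMemberOfAttribute(domainId)`, and only the search filter in the next hunk should use the filter expression. Separately, an entry's memberOf attribute normally lists direct groups only, so this list cannot express nested membership whatever name is used; anything that authorises on `memberships` should not be assumed to honour nested groups. The enclosing method starts outside the hunk.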
@@ -87,7 +87,7 @@ public class OpenLdapUserManagerImpl implements 
LdapUserManager {
         usernameFilter.append((username == null ? "*" : 
LdapUtils.escapeLDAPSearchFilter(username)));
         usernameFilter.append(")");
 
-        String memberOfAttribute = 
_ldapConfiguration.getUserMemberOfAttribute(domainId);
+        String memberOfAttribute = getMemberOfAttribute(domainId);
         StringBuilder ldapGroupsFilter = new StringBuilder();
         // this should get the trustmaps for this domain
         List<String> ldapGroups = getMappedLdapGroups(domainId);
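Review bot: The attribute expression now placed in front of the group filter is either an admin-configured value (OpenLDAP) or a constant (AD) and is concatenated unescaped, which is acceptable for operator-controlled attribute names; the group DNs returned by getMappedLdapGroups on the last line, however, are also about to be interpolated and, unlike `username` a few lines above, nothing visible passes them through `LdapUtils.escapeLDAPSearchFilter`. If the remainder of this method (outside the hunk) does not escape them, a trust-map entry containing `)`, `*` or `\` changes the meaning of the filter; wrapping each DN as `LdapUtils.escapeLDAPSearchFilter(group)` where ldapGroupsFilter is built would close that. The method continues past the hunk, so this is inferred from what is visible here.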
