necouchman commented on code in PR #1091:
URL: https://github.com/apache/guacamole-client/pull/1091#discussion_r2369823206


##########
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java:
##########
@@ -227,14 +229,36 @@ public List<Entry> 
getParentUserGroupEntries(ConnectedLDAPConfiguration config,
         groupAttributes.add(memberAttribute);
 
         // Get all groups the user is a member of starting at the groupBaseDN,
-        // excluding guacConfigGroups
+        // excluding guacConfigGroups and evaluating nested groups 
+        // (if enabled).
+
+        ExprNode groupFilter = config.getGroupSearchFilter();
+        String filterValue = userIDorDN;
+
+        if (config.getNestedGroups()) {
+
+            // Add support for nested groups using LDAP_MATCHING_RULE_IN_CHAIN
+            // (memberOf:1.2.840.113556.1.4.1941:=<UserDN>)
+            // Matching rule OID for LDAP_MATCHING_RULE_IN_CHAIN
+            // ** This possibly only supports Active Directory **
+            ExtensibleNode node = new ExtensibleNode("member");
+            filterValue = null;
+
+            // Explicitly set the matching rule ID and dnAttributes
+            node.setMatchingRuleId("1.2.840.113556.1.4.1941");
+            node.setDnAttributes(false);
+            node.setValue(new Value(userIDorDN));
+            groupFilter = new AndNode(
+                    groupFilter, node
+            );
+        }
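
Review bot: In the nested-groups branch, `new ExtensibleNode("member")` hard-codes the attribute name although the configured `memberAttribute` is used just above (`groupAttributes.add(memberAttribute)`), so groups that record membership under a different attribute would not be matched; build the node from `memberAttribute` instead. The comment describes the filter as `memberOf:1.2.840.113556.1.4.1941:=<UserDN>` while the code matches on `member`, so the comment should state the filter that is actually built. The in-chain rule compares against a DN, but the value passed is `userIDorDN`; if that can hold a bare user ID when this branch runs, the filter will not match, so either resolve it to a DN first or document that nested groups require the DN form.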

Review Comment:
   I have a few concerns for this:
   * Why is `filterValue` set to `null`, and what is the implication of passing through `null` to the `queryService.search()` method?
   * The OID for LDAP_MATCHING_RULE_IN_CHAIN should probably be defined as a `const string` above - if the Apache LDAP API doesn't already have that defined somewhere?
