diff --git a/src/main/java/org/codelibs/fess/ldap/LdapManager.java b/src/main/java/org/codelibs/fess/ldap/LdapManager.java index 136023a56..4a5d6fad5 100644 --- a/src/main/java/org/codelibs/fess/ldap/LdapManager.java +++ b/src/main/java/org/codelibs/fess/ldap/LdapManager.java @@ -202,26 +202,38 @@ public class LdapManager { if (logger.isDebugEnabled()) { logger.debug("Account Filter: {}", filter); } + final Set subRoleSet = new HashSet<>(); search(bindDn, filter, new String[] { fessConfig.getLdapMemberofAttribute() }, () -> ldapUser.getEnvironment(), result -> { processSearchRoles(result, entryDn -> { updateSearchRoles(roleSet, entryDn); if (StringUtil.isNotBlank(groupFilter)) { - processSubRoles(ldapUser, bindDn, entryDn, groupFilter, roleSet); + subRoleSet.add(entryDn); } }); }); + if (!subRoleSet.isEmpty()) { + processSubRoles(ldapUser, bindDn, subRoleSet, groupFilter, roleSet); + } + if (logger.isDebugEnabled()) { logger.debug("role: {}", roleSet); } return roleSet.toArray(new String[roleSet.size()]); } - protected void processSubRoles(final LdapUser ldapUser, final String bindDn, final String dn, final String groupFilter, + protected void processSubRoles(final LdapUser ldapUser, final String bindDn, final Set subRoleSet, final String groupFilter, final Set roleSet) { // (member:1.2.840.113556.1.4.1941:=%s) - final String filter = String.format(groupFilter, dn); + if (subRoleSet.isEmpty()) { + return; + } + String filter = subRoleSet.stream().map(s -> String.format(groupFilter, s)).collect(Collectors.joining()); + if (subRoleSet.size() > 1) { + filter = "(|" + filter + ")"; + } + if (logger.isDebugEnabled()) { logger.debug("Group Filter: {}", filter); }
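Review bot: In the new `processSubRoles`, each `entryDn` is substituted into `groupFilter` with `String.format` and no RFC 4515 escaping, so a group DN containing `(`, `)`, `*` or `\` changes the structure of the search filter instead of being matched literally. The old code had the same gap, but because the DNs are now joined into a single `(|…)` expression, one such DN makes the nested-group lookup fail or match the wrong entries for every group of that user, which can yield missing or unintended roles. Escaping the value before formatting fixes this; this assumes the DNs are not already filter-escaped upstream, which the hunk does not show, and the helper name below is only a suggestion. A ceiling on the number of DNs per query would also be worth adding, since the filter now grows with the user's group count. The body of `processSubRoles` continues outside the hunk.

```java
// … unchanged: empty-set guard …
String filter = subRoleSet.stream()
        .map(s -> String.format(groupFilter, escapeFilterValue(s)))
        .collect(Collectors.joining());
// … unchanged: "(|" … ")" wrapping and debug logging …

// Suggested new helper: RFC 4515 escaping for a value placed inside a search filter.
private static String escapeFilterValue(final String value) {
    final StringBuilder buf = new StringBuilder(value.length() + 8);
    for (int i = 0; i < value.length(); i++) {
        final char c = value.charAt(i);
        switch (c) {
        case '\\':
            buf.append("\\5c");
            break;
        case '*':
            buf.append("\\2a");
            break;
        case '(':
            buf.append("\\28");
            break;
        case ')':
            buf.append("\\29");
            break;
        case '\0':
            buf.append("\\00");
            break;
        default:
            buf.append(c);
        }
    }
    return buf.toString();
}
```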