fix #1746 add group filter
This commit is contained in:
Shinsuke Sugaya
parent
cf8e9c2dc2
commit
e17850568b
10 changed files with 93 additions and 21 deletions
|
|
@ -380,6 +380,8 @@ public class Constants extends CoreLibConstants {
|
|||
|
||||
public static final String LDAP_ACCOUNT_FILTER = "ldap.account.filter";
|
||||
|
||||
public static final String LDAP_GROUP_FILTER = "ldap.group.filter";
|
||||
|
||||
public static final String LDAP_MEMBEROF_ATTRIBUTE = "ldap.memberof.attribute";
|
||||
|
||||
public static final String NOTIFICATION_LOGIN = "notification.login";
|
||||
|
|
|
|||
|
|
@ -160,6 +160,7 @@ public class AdminGeneralAction extends FessAdminAction {
|
|||
}
|
||||
fessConfig.setLdapBaseDn(form.ldapBaseDn);
|
||||
fessConfig.setLdapAccountFilter(form.ldapAccountFilter);
|
||||
fessConfig.setLdapGroupFilter(form.ldapGroupFilter);
|
||||
fessConfig.setLdapMemberofAttribute(form.ldapMemberofAttribute);
|
||||
fessConfig.setNotificationLogin(form.notificationLogin);
|
||||
fessConfig.setNotificationSearchTop(form.notificationSearchTop);
|
||||
|
|
@ -204,6 +205,7 @@ public class AdminGeneralAction extends FessAdminAction {
|
|||
StringUtil.isNotBlank(fessConfig.getLdapAdminSecurityCredentials()) ? DUMMY_PASSWORD : StringUtil.EMPTY;
|
||||
form.ldapBaseDn = fessConfig.getLdapBaseDn();
|
||||
form.ldapAccountFilter = fessConfig.getLdapAccountFilter();
|
||||
form.ldapGroupFilter = fessConfig.getLdapGroupFilter();
|
||||
form.ldapMemberofAttribute = fessConfig.getLdapMemberofAttribute();
|
||||
form.notificationLogin = fessConfig.getNotificationLogin();
|
||||
form.notificationSearchTop = fessConfig.getNotificationSearchTop();
|
||||
|
|
|
|||
|
|
@ -145,6 +145,9 @@ public class EditForm {
|
|||
@Size(max = 1000)
|
||||
public String ldapAccountFilter;
|
||||
|
||||
@Size(max = 1000)
|
||||
public String ldapGroupFilter;
|
||||
|
||||
@Size(max = 100)
|
||||
public String ldapMemberofAttribute;
|
||||
|
||||
|
|
|
|||
|
|
@ -20,9 +20,11 @@ import static org.codelibs.core.stream.StreamUtil.stream;
|
|||
import java.util.ArrayList;
|
||||
import java.util.Base64;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.Hashtable;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Set;
|
||||
import java.util.function.BiConsumer;
|
||||
import java.util.function.Consumer;
|
||||
import java.util.function.Supplier;
|
||||
|
|
@ -169,40 +171,81 @@ public class LdapManager {
|
|||
return new LdapUser(env, username);
|
||||
}
|
||||
|
||||
public String[] getRoles(final LdapUser ldapUser, final String bindDn, final String accountFilter) {
|
||||
public String[] getRoles(final LdapUser ldapUser, final String bindDn, final String accountFilter, final String groupFilter) {
|
||||
final SystemHelper systemHelper = ComponentUtil.getSystemHelper();
|
||||
final List<String> roleList = new ArrayList<>();
|
||||
final Set<String> roleSet = new HashSet<>();
|
||||
|
||||
if (fessConfig.isLdapRoleSearchUserEnabled()) {
|
||||
roleList.add(systemHelper.getSearchRoleByUser(ldapUser.getName()));
|
||||
roleSet.add(systemHelper.getSearchRoleByUser(ldapUser.getName()));
|
||||
}
|
||||
|
||||
// LDAP: cn=%s
|
||||
// AD: (&(objectClass=user)(sAMAccountName=%s))
|
||||
final String filter = String.format(accountFilter, ldapUser.getName());
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("filter: " + filter);
|
||||
logger.debug("Account Filter: " + filter);
|
||||
}
|
||||
search(bindDn, filter, new String[] { fessConfig.getLdapMemberofAttribute() }, () -> ldapUser.getEnvironment(), result -> {
|
||||
processSearchRoles(result, (entryDn, name) -> {
|
||||
final boolean isRole = entryDn.toLowerCase(Locale.ROOT).indexOf("ou=role") != -1;
|
||||
if (isRole) {
|
||||
if (fessConfig.isLdapRoleSearchRoleEnabled()) {
|
||||
roleList.add(systemHelper.getSearchRoleByRole(name));
|
||||
}
|
||||
} else if (fessConfig.isLdapRoleSearchGroupEnabled()) {
|
||||
roleList.add(systemHelper.getSearchRoleByGroup(name));
|
||||
processSearchRoles(result, entryDn -> {
|
||||
updateSearchRoles(roleSet, entryDn);
|
||||
|
||||
if (StringUtil.isNotBlank(groupFilter)) {
|
||||
processSubRoles(ldapUser, bindDn, entryDn, groupFilter, roleSet);
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("roleList: " + roleList);
|
||||
logger.debug("role: " + roleSet);
|
||||
}
|
||||
return roleSet.toArray(new String[roleSet.size()]);
|
||||
}
|
||||
|
||||
protected void processSubRoles(final LdapUser ldapUser, final String bindDn, final String dn, final String groupFilter,
|
||||
final Set<String> roleSet) {
|
||||
// (member:1.2.840.113556.1.4.1941:=%s)
|
||||
final String filter = String.format(groupFilter, dn);
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Group Filter: " + filter);
|
||||
}
|
||||
search(bindDn, filter, null, () -> ldapUser.getEnvironment(), result -> {
|
||||
for (final SearchResult srcrslt : result) {
|
||||
String groupDn = srcrslt.getNameInNamespace();
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("groupDn: " + groupDn);
|
||||
}
|
||||
updateSearchRoles(roleSet, groupDn);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
protected void updateSearchRoles(final Set<String> roleSet, String entryDn) {
|
||||
final String name = getSearchRoleName(entryDn);
|
||||
if (StringUtil.isBlank(name)) {
|
||||
return;
|
||||
}
|
||||
|
||||
final SystemHelper systemHelper = ComponentUtil.getSystemHelper();
|
||||
final boolean isRole = entryDn.toLowerCase(Locale.ROOT).indexOf("ou=role") != -1;
|
||||
if (isRole) {
|
||||
if (fessConfig.isLdapRoleSearchRoleEnabled()) {
|
||||
roleSet.add(systemHelper.getSearchRoleByRole(name));
|
||||
}
|
||||
} else if (fessConfig.isLdapRoleSearchGroupEnabled()) {
|
||||
roleSet.add(systemHelper.getSearchRoleByGroup(name));
|
||||
}
|
||||
return roleList.toArray(new String[roleList.size()]);
|
||||
}
|
||||
|
||||
protected void processSearchRoles(final List<SearchResult> result, final BiConsumer<String, String> consumer) throws NamingException {
|
||||
processSearchRoles(result, entryDn -> {
|
||||
final String name = getSearchRoleName(entryDn);
|
||||
if (name != null) {
|
||||
consumer.accept(entryDn, name);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
protected void processSearchRoles(final List<SearchResult> result, final Consumer<String> consumer) throws NamingException {
|
||||
for (final SearchResult srcrslt : result) {
|
||||
final Attributes attrs = srcrslt.getAttributes();
|
||||
|
||||
|
|
@ -220,10 +263,7 @@ public class LdapManager {
|
|||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("entryDn: " + entryDn);
|
||||
}
|
||||
final String name = getSearchRoleName(entryDn);
|
||||
if (name != null) {
|
||||
consumer.accept(entryDn, name);
|
||||
}
|
||||
consumer.accept(entryDn);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -49,11 +49,12 @@ public class LdapUser implements FessUser {
|
|||
public String[] getPermissions() {
|
||||
if (permissions == null) {
|
||||
final FessConfig fessConfig = ComponentUtil.getFessConfig();
|
||||
final String baseDn = ComponentUtil.getFessConfig().getLdapBaseDn();
|
||||
final String accountFilter = ComponentUtil.getFessConfig().getLdapAccountFilter();
|
||||
final String baseDn = fessConfig.getLdapBaseDn();
|
||||
final String accountFilter = fessConfig.getLdapAccountFilter();
|
||||
final String groupFilter = fessConfig.getLdapGroupFilter();
|
||||
if (StringUtil.isNotBlank(baseDn) && StringUtil.isNotBlank(accountFilter)) {
|
||||
permissions =
|
||||
ArrayUtils.addAll(ComponentUtil.getLdapManager().getRoles(this, baseDn, accountFilter),
|
||||
ArrayUtils.addAll(ComponentUtil.getLdapManager().getRoles(this, baseDn, accountFilter, groupFilter),
|
||||
fessConfig.getRoleSearchUserPrefix() + getName());
|
||||
} else {
|
||||
permissions = StringUtil.EMPTY_STRINGS;
|
||||
|
|
|
|||
|
|
@ -603,6 +603,14 @@ public interface FessProp {
|
|||
return getSystemProperty(Constants.LDAP_ACCOUNT_FILTER);
|
||||
}
|
||||
|
||||
public default void setLdapGroupFilter(final String value) {
|
||||
setSystemProperty(Constants.LDAP_GROUP_FILTER, value);
|
||||
}
|
||||
|
||||
public default String getLdapGroupFilter() {
|
||||
return getSystemProperty(Constants.LDAP_GROUP_FILTER, StringUtil.EMPTY);
|
||||
}
|
||||
|
||||
public default void setNotificationLogin(final String value) {
|
||||
setSystemProperty(Constants.NOTIFICATION_LOGIN, value);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -141,6 +141,7 @@ labels.ldapAdminSecurityPrincipal=Bind DN
|
|||
labels.ldapAdminSecurityCredentials=Password
|
||||
labels.ldapBaseDn=Base DN
|
||||
labels.ldapAccountFilter=Account Filter
|
||||
labels.ldapGroupFilter=Group Filter
|
||||
labels.ldapMemberofAttribute=memberOf Attribute
|
||||
labels.oldPassword=Current Password
|
||||
labels.newPassword=New Password
|
||||
|
|
@ -786,6 +787,7 @@ labels.ldap_admin_security_principal=Bind DN
|
|||
labels.ldap_admin_security_credentials=Password
|
||||
labels.ldap_base_dn=Base DN
|
||||
labels.ldap_account_filter=Account Filter
|
||||
labels.ldap_group_filter=Group Filter
|
||||
labels.ldap_memberof_attribute=memberOf Attribute
|
||||
labels.notification_login=Login page
|
||||
labels.notification_search_top=Search top page
|
||||
|
|
|
|||
|
|
@ -141,6 +141,7 @@ labels.ldapAdminSecurityPrincipal=Bind DN
|
|||
labels.ldapAdminSecurityCredentials=Password
|
||||
labels.ldapBaseDn=Base DN
|
||||
labels.ldapAccountFilter=Account Filter
|
||||
labels.ldapGroupFilter=Group Filter
|
||||
labels.ldapMemberofAttribute=memberOf Attribute
|
||||
labels.oldPassword=Current Password
|
||||
labels.newPassword=New Password
|
||||
|
|
@ -786,6 +787,7 @@ labels.ldap_admin_security_principal=Bind DN
|
|||
labels.ldap_admin_security_credentials=Password
|
||||
labels.ldap_base_dn=Base DN
|
||||
labels.ldap_account_filter=Account Filter
|
||||
labels.ldap_group_filter=Group Filter
|
||||
labels.ldap_memberof_attribute=memberOf Attribute
|
||||
labels.notification_login=Login page
|
||||
labels.notification_search_top=Search top page
|
||||
|
|
|
|||
|
|
@ -786,8 +786,10 @@ labels.ldap_admin_security_principal=Bind DN
|
|||
labels.ldap_admin_security_credentials=パスワード
|
||||
labels.ldap_base_dn=Base DN
|
||||
labels.ldapAccountFilter=アカウントフィルタ
|
||||
labels.ldapGroupFilter=グループフィルタ
|
||||
labels.ldapMemberofAttribute=memberOf属性
|
||||
labels.ldap_account_filter=アカウントフィルタ
|
||||
labels.ldap_group_filter=グループフィルタ
|
||||
labels.ldap_memberof_attribute=memberOf属性
|
||||
labels.notification_login=ログインページ
|
||||
labels.notification_search_top=検索トップページ
|
||||
|
|
|
|||
|
|
@ -403,6 +403,16 @@
|
|||
styleClass="form-control" autocomplete="off" />
|
||||
</div>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="ldapGroupFilter"
|
||||
class="col-sm-3 control-label"><la:message
|
||||
key="labels.ldap_group_filter" /></label>
|
||||
<div class="col-sm-9">
|
||||
<la:errors property="ldapGroupFilter" />
|
||||
<la:text styleId="ldapGroupFilter" property="ldapGroupFilter"
|
||||
styleClass="form-control" autocomplete="off" />
|
||||
</div>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="ldapMemberofAttribute"
|
||||
class="col-sm-3 control-label"><la:message
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue