CLOUDSTACK-8647 added nested group enabled config in ldap

querying the nested groups only when nested groups are enabled
2015-08-11 14:27:55 +05:30 · 2015-08-11 14:27:55 +05:30 · 59291864fc
parent 0dc9ccd189
commit 59291864fc
4 changed files with 38 additions and 16 deletions
--- a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
+++ b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
@ -33,6 +33,7 @@ import org.apache.log4j.Logger;
 public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements LdapUserManager {
    public static final Logger s_logger = Logger.getLogger(ADLdapUserManagerImpl.class.getName());
    private static final String MICROSOFT_AD_NESTED_MEMBERS_FILTER = "memberOf:1.2.840.113556.1.4.1941:";
+    private static final String MICROSOFT_AD_MEMBERS_FILTER = "memberOf";

    @Override
    public List<LdapUser> getUsersInGroup(String groupName, LdapContext context) throws NamingException {
@ -66,7 +67,7 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld

        final StringBuilder memberOfFilter = new StringBuilder();
        String groupCnName =  _ldapConfiguration.getCommonNameAttribute() + "=" +groupName + "," +  _ldapConfiguration.getBaseDn();
-        memberOfFilter.append("(" + MICROSOFT_AD_NESTED_MEMBERS_FILTER + "=");
+        memberOfFilter.append("(").append(getMemberOfAttribute()).append("=");
        memberOfFilter.append(groupCnName);
        memberOfFilter.append(")");

@ -94,6 +95,10 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
    }

    protected String getMemberOfAttribute() {
-        return MICROSOFT_AD_NESTED_MEMBERS_FILTER;
+        if(_ldapConfiguration.isNestedGroupsEnabled()) {
+            return MICROSOFT_AD_NESTED_MEMBERS_FILTER;
+        } else {
+            return MICROSOFT_AD_MEMBERS_FILTER;
+        }
    }
 }
--- a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapAuthenticator.java
+++ b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapAuthenticator.java
@ -17,7 +17,8 @@
 package org.apache.cloudstack.ldap;

 import com.cloud.server.auth.DefaultUserAuthenticator;
-import com.cloud.user.AccountService;
+import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
 import com.cloud.user.User;
 import com.cloud.user.UserAccount;
 import com.cloud.user.dao.UserAccountDao;
@ -37,7 +38,7 @@ public class LdapAuthenticator extends DefaultUserAuthenticator {
    @Inject
    private UserAccountDao _userAccountDao;
    @Inject
-    public AccountService _accountService;
+    private AccountManager _accountManager;

    public LdapAuthenticator() {
        super();
@ -68,13 +69,17 @@ public class LdapAuthenticator extends DefaultUserAuthenticator {
                    LdapUser ldapUser = _ldapManager.getUser(username, ldapTrustMapVO.getType(), ldapTrustMapVO.getName());
                    if(!ldapUser.isDisabled()) {
                        result = _ldapManager.canAuthenticate(ldapUser.getPrincipal(), password);
-                        if(result && (user == null)) {
-                            // import user to cloudstack
-                            createCloudStackUserAccount(ldapUser, domainId, ldapTrustMapVO.getAccountType());
+                        if(result) {
+                            if(user == null) {
+                                // import user to cloudstack
+                                createCloudStackUserAccount(ldapUser, domainId, ldapTrustMapVO.getAccountType());
+                            } else {
+                                enableUserInCloudStack(user);
+                            }
                        }
                    } else {
                        //disable user in cloudstack
-                        disableUserInCloudStack(ldapUser, domainId);
+                        disableUserInCloudStack(user);
                    }
                } catch (NoLdapUserMatchingQueryException e) {
                    s_logger.debug(e.getMessage());
@ -103,15 +108,22 @@ public class LdapAuthenticator extends DefaultUserAuthenticator {
        return new Pair<Boolean, ActionOnFailedAuthentication>(result, action);
    }

+    private void enableUserInCloudStack(UserAccount user) {
+        if(user != null && (user.getState().equalsIgnoreCase(Account.State.disabled.toString()))) {
+            _accountManager.enableUser(user.getId());
+        }
+    }
+
    private void createCloudStackUserAccount(LdapUser user, long domainId, short accountType) {
        String username = user.getUsername();
-        _accountService.createUserAccount(username, "", user.getFirstname(), user.getLastname(), user.getEmail(), null, username, accountType, domainId, username, null,
+        _accountManager.createUserAccount(username, "", user.getFirstname(), user.getLastname(), user.getEmail(), null, username, accountType, domainId, username, null,
                                          UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP);
    }

-    private void disableUserInCloudStack(LdapUser ldapUser, long domainId) {
-        final UserAccount user = _userAccountDao.getUserAccount(ldapUser.getUsername(), domainId);
-        _accountService.lockUser(user.getId());
+    private void disableUserInCloudStack(UserAccount user) {
+        if (user != null) {
+            _accountManager.disableUser(user.getId());
+        }
    }

    @Override
--- a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapConfiguration.java
+++ b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapConfiguration.java
@ -39,6 +39,9 @@ public class LdapConfiguration implements Configurable{
    private static final ConfigKey<String> ldapProvider = new ConfigKey<String>(String.class, "ldap.provider", "Advanced", "openldap", "ldap provider ex:openldap, microsoftad",
                                                                                true, ConfigKey.Scope.Global, null);

+    private static final ConfigKey<Boolean> ldapEnableNestedGroups = new ConfigKey<Boolean>(Boolean.class, "ldap.nested.groups.enable", "Advanced", "true",
+                                                                                            "if true, nested groups will also be queried", true, ConfigKey.Scope.Global, null);
+
    private final static int scope = SearchControls.SUBTREE_SCOPE;

    @Inject
@ -183,6 +186,10 @@ public class LdapConfiguration implements Configurable{
        return provider;
    }

+    public boolean isNestedGroupsEnabled() {
+        return ldapEnableNestedGroups.value();
+    }
+
    @Override
    public String getConfigComponentName() {
        return LdapConfiguration.class.getSimpleName();
@ -190,6 +197,6 @@ public class LdapConfiguration implements Configurable{

    @Override
    public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[] {ldapReadTimeout, ldapPageSize, ldapProvider};
+        return new ConfigKey<?>[] {ldapReadTimeout, ldapPageSize, ldapProvider, ldapEnableNestedGroups};
    }
 }
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@ -2173,9 +2173,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
            if (domain != null) {
                domainName = domain.getName();
            }
-            if (userAccount == null) {
-                _userAccountDao.getUserAccount(username, domainId);
-            }
+            userAccount = _userAccountDao.getUserAccount(username, domainId);

            if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) ||
                !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) {