diff --git a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
index 89a278191a4..5570084c5d4 100644
--- a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
+++ b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/ADLdapUserManagerImpl.java
@@ -33,6 +33,7 @@ import org.apache.log4j.Logger;
 public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements LdapUserManager {
     public static final Logger s_logger = Logger.getLogger(ADLdapUserManagerImpl.class.getName());
     private static final String MICROSOFT_AD_NESTED_MEMBERS_FILTER = "memberOf:1.2.840.113556.1.4.1941:";
+    private static final String MICROSOFT_AD_MEMBERS_FILTER = "memberOf";
     @Override
     public List getUsersInGroup(String groupName, LdapContext context) throws NamingException {
@@ -66,7 +67,7 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
         final StringBuilder memberOfFilter = new StringBuilder();
         String groupCnName = _ldapConfiguration.getCommonNameAttribute() + "=" +groupName + "," + _ldapConfiguration.getBaseDn();
-        memberOfFilter.append("(" + MICROSOFT_AD_NESTED_MEMBERS_FILTER + "=");
+        memberOfFilter.append("(").append(getMemberOfAttribute()).append("=");
         memberOfFilter.append(groupCnName);
         memberOfFilter.append(")");
@@ -94,6 +95,10 @@ public class ADLdapUserManagerImpl extends OpenLdapUserManagerImpl implements Ld
     }
     protected String getMemberOfAttribute() {
-        return MICROSOFT_AD_NESTED_MEMBERS_FILTER;
+        if(_ldapConfiguration.isNestedGroupsEnabled()) {
+            return MICROSOFT_AD_NESTED_MEMBERS_FILTER;
+        } else {
+            return MICROSOFT_AD_MEMBERS_FILTER;
+        }
     }
 }
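Review bot: In the -66,7 +67,7 hunk `groupCnName` is still concatenated into the LDAP search filter without RFC 4515 escaping, so a `groupName` containing `(`, `)`, `*`, `\` or NUL changes the structure of the filter instead of being matched literally; the change only swaps the attribute name in front of it. Escape the value before `memberOfFilter.append(groupCnName);` (a small helper that rewrites those five characters to their `\xx` form) or reject group names that contain filter metacharacters. If `groupName` only ever comes from the admin-configured trust map this is hardening rather than an exposure, but the filter builder should not depend on that assumption. The enclosing getUsersInGroup method starts and ends outside the hunk.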
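Review bot: getMemberOfAttribute in the -94,6 +95,10 hunk now changes the meaning of every group lookup based on `ldap.nested.groups.enable`, but nothing at the method says what the two return values do: with plain `memberOf` only direct members match, so a user who belongs to the trust-mapped group only through a nested group is no longer returned by getUsersInGroup. Add a Javadoc such as `/** Attribute used in memberOf filters: the AD matching-rule-in-chain form (nested membership) when ldap.nested.groups.enable is true, otherwise plain memberOf (direct members only). */`. Whether callers outside this file also use this method for authentication decisions is not visible here, so the behavioural consequence for logins is inferred.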
diff --git a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapAuthenticator.java b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapAuthenticator.java
index a04868eca01..7599dadffba 100644
--- a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapAuthenticator.java
+++ b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapAuthenticator.java
@@ -17,7 +17,8 @@ package org.apache.cloudstack.ldap;
 import com.cloud.server.auth.DefaultUserAuthenticator;
-import com.cloud.user.AccountService;
+import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
 import com.cloud.user.User;
 import com.cloud.user.UserAccount;
 import com.cloud.user.dao.UserAccountDao;
@@ -37,7 +38,7 @@ public class LdapAuthenticator extends DefaultUserAuthenticator {
     @Inject
     private UserAccountDao _userAccountDao;
     @Inject
-    public AccountService _accountService;
+    private AccountManager _accountManager;
     public LdapAuthenticator() {
         super();
@@ -68,13 +69,17 @@ public class LdapAuthenticator extends DefaultUserAuthenticator {
                 LdapUser ldapUser = _ldapManager.getUser(username, ldapTrustMapVO.getType(), ldapTrustMapVO.getName());
                 if(!ldapUser.isDisabled()) {
                     result = _ldapManager.canAuthenticate(ldapUser.getPrincipal(), password);
-                    if(result && (user == null)) {
-                        // import user to cloudstack
-                        createCloudStackUserAccount(ldapUser, domainId, ldapTrustMapVO.getAccountType());
+                    if(result) {
+                        if(user == null) {
+                            // import user to cloudstack
+                            createCloudStackUserAccount(ldapUser, domainId, ldapTrustMapVO.getAccountType());
+                        } else {
+                            enableUserInCloudStack(user);
+                        }
                     }
                 } else {
                     //disable user in cloudstack
-                    disableUserInCloudStack(user);
+                    disableUserInCloudStack(user);
                 }
             } catch (NoLdapUserMatchingQueryException e) {
                 s_logger.debug(e.getMessage());
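Review bot: The new `else { enableUserInCloudStack(user); }` branch in the -68,13 +69,17 hunk re-enables a disabled CloudStack user as soon as LDAP authenticates them, and nothing in the code distinguishes a user this authenticator disabled because LDAP reported them disabled from one an administrator disabled on purpose, so an administrative disable no longer holds for LDAP-sourced users. Either limit the re-enable to users this plugin disabled (for example by recording that fact when `disableUserInCloudStack(user)` runs and checking it here) or make the behaviour opt-in through a configuration key, and log the state change with the user id at info level so it is visible in the management server log. The helper itself is defined in the -103,15 +108,22 hunk of this file and has the same issue. The enclosing authenticate method, where `user` and `result` are initialised, starts and ends outside this hunk.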
@@ -103,15 +108,22 @@ public class LdapAuthenticator extends DefaultUserAuthenticator {
         return new Pair(result, action);
     }
+    private void enableUserInCloudStack(UserAccount user) {
+        if(user != null && (user.getState().equalsIgnoreCase(Account.State.disabled.toString()))) {
+            _accountManager.enableUser(user.getId());
+        }
+    }
+
     private void createCloudStackUserAccount(LdapUser user, long domainId, short accountType) {
         String username = user.getUsername();
-        _accountService.createUserAccount(username, "", user.getFirstname(), user.getLastname(), user.getEmail(), null, username, accountType, domainId, username, null,
+        _accountManager.createUserAccount(username, "", user.getFirstname(), user.getLastname(), user.getEmail(), null, username, accountType, domainId, username, null,
             UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP);
     }
-    private void disableUserInCloudStack(LdapUser ldapUser, long domainId) {
-        final UserAccount user = _userAccountDao.getUserAccount(ldapUser.getUsername(), domainId);
-        _accountService.lockUser(user.getId());
+    private void disableUserInCloudStack(UserAccount user) {
+        if (user != null) {
+            _accountManager.disableUser(user.getId());
+        }
     }
     @Override
diff --git a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapConfiguration.java b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapConfiguration.java
index 95019015442..56b39a8b3d1 100644
--- a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapConfiguration.java
+++ b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapConfiguration.java
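Review bot: `enableUserInCloudStack` only acts when `user.getState()` equals `Account.State.disabled`, while the removed `disableUserInCloudStack` called `_accountService.lockUser`, so users that the previous version of this authenticator locked are in the `locked` state and are never touched by the new re-enable path; if that is intended, say so on the check, e.g. `// compares against disabled, not locked: users locked by the pre-disableUser version of this authenticator are left alone`, otherwise the migration needs handling. Both helpers now change a principal's state without any log line, whereas the neighbouring catch block logs at debug; add an `s_logger.info(...)` with the user id next to the `enableUser` and `disableUser` calls so the transitions are traceable. The class continues past `@Override` outside the hunk.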
@@ -39,6 +39,9 @@ public class LdapConfiguration implements Configurable{
     private static final ConfigKey ldapProvider = new ConfigKey(String.class, "ldap.provider", "Advanced", "openldap", "ldap provider ex:openldap, microsoftad", true, ConfigKey.Scope.Global, null);
+    private static final ConfigKey ldapEnableNestedGroups = new ConfigKey(Boolean.class, "ldap.nested.groups.enable", "Advanced", "true",
+            "if true, nested groups will also be queried", true, ConfigKey.Scope.Global, null);
+
     private final static int scope = SearchControls.SUBTREE_SCOPE;
     @Inject
@@ -183,6 +186,10 @@ public class LdapConfiguration implements Configurable{
         return provider;
     }
+    public boolean isNestedGroupsEnabled() {
+        return ldapEnableNestedGroups.value();
+    }
+
     @Override
     public String getConfigComponentName() {
         return LdapConfiguration.class.getSimpleName();
@@ -190,6 +197,6 @@ public class LdapConfiguration implements Configurable{
     @Override
     public ConfigKey[] getConfigKeys() {
-        return new ConfigKey[] {ldapReadTimeout, ldapPageSize, ldapProvider};
+        return new ConfigKey[] {ldapReadTimeout, ldapPageSize, ldapProvider, ldapEnableNestedGroups};
     }
 }
\ No newline at end of file
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 634c2996143..edc8ad87b78 100644
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2173,9 +2173,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         if (domain != null) {
             domainName = domain.getName();
         }
-        if (userAccount == null) {
-            _userAccountDao.getUserAccount(username, domainId);
-        }
+        userAccount = _userAccountDao.getUserAccount(username, domainId);
         if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) {
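Review bot: The description of `ldap.nested.groups.enable` in the -39,6 +39,9 hunk says nested groups "will also be queried", but within this diff the flag is consulted only by ADLdapUserManagerImpl.getMemberOfAttribute, i.e. the Microsoft AD memberOf filter, so an operator running the openldap provider will see a global key that appears to do nothing. If the OpenLDAP path indeed ignores it, say so in the description, e.g. `"if true, nested groups will also be queried (Microsoft AD provider only)"`, and give `isNestedGroupsEnabled()` in the -183,6 +186,10 hunk a one-line Javadoc noting that the default is true so existing installations keep nested lookups. OpenLdapUserManagerImpl is not part of this diff, so whether it honours the flag is inferred from what is visible here.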