diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java
index 01bde33e6..7040e8739 100644
--- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java
+++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java
@@ -113,7 +113,7 @@ LdapAuthoritiesPopulator ldapAuthoritiesPopulator(@Qualifier("contextSource") Ba
 /* Specificity here : we don't get the Role by reading the members of available groups (which is implemented by
- default in Spring security LDAP), but we retrieve the groups from the field memberOf of the user.
+ default in Spring security LDAP), but we retrieve the groups the user belongs to.
 */
 class CustomLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
@@ -126,11 +126,11 @@ private CustomLdapAuthoritiesPopulator(BaseLdapPathContextSource ldapContextSour
 @Override
 public Collection getGrantedAuthorities(
 DirContextOperations userData, String username) {
+ logger.debug("Populating authorities using LDAP");
 Optional userOptional = userRepository.findByUsername(username);
- if (!userOptional.isPresent()) {
+ if (userOptional.isEmpty()) {
 User newUser = createLdapUser(userData);
- userOptional = Optional.of(newUser);
 }
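Review bot: Inside the `if (userOptional.isEmpty())` branch the rendering shows a `-` marker on `userOptional = Optional.of(newUser);`; if that assignment really is deleted (rather than a blank line above it, which this collapsed layout cannot distinguish), `newUser` becomes an unused local and `userOptional` stays empty for a first-time LDAP login, so whatever unwraps it on the lines between this hunk and the next would fail for exactly the users this branch is meant to create. Either keep the assignment or fold the creation into the unwrap, `User user = userOptional.orElseGet(() -> createLdapUser(userData));`, and drop the separate branch. The new debug line would also be more useful with its subject, `logger.debug("Populating authorities for {} using LDAP", username);`. getGrantedAuthorities continues past the end of this hunk.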
@@ -139,13 +139,20 @@ public Collection getGrantedAuthorities(
 saveLdapUser(userData, user);
 }
 user.setPassword(null);
- String userDn = userAttributesUsername + "=" + user.getUsername() + "," + providerBase;
+
+ StringBuilder userDnBuilder = new StringBuilder();
+ userDnBuilder.append(userData.getDn().toString());
+ if (providerBase != null && !providerBase.isEmpty()) {
+ userDnBuilder.append(',');
+ userDnBuilder.append(providerBase);
+ }
+ String userDn = userDnBuilder.toString();
 List definedGroups = groupRepository.findAll();
 OrFilter orFilter = new OrFilter();
- for (int i = 0; i < definedGroups.size(); i++) {
- orFilter.or(new EqualsFilter(groupRoleAttribute, definedGroups.get(i).getName()));
+ for (Group definedGroup : definedGroups) {
+ orFilter.or(new EqualsFilter(groupRoleAttribute, definedGroup.getName()));
 }
 AndFilter andFilter = new AndFilter();
@@ -154,9 +161,11 @@ public Collection getGrantedAuthorities(
 andFilter.and(groupsFilter);
 andFilter.and(orFilter);
+ String filter = andFilter.encode();
+ logger.debug("Searching LDAP with filter: {}", filter);
 Set memberGroups = ldapTemplate
- .searchForSingleAttributeValues("", andFilter.encode(), new Object[]{""},
- groupRoleAttribute);
+ .searchForSingleAttributeValues(groupSearchBase, filter, new Object[]{""}, groupRoleAttribute);
+ logger.debug("LDAP search result: {}", Arrays.toString(memberGroups.toArray()));
 Set addGroups = new HashSet<>();
 for (String memberGroup : memberGroups) {
@@ -186,6 +195,7 @@ public BaseLdapPathContextSource contextSource() {
 providerUrl);
 contextSource.setUserDn(providerUserDn);
 contextSource.setPassword(providerPassword);
+ contextSource.setBase(providerBase);
 return contextSource;
 }
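Review bot: The DN assembly after `user.setPassword(null)` only produces an absolute DN because `userData.getDn()` is relative to the context-source base that the `contextSource()` hunk now sets; that coupling is invisible at this point and deserves a comment such as `// userData.getDn() is relative to the context-source base, so re-append providerBase to get the absolute DN` (inferred from the two hunks together; worth confirming against the Spring LDAP DirContextOperations contract). Using the entry's real DN instead of concatenating `userAttributesUsername + "=" + user.getUsername()` is the right direction, since the old form trusted a database value to be a well-formed RDN. The StringBuilder can be collapsed to `String userDn = (providerBase == null || providerBase.isEmpty()) ? userData.getDn().toString() : userData.getDn() + "," + providerBase;`. getGrantedAuthorities starts before this hunk, and the line that consumes `userDn` lies outside it.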
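Review bot: The new `logger.debug("LDAP search result: {}", Arrays.toString(memberGroups.toArray()))` copies the result set into an array on every call, DEBUG enabled or not, because the argument is evaluated before the logger checks the level; `memberGroups` is a `Set` with a readable `toString`, so `logger.debug("LDAP search result: {}", memberGroups);` logs the same content lazily. The filter debug line before the search prints the user DN and every configured group name, which is acceptable at DEBUG but should stay at that level. getGrantedAuthorities continues past both ends of this hunk.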
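Review bot: `contextSource.setBase(providerBase)` makes every search base handed to `ldapTemplate` — including the `groupSearchBase` now passed to `searchForSingleAttributeValues` in the hunk above — relative to `providerBase`, so a deployment that configured `groupSearchBase` or a user-search base as an absolute DN will now search under a doubled path, and nothing in the commit records that behaviour change. A one-line comment would help, e.g. `// from here on every search base and DirContextOperations.getDn() are relative to providerBase`. This call also passes `providerBase` without the null/empty guard used for the DN builder in getGrantedAuthorities; Spring LDAP's AbstractContextSource appears to map a null base to the empty name, but that is worth confirming for the version in use. contextSource() starts before this hunk.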
@@ -210,13 +220,14 @@ private User saveLdapUser(DirContextOperations userData, User saveUser) {
 }
 private User createLdapUser(DirContextOperations userData) {
+ String username = userData.getStringAttribute(userAttributesUsername);
+ logger.debug("Creating user for {} using LDAP", username);
 User user = saveLdapUser(userData, new User());
- user.setUsername(userData.getStringAttribute(userAttributesUsername));
+ user.setUsername(username);
 user.setEnabled(true);
 user.setAdmin(false);
 userRepository.save(user);
- return user;
 }
 }
\ No newline at end of file
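Review bot: `userData.getStringAttribute(userAttributesUsername)` returns null when the LDAP entry lacks that attribute, and the new code then logs "Creating user for null" and persists a User with a null username, the same gap the old line had but now made explicit by hoisting the value; rejecting it before the save is safer than storing a nameless principal, e.g. `if (username == null || username.isBlank()) { throw new IllegalStateException("LDAP entry " + userData.getDn() + " has no " + userAttributesUsername + " attribute"); }` (whether callers expect an exception here is not visible in the diff). The `-` marker in front of `return user;` is ambiguous in this collapsed rendering; if the return statement itself was deleted rather than a blank line above it, the method declared `private User` no longer returns a value, so please confirm which line was removed.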