do not blindly override permission set of ldap users

fixes #2516

graylog2-server/src/main/java/org/graylog2/security/realm/LdapUserAuthenticator.java

@@ -48,7 +48,6 @@
 import javax.annotation.Nullable;
 import javax.inject.Inject;
 import javax.inject.Named;
-import java.util.Collections;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
@@ -250,7 +249,8 @@ private void updateFromLdap(User user, LdapEntry userEntry, LdapSettings ldapSet
             translatedRoleIds.addAll(user.getRoleIds());
         }
         user.setRoleIds(translatedRoleIds);
-        user.setPermissions(Collections.emptyList());
+        // preserve the raw permissions (the ones without the synthetic self-edit permissions or the "*" admin one)
+        user.setPermissions(user.getPermissions());
     }
 
 }

graylog2-server/src/main/java/org/graylog2/users/UserImpl.java

@@ -19,6 +19,7 @@
 import com.google.common.collect.Collections2;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
 import com.google.inject.assistedinject.Assisted;
 import com.google.inject.assistedinject.AssistedInject;
 import org.bson.types.ObjectId;
@@ -172,8 +173,9 @@ public List<String> getPermissions() {
 
     @Override
     public void setPermissions(final List<String> permissions) {
+        final List<String> perms = Lists.newArrayList(permissions);
         // Do not store the dynamic user self edit permissions
-        permissions.removeAll(this.permissions.userSelfEditPermissions(getName()));
+        perms.removeAll(this.permissions.userSelfEditPermissions(getName()));
         fields.put(PERMISSIONS, permissions);
     }