feat(ldap): add new configuration to search for users

fix gravitee-io/issues#2026
gravitee-io · Mar 12, 2019 · 35b9f10 · 35b9f10
1 parent cf51ce4
commit 35b9f10
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 18 deletions.
diff --git a/...api-idp-ldap/src/main/java/io/gravitee/management/idp/ldap/lookup/LdapIdentityLookup.java b/...api-idp-ldap/src/main/java/io/gravitee/management/idp/ldap/lookup/LdapIdentityLookup.java
@@ -46,21 +46,20 @@
 
 /**
  * @author David BRASSELY (david.brassely at graviteesource.com)
+ * @author Nicolas GERAUD (nicolas.geraud at graviteesource.com)
  * @author GraviteeSource Team
  */
 @Import(LdapIdentityLookupConfiguration.class)
 public class LdapIdentityLookup implements IdentityLookup, InitializingBean {
 
     private final Logger LOGGER = LoggerFactory.getLogger(LdapIdentityLookup.class);
 
-    private final static String LDAP_DEFAULT_OBJECT_CLASS = "person";
-
-    private final static String LDAP_ATTRIBUTE_COMMONNAME = "cn";
-    private final static String LDAP_ATTRIBUTE_USERID = "uid";
     private final static String LDAP_ATTRIBUTE_GIVENNAME = "givenName";
     private final static String LDAP_ATTRIBUTE_SURNAME = "sn";
     private final static String LDAP_ATTRIBUTE_MAIL = "mail";
     private final static String LDAP_ATTRIBUTE_DISPLAYNAME = "displayName";
+    private final static String LDAP_DEFAULT_SEARCH ="(&(objectClass=Person)(|(cn=*{0}*)(uid={0})))";
+
 
     @Autowired
     private LdapTemplate ldapTemplate;
@@ -109,14 +108,9 @@ public Collection<User> search(String query) {
         ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
         try {
             Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
-            Filter classFilter = new EqualsFilter("objectclass",
-                    environment.getProperty(
-                            "user-search-objectclass",
-                            LDAP_DEFAULT_OBJECT_CLASS));
-
-            Filter queryFilter = new OrFilter()
-                    .or(new WhitespaceWildcardsFilter(LDAP_ATTRIBUTE_COMMONNAME, query))
-                    .or(new EqualsFilter(LDAP_ATTRIBUTE_USERID, query));
+            String usersSearchFilter = environment.getProperty("users-search-filter", LDAP_DEFAULT_SEARCH);
+            String hardcodedFilter = usersSearchFilter.replaceAll("\\{0}", LdapUtils.addWhitespaceWildcards(query));
+            Filter searchFilter = new HardcodedFilter(hardcodedFilter);
 
             LdapQuery ldapQuery = LdapQueryBuilder
                     .query()
@@ -129,8 +123,7 @@ public Collection<User> search(String query) {
                             LDAP_ATTRIBUTE_SURNAME,
                             LDAP_ATTRIBUTE_MAIL,
                             LDAP_ATTRIBUTE_DISPLAYNAME)
-                    .filter(new AndFilter().and(classFilter).and(queryFilter));
-
+                    .filter(searchFilter);
 
             return ldapTemplate.search(ldapQuery, USER_CONTEXT_MAPPER);
         } catch(LimitExceededException lee) {

diff --git a/...anagement-api-idp-ldap/src/main/java/io/gravitee/management/idp/ldap/utils/LdapUtils.java b/...anagement-api-idp-ldap/src/main/java/io/gravitee/management/idp/ldap/utils/LdapUtils.java
@@ -48,4 +48,11 @@ public static String extractAttribute(String filter) {
 
         return null;
     }
+
+    public static String addWhitespaceWildcards(String str) {
+        if (str == null) {
+            return null;
+        }
+        return str.replaceAll(" ", "*");
+    }
 }
diff --git a/...ne/gravitee-management-api-standalone-distribution/src/main/resources/config/gravitee.yml b/...ne/gravitee-management-api-standalone-distribution/src/main/resources/config/gravitee.yml
@@ -198,12 +198,12 @@ security:
       # Search base for user searches. Defaults to "". Only used with user-search-filter.
       # It should be relative to the Base DN. If the whole DN is o=user accounts,c=io,o=gravitee then the user-search-base should be like this:
 #      user-search-base: "o=user accounts"
-      # The LDAP filter used to search for users (optional). For example "(uid={0})". The substituted parameter is the user's login name.
+      # The LDAP filter used to search for user during authentication. For example "(uid={0})". The substituted parameter is the user's login name.
 #      user-search-filter: "mail={0}"
-      # The objectclass used when searching for user (optional). Default is "person".
-#      user-search-objectclass: "person"
+      # The LDAP filter used to search for users during user research (i.e. for adding a user to a group). The substituted parameter is the query.
+#      users-search-filter: "(&(objectClass=Person)(|(cn=*{0}*)(uid={0})))"
       # The search base for group membership searches. Defaults to "".
-      # It should be relative to the Base DN. If the whole DN is o=authorization groups,c=io,o=gravitee then the group-search-base should be like this:
+      # It should be relative to the Base DN. If the whole DN is o=authorization groups,c=io,o=usergravitee then the group-search-base should be like this:
 #      group-search-base: "o=authorization groups"
       # The LDAP filter to search for groups. Defaults to "(uniqueMember={0})". The substituted parameter is the DN of the user.
 #      group-search-filter: "member={0}"