feat(authZ/ldap): Adds userSearchBase and userSearchFilter properties…

… for LDAP (#169)
spinnaker · Apr 3, 2017 · c41b3a9 · c41b3a9
1 parent 3b94a31
commit c41b3a9
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/fiat-ldap/src/main/java/com/netflix/spinnaker/fiat/config/LdapConfig.java b/fiat-ldap/src/main/java/com/netflix/spinnaker/fiat/config/LdapConfig.java
@@ -55,6 +55,8 @@ public static class ConfigProps {
 
     String groupSearchBase = "";
     MessageFormat userDnPattern = new MessageFormat("uid={0},ou=users");
+    String userSearchBase = "";
+    String userSearchFilter;
     String groupSearchFilter = "(uniqueMember={0})";
     String groupRoleAttributes = "cn";
   }

diff --git a/fiat-ldap/src/main/java/com/netflix/spinnaker/fiat/roles/ldap/LdapUserRolesProvider.java b/fiat-ldap/src/main/java/com/netflix/spinnaker/fiat/roles/ldap/LdapUserRolesProvider.java
@@ -25,6 +25,8 @@
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.dao.IncorrectResultSizeDataAccessException;
+import org.springframework.ldap.core.DirContextOperations;
 import org.springframework.ldap.core.DistinguishedName;
 import org.springframework.ldap.core.LdapEncoder;
 import org.springframework.security.ldap.LdapUtils;
@@ -107,8 +109,22 @@ private String getUserFullDn(String userId) {
     log.debug("Root DN: " + root.toString());
 
     String[] formatArgs = new String[]{LdapEncoder.nameEncode(userId)};
-    String formattedUser = configProps.getUserDnPattern().format(formatArgs);
-    DistinguishedName user = new DistinguishedName(formattedUser);
+
+    String partialUserDn;
+    if (!StringUtils.isEmpty(configProps.getUserSearchFilter())) {
+      try {
+        DirContextOperations res = ldapTemplate.searchForSingleEntry(configProps.getUserSearchBase(),
+                configProps.getUserSearchFilter(), formatArgs);
+        partialUserDn = res.getDn().toString();
+      } catch (IncorrectResultSizeDataAccessException e) {
+        log.error("Unable to find a single user entry", e);
+        return null;
+      }
+    } else {
+      partialUserDn = configProps.getUserDnPattern().format(formatArgs);
+    }
+
+    DistinguishedName user = new DistinguishedName(partialUserDn);
     log.debug("User portion: " + user.toString());
 
     try {