oracle / opengrok

OpenGrok is a fast and usable source code search and cross reference engine, written in Java
http://oracle.github.io/opengrok/

LdapUserPlugin should be configurable to use User.username as search base #2284

Open vladak opened 6 years ago

vladak commented 6 years ago

When thinking about how to make LDAP searches done by the authorization plugins more efficient (also see #2283), I discovered that LdapUserPlugin can benefit from using the username as base.

Specifically, if the UserPlugin fills the username of a user with DN that matches its node in the LDAP structure, it is not necessary to use the filter at all - certainly not filling the common name there as LdapUserPlugin#getFilter() does.

I.e. instead of passing null as the first argument to lookupLdapContent() in LdapUserPlugin#fillSession(), it will pass user (which will then be used as the base) and the filter can be augmented based on that (to only contain this.objectClass).

This can be made a tunable of UserLdapPlugin - there are still cases when the search base cannot be based on User.

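The base-versus-filter choice described above, as an added Java sketch (not OpenGrok's own code): the usernameIsDn flag, the defaultBase argument and the LdapSearchPlan class are assumptions standing in for the proposed tunable, and the RFC 4515 escaping is an added safeguard for the fallback path where the username is interpolated into a filter.

```java
import javax.naming.directory.SearchControls;
import java.util.Objects;
/** What the plugin would hand to its LDAP search call (added illustration, not OpenGrok code). */
public final class LdapSearchPlan {
    public final String base;
    public final String filter;
    public final int scope;

    LdapSearchPlan(String base, String filter, int scope) {
        this.base = base;
        this.filter = filter;
        this.scope = scope;
    }

    /** RFC 4515 escaping for any value embedded in a filter assertion. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * usernameIsDn is the hypothetical tunable from the issue: when it is on, User.username
     * holds the user's DN, so that single entry is read (OBJECT_SCOPE) and the filter only
     * needs the objectClass. When it is off, fall back to a subtree search under the
     * configured base with the common name in the filter, as getFilter() does today.
     */
    static LdapSearchPlan plan(String username, boolean usernameIsDn,
                               String objectClass, String defaultBase) {
        Objects.requireNonNull(username, "username");
        String classTerm = "(objectClass=" + escapeFilterValue(objectClass) + ")";
        if (usernameIsDn) {
            // e.g. base "uid=jdoe,ou=people,dc=example,dc=com", filter "(objectClass=posixAccount)"
            return new LdapSearchPlan(username, classTerm, SearchControls.OBJECT_SCOPE);
        }
        String cnTerm = "(cn=" + escapeFilterValue(username) + ")";
        return new LdapSearchPlan(defaultBase, "(&" + classTerm + cnTerm + ")",
                                  SearchControls.SUBTREE_SCOPE);
    }
}
```
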
tulinkry commented 6 years ago

Setting up the authorization layer is described at https://github.com/oracle/opengrok/wiki/Authorization. Examples of using the LDAP plugins are at https://github.com/oracle/opengrok/tree/master/plugins.

The ldap-plugin-config.xml is a parameter of the LDAP setup - it's not an OpenGrok-related file, so you put it wherever you want.

    <void method="put">
        <string>configuration</string>
        <string>/opengrok/auth/config/ldap-plugin-config.xml</string>
    </void>

and these are the values you can change in the ldap-plugin-config.xml - basically servers configuration https://github.com/oracle/opengrok/blob/master/plugins/src/opengrok/auth/plugin/configuration/Configuration.java.

tulinkry commented 6 years ago

Maybe @vladak could provide a simple example of ldap-plugin-config.xml for you.

tulinkry commented 6 years ago

I have no idea about your setup. The LDAP authorization needs more than that.

Firstly, https://github.com/oracle/opengrok/tree/master/plugins is just an example of using the plugins which might not match your environment. Secondly, ldap-plugin-config.xml - you need to create this file by hand - that's why I asked @vladak to provide an example. Thirdly, you put the ldap-plugin-config.xml in the location specified in the read-only configuration for the authorization stack (again mentioned in https://github.com/oracle/opengrok/tree/master/plugins):

Snippet from the https://github.com/oracle/opengrok/tree/master/plugins

    <void method="put">
        <string>configuration</string>
        <string>/opengrok/auth/config/ldap-plugin-config.xml</string>
        <!--    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -->
        <!--           this is where you put the file        -->
    </void>

tulinkry commented 6 years ago

The example of ldap-plugin-config.xml is here: https://github.com/oracle/opengrok/blob/master/plugins/sample-ldap-plugin-config.xml (nothing needed anymore, @vladak).