[FIXED HUDSON-1971] Applying patch from Justin Edelson.

git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@10468 71c3de6d-444a-0410-be80-ed276b4c234a Originally-Committed-As: adbccfee4f7229843f8b53fd5cee40a072f271e3
2026-05-10 01:58:30 +02:00 · 2008-06-27 17:37:50 +00:00 · 2008-06-27 17:37:50 +00:00 · 3459fc18c0
commit 3459fc18c0
parent 5b9472b894
3 changed files with 27 additions and 3 deletions
--- a/core/src/main/java/hudson/security/LDAPSecurityRealm.java
+++ b/core/src/main/java/hudson/security/LDAPSecurityRealm.java
@ -42,6 +42,7 @@ import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;

+
 /**
 * {@link SecurityRealm} implementation that uses LDAP for authentication.
 * 
@ -78,6 +79,15 @@ public class LDAPSecurityRealm extends SecurityRealm {
     * @see FilterBasedLdapUserSearch
     */
    public final String userSearch;
+    
+    /**
+     * This defines the organizational unit that contains groups.
+     *
+     * Normally "ou=groups"
+     *
+     * @see FilterBasedLdapUserSearch
+     */
+    public final String groupSearchBase;

    /*
        Other configurations that are needed:
@ -106,13 +116,14 @@ public class LDAPSecurityRealm extends SecurityRealm {
    private final String managerPassword;

    @DataBoundConstructor
-    public LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String managerDN, String managerPassword) {
+    public LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String groupSearchBase, String managerDN, String managerPassword) {
        this.server = server.trim();
        if(Util.fixEmptyAndTrim(rootDN)==null)    rootDN=Util.fixNull(inferRootDN(server));
        this.rootDN = rootDN.trim();
        this.userSearchBase = userSearchBase.trim();
        if(Util.fixEmptyAndTrim(userSearch)==null)    userSearch="uid={0}";
        this.userSearch = userSearch.trim();
+        this.groupSearchBase = Util.fixEmptyAndTrim(groupSearchBase);
        this.managerDN = Util.fixEmpty(managerDN);
        if(Util.fixEmpty(managerPassword)==null)
            this.managerPassword = null;
@ -165,6 +176,7 @@ public class LDAPSecurityRealm extends SecurityRealm {
        BeanBuilder builder = new BeanBuilder();
        builder.parse(Hudson.getInstance().servletContext.getResourceAsStream("/WEB-INF/security/LDAPBindSecurityRealm.groovy"),binding);
        final WebApplicationContext appContext = builder.createApplicationContext();
+        correctAuthoritiesPopulator(appContext);

        return new SecurityComponents(
            findBean(AuthenticationManager.class, appContext),
@ -181,6 +193,15 @@ public class LDAPSecurityRealm extends SecurityRealm {
            });
    }

+    /**
+     * Adjust the authoritiesPopulator bean to have the correct groupSearchBase
+     * @param appContext 
+     */
+    private void correctAuthoritiesPopulator(WebApplicationContext appContext) {
+        DeferredCreationLdapAuthoritiesPopulator factory = (DeferredCreationLdapAuthoritiesPopulator) appContext.getBean("authoritiesPopulator");
+        factory.setGroupSearchBase(groupSearchBase==null ? "ou=groups" : groupSearchBase);
+    }
+    
    /**
     * If the security realm is LDAP, try to pick up e-mail address from LDAP.
     */
--- a/core/src/main/resources/hudson/security/LDAPSecurityRealm/config.jelly
+++ b/core/src/main/resources/hudson/security/LDAPSecurityRealm/config.jelly
@ -13,6 +13,9 @@
    <f:entry title="${%User search filter}" help="/help/security/ldap/userSearchFilter.html">
      <f:textbox name="ldap.userSearch" value="${instance.userSearch}" />
    </f:entry>
+    <f:entry title="${%Group search base}" help="/help/security/ldap/groupSearchBase.html">
+      <f:textbox name="ldap.groupSearchBase" value="${instance.groupSearchBase}" />
+    </f:entry>
    <f:entry title="${%Manager DN}" help="/help/security/ldap/managerDN.html">
      <f:textbox name="ldap.managerDN" value="${instance.managerDN}"
      checkUrl="'${rootURL}/securityRealms/LDAPSecurityRealm/serverCheck?field=managerDN&amp;server='+escape(this.form.elements['ldap.server'].value)+'&amp;managerDN='+escape(this.value)+'&amp;managerPassword='+escape(this.form.elements['ldap.managerPassword'].value)"
--- a/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
+++ b/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
@ -2,11 +2,11 @@ import org.acegisecurity.providers.ProviderManager
 import org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider
 import org.acegisecurity.providers.ldap.LdapAuthenticationProvider
 import org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2
-import org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator
 import org.acegisecurity.ldap.DefaultInitialDirContextFactory
 import org.acegisecurity.ldap.search.FilterBasedLdapUserSearch
 import org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider
 import hudson.model.Hudson
+import hudson.security.DeferredCreationLdapAuthoritiesPopulator

 /*
    Configure LDAP as the authentication realm.
@ -35,7 +35,7 @@ bindAuthenticator(BindAuthenticator2,initialDirContextFactory) {
    userSearch = ldapUserSearch;
 }

-authoritiesPopulator(DefaultLdapAuthoritiesPopulator,initialDirContextFactory,"ou=groups") {
+authoritiesPopulator(DeferredCreationLdapAuthoritiesPopulator,initialDirContextFactory,"ou=groups") {
  // groupRoleAttribute = "ou";
 }