From d8402bad61ba8ec2b2551503dd31db065b2d9824 Mon Sep 17 00:00:00 2001
From: Robert von Burg
Date: Thu, 5 Oct 2023 12:15:26 +0200
Subject: [PATCH] [New] Allow to add an additionalFilter in LDAP search
---
 .../handler/BaseLdapPrivilegeHandler.java | 28 +++++++++++++------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/privilege/src/main/java/li/strolch/privilege/handler/BaseLdapPrivilegeHandler.java b/privilege/src/main/java/li/strolch/privilege/handler/BaseLdapPrivilegeHandler.java
index 1fc8c6c35..5e8f838af 100644
--- a/privilege/src/main/java/li/strolch/privilege/handler/BaseLdapPrivilegeHandler.java
+++ b/privilege/src/main/java/li/strolch/privilege/handler/BaseLdapPrivilegeHandler.java
@@ -18,12 +18,16 @@
 import java.util.Set;
 import java.util.concurrent.ScheduledExecutorService;
+import static li.strolch.utils.helper.StringHelper.isNotEmpty;
+import static li.strolch.utils.helper.StringHelper.trimOrEmpty;
+
 public abstract class BaseLdapPrivilegeHandler extends DefaultPrivilegeHandler {
 protected static final Logger logger = LoggerFactory.getLogger(BaseLdapPrivilegeHandler.class);
 private String providerUrl;
 private String searchBase;
+ private String additionalFilter;
 private String domain;
 @Override
@@ -37,8 +41,12 @@ public void initialize(ScheduledExecutorService executorService, Map env = new Hashtable<>();
@@ -57,7 +67,7 @@ protected User checkCredentialsAndUserState(String username, char[] password) th
 // Authenticate
 env.put(Context.SECURITY_AUTHENTICATION, "simple");
- env.put(Context.SECURITY_PRINCIPAL, username + this.domain);
+ env.put(Context.SECURITY_PRINCIPAL, userPrincipalName);
 env.put(Context.SECURITY_CREDENTIALS, new String(password));
 logger.info("User {} tries to login on ldap {}", username + this.domain, this.providerUrl);
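Review bot: The `logger.info` call at the end of the `@@ -57,7 +67,7 @@` hunk still prints `username + this.domain`, while the bind principal two lines above was switched to `userPrincipalName`; if the two can ever differ (how `userPrincipalName` is built lives in the preceding `initialize`/setup hunk, which is truncated in this view), the login audit line will name a principal that was never presented to the server. Use the same value in both places: `logger.info("User {} tries to login on ldap {}", userPrincipalName, this.providerUrl);`. Separately, and pre-existing, `new String(password)` copies the secret into an immutable String held in the JNDI environment where it cannot be zeroed after the bind; the JDK LDAP provider documents `char[]` as an accepted type for `Context.SECURITY_CREDENTIALS`, so passing `password` directly would let the caller clear it. The enclosing method starts before and continues after this hunk.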
@@ -73,21 +83,23 @@ protected User checkCredentialsAndUserState(String username, char[] password) th
 //Specify the search scope
 searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
- String searchFilter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=" + username +
- this.domain + "))";
+ String searchFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s)%s)".formatted(
+ username, this.additionalFilter);
 // Search for objects using the filter
 NamingEnumeration answer = ctx.search(this.searchBase, searchFilter, searchCtls);
 if (!answer.hasMore()) {
- logger.warn("No LDAP data retrieved using userPrincipalName, trying with sAMAccountName...");
- searchFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + username + "))";
+ logger.warn("No LDAP data retrieved using sAMAccountName, trying with userPrincipalName...");
+ searchFilter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=%s)%s)".formatted(
+ userPrincipalName, this.additionalFilter);
 answer = ctx.search(this.searchBase, searchFilter, searchCtls);
 if (!answer.hasMore())
- throw new AccessDeniedException("Could not login with user: " + username + this.domain +
- " on Ldap: no LDAP Data, for either userPrincipalName or sAMAccountName");
+ throw new AccessDeniedException("Could not login user: " + username +
+ " on Ldap: no LDAP Data, for either sAMAccountName or userPrincipalName searches. Domain used is " +
+ this.domain);
 }
 SearchResult searchResult = answer.next();
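Review bot: Both new filter strings still splice `username` (and the derived `userPrincipalName`) into the LDAP filter verbatim; `String.formatted` performs no RFC 4515 escaping, so a name containing `*`, `(`, `)` or `\` rewrites the filter, and the `%s` placeholders make the code look parameterised when only the admin-supplied `additionalFilter` is under the operator's control. JNDI already offers safe parameterisation: put `{0}` in the filter and pass the value through the `Object[] filterArgs` overload of `DirContext.search`, which escapes it before sending. `additionalFilter` is concatenated raw inside the `(&...)` conjunction, so it must be empty or a complete parenthesised component such as `(memberOf=...)`; the `initialize` hunk that reads it is garbled in this view, so I cannot tell whether that is validated there. The method continues past the end of the hunk.
```java
// … unchanged: search scope setup …
String searchFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})%s)".formatted(
		this.additionalFilter);
// {0} is substituted by JNDI with RFC 4515 escaping applied, so the name cannot alter the filter structure
NamingEnumeration<SearchResult> answer = ctx.search(this.searchBase, searchFilter,
		new Object[] { username }, searchCtls);
if (!answer.hasMore()) {
	logger.warn("No LDAP data retrieved using sAMAccountName, trying with userPrincipalName...");
	searchFilter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName={0})%s)".formatted(
			this.additionalFilter);
	answer = ctx.search(this.searchBase, searchFilter, new Object[] { userPrincipalName }, searchCtls);
	// … unchanged: AccessDeniedException when the second search is also empty …
}
```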