KNOX-3277 : LDAP Proxy improvements for working with AD backend (#1177)

The LdapProxyBackend and GroupLookupInterceptors are updated to work
with sAMAccountName in addition to uid and cn for user and group lookup.
This involved adding the memberOf and sAMAccountName attribute types
to the schema used by the proxy.

Group retrieval during user search is fixed to respect the useMemberOf flag.

Tests for the LdapProxyBackend were added.

Author: handavid

gateway-server/pom.xml

@@ -611,5 +611,11 @@
             <artifactId>zookeeper-jute</artifactId>
             <scope>test</scope>
         </dependency>
+
+        <dependency>
+            <groupId>org.apache.mina</groupId>
+            <artifactId>mina-core</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>

gateway-server/src/main/java/org/apache/knox/gateway/services/ldap/GroupLookupInterceptor.java

@@ -44,6 +44,7 @@ public class GroupLookupInterceptor extends BaseInterceptor {
     private LdapBackend backend;
     private static final Pattern UID_PATTERN = Pattern.compile(".*\\(uid=([^)]+)\\).*");
     private static final Pattern CN_PATTERN = Pattern.compile(".*\\(cn=([^)]+)\\).*");
+    private static final Pattern SAMAACCOUNTNAME_PATTERN = Pattern.compile(".*\\(sAMAccountName=([^)]+)\\).*");
 
     public GroupLookupInterceptor(DirectoryService directoryService, LdapBackend backend) {
         this.directoryService = directoryService;
@@ -101,6 +102,9 @@ public EntryFilteringCursor search(SearchOperationContext ctx) throws LdapExcept
                         if (backendEntry != null) {
                             // Return backend result directly without caching
                             entries.add(backendEntry);
+                            LOG.ldapUserEntry(backendEntry.toString());
+                        } else {
+                            LOG.ldapUserNull(username);
                         }
                     }
                 } catch (Exception e) {
@@ -127,7 +131,9 @@ public void bind(BindOperationContext ctx) {
     }
 
     private boolean isUserSearch(String filter) {
-        return UID_PATTERN.matcher(filter).matches() || CN_PATTERN.matcher(filter).matches();
+        return UID_PATTERN.matcher(filter).matches()
+                || CN_PATTERN.matcher(filter).matches()
+                || SAMAACCOUNTNAME_PATTERN.matcher(filter).matches();
     }
 
     private String extractUser(String filter) {
@@ -141,6 +147,11 @@ private String extractUser(String filter) {
             return cnMatcher.group(1);
         }
 
+        Matcher samaaccountnameMatcher = SAMAACCOUNTNAME_PATTERN.matcher(filter);
+        if (samaaccountnameMatcher.matches()) {
+            return samaaccountnameMatcher.group(1);
+        }
+
         return null;
     }
 }

gateway-server/src/main/java/org/apache/knox/gateway/services/ldap/KnoxLDAPServerManager.java

@@ -21,8 +21,6 @@
 import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.api.ldap.model.schema.SchemaManager;
-import org.apache.directory.api.ldap.schema.loader.JarLdifSchemaLoader;
-import org.apache.directory.api.ldap.schema.manager.impl.DefaultSchemaManager;
 import org.apache.directory.server.core.DefaultDirectoryService;
 import org.apache.directory.server.core.api.DirectoryService;
 import org.apache.directory.server.core.api.InstanceLayout;
@@ -92,10 +90,8 @@ public void start() throws Exception {
         directoryService = new DefaultDirectoryService();
         directoryService.setInstanceLayout(new InstanceLayout(workDir));
 
-        // Create and load schema manager manually
-        JarLdifSchemaLoader loader = new JarLdifSchemaLoader();
-        SchemaManager schemaManager = new DefaultSchemaManager(loader);
-        schemaManager.loadAllEnabled();
+        // Create SchemaManager
+        SchemaManager schemaManager = SchemaManagerFactory.createSchemaManager();
         directoryService.setSchemaManager(schemaManager);
 
         // Initialize schema partition

gateway-server/src/main/java/org/apache/knox/gateway/services/ldap/LdapMessages.java

@@ -84,4 +84,16 @@ public interface LdapMessages {
     @Message(level = MessageLevel.INFO,
             text = "Cleaning up old lock file: {0}")
     void ldapCleaningLockFile(String lockFile);
+
+    @Message(level = MessageLevel.DEBUG,
+            text = "Backend user found: {0}")
+    void ldapUserEntry(String user);
+
+    @Message(level = MessageLevel.DEBUG,
+            text = "Backend user not found: {0}")
+    void ldapUserNull(String username);
+
+    @Message(level = MessageLevel.ERROR,
+            text = "Failed to copy attribute: {0}")
+    void ldapAttributeCopyError(@StackTrace(level = MessageLevel.DEBUG) Exception e);
 }

gateway-server/src/main/java/org/apache/knox/gateway/services/ldap/SchemaManagerFactory.java

@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.services.ldap;
+
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.schema.AttributeType;
+import org.apache.directory.api.ldap.model.schema.LdapSyntax;
+import org.apache.directory.api.ldap.model.schema.MatchingRule;
+import org.apache.directory.api.ldap.model.schema.ObjectClass;
+import org.apache.directory.api.ldap.model.schema.SchemaManager;
+import org.apache.directory.api.ldap.schema.loader.JarLdifSchemaLoader;
+import org.apache.directory.api.ldap.schema.manager.impl.DefaultSchemaManager;
+
+import java.io.IOException;
+
+/**
+ * Factory class for creating SchemaManager instances.
+ */
+public class SchemaManagerFactory {
+
+    public static SchemaManager createSchemaManager() throws IOException, LdapException {
+        // Create and load schema manager manually
+        JarLdifSchemaLoader loader = new JarLdifSchemaLoader();
+        SchemaManager schemaManager = new DefaultSchemaManager(loader);
+        schemaManager.loadAllEnabled();
+
+        // Add Custom schemas
+        AttributeType memberOfAttrType = new AttributeType("1.2.840.113556.1.2.102");
+        memberOfAttrType.setNames(new String[]{"memberOf"});
+        memberOfAttrType.setSchemaName("other");
+        memberOfAttrType.setSyntax(new LdapSyntax("1.3.6.1.4.1.1466.115.121.1.12"));
+        memberOfAttrType.setDescription("attribute specifies the distinguished names of the groups to which this object belongs");
+        memberOfAttrType.setSingleValued(false);
+        schemaManager.add(memberOfAttrType);
+
+        AttributeType sAMAccountNameAttrType = new AttributeType("1.2.840.113556.1.4.221");
+        sAMAccountNameAttrType.setNames(new String[]{"sAMAccountName"});
+        sAMAccountNameAttrType.setSchemaName("other");
+        sAMAccountNameAttrType.setSyntax(new LdapSyntax("1.3.6.1.4.1.1466.115.121.1.15"));
+        sAMAccountNameAttrType.setDescription("Microsoft sAMAccountName attribute for compatibility");
+        sAMAccountNameAttrType.setEquality(new MatchingRule("caseignorematch"));
+        sAMAccountNameAttrType.setSubstring(new MatchingRule("caseignoresubstringsmatch"));
+        schemaManager.add(sAMAccountNameAttrType);
+
+        ObjectClass personObjectClass = schemaManager.lookupObjectClassRegistry("person");
+        personObjectClass.unlock();
+        personObjectClass.addMayAttributeTypes(memberOfAttrType, sAMAccountNameAttrType);
+        personObjectClass.lock();
+
+        return schemaManager;
+    }
+}

gateway-server/src/main/java/org/apache/knox/gateway/services/ldap/backend/LdapProxyBackend.java

@@ -35,6 +35,7 @@
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
@@ -63,6 +64,14 @@ public class LdapProxyBackend implements LdapBackend {
     private String groupMemberAttribute = "memberUid"; // member for AD, memberUid for POSIX
     private boolean useMemberOf; // Use memberOf attribute for group lookup (efficient for AD)
 
+    private List<String> proxyEntryAttributeTypes = List.of(
+            // "uid" will always be filled
+            "cn",
+            "dn",
+            "mail",
+            "description");
+    private final String proxyEntryGroupMembershipAttributeType = "memberOf";
+
     // Connection pool for efficient connection reuse
     private LdapConnectionPool connectionPool;
 
@@ -120,7 +129,6 @@ public void initialize(Map<String, String> config) throws Exception {
 
         // Configure attribute mappings for AD/LDAP compatibility
         userIdentifierAttribute = config.getOrDefault("userIdentifierAttribute", "uid");
-        config.getOrDefault("userDnTemplate", "uid={username},ou=Users,{baseDn}");
         groupMemberAttribute = config.getOrDefault("groupMemberAttribute", "memberUid");
         useMemberOf = Boolean.parseBoolean(config.getOrDefault("useMemberOf", "false"));
 
@@ -260,7 +268,6 @@ public Entry getUser(String username, SchemaManager schemaManager) throws Except
                 cursor.close();
                 return entry;
             }
-
             cursor.close();
             return null;
         } finally {
@@ -284,7 +291,7 @@ public List<String> getUserGroups(String username) throws Exception {
                 if (cursor.next()) {
                     String userDn = cursor.get().getDn().toString();
                     cursor.close();
-                    return getUserGroupsInternal(connection, userDn, username);
+                    return getCnsFromEntries(getUserGroupsInternal(connection, userDn, username));
                 }
 
                 cursor.close();
@@ -333,8 +340,8 @@ private String extractGroupNameFromDn(String groupDn) {
         return null;
     }
 
-    private List<String> getUserGroupsInternal(LdapConnection connection, String userDn, String username) throws LdapException, CursorException, IOException {
-        List<String> groups = new ArrayList<>();
+    private List<Entry> getUserGroupsInternal(LdapConnection connection, String userDn, String username) throws LdapException, CursorException, IOException {
+        List<Entry> groups = new ArrayList<>();
 
         // Search for groups where user is a member - build filter based on configuration
         String filter;
@@ -356,26 +363,32 @@ private List<String> getUserGroupsInternal(LdapConnection connection, String use
         EntryCursor cursor = connection.search(groupSearchBase, filter, SearchScope.SUBTREE, "cn");
 
         while (cursor.next()) {
-            Entry groupEntry = cursor.get();
-            Attribute cnAttr = groupEntry.get("cn");
-            if (cnAttr != null) {
-                groups.add(cnAttr.getString());
-            }
+            groups.add(cursor.get());
         }
 
         cursor.close();
         return groups;
     }
 
+    private List<String> getCnsFromEntries(Collection<Entry> entries) throws LdapException {
+        List<String> cns = new ArrayList<>();
+        for (Entry entry : entries) {
+            Attribute cnAttr = entry.get("cn");
+            if (cnAttr != null) {
+                cns.add(cnAttr.getString());
+            }
+        }
+        return cns;
+    }
+
     @Override
     public List<Entry> searchUsers(String filter, SchemaManager schemaManager) throws Exception {
         List<Entry> results = new ArrayList<>();
         LdapConnection connection = null;
 
         try {
             connection = getConnection();
-            String searchValue = filter.contains("*") ? "*" : filter;
-            String ldapFilter = "(" + userIdentifierAttribute + "=" + searchValue + ")";
+            String ldapFilter = "(" + userIdentifierAttribute + "=" + filter.trim() + ")";
             EntryCursor cursor = connection.search(userSearchBase, ldapFilter, SearchScope.SUBTREE, "*");
 
             while (cursor.next()) {
@@ -425,16 +438,17 @@ private Entry createProxyEntry(Entry sourceEntry, String username, LdapConnectio
             }
         }
 
-        copyAttribute(sourceEntry, entry, "cn");
-        copyAttribute(sourceEntry, entry, "sn");
-        copyAttribute(sourceEntry, entry, "mail");
-        copyAttribute(sourceEntry, entry, "description");
-        copyAttribute(sourceEntry, entry, "memberOf");  // Preserve group memberships
+        for (String attributeType : proxyEntryAttributeTypes) {
+            copyAttribute(sourceEntry, entry, attributeType);
+        }
 
-        // Get user's groups
-        List<String> groups = getUserGroupsInternal(connection, sourceEntry.getDn().toString(), username);
-        if (!groups.isEmpty()) {
-            entry.add("description", "Groups: " + String.join(", ", groups));
+        if (useMemberOf) {
+            copyAttribute(sourceEntry, entry, proxyEntryGroupMembershipAttributeType);
+        } else {
+            List<Entry> groups = getUserGroupsInternal(connection, sourceEntry.getDn().toString(), username);
+            for (Entry groupEntry : groups) {
+                entry.add(proxyEntryGroupMembershipAttributeType, groupEntry.getDn().getName());
+            }
         }
 
         return entry;
@@ -445,7 +459,12 @@ private void copyAttribute(Entry source, Entry target, String attributeName) thr
         if (attr != null) {
             // Copy all values of the attribute (important for multi-valued attributes like objectClass)
             for (org.apache.directory.api.ldap.model.entry.Value value : attr) {
-                target.add(attributeName, value.getString());
+                try {
+                    target.add(attributeName, value.getString());
+                } catch (LdapException e) {
+                    LOG.ldapAttributeCopyError(e);
+                    throw e;
+                }
             }
         }
     }