Merge OpenOLAT91 to OpenOLAT default with 99372bd64b6936b4dadc1df138b4cf247e76a3c6

src/main/java/org/olat/core/commons/modules/glossary/GlossaryMainController.java

@@ -28,7 +28,6 @@ import java.util.List;
 import java.util.Properties;
 import java.util.Set;
 
-import org.apache.commons.lang.StringEscapeUtils;
 import org.olat.core.CoreSpringFactory;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.Component;
@@ -208,7 +207,7 @@ public class GlossaryMainController extends BasicController implements Activatea
 					if (deleteDialogCtr != null) {
 						deleteDialogCtr.dispose();
 					}
-					deleteDialogCtr = activateYesNoDialog(ureq, null, translate("glossary.delete.dialog", StringEscapeUtils.escapeHtml(currentGlossaryItem.getGlossTerm())),
+					deleteDialogCtr = activateYesNoDialog(ureq, null, translate("glossary.delete.dialog", StringHelper.escapeHtml(currentGlossaryItem.getGlossTerm())),
 							deleteDialogCtr);
 				} 
 			} else if (button.getCommand().startsWith(REGISTER_LINK)) {

src/main/java/org/olat/ldap/LDAPLoginManagerImpl.java

@@ -336,11 +336,9 @@ public class LDAPLoginManagerImpl extends LDAPLoginManager implements GenericEve
 			return null;
 
 		List<String> ldapBases = LDAPLoginModule.getLdapBases();
-		String objctClass = LDAPLoginModule.getLdapUserObjectClass();
 		String[] serachAttr = { "dn" };
 		
-		String ldapUserIDAttribute = LDAPLoginModule.mapOlatPropertyToLdapAttribute(LDAPConstants.LDAP_USER_IDENTIFYER);
-		String filter = "(&(objectClass=" + objctClass + ")(" + ldapUserIDAttribute + "=" + uid + "))";
+		String filter = buildSearchUserFilter(uid);
 		SearchControls ctls = new SearchControls();
 		ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
 		ctls.setReturningAttributes(serachAttr);
@@ -364,6 +362,26 @@ public class LDAPLoginManagerImpl extends LDAPLoginManager implements GenericEve
 		return userDN;
 	}
 
+	/**
+	 * Build an LDAP search filter for the given user ID using the preconfigured filters
+	 * @param uid the user ID
+	 * @return the filter String
+	 */
+	private String buildSearchUserFilter(String uid) {
+		String ldapUserIDAttribute = LDAPLoginModule.mapOlatPropertyToLdapAttribute(LDAPConstants.LDAP_USER_IDENTIFYER);
+		String ldapUserFilter = LDAPLoginModule.getLdapUserFilter();
+		StringBuilder filter = new StringBuilder();
+		if (ldapUserFilter != null) {
+			// merge preconfigured filter (e.g. object class, group filters) with username using AND rule
+			filter.append("(&").append(ldapUserFilter);	
+		}
+		filter.append("(").append(ldapUserIDAttribute).append("=").append(uid).append(")");
+		if (ldapUserFilter != null) {
+			filter.append(")");	
+		}
+		return filter.toString();
+	}
+
 	/**
 	 * 
 	 * Creates list of all LDAP Users or changed Users since syncTime
@@ -384,22 +402,31 @@ public class LDAPLoginManagerImpl extends LDAPLoginManager implements GenericEve
 	 * @throws NamingException
 	 */
 	public List<Attributes> getUserAttributesModifiedSince(Date syncTime, LdapContext ctx) {
-		String objctClass = LDAPLoginModule.getLdapUserObjectClass();
+		String userFilter = LDAPLoginModule.getLdapUserFilter();
 		StringBuilder filter = new StringBuilder();
 		if (syncTime == null) {
 			logDebug("LDAP get user attribs since never -> full sync!");
-			filter.append("(objectClass=").append(objctClass).append(")");
+			if (filter != null) {
+				filter.append(userFilter);				
+			}
 		} else {
 			String dateFormat = LDAPLoginModule.getLdapDateFormat();
 			SimpleDateFormat generalizedTimeFormatter = new SimpleDateFormat(dateFormat);
 			generalizedTimeFormatter.setTimeZone(UTC_TIME_ZONE);
 			String syncTimeForm = generalizedTimeFormatter.format(syncTime);
 			logDebug("LDAP get user attribs since " + syncTime + " -> means search with date restriction-filter: " + syncTimeForm);
-			filter.append("(&(objectClass=").append(objctClass).append(")(|(");
+			if (userFilter != null) {
+				// merge user filter with time fileter using and rule
+				filter.append("(&").append(userFilter);				
+			}
+			filter.append("(|(");								
 			filter.append(LDAPLoginModule.getLdapUserLastModifiedTimestampAttribute()).append(">=").append(syncTimeForm);
 			filter.append(")(");
 			filter.append(LDAPLoginModule.getLdapUserCreatedTimestampAttribute()).append(">=").append(syncTimeForm);
-			filter.append(")))");
+			filter.append("))");
+			if (userFilter != null) {
+				filter.append(")");				
+			}
 		}
 		final List<Attributes> ldapUserList = new ArrayList<Attributes>();
 
@@ -705,7 +732,7 @@ public class LDAPLoginManagerImpl extends LDAPLoginManager implements GenericEve
 		if (ctx == null) return null;
 		// Find all LDAP Users
 		String userID = LDAPLoginModule.mapOlatPropertyToLdapAttribute(LDAPConstants.LDAP_USER_IDENTIFYER);
-		String objctClass = LDAPLoginModule.getLdapUserObjectClass();
+		String userFilter = LDAPLoginModule.getLdapUserFilter();
 		final List<String> ldapList = new ArrayList<String>();
 		
 		searchInLdap(new LdapVisitor() {
@@ -718,7 +745,7 @@ public class LDAPLoginManagerImpl extends LDAPLoginManager implements GenericEve
 					ldapList.add(attr.get().toString().toLowerCase());
 				}
 			}
-		}, "(objectClass=" + objctClass + ")", new String[] { userID }, ctx);
+		}, (userFilter == null ? "" : userFilter), new String[] { userID }, ctx);
 
 		if (ldapList.isEmpty()) {
 			logWarn("No users in LDAP found, can't create deletionList!!", null);

src/main/java/org/olat/ldap/LDAPLoginModule.java

@@ -101,7 +101,7 @@ public class LDAPLoginModule implements Initializable {
 	// Propagate the password changes onto the LDAP server
 	private static boolean propagatePasswordChangedOnLdapServer;
 	// Configuration for syncing user attributes
-	private static String ldapUserObjectClass;
+	private static String ldapUserFilter;
 	private static String ldapUserCreatedTimestampAttribute;
 	private static String ldapUserLastModifiedTimestampAttribute;
 	private static String ldapUserPasswordAttribute;
@@ -162,7 +162,13 @@ public class LDAPLoginModule implements Initializable {
 			setEnableLDAPLogins(false);
 			return;
 		}
-		if (!checkConfigParameterIsNotEmpty(ldapUserObjectClass)) return;
+		if (ldapUserFilter != null) {
+			if (!ldapUserFilter.startsWith("(") || !ldapUserFilter.endsWith(")")) {
+				log.error("Wrong configuration 'ldapUserFilter'. Set filter to emtpy value or enclose filter in brackets like '(objectClass=person)'. Disabling LDAP");
+				setEnableLDAPLogins(false);
+				return;
+			}
+		}
 		if (!checkConfigParameterIsNotEmpty(ldapUserCreatedTimestampAttribute)) return;
 		if (!checkConfigParameterIsNotEmpty(ldapUserLastModifiedTimestampAttribute)) return;
 		if (userAttrMap == null || userAttrMap.size() == 0) {
@@ -477,8 +483,13 @@ public class LDAPLoginModule implements Initializable {
 		ldapSyncOnStartup = ldapStartSyncs;
 	}
 
-	public void setLdapUserObjectClass(String objectClass) {
-		ldapUserObjectClass = objectClass.trim();
+	public void setLdapUserFilter(String filter) {
+		if (StringHelper.containsNonWhitespace(filter)) {
+			ldapUserFilter = filter.trim();			
+		} else {
+			// set explicitly to null for no filter
+			ldapUserFilter = null;
+		}
 	}
 
 	public void setLdapSystemDN(String ldapSystemDN) {
@@ -629,8 +640,11 @@ public class LDAPLoginModule implements Initializable {
 		return connectionTimeout;
 	}
 
-	public static String getLdapUserObjectClass() {
-		return ldapUserObjectClass;
+	/**
+	 * @return A filter expression enclosed in () brackets to filter for valid users or NULL for no filtering
+	 */
+	public static String getLdapUserFilter() {
+		return ldapUserFilter;
 	}
 
 	public static String getLdapUserLastModifiedTimestampAttribute() {

src/main/java/org/olat/ldap/_spring/ldapContext.xml

@@ -81,7 +81,7 @@
 		<!-- if ldapSyncCronSync=true, specify cron expression: http://quartz.sourceforge.net/javadoc/org/quartz/CronTrigger.html  -->
 		<property name="ldapSyncCronSyncExpression" value="${ldap.ldapSyncCronSyncExpression}" /> <!--  run every hour -->		
 		<!-- Configuration for syncing user attributes during login or cron and batch sync -->		
-		<property name="ldapUserObjectClass" value="${ldap.ldapUserObjectClass}"/>
+		<property name="ldapUserFilter" value="${ldap.ldapUserFilter}"/>
 		<property name="ldapUserCreatedTimestampAttribute" value="${ldap.ldapUserCreatedTimestampAttribute}"/>
 		<property name="ldapUserLastModifiedTimestampAttribute" value="${ldap.ldapUserLastModifiedTimestampAttribute}"/>
 		<property name="ldapUserPasswordAttribute" value="${ldap.ldapUserPassordAttribute}"/>

src/main/resources/serviceconfig/olat.properties

@@ -795,6 +795,10 @@ ldap.ldapSyncCronSyncExpression=0 0 * * * ?
 # Configuration for syncing user attributes during login or cron and batch sync (examples are
 # for an active directory)
 ldap.ldapUserObjectClass=person
+# Filter that uses the user object class. Can be exteded to include group memberships as well. Default is a standard object class filter.
+ldap.ldapUserFilter=(objectClass=${ldap.ldapUserObjectClass})
+# Example for more complex filter: 
+# ldap.ldapUserFilter=(&(objectClass=${ldap.ldapUserObjectClass})(memberOf=CN=OpenOLATAccess,OU=Students,DC=openolat,DC=org))
 ldap.ldapUserCreatedTimestampAttribute=whenCreated
 ldap.ldapUserLastModifiedTimestampAttribute=whenChanged
 # OpenLDAP is userPassword, ActiveDirectory is unicodePwd