DirectoryTree / LdapRecord-Laravel

Multi-domain LDAP Authentication & Management for Laravel.
https://ldaprecord.com/docs/laravel/v3
MIT License

[Bug] Wrong handling of `orWhere` in emulator #606

Open acharseth opened 9 months ago

acharseth commented 9 months ago

Environment:

Describe the bug: I wanted a scope requiring membership in one or more groups. I therefore created a scope with an initial where for one group and two more orWhere calls for two other groups. Something like this:

$builder->where('memberof', '=', 'cn=Group1');
$builder->orWhere('memberof', '=', 'cn=Group2');
$builder->orWhere('memberof', '=', 'cn=Group3');

With experience from SQL this makes sense, but it does not in LDAP. This creates the following LDAP filter (as decoded from the log):

(&...
(memberof=CN=Group1)
(|(memberof=CN=Group2)(memberof=CN=Group3)))

This means that you have to be a member of both Group1 and (Group2 or Group3), which is not what I intended. Still, using the built-in LDAP emulator I could be a member of e.g. Group3 only and still get included. In the test environment, however, I did not get included. The correct implementation for the scope is to use orWhere on all 3 groups, like this:

$builder->orWhere('memberof', '=', 'cn=Group1');
$builder->orWhere('memberof', '=', 'cn=Group2');
$builder->orWhere('memberof', '=', 'cn=Group3');

This will create a correct LDAP filter:

(&...
(|(memberof=CN=Group1)(memberof=CN=Group2)(memberof=CN=Group3)))

To my understanding Active Directory has a correct implementation of the filter and the built-in emulator does not. Agree?
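As an added example (not code from this issue or from LdapRecord), a minimal evaluator for the `&`, `|` and equality subset of RFC 4515 filters, run over the two filters quoted above against a constructed entry that is a member of Group3 only. A server applying the filter correctly excludes that entry under the first filter and includes it under the second, which is exactly the difference a test suite relying on the emulator would miss.

```python
# Constructed directory entry: a user who is a member of Group3 only.
ENTRY = {"memberof": ["CN=Group3"]}

# Filter produced by where() followed by two orWhere() calls (from the issue).
FILTER_MIXED = "(&(memberof=CN=Group1)(|(memberof=CN=Group2)(memberof=CN=Group3)))"
# Filter produced by three orWhere() calls, the intended "any of" scope.
FILTER_OR = "(&(|(memberof=CN=Group1)(memberof=CN=Group2)(memberof=CN=Group3)))"


def parse(filter_str):
    """Parse the &, | and equality subset of an RFC 4515 filter into a tree."""
    def node(pos):
        if filter_str[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if filter_str[pos] in "&|":
            op, pos, children = filter_str[pos], pos + 1, []
            while filter_str[pos] == "(":
                child, pos = node(pos)
                children.append(child)
            if filter_str[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            return (op, children), pos + 1
        # Equality item: the value may itself contain '=' (a DN such as
        # CN=Group1), so split on the first '=' only.
        end = filter_str.index(")", pos)
        attr, value = filter_str[pos:end].split("=", 1)
        return ("=", attr.lower(), value.lower()), end + 1

    tree, pos = node(0)
    if pos != len(filter_str):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry ({attr: [values]}), case-insensitively."""
    if tree[0] == "&":
        return all(matches(child, entry) for child in tree[1])
    if tree[0] == "|":
        return any(matches(child, entry) for child in tree[1])
    _, attr, value = tree
    return any(v.lower() == value for v in entry.get(attr, []))


def in_scope(filter_str, entry=ENTRY):
    """True if the entry would be returned by a server applying the filter correctly."""
    return matches(parse(filter_str), entry)
```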

stevebauman commented 5 months ago

Thanks @acharseth, apologies for the long reply here. Yes I agree, the emulator is the one not working properly. The query builder is working as expected. I'm able to reproduce this locally. Working on a patch -- haven't found a solution yet. Will report here once I do 👍