SUSE / Portus

Authorization service and frontend for Docker registry (v2)
http://port.us.org/
Apache License 2.0

"Invalid filter syntax" on LDAP team sync #2203

Closed Falco20019 closed 4 years ago

Falco20019 commented 5 years ago

Description

Adding new users to teams through LDAP fails with the message "[ldap] Connection error: Invalid filter syntax."

Steps to reproduce

  1. Add a team "LW-LI" (matching the LDAP group CN=LW-LI,OU=Universal,OU=Group,OU=NW,OU=DE,OU=Production,DC=my-company,DC=com)
  2. Add a new user "debk0l" through first login of LDAP account
  3. Seeing that the user can log in and it works
  4. Watching the background task logs, waiting for the team addition

Logs don't show any valuable information:

[ldap] Looking up an LDAP group membership for 'debk0l'
  User Load (0.4ms)  SELECT  `users`.* FROM `users` WHERE `users`.`username` = 'debk0l' LIMIT 1
[ldap] Connection error: Invalid filter syntax.

Assumption

I assume it's failing here when accessing the distinguished name. In our LDAP, there is no field dn, just distinguishedName. This results in search.groups_from producing a filter of the form (&(cn=*)(member=)), which is of course invalid.

I think that, like the uid, the dn attribute needs to be configurable.

I currently can't build the image myself to try it out, since our IT is using a man-in-the-middle proxy (ZScaler) with a self-signed certificate that parts of your build chain do not trust.

Deployment information

Deployment method: Docker compose, pretty similar to the example.

Configuration: Running docker-image opensuse/portus:head from today.

ldap:
  enabled: true
  hostname: "mos1d00001.my-company.com"
  port: 636
  timeout: 5
  encryption:
    method: "simple_tls"
  base: "OU=Production,DC=my-company,DC=com"
  group_base: "OU=Universal,OU=Group,OU=NW,OU=DE,OU=Production,DC=my-company,DC=com"
  filter: "(&(objectCategory=person)(memberOf=CN=LW-LI,OU=Universal,OU=Group,OU=NW,OU=DE,OU=Production,DC=my-company,DC=com))"
  uid: "sAMAccountName"
  authentication:
    enabled: true
    bind_dn: "cn=ldap-user,ou=service,ou=user,ou=MB,ou=DE,ou=production,DC=my-company,DC=com"
  group_sync:
    enabled: true
    default_role: "contributor"
  guess_email:
    enabled: true
    attr: "userPrincipalName"

Portus version: 2.5.0-dev@a1b9f2ebfeb84680a9dcd5629195e4c52815735c

LDAP samples (relevant excerpt)

ldaps://mos1d00001.my-company.com:636/CN=Kraemer%5C,%20Benjamin,OU=LW-LI,OU=JLS,OU=Department,OU=People,OU=User,OU=MB,OU=DE,OU=Production,DC=my-company,DC=com

Field Value
objectClass person
cn Kraemer, Benjamin
distinguishedName CN=Kraemer\, Benjamin,OU=LW-LI,OU=JLS,OU=Department,OU=People,OU=User,OU=MB,OU=DE,OU=Production,DC=my-company,DC=com
memberOf CN=LW-LI,OU=Universal,OU=Group,OU=NW,OU=DE,OU=Production,DC=my-company,DC=com
sAMAccountName dejhbk0l
userPrincipalName Benjamin.Kraemer@my-company.com

ldaps://mos1d00001.my-company.com:636/LW-LI,OU=Universal,OU=Group,OU=NW,OU=DE,OU=Production,DC=my-company,DC=com

Field Value
objectClass group
member CN=Kraemer\, Benjamin,OU=LW-LI,OU=JLS,OU=Department,OU=People,OU=User,OU=MB,OU=DE,OU=Production,DC=my-company,DC=com
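The filter problem described in the assumption above, as an added example that is not Portus code: a Ruby sketch of how a group-membership lookup filter could be built with a configurable DN attribute (a hypothetical "dn" setting alongside the existing "uid"), refusing to build an empty member assertion instead of letting the server reject it with "Invalid filter syntax", and escaping the DN value per RFC 4515, since an AD DN like the one in the sample contains "\,". The sample entry is constructed from the excerpt in this issue; the function names are assumptions, not Portus's API.

```ruby
# Added example (not Portus code): build the LDAP group-membership
# filter the issue describes, but with a configurable DN attribute
# and RFC 4515 escaping of the member value.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# NUL, ( ) * and \ are replaced by \XX hex escapes so that a DN
# containing "\," or "*" can neither break the filter nor inject
# additional assertions into it.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\x00()*\\]/) { |c| format('\\%02x', c.ord) }
end

# Pick the user's DN from an entry. `entry` is a Hash of attribute
# name (String, any case) => Array of values, mimicking what an LDAP
# client returns. `dn_attr` is the configured attribute (assumption:
# a hypothetical ldap.dn setting, like the existing ldap.uid).
def distinguished_name(entry, dn_attr: 'dn')
  attrs = entry.transform_keys { |k| k.to_s.downcase }
  values = attrs[dn_attr.downcase] || []
  values.first
end

# Build "(&(cn=*)(member=<dn>))" for the group lookup. Fail loudly when
# the DN attribute is absent instead of sending "(member=)" to the
# server and getting back an opaque "Invalid filter syntax".
def group_membership_filter(entry, dn_attr: 'dn')
  dn = distinguished_name(entry, dn_attr: dn_attr)
  if dn.nil? || dn.empty?
    raise ArgumentError,
          "user entry has no '#{dn_attr}' attribute; " \
          "configure the DN attribute (e.g. 'distinguishedName')"
  end
  "(&(cn=*)(member=#{ldap_filter_escape(dn)}))"
end

# Constructed sample entry modelled on the AD excerpt in the issue:
# the DN is only present as distinguishedName, not as dn.
SAMPLE_ENTRY = {
  'objectClass' => ['person'],
  'cn' => ['Kraemer, Benjamin'],
  'distinguishedName' => ['CN=Kraemer\\, Benjamin,OU=LW-LI,OU=JLS,OU=Department,OU=People,OU=User,OU=MB,OU=DE,OU=Production,DC=my-company,DC=com'],
  'sAMAccountName' => ['dejhbk0l'],
}.freeze

if $PROGRAM_NAME == __FILE__
  begin
    puts group_membership_filter(SAMPLE_ENTRY) # default 'dn' -> error
  rescue ArgumentError => e
    puts "error: #{e.message}"
  end
  puts group_membership_filter(SAMPLE_ENTRY, dn_attr: 'distinguishedName')
end
```

With the default attribute the lookup raises a descriptive error; with dn_attr set to distinguishedName it produces a filter in which the backslash of "Kraemer\, Benjamin" is encoded as \5c, so the server parses the value as one DN rather than as broken filter syntax.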

stale[bot] commented 5 years ago

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

Falco20019 commented 5 years ago

Still waiting for any attention by the team.

stale[bot] commented 4 years ago

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

Falco20019 commented 4 years ago

Still a problem

stale[bot] commented 4 years ago

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

SuperSandro2000 commented 4 years ago

bump

stale[bot] commented 4 years ago

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

SuperSandro2000 commented 4 years ago

/unstale

stale[bot] commented 4 years ago

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.