TremoloSecurity / MyVirtualDirectory

Open Source LDAP Virtual Directory
Apache License 2.0

Group search return null with groupofname filter #94

Open JaiseT opened 3 years ago

JaiseT commented 3 years ago

myvd_log.txt

I am using MyVD 1.0.6 to integrate our user role database with Oracle Fusion Middleware. Search with uid is working fine.

Filter with assigned counts is `(&(&(objectclass=person)(uid=*))(uid=myuser))`

However, there is no success yet with the group query (the query to check if a user belongs to a group). Query filter: `(&(&(cn=*)(objectclass=groupofnames))(cn=MY_GROUP))`

User myuser is part of MY_GROUP in our role database. The generated SQL queries for users and groups return records as expected. Is anything going terribly wrong with my myvd.conf (attached)?

myvd.txt

mlbiam commented 3 years ago

Looking in the logs I see:

```
[2020-10-01 02:09:06,578][pool-6-thread-7] DEBUG JdbcInsert - Search SQL : "SELECT * FROM (select 'myad' as dc,userid,groupid,userid as displayName,guid FROM OVD_AUTHORIZATIONS_IDS_VIEW) X WHERE userid IN (SELECT userid  FROM OVD_AUTHORIZATIONS_IDS_VIEW WHERE (  (  (  (  (  ( groupid IS NOT NULL  )  AND  (  1=1  )  )  )  AND  ( groupid=? )  )  )  AND  ( dc=? )  ) ) ORDER BY userid"
[2020-10-01 02:09:06,578][pool-6-thread-7] DEBUG JdbcInsert - Adding new parameter '1'='My_GROUP
[2020-10-01 02:09:06,579][pool-6-thread-7] DEBUG JdbcInsert - Adding new parameter '2'='myad
[2020-10-01 02:09:06,579][pool-6-thread-7] DEBUG JdbcInsert - Execute query '
```

Does

```sql
SELECT * FROM (select 'myad' as dc,userid,groupid,userid as displayName,guid FROM OVD_AUTHORIZATIONS_IDS_VIEW) X WHERE userid IN (SELECT userid  FROM OVD_AUTHORIZATIONS_IDS_VIEW WHERE (  (  (  (  (  ( groupid IS NOT NULL  )  AND  (  1=1  )  )  )  AND  ( groupid='My_GROUP' )  )  )  AND  ( dc='myad' )  ) ) ORDER BY userid
```

return the expected data?

JaiseT commented 3 years ago

@mlbiam thanks very much for your support. The above query was returning records. But the query was returning too many records (> 65k) because of issues with the database view it was querying against. I have corrected it. The manager mapping was also causing issues. Previously I had manager mapped to groupid. We don't have a manager attribute in our role database. Hence I have mapped it to userid itself for now.

```
server.GroupProfile.GroupInstance.config.mapping=cn=groupid,uid=userid,member=userid,uniquemember=userid,displayName=displayName,entryuuid=guid,dc=dc,manager=userid
```

With the above changes, I am seeing groups being fetched from MyVD with my test java class. Oracle is still throwing errors because some internal users are not configured in MyVD. Hopefully adding those users in the role database should resolve this issue.
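The following is an added example, not code from MyVD or from either participant in this thread. It replays the membership check the thread is about: the parameterised statement that JdbcInsert logged in the second comment is run against a constructed in-memory SQLite table standing in for OVD_AUTHORIZATIONS_IDS_VIEW, and the `cn=groupid,member=userid` mapping from the last comment is applied to the result rows to build a groupOfNames entry and answer "is myuser in MY_GROUP?". The sample rows, the SQLite stand-in, and the function names are all assumptions; the SQL text itself is the logged one with its wrapped line re-joined (in the sample table `dc` is not a column, so the inner `dc=?` resolves to the outer `'myad'` alias; in the reporter's view it may be a real column). The last function shows why the hand-substituted query that mlbiam pasted is fine for a one-off test in a SQL client but must not be how filter values reach the database: with the value spliced into the statement text, an LDAP filter value carrying a quote turns the predicate into a match-everything condition, whereas the bound form returns nothing for it.

```python
import sqlite3
from collections import defaultdict

# Constructed sample rows standing in for OVD_AUTHORIZATIONS_IDS_VIEW
# (userid, groupid, guid); they are not the reporter's data.
SAMPLE_ROWS = [
    ("alice",  "MY_GROUP",    "guid-0002"),
    ("bob",    "OTHER_GROUP", "guid-0003"),
    ("myuser", "MY_GROUP",    "guid-0001"),
    ("myuser", "OTHER_GROUP", "guid-0001"),
]

# The parameterised statement as JdbcInsert logged it, wrapped line re-joined.
# 'dc' is not a column of the sample table, so the inner 'dc=?' is a correlated
# reference to the outer alias 'myad'.
GROUP_SQL = (
    "SELECT * FROM (select 'myad' as dc,userid,groupid,userid as displayName,guid "
    "FROM OVD_AUTHORIZATIONS_IDS_VIEW) X WHERE userid IN (SELECT userid FROM "
    "OVD_AUTHORIZATIONS_IDS_VIEW WHERE ( ( ( ( ( ( groupid IS NOT NULL ) AND ( 1=1 ) ) ) "
    "AND ( groupid=? ) ) ) AND ( dc=? ) ) ) ORDER BY userid"
)

# Attribute mapping from the reporter's final config (LDAP attribute -> column).
MAPPING = {"cn": "groupid", "uid": "userid", "member": "userid", "uniquemember": "userid",
           "displayName": "displayName", "entryuuid": "guid", "dc": "dc", "manager": "userid"}


def load_sample():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OVD_AUTHORIZATIONS_IDS_VIEW (userid TEXT, groupid TEXT, guid TEXT)")
    conn.executemany("INSERT INTO OVD_AUTHORIZATIONS_IDS_VIEW VALUES (?,?,?)", SAMPLE_ROWS)
    return conn


def group_rows(conn, group, dc="myad"):
    """Run the logged statement with the filter value bound as a parameter."""
    cur = conn.execute(GROUP_SQL, (group, dc))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def group_entries(rows, cn):
    """Apply the cn/member mapping to the rows and keep only the requested group.

    The subquery returns every row of every user who is in the group, so the
    users' other groups come back as well; grouping on the cn column and
    filtering on the requested cn keeps only the members of that group.
    """
    members = defaultdict(set)
    for row in rows:
        members[row[MAPPING["cn"]]].add(row[MAPPING["member"]])
    return {"cn": cn, "objectClass": "groupOfNames", "member": sorted(members.get(cn, ()))}


def is_member(conn, user, group):
    """The question Oracle's group filter is ultimately asking."""
    return user in group_entries(group_rows(conn, group), group)["member"]


def unsafe_group_rows(conn, group, dc="myad"):
    """Hand-substituted form of the query, as one would paste it into a SQL client
    for a one-off check: the filter value is spliced into the statement text."""
    sql = GROUP_SQL.replace("groupid=?", "groupid='%s'" % group).replace("dc=?", "dc='%s'" % dc)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = load_sample()
    print(group_entries(group_rows(conn, "MY_GROUP"), "MY_GROUP"))
    print("myuser in MY_GROUP:", is_member(conn, "myuser", "MY_GROUP"))
    # A filter value carrying a quote cannot alter the bound query, but it
    # rewrites the spliced one into a match-everything predicate.
    hostile = "x' OR '1'='1"
    print("bound rows:", len(group_rows(conn, hostile)),
          "spliced rows:", len(unsafe_group_rows(conn, hostile)))
```

Running it prints the MY_GROUP entry with members alice and myuser, `True` for the membership check, and `bound rows: 0 spliced rows: 4` for the hostile value; the logged `Adding new parameter` lines in the thread are what show MyVD taking the bound path.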