ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Improve LDAP User Search filter validation #423

Open stemid opened 6 years ago

stemid commented 6 years ago
ISSUE TYPE
COMPONENT NAME
SUMMARY

Validation fails on complex LDAP User Search filters.

ENVIRONMENT
STEPS TO REPRODUCE

For example trying to use a nested group search filter will trigger "Invalid filter" error.

[
 "ou=Hosting,dc=domain,dc=local",
 "SCOPE_SUBTREE",
 "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=app_awx_users,ou=awx,ou=applicationgroups,ou=hosting,dc=domain,dc=local)(sAMAccountName=%(user)s))"
]

That means that the valid users are members of nested groups that are in turn members of the APP_AWX_Users group. This is common in large AD because it's not realistic to add individual users to an application group when you need access for entire departments.

EXPECTED RESULTS

Save the form.

ACTUAL RESULTS

The form is not saved; red text appears under the Ldap User Search box saying "Invalid filter: ...".

ADDITIONAL INFORMATION

My LDAP backend is Microsoft AD 2008 DFL.

I have tried using the Ldap Group Type and Ldap Require Group to set a parent group with group members, but none of the Group Types with "Nested" in the name have worked to look up my user, which is nested in one of the child-group members of the group DN specified in Ldap Require Group.

So when this doesn't work I use a more complex filter to search nested groups and that's when I ran into the validation bug.

I did not submit a PR immediately because I think there should be a discussion about whether this type of validation of LDAP filters is sound or not, and whether the fix should be to add more characters to the regex so that this one example of a complex filter passes, or to avoid doing regex validation of LDAP filters altogether.

A person I spoke to on IRC claims that with an IPA backend and Group Type set to NestedMemberDNGroupType they are able to use nested group memberships without a complex filter.

I am unable to do this with an AD 2008 DFL backend, unless I disable the regex validation and use a complex filter like the example I provided earlier.
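The question raised above is whether a character whitelist regex is the right way to validate an LDAP search filter at all. The alternative is to parse the filter against the RFC 4515 grammar, which accepts the extensible-match form `attr:rule:=value` used for the AD nested-group OID without needing a widening regex, while still rejecting unbalanced parentheses, bad `\XX` escapes and trailing data. The following is an added example, not AWX's or django-auth-ldap's own code: a small recursive-descent validator that also enforces the `%(user)s` placeholder django-auth-ldap expects. The `USER_PLACEHOLDER` token and the malformed sample filters are constructed here; the nested-group filter is the one quoted in the issue.

```python
import re

PLACEHOLDER = "%(user)s"      # django-auth-ldap substitutes the login name here
_TOKEN = "USER_PLACEHOLDER"   # stand-in used during validation (constructed)

# attribute description (RFC 4512): descr with optional ";options", or a numeric OID
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|[0-9]+(?:\.[0-9]+)+")
# matching rule: descr or numeric OID (the AD in-chain rule 1.2.840.113556.1.4.1941 is numeric)
_RULE_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)\Z")
_HEX2_RE = re.compile(r"[0-9A-Fa-f]{2}")


class FilterError(ValueError):
    """Raised with the offset of the first character that violates RFC 4515."""


class LDAPFilterParser:
    """Parses filter = "(" (and | or | not | item) ")" and returns a tuple tree."""

    def __init__(self, text):
        self.s, self.i = text, 0

    def peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def expect(self, ch):
        if self.peek() != ch:
            raise FilterError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def parse(self):
        node = self.filter()
        if self.i != len(self.s):
            raise FilterError(f"unexpected data after filter at offset {self.i}")
        return node

    def filter(self):
        self.expect("(")
        c = self.peek()
        if c in ("&", "|"):                      # and / or: one or more sub-filters
            self.i += 1
            kids = []
            while self.peek() == "(":
                kids.append(self.filter())
            if not kids:
                raise FilterError(f"empty {c!r} list at offset {self.i}")
            node = (c, kids)
        elif c == "!":                           # not: exactly one sub-filter
            self.i += 1
            node = ("!", self.filter())
        else:
            node = self.item()
        self.expect(")")
        return node

    def item(self):
        m = _ATTR_RE.match(self.s, self.i)
        attr = m.group(0) if m else ""
        if m:
            self.i = m.end()
        if self.peek() == ":":
            return self.extensible(attr)
        if not attr:
            raise FilterError(f"missing attribute at offset {self.i}")
        c = self.peek()
        if c in ("~", ">", "<"):                 # approx / greater-or-equal / less-or-equal
            self.i += 1
            self.expect("=")
            return ("simple", attr, c + "=", self.value(allow_star=False))
        self.expect("=")
        val = self.value(allow_star=True)        # '*' allowed: presence or substring
        return ("present", attr) if val == "*" else ("simple", attr, "=", val)

    def extensible(self, attr):
        # attr [":dn"] [":" matchingrule] ":=" value   (RFC 4515 section 3)
        dn, rule = False, None
        while True:
            self.expect(":")
            if self.peek() == "=":
                self.i += 1
                break
            end = self.s.find(":", self.i)
            if end == -1:
                raise FilterError(f"unterminated extensible match at offset {self.i}")
            tok, self.i = self.s[self.i:end], end
            if tok.lower() == "dn" and not dn and rule is None:
                dn = True
            elif rule is None and _RULE_RE.match(tok):
                rule = tok
            else:
                raise FilterError(f"bad matching rule {tok!r} at offset {self.i}")
        if not attr and rule is None:
            raise FilterError(f"extensible match needs an attribute or rule at offset {self.i}")
        return ("ext", attr, dn, rule, self.value(allow_star=False))

    def value(self, allow_star):
        out = []
        while True:
            c = self.peek()
            if c == "" or c == ")":
                return "".join(out)
            if c == "(" or c == "\x00":
                raise FilterError(f"unescaped {c!r} in value at offset {self.i}")
            if c == "*" and not allow_star:
                raise FilterError(f"'*' not allowed in this value at offset {self.i}")
            if c == "\\":                        # only "\XX" hex escapes are legal
                if not _HEX2_RE.fullmatch(self.s[self.i + 1:self.i + 3]):
                    raise FilterError(f"bad escape at offset {self.i}")
                out.append(self.s[self.i:self.i + 3])
                self.i += 3
                continue
            out.append(c)
            self.i += 1


def validate_user_search_filter(raw):
    """Validate a user search filter as AWX stores it; returns the parse tree."""
    if PLACEHOLDER not in raw:
        raise FilterError("user search filter must contain %(user)s")
    # The placeholder's own parentheses are not filter syntax, so swap in a plain
    # token first; django-auth-ldap escapes the real username at login time.
    return LDAPFilterParser(raw.replace(PLACEHOLDER, _TOKEN)).parse()


def is_valid(raw):
    try:
        validate_user_search_filter(raw)
        return True
    except FilterError:
        return False


# The nested-group filter from the issue, plus constructed malformed variants.
NESTED_GROUP_FILTER = (
    "(&(objectClass=user)"
    "(memberOf:1.2.840.113556.1.4.1941:=CN=app_awx_users,ou=awx,ou=applicationgroups,"
    "ou=hosting,dc=domain,dc=local)"
    "(sAMAccountName=%(user)s))"
)
BAD_FILTERS = {
    "unbalanced": "(&(objectClass=user)(sAMAccountName=%(user)s)",
    "trailing data": "(sAMAccountName=%(user)s)(objectClass=*)",
    "no placeholder": "(&(objectClass=user)(sAMAccountName=admin))",
    "bad escape": "(cn=%(user)s\\zz)",
    "unescaped paren": "(cn=(%(user)s)",
}

if __name__ == "__main__":
    print(validate_user_search_filter(NESTED_GROUP_FILTER))
    for name, flt in BAD_FILTERS.items():
        print(f"{name}: valid={is_valid(flt)}")
```

Validating against the grammar rather than a character class means a filter is accepted or rejected for a structural reason the error message can name (offset of the unbalanced parenthesis, the bad escape, the stray text after the closing parenthesis), which is what an administrator needs when a form field turns red. The placeholder substitution is deliberate: the raw template is not itself a valid RFC 4515 filter, so any validator must check the post-substitution form.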

Nold360 commented 3 years ago

Seems to be fixed by now. I could successfully use this filter as described.

LDAP User Search:

[
  "OU=User,DC=mydomain,DC=org",
  "SCOPE_SUBTREE",
  "(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=AWX-Group,OU=Gruups,DC=mydoimain,DC=org)(sAMAccountName=%(user)s))"
]