dwimberger / crowd-ldap-server

Implementation of an LDAP server that delegates authentication to an Atlassian Crowd installation using the Crowd REST API.
Apache License 2.0

Several problems with LDAP query filters #10

Open istvanrath opened 10 years ago

istvanrath commented 10 years ago

Hi,

I have experimented with several LDAP filtered queries, and found that most filters basically don't work as expected:

I have tested these cases with phpLDAPAdmin.

dwimberger commented 10 years ago

There was no requirement to implement a fully functional LDAP server, so really only authentication within the boundaries of the apps I have needed to integrate so far works.

This is also the reason I made the repository public, because being open source, you can add functionality you need under the terms you prefer :)

I suppose that some things can be implemented on top of the provided search functionality in the REST API.

istvanrath commented 10 years ago

OK that's fine, but at least the documentation should indicate this, as these are fairly prohibitive limitations once you need to provide authentication to practical front-ends such as e-mail management etc.

Just out of curiosity: is this really missing functionality from your code, or a bug (as I would have thought queries would be forwarded to the Apache Directory)?

dwimberger commented 10 years ago

I added a note about this to the Wiki actually :) https://github.com/dwimberger/crowd-ldap-server/wiki

Yes, it is missing functionality. And no, queries are not forwarded; they are handled by a custom partition that essentially uses the Crowd REST API (Java Integration Client) for handling. The limiting factor in functionality will be the Integration/REST API (e.g. it does not permit retrieving password hashes).

istvanrath commented 10 years ago

Thanks for the reply. I've amended the wiki to make this a bit more clear.

And no, queries are not forwarded; they are handled by a custom partition that essentially uses the Crowd REST API (Java Integration Client) for handling.

I'm wondering: wouldn't it be better to somehow "clone" as much info as possible from Crowd into the Apache Directory, and have that serve everything? This way, you would only have to pipe those requests through the Crowd REST API which cannot be served from the copy (e.g. password hashes).

JanGe commented 10 years ago

To connect Seafile with Crowd over LDAP, I did a quick hack to the findOneLevel() method to support filtering for email addresses. You can find the changes here: JanGe/crowd-ldap-server@0e53608ac622af0da7efaf10062321d604d41544 Not perfect, but it works. ;)