goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Compound LDAP searches fail #11880

Open terratrax opened 3 weeks ago

terratrax commented 3 weeks ago

Describe the bug

Searches using the or ( | ) operator fail even though objects exist that satisfy the search criteria.

For example, this will work and return someuser's object:
ldapsearch -D 'cn=searchuser,DC=ldap,DC=my,DC=domain' -w 'searchpassword' -H ldap://ldap-server:389 -b 'DC=ldap,DC=my,DC=domain' '(&(objectClass=posixAccount)(sAMAccountName=someuser))'

However, if I add an or ( | ) to search multiple object types, the search will return no results:
ldapsearch -D 'cn=searchuser,DC=ldap,DC=my,DC=domain' -w 'searchpassword' -H ldap://ldap-server:389 -b 'DC=ldap,DC=my,DC=domain' '(&(|(objectClass=posixAccount)(objectClass=posixGroup))(sAMAccountName=someuser))'

Additionally, and perhaps related, searches that have two matching results due to an or ( | ) will return only the last result:

The following will return only the posixAccount object:
ldapsearch -D 'cn=searchuser,DC=ldap,DC=ultimus,DC=cloud' -w 'searchpassword' -H ldap://ldap-server:389 -b 'DC=ldap,DC=my,DC=domain' '(|(&(objectClass=posixGroup)(sAMAccountName=groupname))(&(objectClass=posixAccount)(sAMAccountName=username)))'

While the following will return only the posixGroup object:
ldapsearch -D 'cn=searchuser,DC=ldap,DC=ultimus,DC=cloud' -w 'searchpassword' -H ldap://ldap-server:389 -b 'DC=ldap,DC=my,DC=domain' '(|(&(objectClass=posixAccount)(sAMAccountName=username))(&(objectClass=posixGroup)(sAMAccountName=groupname)))'

To Reproduce

Steps to reproduce the behavior:

  1. Set up an LDAP outpost, provider, and application
  2. Create a user with LDAP directory search credentials and bind it to the LDAP application.
  3. Verify that you can bind to the LDAP server and perform a simple search as in the first example above.
  4. Add an or ( | ) operator to the query which you expect to not match anything as in the second example above
  5. Note that the query will now return no results

Expected behavior

Because the search includes the or operator ( | ), results should include objects that match any of the queries that apply to the operator. For example, searching for objects (objectClass posixUsers OR objectClass posixGroup) AND (sAMAccountName=somename) should return all posixUsers and posixGroups where the sAMAccountName is somename.

Version and Deployment (please complete the following information):

Additional context

Seems related to #2756
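As an added illustration of the filter semantics the report expects (example code written for this page, not authentik's outpost or core code), the following is a small RFC 4515 filter evaluator run over an in-memory directory. The two sample entries, their DNs and attribute values are constructed placeholders shaped like the objects in the report, and `parse_filter`, `matches` and `search` are names chosen here. Applied to the report's filters, a conforming evaluator returns the user for both the plain AND filter and the AND-over-OR filter, and returns both objects for the OR of two ANDs whichever operand is listed first.

```python
"""Minimal RFC 4515 filter evaluator (added example, not authentik code)."""

# An entry maps attribute names to their values. objectClass and sAMAccountName
# match case-insensitively in practice, so names and values are folded to lower case.
Entry = dict[str, list[str]]


def parse_filter(s: str):
    """Parse "(&(|(a=1)(b=2))(c=3))" into a nested tuple tree.

    AND/OR nodes become ('&', [subs]) / ('|', [subs]); an equality item becomes
    ('=', attr, value). Presence, substring and NOT items are not needed for the
    filters in the report and are rejected.
    """
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse(s: str, pos: int):
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(s) and s[pos] in "&|":
        op = s[pos]
        pos += 1
        subs = []
        while pos < len(s) and s[pos] == "(":  # zero or more operands
            sub, pos = _parse(s, pos)
            subs.append(sub)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, subs), pos + 1
    end = s.find(")", pos)
    if end < 0:
        raise ValueError(f"unterminated item at offset {pos}")
    attr, sep, value = s[pos:end].partition("=")
    if not sep or not attr or not value or "*" in value:
        raise ValueError(f"unsupported filter item {s[pos:end]!r}")
    return ("=", attr.lower(), value.lower()), end + 1


def matches(node, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry: AND needs every operand,
    OR needs at least one, an equality item needs one matching value."""
    op = node[0]
    if op == "&":
        return all(matches(sub, entry) for sub in node[1])
    if op == "|":
        return any(matches(sub, entry) for sub in node[1])
    _, attr, value = node
    for name, values in entry.items():
        if name.lower() == attr and any(v.lower() == value for v in values):
            return True
    return False


def search(entries: dict[str, Entry], filter_str: str) -> list[str]:
    """Return the DNs of every entry the filter matches, in directory order."""
    node = parse_filter(filter_str)
    return [dn for dn, entry in entries.items() if matches(node, entry)]


# Constructed sample directory: one posixAccount and one posixGroup shaped like
# the objects in the report (DNs and names are placeholders).
SAMPLE_DIRECTORY: dict[str, Entry] = {
    "cn=someuser,ou=users,DC=ldap,DC=my,DC=domain": {
        "objectClass": ["posixAccount", "inetOrgPerson"],
        "sAMAccountName": ["someuser"],
    },
    "cn=groupname,ou=groups,DC=ldap,DC=my,DC=domain": {
        "objectClass": ["posixGroup"],
        "sAMAccountName": ["groupname"],
    },
}

if __name__ == "__main__":
    for f in (
        "(&(objectClass=posixAccount)(sAMAccountName=someuser))",
        "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(sAMAccountName=someuser))",
        "(|(&(objectClass=posixGroup)(sAMAccountName=groupname))"
        "(&(objectClass=posixAccount)(sAMAccountName=someuser)))",
    ):
        print(f, "->", search(SAMPLE_DIRECTORY, f))
```

The evaluator keeps every operand of an OR rather than stopping at one match, which is the behaviour the report's last two examples are missing: the result set of `(|(A)(B))` is the union of the entries matched by A and by B, independent of the order in which A and B are written.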

SergioLuis commented 1 week ago

This issue and #2756 make the Authentik LDAP outpost incompatible with Unity Version Control (Plastic SCM).