Issue when searching a user on LDAP

[mjattiot]

Hello everyone,

I am trying to setup the directory search feature in mxisd, using LDAP provider. While searching for a user I have a correct match when mxisd is looking for the "Display name" but then mxisd is looking on 3PIDs and matches every entries !

Correct match on display name:

[XNIO-1 task-5] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - Performing LDAP directory search on display name using 'mja'
[XNIO-1 task-5] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - Found possible match, DN: uid=mjattiot,ou=Users,dc=opensense,dc=fr
[XNIO-1 task-5] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - DN uid=mjattiot,ou=Users,dc=opensense,dc=fr is a valid match
[XNIO-1 task-5] INFO io.kamax.mxisd.directory.DirectoryManager - Display name: found 1 match(es) for 'mja'

Matching every entries on 3PIDs ...

[XNIO-1 task-5] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - Performing LDAP directory search on 3PIDs using 'mja'
[XNIO-1 task-5] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - Found possible match, DN: uid=mjattiot,ou=Users,dc=opensense,dc=fr
[XNIO-1 task-5] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - DN uid=mjattiot,ou=Users,dc=opensense,dc=fr is a valid match
[XNIO-1 task-5] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - Found possible match, DN: uid=hbaptiste,ou=Users,dc=opensense,dc=fr
[...]
[XNIO-1 task-5] INFO io.kamax.mxisd.directory.DirectoryManager - Threepid: found 10 match(es) for 'mja'
[XNIO-1 task-5] INFO io.kamax.mxisd.directory.DirectoryManager - Total matches: 10 - limited? false

I have setup a 3PID mapping on emails and the word 'mja' is only present on one email out of our 10 users. This is strange that everything matches. Any clues ?

My configuration is the following:

ldap:
  enabled: true
  connection:
    [...]
    baseDNs:
      - 'ou=Users,dc=opensense,dc=fr'
  attribute:
    uid:
      type: 'uid'
      value: 'uid'
    name: 'cn'
    threepid:
      email:
        - 'mail'

session:
  policy:
    validation:
      enabled: false

dns:
  overwrite:
    homeserver:
      client:
        - name: 'my_homeserver'
          value: 'http://matrix-server:8008'

[maxidorius]

The connector is not just using the 3PID attributes when performing a research for various UX reasons that we learned over time. The point is that display name search or 3PID would include other attributes, like the ID or the display name itself, making some of the lookup redundant at times.

So rather, let me ask you this: can you find "mja" as a substring in any attribute value for those users?

[mjattiot]

Ok I understand that it's performing a search on all attributes. However the word "mja" only exists in one user attributes as you can see from the following ldapsearch:

$ ldapsearch -H ldap://localhost:1234 -D 'cn=LDAP_USER' -w LDAP_PASSWORD -b "ou=Users,dc=opensense,dc=fr" | grep mja

ldap_bind: Success (0)
        additional info: Valid access code
# mjattiot, Users, opensense.fr
dn: uid=mjattiot,ou=Users,dc=opensense,dc=fr
uid: mjattiot
googleUid: mjattiot
posixUid: mjattiot
cn: mjattiot
mail: mjattiot@opensense.fr
homeDirectory: /home/mjattiot

It's why I don't understand the mxisd behavior ...

[maxidorius]

I'll label this as a bug for now and try to reproduce and fix for v1.4 if that is indeed a bug. There is a higher priority at the moment so give this a few working days for us to work on.

[mjattiot]

ok thank you @maxidorius

[mjattiot]

@maxidorius I think it's a bug coming from Google LDAP not accepting wildcards on the mail attribute ... Don't bother yet, I am opening a bug at Google and I'll keep you posted on this thread to help people that might use Google LDAP as well.

[maxidorius]

@mjattiot any update or should I close?

[maxidorius]

Closing due to lack of feedback, and removing bug label as it seems to be specific to Google LDAP, which we do not try to support.