Closed coudot closed 2 days ago
I plan to create a new method in ltb-common to check if a DN matches a filter/base/scope.
The best way, from my point of view, is to do a search with filter/base/scope and use the DN value in the filter (which requires adapting the filter between AD and OpenLDAP).
When displaying the entry from the DN (or doing any action on it), we don't check that the DN is compatible with the configured LDAP filter (and scope). This could allow acting on entries that should not be managed by Service Desk.
Even if the Service Desk LDAP account should be limited by directory ACLs, it would be better to refuse any action if we are out of scope of what is configured.
This is really needed for multi-tenancy.
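
A sketch of the check described above, added here as an illustration; it is not code from ltb-common or Service Desk. The function names, the `'ad'`/`'openldap'` type values and the choice of `distinguishedName` (AD) and `entryDN` (OpenLDAP) as the DN attribute are assumptions. It requires PHP's ldap extension.

```php
<?php
// Added illustration, not ltb-common code. Function names are hypothetical.

/**
 * Combine the configured filter with an equality match on the entry's DN.
 * Assumption: AD exposes the DN as "distinguishedName", OpenLDAP as the
 * operational attribute "entryDN" (RFC 5020).
 */
function build_dn_scoped_filter(string $filter, string $dn, string $type): string
{
    $attr = ($type === 'ad') ? 'distinguishedName' : 'entryDN';
    // Escape the DN as a filter value (RFC 4515) so "(", ")", "*" and "\"
    // inside the DN cannot change the structure of the filter.
    $value = ldap_escape($dn, '', LDAP_ESCAPE_FILTER);
    // Configured filters are sometimes written without outer parentheses.
    if (substr($filter, 0, 1) !== '(') {
        $filter = '(' . $filter . ')';
    }
    return '(&' . $filter . '(' . $attr . '=' . $value . '))';
}

/**
 * True only if the DN is returned by a search using the configured
 * base, scope and filter. The server compares the DN with its own DN
 * matching rule, so case and spacing differences are handled there.
 */
function dn_matches_config($ldap, string $dn, string $base, string $filter,
                           string $scope, string $type): bool
{
    $combined = build_dn_scoped_filter($filter, $dn, $type);
    $attrs = ['1.1']; // request no attributes (RFC 4511); existence is enough
    switch ($scope) {
        case 'base': $res = @ldap_read($ldap, $base, $combined, $attrs); break;
        case 'one':  $res = @ldap_list($ldap, $base, $combined, $attrs); break;
        case 'sub':  $res = @ldap_search($ldap, $base, $combined, $attrs); break;
        default:     return false; // unknown scope: refuse
    }
    // Fail closed: a search error or any count other than 1 is a refusal.
    return $res !== false && ldap_count_entries($ldap, $res) === 1;
}

// Constructed sample values, showing the filter sent to the server.
echo build_dn_scoped_filter(
    '(objectClass=inetOrgPerson)',
    'uid=j(doe),ou=people,dc=example,dc=com',
    'openldap'
), PHP_EOL;
```

Calling `dn_matches_config()` before every display or action on a DN supplied by the client means an entry outside the configured base, scope or filter is refused even when directory ACLs would have allowed the bind account to reach it.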