Open McL0v1n opened 4 years ago
Hi, I don't know if my issue is related...
I set up ma1sd with OpenLDAP (Debian Slapd) and I can't log in.
I keep seeing `Query: (saMAccountName=nouts)` in the logs. As I don't have a field sAMAccountName in my LDAP, I guess that's why. It needs to use uid instead.
I thought this would allow me to overwrite the default query.
My config is:
```yaml
attribute:
  uid:
    type: 'uid'
    value: 'uid'
```
That would mean ma1sd does not fully support OpenLDAP? :thinking:
Same issue. It looks like the setting you posted only maps the attributes, it doesn't change the search.
-------- Original Message -------- On Apr 19, 2020, 5:31 AM, nouts wrote:
> Hi, I don't know if my issue is related... I set up ma1sd with OpenLDAP (Debian Slapd) and I can't log in. I keep seeing `Query: (saMAccountName=nouts)` in the logs. As I don't have a field sAMAccountName in my LDAP, I guess that's why. It needs to use uid instead. I thought this would allow me to overwrite the default query. My config is:
> ```yaml
> attribute:
>   uid:
>     type: 'uid'
>     value: 'uid'
> ```
> That would mean ma1sd does not fully support OpenLDAP? 🤔
gnouts, I'm using 389-ds. I'm using the following config and it's working fine using uid as the username:
```yaml
ldap:
  enabled: true
  lookup: true
  connection:
    host: '$ldap.server'
    port: 389
    bindDn: 'cn=$something'
    bindPassword: '$pw'
    baseDNs:
      - 'ou=people,dc=domain,dc=foo'
  attribute:
    uid:
      type: 'uid' # or mxid
      value: 'uid'
    name: 'cn'
    other:
      - 'givenName'
      - 'sn'
  identity:
    filter: '(objectClass=inetOrgPerson)'
```
hey @toushin-taishi & thanks for posting your config.. please post esp. YAML within code blocks (three backticks) so it gets properly formatted. :+1:
@toushin-taishi : Can you do an LDAP search in your directory (389-ds) for a standard user and post the attributes?
@McL0v1n , sure.
```
# LDAPv3
# base <ou=people,dc=xx,dc=xx,dc=xx> with scope subtree
# filter: (uid=matrix.synapse)
# requesting: ALL
#
# matrix.synapse, People, xx.xx.xx
dn: uid=matrix.synapse,ou=People,dc=xx,dc=xx,dc=xx
cn: Matrix Synapse
givenName: Matrix
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
objectClass: posixAccount
objectClass: mailrecipient
objectClass: mailgroup
objectClass: inetuser
sn: Synapse
uidNumber: xx
gidNumber: xx
homeDirectory: xx
telephoneNumber:
ou: xx
loginShell: xx
mail: matrix.synapse@xx.xx.xx
mailQuota: xx
ntUserDomainId: matrix.synapse
inetUserStatus: off
uid: matrix.synapse
# search result
search: 2
result: 0 Success
```
Thanks @toushin-taishi . Which version of the container are you running?
@McL0v1n , I'm not using Docker images. I'm using the Debian packages.
Thank you @toushin-taishi .
@gnouts are you using a package or a docker image?
@eMPee584 there may be a disparity between the docker image and the packages.
I'm using the docker image, installed with matrix-docker-ansible
Coming back to this. Version 2.4.0 still has the issue, attempting with 2.5.0.
This issue still occurs with the docker image @ma1uta. It constantly looks for samAccountname instead of uid.
When using the LDAP auth module, ma1sd looks into LDAP for "samaccountname" by default. When using FreeIPA (based on OpenLDAP), this account attribute is not part of the ldap schema.
Best fix would be to change the default filter to be adjustable.
I attempted to add a default filter and it just added it in addition to looking for samaccountname.
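An offline check for the mismatch discussed in this thread, added here as an example (it is not part of the original thread and is not ma1sd code): it parses `ldapsearch` output and reports which attributes named in a logged filter are absent from the entry, and which attributes actually hold the login name. The sample entry is constructed, modelled on the 389-ds output above with placeholder values, and all function names are hypothetical.

```python
import base64
import re

# Constructed sample modelled on the ldapsearch output in the thread (placeholder values).
SAMPLE_LDIF = """\
# matrix.synapse, People, example.org
dn: uid=matrix.synapse,ou=People,dc=example,dc=org
cn: Matrix Synapse
objectClass: inetorgperson
objectClass: posixAccount
mail: matrix.synapse@example.org
uid: matrix.synapse
"""

def parse_entry(ldif):
    """Parse one ldapsearch/LDIF entry into {lowercased attribute: [values]}."""
    entry, last = {}, None
    for line in ldif.splitlines():
        if line.startswith(" ") and last:            # folded continuation line
            entry[last][-1] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):          # blank lines and comments
            continue
        last = name.strip().lower()                  # attribute names are case-insensitive
        if value.startswith(":"):                    # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(last, []).append(value.strip())
    return entry

def filter_attributes(ldap_filter):
    """Attribute names used in the filter's (attr=value) terms, lowercased."""
    return [a.lower() for a in re.findall(r"\(\s*([A-Za-z][\w;.-]*)\s*[~<>]?=", ldap_filter)]

def missing_attributes(ldap_filter, entry):
    """Filter attributes the entry does not carry, so that term can never match it."""
    return [a for a in filter_attributes(ldap_filter) if a not in entry]

def login_attributes(entry, login):
    """Attributes whose value equals the login name: candidates for the username lookup."""
    return sorted(a for a, vals in entry.items() if login.lower() in (v.lower() for v in vals))

if __name__ == "__main__":
    entry = parse_entry(SAMPLE_LDIF)
    for f in ("(saMAccountName=matrix.synapse)", "(&(objectClass=inetOrgPerson)(uid=matrix.synapse))"):
        print(f, "-> missing on entry:", missing_attributes(f, entry))
    print("attributes holding the login:", login_attributes(entry, "matrix.synapse"))
```

Feed it the entry returned by your own `ldapsearch` together with the `Query:` line from the ma1sd log to confirm whether the logged filter can match any attribute your schema provides.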