openshift / oc

The OpenShift Command Line, part of OKD
https://www.openshift.org
Apache License 2.0

group sync is showing error "entry would search outside of the base dn specified" but it's not. #1814

Closed germanparente closed 1 day ago

germanparente commented 3 days ago

This is a bug that is well known on the support side and that can be seen multiple times in customer environments.

When syncing groups from LDAP, usersquery.basedn or groupsquery.basedn is case sensitive when, in fact, LDAP should not be.

As an example, if we specify in the sync config file:

usersQuery:
    baseDN: "cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG"

we can have an error of this sort:

I0704 15:38:22.006947 27224 ldapinterface.go:99] membership lookup for user "cn=ipausers,cn=groups,cn=accounts,dc=demo1,dc=freeipa,dc=org" in group "uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org" skipped because of "search for entry with dn=\"uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org\" would search outside of the base dn specified (dn=\"cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG\")"

when, in fact, we see clearly that in this case cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org is not outside of the base DN cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG

The problem is that DNs should be normalized before being compared.

The issue seems to be in this piece of code:

            if !baseDN.AncestorOf(dn) && !baseDN.Equal(dn) {
                    return nil, NewQueryOutOfBoundsError(attributeValue, o.BaseDN)
            }

There are some functions to normalize DNs only in the library github.com/go-ldap/ldap/v3 v3.4.8

But the current library we are using, github.com/go-ldap/ldap/v3 v3.4.8, already proposes the former functions normalizing the parameters (EqualFold / AncestorFold)

A quick fix that I have already tested could be:

diff --git a/vendor/github.com/openshift/library-go/pkg/security/ldapquery/query.go b/vendor/github.com/openshift/library-go/pkg/security/ldapquery/query.go index 19f276f3e..8868f287a 100644 --- a/vendor/github.com/openshift/library-go/pkg/security/ldapquery/query.go +++ b/vendor/github.com/openshift/library-go/pkg/security/ldapquery/query.go @@ -112,9 +112,9 @@ func (o *LDAPQueryOnAttribute) NewSearchRequest(attributeValue string, attribute if err != nil { return nil, fmt.Errorf("could not search by dn, invalid dn value: %v", err) }
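Review bot: the hunk header `@@ -112,9 +112,9 @@` announces nine changed lines, but only the `if err != nil { return nil, fmt.Errorf("could not search by dn, invalid dn value: %v", err) }` context survives in the pasted diff; the actual replacement of `AncestorOf`/`Equal` with the fold-aware variants is not visible, so the change cannot be reviewed from this paste. Also, the patch targets `vendor/github.com/openshift/library-go/pkg/security/ldapquery/query.go`; edits under `vendor/` are overwritten the next time the dependency is re-vendored, so the fix should land in openshift/library-go and reach oc through a vendor bump.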
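A stand-alone illustration of the comparison at issue, added here and not part of the issue or of library-go: a minimal DN-suffix check run both byte-exact (the behaviour reported above) and case-folded, against the DNs from the quoted log line. The `rdns` and `inBounds` helpers are this example's own simplified stand-ins for go-ldap's DN parsing and comparison, not the library's code.

```go
package main

import (
	"fmt"
	"strings"
)

// rdns splits a DN into its RDN components. Simplification for this
// example: no escaped commas and no multi-valued RDNs (true for the DNs
// quoted in the issue); real code should use go-ldap's ParseDN instead.
func rdns(dn string) []string {
	parts := strings.Split(dn, ",")
	for i := range parts {
		parts[i] = strings.TrimSpace(parts[i])
	}
	return parts
}

// inBounds reports whether dn equals baseDN or sits beneath it, the same
// decision as the quoted `!baseDN.AncestorOf(dn) && !baseDN.Equal(dn)`.
// fold=false compares each RDN byte-for-byte (the reported bug);
// fold=true compares case-insensitively, as go-ldap's *Fold methods do.
// Caveat: LDAP value matching is really attribute-specific; folding the
// whole RDN is right for dc/cn/uid-style DNs but not for every syntax.
func inBounds(baseDN, dn string, fold bool) bool {
	base, entry := rdns(baseDN), rdns(dn)
	if len(base) > len(entry) {
		return false
	}
	// DNs list the most specific RDN first, so walk from the right end.
	for i := 1; i <= len(base); i++ {
		b, e := base[len(base)-i], entry[len(entry)-i]
		if (fold && !strings.EqualFold(b, e)) || (!fold && b != e) {
			return false
		}
	}
	return true
}

func main() {
	// Values taken from the issue's log line.
	base := "cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG"
	user := "uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org"
	group := "cn=ipausers,cn=groups,cn=accounts,dc=demo1,dc=freeipa,dc=org"
	fmt.Println("user, exact:", inBounds(base, user, false)) // false: the bug
	fmt.Println("user, fold: ", inBounds(base, user, true))  // true
	fmt.Println("group, fold:", inBounds(base, group, true)) // false: genuinely outside
}
```

The third case shows that folding does not loosen the bound: an entry under cn=groups is still rejected for a cn=users base.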

germanparente commented 1 day ago

/assign

germanparente commented 1 day ago

Closing this issue that should be fixed in:

https://github.com/openshift/library-go

Issue opened: https://github.com/openshift/library-go/issues/1755 in ldapquery, validation out of bounds query should be case insensitive as ldap is.