owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

Users service creates invalid LDAP filter when listing all users. #5142

Open rhafer opened 1 year ago

rhafer commented 1 year ago

This is happening when using an external IDP / external LDAP configuration (setup with our helm chart). Trying to list all users in the user-management (e.g. to assign roles) results in invalid LDAP filters.

These two queries seem to be problematic and are finding 0 results:

openldap  | 63775677 conn=1615 op=19228 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(|(?=undefined)(?=undefined)(?=undefined)(?uid=)))"
openldap  | 63775677 conn=1615 op=19228 SRCH attr=uid uid mail cn uidNumber gidNumber
openldap  | 63775677 conn=1615 op=19228 SEARCH RESULT tag=101 err=0 nentries=0 text=

openldap  | 63775677 conn=1616 op=8 SRCH base="ou=groups,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=groupOfNames)(|(?=undefined)(?=undefined)(?=undefined)(?cn=)))"
openldap  | 63775677 conn=1616 op=8 SRCH attr=description cn mail cn gidNumber
openldap  | 63775677 conn=1616 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text=

This is indeed weird. Looks a bit like a mis-configuration, but it might also be an issue with the helm charts. I need to take a deeper look.

@NexZhu I was able to reproduce the problem. It seems to be caused by a bug in the user provider, which constructs a broken LDAP filter under certain circumstances. I'll open a new issue for this with some background and a possible workaround.

Originally posted by @rhafer in https://github.com/owncloud/ocis/issues/5045#issuecomment-1329370022

rhafer commented 1 year ago

The helm charts configure the graph API to use the cs3 users backend. The user management UI tries to list all users (issuing a graph request with an empty search string):

curl 'https://ocis.owncloud.kube/graph/v1.0/users?%24top=0&%24skip=0&%24search=&%24filter=&%24count=false&%24orderby=displayName&%24select=&%24expand=memberOf'

When LDAP_USER_SUBSTRING_FILTER_TYPE is set to any (or default since #4282) the LDAP backend in the CS3 users service will generate an invalid LDAP filter for it. (e.g. (uid=**) instead of (uid=*)). This needs to be fixed in the cs3 user provider.

@NexZhu I think the easiest temporary workaround for your setup would be to reconfigure your helm chart and set externalUserManagement.ldap.substringFilterType=initial. The downside would be that, until we have a real fix, your users will not be able to do a full substring search for users when trying to create file shares (see #4282).

@micbar To avoid this becoming a blocker for ocis, I think we can change the helm chart to deploy the graph service to use the LDAP backend instead of the CS3 backend.
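
As an added illustration (not ocis code and not the fix the project shipped), here is how a users backend could build the filter so that an empty search string yields (uid=*) rather than (uid=**), an unset attribute name is rejected instead of becoming (?=undefined), and user input is escaped per RFC 4515; the escaper, attribute list and function names are my own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// filterEscaper hex-escapes the characters that are special inside an LDAP
// filter assertion value (RFC 4515), so a user-supplied search term cannot
// add wildcards or parentheses that change the filter structure.
var filterEscaper = strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`)

// substringFilter returns one substring assertion for attr. An empty term
// becomes the single presence wildcard "(attr=*)", never "(attr=**)". filterType
// is "any" ("*term*") or "initial" ("term*"), the LDAP_USER_SUBSTRING_FILTER_TYPE values.
func substringFilter(attr, term, filterType string) (string, error) {
	if attr == "" { // an unset attribute name would otherwise yield "(=...)"
		return "", fmt.Errorf("attribute name must not be empty")
	}
	esc := filterEscaper.Replace(term)
	switch {
	case esc == "":
		return fmt.Sprintf("(%s=*)", attr), nil
	case filterType == "any":
		return fmt.Sprintf("(%s=*%s*)", attr, esc), nil
	case filterType == "initial":
		return fmt.Sprintf("(%s=%s*)", attr, esc), nil
	}
	return "", fmt.Errorf("unknown substring filter type %q", filterType)
}

// userSearchFilter ANDs the objectClass with an OR over the per-attribute
// substring assertions, the shape seen in the openldap log in this issue.
func userSearchFilter(objectClass string, attrs []string, term, filterType string) (string, error) {
	parts := make([]string, 0, len(attrs))
	for _, a := range attrs {
		f, err := substringFilter(a, term, filterType)
		if err != nil {
			return "", err
		}
		parts = append(parts, f)
	}
	return fmt.Sprintf("(&(objectClass=%s)(|%s))", objectClass, strings.Join(parts, "")), nil
}

func main() {
	f, _ := userSearchFilter("inetOrgPerson", []string{"displayName", "mail", "uid"}, "", "any")
	fmt.Println(f) // (&(objectClass=inetOrgPerson)(|(displayName=*)(mail=*)(uid=*)))
}
```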

NexZhu commented 1 year ago

Thank you!

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.