snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

Issue with LDAP filtering #7538

Closed Raumbaren closed 5 years ago

Raumbaren commented 5 years ago

Expected Behavior (or desired behavior if a feature request)

LDAP sync filters the users based on the specified CN and syncs only users in that group.


Actual Behavior

When using a wildcard filter such as &(cn=*), it will successfully pull down all users in JumpCloud, including service accounts, admin accounts, and other misc crap we have in there, so we've confirmed that LDAP sync works. However, when we specify a target container with &(cn=SnipeUsers,ou=Users,o=org-id,dc=jumpcloud,dc=com) or &(cn=SnipeUsers), the sync completes successfully but does not pull down any users. Additionally, when we use the filter provided by JumpCloud's LDAP sync documentation for syncing a target group (&(objectClass=groupOfNames)(cn=SnipeUsers)) or (&(objectClass=groupOfNames)(cn=SnipeUsers,ou=Users,o=org-id,dc=jumpcloud,dc=com)), we get the following error:

Error: ldap_search(): Search: Bad search filter



Scintillator commented 5 years ago

It doesn't seem like you are using the Base Bind DN, just the LDAP Filter.

Try this:

Base Bind DN: OU=Users,DC=jumpcloud,DC=com
LDAP Filter: &(cn=*)(o=org-id)

Raumbaren commented 5 years ago

To clarify, LDAP sync is working, so my Base Bind DN and wildcard filter are both fine as is. The problem is we want to target a specific group for LDAP sync rather than pulling the entire directory down, as it includes a bunch of accounts that are unnecessary for snipe. That is where I'm running into a problem, and I included several examples in the Actual Behavior section above.
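
Added example, not part of the thread and not Snipe-IT code: a minimal Python evaluator for a subset of RFC 4515 filters (&, |, !, attr=value, attr=*), run over a constructed three-entry directory to show which entries each filter from the report selects. It assumes the LDAP Filter field is wrapped in one pair of parentheses before the search (inferred from `&(cn=*)` working as entered) and that user entries expose `memberOf`; `sync`, `DIRECTORY` and the `uid=` entries are hypothetical.

```python
BASE = "ou=Users,o=org-id,dc=jumpcloud,dc=com"
GROUP_DN = "cn=SnipeUsers," + BASE
ALICE, SVC = "uid=alice," + BASE, "uid=svc-backup," + BASE
# Constructed sample directory (added example). Assumption: user entries carry memberOf.
DIRECTORY = {
    ALICE: {"objectClass": ["inetOrgPerson"], "cn": ["alice"], "memberOf": [GROUP_DN]},
    SVC: {"objectClass": ["inetOrgPerson"], "cn": ["svc-backup"]},
    GROUP_DN: {"objectClass": ["groupOfNames"], "cn": ["SnipeUsers"], "member": [ALICE]},
}

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError("Bad search filter")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids:
            raise ValueError("Bad search filter")
        node = (op, kids)
    else:
        end = f.find(")", i)
        attr, sep, val = f[i:end].partition("=")
        if end < 0 or not attr or not sep or "(" in f[i:end]:
            raise ValueError("Bad search filter")
        node, i = ("=", attr.lower(), val.lower()), end
    if f[i:i + 1] != ")":
        raise ValueError("Bad search filter")
    return node, i + 1

def matches(node, attrs):
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, val = node
    values = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]
    return bool(values) if val == "*" else val in values

def sync(setting):
    """DNs selected by the filter field; assumes the app wraps it in one pair of parentheses."""
    full = "(" + setting + ")"
    node, end = parse(full)
    if end != len(full):
        raise ValueError("Bad search filter")
    return [dn for dn, attrs in DIRECTORY.items() if matches(node, attrs)]
```

Under those assumptions, `cn=SnipeUsers` matches only the group entry, the already-parenthesised filter fails to parse once wrapped a second time, and `sync("&(objectClass=inetOrgPerson)(memberOf=" + GROUP_DN + ")")` selects only the group member, leaving the service account out of the sync.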