Open ShakataGaNai opened 8 years ago
It looks like it would work if the query had spaces in the group DN:
ldapsearch -h localhost -p 1389 -D "uid=admin,ou=system" -w SAMPLE -b "ou=users,dc=company,dc=com" "(memberOf=cn=MYGROUP, ou=groups, dc=company, dc=com)"
Ah yes, I tried some other variations but that one I didn't. Unfortunately, it looks like even when I add spaces into the Crowd config, they get dropped when it does the group filter:
19:41:04 FallingRock-0 debug: {"ip":"10.78.46.203:52471","time":1473190864053,"dn":"ou=groups, dc=company, dc=com","scope":"sub","filter":"(&(objectclass=groupofnames)(cn=MYGROUP))","attributes":"member,description,cn,objectclass,javaserializeddata,javaclassname,javafactory,javacodebase,javareferenceaddress,javaclassnames,javaremotelocation"}
19:41:04 FallingRock-0 debug: {"ip":"10.78.46.203:52472","time":1473190864123,"dn":"ou=users, dc=company, dc=com","scope":"sub","filter":"(&(objectclass=inetorgperson)(memberof=cn=MYGROUP,ou=groups,dc=trueaccord,dc=com))","attributes":"entryuuid,mail,displayname,givenname,cn,sn,objectclass,javaserializeddata,javaclassname,javafactory,javacodebase,javareferenceaddress,javaclassnames,javaremotelocation"}
(The first line shows the spaces I added to crowd config, the second line does not).
According to https://docs.ldap.com/specs/rfc4514.txt and https://www.ldap.com/ldap-dns-and-rdns all of the following options should be legal:
That being the case, I think the answer is to normalize all searches to always be "dc=something, ou=something, dc=something". Fixing the capitalization (of the ou/dc) and spacing (after a comma) should address a majority of clients?
Debug while attempting to view group members in Atlassian Crowd:
Manual LDAP search sample:
ldapsearch -h localhost -p 1389 -D "uid=admin,ou=system" -w SAMPLE -b "ou=users,dc=company,dc=com" "(memberOf=cn=MYGROUP,ou=groups,dc=company,dc=com)"
Also returns 0, even though I know at least two users show memberOf: cn=MYGROUP,ou=groups,dc=company,dc=com
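Added example, not part of the thread or the project's code: one way to do the normalization suggested in the comments, so that a memberOf comparison ignores padding spaces and attribute-type case while leaving escaped commas and escaped trailing spaces alone. The function names and the sample entries are constructed for illustration, and value comparison assumes case-insensitive matching.

```python
def split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts

def trim(value):
    """Drop unescaped padding spaces; an escaped trailing space is data."""
    value = value.lstrip(" ")
    out = value.rstrip(" ")
    if out != value and (len(out) - len(out.rstrip("\\"))) % 2 == 1:
        out += " "
    return out

def normalize_dn(dn):
    """Canonical form: lowercase attribute types, no padding around , + =."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            avas.append(f"{attr.strip().lower()}={trim(value)}")
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)

def same_dn(a, b):
    # Assumption: values use caseIgnoreMatch (true for cn/ou/dc in standard schema).
    return normalize_dn(a).lower() == normalize_dn(b).lower()

# Constructed sample entries, modelled on the search in this thread.
USERS = [
    {"uid": "alice", "memberOf": ["cn=MYGROUP,ou=groups,dc=company,dc=com"]},
    {"uid": "bob", "memberOf": ["CN=MYGROUP, OU=groups, DC=company, DC=com"]},
    {"uid": "carol", "memberOf": ["cn=OTHER,ou=groups,dc=company,dc=com"]},
]

def members_of(group_dn, users=USERS):
    return [u["uid"] for u in users
            if any(same_dn(group_dn, g) for g in u["memberOf"])]
```

Normalizing both the stored memberOf value and the filter value before comparing means a group lookup that feeds an access decision does not silently return zero members because of spacing.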