trueaccord / FallingRock

Read-only LDAP server for your Okta user directory.
Apache License 2.0

Group Search doesn't work from Crowd #2

Open ShakataGaNai opened 8 years ago

ShakataGaNai commented 8 years ago

Debug while attempting to view group members in Atlassian Crowd:

17:50:06 FallingRock-0 debug: {"ip":"10.78.46.203:52381","time":1473184206544,"dn":"ou=groups, dc=company, dc=com","scope":"sub","filter":"(&(objectclass=groupofnames)(cn=MYGROUP))","attributes":"member,description,cn,objectclass,javaserializeddata,javaclassname,javafactory,javacodebase,javareferenceaddress,javaclassnames,javaremotelocation"}
17:50:06 FallingRock-0 debug: {"ip":"10.78.46.203:52382","time":1473184206635,"dn":"ou=users, dc=company, dc=com","scope":"sub","filter":"(&(objectclass=inetorgperson)(memberof=cn=MYGROUP,ou=groups,dc=company,dc=com))","attributes":"entryuuid,mail,displayname,givenname,cn,sn,objectclass,javaserializeddata,javaclassname,javafactory,javacodebase,javareferenceaddress,javaclassnames,javaremotelocation"}

Manual LDAP search sample: ldapsearch -h localhost -p 1389 -D "uid=admin,ou=system" -w SAMPLE -b "ou=users,dc=company,dc=com" "(memberOf=cn=MYGROUP,ou=groups,dc=company,dc=com)"

Also returns 0, even though I know at least two users show memberOf: cn=MYGROUP,ou=groups,dc=company,dc=com

nadavsr commented 8 years ago

It looks like it would work if the query had spaces in the group DN:

ldapsearch -h localhost -p 1389 -D "uid=admin,ou=system" -w SAMPLE -b "ou=users,dc=company,dc=com" "(memberOf=cn=MYGROUP, ou=groups, dc=company, dc=com)"

ShakataGaNai commented 8 years ago

Ah yes, I tried some other variations but that one I didn't. Unfortunately it looks like that even when I add spaces into the crowd config, they get dropped when it does the group filter:

19:41:04 FallingRock-0 debug: {"ip":"10.78.46.203:52471","time":1473190864053,"dn":"ou=groups, dc=company, dc=com","scope":"sub","filter":"(&(objectclass=groupofnames)(cn=MYGROUP))","attributes":"member,description,cn,objectclass,javaserializeddata,javaclassname,javafactory,javacodebase,javareferenceaddress,javaclassnames,javaremotelocation"}
19:41:04 FallingRock-0 debug: {"ip":"10.78.46.203:52472","time":1473190864123,"dn":"ou=users, dc=company, dc=com","scope":"sub","filter":"(&(objectclass=inetorgperson)(memberof=cn=MYGROUP,ou=groups,dc=trueaccord,dc=com))","attributes":"entryuuid,mail,displayname,givenname,cn,sn,objectclass,javaserializeddata,javaclassname,javafactory,javacodebase,javareferenceaddress,javaclassnames,javaremotelocation"}

(The first line shows the spaces I added to crowd config, the second line does not).

According to https://docs.ldap.com/specs/rfc4514.txt and https://www.ldap.com/ldap-dns-and-rdns all of the following options should be legal:

That being the case, I think the answer is to normalize all searches to always be "dc=something, ou=something, dc=something". Fixing the capitalization (of the ou/dc) and spacing (after a comma) should address a majority of clients?
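The normalization the last comment proposes, as an added example in JavaScript that is not FallingRock's own code: DNs are compared by RFC 4514 equivalence rather than as raw strings, so `cn=MYGROUP,ou=groups,dc=company,dc=com` from Crowd matches a stored `cn=MYGROUP, ou=groups, dc=company, dc=com`. The function names (`splitDn`, `trimValue`, `normalizeDn`, `memberOfMatches`) and the `sampleUser` entry are constructed for this example; lower-casing values assumes the attributes involved (cn, ou, dc) use caseIgnoreMatch, which is the standard schema. Hex escapes such as `\2C` are left as written and not folded into `\,`.

```javascript
// Added example (not FallingRock code): matching memberOf filter values by
// DN equivalence so that spacing after commas and attribute-type case do not
// break group lookups.

// Split on an unescaped separator (',' between RDNs, '+' inside a
// multi-valued RDN). A backslash escapes the next character, so "\," stays
// inside the value, as RFC 4514 requires.
function splitDn(dn, sep) {
  const parts = [];
  let cur = '';
  let escaped = false;
  for (const ch of dn) {
    if (escaped) { cur += ch; escaped = false; }
    else if (ch === '\\') { cur += ch; escaped = true; }
    else if (ch === sep) { parts.push(cur); cur = ''; }
    else cur += ch;
  }
  parts.push(cur);
  return parts;
}

// Drop insignificant whitespace around a value. A trailing space preceded by
// an odd number of backslashes ("\ ") is escaped, hence significant, and kept.
function trimValue(v) {
  let s = v.replace(/^\s+/, '');
  for (;;) {
    if (!/\s$/.test(s)) break;
    let backslashes = 0;
    for (let i = s.length - 2; i >= 0 && s[i] === '\\'; i--) backslashes++;
    if (backslashes % 2 === 1) break;
    s = s.slice(0, -1);
  }
  return s;
}

// Canonical form: no whitespace around '=' or between RDNs, multi-valued RDN
// parts sorted, everything lower-cased (assumes caseIgnoreMatch attributes).
function normalizeDn(dn) {
  return splitDn(dn, ',')
    .map((rdn) =>
      splitDn(rdn, '+')
        .map((ava) => {
          const eq = ava.indexOf('=');
          if (eq < 0) throw new Error(`malformed RDN component: ${ava}`);
          const type = ava.slice(0, eq).trim();
          const value = trimValue(ava.slice(eq + 1));
          return `${type}=${value}`;
        })
        .sort()
        .join('+'))
    .join(',')
    .toLowerCase();
}

// Evaluate an equality assertion on a DN-syntax attribute the way a server
// should: by DN equivalence, not by byte-for-byte comparison of the filter
// value against the stored string.
function memberOfMatches(entry, assertedDn) {
  const want = normalizeDn(assertedDn);
  return (entry.memberOf || []).some((dn) => normalizeDn(dn) === want);
}

// Constructed sample entry, stored with spaces after each comma, the form
// the thread found to match when typed into ldapsearch.
const sampleUser = {
  dn: 'uid=jdoe,ou=users,dc=company,dc=com',
  memberOf: ['cn=MYGROUP, ou=groups, dc=company, dc=com'],
};

// The filter value Crowd actually sends (spaces stripped) and a variant with
// upper-cased attribute types: both should match; a different group should not.
const crowdFilterValue = 'cn=MYGROUP,ou=groups,dc=company,dc=com';
console.log('raw string compare :', sampleUser.memberOf.includes(crowdFilterValue)); // false
console.log('normalized compare :', memberOfMatches(sampleUser, crowdFilterValue));   // true
console.log('upper-cased types  :', memberOfMatches(sampleUser, 'CN=mygroup , OU=Groups,DC=company,DC=com')); // true
console.log('other group        :', memberOfMatches(sampleUser, 'cn=OTHER,ou=groups,dc=company,dc=com'));     // false
console.log('escaped comma kept :', normalizeDn('cn=Sales\\, EMEA,ou=groups,dc=company,dc=com'));
```

Applying `normalizeDn` to both the stored memberOf values and the asserted filter value is enough for the Crowd case in the thread; an equivalent normalization on the search base DN would also let the `ou=users, dc=company, dc=com` form in the debug output match a base configured without spaces.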