This repository has been archived by the owner on Feb 9, 2024. It is now read-only.

Group Search doesn't work from Crowd #2

Open
ShakataGaNai opened this issue Sep 6, 2016 · 2 comments

@ShakataGaNai
Contributor

ShakataGaNai commented Sep 6, 2016

Debug while attempting to view group members in Atlassian Crowd:

17:50:06 FallingRock-0 debug: {"ip":"10.78.46.203:52381","time":1473184206544,"dn":"ou=groups, dc=company, dc=com","scope":"sub","filter":"(&(objectclass=groupofnames)(cn=MYGROUP))","attributes":"member,description,cn,objectclass,javaserializeddata,javaclassname,javafactory,javacodebase,javareferenceaddress,javaclassnames,javaremotelocation"}
17:50:06 FallingRock-0 debug: {"ip":"10.78.46.203:52382","time":1473184206635,"dn":"ou=users, dc=company, dc=com","scope":"sub","filter":"(&(objectclass=inetorgperson)(memberof=cn=MYGROUP,ou=groups,dc=company,dc=com))","attributes":"entryuuid,mail,displayname,givenname,cn,sn,objectclass,javaserializeddata,javaclassname,javafactory,javacodebase,javareferenceaddress,javaclassnames,javaremotelocation"}

Manual LDAP search sample: ldapsearch -h localhost -p 1389 -D "uid=admin,ou=system" -w SAMPLE -b "ou=users,dc=company,dc=com" "(memberOf=cn=MYGROUP,ou=groups,dc=company,dc=com)"

Also returns 0, even though I know at least two users show memberOf: cn=MYGROUP,ou=groups,dc=company,dc=com

@nadavsr

nadavsr commented Sep 6, 2016

It looks like it would work if the query had spaces in the group DN:

ldapsearch -h localhost -p 1389 -D "uid=admin,ou=system" -w SAMPLE -b "ou=users,dc=company,dc=com" "(memberOf=cn=MYGROUP, ou=groups, dc=company, dc=com)"

@ShakataGaNai
Contributor Author

Ah yes, I tried some other variations but that one I didn't. Unfortunately, it looks like even when I add spaces into the Crowd config, they get dropped when it does the group filter:

19:41:04 FallingRock-0 debug: {"ip":"10.78.46.203:52471","time":1473190864053,"dn":"ou=groups, dc=company, dc=com","scope":"sub","filter":"(&(objectclass=groupofnames)(cn=MYGROUP))","attributes":"member,description,cn,objectclass,javaserializeddata,javaclassname,javafactory,javacodebase,javareferenceaddress,javaclassnames,javaremotelocation"}
19:41:04 FallingRock-0 debug: {"ip":"10.78.46.203:52472","time":1473190864123,"dn":"ou=users, dc=company, dc=com","scope":"sub","filter":"(&(objectclass=inetorgperson)(memberof=cn=MYGROUP,ou=groups,dc=trueaccord,dc=com))","attributes":"entryuuid,mail,displayname,givenname,cn,sn,objectclass,javaserializeddata,javaclassname,javafactory,javacodebase,javareferenceaddress,javaclassnames,javaremotelocation"}

(The first line shows the spaces I added to the Crowd config; the second line does not.)

According to https://docs.ldap.com/specs/rfc4514.txt and https://www.ldap.com/ldap-dns-and-rdns all of the following options should be legal:

  • dc=example,dc=com
  • dc=example, dc=com
  • dc = example , dc = com
  • DC=EXAMPLE,DC=COM

That being the case, I think the answer is to normalize all searches to always be "dc=something, ou=something, dc=something". Fixing the capitalization (of the ou/dc) and spacing (after a comma) should address a majority of clients?
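
Added example, not part of the original thread or the project's code: one way to do the normalization discussed above, so that a `memberOf` assertion matches however the client or the stored entry spells the DN. The function names, the case-insensitive attribute list and the sample entries are assumptions, and only single-valued RDNs (no `+`) are handled.

```python
# Assumption: values of these attribute types match case-insensitively.
CASE_INSENSITIVE = {"dc", "ou", "cn", "o", "uid"}

def split_unescaped(text, sep=","):
    """Split on sep, leaving backslash-escaped characters (e.g. '\\,') alone."""
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf += text[i:i + 2]          # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += text[i]
        i += 1
    parts.append(buf)
    return parts

def strip_value(value):
    """Trim padding spaces but keep a trailing space that is escaped ('\\ ')."""
    left = value.lstrip(" ")
    out = left.rstrip(" ")
    backslashes = len(out) - len(out.rstrip("\\"))
    if backslashes % 2 == 1 and len(left) > len(out):
        out += " "
    return out

def normalize_dn(dn):
    """Canonical form: lower-case types, no padding, single ',' separator."""
    rdns = []
    for rdn in split_unescaped(dn):
        attr, eq, value = rdn.partition("=")
        attr = attr.strip(" ").lower()
        if not eq or not attr:
            raise ValueError(f"malformed RDN: {rdn!r}")
        value = strip_value(value)
        rdns.append(f"{attr}={value.lower() if attr in CASE_INSENSITIVE else value}")
    return ",".join(rdns)

def members_of(users, group_dn):
    """DNs of users whose memberOf equals group_dn after normalization."""
    wanted = normalize_dn(group_dn)
    return [u["dn"] for u in users
            if any(normalize_dn(g) == wanted for g in u.get("memberOf", []))]

# Constructed sample entries (not taken from the issue's directory).
USERS = [
    {"dn": "uid=alice, ou=users, dc=company, dc=com", "memberOf": ["cn=MYGROUP, ou=groups, dc=company, dc=com"]},
    {"dn": "uid=bob, ou=users, dc=company, dc=com", "memberOf": ["CN=mygroup,OU=groups,DC=company,DC=com"]},
    {"dn": "uid=carol, ou=users, dc=company, dc=com", "memberOf": ["cn=OTHER\\, GROUP, ou=groups, dc=company, dc=com"]},
]
```

Normalizing both the filter value and the stored value before comparing means neither side has to agree on spacing; group membership often drives authorization, so a silent mismatch here shows up as missing access rather than as an error.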
