unable to authorize with unusual ldap schema
Vebryn opened this issue · comments
Hi,
I'm unable to use ldap authorization because my ldap implements an unusual schema.
An ldap query on my group reveals that the memberUid (uniqueMember) attribute contains only my login id (instead of the full dn).
dn: cn=mygroup,ou=Group,dc=x,dc=x,dc=x
memberUid: jdurand
memberUid: sdupond
According to UnboundidLdapService.scala, the searchFilterFrom method hard-codes a full-dn search:
    private def searchFilterFrom(mode: DefaultGroupSearch, user: LdapUser) = {
      s"(&${mode.groupSearchFilter}(${mode.uniqueMemberAttribute}=${Filter.encodeValue(user.dn.value.value)}))"
    }
Is it possible to create a configuration parameter to customize this search filter?
Best regards.
Ldapsearch on jdurand:
dn: uid=jdurand,ou=People,dc=x,dc=x,dc=x
accessgroup: mygroup
uid: jdurand
Elasticsearch logs:
[2019-07-30T12:14:48,122][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthenticationServiceDecorator] Trying to authenticate user [jdurand] with LDAP [ldap1]
[2019-07-30T12:14:48,245][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthenticationServiceDecorator] User [jdurand] authenticated by LDAP [ldap1]
[2019-07-30T12:14:48,245][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthorizationServiceDecorator] Trying to fetch user [id=jdurand] groups from LDAP [ldap1]
[2019-07-30T12:14:48,266][DEBUG][t.b.r.a.b.d.l.i.UnboundidLdapAuthorizationService] LDAP search string: (&(cn=*)(memberUid=uid=jdurand,ou=People,dc=x,dc=x,dc=x)) | groupNameAttr: cn
[2019-07-30T12:14:48,283][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthorizationServiceDecorator] LDAP [ldap1] returned for user [jdurand] following groups: []
RoR configuration:
    - name: "mygroup access"
      ldap_auth:
        name: "ldap1"
        groups: ["mygroup"]
      indices: ["*"]

    ldaps:
    - name: "ldap1"
      hosts: x.x.x.x
      search_user_base_DN: "ou=People,dc=x,dc=x,dc=x"
      search_groups_base_DN: "ou=Group,dc=x,dc=x,dc=x"
      unique_member_attribute: "memberUid"
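The following is an added example, not ReadonlyREST's code, showing the difference between the two group-search filters at issue: the current one, which compares the unique-member attribute against the user's full DN, and a configurable variant (a hypothetical `member_value` switch, assumed here, not a real RoR setting) that compares it against the login id instead. It also shows why the value must be escaped per RFC 4515 before it goes into the filter, which is what `Filter.encodeValue` does in the Scala snippet above: an id containing `*` or parentheses must not be able to widen the search to other groups. The group entries and the toy filter matcher are constructed for the example; a real directory evaluates far more than conjunctions of equality terms.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapUser:
    uid: str  # login id, e.g. "jdurand"
    dn: str   # full entry DN, e.g. "uid=jdurand,ou=People,dc=x,dc=x,dc=x"


def encode_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
    Same purpose as UnboundID's Filter.encodeValue: the characters * ( ) \\ and
    NUL become \\XX hex escapes, so user-controlled input cannot change the
    structure of the filter it is embedded in."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def group_search_filter(group_filter: str, unique_member_attribute: str,
                        user: LdapUser, member_value: str = "dn") -> str:
    """Build (&<group_filter>(<attr>=<value>)) the way the Scala snippet does.
    member_value is the hypothetical switch: "dn" reproduces the current
    hard-coded behaviour, "uid" uses the login id (what a memberUid-style
    schema needs)."""
    if member_value == "dn":
        value = user.dn
    elif member_value == "uid":
        value = user.uid
    else:
        raise ValueError("member_value must be 'dn' or 'uid'")
    return f"(&{group_filter}({unique_member_attribute}={encode_filter_value(value)}))"


# Toy evaluator for the filters produced above: a conjunction of (attr=value)
# terms, where a bare '*' is a presence test. Attribute names are matched
# case-sensitively here, unlike a real server.
_TERM = re.compile(r'\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)')


def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)


def matching_groups(filter_str: str, entries: list, name_attr: str = "cn") -> list:
    """Return the name_attr values of every entry matched by filter_str."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only conjunctive filters are supported here")
    terms = _TERM.findall(filter_str[2:-1])
    names = []
    for entry in entries:
        ok = True
        for attr, val in terms:
            values = entry.get(attr, [])
            ok = bool(values) if val == "*" else _unescape(val) in values
            if not ok:
                break
        if ok:
            names.extend(entry.get(name_attr, []))
    return names


# Constructed group entries mirroring the ldapsearch output in the issue.
GROUPS = [
    {"cn": ["mygroup"], "memberUid": ["jdurand", "sdupond"]},
    {"cn": ["othergroup"], "memberUid": ["sdupond"]},
]

if __name__ == "__main__":
    user = LdapUser(uid="jdurand", dn="uid=jdurand,ou=People,dc=x,dc=x,dc=x")
    for mode in ("dn", "uid"):
        f = group_search_filter("(cn=*)", "memberUid", user, mode)
        print(mode, f, matching_groups(f, GROUPS))
```

With `member_value="dn"` the filter is exactly the string in the DEBUG log line above and matches nothing, because `memberUid` holds `jdurand`, not the DN; with `"uid"` it matches `mygroup`. Because the value is escaped, a login id such as `*` becomes `\2a` and still matches no group rather than all of them.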