
Can't filter groups in Windows Active Directory (LDAP BindDN Authentication) #23615

Closed
ZantsuRocks opened this issue Mar 21, 2023 · 6 comments · Fixed by #23745

@ZantsuRocks

Description

I'm trying to automate the organization and teams grouping with my LDAP authentication (authentication is working fine), but the configuration to add users to groups does not work.

Log states that the filter failed: 2023/03/21 11:17:21 ...dap/source_search.go:228:listLdapGroupMemberships() [E] [6419bc71] Failed group search in LDAP with filter [(&()(member=CN=User Teste,CN=Users,DC=agst,DC=com,DC=br))]: LDAP Result Code 201 "Filter Compile Error": ldap: error parsing filter
From what I see, that empty &() at the start of the filter is the problem; I can't see any way to remove it in the UI.

If I search only (member=CN=User Teste,CN=Users,DC=agst,DC=com,DC=br) manually, the groups are displayed correctly.

Gitea Version

1.19.0

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

(two screenshots attached to the issue; not reproduced here)

Git Version

2.39.1.windows.1

Operating System

Windows Server 2022 (20348.803)

How are you running Gitea?

AMD64 Binary From Git Releases Page

Database

SQLite

@ZantsuRocks
Author

Analyzing the listLdapGroupMemberships function code, it has a boolean value to apply a group filter; the docs explain that group filter, but the filter isn't present in the UI to set.

@ZantsuRocks
Author

Found the problem...

The bool value is WRONG when there is no text in the UI field "Verify group membership in LDAP (leave the filter empty to skip)".
When this field is empty, applyGroupFilter should be FALSE.

@svenseeberg
Contributor

Workaround: set "Verify group membership in LDAP" to (&).

@ZantsuRocks
Author

> Workaround: set "Verify group membership in LDAP" to (&).

I was using (objectClass=group) as workaround, but (&) works as well.

@zeripath
Contributor

listLdapGroupMemberships

Do you mean that:

if applyGroupFilter {
searchFilter = fmt.Sprintf("(&(%s)(%s=%s))", groupFilter, source.GroupMemberUID, ldap.EscapeFilter(uid))
} else {

should actually be:

if applyGroupFilter && groupFilter != "" {
	searchFilter = fmt.Sprintf("(&(%s)(%s=%s))", groupFilter, source.GroupMemberUID, ldap.EscapeFilter(uid))
} else {

If so does the below patch solve the problem?

PATCH
diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go
index 5a2d25b0c..2a61386ae 100644
--- a/services/auth/source/ldap/source_search.go
+++ b/services/auth/source/ldap/source_search.go
@@ -208,7 +208,7 @@ func (source *Source) listLdapGroupMemberships(l *ldap.Conn, uid string, applyGr
 	}
 
 	var searchFilter string
-	if applyGroupFilter {
+	if applyGroupFilter && groupFilter != "" {
 		searchFilter = fmt.Sprintf("(&(%s)(%s=%s))", groupFilter, source.GroupMemberUID, ldap.EscapeFilter(uid))
 	} else {
 		searchFilter = fmt.Sprintf("(%s=%s)", source.GroupMemberUID, ldap.EscapeFilter(uid))
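Review bot: the new `groupFilter != ""` condition only catches the exact empty string; a whitespace-only value saved from the form would still be interpolated into `(&(%s)(%s=%s))` as the component `( )`, which is not a valid filter either and would fail at the same point as the `(&()(member=...))` from the report. Suggest `strings.TrimSpace(groupFilter) != ""` here (or trimming once where the source is saved), and a unit test covering the empty-filter case so the `(&()(...))` construction cannot regress.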

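The thread turns on one string template: `(&(%s)(%s=%s))` with an empty first operand yields the `(&()(member=...))` filter that the server rejects. The following is an added example, not code from Gitea or from anyone in this thread, that reproduces the 1.19.0 construction next to a corrected one, applies RFC 4515 escaping to the member DN (a stdlib stand-in for go-ldap's `ldap.EscapeFilter`, written here so the example needs no external module), and runs a minimal structural check that catches the empty `()` component. The function names, the `member` attribute and the hostile uid are assumptions for illustration; the DN is the one from the report.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// escapeFilter applies RFC 4515 escaping to a value placed inside a filter
// assertion. Simplified stand-in for go-ldap's ldap.EscapeFilter (assumed
// here, not the library's code): backslash, '*', '(', ')' and NUL become \XX.
func escapeFilter(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buggyGroupFilter reproduces the 1.19.0 construction: an empty groupFilter
// is still wrapped, producing the "(&()(member=...))" seen in the report.
func buggyGroupFilter(groupFilter, memberAttr, uid string, applyGroupFilter bool) string {
	if applyGroupFilter {
		return fmt.Sprintf("(&(%s)(%s=%s))", groupFilter, memberAttr, escapeFilter(uid))
	}
	return fmt.Sprintf("(%s=%s)", memberAttr, escapeFilter(uid))
}

// fixedGroupFilter skips the group filter when it is empty or whitespace-only,
// which is what the UI label ("leave the filter empty to skip") promises.
func fixedGroupFilter(groupFilter, memberAttr, uid string, applyGroupFilter bool) string {
	gf := strings.TrimSpace(groupFilter)
	if applyGroupFilter && gf != "" {
		return fmt.Sprintf("(&(%s)(%s=%s))", gf, memberAttr, escapeFilter(uid))
	}
	return fmt.Sprintf("(%s=%s)", memberAttr, escapeFilter(uid))
}

// checkFilter is a minimal structural sanity check, not a full RFC 4515
// parser: the filter must start with '(', parentheses must balance, and no
// component may be the empty "()" that the report's log shows.
func checkFilter(f string) error {
	if len(f) == 0 || f[0] != '(' {
		return errors.New("filter must start with '('")
	}
	depth := 0
	for i := 0; i < len(f); i++ {
		switch f[i] {
		case '(':
			depth++
			if i+1 < len(f) && f[i+1] == ')' {
				return fmt.Errorf("empty filter component at offset %d in %q", i, f)
			}
		case ')':
			depth--
			if depth < 0 {
				return errors.New("unbalanced ')' in " + f)
			}
		}
	}
	if depth != 0 {
		return errors.New("unbalanced '(' in " + f)
	}
	return nil
}

func main() {
	const member = "member" // attribute name assumed for the example
	uid := "CN=User Teste,CN=Users,DC=agst,DC=com,DC=br" // DN from the report

	// Field left empty in the UI but applyGroupFilter still true: the 1.19.0 bug.
	f := buggyGroupFilter("", member, uid, true)
	fmt.Println(f, "->", checkFilter(f))
	f = fixedGroupFilter("", member, uid, true)
	fmt.Println(f, "->", checkFilter(f))

	// A real group filter: the template supplies the surrounding parentheses.
	f = fixedGroupFilter("objectClass=group", member, uid, true)
	fmt.Println(f, "->", checkFilter(f))

	// Constructed hostile uid: raw parentheses and '*' are escaped, so the
	// attacker-controlled value cannot add its own filter components.
	f = fixedGroupFilter("objectClass=group", member, "x)(objectClass=*", true)
	fmt.Println(f, "->", checkFilter(f))
}
```

Note that the template already wraps the configured value in one pair of parentheses, so the value belongs in the form `objectClass=group`; and note that escaping the uid is what keeps a user-controlled DN from extending the filter, which is why `ldap.EscapeFilter(uid)` appears on both branches of the original code.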
zeripath added a commit to zeripath/gitea that referenced this issue Mar 27, 2023
…is non-empty

When running listLdapGroupMemberships check if the groupFilter is empty
before using it to list memberships.

Fix go-gitea#23615

Signed-off-by: Andrew Thornton <art27@cantab.net>
lunny pushed a commit that referenced this issue Mar 29, 2023
… is empty (#23745)

When running listLdapGroupMemberships check if the groupFilter is empty
before using it to list memberships.

Fix #23615

Signed-off-by: Andrew Thornton <art27@cantab.net>
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Mar 29, 2023
… is empty (go-gitea#23745)

When running listLdapGroupMemberships check if the groupFilter is empty
before using it to list memberships.

Fix go-gitea#23615

Signed-off-by: Andrew Thornton <art27@cantab.net>
jolheiser pushed a commit that referenced this issue Mar 29, 2023
… is empty (#23745) (#23788)

Backport #23745 by @zeripath

When running listLdapGroupMemberships check if the groupFilter is empty
before using it to list memberships.

Fix #23615

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: zeripath <art27@cantab.net>
@dawivid

dawivid commented Apr 5, 2023

Hi, so I am having the exact same issue, except the workaround of populating 'Verify group membership in LDAP' stops my LDAP search altogether. If I leave it blank I get the error described in this issue.

This is the debug log with the field populated:
| 2023/04/05 12:40:53 ...dap/source_search.go:79:findUserDN() [T] [642d6c55] Search for LDAP user: david.testing
gitea | 2023/04/05 12:40:53 ...dap/source_search.go:87:findUserDN() [T] [642d6c55] Searching for DN using filter (sAMAccountName=david.testing) and base OU=Infra,DC=,DC=,DC=**
gitea | 2023/04/05 12:40:53 ...dap/source_search.go:139:bindUser() [T] [642d6c55] Binding with userDN: CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=,DC=,DC=**
gitea | 2023/04/05 12:40:53 ...dap/source_search.go:145:bindUser() [T] [642d6c55] Bound successfully with userDN: CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=,DC=,DC=**
gitea | 2023/04/05 12:40:53 ...dap/source_search.go:340:SearchEntry() [T] [642d6c55] Fetching attributes '', '', '', 'mail', '', '', 'dn' with filter '(sAMAccountName=david.testing)' and base 'CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=,DC=,DC=**'
gitea | 2023/04/05 12:40:53 [642d6c55] router: completed POST /user/login for 192.168.200.104:55046, 303 See Other in 10.3ms @ auth/auth.go:170(auth.SignInPost)
gitea | 2023/04/05 12:40:53 ...s/process/manager.go:207:remove() [T] [642d6c55] Done 642d6c55: POST: /user/login
gitea | 2023/04/05 12:40:53 ...s/process/manager.go:170:Add() [T] Start 642d6c55-2: GET: / (request)
gitea | 2023/04/05 12:40:53 [642d6c55-2] router: started GET / for 192.168.200.104:55046

Git Version
2.38.4, Wire Protocol Version 2 Enabled

Gitea Version
1.19.0 built with GNU Make 4.3, go1.20.2 : bindata, timetzdata, sqlite, sqlite_unlock_notify

@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023