Hard-coded group_filter causing imcompatibility with certain LDAP configurations

[ivan-gomes]

The filter used for checking allowed group membership is hard-coded, see

ldapauthenticator/ldapauthenticator/ldapauthenticator.py

Lines 397 to 403 in 455432a

	group_filter = (
	'(|'
	'(member={userdn})'
	'(uniqueMember={userdn})'
	'(memberUid={uid})'
	')'
	)

Some LDAP implementations/configurations do not allow queries that include attributes that don't exist, even when used in an or statement with other conditions that match.

For example, this works (returns >= 1 results):

(|(member=uid=ivangomes,ou=personnel,dc=dir,dc=ivangomes,dc=com)(uniqueMember=uid=ivangomes,ou=personnel,dc=dir,dc=ivangomes,dc=com))

but this doesn't (returns zero results):

(|(member=uid=ivangomes,ou=personnel,dc=dir,dc=ivangomes,dc=com)(uniqueMember=uid=ivangomes,ou=personnel,dc=dir,dc=ivangomes,dc=com)(memberUid=ivangomes))

because in this particular LDAP server, memberUid is not a recognized attribute.

While the current filter is a good catch-all default, we could work around this issue and other potential ones by exposing a command-line option to override group_filter, similarly to lookup_dn_search_filter.

In addition, some group implementations may require specifying search_base on the group search, which currently isn't possible, so this could be another configuration option to expose.

[kinow]

+1

This is related or duplicate of #62.