LDAP: Only the first 1000 groups are selectable for role to group mapping #4425

Closed
tfischer77 opened this issue Oct 18, 2024 · 0 comments

Steps to reproduce

  1. Install Teampass to the latest Master
  2. Configure LDAP authentication with Active Directory

LDAP Configuration

Hosts: 10.146.149.180
LDAP Port: 389
Base DN: DC=automation,DC=cilag,DC=intern
Username: CN=ADS Read,OU=XYZ,,DC=my,DC=domain,DC=com
Password: abcde
User Distinguished Name: distinguishedname
User name attribute: samaccountname
Additional User DN:
User Object Filter: (memberof=CN=Teampass-User,OU=TeamPass,OU=XYZ,DC=my,DC=domain,DC=com)
AD Group ObjectClasses attribute: top,group
LDAP server type: Active Directory
Local and LDAP users: No
AD user roles mapped with their AD groups: Yes
LDAP GUID attribute: objectguid

Expected behaviour

As there is no group filter configurable in the dialog, all AD groups should be visible.

Actual behaviour

Only the first 1000 groups are shown.

Server configuration

Operating system:
Debian 12.7
Web server:
Apache 2.4.62
Database:
10.11.6-MariaDB-0+deb12u1
PHP version:
PHP Version 8.2.20
Teampass version:
Master from Github (Oct 16, 2024)
Teampass configuration file:
// DATABASE connexion parameters
define("DB_HOST", "localhost:3306");
define("DB_USER", "teampass");
define("DB_PASSWD", "XXXXX");
define("DB_NAME", "teampass");
define("DB_PREFIX", "teampass_");
define("DB_PORT", "3306");
define("DB_ENCODING", "utf8");
//define("DB_SSL", false); // if DB over SSL then comment this line
// if DB over SSL then uncomment the following lines
define("DB_SSL", array(
    "key" => "",
    "cert" => "",
    "ca_cert" => "",
    "ca_path" => "",
    "cipher" => ""
));
define("DB_CONNECT_OPTIONS", array(
    MYSQLI_OPT_CONNECT_TIMEOUT => 10
));
define("SECUREPATH", "/var/local/teampass");
define("SECUREFILE", "teampass-seckey.txt");
define("IKEY", "");
define("SKEY", "");
define("HOST", "");

if (isset($_SESSION['settings']['timezone']) === true) {
    date_default_timezone_set($_SESSION['settings']['timezone']);
}

Client configuration

Browser:
Google Chrome 129.0.6668.101
Operating system:
Windows 10

Logs

Web server error log

No error / log message shown

Log from the web-browser developer console (CTRL + SHIFT + i)

{error: false, teampass_groups: Array(4), ldap_groups: Array(1000)}

Possible solution

Groups are read in vendor/teampassclasses/ldapextra/src/ActiveDirectoryExtra.php
If I change lines 61 and 106 from get() to paginate(), all groups are visible inside Teampass.
$groups = $query->get(); change to: $groups = $query->paginate();

Could that be changed in the official master tree sources? Any better solutions available? Maybe setting an LDAP group filter somewhere?
Best regards,
Tim

nilsteampassnet added a commit that referenced this issue Oct 30, 2024
Get rid of limitation of 1000 groups retrieved from AD.
nilsteampassnet added a commit that referenced this issue Oct 30, 2024
Duplicate the change to teampassclasses libraries
Updated composer libraries
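
The difference between the unpaged `get()` and `paginate()` described in the issue, shown as an added simulation that is not part of the original post or of Teampass. It assumes the 1000-entry cut-off comes from a server-side page-size cap (Active Directory's default MaxPageSize is 1000); `server_search`, the sample DNs and the numeric cookie are constructed for illustration.

```python
"""Constructed simulation of a directory that caps each search response."""
MAX_PAGE_SIZE = 1000       # assumed server cap; matches the 1000 seen in the issue
SIZE_LIMIT_EXCEEDED = 4    # LDAP resultCode sizeLimitExceeded (RFC 4511)

# Constructed sample data: 2500 group DNs under a made-up base DN.
GROUPS = [f"CN=group{i:04d},OU=Groups,DC=example,DC=test" for i in range(2500)]


def server_search(page_size=None, cookie=b""):
    """Hypothetical server side: returns (entries, result_code, next_cookie)."""
    if page_size is None:  # client sent no paged-results control
        code = SIZE_LIMIT_EXCEEDED if len(GROUPS) > MAX_PAGE_SIZE else 0
        return GROUPS[:MAX_PAGE_SIZE], code, b""
    start = int(cookie or b"0")  # real cookies are opaque to the client
    end = start + min(page_size, MAX_PAGE_SIZE)
    next_cookie = str(end).encode() if end < len(GROUPS) else b""
    return GROUPS[start:end], 0, next_cookie


def get_unpaged():
    """Single search without paging that ignores the result code."""
    entries, _code, _cookie = server_search()
    return entries


def get_paged(page_size=500):
    """Paged search: resend with the returned cookie until it comes back empty."""
    entries, cookie = [], b""
    while True:
        page, code, cookie = server_search(page_size, cookie)
        if code != 0:
            raise RuntimeError(f"LDAP search failed with result code {code}")
        entries.extend(page)
        if not cookie:
            return entries


def looks_truncated(entries, result_code=0, cap=MAX_PAGE_SIZE):
    """Flag a result that carried sizeLimitExceeded or landed exactly on the cap."""
    return result_code == SIZE_LIMIT_EXCEEDED or len(entries) == cap


if __name__ == "__main__":
    print(len(get_unpaged()), len(get_paged()))
```

A group list that silently stops at the cap means roles cannot be mapped to any group past it, so a check like `looks_truncated` is worth running wherever directory results feed access decisions.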