split LDAP filters

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

changelog/unreleased/update-ldap-config.md

@@ -0,0 +1,12 @@
+Bugfix: Update LDAP filters
+
+With the separation of use and find filters we can now use a filter that taken into account a users uuid as well as his username. This is necessary to make sharing work with the new account service which assigns accounts an immutable account id that is different from the username. Furthermore, the separate find filters now allows searching users by their displayname or email as well.
+
+
+```
+userfilter = "(&(objectclass=posixAccount)(|(ownclouduuid={{.OpaqueId}})(cn={{.OpaqueId}})))"
+findfilter = "(&(objectclass=posixAccount)(|(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)))"
+```
+
+https://github.com/owncloud/ocis-reva/pull/399
+https://github.com/cs3org/reva/pull/996

changelog/unreleased/update-reva-to-20200724.md

@@ -0,0 +1,7 @@
+Enhancement: update reva to v0.1.1-0.20200724...-....
+
+- Update reva to v0.1.1-0.20200724...-....
+- Split LDAP user filters (reva/#996)
+
+https://github.com/owncloud/ocis-reva/pull/399
+https://github.com/cs3org/reva/pull/996

pkg/command/users.go

@@ -97,6 +97,7 @@ func Users(cfg *config.Config) *cli.Command {
 										"port":          cfg.Reva.LDAP.Port,
 										"base_dn":       cfg.Reva.LDAP.BaseDN,
 										"userfilter":    cfg.Reva.LDAP.UserFilter,
+										"findfilter":    cfg.Reva.LDAP.FindFilter,
 										"groupfilter":   cfg.Reva.LDAP.GroupFilter,
 										"bind_username": cfg.Reva.LDAP.BindDN,
 										"bind_password": cfg.Reva.LDAP.BindPassword,

pkg/config/config.go

@@ -207,6 +207,7 @@ type LDAP struct {
 	Port         int
 	BaseDN       string
 	UserFilter   string
+	FindFilter   string
 	GroupFilter  string
 	BindDN       string
 	BindPassword string

pkg/flagset/authbasic.go

@@ -123,18 +123,11 @@ func AuthBasicWithConfig(cfg *config.Config) []cli.Flag {
 			Destination: &cfg.Reva.LDAP.BaseDN,
 		},
 		&cli.StringFlag{
-			Name:        "ldap-userfilter",
-			Value:       "(&(objectclass=posixAccount)(cn=%s))",
-			Usage:       "LDAP userfilter",
-			EnvVars:     []string{"REVA_LDAP_USERFILTER"},
-			Destination: &cfg.Reva.LDAP.UserFilter,
-		},
-		&cli.StringFlag{
-			Name:        "ldap-groupfilter",
-			Value:       "(&(objectclass=posixGroup)(cn=%s))",
-			Usage:       "LDAP groupfilter",
-			EnvVars:     []string{"REVA_LDAP_GROUPFILTER"},
-			Destination: &cfg.Reva.LDAP.GroupFilter,
+			Name:        "ldap-loginfilter",
+			Value:       "(&(objectclass=posixAccount)(|(cn={{login}})(mail={{login}})))",
+			Usage:       "LDAP login filter",
+			EnvVars:     []string{"REVA_LDAP_LOGINFILTER"},
+			Destination: &cfg.Reva.LDAP.LoginFilter,
 		},
 		&cli.StringFlag{
 			Name:        "ldap-bind-dn",
@@ -160,7 +153,7 @@ func AuthBasicWithConfig(cfg *config.Config) []cli.Flag {
 		// ldap dn is always the dn
 		&cli.StringFlag{
 			Name:        "ldap-schema-uid",
-			Value:       "uid",
+			Value:       "ownclouduuid",
 			Usage:       "LDAP schema uid",
 			EnvVars:     []string{"REVA_LDAP_SCHEMA_UID"},
 			Destination: &cfg.Reva.LDAP.Schema.UID,
@@ -174,7 +167,7 @@ func AuthBasicWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.StringFlag{
 			Name:        "ldap-schema-displayName",
-			Value:       "sn",
+			Value:       "displayname",
 			Usage:       "LDAP schema displayName",
 			EnvVars:     []string{"REVA_LDAP_SCHEMA_DISPLAYNAME"},
 			Destination: &cfg.Reva.LDAP.Schema.DisplayName,

pkg/flagset/users.go

@@ -107,15 +107,24 @@ func UsersWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.StringFlag{
 			Name:        "ldap-userfilter",
-			Value:       "(&(objectclass=posixAccount)(cn=%s*))",
-			Usage:       "LDAP userfilter",
+			Value:       "(&(objectclass=posixAccount)(|(ownclouduuid={{.OpaqueId}})(cn={{.OpaqueId}})))",
+			Usage:       "LDAP filter used when getting a user. The CS3 userid properties {{.OpaqueId}} and {{.Idp}} are available.",
 			EnvVars:     []string{"REVA_LDAP_USERFILTER"},
 			Destination: &cfg.Reva.LDAP.UserFilter,
 		},
 		&cli.StringFlag{
-			Name:        "ldap-groupfilter",
-			Value:       "(&(objectclass=posixGroup)(cn=%s*))",
-			Usage:       "LDAP groupfilter",
+			Name:        "ldap-findfilter",
+			Value:       "(&(objectclass=posixAccount)(|(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)))",
+			Usage:       "LDAP filter used when searching for recipients. {{query}} will be replaced with the search query",
+			EnvVars:     []string{"REVA_LDAP_FINDFILTER"},
+			Destination: &cfg.Reva.LDAP.FindFilter,
+		},
+		&cli.StringFlag{
+			Name: "ldap-groupfilter",
+			// FIXME the reva implementation needs to use the memberof overlay to get the cn when it only has the uuid,
+			// because the ldap schema either uses the dn or the member(of) attributes to establish membership
+			Value:       "(&(objectclass=posixGroup)(ownclouduuid={{.OpaqueId}}*))", // This filter will never work
+			Usage:       "LDAP filter used when getting the groups of a user. The CS3 userid properties {{.OpaqueId}} and {{.Idp}} are available.",
 			EnvVars:     []string{"REVA_LDAP_GROUPFILTER"},
 			Destination: &cfg.Reva.LDAP.GroupFilter,
 		},
@@ -143,7 +152,7 @@ func UsersWithConfig(cfg *config.Config) []cli.Flag {
 		// ldap dn is always the dn
 		&cli.StringFlag{
 			Name:        "ldap-schema-uid",
-			Value:       "uid",
+			Value:       "ownclouduuid",
 			Usage:       "LDAP schema uid",
 			EnvVars:     []string{"REVA_LDAP_SCHEMA_UID"},
 			Destination: &cfg.Reva.LDAP.Schema.UID,
@@ -157,7 +166,7 @@ func UsersWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.StringFlag{
 			Name:        "ldap-schema-displayName",
-			Value:       "sn",
+			Value:       "displayname",
 			Usage:       "LDAP schema displayName",
 			EnvVars:     []string{"REVA_LDAP_SCHEMA_DISPLAYNAME"},
 			Destination: &cfg.Reva.LDAP.Schema.DisplayName,