
LDAP filter search on multiple values

Open fayak opened this issue 3 years ago • 4 comments

Describe the bug

I'm trying to search for a specific value on an LDAP object that has multiple keys with the same name. It appears that only the first one can be matched.

For example, an object like

dn: cn=toto,ou=users,dc=example,dc=com
ldap_uniq: toto
...
cn: toto
gidNumber: 4009
uidNumber: 4009
goauthentik.io/ldap/active: true
sAMAccountName: toto
uid: ed9cb6b20e960ea66a952a582cbed35c7f1b09cb850aecf06f662a138c0d0ed0
name: toto toto
displayName: toto toto
objectClass: user
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: goauthentik.io/ldap/user

It has multiple objectClass values.

I can query this object with '(&(cn=toto)(objectClass=user))', but '(&(cn=toto)(objectClass=inetOrgPerson))' won't work.

Maybe I'm doing LDAP wrong?

To Reproduce

Steps to reproduce the behavior:

  1. Outpost created with an LDAP provider with: a search group, search mode direct/memory (doesn't change the behavior, apparently)
  2. Search with given filters above

Expected behavior

Be able to match a user with any of the values in objectClass.

Logs

{"baseDN":"dc=example,dc=com","bindDN":"cn=test,ou=users,dc=example,dc=com","client":"172.18.0.1","event":"Search request","filter":"(&(cn=toto)(objectClass=organizationalPerson))","level":"info","requestId":"f8b0af40-1121-4ef7-9eea-e82ac4d6824b","scope":"Whole Subtree","timestamp":"2022-04-22T14:17:17Z","took-ms":0}

Version and Deployment (please complete the following information):

  • authentik version: 2022.4.1
  • Deployment: docker-compose
ae82497b5131   ghcr.io/goauthentik/ldap:2022.4.1     "/ldap"                  About an hour ago   Up About an hour (healthy)   9300/tcp, 0.0.0.0:389->3389/tcp, :::389->3389/tcp, 0.0.0.0:636->6636/tcp, :::636->6636/tcp   ak-outpost-ldapout
b0d9b51ceec7   ghcr.io/goauthentik/server:2022.4.1   "/lifecycle/ak server"   5 hours ago         Up 5 hours (healthy)         0.0.0.0:9000->9000/tcp, 0.0.0.0:9443->9443/tcp                                               authentik-server-1
9fc3714e9715   redis:alpine                          "docker-entrypoint.s…"   5 hours ago         Up 5 hours                   6379/tcp                                                                                     authentik-redis-1
953973768c7f   postgres:12-alpine                    "docker-entrypoint.s…"   5 hours ago         Up 5 hours                   5432/tcp                                                                                     authentik-postgresql-1
ee39bc19720d   ghcr.io/goauthentik/server:2022.4.1   "/lifecycle/ak worker"   5 hours ago         Up 5 hours (healthy)                                                                                                      authentik-worker-1

Additional context

I'm also struggling with LDAP for other reasons. I'd like to have things as transparent and manageable as possible, to make the exposed LDAP interface as similar as possible to the one we had with our own OpenLDAP. Some attributes are not named the same way, and I don't know if and how that can be changed. phpLDAPadmin also seems to be off when plugged into the LDAP outpost.

Sorry if the question is irrelevant and is actually more about myself not being able to write LDAP search filters

fayak avatar Apr 22 '22 14:04 fayak
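The behaviour reported above, worked through as an added example that is not authentik's code and not from anyone in this thread: a minimal RFC 4515 filter evaluator (and, or, not, equality and presence only; no substrings, extensible matches or escaped parentheses) run over the entry from the report. Correct LDAP semantics satisfy an equality assertion when any value of a multi-valued attribute matches; the `first_value_only` switch reproduces the "only the first objectClass is compared" result the issue describes. The entry text is copied from the report, and the names `parse_ldif`, `parse_filter`, `evaluate` and `matches` are this example's own.

```python
"""Minimal RFC 4515 filter evaluator over a multi-valued LDAP entry.

Added example, not authentik code. Shows why (objectClass=user) and
(objectClass=inetOrgPerson) must both match the entry from the issue,
and how a "compare only the first value" implementation gets it wrong.
"""
from __future__ import annotations

# Entry copied from the issue (LDIF-like form). Attribute names are
# case-insensitive in LDAP; objectClass values use caseIgnoreMatch too.
ENTRY_LDIF = """\
dn: cn=toto,ou=users,dc=example,dc=com
ldap_uniq: toto
cn: toto
gidNumber: 4009
uidNumber: 4009
goauthentik.io/ldap/active: true
sAMAccountName: toto
uid: ed9cb6b20e960ea66a952a582cbed35c7f1b09cb850aecf06f662a138c0d0ed0
name: toto toto
displayName: toto toto
objectClass: user
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: goauthentik.io/ldap/user
"""


def parse_ldif(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into {attr_lowercase: [values in file order]}."""
    entry: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_filter(text: str) -> tuple:
    """Parse a filter string into a tree of ('&'|'|', [children]),
    ('!', child), ('present', attr) or ('eq', attr, value) nodes."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse(s: str, i: int) -> tuple[tuple, int]:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|":  # filter list: (&(a=b)(c=d)) / (|(a=b)(c=d))
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    if op == "!":  # negation: (!(a=b))
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", child), i + 1
    # Simple item. Escaped ')' (\29) inside values is not handled here.
    j = s.index(")", i)
    attr, sep, value = s[i:j].partition("=")
    if not sep:
        raise ValueError(f"unsupported item {s[i:j]!r}")
    if value == "*":
        return ("present", attr.lower()), j + 1
    return ("eq", attr.lower(), value), j + 1


def evaluate(node: tuple, entry: dict[str, list[str]], first_value_only: bool = False) -> bool:
    """Evaluate a filter tree against an entry.

    first_value_only=False is the RFC 4511 rule: an equality assertion is
    TRUE if it matches ANY value of the attribute. first_value_only=True
    mimics the reported outpost behaviour of checking only the first value.
    """
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry, first_value_only) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry, first_value_only) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry, first_value_only)
    if kind == "present":
        return node[1] in entry
    _, attr, wanted = node
    values = entry.get(attr, [])
    if first_value_only:
        values = values[:1]
    return any(v.lower() == wanted.lower() for v in values)


def matches(filter_text: str, ldif: str = ENTRY_LDIF, first_value_only: bool = False) -> bool:
    """Convenience wrapper: does the filter match the entry?"""
    return evaluate(parse_filter(filter_text), parse_ldif(ldif), first_value_only)


if __name__ == "__main__":
    for f in ("(&(cn=toto)(objectClass=user))",
              "(&(cn=toto)(objectClass=inetOrgPerson))",
              "(&(cn=toto)(objectClass=goauthentik.io/ldap/user))"):
        print(f"{f:52} correct={matches(f)!s:5} first-value-only={matches(f, first_value_only=True)}")
```

Against a live outpost the same comparison is two `ldapsearch -x` runs with the bind DN and base DN from the log line above, one with `(&(cn=toto)(objectClass=user))` and one with `(&(cn=toto)(objectClass=inetOrgPerson))`: a conforming server returns the entry for both.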

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 22 '22 05:06 stale[bot]

Can I bump it?

fayak avatar Jun 22 '22 08:06 fayak

I have the same issue but only with objectClass, matching on other multivalued fields works just fine.

Mareo avatar Jun 27 '22 05:06 Mareo

I think I am facing this issue.

I am trying to integrate authentik with vCenter as an OpenLDAP server. It seems that vCenter queries users with an objectClass=inetOrgPerson filter and fails.

When I try to run the query myself, the outpost won't return anything when using an objectClass=inetOrgPerson filter, but it seems to work when using an objectClass=user filter.

adam-lebon avatar Aug 03 '22 00:08 adam-lebon

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Oct 02 '22 00:10 stale[bot]

It's not completed, though.

fayak avatar Oct 09 '22 15:10 fayak

@fayak It's not complete because it has been labeled as 'wontfix', which is a shame, as this makes Authentik not compatible with vCenter using its LDAP implementation. vCenter uses the query objectClass=inetOrgPerson, as @adam-lebon pointed out.

This is not a configurable option in vCenter. I understand that there is a "way" to use OIDC with vCenter, but that requires that your vCenter be joined to an Active Directory domain, among other things. I wish @BeryJu would reconsider adding support for this in the LDAP Provider.

obsidiangroup avatar Dec 14 '22 14:12 obsidiangroup

This is still a relevant issue. I'm facing it while trying to use the LDAP outpost for a mail server.

Zekfad avatar Jan 20 '23 05:01 Zekfad

Apparently this issue still exists. Trying to bind a Synology server to it and it fails when checking the filter. I tried (objectClass=organizationalPerson), (objectClass=inetOrgPerson), (objectClass=goauthentik.io/ldap/user), (objectClass=user) and none of them gets past the filter check on the Synology. Has anyone been successful?

felipebaez avatar Jul 03 '23 12:07 felipebaez