
Not retrieving LDAP groups

Open FabioRighe opened this issue 2 years ago • 2 comments

Current Behavior

I configured Dependency-Track with my LDAP instance (NetIQ/Novell eDirectory). The authentication goes well, but when I try to map an LDAP group in a Team, Dependency-Track finds no groups: [screenshot]

I checked the logs but I didn't find the call to retrieve all LDAP groups. However, I think that the problem could be in the LDAP search filters for groups, alpine.ldap.groups.filter and alpine.ldap.groups.search.filter.

I followed guidelines of the documentation and this is my config:

    ALPINE_LDAP_SERVER_URL: ldap://ldapmgsv.mycompany.it:389
    ALPINE_LDAP_BASEDN: o=Accounts,dc=CORP,dc=MYCOMPANY,dc=NET
    ALPINE_LDAP_SECURITY_AUTH: simple
    ALPINE_LDAP_AUTH_USERNAME_FORMAT: "%s"
    ALPINE_LDAP_BIND_USERNAME: cn=LDAP_ADMIN_READ,ou=Application,ou=Technical,o=Accounts,dc=CORP,dc=MYCOMPANY,dc=NET
    ALPINE_LDAP_BIND_PASSWORD: mypassword
    ALPINE_LDAP_ATTRIBUTE_NAME: cn
    ALPINE_LDAP_ATTRIBUTE_MAIL: mail
    ALPINE_LDAP_USER_PROVISIONING: "true"
    ALPINE_LDAP_TEAM_SYNCHRONIZATION: "true"
    ALPINE_LDAP_GROUPS_FILTER: (|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))
    ALPINE_LDAP_GROUPS_SEARCH_FILTER: (&(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(cn=*{SEARCH_TERM}*))

I tried many other values in ALPINE_LDAP_GROUPS_FILTER and ALPINE_LDAP_GROUPS_SEARCH_FILTER, including the value proposed here for NetIQ/Novell eDirectory, but the result is the same.

Logs:

2023-02-27 11:38:36,357 DEBUG [LdapAuthenticationService] Attempting to authenticate user: user7159
2023-02-27 11:38:36,357 DEBUG [LdapAuthenticationService] Validating credentials for: user7159
2023-02-27 11:38:36,374 DEBUG [LdapConnectionWrapper] Creating LDAP context for: cn=user7159,ou=User,o=Accounts,dc=CORP,dc=MYCOMPANY,dc=NET
2023-02-27 11:38:36,384 DEBUG [LdapAuthenticationService] The supplied credentials are valid for: user7159
2023-02-27 11:38:36,388 DEBUG [LdapAuthenticationService] Attempting to authenticate user: user7159
2023-02-27 11:38:38,213 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: cpe23:/cpe\:2\.3\:*\:com.mycompanygroup.arte\:ldap\-web\-services\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits
2023-02-27 11:38:38,314 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: cpe23:/cpe\:2\.3\:*\:.*\:ldap\-web\-services\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits
2023-02-27 11:38:38,314 DEBUG [FuzzyVulnerableSoftwareSearchManager] Performing lucene ~ fuzz matching on 'ldap-web-services'
2023-02-27 11:38:38,323 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: product:ldap-web-services~0.88 AND cpe23:/cpe\:2\.3\:*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits
2023-02-27 11:38:38,330 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: cpe23:/cpe\:2\.3\:*\:com.ggs.ldap\:ldap_jar\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits
2023-02-27 11:38:38,428 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: cpe23:/cpe\:2\.3\:*\:.*\:ldap_jar\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits
2023-02-27 11:38:38,428 DEBUG [FuzzyVulnerableSoftwareSearchManager] Performing lucene ~ fuzz matching on 'ldap_jar'
2023-02-27 11:38:38,429 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: product:ldap_jar~0.88 AND cpe23:/cpe\:2\.3\:*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits
2023-02-27 11:39:25,897 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: cpe23:/cpe\:2\.3\:*\:com.mycompanygroup.arte\:ldap\-web\-services\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits
2023-02-27 11:39:25,987 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: cpe23:/cpe\:2\.3\:*\:.*\:ldap\-web\-services\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits
2023-02-27 11:39:25,987 DEBUG [FuzzyVulnerableSoftwareSearchManager] Performing lucene ~ fuzz matching on 'ldap-web-services'
2023-02-27 11:39:25,995 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: product:ldap-web-services~0.88 AND cpe23:/cpe\:2\.3\:*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits
2023-02-27 11:39:26,006 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: cpe23:/cpe\:2\.3\:*\:com.ggs.ldap\:ldap_jar\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits
2023-02-27 11:39:26,107 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: cpe23:/cpe\:2\.3\:*\:.*\:ldap_jar\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits
2023-02-27 11:39:26,108 DEBUG [FuzzyVulnerableSoftwareSearchManager] Performing lucene ~ fuzz matching on 'ldap_jar'
2023-02-27 11:39:26,110 DEBUG [FuzzyVulnerableSoftwareSearchManager] Searching for: product:ldap_jar~0.88 AND cpe23:/cpe\:2\.3\:*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*\:.*/ - Total Hits: 0 hits

When is the query to retrieve LDAP groups done? In the logs there is no trace of it. Why? How do I have to change my configuration to make it work?

Steps to Reproduce

  1. Configure NetIQ/Novell eDirectory LDAP
  2. Authenticate
  3. In the Administration panel open Teams
  4. Click "+" on Mapped LDAP groups
  5. Result: No matching records found
  6. Check the logs, but find nothing of the LDAP query to retrieve all groups

Expected Behavior

To find all groups from LDAP in the dialog above

Dependency-Track Version

4.7.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

FabioRighe avatar Feb 27 '23 11:02 FabioRighe

I searched the name of a group in the filter above and Dependency-Track found the group, so it works and the search is now logged. My question now is only why the search is done only when you filter groups.

I suspect that ALPINE_LDAP_GROUPS_FILTER isn't applied, unlike ALPINE_LDAP_GROUPS_SEARCH_FILTER, which is working correctly.

FabioRighe avatar Feb 27 '23 14:02 FabioRighe

I have the same issue in Dependency-Track 4.13.5 integrated with AD LDAP. Even though an ldapsearch with the filter "(&(objectClass=group)(objectCategory=Group)(CN=groupname))" returns the needed group, giving the same filter to alpine.ldap.groups.search.filter in application.properties leaves the Select LDAP Group dialog empty. There are no logs to investigate what happened.

@FabioRighe: Did you keep both filters, ALPINE_LDAP_GROUPS_FILTER and ALPINE_LDAP_GROUPS_SEARCH_FILTER, when you were finally able to display the LDAP group in DT?

I've tried with both and also with a single one at a time, but with the same result.

As for LDAP users, they are getting populated at first login as they should, with 403 (Forbidden). The problem I have is with groups and the fact that I cannot see the only group which I've filtered displayed in Select LDAP Group.

application.properties Config:

    alpine.ldap.server.url=ldaps://ldaps.example.com
    alpine.ldap.basedn=DC=example,DC=com
    alpine.ldap.security.auth=simple
    alpine.ldap.bind.username=CN=user_ldap,OU=Application,OU=Service Accounts,OU=Domain Users,DC=example,DC=com
    alpine.ldap.bind.password=password
    alpine.ldap.auth.username.format=%s
    alpine.ldap.attribute.name=sAMAccountName
    alpine.ldap.attribute.mail=mail
    alpine.ldap.groups.filter=(&(objectClass=group)(objectCategory=Group)(cn=groupname))
    alpine.ldap.user.groups.filter=(member=cn=testmember)
    alpine.ldap.groups.search.filter=(&(objectClass=group)(objectCategory=Group)(cn=groupname))
    alpine.ldap.users.search.filter=(&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=groupname))
    alpine.ldap.user.provisioning=true
    alpine.ldap.team.synchronization=true

In the logs there is only this (even with the DEBUG logger level applied):

2025-12-05 13:09:06,747 [] INFO [alpine.server.tasks.LdapSyncTask] Starting LDAP synchronization task
2025-12-05 13:09:08,326 [] INFO [alpine.server.tasks.LdapSyncTask] LDAP synchronization complete

Thanks for some ideas

elenavgheorghiu avatar Dec 05 '25 13:12 elenavgheorghiu
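An offline way to check what a groups filter and a `{SEARCH_TERM}` search filter like the ones in this issue actually match, as an added example that is not Dependency-Track code nor either commenter's: a small RFC 4515 filter evaluator run against constructed group entries, including how a search term should be escaped before it is spliced into the filter. The sample entries, the `escape_value` helper and the assumption that `cn` and `objectClass` use caseIgnore matching are illustration only.

```python
import re

def escape_value(term):
    """Escape a value before splicing it into a filter (RFC 4515 section 3)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in term)

def unescape(part):  # turn \XX hex escapes back into literal characters
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)

def parse(s, i=0):
    """Parse the filter starting at s[i]; returns (node, index after it)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    if s[i + 1] in "&|!":  # and / or / not with nested child filters
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    end = s.index(")", i)
    attr, _, value = s[i + 1:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """entry maps lower-cased attribute names to value lists (caseIgnore match)."""
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    _, attr, pattern = node
    # An unescaped '*' is a wildcard; escaped characters are matched literally.
    regex = "".join(".*" if p == "*" else re.escape(unescape(p))
                    for p in re.split(r"(\*)", pattern))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))

# Constructed sample entries (not real directory data).
ENTRIES = [
    {"cn": ["DT-Admins"], "objectclass": ["top", "groupOfNames"]},    # eDirectory-style group
    {"cn": ["dt-readers"], "objectclass": ["top", "group"]},          # Active Directory group
    {"cn": ["svc-reader"], "objectclass": ["top", "inetOrgPerson"]},  # a user, not a group
]
GROUPS_FILTER = "(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))"
SEARCH_FILTER = "(&(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(cn=*{SEARCH_TERM}*))"

def group_names(filter_str, search_term=None):
    """Names of ENTRIES matching the filter, with {SEARCH_TERM} escaped and substituted."""
    if search_term is not None:
        filter_str = filter_str.replace("{SEARCH_TERM}", escape_value(search_term))
    node, _ = parse(filter_str)
    return [e["cn"][0] for e in ENTRIES if matches(node, e)]
```

With an empty search term the search filter degenerates to the plain groups filter, and an escaped `*` in the term is matched literally rather than widening the search.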