directory-connector icon indicating copy to clipboard operation
directory-connector copied to clipboard
verified publisher icon bitwarden

Missing paren(thesis ?) in directory connector

Open qay21 opened this issue 3 years ago • 2 comments

(initially posted on the community forum, but it might actually be more of a bug report than a support matter, so here we are)

Hi there,

The directory connector just updated itself to v2.9.10, latest at this point. I wanted to run a sync, so clicked on “sync now” as usual. I get a red error popup saying An error has occurred : missing paren. I guess “paren” here mean “parenthesis”.

I cleared sync cache, retried, same problem. No abnormal output on terminal. I opened the dev console, where I can see a logged LDAP request followed by the same error Received API exception: Error: missing paren at timer @ vendor.js:546353.

I spent quite some time investigating the faulty LDAP request. It seems that not containing ! elements inside parenthesis leads to a bad filter error (tried with ldapSearch). These filters didn’t change between Connector v2.9.10 and the previous one, and are redacted according to the tip under each field.

In the Connector’s GUI, the filter in the tip under the group filter is as follow :

(&!(name=Sales*)!(name=IT*))

This inserted in ldapSearch will also result in a bad filter error, while this fixed filter is okay :

(&(!(name=Sales*))(!(name=IT*)))

I think that Connector v2.9.10 is now using a more strict LDAP filter syntax checking than before, and this makes previously written filters raise errors. Not a bad thing, overall, but if I’m correct, I think filters field’s tips should be updated to better reflect this strict syntax check.

One could also consider fixing the error text, only writing “paren” made me initially think that the connector was broken somehow, not being able to display the correct error message.

Any thoughts ?

qay21 avatar Feb 18 '22 10:02 qay21

We updated our LDAP library recently, that could've caused a slight change in the accepted filter syntax. I'm just checking with our integration team to verify this and then we can update the example in the GUI.

eliykat avatar Feb 21 '22 07:02 eliykat

Our integration team is reviewing the examples in the GUI and some related items, I've passed this on to them and they will review and resolve as part of this work. Thanks!

eliykat avatar Feb 22 '22 21:02 eliykat

Hi @qay21

Since your original report, some changes have been applied to our Directory Connector client (https://github.com/bitwarden/directory-connector/pull/287). As a result, the team is no longer able to reproduce this bug.

Could you please try again and let us know if you are able to use Group filters again? Please make sure you update your Directory Connector client.

Greenderella avatar Feb 16 '23 09:02 Greenderella

Hi @Greenderella

I was always able to use group filters, I just had to write these in a stricter way than what was given as an example under the field itself.

Now I can see that the example has been updated, since it also follow the stricter syntax I've been using since I opened this issue. Since other LDAP browsing tools (mainly ldapsearch from LdapUtils on Debian) also seems to require this syntax, I guess it was the old Connector syntax that was a bad practice, so I did not try to use it again.

So in conclusion, Connector's accepted filters are consistent with Connector's examples AND with other LDAP tools. I would say this is fixed.

Thank you for your feedback !

qay21 avatar Feb 16 '23 09:02 qay21