ldap2pg
Filter for subsearches
Hello
I want to filter only users for subsearches. But the filter is not applied.
ldap2pg.yml
- description: "Search LDAP"
  ldapsearch:
    base: CN=pg_userdb,OU=Groups,DC=example,DC=com
    filter: '(objectClass=Group)'
    scope: sub
    joins:
      member:
        scope: base
        filter: '(objectClass=User)'
    on_unexpected_dn: fail
Expectations
In debug mode, I see subsearch
cmd="ldapsearch -H ldaps://ldap1.example.com -l 30 -Y DIGEST-MD5 -U ldapusr1 -b 'CN=Role PostgreSQL Superusers,OU=DB Team,OU=Groups,DC=example,DC=com' ' -s sub '(objectClass=*)' sAMAccountName"
Why is the filter '(objectClass=User)' not applied to the subsearch? How can I specify a filter for a subsearch?
Hi @kkrasnov1. Can you share the role rule?
- description: "Search LDAP"
  ldapsearch:
    base: CN=pg_userdb,OU=Groups,DC=example,DC=com
    filter: '(objectClass=Group)'
    scope: sub
    joins:
      member:
        scope: base
        filter: '(objectClass=User)'
    on_unexpected_dn: fail
  roles:
  - name: '{sAMAccountName.lower()}_1'
    options: NOLOGIN
    comment: 'AD group: pg_userdb_1'
  - name: '{member.sAMAccountName.lower()}'
    options: LOGIN
    parent:
    - '{sAMAccountName.lower()}_1'
    - ldap_roles
    comment: 'AD user: {member.sAMAccountName.lower()}'
  grant:
  - privilege: 'priv_writers'
    role: '{sAMAccountName.lower()}_1'
    database: 'userdb'
This looks like a bug. I need to investigate.