
LDAP Configuration: Changing Username Attribute #3076

Open
steffenba opened this issue Nov 18, 2024 · 5 comments

steffenba commented Nov 18, 2024

Hey there,

I'm not sure if this is something I am misunderstanding regarding LDAP configuration.
I replicated this in a local Docker Compose environment with openldap and can confirm that this happens in the Docker version of Cloudbeaver CE.

I want to use another attribute than "cn" for logging in, since in my AD, the CN Attribute contains characters that are unhelpful (I can't do anything about that). Instead I would like to use sn in this example.

With other solutions, I would use the following config:

"authConfigurations": [
  {
    "id": "ldap",
    "provider": "ldap",
    "displayName": "LDAP",
    "disabled": false,
    "iconURL": "",
    "description": "",
    "parameters": {
      "ldap-host": "test-ldap",
      "ldap-port": "1389",
      "ldap-dn": "ou=users,dc=example,dc=org",
      "ldap-cn": "",
      "ldap-bind-user": "cn=admin,dc=example,dc=org",
      "ldap-bind-user-pwd": "admin",
      "ldap-filter": "(sn=%s)"
    }
  }
]

[openldap] | 673aefe1 conn=1002 fd=15 ACCEPT from IP=10.89.3.7:43074 (IP=0.0.0.0:1389)
[openldap] | 673aefe1 conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
[openldap] | 673aefe1 conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE ssf=0
[openldap] | 673aefe1 conn=1002 op=0 RESULT tag=97 err=0 text=
[openldap] | 673aefe1 conn=1002 op=1 SRCH base="cn=Bar1,ou=users,dc=example,dc=org" scope=2 deref=3 filter="(sn=*)"
[openldap] | 673aefe1 conn=1002 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
[openldap] | 673aefe1 conn=1002 op=2 UNBIND
[openldap] | 673aefe1 conn=1002 fd=15 closed

(Bar1 is the sn value for user user01)

No matter which combination I try, setting ldap-cn to sn or whatever, Cloudbeaver always maps the entered username to "cn=,".
Am I missing something here?

If desired I can provide a compose file to replicate my question.

@steffenba steffenba added question Further information is requested wait for review labels Nov 18, 2024
@EvgeniaBzzz (Contributor)

Hi @steffenba
The right attribute name is ldap-identifier-attr (instead of ldap-cn). We have an inaccuracy in the documentation, sorry for that.
Please try to use it.

@steffenba (Author)

Hey,

Thank you for the feedback; sadly, this doesn't yield the expected result.
What Cloudbeaver seems to be doing is trying to match a DN to the ldap-identifier-attribute, which won't work, because the DN attribute is CN.

What I expected it to do was just leaving out the cn= part, search for all users in a basedn using the filter "(sAMAccountname=%s)" where %s is the entered username and returning the result.

I cannot search for a user by uid=user01,ou=users,dc=example,dc=org, I verified this by using Apache Directory Studio.

The same problem has been identified in #2715

kakawait commented Nov 18, 2024

I have a similar issue. I've POC-ed something (please do not use that code in production; I don't even care about existing compatibility, it is just a POC) to respond to the problem:

devel...kakawait:cloudbeaver:username-available-inside-ldap-filter

I'm using https://docs.oracle.com/en/java/javase/11/docs/api/java.naming/javax/naming/directory/DirContext.html#search(javax.naming.Name,java.lang.String,java.lang.Object%5B%5D,javax.naming.directory.SearchControls) to allow people to use userName inside the filter, like

(sn={0})

And then a few modifications after that to retrieve the DN from the search result, because the code that follows validation depends on the DN.

I think I'll continue working on my fork to allow specifying a mapping of other attributes as the final username instead of the first element of the DN.

But as of today it is working for my use case, where I'm relying on uid instead of cn.
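The two-step flow kakawait describes (search the base DN with a parameterized filter, take the DN from the hit, then bind as that DN), written out as an added example in plain JNDI. This is not Cloudbeaver's code and not kakawait's fork; the `ldap://test-ldap:1389` URL, base DN, bind user and the `{0}` filter are assumptions taken from the config and filter quoted in this thread. The point of `filterArgs` over `String.format("(sn=%s)", login)` is that JNDI escapes the argument value per the LDAP filter grammar, so a login name containing `*`, `(`, `)` or `\` cannot rewrite the filter. The example also refuses empty passwords, because a simple bind with an empty password is treated as an anonymous bind by many servers and would otherwise "succeed".

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapFilterLogin {

    // Assumed settings; they mirror the "ldap-*" parameters quoted in the issue
    // but are hypothetical values for this example only.
    static final String URL = "ldap://test-ldap:1389";
    static final String BASE_DN = "ou=users,dc=example,dc=org";
    static final String BIND_DN = "cn=admin,dc=example,dc=org";
    static final String BIND_PWD = "admin";
    static final String FILTER = "(sn={0})";    // JNDI placeholder, not String.format's %s
    static final String USERNAME_ATTR = "uid";  // attribute reported as the final username

    /** Opens a simple-bind connection as the given DN. */
    static DirContext connect(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }

    /**
     * Resolves the entered login name to exactly one entry under BASE_DN.
     * Returns {dn, mappedUsername}, or null when zero or several entries match.
     */
    static String[] findUser(String login) throws NamingException {
        DirContext ctx = connect(BIND_DN, BIND_PWD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { USERNAME_ATTR });
            // The login value goes in filterArgs: JNDI escapes it, so it cannot alter the filter.
            // The search base stays BASE_DN; the login is never spliced into a DN such as "cn=<login>,<base>".
            NamingEnumeration<SearchResult> results =
                    ctx.search(BASE_DN, FILTER, new Object[] { login }, sc);
            if (!results.hasMore()) {
                return null;                       // unknown user
            }
            SearchResult hit = results.next();
            if (results.hasMore()) {
                return null;                       // ambiguous match: refuse rather than guess
            }
            String dn = hit.getNameInNamespace();  // full DN of the matched entry
            Attribute mapped = hit.getAttributes().get(USERNAME_ATTR);
            String username = mapped == null ? dn : String.valueOf(mapped.get());
            return new String[] { dn, username };
        } finally {
            ctx.close();
        }
    }

    /** Returns the mapped username on success, null on any failure. */
    static String authenticate(String login, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            return null;  // empty credentials would become an anonymous bind on many servers
        }
        String[] user = findUser(login);
        if (user == null) {
            return null;
        }
        try {
            connect(user[0], password).close();  // bind as the resolved DN with the user's own password
            return user[1];
        } catch (AuthenticationException e) {
            return null;                         // wrong password
        }
    }

    public static void main(String[] args) throws NamingException {
        String user = authenticate(args[0], args[1]);
        System.out.println(user == null ? "login rejected" : "logged in as " + user);
    }
}
```

Run it as `java LdapFilterLogin Bar1 <password>` against a directory that matches the assumed settings; with the thread's sample data the search would hit `user01` by its `sn` and report its `uid` as the session username.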

@EvgeniaBzzz (Contributor)

@steffenba @kakawait
Thank you for the detailed description. Improvements will be added in one of the future releases.

@EvgeniaBzzz EvgeniaBzzz added feature request Let's add something new and removed wait for response question Further information is requested labels Nov 18, 2024
@kakawait

I'm using a bit of the same logic as SonarQube: https://docs.sonarsource.com/sonarqube/9.9/instance-administration/authentication/ldap/#configuration-sample

But it is missing username mapping. I don't think that is a big deal; it's just my first time testing and checking the codebase, so I need to check how to add new conf.
