Several problems with LDAP query filters #10

Open
istvanrath opened this issue Dec 10, 2013 · 5 comments

@istvanrath

Hi,

I have experimented with several LDAP filtered queries, and found that most filters basically don't work as expected:

  • (mail=whatever) incorrectly returns the entire list of users, regardless of whether the email address provided matches or not.
  • (uid=whatever) incorrectly returns substring matches as well, e.g. it returns "test.user" for the query filter "(uid=user)"

I have tested these cases with phpLDAPAdmin.
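
A client that cannot rely on the server applying the filter can re-check the returned entries itself. The following is an added example, not part of the original post or of crowd-ldap-server: it re-applies a simple equality filter to the search results. The function names, the entry layout and the sample data are assumptions constructed for illustration.

```python
import re

# Simple equality filter only: (attr=value), no wildcards or nested filters.
_EQ_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^*()\\]+)\)$")


def parse_equality_filter(ldap_filter):
    """Return (attr, value) for a plain '(attr=value)' filter, else raise."""
    m = _EQ_FILTER.match(ldap_filter.strip())
    if not m:
        raise ValueError("only simple equality filters are supported: %r" % ldap_filter)
    return m.group(1).lower(), m.group(2)


def recheck_results(ldap_filter, entries):
    """Split server results into (matching, unexpected) by re-applying the filter.

    entries: list of (dn, attrs) where attrs maps attribute name -> list of str.
    Comparison is case-insensitive, as uid and mail use case-ignore matching.
    """
    attr, wanted = parse_equality_filter(ldap_filter)
    wanted = wanted.strip().casefold()
    matching, unexpected = [], []
    for dn, attrs in entries:
        values = []
        for name, vals in attrs.items():
            if name.lower() == attr:
                values.extend(vals)
        if any(v.strip().casefold() == wanted for v in values):
            matching.append(dn)
        else:
            unexpected.append(dn)
    return matching, unexpected


def resolve_single_user(ldap_filter, entries):
    """Return the one DN that truly matches, or raise if zero or several do."""
    matching, _ = recheck_results(ldap_filter, entries)
    if len(matching) != 1:
        raise LookupError("expected exactly one match, got %d" % len(matching))
    return matching[0]


# Constructed sample data imitating the over-broad results described above.
SAMPLE = [
    ("uid=test.user,ou=users,dc=example,dc=org",
     {"uid": ["test.user"], "mail": ["test.user@example.org"]}),
    ("uid=user,ou=users,dc=example,dc=org",
     {"uid": ["user"], "mail": ["user@example.org"]}),
]
```

Entries that land in the `unexpected` list are worth logging, since they show the directory returned more than the filter asked for.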

@dwimberger
Owner

There was no requirement to implement a fully functional LDAP Server, so really only authentication within the boundaries of the apps I needed to integrate so far really works.

This is also the reason I made the repository public, because being open source, you can add functionality you need under the terms you prefer :)

I suppose that some things can be implemented on top of the provided search functionality in the REST API.

@istvanrath
Author

OK that's fine, but at least the documentation should indicate this, as these are fairly prohibitive limitations once you need to provide authentication to practical front-ends such as e-mail management etc.

Just out of curiosity: is this really missing functionality from your code, or a bug (as I would have thought queries would be forwarded to the Apache Directory)?

@dwimberger
Owner

I added a note about this to the Wiki actually :)
https://github.com/dwimberger/crowd-ldap-server/wiki

Yes it is missing functionality. And no, queries are not forwarded, they are handled by a custom partition that essentially uses the Crowd REST API (Java Integration Client) for handling. The limiting factor in functionality will be the Integration/REST API (e.g. it does not permit to retrieve password hashes for example).

@istvanrath
Author

Thanks for the reply. I've amended the wiki to make this a bit more clear.

> And no, queries are not forwarded, they are handled by a custom partition that essentially uses the Crowd REST API (Java Integration Client) for handling.

I'm wondering: wouldn't it be better to somehow "clone" as much info as possible from Crowd into the Apache Directory, and have that serve everything? This way, you would only have to pipe those requests through the Crowd REST which cannot be copied over (e.g. password hashes).

@JanGe

JanGe commented Aug 21, 2014

To connect Seafile with Crowd over LDAP, I did a quick hack to the findOneLevel() method to support filtering for email addresses. You can find the changes here: JanGe/crowd-ldap-server@0e53608
Not perfect, but it works. ;)
