Ranger / RANGER-1615

LdapUserGroupBuilder and LdapDeltaUserGroupBuilder build LDAP group filter inconsistently

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: master
    • Fix Version/s: None
    • Component/s: usersync
    • Labels:
      None

      Description

      The LdapDeltaUserGroupBuilder constructs the LDAP filter in a way that is inconsistent with LdapUserGroupBuilder and generates a potentially invalid filter:

      extendedGroupSearchFilter =  "(&"  + extendedGroupSearchFilter + "(|(" + groupMemberAttributeName + "={0})(" + groupMemberAttributeName + "={1})))";
      

      Resulting in the following in the logs:

      25 May 2017 04:23:11  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization completed with --   
      groupSearchEnabled: true,  groupSearchBase: [dc=local],  groupSearchScope: 2,  groupObjectClass: posixGroup,  
      groupSearchFilter: ,  extendedGroupSearchFilter: (&null(|(memberUid={0})(memberUid={1}))),  
      extendedAllGroupsSearchFilter: null,  groupMemberAttributeName: memberUid,  
      groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, memberUid, cn, modifytimestamp],  groupUserMapSyncEnabled: false, groupSearchFirstEnabled: false, userSearchEnabled: false,  ldapReferral: ignore
      

      NB - Various bits of the log line deleted for security purposes

      Note the &null present in the filter

      If you compare with how LdapUserGroupBuilder builds the filter it does the following first:

      extendedGroupSearchFilter = "(objectclass=" + groupObjectClass + ")";
      if (groupSearchFilter != null && !groupSearchFilter.trim().isEmpty()) {
          String customFilter = groupSearchFilter.trim();
          if (!customFilter.startsWith("(")) {
              customFilter = "(" + customFilter + ")";
          }
          extendedGroupSearchFilter = extendedGroupSearchFilter + customFilter;
      }
      extendedAllGroupsSearchFilter = "(&"  + extendedGroupSearchFilter + ")";
      if (!groupSearchFirstEnabled) {
          extendedGroupSearchFilter =  "(&"  + extendedGroupSearchFilter + "(|(" + groupMemberAttributeName + "={0})(" + groupMemberAttributeName + "={1})))";
      }
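
The two behaviours side by side, as an added example that is not part of the original report and is not Ranger code. The class and helper names are hypothetical, the inputs are taken from the log line above, and it assumes the field was still null when the delta builder concatenated it, as the `&null` in the log suggests.

```java
// Added illustration; GroupFilterDemo and its helpers are hypothetical names.
public class GroupFilterDemo {

    // Mirrors the LdapUserGroupBuilder logic quoted in the report: start from
    // the objectclass clause, then append the optional custom filter.
    static String baseGroupFilter(String groupObjectClass, String groupSearchFilter) {
        String filter = "(objectclass=" + groupObjectClass + ")";
        if (groupSearchFilter != null && !groupSearchFilter.trim().isEmpty()) {
            String custom = groupSearchFilter.trim();
            if (!custom.startsWith("(")) {
                custom = "(" + custom + ")";
            }
            filter += custom;
        }
        return filter;
    }

    // Membership wrapper that refuses an uninitialised base instead of
    // silently embedding the text "null" in the filter.
    static String memberFilter(String base, String memberAttr) {
        if (base == null || base.isEmpty()) {
            throw new IllegalArgumentException("base group filter must be initialised");
        }
        return "(&" + base + "(|(" + memberAttr + "={0})(" + memberAttr + "={1})))";
    }

    public static void main(String[] args) {
        String memberAttr = "memberUid";

        // Java string concatenation renders a null reference as "null",
        // which reproduces the filter seen in the log.
        String uninitialised = null;
        String broken = "(&" + uninitialised
                + "(|(" + memberAttr + "={0})(" + memberAttr + "={1})))";
        System.out.println("delta builder: " + broken);

        // Same settings as the log: groupObjectClass=posixGroup, empty groupSearchFilter.
        System.out.println("consistent:    "
                + memberFilter(baseGroupFilter("posixGroup", ""), memberAttr));

        // Constructed sample: a custom filter supplied without parentheses.
        System.out.println("custom filter: "
                + memberFilter(baseGroupFilter("posixGroup", "cn=hadoop-*"), memberAttr));
    }
}
```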
      

            People

            • Assignee:
              Unassigned
              Reporter:
              rvesse Rob Vesse