Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
master
-
None
-
None
Description
The LdapDeltaUserGroupBuilder constructs the LDAP filter in a way that is inconsistent with LdapUserGroupBuilder and generates a potentially invalid filter:
extendedGroupSearchFilter = "(&" + extendedGroupSearchFilter + "(|(" + groupMemberAttributeName + "={0})(" + groupMemberAttributeName + "={1})))";
Resulting in the following in the logs:
25 May 2017 04:23:11 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization completed with -- groupSearchEnabled: true, groupSearchBase: [dc=local], groupSearchScope: 2, groupObjectClass: posixGroup, groupSearchFilter: , extendedGroupSearchFilter: (&null(|(memberUid={0})(memberUid={1}))), extendedAllGroupsSearchFilter: null, groupMemberAttributeName: memberUid, groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, memberUid, cn, modifytimestamp], groupUserMapSyncEnabled: false, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
NB - Various bits of the log line deleted for security purposes
Note the &null present in the filter
If you compare with how LdapUserGroupBuilder builds the filter it does the following first:
extendedGroupSearchFilter = "(objectclass=" + groupObjectClass + ")"; if (groupSearchFilter != null && !groupSearchFilter.trim().isEmpty()) { String customFilter = groupSearchFilter.trim(); if (!customFilter.startsWith("(")) { customFilter = "(" + customFilter + ")"; } extendedGroupSearchFilter = extendedGroupSearchFilter + customFilter; } extendedAllGroupsSearchFilter = "(&" + extendedGroupSearchFilter + ")"; if (!groupSearchFirstEnabled) { extendedGroupSearchFilter = "(&" + extendedGroupSearchFilter + "(|(" + groupMemberAttributeName + "={0})(" + groupMemberAttributeName + "={1})))"; }