Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
master
-
None
-
None
Description
The LdapDeltaUserGroupBuilder constructs the LDAP filter in a way that is inconsistent with LdapUserGroupBuilder and generates a potentially invalid filter:
extendedGroupSearchFilter = "(&" + extendedGroupSearchFilter + "(|(" + groupMemberAttributeName + "={0})(" + groupMemberAttributeName + "={1})))";
Resulting in the following in the logs:
25 May 2017 04:23:11 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization completed with --
groupSearchEnabled: true, groupSearchBase: [dc=local], groupSearchScope: 2, groupObjectClass: posixGroup,
groupSearchFilter: , extendedGroupSearchFilter: (&null(|(memberUid={0})(memberUid={1}))),
extendedAllGroupsSearchFilter: null, groupMemberAttributeName: memberUid,
groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, memberUid, cn, modifytimestamp], groupUserMapSyncEnabled: false, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
NB - Various bits of the log line deleted for security purposes
Note the &null present in the filter
If you compare with how LdapUserGroupBuilder builds the filter it does the following first:
extendedGroupSearchFilter = "(objectclass=" + groupObjectClass + ")";
if (groupSearchFilter != null && !groupSearchFilter.trim().isEmpty()) {
String customFilter = groupSearchFilter.trim();
if (!customFilter.startsWith("(")) {
customFilter = "(" + customFilter + ")";
}
extendedGroupSearchFilter = extendedGroupSearchFilter + customFilter;
}
extendedAllGroupsSearchFilter = "(&" + extendedGroupSearchFilter + ")";
if (!groupSearchFirstEnabled) {
extendedGroupSearchFilter = "(&" + extendedGroupSearchFilter + "(|(" + groupMemberAttributeName + "={0})(" + groupMemberAttributeName + "={1})))";
}