sdwilsh commented Oct 28, 2025

Description

Searching an LDAP group by entryUUID does not make a lot of sense. This change drops that query.

Related Issue

Motivation and Context

As described in the related Issue, my LDAP backend, LLDAP, does not support a substring query on entryUUID, and actually returns an error that completely breaks my ability to add anyone to a Space.

This is a breaking change if anybody actually depended on this behavior, but as @rhafer pointed out in the related Issue, other LDAP servers like OpenLDAP don't support this query either (but fail with no results), so it is dependent upon the LDAP server that is being used.

How Has This Been Tested?

  • cd services/graph/pkg/identity && go test

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation added

@sdwilsh sdwilsh marked this pull request as ready for review October 28, 2025 01:55
micbar commented Oct 28, 2025

@rhafer FYI

rhafer commented Oct 28, 2025

@sdwilsh Thanks a lot for your contribution!

> This is a breaking change if anybody actually depended on this behavior, but as @rhafer pointed out in the related Issue, other LDAP servers like OpenLDAP don't support this query either (but fail with no results), so it is dependent upon the LDAP server that is being used.

Actually this is not a breaking change. According to the LDAP standards, the UUID syntax (as used for any UUID-valued attribute) does not have a substring matching rule defined. So any substring filter for an attribute of a UUID type evaluates to undefined. And for the concrete filter that means that it will be ignored because it is ORed with another filter (at least on a standards-conforming LDAP server). I removed the Breaking Change marker.

Additionally, adding the GroupId to the filter for the group search seems to have been a bug from the beginning. This doesn't really make sense.
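
The evaluation rule rhafer refers to, as an added example that is not part of this pull request or the OpenCloud code: a small Go model of RFC 4511 three-valued filter evaluation, showing that an Undefined `entryUUID` substring term ORed with another term does not change which entries match. The `cn` term, the sample entries and every function name here are assumptions; the page does not show the actual filter.

```go
package main

import (
	"fmt"
	"strings"
)

// Tri is the three-valued filter result of RFC 4511, section 4.5.1.7.
type Tri int
const False, Undefined, True Tri = 0, 1, 2
type Entry map[string]string // constructed stand-in for a directory entry

// Substr evaluates (attr=*needle*); entryUUID (UUID syntax) has no substring rule.
func Substr(e Entry, attr, needle string) Tri {
	if strings.EqualFold(attr, "entryUUID") {
		return Undefined
	}
	if strings.Contains(strings.ToLower(e[attr]), strings.ToLower(needle)) {
		return True
	}
	return False
}

// Match evaluates (|(a1=*term*)(a2=*term*)...). An OR is True if any term is
// True, False if all are False, else Undefined: the maximum of its terms.
func Match(e Entry, term string, attrs ...string) Tri {
	res := False
	for _, a := range attrs {
		if v := Substr(e, a, term); v > res {
			res = v
		}
	}
	return res
}

// Search returns the cn of entries whose filter is True; Undefined excludes.
func Search(entries []Entry, term string, attrs ...string) (out []string) {
	for _, e := range entries {
		if Match(e, term, attrs...) == True {
			out = append(out, e["cn"])
		}
	}
	return out
}

func main() {
	g := []Entry{{"cn": "admins", "entryUUID": "3f2c1ad4-0000-4000-8000-00000000ad01"}} // constructed
	fmt.Println(Search(g, "ad", "cn", "entryUUID"), Search(g, "ad", "cn"))
}
```

A server that answers the unsupported substring assertion with an error instead of Undefined, as described for LLDAP above, fails the whole search rather than dropping the term.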

@rhafer rhafer left a comment

Thanks again for submitting this fix. It's highly appreciated!

@rhafer rhafer merged commit 920a691 into opencloud-eu:main Oct 28, 2025
59 checks passed
@openclouders openclouders mentioned this pull request Oct 27, 2025
Development

Successfully merging this pull request may close these issues.

LDAP searches can return weird matches based on an ID match