LDAP: Issues with admin filter

Hi,
I'm currently playing around with an LDAP setup for my Gitea instance.
Or rather, I'm setting up LDAP to synchronize authentication between several services I'm hosting so users don't have to remember 5 different usernames/passwords.

I could easily get authentication working with both LDAP methods, but I can't get the admin filter working correctly.

I have two groups on my ldap server:

cn=gitea,ou=groups,dc=example,dc=com
cn=gitea_admin,ou=groups,dc=example,dc=com

My main user filter is the following:

(&(objectClass=posixAccount)(uid=%s)(memberOf=cn=gitea,ou=groups,dc=example,dc=com))

This works fine and only users which are a member of the gitea group can authenticate.

Tried the same for my admin filter:

(&(objectClass=posixAccount)(uid=%s)(memberOf=cn=gitea_admin,ou=groups,dc=example,dc=com))

But this fails, and I can see why in my LDAP server logs. The admin filter won't substitute the %s with the correct username, so this search turns up empty. I also tried only filtering by memberOf:

(memberOf=cn=gitea_admin,ou=groups,dc=example,dc=com)

But this results in every user getting admin privileges… :stuck_out_tongue:
It seems like it's just searching for this filter on the LDAP server and doesn't care which user this applies to.

Any idea how to fix this, or is it a bug that the substitution isn't working?
I can live without setting admin privileges using an LDAP group, as I could always set this using the Gitea UI if I ever need it; still wondering what the issue is…

Hi,
I have the same issue.
Did you find a solution in the meantime?
Thx

I never got a reply and couldn't solve this on my own. As I don't need additional admins for now, I also kind of forgot about it… :slight_smile:
Maybe we should create an issue on the official repository to get a bit more attention for this.

I was following this topic when it first appeared, but have since been able to work out the details on my instance using Apache Directory Studio.

In my case, the memberOf approach was what I needed, but it may not be appropriate for your directory. Apache Directory Studio helped me see the results of various queries and view user attributes. I can’t promise anyone else will have the same results, but I recommend it.

So you just added an admin filter like (memberOf=cn=gitea_admin,ou=groups,dc=example,dc=com) and it works for you?
Like I said, this will return true for every user account, as it searches the whole directory and matches any user. Maybe this is because of my LDAP server (glauth)…

Correct. My admin filter is as you describe.

Your issue may indeed be your choice of LDAP server.
See glauth issue #86 "Cant enumerate groups or members of groups", which has been open for almost two years now.

Ah, thanks for the issue link.
I really love glauth for my use case and this is a bummer.
Even wrote a web management UI for it while learning Flask.

There was a workaround posted in the GitHub issue for querying certain groups and their members; I will try this later and report back if this changes anything.

UPDATE:
Well, I should have known better, as this also gives a result every time with glauth and doesn't filter for the user doing the search. So admin for everyone again.
I don't have much experience with LDAP, but your server seems to limit the admin filter search to the current user, and with glauth this doesn't happen. And I really wonder why it isn't just checking the current user but performs a server-wide search with the filter.

Having placeholders (%s) available for the admin filter would be nice, I guess, but since this is a server-specific issue this won't happen. Well, I can live with setting this manually when I need it, since glauth works nicely for everything else.
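As an added illustration of the behaviour discussed in this thread (this is example code, not Gitea's or glauth's): the model below assumes that the admin filter is run as a subtree search whose base DN is the logged-in user's own entry, with no %s substitution, which is what the posts above report. With a constructed directory of three users it reproduces all three outcomes from the thread: the scoped search grants admin only to the member of the admin group, a server that ignores the requested base DN grants it to everyone, and an admin filter that still contains %s grants it to nobody. The directory entries, the search helper and the honour_base switch are all assumptions made for the example.

```python
"""Model of an LDAP admin-filter check: a subtree search whose base DN is the
authenticated user's own entry. Constructed directory data, not real entries."""

ROOT_DN = "dc=example,dc=com"
USERS_DN = "ou=users," + ROOT_DN
USER_GROUP = "cn=gitea,ou=groups," + ROOT_DN
ADMIN_GROUP = "cn=gitea_admin,ou=groups," + ROOT_DN

# The three filters from the thread; %s is the login name the client substitutes.
USER_FILTER = "(&(objectClass=posixAccount)(uid=%s)(memberOf=" + USER_GROUP + "))"
ADMIN_FILTER = "(memberOf=" + ADMIN_GROUP + ")"
ADMIN_FILTER_WITH_PLACEHOLDER = "(&(objectClass=posixAccount)(uid=%s)(memberOf=" + ADMIN_GROUP + "))"

# Constructed sample directory: alice is in both groups, bob only in gitea, carol in neither.
DIRECTORY = {
    "uid=alice," + USERS_DN: {"objectClass": ["posixAccount"], "uid": ["alice"], "memberOf": [USER_GROUP, ADMIN_GROUP]},
    "uid=bob," + USERS_DN: {"objectClass": ["posixAccount"], "uid": ["bob"], "memberOf": [USER_GROUP]},
    "uid=carol," + USERS_DN: {"objectClass": ["posixAccount"], "uid": ["carol"], "memberOf": []},
}


def parse_filter(text):
    """Parse the subset of RFC 4515 used here: (&...), (|...), (!...) and (attr=value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] != ")":
                children.append(node())
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only equality matches are supported")
        pos = end + 1
        return ("=", attr.lower(), value.lower())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return value in values


def search(directory, base_dn, filter_text, honour_base=True):
    """Subtree search. With honour_base=False the server ignores the requested base DN,
    which is the misbehaviour the thread attributes to glauth (an assumption of this model)."""
    tree = parse_filter(filter_text)
    base = base_dn.lower()
    hits = []
    for dn, entry in directory.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        if (in_scope or not honour_base) and matches(tree, entry):
            hits.append(dn)
    return sorted(hits)


def find_user(directory, login, honour_base=True):
    """Stage 1: user filter with %s replaced by the login (a real client must escape it per RFC 4515)."""
    return search(directory, USERS_DN, USER_FILTER.replace("%s", login), honour_base)


def is_admin(directory, user_dn, admin_filter, honour_base=True):
    """Stage 2: admin filter searched from the user's own DN; any hit grants admin.
    No %s substitution happens here, matching what the thread reports."""
    return len(search(directory, user_dn, admin_filter, honour_base)) > 0


if __name__ == "__main__":
    for login in ("alice", "bob", "carol"):
        hits = find_user(DIRECTORY, login)
        if not hits:
            print(login, "-> not allowed to log in")
            continue
        print(login, "-> admin:", is_admin(DIRECTORY, hits[0], ADMIN_FILTER),
              "| server ignoring base DN:", is_admin(DIRECTORY, hits[0], ADMIN_FILTER, honour_base=False),
              "| filter containing %s:", is_admin(DIRECTORY, hits[0], ADMIN_FILTER_WITH_PLACEHOLDER))
```

The point the model makes explicit is that a plain (memberOf=...) admin filter is only safe when the server restricts the search to the base DN it was given; a quick way to verify your own server is to run that filter with an ordinary user's DN as the base and confirm the result is empty.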