group sync is showing error "entry would search outside of the base dn specified" but it's not. #1814

Closed
germanparente opened this issue Jul 5, 2024 · 2 comments

@germanparente

This is a bug that is well known from the support side and that can be seen multiple times in customer environments.

When syncing groups from LDAP, usersQuery.baseDN or groupsQuery.baseDN is case sensitive when, in fact, LDAP should not be.

As an example if we specify in the sync config file:

usersQuery:
    baseDN: "cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG"

we can have an error of this sort:

I0704 15:38:22.006947 27224 ldapinterface.go:99] membership lookup for user "cn=ipausers,cn=groups,cn=accounts,dc=demo1,dc=freeipa,dc=org" in group "uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org" skipped because of "search for entry with dn="uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org" would search outside of the base dn specified (dn="cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG")"

when in fact, we see clearly that in this case cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org is not outside of base DN cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG.

The problem is that DNs should be normalized before being compared.

The issue seems to be in this piece of code:

            if !baseDN.AncestorOf(dn) && !baseDN.Equal(dn) {
                    return nil, NewQueryOutOfBoundsError(attributeValue, o.BaseDN)
            }

There are some functions to normalize DNs only in library github.com/go-ldap/ldap/v3 v3.4.8.

But the current library we are using, github.com/go-ldap/ldap/v3 v3.4.8, already proposes the former functions normalizing the parameters (EqualFold / AncestorOfFold).

A quick fix that I have already tested could be:

diff --git a/vendor/github.com/openshift/library-go/pkg/security/ldapquery/query.go b/vendor/github.com/openshift/library-go/pkg/security/ldapquery/query.go
index 19f276f3e..8868f287a 100644
--- a/vendor/github.com/openshift/library-go/pkg/security/ldapquery/query.go
+++ b/vendor/github.com/openshift/library-go/pkg/security/ldapquery/query.go
@@ -112,9 +112,9 @@ func (o *LDAPQueryOnAttribute) NewSearchRequest(attributeValue string, attribute
if err != nil {
return nil, fmt.Errorf("could not search by dn, invalid dn value: %v", err)
}

  •           if !baseDN.AncestorOf(dn) && !baseDN.Equal(dn) {
    
  •                   return nil, NewQueryOutOfBoundsError(attributeValue, o.BaseDN)
    
  •           }
    
  •            if !baseDN.AncestorOfFold(dn) && !baseDN.EqualFold(dn) {
    
  •                    return nil, NewQueryOutOfBoundsError(attributeValue, o.BaseDN)
    
  •            }
              return o.buildDNQuery(attributeValue, attributes), nil
    
      } else {
    
germanparente added a commit to germanparente/oc that referenced this issue Jul 5, 2024
…'entry would search outside of the base dn specified
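The bounds check the issue describes, reimplemented in plain Go as an added example (this is not the project's, the author's or go-ldap's code): a minimal single-valued DN parser, a strict suffix comparison that reproduces the reported rejection, and a case-folded comparison that accepts the same entry while still rejecting a DN that really lies outside the base. The function names parseDN, withinBase and checkQueryBounds are my own; the three DNs are the ones quoted in the issue, and the error text mirrors the log line above.

```go
package main

import (
	"fmt"
	"strings"
)

// rdn is one single-valued relative distinguished name component.
// Multi-valued RDNs joined with '+' are not handled by this demonstration.
type rdn struct {
	attrType  string
	attrValue string
}

// parseDN splits a DN on unescaped commas and each RDN on its first '='.
// Backslash escapes are kept verbatim. This is a minimal parser written for
// the example, not a replacement for go-ldap's ParseDN.
func parseDN(s string) ([]rdn, error) {
	var parts []string
	var cur strings.Builder
	escaped := false
	for _, r := range s {
		switch {
		case escaped:
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			cur.WriteRune(r)
			escaped = true
		case r == ',':
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	parts = append(parts, cur.String())

	out := make([]rdn, 0, len(parts))
	for _, p := range parts {
		typ, val, ok := strings.Cut(p, "=")
		if !ok {
			return nil, fmt.Errorf("invalid RDN %q in DN %q", p, s)
		}
		out = append(out, rdn{attrType: strings.TrimSpace(typ), attrValue: strings.TrimSpace(val)})
	}
	return out, nil
}

// rdnEqual compares two RDNs either byte-for-byte (the behaviour the issue
// reports as the bug) or with attribute type and value folded to lower case,
// which is what LDAP's default caseIgnoreMatch rule does for DN components.
func rdnEqual(a, b rdn, fold bool) bool {
	if fold {
		return strings.EqualFold(a.attrType, b.attrType) && strings.EqualFold(a.attrValue, b.attrValue)
	}
	return a.attrType == b.attrType && a.attrValue == b.attrValue
}

// withinBase reports whether dn equals base or lies beneath it. DNs are
// written most-specific first, so base must match the suffix of dn.
func withinBase(base, dn []rdn, fold bool) bool {
	if len(dn) < len(base) {
		return false
	}
	off := len(dn) - len(base)
	for i := range base {
		if !rdnEqual(base[i], dn[off+i], fold) {
			return false
		}
	}
	return true
}

// checkQueryBounds mirrors the out-of-bounds check from the issue and returns
// an error of the same shape when dn falls outside baseDN.
func checkQueryBounds(baseDN, dn string, fold bool) error {
	base, err := parseDN(baseDN)
	if err != nil {
		return err
	}
	target, err := parseDN(dn)
	if err != nil {
		return err
	}
	if !withinBase(base, target, fold) {
		return fmt.Errorf("search for entry with dn=%q would search outside of the base dn specified (dn=%q)", dn, baseDN)
	}
	return nil
}

func main() {
	// Inputs constructed from the DNs quoted in the issue.
	base := "cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG"
	user := "uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org"
	group := "cn=ipausers,cn=groups,cn=accounts,dc=demo1,dc=freeipa,dc=org"

	for _, fold := range []bool{false, true} {
		fmt.Printf("fold=%-5v user:  %v\n", fold, checkQueryBounds(base, user, fold))
		fmt.Printf("fold=%-5v group: %v\n", fold, checkQueryBounds(base, group, fold))
	}
}
```

With fold=false the user DN is rejected exactly as in the log line, even though only the case of the DC components differs; with fold=true it passes, while the group DN under cn=groups is rejected either way because its suffix genuinely differs from the base.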
@germanparente

/assign

@germanparente

Closing this issue that should be fixed in:

https://github.com/openshift/library-go

Issue opened:
openshift/library-go#1755
in ldapquery, validation out of bounds query should be case insensitive as ldap is.
