Incorrect LDAP query behaviour with OR filter involving objectClass test #14256
Labels
bug
Something isn't working
Comments
|
For reference, here's my stalwart config. The user email is stored in the [directory.ldap]
type = "ldap"
url = "ldap://ak-outpost-ldap-outpost.services-authentik.svc"
base-dn = "dc=stalwart,dc=lama-corp,dc=space"
[directory.ldap.bind]
dn = "cn=%{file:/ldap-creds/username}%,ou=users,dc=stalwart,dc=lama-corp,dc=space"
secret = "%{file:/ldap-creds/key}%"
[directory.ldap.bind.auth]
enable = true
dn = "cn=?,ou=users,dc=stalwart,dc=lama-corp,dc=space"
search = false
[directory.ldap.filter]
name = "(&(cn=?)(mailPrimaryAddress=*))"
email = "(|(mailPrimaryAddress=?)(mailAlias=?))"
[directory.ldap.attributes]
name = "cn"
class = "objectClass"
description = "sAMAccountName"
groups = "memberOf"
email = "mailPrimaryAddress"
email-alias = "mailAlias" |
|
I eventually gave up using Authentik's LDAP server and moved to using LLDAP. This handled the queries as expected. Originally I thought it would be simpler to use Authentik's implementation. But as this resulted in an additional container being created anyway it was just as simple to deploy an LLAP container. And it took no more effort to configure Authentik to get its data from LLDAP as it did to configure Authentik's LLDAP server. So whilst I still think there's a bug in the implementation it is no longer blocking me. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
I’m trying to integrate the Stalwart mail server with the LDAP server exposed by Authentik. As part of the configuration I need filters that search across users and groups. So the mail server will run LDAP queries like this, where
Xis a user soobjectClasswill beposixAccount:(&(|(objectClass=posixAccount)(objectClass=posixGroup))(cn=X))This should return an entry with the
cnset toXandobjectClassset toposixAccount. But no entry is returned. However, if I change the query to be this(&(|(objectClass=posixGroup)(objectClass=posixAccount))(cn=X))then the entry is returned. So the OR condition is behaving very oddly. It looks like the first component of the OR is ignored. Which means I can’t write a query that will search across both users and groups. As other Stalwart users have similar filters I presume this is a problem with the Authentik LDAP implementation? Unless they use a different LDAP structure where users and groups are in the same OU? But even if the mapping to OUs is a problem I still wouldn't expect the order of things in an OR to be significant. Isn't an OR normally symmetric...
To Reproduce
Just perform a query on objectClass with an LDAP server provided by Authentik.
Expected behavior
The OR condition should either work symmetrically or generate an error if there is some reason why such a search can't succeed.
Version and Deployment (please complete the following information):
Docker deployment of latest release.
The text was updated successfully, but these errors were encountered: