starred/pocket-id
1
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2025-12-06 09:13:19 +03:00
Code Issues 121 Packages Projects Releases 16 Wiki Activity

🐛 Bug Report: Expand LDAP group membership logic to fully support Active Directory group member DNs with non-username value. #211

New Issue
Closed
opened 2025-10-07 00:06:06 +03:00 by OVERLORD · 10 comments
OVERLORD commented 2025-10-07 00:06:06 +03:00
Owner
Copy Link

Originally created by @abjoseph on GitHub.

Originally assigned to: @kmendell on GitHub.

Reproduction steps

I have an Active Directory instance on-prem that I currently use to centrally manage users and groups within my environment.

Expected behavior

I expect that Pocket ID, once configured for LDAP Sync. is able to determine user group membership and correctly reflect that in the "User Group" tab in the Admin UI.

Actual Behavior

Pocket ID successfully creates the desired groups but is not able to correctly associate groups with the corresponding queried users.

Image

Version and Environment

Expand the LDAP group membership logic originally implemented as part of https://github.com/pocket-id/pocket-id/issues/234 to ALSO support Active Directory's Distinguished Name (DN) Format for the group member value. e.g. CN=John Doe,OU=Users,OU=Security,DC=Example,DC=com where the CN is usually the user's "Full Name" if populated and likely would not match the value retrieved from the username attribute, which in my case is sAMAccountName.

The currently implemented assumption, which is not valid for the AD scenario I described above, can be found in file backend/internal/service/ldap_service.go at line 110

Code Snippet of the line referenced above show below:

Image

Log Output

No relevant logs, as an FYI - Troubleshooting surrounding LDAP sync would benefit greatly from improved/more verbose logging.

Originally created by @abjoseph on GitHub. Originally assigned to: @kmendell on GitHub. ### Reproduction steps I have an Active Directory instance on-prem that I currently use to centrally manage users and groups within my environment. ### Expected behavior I expect that Pocket ID, once configured for LDAP Sync. is able to determine user group membership and correctly reflect that in the "User Group" tab in the Admin UI. ### Actual Behavior Pocket ID successfully creates the desired groups but is not able to correctly associate groups with the corresponding queried users. ![Image](https://github.com/user-attachments/assets/6626879e-15f0-4356-86c7-6e9dc3922948) ### Version and Environment Expand the LDAP group membership logic originally implemented as part of https://github.com/pocket-id/pocket-id/issues/234 to **_ALSO_** support Active Directory's _Distinguished Name_ (DN) Format for the group member value. e.g. `CN=John Doe,OU=Users,OU=Security,DC=Example,DC=com` where the `CN` is usually the user's "Full Name" if populated and likely would not match the value retrieved from the username attribute, which in my case is `sAMAccountName`. The currently implemented assumption, which is not valid for the AD scenario I described above, can be found in file [`backend/internal/service/ldap_service.go at line 110`](https://github.com/kmendell/pocket-id/blob/72baad57270035c0f2a08d9b0ca8d2bd3754ff9f/backend/internal/service/ldap_service.go#L110) #### Code Snippet of the line referenced above show below: ![Image](https://github.com/user-attachments/assets/96b9eecf-b400-4b8e-9aa2-d60a34f3319c) ### Log Output No relevant logs, as an FYI - Troubleshooting surrounding LDAP sync would benefit greatly from improved/more verbose logging.
OVERLORD added the bug label 2025-10-07 00:06:06 +03:00
OVERLORD commented 2025-10-07 00:06:08 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

@abjoseph Can you try this image ghcr.io/pocket-id/pocket-id:ad-fix and see if its fixed? It will use the ldap user attribute to compare for groups now instead of hardcoding the uid attribute. So make sure you have the sAMAccountName set for that.

@kmendell commented on GitHub: @abjoseph Can you try this image `ghcr.io/pocket-id/pocket-id:ad-fix` and see if its fixed? It will use the ldap user attribute to compare for groups now instead of hardcoding the uid attribute. So make sure you have the sAMAccountName set for that.
OVERLORD commented 2025-10-07 00:06:08 +03:00
Author
Owner
Copy Link

@abjoseph commented on GitHub:

@kmendell Thanks for working on this, unfortunately I was not able to test the change as I encountered issues with the image.

  1. The listening port seems to have changed from 80 to 1411.

    Image

  2. Also, I don't think even that port is working correctly as the "Login" page no longer works and no help logs are shown in the terminal.

    Image

@abjoseph commented on GitHub: @kmendell Thanks for working on this, unfortunately I was not able to test the change as I encountered issues with the image. 1. The listening port seems to have changed from 80 to 1411. ![Image](https://github.com/user-attachments/assets/b847330e-6be9-47e4-8704-a56f784b3dc2) 2. Also, I don't think even that port is working correctly as the "Login" page no longer works and no help logs are shown in the terminal. ![Image](https://github.com/user-attachments/assets/652ae71a-1381-4854-8587-99514c598114)
OVERLORD commented 2025-10-07 00:06:08 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

Ahh okay understood, Ill look into this.

@kmendell commented on GitHub: Ahh okay understood, Ill look into this.
OVERLORD commented 2025-10-07 00:06:09 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

If you use one of the search filters to base it off of the sAMAccountName does it still not work? The where lines your referencing are for the pocket-id database nothing to do with LDAP specificially

@kmendell commented on GitHub: If you use one of the search filters to base it off of the sAMAccountName does it still not work? The where lines your referencing are for the pocket-id database nothing to do with LDAP specificially
OVERLORD commented 2025-10-07 00:06:09 +03:00
Author
Owner
Copy Link

@abjoseph commented on GitHub:

If you use one of the search filters to base it off of the sAMAccountName does it still not work? The where lines your referencing are for the pocket-id database nothing to do with LDAP specificially

Hello @kmendell, I'm already using a search filter for both users and groups, I know they're working since both users and groups are correctly populated in the Admin UI. The issue here is not the search filter, it's with the comparison logic on line 110 and the assumption it's based on.

E.g.

Given a user with a sAMAccountName of jdoe anda a DN value of CN=John Doe,OU=Users,OU=Security,DC=Example,DC=com the logic on line 107 singleMember := strings.Split(strings.Split(member, "=")[1], ",")[0] would yield a result of John Doe. However, following the user search and creation bit, John Doe would have been inserted into the database with a username value of jdoe.

Returning to line 110, that bit of code would result in a comparison of singleMember == username where singleMbember is John Doe and username is jdoe. The comparison fails and the group is never updated with the user that should have been marked as a member.

@abjoseph commented on GitHub: > If you use one of the search filters to base it off of the sAMAccountName does it still not work? The where lines your referencing are for the pocket-id database nothing to do with LDAP specificially Hello @kmendell, I'm already using a search filter for both users and groups, I know they're working since both users and groups are correctly populated in the Admin UI. The issue here is not the search filter, it's with the comparison logic on line 110 and the assumption it's based on. E.g. Given a user with a sAMAccountName of `jdoe` anda a DN value of `CN=John Doe,OU=Users,OU=Security,DC=Example,DC=com` the logic on line 107 `singleMember := strings.Split(strings.Split(member, "=")[1], ",")[0]` would yield a result of `John Doe`. However, following the user search and creation bit, `John Doe` would have been inserted into the database with a **_username_** value of `jdoe`. Returning to line 110, that bit of code would result in a comparison of `singleMember == username` where singleMbember is `John Doe` and username is `jdoe`. The comparison fails and the group is never updated with the user that should have been marked as a member.
OVERLORD commented 2025-10-07 00:06:10 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

hmm i dont have an AD Setup to test with but in theory this should work... Can you repull the image and try again? I made somemore changes taht i hope will fix it..

@kmendell commented on GitHub: hmm i dont have an AD Setup to test with but in theory this should work... Can you repull the image and try again? I made somemore changes taht i hope will fix it..
OVERLORD commented 2025-10-07 00:06:10 +03:00
Author
Owner
Copy Link

@abjoseph commented on GitHub:

@stonith404 @kmendell Ok, so I successfully migrated to v1.0.0 and then switched to the "ad-fix" image.

I performed the following steps:

  1. First, I Unchecked, Keep disabled users from LDAP. and then made some changes to the queries such that no users or groups would be found.
  2. I saved the configuration and clicked the Sync now button.
  3. I then verified both the pre-existing users and groups were removed.
  4. I then reverted the changes to the queries, saved the configuration and clicked Sync now.
  5. As expected, both the users and groups were re-created however, the Groups still do not reflect the user memberships of the AD users.

An aside: I'm not sure if it is security related or not but the logs do not show any errors or output related to the LDAP sync function.

Below is my LDAP configuration for context:

Image

@abjoseph commented on GitHub: @stonith404 @kmendell Ok, so I successfully migrated to v1.0.0 and then switched to the "ad-fix" image. I performed the following steps: 1. First, I Unchecked, `Keep disabled users from LDAP.` and then made some changes to the queries such that no users or groups would be found. 2. I saved the configuration and clicked the `Sync now` button. 3. I then verified both the pre-existing users and groups were removed. 4. I then reverted the changes to the queries, saved the configuration and clicked `Sync now`. 5. As expected, both the users and groups were re-created however, the Groups still do not reflect the user memberships of the AD users. _**An aside**: I'm not sure if it is security related or not but the logs do not show any **errors** or **output** related to the LDAP sync function._ ### Below is my LDAP configuration for context: ![Image](https://github.com/user-attachments/assets/d8f1dabf-bc76-40ff-8f2a-d804c967507b)
OVERLORD commented 2025-10-07 00:06:11 +03:00
Author
Owner
Copy Link

@abjoseph commented on GitHub:

hmm i dont have an AD Setup to test with but in theory this should work... Can you repull the image and try again? I made somemore changes taht i hope will fix it..

Those last changes fixed it!!, see screenshot below. Thank you again for the time and effort. FYI - I quite like this project and OSS in general; I also have a pretty extensive setup so if you need someone to be an extra pair of hands to test things, let me know.

Image

@abjoseph commented on GitHub: > hmm i dont have an AD Setup to test with but in theory this should work... Can you repull the image and try again? I made somemore changes taht i hope will fix it.. Those last changes fixed it!!, see screenshot below. Thank you again for the time and effort. FYI - I quite like this project and OSS in general; I also have a pretty extensive setup so if you need someone to be an extra pair of hands to test things, let me know. ![Image](https://github.com/user-attachments/assets/7cc09b2b-d6a0-4067-af10-7bf3ce711231)
OVERLORD commented 2025-10-07 00:06:11 +03:00
Author
Owner
Copy Link

@abjoseph commented on GitHub:

@stonith404 Completely missed that, I'll do the migration steps first and report back.

@abjoseph commented on GitHub: @stonith404 Completely missed that, I'll do the migration steps first and report back.
OVERLORD commented 2025-10-07 00:06:11 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

@abjoseph Oh, you have to upgrade to v1.0.0 first. This release contains breaking changes so make sure to follow the migration docs.

@stonith404 commented on GitHub: @abjoseph Oh, you have to upgrade to `v1.0.0` first. This release contains breaking changes so make sure to follow the [migration docs](https://pocket-id.org/docs/setup/migrate-to-v1/).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
breaking
bug
documentation
feature
needs more upvotes
open to pull requests
pull-request
Mirrored from GitHub Pull Request
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#211
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?