  1. Artifactory Binary Repository
  2. RTFACT-8011

Searching group queries should not always use UID for the Group Member Attribute

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 4.0.2, 4.11.0
    • Fix Version/s: 4.1.0
    • Component/s: LDAP
    • Labels:
      None

      Description

      As a part of this commit, we have added the ability to filter the groups by memberUid OR fullDN.

      For example, today, when using the STATIC group strategy and searching for a group filtered by username, Artifactory sends a query similar to the one below:
      (&(objectClass=posixGroup)(|(memberUid=cn=shay,ou=myOU,ou=Users,dc=jfrog)(memberUid=shay)))

      This ability (the OR memberUid=uid) allows Artifactory to support posixGroup, because a posixGroup may list its members by their ID instead of by their full distinguished name.

      The issue is that some LDAP servers do not accept the search filter 'member=shay' (uid value), even when it is only one part of the OR search filter, so the LDAP server answers with error 34 (34 Invalid DN syntax). Of course, some LDAP servers are able to ignore this and use the other part of the OR term, but not all of them.

      Instead of creating the OR filter by default, Artifactory should check whether the inserted filter includes 'objectClass=posixGroup', and only in this case send the 'Group Member Attribute' with the user ID instead of the full DN.
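
The proposed check, sketched in Python as an added example (not Artifactory's code; the function and parameter names are hypothetical). The uid alternative is OR-ed in only when the configured filter includes objectClass=posixGroup, and both values are escaped per RFC 4515 before they are placed in the filter.

```python
# Added illustration; all names here are hypothetical, not Artifactory's API.

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_posix_group_filter(group_filter: str) -> bool:
    """True if the configured filter includes objectClass=posixGroup.

    Attribute names and this value match case-insensitively in LDAP, so the
    comparison ignores case and whitespace. A plain substring test is a
    simplification of real filter parsing.
    """
    normalized = "".join(group_filter.split()).lower()
    return "objectclass=posixgroup" in normalized


def build_group_search_filter(group_filter: str, member_attr: str,
                              user_dn: str, user_id: str) -> str:
    """Build the group-membership search filter for one user."""
    by_dn = f"({member_attr}={escape_filter_value(user_dn)})"
    if is_posix_group_filter(group_filter):
        # posixGroup may list members by bare uid, so accept either form.
        by_uid = f"({member_attr}={escape_filter_value(user_id)})"
        member_clause = f"(|{by_dn}{by_uid})"
    else:
        # DN-syntax member attributes: sending a bare uid can trigger
        # error 34 (Invalid DN syntax) on some servers, so send the DN only.
        member_clause = by_dn
    base = group_filter.strip()
    if not base.startswith("("):
        base = f"({base})"
    return f"(&{base}{member_clause})"


if __name__ == "__main__":
    dn = "cn=shay,ou=myOU,ou=Users,dc=jfrog"  # DN taken from the query above
    print(build_group_search_filter("(objectClass=posixGroup)", "memberUid", dn, "shay"))
    # groupOfNames / member are constructed sample values for the non-posix case
    print(build_group_search_filter("(objectClass=groupOfNames)", "member", dn, "shay"))
```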


              People

              • Assignee:
                shayb Shay Bagants
                Reporter:
                shayb Shay Bagants