L3 - Default Environment (Required on creation):
camunda-runtime-7.17.1-ee
LDAP Authentication
Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket):
I am trying to filter the list of LDAP groups in the group admin dashboard page using the "LIKE" operator. No matter what I put in, no groups ever show up in the results. I can only find a group using = and an exact match.
Steps to reproduce (Required on creation):
I was able to reproduce the bug reported by this customer following these steps (note I used a public LDAP: https://www.forumsys.com/2022/05/10/online-ldap-test-server/) :
- Connect Camunda to an LDAP server (my default.yml is below with a test ldap setup)
- Log in with any user that has admin access (in my case newton/password)
- Go to Groups
- Try to search using 'Name LIKE Math' - no results returned
Are you able to confirm this bug?
camunda.bpm:
run:
cors:
enabled: true
allowed-origins: "*"
example:
enabled: true
ldap:
enabled: true
server-url: ldap://ldap.forumsys.com:389
administrator-group-name: camunda-admin
accept-untrusted-certificates: true
manager-dn: cn=read-only-admin,dc=example,dc=com
manager-password: password
base-dn: dc=example,dc=com
user-search-base: ''
user-search-filter: (objectclass=inetOrgPerson)
user-id-attribute: uid
user-firstname-attribute: cn
user-lastname-attribute: sn
user-email-ttribute: mail
user-password-attribute: userpassword
group-search-base: ''
group-search-filter: (objectclass=groupOfUniqueNames)
group-id-attribute: cn
group-name-attribute: cn
group-member-attribute: uniqueMember
sort-control-supported: false
Observed Behavior (Required on creation):
No groups are matched by the search
Expected behavior (Required on creation):
Groups should be found using LIKE
Root Cause (Required on prioritization):
We are sending a request with "%<searchString>%" to the backend. This is fine for DB-based groups. For LDAP however, we would have to use "*" instead of "%".
Solution Ideas (Optional):
- We make the webapps aware of what the wildcard character of the identity provider is
- We let the LDAP identity provider convert % to * in the like query parameters of user and group queries
- The web apps should not send the wildcarded LIKE String including "%" but rather the raw input from users. The backend has to take care of adding the right LIKE wildcards. => Careful: this would probably break the API
Hints (optional):
This is the controller panel for Smart Panels app
[CAM-14691] LIKE search does not return results for LDAP Groups
| Link | New: This issue is related to SUPPORT-13729 [ SUPPORT-13729 ] |
| Labels | Original: camunda-runtime | New: SUPPORT |
| Attachment | Original: Camunda Group Like Not working.docx [ 52286 ] |
| Description |
Original:
h3. Environment (Required on creation):
camunda-runtime-7.17.1-ee LDAP Authentication h3. Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket): I am trying to filter the list of LDAP groups in the group admin dashboard page using the "LIKE" operator. No matter what I put in, no groups ever show up in the results. I can only find a group using = and an exact match. h3. Steps to reproduce (Required on creation): I was able to reproduce the bug reported by this customer following these steps (note I used a public LDAP: [https://www.forumsys.com/2022/05/10/online-ldap-test-server/)] : # Connect Camunda to an LDAP server (my default.yml is below with a test ldap setup) # Log in with any user that has admin access (in my case newton/password) # Go to Groups # Try to search using 'Name LIKE Math' - no results returned Are you able to confirm this bug? ---- camunda.bpm: run: cors: enabled: true allowed-origins: "*" example: enabled: true ldap: enabled: true server-url: ldap://ldap.forumsys.com:389 administrator-group-name: camunda-admin accept-untrusted-certificates: true manager-dn: cn=read-only-admin,dc=example,dc=com manager-password: password base-dn: dc=example,dc=com user-search-base: '' user-search-filter: (objectclass=inetOrgPerson) user-id-attribute: uid user-firstname-attribute: cn user-lastname-attribute: sn user-email-ttribute: mail user-password-attribute: userpassword group-search-base: '' group-search-filter: (objectclass=groupOfUniqueNames) group-id-attribute: cn group-name-attribute: cn group-member-attribute: uniqueMember sort-control-supported: false h3. Observed Behavior (Required on creation): No groups are matched by the search h3. Expected behavior (Required on creation): Groups should be found using LIKE h3. Root Cause (Required on prioritization): We are sending a request with "%<searchString>%" to the backend. This is fine for DB-based groups. For LDAP however, we would have to use "*" instead of "%". The web apps should not send the wildcarded LIKE String including "%" but rather the raw input from users. The backend has to take care of adding the right LIKE wildcards. h3. Solution Ideas (Optional): h3. Hints (optional): |
New:
h3. Environment (Required on creation):
camunda-runtime-7.17.1-ee LDAP Authentication h3. Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket): I am trying to filter the list of LDAP groups in the group admin dashboard page using the "LIKE" operator. No matter what I put in, no groups ever show up in the results. I can only find a group using = and an exact match. h3. Steps to reproduce (Required on creation): I was able to reproduce the bug reported by this customer following these steps (note I used a public LDAP: [https://www.forumsys.com/2022/05/10/online-ldap-test-server/)] : # Connect Camunda to an LDAP server (my default.yml is below with a test ldap setup) # Log in with any user that has admin access (in my case newton/password) # Go to Groups # Try to search using 'Name LIKE Math' - no results returned Are you able to confirm this bug? ---- camunda.bpm: run: cors: enabled: true allowed-origins: "*" example: enabled: true ldap: enabled: true server-url: ldap://ldap.forumsys.com:389 administrator-group-name: camunda-admin accept-untrusted-certificates: true manager-dn: cn=read-only-admin,dc=example,dc=com manager-password: password base-dn: dc=example,dc=com user-search-base: '' user-search-filter: (objectclass=inetOrgPerson) user-id-attribute: uid user-firstname-attribute: cn user-lastname-attribute: sn user-email-ttribute: mail user-password-attribute: userpassword group-search-base: '' group-search-filter: (objectclass=groupOfUniqueNames) group-id-attribute: cn group-name-attribute: cn group-member-attribute: uniqueMember sort-control-supported: false h3. Observed Behavior (Required on creation): No groups are matched by the search h3. Expected behavior (Required on creation): Groups should be found using LIKE h3. Root Cause (Required on prioritization): We are sending a request with "%<searchString>%" to the backend. This is fine for DB-based groups. For LDAP however, we would have to use "*" instead of "%". h3. Solution Ideas (Optional): * We make the webapps aware of what the wildcard character of the identity provider is * We let the LDAP identity provider convert % to * in the like query parameters of user and group queries * The web apps should not send the wildcarded LIKE String including "%" but rather the raw input from users. The backend has to take care of adding the right LIKE wildcards. => *Careful*: this would probably break the API h3. Hints (optional): |
Hey Jeremy,
Thanks for your input. I think depending on which identity provider you use, it's either that groups are served from LDAP or DB, never both. Or am I misunderstanding your suggestion?
Cheers,
Thorben
Let's also check that the corresponding attributes support wildcard search (or what happens if they do not), e.g. see https://stackoverflow.com/questions/32829104/ldap-query-with-wildcard
| Remote Link | New: This issue links to "Page (camunda confluence)" [ 17515 ] |
Apologies for the delayed response. I've been away for a vacation.
Regarding the groups searching both LDAP and "regular" groups. I was mistaken. You are correct. I had mistakenly believed some test groups we had created prior to switching to LDAP were still in the list of groups, but they are not.
Regarding the attribute wildcard I agree completely.
Thanks!
I'd like to offer another solution idea, since it is possible to have both LDAP groups and Local DB groups, perhaps the LIKE should try both and concatenate the findings?