
Sub-search needs quoting if term contains spaces #707

@hubkos

Hi,
First, thanks for this great tool; I was looking for something like it for a long time. I was using pg_ldap_sync before, which was acceptable, but I'm not so fond of Ruby.

Now I am trying to move to ldap2pg 5.9 and have this problem:
when searching for the sAMAccountName of group members, the sub-query executed for each member doesn't find anything.
ldap2pg -v gives this output:

2025-03-12 10:59:30,456 INFO:  ldap2pg.manager: Query LDAP for users.
2025-03-12 10:59:30,456 INFO:  ldap2pg.manager: Querying LDAP DC=example,DC=com... (cn=DB-*...
2025-03-12 10:59:30,456 DEBUG:  ldap2pg.ldap: Doing: ldapsearch -x -D 'CN=ldapqueryuser,OU=Users,DC=example,DC=com' -W -b DC=example,DC=com -s sub '(cn=DB-*)' member
2025-03-12 10:59:30,459 DEBUG:  ldap2pg.manager: Got 4 entries from LDAP.
2025-03-12 10:59:30,459 DEBUG:  ldap2pg.manager: Discarding ref: ['ldaps://DomainDnsZones.example.com/D.
2025-03-12 10:59:30,459 INFO:  ldap2pg.manager: Sub-querying LDAP CN=User Name,OU=U...
2025-03-12 10:59:30,459 DEBUG:  ldap2pg.ldap: Doing: ldapsearch -x -D 'CN=ldapqueryuser,OU=Users,DC=example,DC=com' -W -b CN=User Name,OU=Users,DC=example,DC=com -s sub '(objectClass=*)' sAMAccountName

Output of ldapsearch from DEBUG line:

$ ldapsearch -H ldaps://example.com -w $LDAPPASSWORD -x -D 'CN=ldapqueryuser,OU=Users,DC=example,DC=com' -b CN=User Name,OU=Users,DC=example,DC=com -s sub '(objectClass=*)' sAMAccountName
# extended LDIF
#
# LDAPv3
# base <CN=User> with scope subtree
# filter: Name,OU=Us
# requesting: User,OU=Users,DC=example,DC=com (objectClass=*) sAMAccountName
#
ldap_search_ext: Bad search filter (-7)

It's clear that the base was cut at the first space, and all following parameters were shifted left.

When I quote the base, the search is correct and I get the desired output:

$ ldapsearch -H ldaps://example.com -w $LDAPPASSWORD -x -D 'CN=ldapqueryuser,OU=Users,DC=example,DC=com' -b 'CN=User Name,OU=Users,DC=example,DC=com' -s sub '(objectClass=*)' sAMAccountName
# extended LDIF
#
# LDAPv3
# base <CN=User Name,OU=Users,DC=example,DC=com> with scope subtree
# filter: (objectClass=*)
# requesting: sAMAccountName
#

The corresponding sync_map part of ldap2pg.yml:

- description: "Query LDAP for users."
  ldapsearch:
    base: DC=example,DC=com
    filter: "(cn=CN=DB-*)"
  role:
    name: '"{member.sAMAccountName}"'
    options: LOGIN
    parent:
    - ad_users

Just asking if you can fix it :)

Greetings,
Hubert
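The mechanism behind the report, as an added example that is not part of the issue and not ldap2pg's own code: a small Python model of how the "Doing: ldapsearch ..." debug line is rendered with and without shell quoting, and how a POSIX shell plus ldapsearch's option handling would then assign the arguments. The bind DN, member DN and option table are constructed assumptions modelled on the log lines above.

```python
import shlex

# Constructed values modelled on the issue; not taken from ldap2pg's own source.
BIND_DN = "CN=ldapqueryuser,OU=Users,DC=example,DC=com"
MEMBER_DN = "CN=User Name,OU=Users,DC=example,DC=com"  # DN containing a space

# ldapsearch options that consume a following value, versus bare flags
VALUE_OPTS = {"-D", "-b", "-s", "-H", "-w"}
FLAG_OPTS = {"-x", "-W"}


def render_ldapsearch(base, filt, attrs, quote):
    """Render the 'Doing: ldapsearch ...' line for one sub-query.

    quote=False reproduces the defective rendering from the issue (the base DN
    is written bare); quote=True shell-quotes every argument with shlex.quote.
    """
    argv = ["ldapsearch", "-x", "-D", BIND_DN, "-W", "-b", base, "-s", "sub", filt, *attrs]
    return " ".join(shlex.quote(a) if quote else a for a in argv)


def parse_as_ldapsearch(cmdline):
    """Split the line as a POSIX shell would, then assign arguments the way
    ldapsearch does: options first, then the filter, then requested attributes."""
    argv = shlex.split(cmdline)[1:]  # drop the program name
    opts, positional, i = {}, [], 0
    while i < len(argv):
        tok = argv[i]
        if tok in VALUE_OPTS:
            opts[tok] = argv[i + 1]
            i += 2
        elif tok in FLAG_OPTS:
            i += 1
        else:
            positional.append(tok)
            i += 1
    filt = positional[0] if positional else None
    return {
        "base": opts.get("-b"),
        "filter": filt,
        "attrs": positional[1:],
        # ldapsearch rejects an unparenthesised filter ("Bad search filter")
        "filter_ok": bool(filt) and filt.startswith("(") and filt.endswith(")"),
    }


if __name__ == "__main__":
    for quote in (False, True):
        line = render_ldapsearch(MEMBER_DN, "(objectClass=*)", ["sAMAccountName"], quote)
        print(line)
        print(parse_as_ldapsearch(line))
```

With quote=False the base collapses to CN=User and the rest of the DN becomes the filter, which is exactly the "Bad search filter (-7)" shown above; with quote=True every argument lands where ldapsearch expects it.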
