Searching multiple base dn for users

[matrush900]

We are using an older version of Mattermost-LDAP, I'm not sure where to find the version number. Within the config_ldap.php file we had been using
$base = "cn=Users,dc=WAN,dc=BITS"
$filter = "objectClass=Person"

Now, our AD admins have started to split users out of the cn=Users,dc=WAN,cd=BITS OU into OUs like cn=East,dc=WAN,dc=BITS and cn=West,dc=WAN,dc=BITS OUs, so our original $base variable doesn't work anymore. I tried to change $base to "dc=WAN,dc=BITS", but I get a "LoginByOAuth: Could not parse auth data out of gitlab user object" error. Is there a remedy to this error, or can I search multiple $base OUs?

[Crivaledaz]

Hi,

Unfortunately LDAP with many user branchs are always difficult to handle in applications.

When you sign in Mattermost-LDAP, the Oauth server creates an LDAP filter by concatenating your username with the filter defined in config_ldap.php (line 111-115 in LDAP.PHP). Then, it runs a LDAP search on your LDAP server from the base DN defined in config_ldap.php, restricting the output with the previous filter.

Theoretically, this should be enough to cover your usecase, because LDAP search are recursive by default and search are performed in all child branches. In this case, you just need to define the base DN to the most common base for all your users. So in your example, you must have $base = "dc=WAN,dc=BITS" in config_ldap.php file.

However, the LDAP server can block recursive search. In this case I have no solution for you, sorry. For now, Mattermost-LDAP can not perform multiple search or use a multiple base DN. I think this change need a lot of work, and I don't plan to improve this at the moment.

You can check if the recursive LDAP search is working by using the following Bash command from the Oauth server :

ldapsearch -H ldap://<ldap_host>:<ldap_port> -b "<ldap_base_dn => dc=WAN,dc=BITS>" -D "<ldap_bind_dn>" -W '<dap_search_attribute>: <username>'

Note : The prompt will ask you to enter the bind user's password.

If you get username data, then recursive search on your LDAP server is not blocked. You can also use the ldap.php file available at the root of the repository to perform some tests with PHP.

Another solution could be to create a proxy LDAP server between Mattermost-LDAP and the AD server. The proxy could have a simple structure with all users in the same branch synchronized from the AD server, and authentication could be delegated to the AD server via SASL. However, this need work on your side to set up the proxy LDAP server, but could be useful for other apps with limited LDAP support.

I hope this will help solve your issue, keep me in touch.

Regards

[ghost]

Hi.
Faced the same problem. My AD has several OUs for users. Without specifying the OU in the base_dn, I also got an error. That being said, ldap_search worked fine.
The problem was solved by adding the line to oauth/LDAP/LDAP.php
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);