split LDAP filters (#399)

* split LDAP filters Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * use uid attribute for testing Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2026-01-25 14:30:28 -05:00 · 2020-07-27 13:47:39 +02:00
parent ef92a0b3ff
commit 5e5ae356df
10 changed files with 66 additions and 26 deletions
--- a/.drone.star
+++ b/.drone.star
@@ -58,7 +58,7 @@ def apiTests(ctx, coreBranch = 'master', coreCommit = ''):
          'REVA_LDAP_BIND_DN': 'cn=admin,dc=owncloud,dc=com',
          'REVA_LDAP_BIND_PASSWORD': 'admin',
          'REVA_LDAP_BASE_DN': 'dc=owncloud,dc=com',
-          'REVA_LDAP_SCHEMA_DISPLAYNAME': 'displayName',
+          'REVA_LDAP_SCHEMA_UID': 'uid',
          'REVA_STORAGE_HOME_DATA_TEMP_FOLDER': '/srv/app/tmp/',
          'REVA_STORAGE_OWNCLOUD_DATADIR': '/srv/app/tmp/reva/data',
          'REVA_STORAGE_OC_DATA_TEMP_FOLDER': '/srv/app/tmp/',
@@ -272,7 +272,7 @@ def testing(ctx):
          'REVA_LDAP_BIND_DN': 'cn=admin,dc=owncloud,dc=com',
          'REVA_LDAP_BIND_PASSWORD': 'admin',
          'REVA_LDAP_BASE_DN': 'dc=owncloud,dc=com',
-          'REVA_LDAP_SCHEMA_DISPLAYNAME': 'displayName',
+          'REVA_LDAP_SCHEMA_UID': 'uid',
          'REVA_STORAGE_HOME_DATA_TEMP_FOLDER': '/srv/app/tmp/',
          'REVA_STORAGE_OWNCLOUD_DATADIR': '/srv/app/tmp/reva/data',
          'REVA_STORAGE_OC_DATA_TEMP_FOLDER': '/srv/app/tmp/',
--- a/changelog/unreleased/update-ldap-config.md
+++ b/changelog/unreleased/update-ldap-config.md
@@ -0,0 +1,12 @@
+Bugfix: Update LDAP filters
+
+With the separation of use and find filters we can now use a filter that taken into account a users uuid as well as his username. This is necessary to make sharing work with the new account service which assigns accounts an immutable account id that is different from the username. Furthermore, the separate find filters now allows searching users by their displayname or email as well.
+
+
+```
+userfilter = "(&(objectclass=posixAccount)(|(ownclouduuid={{.OpaqueId}})(cn={{.OpaqueId}})))"
+findfilter = "(&(objectclass=posixAccount)(|(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)))"
+```
+
+https://github.com/owncloud/ocis-reva/pull/399
+https://github.com/cs3org/reva/pull/996
--- a/changelog/unreleased/update-reva-to-20200724.md
+++ b/changelog/unreleased/update-reva-to-20200724.md
@@ -0,0 +1,13 @@
+Enhancement: update reva to v0.1.1-0.20200724135750-b46288b375d6
+
+- Update reva to v0.1.1-0.20200724135750-b46288b375d6
+- Split LDAP user filters (reva/#996)
+- meshdirectory: Add invite forward API to provider links (reva/#1000)
+- OCM: Pass the link to the meshdirectory service in token mail (reva/#1002)
+- Update github.com/go-ldap/ldap to v3 (reva/#1004)
+
+https://github.com/owncloud/ocis-reva/pull/399
+https://github.com/cs3org/reva/pull/996
+https://github.com/cs3org/reva/pull/1000
+https://github.com/cs3org/reva/pull/1002
+https://github.com/cs3org/reva/pull/1004
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/owncloud/ocis-reva
 go 1.13

 require (
-	github.com/cs3org/reva v0.1.1-0.20200722125752-6dea7936f9d1
+	github.com/cs3org/reva v0.1.1-0.20200724135750-b46288b375d6
 	github.com/gofrs/uuid v3.3.0+incompatible
 	github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e // indirect
 	github.com/haya14busa/goverage v0.0.0-20180129164344-eec3514a20b5 // indirect
@@ -19,5 +19,7 @@ require (
 	github.com/restic/calens v0.2.0
 	github.com/spf13/viper v1.6.1
 	github.com/uber/jaeger-client-go v2.20.1+incompatible // indirect
+	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
 	gopkg.in/ini.v1 v1.51.1 // indirect
+	gopkg.in/ldap.v2 v2.5.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -34,6 +34,7 @@ github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocm
 github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8=
 github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
 github.com/Azure/go-autorest/tracing v0.1.0/go.mod h1:ROEEAFwXycQw7Sn3DXNtEedEvdeRAgDr0izn4z5Ij88=
+github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
@@ -100,6 +101,7 @@ github.com/aws/aws-sdk-go v1.32.11/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZve
 github.com/aws/aws-sdk-go v1.32.13/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.33.1/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.33.7/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
+github.com/aws/aws-sdk-go v1.33.11/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-xray-sdk-go v0.9.4/go.mod h1:XtMKdBQfpVut+tJEwI7+dJFRxxRdxHDyVNp2tHXRq04=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
 github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg=
@@ -182,6 +184,8 @@ github.com/cs3org/reva v0.1.1-0.20200722082002-1e57c4994e26 h1:F4Rq8kRwXvaQHDlSb
 github.com/cs3org/reva v0.1.1-0.20200722082002-1e57c4994e26/go.mod h1:yPtGZIud+QVWLN7lxPwZLNj2/BCx3xu2DNUcTJE1Mkk=
 github.com/cs3org/reva v0.1.1-0.20200722125752-6dea7936f9d1 h1:f/XZNSkCpS0ndLzMq/IRA0k2P1B/04Qvgf7s4qtQoGQ=
 github.com/cs3org/reva v0.1.1-0.20200722125752-6dea7936f9d1/go.mod h1:yPtGZIud+QVWLN7lxPwZLNj2/BCx3xu2DNUcTJE1Mkk=
+github.com/cs3org/reva v0.1.1-0.20200724135750-b46288b375d6 h1:xTJzgtusJvbz08fYVnxlxNu4BhyGCS46uwiD4QrYnOI=
+github.com/cs3org/reva v0.1.1-0.20200724135750-b46288b375d6/go.mod h1:qwW0YfYf6JaAcTxBXsPpa8JIn2wHxqt5j/bjH7myI1k=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/decker502/dnspod-go v0.2.0/go.mod h1:qsurYu1FgxcDwfSwXJdLt4kRsBLZeosEb9uq4Sy+08g=
@@ -222,6 +226,7 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/go-acme/lego/v3 v3.1.0/go.mod h1:074uqt+JS6plx+c9Xaiz6+L+GBb+7itGtzfcDM2AhEE=
 github.com/go-acme/lego/v3 v3.3.0/go.mod h1:iGSY2vQrvQs3WezicSB/oVbO2eCrD88dpWPwb1qLqu0=
+github.com/go-asn1-ber/asn1-ber v1.5.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-bindata/go-bindata v3.1.1+incompatible/go.mod h1:xK8Dsgwmeed+BBsSy2XTopBn/8uK2HWuGSnA11C3Joo=
 github.com/go-chi/chi v4.0.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
 github.com/go-cmd/cmd v1.0.5/go.mod h1:y8q8qlK5wQibcw63djSl/ntiHUHXHGdCkPk0j4QeW4s=
@@ -230,6 +235,7 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-ini/ini v1.44.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-ldap/ldap/v3 v3.2.3/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
 github.com/go-log/log v0.1.0/go.mod h1:4mBwpdRMFLiuXZDCwU2lKQFsoSCo72j3HqBK9d81N2M=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
@@ -459,6 +465,7 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
@@ -638,6 +645,7 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
 github.com/mitchellh/mapstructure v1.3.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.3.2 h1:mRS76wmkOn3KkKAyXDu42V+6ebnXWIztFSYGN7GeoRg=
 github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.0 h1:9D+8oIskB4VJBN5SFlmc27fSlIBZaov1Wpk/IfikLNY=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -927,6 +935,7 @@ golang.org/x/crypto v0.0.0-20191108234033-bd318be0434a/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200117160349-530e935923ad/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200320181102-891825fb96df h1:lDWgvUvNnaTnNBc/dwOty86cFeKoKWbwy2wQj0gIxbU=
 golang.org/x/crypto v0.0.0-20200320181102-891825fb96df/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
--- a/pkg/command/authbasic.go
+++ b/pkg/command/authbasic.go
@@ -97,8 +97,7 @@ func AuthBasic(cfg *config.Config) *cli.Command {
 										"hostname":      cfg.Reva.LDAP.Hostname,
 										"port":          cfg.Reva.LDAP.Port,
 										"base_dn":       cfg.Reva.LDAP.BaseDN,
-										"userfilter":    cfg.Reva.LDAP.UserFilter,
-										"groupfilter":   cfg.Reva.LDAP.GroupFilter,
+										"loginfilter":   cfg.Reva.LDAP.LoginFilter,
 										"bind_username": cfg.Reva.LDAP.BindDN,
 										"bind_password": cfg.Reva.LDAP.BindPassword,
 										"idp":           cfg.Reva.LDAP.IDP,
--- a/pkg/command/users.go
+++ b/pkg/command/users.go
@@ -97,6 +97,7 @@ func Users(cfg *config.Config) *cli.Command {
 										"port":          cfg.Reva.LDAP.Port,
 										"base_dn":       cfg.Reva.LDAP.BaseDN,
 										"userfilter":    cfg.Reva.LDAP.UserFilter,
+										"findfilter":    cfg.Reva.LDAP.FindFilter,
 										"groupfilter":   cfg.Reva.LDAP.GroupFilter,
 										"bind_username": cfg.Reva.LDAP.BindDN,
 										"bind_password": cfg.Reva.LDAP.BindPassword,
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -206,7 +206,9 @@ type LDAP struct {
 	Hostname     string
 	Port         int
 	BaseDN       string
+	LoginFilter  string
 	UserFilter   string
+	FindFilter   string
 	GroupFilter  string
 	BindDN       string
 	BindPassword string
--- a/pkg/flagset/authbasic.go
+++ b/pkg/flagset/authbasic.go
@@ -123,18 +123,11 @@ func AuthBasicWithConfig(cfg *config.Config) []cli.Flag {
 			Destination: &cfg.Reva.LDAP.BaseDN,
 		},
 		&cli.StringFlag{
-			Name:        "ldap-userfilter",
-			Value:       "(&(objectclass=posixAccount)(cn=%s))",
-			Usage:       "LDAP userfilter",
-			EnvVars:     []string{"REVA_LDAP_USERFILTER"},
-			Destination: &cfg.Reva.LDAP.UserFilter,
-		},
-		&cli.StringFlag{
-			Name:        "ldap-groupfilter",
-			Value:       "(&(objectclass=posixGroup)(cn=%s))",
-			Usage:       "LDAP groupfilter",
-			EnvVars:     []string{"REVA_LDAP_GROUPFILTER"},
-			Destination: &cfg.Reva.LDAP.GroupFilter,
+			Name:        "ldap-loginfilter",
+			Value:       "(&(objectclass=posixAccount)(|(cn={{login}})(mail={{login}})))",
+			Usage:       "LDAP login filter",
+			EnvVars:     []string{"REVA_LDAP_LOGINFILTER"},
+			Destination: &cfg.Reva.LDAP.LoginFilter,
 		},
 		&cli.StringFlag{
 			Name:        "ldap-bind-dn",
@@ -160,7 +153,7 @@ func AuthBasicWithConfig(cfg *config.Config) []cli.Flag {
 		// ldap dn is always the dn
 		&cli.StringFlag{
 			Name:        "ldap-schema-uid",
-			Value:       "uid",
+			Value:       "ownclouduuid",
 			Usage:       "LDAP schema uid",
 			EnvVars:     []string{"REVA_LDAP_SCHEMA_UID"},
 			Destination: &cfg.Reva.LDAP.Schema.UID,
@@ -174,7 +167,7 @@ func AuthBasicWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.StringFlag{
 			Name:        "ldap-schema-displayName",
-			Value:       "sn",
+			Value:       "displayname",
 			Usage:       "LDAP schema displayName",
 			EnvVars:     []string{"REVA_LDAP_SCHEMA_DISPLAYNAME"},
 			Destination: &cfg.Reva.LDAP.Schema.DisplayName,
--- a/pkg/flagset/users.go
+++ b/pkg/flagset/users.go
@@ -107,15 +107,24 @@ func UsersWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.StringFlag{
 			Name:        "ldap-userfilter",
-			Value:       "(&(objectclass=posixAccount)(cn=%s*))",
-			Usage:       "LDAP userfilter",
+			Value:       "(&(objectclass=posixAccount)(|(ownclouduuid={{.OpaqueId}})(cn={{.OpaqueId}})))",
+			Usage:       "LDAP filter used when getting a user. The CS3 userid properties {{.OpaqueId}} and {{.Idp}} are available.",
 			EnvVars:     []string{"REVA_LDAP_USERFILTER"},
 			Destination: &cfg.Reva.LDAP.UserFilter,
 		},
 		&cli.StringFlag{
-			Name:        "ldap-groupfilter",
-			Value:       "(&(objectclass=posixGroup)(cn=%s*))",
-			Usage:       "LDAP groupfilter",
+			Name:        "ldap-findfilter",
+			Value:       "(&(objectclass=posixAccount)(|(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)))",
+			Usage:       "LDAP filter used when searching for recipients. {{query}} will be replaced with the search query",
+			EnvVars:     []string{"REVA_LDAP_FINDFILTER"},
+			Destination: &cfg.Reva.LDAP.FindFilter,
+		},
+		&cli.StringFlag{
+			Name: "ldap-groupfilter",
+			// FIXME the reva implementation needs to use the memberof overlay to get the cn when it only has the uuid,
+			// because the ldap schema either uses the dn or the member(of) attributes to establish membership
+			Value:       "(&(objectclass=posixGroup)(ownclouduuid={{.OpaqueId}}*))", // This filter will never work
+			Usage:       "LDAP filter used when getting the groups of a user. The CS3 userid properties {{.OpaqueId}} and {{.Idp}} are available.",
 			EnvVars:     []string{"REVA_LDAP_GROUPFILTER"},
 			Destination: &cfg.Reva.LDAP.GroupFilter,
 		},
@@ -143,7 +152,7 @@ func UsersWithConfig(cfg *config.Config) []cli.Flag {
 		// ldap dn is always the dn
 		&cli.StringFlag{
 			Name:        "ldap-schema-uid",
-			Value:       "uid",
+			Value:       "ownclouduuid",
 			Usage:       "LDAP schema uid",
 			EnvVars:     []string{"REVA_LDAP_SCHEMA_UID"},
 			Destination: &cfg.Reva.LDAP.Schema.UID,
@@ -157,7 +166,7 @@ func UsersWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.StringFlag{
 			Name:        "ldap-schema-displayName",
-			Value:       "sn",
+			Value:       "displayname",
 			Usage:       "LDAP schema displayName",
 			EnvVars:     []string{"REVA_LDAP_SCHEMA_DISPLAYNAME"},
 			Destination: &cfg.Reva.LDAP.Schema.DisplayName,