From d869aa1d5aff8066c121ba09679a00b1d9e5524f Mon Sep 17 00:00:00 2001
From: Benedikt Kulmann
Date: Tue, 8 Sep 2020 18:00:25 +0200
Subject: [PATCH 1/2] Extend query if searchBaseDN already is a user/group
---
pkg/server/glauth/handler.go | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/pkg/server/glauth/handler.go b/pkg/server/glauth/handler.go
index b79d292b4a..b3b74bd674 100644
--- a/pkg/server/glauth/handler.go
+++ b/pkg/server/glauth/handler.go
@@ -143,6 +143,15 @@ func (h ocisHandler) Search(bindDN string, searchReq ldap.SearchRequest, conn ne
ResultCode: code,
}, fmt.Errorf("Search Error: error parsing filter: %s", searchReq.Filter)
}
+
+ // check if the searchBaseDN already has a username and add it to the query
+ parts := strings.Split(strings.TrimSuffix(searchBaseDN, baseDN), ",")
+ if len(parts) > 0 && strings.HasPrefix(parts[0], "cn=") {
+ if len(query) > 0 {
+ query += " AND "
+ }
+ query += fmt.Sprintf("on_premises_sam_account_name eq '%s'", escapeValue(strings.TrimPrefix(parts[0], "cn=")))
+ }
}
entries := []*ldap.Entry{}
@@ -292,7 +301,7 @@ func (h ocisHandler) mapGroups(groups []*accounts.Group) []*ldap.Entry {
return entries
}
-// LDAP filters might ask for grouips and users at the same time, eg.
+// LDAP filters might ask for groups and users at the same time, eg.
// (|
// (&(objectClass=posixaccount)(cn=einstein))
// (&(objectClass=posixgroup)(cn=users))
From d5c5b3b16f656ab8e4b6d927840e23a8d4a3b8a3 Mon Sep 17 00:00:00 2001
From: Benedikt Kulmann
Date: Tue, 8 Sep 2020 18:05:28 +0200
Subject: [PATCH 2/2] Changelog
---
changelog/unreleased/fix-searchbasedn.md | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 changelog/unreleased/fix-searchbasedn.md
diff --git a/changelog/unreleased/fix-searchbasedn.md b/changelog/unreleased/fix-searchbasedn.md
new file mode 100644
index 0000000000..6635a722bf
--- /dev/null
+++ b/changelog/unreleased/fix-searchbasedn.md
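Review bot: The RDN test `strings.HasPrefix(parts[0], "cn=")` in the first handler.go hunk is case-sensitive and does not parse the RDN, so a base DN sent as `CN=einstein,...` or with a space after the separating comma is silently ignored and the search runs with the unqualified query; LDAP attribute types are case-insensitive, so the type should be compared with `strings.EqualFold`. Three lines cover it: `kv := strings.SplitN(parts[0], "=", 2)`, `if len(kv) == 2 && strings.EqualFold(strings.TrimSpace(kv[0]), "cn") {`, and `escapeValue(strings.TrimSpace(kv[1]))` in the Sprintf (the `len(parts) > 0` guard can then go, since Split always returns at least one element). RDN values containing an escaped comma (`\,` per RFC 4514) would still be cut short by the comma split; if that is an accepted limitation it deserves a comment such as `// NOTE: naive comma split; escaped commas in RDN values are not handled`. The CN value reaches the query only as safely as escapeValue makes it, and that helper is not visible here — confirm it is the same one used for the filter-derived terms earlier in Search. Search starts before this hunk and continues past it, and the block these added lines close also opens outside the hunk, so if it is conditional on a non-empty filter the base-DN CN is not applied when the filter is empty.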
@@ -0,0 +1,6 @@
+Bugfix: Use searchBaseDN if already a user/group name
+
+In case of the searchBaseDN already referencing a user or group, the search query was ignoring the user/group name entirely, because the searchBaseDN is not part of the LDAP filters. We fixed this by including an additional query part if the searchBaseDN contains a CN.
+
+https://github.com/owncloud/product/issues/214
+https://github.com/owncloud/ocis-glauth/pull/32