Process mulitple groups in LDAP/AD group filter

2025-07-25 08:09:43 +02:00 · 2018-08-30 11:37:05 +01:00 · 2018-08-30 11:37:05 +01:00 · 7df0fbcb2b
commit 7df0fbcb2b
parent e490407260
4 changed files with 121 additions and 108 deletions
--- a/domain/auth/ldap/ad_test.go
+++ b/domain/auth/ldap/ad_test.go
@ -21,6 +21,12 @@ import (
 	ld "gopkg.in/ldap.v2"
 )

+// Works against AD server in Azure confgiured using:
+//
+// https://auth0.com/docs/connector/test-dc
+//
+// Ensure VM network settings open up ports 389 and 636.
+
 func TestADServer_UserList(t *testing.T) {
 	c := lm.LDAPConfig{}
 	c.ServerHost = "40.117.188.17"
@ -110,7 +116,7 @@ func TestADServer_Groups(t *testing.T) {
 	c.BindDN = "CN=ad-admin,CN=Users,DC=mycompany,DC=local"
 	c.BindPassword = "8B5tNRLvbk8K"
 	c.UserFilter = ""
-	c.GroupFilter = "(cn=Accounting)"
+	c.GroupFilter = "(|(cn=Accounting)(cn=IT))"

 	address := fmt.Sprintf("%s:%d", c.ServerHost, c.ServerPort)
 	t.Log("Connecting to AD server", address)
@ -173,49 +179,51 @@ func TestADServer_Groups(t *testing.T) {
 		return
 	}

-	// Get list of group members
-	rawMembers := sr.Entries[0].GetAttributeValues("member")
-	fmt.Printf("%s", sr.Entries[0].DN)
+	// Get list of group members for each group found.
+	for _, group := range sr.Entries {
+		rawMembers := group.GetAttributeValues("member")
+		fmt.Printf("%s", group.DN)

-	if len(rawMembers) == 0 {
-		t.Error("Error: group member attribute returned no users")
-		return
-	}
-
-	t.Logf("AD group contains %d members", len(rawMembers))
-
-	for _, entry := range rawMembers {
-		// get CN element from DN
-		parts := strings.Split(entry, ",")
-		if len(parts) == 0 {
+		if len(rawMembers) == 0 {
+			t.Log("Error: group member attribute returned no users")
 			continue
 		}
-		filter := fmt.Sprintf("(%s)", parts[0])

-		usr := ld.NewSearchRequest(
-			c.BaseDN,
-			ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
-			filter,
-			[]string{"dn", "cn", "givenName", "sn", "mail", "sAMAccountName"},
-			nil,
-		)
-		ue, err := l.Search(usr)
-		if err != nil {
-			t.Error("Error: unable to execute directory search for group member: ", err.Error())
-			return
-		}
+		t.Logf("AD group contains %d members", len(rawMembers))

-		if len(ue.Entries) > 0 {
-			for _, ur := range ue.Entries {
-				t.Logf("[%s] %s (%s %s) @ %s\n",
-					ur.GetAttributeValue("sAMAccountName"),
-					ur.GetAttributeValue("cn"),
-					ur.GetAttributeValue("givenName"),
-					ur.GetAttributeValue("sn"),
-					ur.GetAttributeValue("mail"))
+		for _, entry := range rawMembers {
+			// get CN element from DN
+			parts := strings.Split(entry, ",")
+			if len(parts) == 0 {
+				continue
+			}
+			filter := fmt.Sprintf("(%s)", parts[0])
+
+			usr := ld.NewSearchRequest(
+				c.BaseDN,
+				ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
+				filter,
+				[]string{"dn", "cn", "givenName", "sn", "mail", "sAMAccountName"},
+				nil,
+			)
+			ue, err := l.Search(usr)
+			if err != nil {
+				t.Log("Error: unable to execute directory search for group member: ", err.Error())
+				continue
+			}
+
+			if len(ue.Entries) > 0 {
+				for _, ur := range ue.Entries {
+					t.Logf("[%s] %s (%s %s) @ %s\n",
+						ur.GetAttributeValue("sAMAccountName"),
+						ur.GetAttributeValue("cn"),
+						ur.GetAttributeValue("givenName"),
+						ur.GetAttributeValue("sn"),
+						ur.GetAttributeValue("mail"))
+				}
+			} else {
+				t.Log("group member search failed:", filter)
 			}
-		} else {
-			t.Log("group member search failed:", filter)
 		}
 	}
 }