Greenlight: ldap filters

Created on 25 Mar 2020  路  11Comments  路  Source: bigbluebutton/greenlight

As far as I see there is no option for ldap filters, is there some other way to filter out users who can login? Thanks!

Most helpful comment

We have no problem with complex filter (&, ! and | used!).

But I lost a lot of time debugging because I put quotes around the filter in the greenlight .env file, which were added to the filter, and thus not valid: LDAP_FILTER='(&(attr1=value1)(attr2=value2))' is not valid and generate the Net::LDAP::FilterSyntaxInvalidError error while LDAP_FILTER=(&(attr1=value1)(attr2=value2)) works as expected.

All 11 comments

Hi @mestia

Please see the comment here https://github.com/bigbluebutton/greenlight/issues/439#issuecomment-522026774

Unfortunately the proposed solution would not work in our LDAP server, where group memberships are stored in the "memberOf" attribute of each user object. As such all users are always children of a single users organizational unit. So filtering by that won't work.

Other software, such as Gitlab or Nextcloud, allows defining custom LDAP filters which are simply appended as query parameters when searching for users. e.g. the filter to limit our Nextcloud userbase is defined as:

(|(memberOf=staff)(memberOf=cloud))

It would be very helpful to also allow defining query filters like that in Greenlight as well.

I have to agree with @jancc that filtering described as in #439 is insufficient if you are using groups for permission management (and this is common in large directory setups for whole organizations).

We are using groups on our LDAP Server for permission managment. I don't think filtering by ou= only is definetly not sufficient. For the time being it is impossilbe for us to manage Role/Group matching eg. matching teachers to role moderator and students to role user.

Solution inside.
LDAP-Filters are important for many use cases.
This could be easily fixed by just changing two lines of code. I am not a ruby coder, but I am able to read and understand the code. I am unable to rebuild the whole environment (ruby, docker, red5) myself, but I suggest the following simple changes:
In https://github.com/bigbluebutton/greenlight/blob/master/app/controllers/sessions_controller.rb
Line 141 add:

ldap_config[:filter] = if ENV['LDAP_FILTER'] == ''
'objectclass=*'
else
ENV['LDAP_FILTER']
end

I am assuming you use LDAP-Authentication from
https://github.com/blindsidenetworks/bn-ldap-authentication/blob/master/lib/bn-ldap-authentication.rb
There change line 27 to

filter: "(&(#{provider_info[:uid]}=#{user_params[:username]})(#{provider_info[:filter]}))",

And add for the documentation in

https://docs.bigbluebutton.org/greenlight/gl-config.html#ldap-auth
LDAP_FILTER=your_ldap_filter defaults to objectclass=*

This would be very helpful for a lot of people.
Thanks a lot for BBB and Greenlight!

Figured everything out. Just maked it all working. But there is only one trouble: one will get error with text "Net::LDAP::FilterSyntaxInvalidError (Invalid filter syntax.):" in case of using complex filter string with multiple conditions (with "(" and ")"). Backslashing will not help it... If anyone know how to use complex filter with ruby Net::LDAP - please let me know.

For anyone interested, we generated a Greenlight Docker image (!from the master branch!) that
support LDAP filter (https://hub.docker.com/r/unistra/greenlight).

This was done by updating the dependencies to use our fork of bn-ldap-authentication in the Gemfile and by manually updating the Gemfile.lock file (which is probably not a good practice) before rebuilding the image using docker buid . -t <TAG>.

For anyone interested, we generated a Greenlight Docker image (!from the master branch!) that
support LDAP filter (https://hub.docker.com/r/unistra/greenlight).

This was done by updating the dependencies to use our fork of bn-ldap-authentication in the Gemfile and by manually updating the Gemfile.lock file (which is probably not a good practice) before rebuilding the image using docker buid . -t <TAG>.

As I mentioned above: do you have troubles with complex filter in your patch ?

We have no problem with complex filter (&, ! and | used!).

But I lost a lot of time debugging because I put quotes around the filter in the greenlight .env file, which were added to the filter, and thus not valid: LDAP_FILTER='(&(attr1=value1)(attr2=value2))' is not valid and generate the Net::LDAP::FilterSyntaxInvalidError error while LDAP_FILTER=(&(attr1=value1)(attr2=value2)) works as expected.

yes, the ' is not allowed in the filter because in the code it is capsuled by ":

filter: "(&(#{provider_info[:uid]}=#{user_params[:username]})(#{provider_info[:filter]}))",

Thanks a lot for adding the code to the docker image! You made my day!

We have no problem with complex filter (&, ! and | used!).

But I lost a lot of time debugging because I put quotes around the filter in the greenlight .env file, which were added to the filter, and thus not valid: LDAP_FILTER='(&(attr1=value1)(attr2=value2))' is not valid and generate the Net::LDAP::FilterSyntaxInvalidError error while LDAP_FILTER=(&(attr1=value1)(attr2=value2)) works as expected.

Nice. I will test your code in my greenlight fork. Thank you very much for your work!

Was this page helpful?
0 / 5 - 0 ratings