
Group-related features do not work on Google Secure LDAP #201

Open
pruiz opened this issue Aug 25, 2020 · 5 comments

Comments


pruiz commented Aug 25, 2020

It turns out current code for handling/searching group membership information relies on LDAP Compare requests (i.e. compare_s(...)), which are not supported by Google's Secure LDAP (https://support.google.com/a/answer/9048516?hl=en). As stated at https://support.google.com/a/answer/9167101?hl=en => "Unsupported actions are: Add, Compare, Del, Modify, and ModifyDn.".

As such, enabling features like AUTH_LDAP_REQUIRE_GROUP, AUTH_LDAP_USER_FLAGS_BY_GROUP, etc. breaks django-auth-ldap due to Google Secure LDAP throwing "Protocol error" on response to CompareRequests made during group membership gathering.

pruiz added a commit to pruiz/netbox-docker that referenced this issue Aug 25, 2020
…vironment variables are not defined. This is required in order to work with Google's Secure LDAP, due to some limitations on django-auth-ldap plugin (see: django-auth-ldap/django-auth-ldap#201)
@jdufresne (Member)

Do you have a suggestion on how to handle this?


pruiz commented Sep 1, 2020

The only place where I've seen 'compare_s' being used is within LDAPGroupType child classes' is_member method.

I do not have the time right now, but I think there could be an LDAPGroupType specific subclass for Google's LDAP, which implements an is_member using one of the following two alternates:

  1. Use memberOf values obtained from querying a user by its DN (as Google does return the full DNs of each group the user is member of)
  2. Make a query (i.e. search_s) for any DN with base '$AUTH_LDAP_GROUP_BASE_DN', having member=$uid or similar.

Regards

pruiz added a commit to pruiz/netbox-docker that referenced this issue Oct 29, 2020
…vironment variables are not defined. This is required in order to work with Google's Secure LDAP, due to some limitations on django-auth-ldap plugin (see: django-auth-ldap/django-auth-ldap#201)

lucat1 commented Jan 7, 2023

This turns out to be an issue also with lldap or any rust ldap3 based services which do not support compare. I just wanted to point out that memberOf is available also in lldap and is therefore a viable solution to this. Any interest in moving this forward?

@francoisfreitag (Collaborator)

It seems compare_s is deprecated, man 3 ldap_compare states:

DEPRECATED INTERFACES
The routines ldap_compare() and ldap_compare_s() are deprecated in favor of ldap_compare_ext() and ldap_compare_ext_s(), respectively.
Deprecated interfaces generally remain in the library. The macro LDAP_DEPRECATED can be defined to a non-zero value (e.g., -DLDAP_DEPRECATED=1) when compiling program designed to use deprecated interfaces. It is recommended that developers writing new programs, or updating old programs, avoid use of deprecated interfaces.
Over time, it is expected that documentation (and, eventually, support) for deprecated interfaces to be eliminated.

Ldapwiki has a section with title “Beware of memberOf”, which does not encourage using it.

https://ldapwiki.com/wiki/MemberOf#section-MemberOf-BewareOfMemberOf

I’m concerned using memberOf instead of compare would cause breakage in different setups. If there’s a standard way of retrieving group membership, that would be ideal. Barring that, I believe the next best thing is to provide a subclass that relies on memberOf, to help developers adapting the library to their LDAP setup.
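As an added example (not django-auth-ldap's own code) of the Compare-free is_member that pruiz sketched earlier and the memberOf-based subclass discussed in this comment: it trusts memberOf when the server returns it and otherwise runs a base-scope search on the group entry for member=<user DN>, which asks the same question a Compare would, so it stays correct on servers that do not maintain memberOf. The is_member(ldap_user, group_dn) signature is assumed to mirror LDAPGroupType; FakeConnection and DIRECTORY are constructed stand-ins for python-ldap's search_s() so the module runs offline.

```python
# Added example, not django-auth-ldap's or python-ldap's own code: group
# membership without an LDAP Compare request. Trusts memberOf when the server
# returns it, else does a base-scope search on the group for member=<user DN>.
# Assumptions: is_member(ldap_user, group_dn) mirrors django-auth-ldap's
# LDAPGroupType; FakeConnection/DIRECTORY stand in for python-ldap's search_s()
# (str values here; python-ldap returns bytes).
from types import SimpleNamespace
SCOPE_BASE = 0  # same numeric value python-ldap uses for ldap.SCOPE_BASE

def escape_filter_chars(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    for ch in ("\\", "*", "(", ")", "\0"):  # backslash first: no double escaping
        value = value.replace(ch, "\\%02x" % ord(ch))
    return value

def norm_dn(dn):
    """DN matching ignores case and whitespace around RDN separators."""
    return ",".join(p.strip() for p in dn.lower().split(","))

class NoCompareGroupType:
    def is_member(self, ldap_user, group_dn):
        member_of = ldap_user.attrs.get("memberOf")
        if member_of is not None:  # server maintains memberOf: no extra round trip
            return any(norm_dn(g) == norm_dn(group_dn) for g in member_of)
        filt = "(member=%s)" % escape_filter_chars(ldap_user.dn)
        return bool(ldap_user.connection.search_s(group_dn, SCOPE_BASE, filt, ["dn"]))

class FakeConnection:
    """Constructed stand-in supporting only base-scope '(attr=value)' filters."""
    def __init__(self, entries):
        self.entries = {norm_dn(dn): (dn, attrs) for dn, attrs in entries.items()}
    def search_s(self, base, scope, filterstr, attrlist=None):
        attr, value = filterstr.strip("()").split("=", 1)
        dn, attrs = self.entries.get(norm_dn(base), (None, {}))
        if dn is None or scope != SCOPE_BASE:
            return []
        stored = {norm_dn(escape_filter_chars(v)) for v in attrs.get(attr, [])}
        return [(dn, attrs)] if norm_dn(value) in stored else []

ADMINS = "cn=admins,ou=Groups,dc=example,dc=com"
DIRECTORY = {ADMINS: {"member": ["uid=alice,ou=Users,dc=example,dc=com"]}}  # constructed

def demo():
    conn, gt = FakeConnection(DIRECTORY), NoCompareGroupType()
    alice = SimpleNamespace(dn="uid=alice,ou=Users,dc=example,dc=com", attrs={}, connection=conn)
    bob = SimpleNamespace(dn="uid=bob,ou=Users,dc=example,dc=com", connection=conn,
                          attrs={"memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com"]})
    return (gt.is_member(alice, ADMINS),  # True: found by search, no memberOf present
            gt.is_member(bob, ADMINS),    # True: taken from memberOf, no query issued
            gt.is_member(alice, "cn=ops,ou=Groups,dc=example,dc=com"))  # False
```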


creshal commented May 11, 2023

We're running into the same problem. @francoisfreitag Do you have any pointers wrt that subclass? Did anyone write one yet?
