LDAP: Teams not synching

[lukaspj]

When users log in using LDAP, they are not assigned the teams that matches their AD groups.

Steps to reproduce the issue:

1. Create a fresh install of Portainer
2. Set up LDAP authentication
3. Add a team with the same name as an AD group
4. Login as a user belonging to the AD group.

I set the following attributes on the LDAP settings:

• LDAP Server
• Reader DN
• Password
• All security: OFF
• Automatic User provision: ON
• User Base DN
• Username attribute: sAMAccountName
• Group Base DN
• Group Membership Attribute: member

I copy-pasted the DNs from LDAP Admin, so I'm pretty sure those values don't have typos.
One thing of note, the AD Group has _ and - in the name, which might cause some encoding issue?
I don't see anything in Portainer's stdout.

Edit: Group Name is USR_ADM_Dev-Environment

Technical details:

• Portainer version: 1.19.1
• Platform (windows/linux): Linux
• Browser: Chrome

[lukaspj]

I just tried synching a group without special characters, only letters, and it didn't work as well. So that wasn't it.

I tried moving up the Group Base DN to the root of the AD, that didn't help either.

Edit: If it matters, the CN of the user is on the form "John Doe (JDOE)"

Edit2: Another note, the service user I'm using for Portainer, is the same I'm using for Jenkins where group-lookup works fine.

[lukaspj]

Found the culprit!

The issue is that the CN on the form "John Doe (JDOE)" fails for some reason.
Logging in with a user that has a CN on the form "Jane Doe" without the (username) at the end works fine.

Now, to find the source of this discrepancy..

[lukaspj]

I'm not too strong at LDAP stuff, but is it possible that the parentheses would need to be escaped here:
https://github.com/portainer/portainer/blob/develop/api/ldap/ldap.go#L142
Since that comes out as:
(&...(member=CN=John Doe (JDOE),DN=....))

And if so, does anyone know how to escape those parentheses?

[lukaspj]

Based on:
http://www.rlmueller.net/CharactersEscaped.htm

Parentheses needs to be escaped when querying an AD backend through the LDAP protocol.

A further complication arises if you use LDAP filters to query Active Directory. For example, if you use ADO to query Active Directory, and you use the LDAP syntax, one of the clauses is an LDAP filter clause. Command line utilities like adfind and dsquery also accept LDAP filters. The LDAP filter specification assigns special meaning to the following characters:

* ( ) \ NUL

The NUL character is ASCII 00. In LDAP filters these 5 characters should be escaped with the backslash escape character, followed by the two digit ASCII hex representation of the character. The following table documents this:

* | \2A

( | \28

) | \29

\ | \5C

NUL | \00

Sorry for the horrible formatting of the table, on cellphone.

I will see if I can whip up a PR soon.