ejabberd - Comments for "Problem with ldap_dn_filter"
https://www.ejabberd.im/forum/29807/problem-ldapdnfilter

Comment 67824 by madmalkav, Tue, 27 Feb 2018 13:20:23 +0000
https://www.ejabberd.im/forum/29807/problem-ldapdnfilter#comment-67824

OK, I have made a lot of progress today, thanks mainly to Airwave and emias on the IRC channel.

ldap_dn_filter parsing issues:

With:

    ldap_dn_filter: "(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(uniqueMember=%D))":["uid"]

or

    ldap_dn_filter: "(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(uniqueMember=%D))": ["uid"]

Error:

    2018-02-26 13:56:17.636 [error] <0.66.0>@ejabberd_config:get_plain_terms_file:286 Cannot load /users/ejb00/ejb/conf/ejabberd.yml: Syntax error on line 267 at position 82: did not find expected key

With:

    ldap_dn_filter:
      "(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(uniqueMember=%D))"

Error:

    2018-02-26 14:19:18.879 [error] <0.66.0>@ejabberd_config:validate_opts:1029 ignoring option 'ldap_dn_filter' with invalid value: <<"(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(uniqueMember=%D))">>

With:

    ldap_dn_filter:
      "(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(uniqueMember=%D))": ["uid"]

SUCCESS

This is the proper format: new line, two spaces, no '-'. The second part (after the ":") is mandatory: this is the parameter of the first query results that will be used for parsing purposes with %s. Even if you are not using %s, you should set it up.

If I leave ldap_filter blank, all the o=XXXXXXXX uids get queried, and the Virtual Domain tab doesn't get populated. I suppose this behaviour is caused if the LDAP server reply is truncated, i.e. it is set to send a maximum of 2000 results but the query results are bigger than that.

If I filter a little more in the first query, we get the Virtual Domain user list populated. This can be a problem in big organizations, and it will be interesting to confirm whether the behaviour is caused by the LDAP config or by ejabberd.

To filter by netgroup users with nisNetgroupTriple, there is a problem parsing the ( ) characters. I'm still trying to figure that out; meanwhile you could use wildcards, but I don't like that from a security point of view.

Also, in my LDAP the uid is uppercase and the entry in nisNetgroupTriple is lowercase, so I had to search for a user property that holds the user in lowercase and use that with %s:

    "(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(nisNetgroupTriple=*%s*))": ["uidux"]

Comment 67822 by madmalkav, Mon, 26 Feb 2018 11:24:09 +0000
https://www.ejabberd.im/forum/29807/problem-ldapdnfilter#comment-67822

I start to think ldap_dn_filter is not working OK. With this configuration:

    ldap_uids:
      - "uniqueMember"
    ldap_filter: "(cn=GROUPNAME)"
    ldap_dn_filter: "(%s)": "uniqueMember"

I get:

    2018-02-26 11:34:28.698 [error] <0.66.0>@ejabberd_config:get_plain_terms_file:286 Cannot load /users/ejb00/ejb/conf/ejabberd.yml: Syntax error on line 267 at position 23: mapping values are not allowed in this context

Or, I can try with the netgroups:

    ldap_uids:
      - "nisNetgroupTriple": "(,%u,)"
    ldap_filter: "(cn=NETGROUP)"
    ldap_dn_filter: "(uid=%u)"

But then I don't get the LDAP query in the log, and I get:

    2018-02-26 12:03:41.166 [error] <0.66.0>@ejabberd_config:validate_opts:1029 ignoring option 'ldap_dn_filter' with invalid value: <<"(uid=%u)">>

I get the query in the log if I remove the : "(,%u,)":

    2018-02-26 12:20:22.102 [debug] <0.562.0>@eldap:send_command:776 {searchRequest,{'SearchRequest',<<"o=XXXXXXXX">>,wholeSubtree,neverDerefAliases,0,0,false,{and,[{equalityMatch,{'AttributeValueAssertion',<<"nisNetgroupTriple">>,<<"USERID">>}},{equalityMatch,{'AttributeValueAssertion',<<"cn">>,<<"NETGROUP">>}}]},[<<"nisNetgroupTriple">>]}}

Comment 67820 by madmalkav, Sat, 24 Feb 2018 12:01:00 +0000
https://www.ejabberd.im/forum/29807/problem-ldapdnfilter#comment-67820

OK, after a good night of sleep, now I understand why the second option can't work. What I need is probably to take the results of ldap_filter, for example the list of nisNetgroupTriple, and feed them to ldap_dn_filter, but parsed somehow. Something like:

    (uid=%u): ["nisNetgroupTriple": "(,%u,)"]

But I don't think that is supported.

I also still get the "ignoring option 'ldap_dn_filter' with invalid value" error with the different ldap_dn_filter values I have tried.

Comment 67819 by madmalkav, Fri, 23 Feb 2018 18:51:15 +0000
https://www.ejabberd.im/forum/29807/problem-ldapdnfilter#comment-67819

There is another way I can try to get this working on my LDAP, with ldap_uids, but this is showing some problems:

If, for example, I filter using a netgroup, I get a list of users in the format:

    nisNetgroupTriple: (,USERID,)

But if I set up in my ejabberd.yml file:

    ldap_uids:
      - "nisNetgroupTriple": "(,%u,)"

this still doesn't work.

The other possibility is using ldap_uids with the previously mentioned uniqueMember entries, but those are in the format:

    USER NAME AND SURNAME - USERID,ou=XXXXXXXX,o=XXXXXXXX

I don't know how the ldap_uidattr_format format is parsed, so I don't know if I can use, for example, a regular expression to get the USERID from that field.
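The 27 Feb comment falls back to a wildcard match (nisNetgroupTriple=*%s*) because the "(" and ")" in a nisNetgroupTriple value break the filter. As an added example, not code from the thread or from ejabberd, the block below shows how such a value is escaped per RFC 4515 so it can be matched exactly; the thread does not say whether ejabberd's %s/%u substitution escapes values itself, so treat that as unknown and use this as a stand-alone check of the filter string you want to end up with.

```python
# Added example (not from the forum thread or from ejabberd): build an
# LDAP search filter that matches a nisNetgroupTriple value such as
# "(,userid,)" exactly, instead of relying on a wildcard like *userid*.
# Without escaping, the naive filter
#   (&(cn=NETGROUP)(nisNetgroupTriple=(,userid,)))
# is malformed because "(" and ")" are filter syntax, which is the
# parsing problem the thread describes.

def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter
    (RFC 4515): backslash, '*', '(', ')' and NUL become a backslash
    followed by two hex digits. This also neutralises a '*' supplied in
    user input, so it cannot widen the match into a wildcard."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def netgroup_member_filter(netgroup: str, userid: str) -> str:
    """Filter for members of one netgroup whose triple is exactly
    "(,userid,)"; both inserted values are escaped."""
    triple = '(,%s,)' % userid
    return '(&(cn=%s)(nisNetgroupTriple=%s))' % (
        escape_filter_value(netgroup), escape_filter_value(triple))

if __name__ == '__main__':
    # Constructed sample values, not taken from the thread.
    print(netgroup_member_filter('NETGROUP', 'userid'))
    # (&(cn=NETGROUP)(nisNetgroupTriple=\28,userid,\29))
```

If the uid attribute is upper case while the triple holds it lower case, as the comment notes, the caller has to lower-case userid before passing it in; the escaping does not change letter case.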