Unexpected LDAP failure reading group members: character ' ' not allowed in attribute type

[Luci2015]

Description
Error reading group members from oracle LDAP gives the error : Unexpected LDAP failure reading group members: character ' ' not allowed in attribute type
This is the space char that the error refers to.

Steps to reproduce
the ldap setup:

username: "uid=async,ou=Special Users,dc=domain,dc=local"
password: "thepasshere"
host: "ldap://some_IP_here"
base_dn: "dc=domain,dc=local"

Since this error was seen before in AD connections where the base_dn with spaces inside the value, such as: base_dn: "dc=domain, dc=local", I tried to fix the username value so that the space between Special Users be escaped, such as:
username: "uid=adobesync,ou=Special\ Users,dc=domain,dc=local"

The tool run OK for a couple of groups, then fails with same error:
Unexpected LDAP failure reading group members: character ' ' not allowed in attribute type

Another test was made with an username value that had no space char in the DN; the tool fails to read all members of all groups, just like in the escaped space workaround.

This does not happen in 2.3; I'm suspecting an update of the ldap3 package and also I suspect it is also linked to the data extracted from the ldap, since all that went in had no space.

Expected behavior
no error

Environment

• UST version: 2.6.2
• OS type and version: Windows
• Any other relevant info: oracle LDAP

[vossen-adobe]

ldap3 has validation for this here:
https://github.com/cannatag/ldap3/blob/dev/ldap3/utils/dn.py#L179

Im not sure we can do anything about this but maybe we can dig deeper.

I am not able to reproduce this with the following username with active directory. It looks like they may be using openldap implementation?

[adorton-adobe]

Unfortunately, I don't know if there is much we can do here. We can't revert to python-ldap since several new features depend on ldap3. If the customer can't find a reasonable workaround, they may need to develop their own extraction process to put users into a CSV to input into the sync tool.

@Luci2015 - you may want to raise this as a potential bug for the ldap3 maintainers. It seems like this should be supported, especially if python-ldap supports it.

[Luci2015]

this was mainly raised for visibility, ldap3 changed their logic as per the RFC, so not expecting a roll-back
I am having issues replicating in openLDAP as all results come back as expected :|

[EDIT]:
I think I found the function that generates the exception in our case.
iterating through LDAP users in two_step_lookup loop, we call this function: is_dn_within_base_dn_scope(base_dn, dn)
The function will call inside this method from ldap3:
split_dn = ldap3.utils.dn.parse_dn(dn.lower())

I made this test to prove (note the spaces inside the DN):

>>> import ldap3
>>> ldap3.utils.dn.parse_dn('uid=someUser, dc=domain, dc=local')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Users\Administrator\Desktop\ENV\lib\site-packages\ldap3\utils\dn.py", line 315, in parse_dn
    if not _validate_attribute_type(attribute_type):
  File "C:\Users\Administrator\Desktop\ENV\lib\site-packages\ldap3\utils\dn.py", line 179, in _validate_attribute_type
    raise LDAPInvalidDnError('character \'' + c + '\' not allowed in attribute type')
ldap3.core.exceptions.LDAPInvalidDnError: character ' ' not allowed in attribute type

I think what we can do at most in this case is that for whoever uses two_step_lookup to put the try-except routine inside the is_dn_within_base_dn_scope(base_dn, dn) function which, under except, should log a warning for user being skipped and maybe return False, for user_dn not a match to base_dn,
OR
replace the comma + space(s) string inside the DN ', ' to just comma, including in the base_dn

Note, the space and other special chars will not impact if they are added inside the group, ou or CN of teh object (i.e. this is not returning exception: uid=some User,ou=my organisational unit,dc=domain,dc=local