You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
zitadel's userfilter works way different from what I would typically expect, which is fine in itself.
the problem arises when trying to configure filters that aren't just depended on the username.
for example, enabled=TRUE might be a typical filter one would want to use.
To reproduce
enter anything but an attribute name into the userfilter
Screenshots
No response
Expected behavior
userfilters are an optional configuration to further restrict users.
the ID Attribute is already a required field for configuring an LDAP provider, filtering for ($id_attribute=$username) should be done automatically since you don't allow us to template the username into the filter ourselfs.
Operating System
No response
Relevant Configuration
No response
Additional Context
by appending )(enabled=TRUE to the last User ObjectClasses entry you can smuggle arbitrary filters into the query anyways, though I really really don't want to do this in production.
being able to configure a dedicated enable filter, f.ex userAccountControl:1.2.840.113556.1.4.803:=2 when using MS AD would be really nice, though probably out of scope here
consider renaming user filters to loginname attributes as it more accurately reflects the purpose and adding a proper user filter field where I can provide plain LDAP filters without any automagic.
The text was updated successfully, but these errors were encountered:
Preflight Checklist
Environment
Self-hosted
Version
2.43.4
Database
PostgreSQL
Database Version
No response
Describe the problem caused by this bug
zitadel's userfilter works way different from what I would typically expect, which is fine in itself.
the problem arises when trying to configure filters that aren't just depended on the username.
for example,
enabled=TRUE
might be a typical filter one would want to use.To reproduce
enter anything but an attribute name into the userfilter
Screenshots
No response
Expected behavior
userfilters are an optional configuration to further restrict users.
the
ID Attribute
is already a required field for configuring an LDAP provider, filtering for($id_attribute=$username)
should be done automatically since you don't allow us to template the username into the filter ourselfs.Operating System
No response
Relevant Configuration
No response
Additional Context
by appending
)(enabled=TRUE
to the last User ObjectClasses entry you can smuggle arbitrary filters into the query anyways, though I really really don't want to do this in production.being able to configure a dedicated
enable
filter, f.exuserAccountControl:1.2.840.113556.1.4.803:=2
when using MS AD would be really nice, though probably out of scope hereconsider renaming user filters to
loginname attributes
as it more accurately reflects the purpose and adding a proper user filter field where I can provide plain LDAP filters without any automagic.The text was updated successfully, but these errors were encountered: