You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
LDAP Server Type: Development: Built in emulator. Test and prod: ActiveDirectory
PHP Version: 8.1
Describe the bug:
I wanted a scope requiring to be member of one or more groups.
I therefore created a scope with an initial where for one group and two more orWhere for 2 other groups. Something like this:
This means that you have to be member of both Group1 and (Group2 or Groups 3), which is not what I intended. Still using the built in LDAP emulator I could be member of eg. Group3 only and still get included. In the test environment, however, I did not get included. The correct implementation for the scope is to use orWhere on all 3 groups like this:
Thanks @acharseth, apologies for the long reply here. Yes I agree, the emulator is the one not working properly. The query builder is working as expected. I'm able to reproduce this locally. Working on a patch -- haven't found a solution yet. Will report here once I do 👍
stevebauman
changed the title
[Bug]Wrong handling of where in emulator
[Bug] Wrong handling of orWhere in emulator
Feb 4, 2024
Environment:
Describe the bug:
I wanted a scope requiring to be member of one or more groups.
I therefore created a scope with an initial
where
for one group and two moreorWhere
for 2 other groups. Something like this:With experience from SQL this makes sense but does not in LDAP.
This creates the following LDAP filter (as decoded from the log):
This means that you have to be member of both Group1 and (Group2 or Groups 3), which is not what I intended. Still using the built in LDAP emulator I could be member of eg. Group3 only and still get included. In the test environment, however, I did not get included. The correct implementation for the scope is to use orWhere on all 3 groups like this:
This will create a correct LDAP-filter:
To my understanding ActiveDirectoy has a correct implementation of the filter and the built in emulator does not.
Agree?
The text was updated successfully, but these errors were encountered: