I'm working on a plain Java command-line program which performs a recursive LDAP search with Spring LDAP, starting from a specified group and searching all the users from the specified group and its subgroups.

The search fails to find anything if the group distinguished name contains organisational units (OU), but works in other cases.

Here is the short version of implementation, recursion omitted:

private void searchLdapGroup(List<UserDTO> users, LdapTemplate ldapTemplate, String groupName) {
    // recursion guard omitted
    String base = groupName.substring(groupName.indexOf(',') + 1);
    AndFilter filter = new AndFilter().and(new EqualsFilter("objectclass", "group")).and(new EqualsFilter("memberof", groupName));
    List<String> subgroups = ldapTemplate.search(base, filter.encode(), new GroupNameMapper());

    // recursive calls for subgroups omitted
    getAllUsers(users, ldapTemplate, groupName, base);
}

private void getAllUsers(List<UserDTO> users, LdapTemplate ldapTemplate, String groupName, String base) {
    AndFilter filter = new AndFilter().and(new EqualsFilter("objectclass", "person")).and(new EqualsFilter("memberof", groupName));
    // Paged search omitted.
    List<UserDTO> result = ldapTemplate.search(base,filter.encode(),new UserAttributesMapper());
    users.addAll(result);       
}

The GroupNameMapper returns distinguishedName as Strings and UserAttributesMapper returns user objects from different attributes such as sAMAccountName and givenName.

The code (with recursion) finds all the 36 users in the first test group, where the specified group is like:

CN=import_users,CN=Users,DC=example,DC=test,DC=org

In the exact same test environment, it returns zero persons and subgroups when the group distinguished name contains one or more organisational units, such as

CN=import_users,OU=testou,DC=example,DC=test,DC=org

This can't be due to a wrong group distinguished name, "memberof" not working, or the group containing no users, since I tested lookups:

String[] test = (String[])ldapTemplate.lookup("CN=import_users,OU=testou,DC=example,DC=test,DC=org", new ContextMapper() {
        public Object mapFromContext(Object ctx) {
            DirContextAdapter adapter = (DirContextAdapter) ctx;
            return adapter.getStringAttributes("Member");
        }
    });

which finds

CN=John Doe,CN=Users,DC=example,DC=test,DC=org

and a lookup for the user John Doe

String[] test = (String[])ldapTemplate.lookup("CN=John Doe,CN=Users,DC=example,DC=test,DC=org", new ContextMapper() {
        public Object mapFromContext(Object ctx) {
            DirContextAdapter adapter = (DirContextAdapter) ctx;
            return adapter.getStringAttributes("memberof");
        }
    });

gives results:

CN=import_users,OU=testou,DC=example,DC=test,DC=org
CN=import_users,CN=Users,DC=example,DC=test,DC=org

How come the search does not find anything when organisational units are involved?

Library used: spring-ldap-core - 2.0.4.RELEASE

1 Answer

The devil is in the details: The member of the group CN=import_users,OU=testou,DC=example,DC=test,DC=org is

CN=John Doe,CN=Users,DC=example,DC=test,DC=org

But you appear to be searching for users under

OU=testou,DC=example,DC=test,DC=org

That is, it appears all users are under CN=Users,DC=example,DC=test,DC=org, but when you are actually searching for users you assume they are placed relative to the group.
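One way to decouple the user search from the group's container, as an added example that is not part of the question's or answer's code: derive the search base from the DC components of the group DN (the domain root) instead of from the group's parent container, so a subtree search still reaches CN=Users when the group lives under an OU. The helper domainBaseOf is hypothetical, and the example assumes the LdapContextSource has no base configured (the question's code passes full DNs as bases, so this matches its setup).

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;

// Hypothetical helper (assumption, not from the original post): keep only the DC RDNs
// of a DN so that "CN=import_users,OU=testou,DC=example,DC=test,DC=org" and
// "CN=import_users,CN=Users,DC=example,DC=test,DC=org" both yield the domain root
// "DC=example,DC=test,DC=org".
private static String domainBaseOf(String groupDn) throws InvalidNameException {
    LdapName name = new LdapName(groupDn);
    List<Rdn> domainRdns = new ArrayList<Rdn>();
    // LdapName.getRdns() is ordered right to left (index 0 is the rightmost RDN),
    // which is the ordering new LdapName(List<Rdn>) expects back.
    for (Rdn rdn : name.getRdns()) {
        if ("DC".equalsIgnoreCase(rdn.getType())) {
            domainRdns.add(rdn);
        }
    }
    if (domainRdns.isEmpty()) {
        throw new InvalidNameException("no DC components in " + groupDn);
    }
    return new LdapName(domainRdns).toString();
}

// Same filter as the question, but searched from the domain root: the memberof value
// is still the full group DN, so users are matched by membership rather than by
// where they sit in the tree (UserDTO and UserAttributesMapper are the question's own types).
private void getAllUsers(List<UserDTO> users, LdapTemplate ldapTemplate, String groupName)
        throws InvalidNameException {
    String base = domainBaseOf(groupName);
    AndFilter filter = new AndFilter()
            .and(new EqualsFilter("objectclass", "person"))
            .and(new EqualsFilter("memberof", groupName));   // EqualsFilter escapes the DN
    // LdapTemplate.search(String, String, ContextMapper) uses subtree scope by default,
    // so everything under the domain root, including CN=Users, is covered.
    users.addAll(ldapTemplate.search(base, filter.encode(), new UserAttributesMapper()));
}
```

The subgroup search in searchLdapGroup has the same dependency on the group's container and can use the same base.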