🐛 Bug Report: Expand LDAP group membership logic to fully support Active Directory group member DNs with non-username value. #158

Closed
opened 2025-07-08 08:41:16 -04:00 by AtHeartEngineer · 0 comments

Originally created by @abjoseph on 5/21/2025

Reproduction steps

I have an Active Directory instance on-prem that I currently use to centrally manage users and groups within my environment.

Expected behavior

I expect that Pocket ID, once configured for LDAP Sync, is able to determine user group membership and correctly reflect that in the "User Group" tab in the Admin UI.

Actual Behavior

Pocket ID successfully creates the desired groups but is not able to correctly associate groups with the corresponding queried users.

Image: https://github.com/user-attachments/assets/6626879e-15f0-4356-86c7-6e9dc3922948

Version and Environment

Expand the LDAP group membership logic originally implemented as part of https://github.com/pocket-id/pocket-id/issues/234 to ALSO support Active Directory's Distinguished Name (DN) format for the group member value, e.g. CN=John Doe,OU=Users,OU=Security,DC=Example,DC=com, where the CN is usually the user's "Full Name" if populated and likely would not match the value retrieved from the username attribute, which in my case is sAMAccountName.

The currently implemented assumption, which is not valid for the AD scenario I described above, can be found in backend/internal/service/ldap_service.go at line 110 (https://github.com/kmendell/pocket-id/blob/72baad57270035c0f2a08d9b0ca8d2bd3754ff9f/backend/internal/service/ldap_service.go#L110).

Code snippet of the line referenced above, shown below:

Image: https://github.com/user-attachments/assets/96b9eecf-b400-4b8e-9aa2-d60a34f3319c

Log Output

No relevant logs. As an FYI, troubleshooting surrounding LDAP sync would benefit greatly from improved/more verbose logging.

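The resolution the report asks for, shown as an added illustration in Go that is not pocket-id's own code (the LdapUser and MemberIndex types, the sample users and the group member values are all constructed here): synced users are indexed both by their entry DN and by the configured username attribute, and each group member value is resolved through whichever form it carries. A member value that is a DN is matched only against the full normalized DN, never against the CN on its own, because the CN is not unique across OUs and matching on it would let two distinct entries collide. Values that resolve to no synced user are returned so they can be logged, which addresses the verbosity gap the reporter mentions.

```go
package main

import (
	"fmt"
	"strings"
)

// LdapUser is a minimal stand-in for a user entry returned by the directory
// search; constructed for this example, not pocket-id's own type.
type LdapUser struct {
	DN       string // entry DN, e.g. CN=John Doe,OU=Users,DC=example,DC=com
	Username string // value of the configured username attribute (sAMAccountName, uid, ...)
}

// splitUnescaped splits s on sep, skipping separators escaped with a backslash,
// so an RDN such as "CN=Doe\, Jane" stays in one piece.
func splitUnescaped(s string, sep byte) []string {
	var parts []string
	var cur strings.Builder
	escaped := false
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case escaped:
			cur.WriteByte(c)
			escaped = false
		case c == '\\':
			cur.WriteByte(c)
			escaped = true
		case c == sep:
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(parts, cur.String())
}

// normalizeDN canonicalises a DN for comparison: whitespace around each RDN and
// around '=' is trimmed and everything is lower-cased, since AD and most LDAP
// servers compare DN components case-insensitively. Simplified RFC 4514
// matching: multi-valued RDNs and hex escapes are not handled.
func normalizeDN(dn string) string {
	parts := splitUnescaped(dn, ',')
	for i, p := range parts {
		p = strings.TrimSpace(p)
		if kv := strings.SplitN(p, "=", 2); len(kv) == 2 {
			p = strings.TrimSpace(kv[0]) + "=" + strings.TrimSpace(kv[1])
		}
		parts[i] = strings.ToLower(p)
	}
	return strings.Join(parts, ",")
}

// MemberIndex indexes synced users by normalized DN and by username so that a
// group member value in either form resolves to the same user.
type MemberIndex struct {
	byDN       map[string]LdapUser
	byUsername map[string]LdapUser
}

func NewMemberIndex(users []LdapUser) *MemberIndex {
	idx := &MemberIndex{byDN: map[string]LdapUser{}, byUsername: map[string]LdapUser{}}
	for _, u := range users {
		idx.byDN[normalizeDN(u.DN)] = u
		idx.byUsername[strings.ToLower(strings.TrimSpace(u.Username))] = u
	}
	return idx
}

// Resolve maps a group's member values to users. A value containing '=' is
// treated as a DN and matched against the full DN only; anything else is
// treated as a username (the behaviour the report says exists today).
// Unmatched values are returned for logging instead of being silently dropped.
func (idx *MemberIndex) Resolve(memberValues []string) (matched []LdapUser, unresolved []string) {
	seen := map[string]bool{}
	for _, v := range memberValues {
		var u LdapUser
		var ok bool
		if strings.Contains(v, "=") {
			u, ok = idx.byDN[normalizeDN(v)]
		} else {
			u, ok = idx.byUsername[strings.ToLower(strings.TrimSpace(v))]
		}
		if !ok {
			unresolved = append(unresolved, v)
			continue
		}
		if !seen[u.DN] { // a user listed twice is still one member
			seen[u.DN] = true
			matched = append(matched, u)
		}
	}
	return matched, unresolved
}

func main() {
	// Constructed sample data: two AD-style users and one OpenLDAP-style user.
	users := []LdapUser{
		{DN: "CN=John Doe,OU=Users,OU=Security,DC=Example,DC=com", Username: "jdoe"},
		{DN: "CN=Doe\\, Jane,OU=Users,DC=Example,DC=com", Username: "jadoe"},
		{DN: "uid=bob,ou=people,dc=example,dc=com", Username: "bob"},
	}
	members := []string{
		"cn=john doe, ou=users, ou=security, dc=example, dc=com", // same DN, different case/spacing
		"CN=Doe\\, Jane,OU=Users,DC=Example,DC=com",                // escaped comma inside the CN
		"bob",                                          // plain username value
		"CN=John Doe,OU=Contractors,DC=Example,DC=com", // same CN, other OU: must stay unresolved
	}
	matched, unresolved := NewMemberIndex(users).Resolve(members)
	for _, u := range matched {
		fmt.Printf("member -> %s (%s)\n", u.Username, u.DN)
	}
	fmt.Printf("unresolved: %v\n", unresolved)
}
```

In a real sync the DN comes from each search result entry rather than from a hand-built struct, and the unresolved list is what a debug log line per group should carry, since an empty match set with no explanation is exactly the symptom described in the report.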
Reference: github/pocket-id#158