LDAP_SEARCH_FILTER syntax

Hello there.

I’m running a new instance which has LDAP_AUTH turned on. It’s not meant to be a “public” instance, as in “open to public”. Everyone can see it, but only users on my LDAP can use it.
Now, I need to filter out some of the users and to do that I’d like to use the LDAP_SEARCH_FILTER variable. The problem is that any filter I place in there always shows an error of “Invalid Syntax” when someone tries to log in. I know the syntax is correct for ldapsearch (it works there), so if anyone can shed some light I would appreciate it.

Filter I’m using: LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=mastodon,cn=groups,cn=accounts,dc=r3pek,dc=org))"


Hiii,

I’m searching for LDAP_SEARCH_FILTER syntax too but apparently nobody has responded to this post. Could someone please give some hints? :blush:

Thank you.

Hey Guys,
any luck figuring out the LDAP_SEARCH_FILTER syntax?
I tried leaving it out, but I can’t log in using LDAP users => the email or password comes up wrong

any help please?

^Bump this thing up

Search filters on user attributes or groups are not working with what I tried, any help?

Can you try to connect to the LDAP host whoami.am with the user DN cn=alfa,dc=whoami,dc=am, password Xg4Zm85WOZQH7v, base DN is dc=whoami,dc=am so I can see which queries your installation is sending?
I am logging all the requests on this test LDAP server.

I’d rather not do this, I do not know what data is “leaked” to the LDAP server.
It looks like you have your own instance, don’t you know how the filters are working?

E.g. how to check memberOf or if a specific attribute like “member” exists?

I can’t test this on the instance I have, sorry. All I can offer is this test LDAP server which was used for testing when this feature was added to Mastodon.

Would you mind helping me with the loglevel you are using to log the queries?
https://www.openldap.org/lists/openldap-software/200707/msg00396.html

I am using loglevel 7

The LDAP_SEARCH_FILTER by default is %{uid}=%{email}. You have those two variables to work with. The email attribute is what the user has entered into the e-mail field of the login form. The uid field is the value of LDAP_UID which by default is cn. So a default filter could translate into something like cn=alice.

Now mind that the way the filter is applied involves the value of LDAP_BASE as well, but this is handled by the net/ldap library, not our own code, so I’m not certain about the specifics. I believe the base gets you into the right subtree, then the filter selects the right row, and then the password is tested against that row.


Thank you. The issue is that I cannot check via these variables if an account is enabled.
I want to filter for custom attributes like “accountEnabled = TRUE”
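The substitution described in the reply above (%{uid} becomes the LDAP_UID attribute name, %{email} becomes the value typed into the login form), applied to the default filter, the memberOf filter from the first post and the accountEnabled filter from this last post, as an added example that is not Mastodon’s or the net/ldap library’s code. The base DN dc=example,dc=org and the directory entries are constructed placeholders; the small filter matcher is an assumption of how an LDAP server applies equality, presence, &, | and ! filters, reduced to what these posts need.

```python
"""Expand an LDAP_SEARCH_FILTER template and evaluate the result against
constructed sample directory entries.

Added example, not Mastodon's or net/ldap's code. Assumes, as the thread
states, that %{uid} is replaced by the LDAP_UID attribute name and %{email}
by the login form's e-mail field. The matcher handles equality and presence
tests combined with &, | and !, enough to check memberOf or accountEnabled.
"""
import re

# Templates: the default, the group filter from the thread (placeholder base
# DN), and an accountEnabled filter for the last post.
DEFAULT_FILTER = "(%{uid}=%{email})"
GROUP_FILTER = "(&(%{uid}=%{email})(memberOf=cn=mastodon,cn=groups,dc=example,dc=org))"
ENABLED_FILTER = "(&(%{uid}=%{email})(accountEnabled=TRUE))"

# Constructed sample entries (not real accounts); attribute names lowercased.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org", "cn": ["alice"],
     "memberof": ["cn=mastodon,cn=groups,dc=example,dc=org"], "accountenabled": ["TRUE"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org", "cn": ["bob"],
     "memberof": ["cn=mastodon,cn=groups,dc=example,dc=org"], "accountenabled": ["FALSE"]},
    {"dn": "uid=carol,ou=people,dc=example,dc=org", "cn": ["carol"],
     "accountenabled": ["TRUE"]},  # enabled, but not in the mastodon group
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter, so that form input
    cannot change the filter's structure (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand_filter(template: str, uid_attr: str, email: str) -> str:
    """Substitute %{uid} (attribute name) and %{email} (escaped form input)."""
    return template.replace("%{uid}", uid_attr).replace("%{email}", escape_filter_value(email))


def parse_filter(text: str):
    """Parse a filter string into a tree; raises ValueError on invalid syntax."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("invalid syntax at offset %d in %r" % (pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter %r" % text)
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            items = []
            while pos < len(text) and text[pos] == "(":
                items.append(node())
            expect(")")
            return (op, items)
        if text[pos] == "!":
            pos += 1
            sub = node()
            expect(")")
            return ("!", sub)
        end = text.find(")", pos)  # escaped ')' inside values is \29, so this is safe
        if end < 0:
            raise ValueError("missing ')' in %r" % text)
        attr, sep, raw = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("expected attr=value in %r" % text[pos:end])
        pos = end + 1
        if raw == "*":
            return ("present", attr.lower())
        return ("=", attr.lower(), unescape_filter_value(raw))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter %r" % text)
    return tree


def matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    if kind == "present":
        return bool(entry.get(node[1]))
    # Equality, compared case-insensitively (a simplification of LDAP matching rules).
    return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))


def search(template: str, uid_attr: str, email: str, directory=DIRECTORY):
    """DNs selected by the expanded filter within the base; a login can only
    proceed when exactly one entry comes back and its password then verifies."""
    tree = parse_filter(expand_filter(template, uid_attr, email))
    return [e["dn"] for e in directory if matches(tree, e)]


if __name__ == "__main__":
    for tmpl in (DEFAULT_FILTER, GROUP_FILTER, ENABLED_FILTER):
        for login in ("alice", "bob", "carol", "*)(cn=*"):
            print(expand_filter(tmpl, "cn", login), "->", search(tmpl, "cn", login))
```

With LDAP_UID left at cn and “bob” entered in the e-mail field, GROUP_FILTER selects bob (he is in the group) while ENABLED_FILTER does not (accountEnabled is FALSE); “carol” passes ENABLED_FILTER but not GROUP_FILTER, and a filter with (memberOf=*) can be used to require that the attribute exists at all. The escaping step is the part worth checking in a deployment: the e-mail field is untrusted input, and without RFC 4515 escaping a value such as *)(cn=* would rewrite the filter rather than be compared as a literal.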