Morning,

I am trying to create a user filter to use in Atlassian's confluence, and I had a question about memberOf and regex.

(&(objectClass=Person)(memberOf=CN=Delivery Management Team,OU=EMEA,OU=Parks Lists,DC=emea,DC=company,DC=com))

Returns some users that are members of this group. However,

(&(objectClass=Person)(memberOf=CN=Delivery Management*))

fails with an error. It just appears that regex does not work with memberOf. Is there a syntax method for this in LDAP to achieve this goal other than using an asterisk (sorry Obelisk)?

David

  • Where in your LDAP query is a regular expression? I only see a wildcard, `*`. Also see https://stackoverflow.com/questions/9564120/using-wildcards-in-ldap-search-filters-queries and https://stackoverflow.com/questions/6293231/ldap-search-using-regular-expression – Corion Oct 25 '18 at 14:33
  • My apology. I guess I did call it regex. I think the intent of what I am trying is clear though with memberOf=CN=Delivery Management*, though. – archcutbank Oct 26 '18 at 15:03

1 Answer

I assume you are using Active Directory in this instance, in which case the problem is simply that AD doesn't support LDAP queries for DN values with wildcards (except for memberOf=* type queries where you're looking for anything with the value set).

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx:

The wildcard character "*" is allowed, except when the attribute is a DN attribute. Examples of DN attributes are distinguishedName, manager, directReports, member, and memberOf. If the attribute is DN, then only the equality operator is allowed and you must specify the full distinguished name for the value (or the "*" character for all objects with any value for the attribute).

The approach I've taken to accomplish what you want to do is to create an "all users" group for the application -- so "All Confluence Users", and then access-level groups like "Confluence Admins", "Confluence Engineers", "Confluence Service Delivery". The process that provisions individuals into groups adds the all users group whenever someone is added to one of the access-level groups (bit of lazy coding, that; I don't want to check if they're already a member and can easily ignore ldap error 20-value already exists); accounts are removed from the all users group when the last access-level group has been removed from their account.

Both adding and removing individuals from the all members group could be done in batch -- and I'd probably do that if groups were manually provisioned in my environment. Anyone matching "(&(!(memberOf={the all users group}))(|(memberOf={appgroup1})(memberOf={appgroup2})...(memberOf={appgroupN})))" gets added to my all users group; anyone matching "(&(memberOf={the all users group})(!(|(memberOf={appgroup1})(memberOf={appgroup2})...(memberOf={appgroupN}))))" gets removed from my all users group.

My user filter is "(&(memberOf={the all users group}))" while who can actually access what is controlled by the other group memberships.

LisaJ
  • To clarify, you wrote memberOf=* in your comment above. Are you saying that you can check if a user's memberOf is not blank, like you can for example with mail=* to make sure a user has an email? In my example above with memberOf=CN=(,OU=EMEA,OU=Parks Lists,DC=emea,DC=company,DC=com, I could not write memberOf=*Delivery management* for example, which prompted my initial question. – archcutbank Oct 29 '18 at 14:56
  • Correct -- with attributes with DN syntax, you can use the wildcard '*' to filter on blank / not blank but cannot use it in the manner you show. – LisaJ Oct 29 '18 at 19:58
  • I've edited my answer to include how I've worked around this AD limitation. – LisaJ Oct 29 '18 at 20:20
  • The All Members group idea is good, and if I had setup the server originally I could have done that. Instead, I have a user base that tells me what groups they want to make sure are pulled into Confluence from AD so that they can setup permissions using those groups. They also wanted the users in those groups to get pulled in as well. I was not sure if adding all their groups into an All Users group would work. I see there is an option to allow groups in groups. – archcutbank Oct 31 '18 at 13:11
  • Adding the groups to an "all users" group should work -- you'd need to use the LDAP_MATCHING_RULE_IN_CHAIN matching rule in your filter (https://learn.microsoft.com/en-us/windows/desktop/ADSI/search-filter-syntax). Replacing "cn=AllConfluenceUsers,ou=groups,dc=domain,DC=gTLD" with the proper fully qualified DN for your 'all users' group, your filter would be: "(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=AllConfluenceUsers,ou=groups,dc=domain,DC=gTLD))" – LisaJ Oct 31 '18 at 14:19
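As an added example (not code from the question, the answer or Atlassian), a small Python helper that builds the filters discussed in the answer and its last comment: it refuses the wildcard-on-DN pattern AD rejects, emits the LDAP_MATCHING_RULE_IN_CHAIN variant for nested groups, escapes filter values per RFC 4515 so a group DN taken from configuration cannot alter the filter's structure, and produces the add/remove maintenance filters for the "all users" group. The function and constant names are this example's own.

```python
# AD attributes with DN syntax: AD accepts only "=<full DN>" or a bare "=*" for them.
DN_ATTRIBUTES = {"distinguishedname", "manager", "directreports", "member", "memberof"}
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 hex escapes)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def dn_value_allowed(attribute: str, raw_value: str) -> bool:
    """True if AD will accept raw_value for attribute; '*' is treated as a wildcard."""
    if attribute.lower() not in DN_ATTRIBUTES:
        return True
    return raw_value == "*" or "*" not in raw_value


def member_filter(group_dn: str, nested: bool = False, object_class: str = "person") -> str:
    """Filter for users in group_dn; nested=True resolves group-in-group via in-chain."""
    if not dn_value_allowed("memberOf", group_dn):
        raise ValueError("AD allows only a full DN or a bare '*' for memberOf")
    rule = f":{IN_CHAIN_OID}:" if nested else ""
    return f"(&(objectClass={object_class})(memberOf{rule}={escape_filter_value(group_dn)}))"


def sync_filters(all_users_dn: str, app_group_dns: list) -> tuple:
    """Return (to_add, to_remove) filters that keep the 'all users' group in step
    with the access-level groups, as described in the answer."""
    for dn in [all_users_dn, *app_group_dns]:
        if not dn_value_allowed("memberOf", dn):
            raise ValueError(f"wildcard not permitted in DN value: {dn!r}")
    any_app = "(|" + "".join(f"(memberOf={escape_filter_value(g)})" for g in app_group_dns) + ")"
    all_users = f"(memberOf={escape_filter_value(all_users_dn)})"
    to_add = f"(&(!{all_users}){any_app})"      # in an app group, not yet in all users
    to_remove = f"(&{all_users}(!{any_app}))"   # in all users, in no app group any more
    return to_add, to_remove


if __name__ == "__main__":
    # Constructed sample DNs, modelled on the ones quoted in the thread.
    print(member_filter("cn=AllConfluenceUsers,ou=groups,dc=domain,DC=gTLD", nested=True))
    print(sync_filters("CN=All,DC=x", ["CN=A,DC=x", "CN=B,DC=x"]))
```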