How to set up group-search-base for several OUs in LDAP

This is my LDAP tree:

[image: LDAP tree]

There are different users in both “ORGANIGRAMA” and “EQUIPOS”.

This is my application.yml LDAP configuration:

  ldap:
    url: ldap://192.168.x.xxx:389/DC=company,DC=corp
    manager-dn: user@company.corp
    manager-password: user_password
    user-search-filter: (sAMAccountName={0})
    user-search-base:
    group-search-filter: (member={0})
    group-search-base: ???

How can group-search-base be adjusted so that it works? I’ve tried:

  • only group-search-base: OU=ORGANIGRAMA: users in both OUs can log in, but only users in ORGANIGRAMA can access apps based on the group they are in.
  • only group-search-base: OU=EQUIPOS: the other way around.
  • blank group-search-base: in the hope that this way it searches all OUs, but nope, no user can log in.
  • group-search-base: (|(OU=ORGANIGRAMA)(OU=EQUIPOS)): this did not work either, no user can log in.
  • group-search-base: (&(OU=ORGANIGRAMA)(OU=EQUIPOS)): again, no user can log in, but now an error message appears: Could not sign in! Invalid user name or password.
  • group-search-base: OU=ORGANIGRAMA,OU=EQUIPOS: also, no one can log in, because this looks for groups in domain.com/ORGANIGRAMA/EQUIPOS.

I've read this issue, where group-search-base: is blank and it is said that the key when there are users in different locations in the tree is user-search-filter, but I am not sure if this is correct, because this configuration

    user-search-filter: (sAMAccountName={0})
    user-search-base:
    group-search-filter: (member={0})
    group-search-base: OU=ORGANIGRAMA

allows users in OU=EQUIPOS to log in, but their group is not retrieved, so the access-groups option of the Shiny apps does not work for them.

I just noticed that in the example app group-search-base is blank; I don't know why it doesn't work for me. I guess it depends on the structure of the tree.

  # Example: 'ldap' authentication configuration
  ldap:
    url: ldap://ldap.forumsys.com:389/dc=example,dc=com
    user-dn-pattern: uid={0}
    group-search-base:
    group-search-filter: (uniqueMember={0})
    manager-dn: cn=read-only-admin,dc=example,dc=com
    manager-password: password

I don't understand why, if group-search-base is left blank, I can't log in, but if I write group-search-base: OU=ORGANIGRAMA I can.

EDIT: Now I can! Reading this has helped:

group_search_base defines the subtree in which groups are stored, and will be used as the root of all LDAP queries which attempt to find the groups of which a user is a member.

How could you tell group_search_base to “look into these two subtrees” so that it can find members in both?

I'm also trying the following approach, with no success yet:

    user-search-filter: (&(|(distinguishedName=*ORGANIGRAMA*)(distinguishedName=*EQUIPOS*))(sAMAccountName={0}))
    user-search-base:
    group-search-filter: (&(|(distinguishedName=*ORGANIGRAMA*)(distinguishedName=*EQUIPOS*))(member={0}))
    group-search-base: 

  1. When using
  ldap:
    url: ldap://192.168.x.xxx:389/DC=company,DC=corp
    manager-dn: user@company.corp
    manager-password: user_password
    user-search-filter: (sAMAccountName={0})
    group-search-filter: (member={0})
    group-search-base: 

I get this error (it does not go past the login screen): javax.naming.PartialResultException: Unprocessed Continuation Reference(s):

DEBUG 1 --- [XNIO-2 task-11] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: sga 
 INFO 1 --- [XNIO-2 task-11] o.s.s.ldap.SpringSecurityLdapTemplate    : Ignoring PartialResultException
DEBUG 1 --- [XNIO-2 task-11] o.s.s.l.a.BindAuthenticator              : Attempting to bind as cn=John sga. Doe,ou=PERFIL-3.0.0.TECNICO,ou=3.0.0.LEAN,ou=3.0.LEAN,ou=3.LEAN,ou=ORGANIGRAMA,dc=company,dc=corp
DEBUG 1 --- [XNIO-2 task-11] o.s.s.l.a.BindAuthenticator              : Retrieving attributes...
DEBUG 1 --- [XNIO-2 task-11] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=John sga. Doe,ou=PERFIL-3.0.0.TECNICO,ou=3.0.0.LEAN,ou=3.0.LEAN,ou=3.LEAN,ou=ORGANIGRAMA,dc=company,dc=corp
DEBUG 1 --- [XNIO-2 task-11] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user 'sga', DN = 'cn=John sga. doe,ou=PERFIL-3.0.0.TECNICO,ou=3.0.0.LEAN,ou=3.0.LEAN,ou=3.LEAN,ou=ORGANIGRAMA,dc=company,dc=corp', with filter (member={0}) in search base ''
ERROR 1 --- [XNIO-2 task-11] io.undertow.request                      : UT005023: Exception handling request to /login
org.springframework.ldap.PartialResultException: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''

  2. When using
  ldap:
    url: ldap://192.168.x.xxx:389/DC=company,DC=corp
    manager-dn: user@company.corp
    manager-password: user_password
    user-search-filter: (sAMAccountName={0})
    group-search-filter: (&(|(distinguishedName=*ORGANIGRAMA*)(distinguishedName=*EQUIPOS*))(member={0}))
    group-search-base: 

I get the javax.naming.InvalidNameException error:

DEBUG 1 --- [XNIO-2 task-11] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user 'sga', DN = 'cn=John sga. doe,ou=PERFIL-3.0.0.TECNICO,ou=3.0.0.LEAN,ou=3.0.LEAN,ou=3.LEAN,ou=ORGANIGRAMA,dc=company,dc=corp', with filter (member={0}) in search base '(|(OU=ORGANIGRAMA)(OU=EQUIPOS))'
ERROR 1 --- [XNIO-2 task-11] io.undertow.request                      : UT005023: Exception handling request to /login
org.springframework.ldap.InvalidNameException: (|(OU=ORGANIGRAMA)(OU=EQUIPOS)): [LDAP: error code 34 - 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8349, best match of: 
'(|(OU=ORGANIGRAMA)(OU=EQUIPOS)),DC=company,DC=corp'
]; nested exception is javax.naming.InvalidNameException: (|(OU=ORGANIGRAMA)(OU=EQUIPOS)): [LDAP: error code 34 - 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8349, best match of:
'(|(OU=ORGANIGRAMA)(OU=EQUIPOS)),DC=company,DC=corp'
]; remaining name '(|(OU=ORGANIGRAMA)(OU=EQUIPOS))'

  3. When using
  ldap:
    url: ldap://192.168.x.xxx:389/DC=company,DC=corp
    manager-dn: user@company.corp
    manager-password: user_password
    user-search-filter: (sAMAccountName={0})
    group-search-filter: (member={0})
    group-search-base: (|(OU=ORGANIGRAMA)(OU=EQUIPOS))

I get the same error as above, javax.naming.InvalidNameException.

Some time later...

Looking on the internet for the javax.naming.PartialResultException: Unprocessed Continuation Reference(s) error led me to this SO post, which suggested changing the LDAP port from 389 to 3268, which worked great!! This configuration now works for me:

  ldap:
    url: ldap://192.168.x.xxx:3268/DC=company,DC=corp
    manager-dn: user@company.corp
    manager-password: user_password
    user-search-filter: (sAMAccountName={0})
    group-search-filter: (member={0})
    group-search-base: 

Now I realized that I had read this post, where this feature was added to ShinyProxy 1.1.0. If you look carefully, the OP is using port 3268… /facepalm

@tverbeke @tdekoninck maybe you could add a note about this to the url argument of https://www.shinyproxy.io/documentation/configuration/#ldap ?

PS

I just learned how to look at the logs, so I'll write it here in case someone finds it useful.

It's easy: run docker ps and get your shinyproxy container name. Then bash into it with docker exec -it your_shinyproxy_container_name /bin/bash, and there, if you ls, you'll see your shinyproxy.log file; you can then cat shinyproxy.log to read it.

To specifically debug the login process remember to add this to your application.yml:

logging: 
  level:
    org.springframework.security.ldap.authentication: DEBUG
    org.springframework.security.ldap.userdetails: DEBUG
  file: shinyproxy.log
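A toy model of the group search, added here as an example; it is not part of the original post or of ShinyProxy. The OU names (ORGANIGRAMA, EQUIPOS) come from the post; the domain DC=company,DC=corp, the users and the groups are constructed sample data, and it is not a real LDAP client. It shows the three things the post ran into: a search base must be a DN, so a filter such as (|(OU=ORGANIGRAMA)(OU=EQUIPOS)) is rejected the way AD rejected it with error 34 (BAD_NAME); the value is appended to the DN in the ldap URL before the server sees it; and a base of OU=ORGANIGRAMA can only ever return groups under that OU, so the common ancestor (the empty base, i.e. the domain root) is the only single base that covers both OUs. The filter-escaping helper is there because the value substituted for {0} is a DN and must be escaped per RFC 4515, which Spring Security does for you as long as you do not build the filter string by hand.

```python
"""Toy model of how an LDAP group search is scoped by group-search-base.

The directory below is CONSTRUCTED sample data: the OU names come from
the post, the domain, users and groups are hypothetical.
"""
import re
from typing import Dict, List, Tuple

# Base DN from the ldap URL (ldap://host:3268/DC=company,DC=corp). Spring
# resolves every *-search-base relative to this DN; empty means "from here".
URL_BASE_DN = "DC=company,DC=corp"

# Constructed directory: DN -> attributes. 'member' holds full DNs, as in AD.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Alice,OU=ORGANIGRAMA,DC=company,DC=corp": {
        "objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=Bob,OU=EQUIPOS,DC=company,DC=corp": {
        "objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=app-a,OU=ORGANIGRAMA,DC=company,DC=corp": {
        "objectClass": ["group"],
        "member": ["CN=Alice,OU=ORGANIGRAMA,DC=company,DC=corp"]},
    "CN=app-b,OU=EQUIPOS,DC=company,DC=corp": {
        "objectClass": ["group"],
        # Second entry differs only in case: AD compares DNs case-insensitively.
        "member": ["CN=Bob,OU=EQUIPOS,DC=company,DC=corp",
                   "cn=alice,ou=organigrama,dc=company,dc=corp"]},
}

_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs, lower-cased for comparison.

    Splits on commas not escaped with a backslash (RFC 4514). Anything that
    is not a DN, e.g. a filter like (|(OU=ORGANIGRAMA)(OU=EQUIPOS)), raises
    ValueError, the toy equivalent of AD's error 34 (BAD_NAME).
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN_RE.match(part)
        if not m:
            raise ValueError(f"BAD_NAME: {dn!r} is not a DN")
        rdns.append((m.group(1).lower(), m.group(2).lower()))
    return rdns


def resolve_base(search_base: str) -> List[Tuple[str, str]]:
    """Absolute DN the server sees: the configured value + the URL base DN.

    This is why the post's error showed '(|(OU=ORGANIGRAMA)(OU=EQUIPOS)),
    DC=company,DC=corp' as the name that failed to parse.
    """
    search_base = search_base.strip()
    full = URL_BASE_DN if not search_base else f"{search_base},{URL_BASE_DN}"
    return parse_dn(full)


def is_valid_search_base(search_base: str) -> bool:
    """True when the value resolves to a syntactically valid DN."""
    try:
        resolve_base(search_base)
        return True
    except ValueError:
        return False


def in_subtree(entry_dn: str, base: List[Tuple[str, str]]) -> bool:
    """True when entry_dn is at or below base (subtree scope)."""
    rdns = parse_dn(entry_dn)
    return len(rdns) >= len(base) and rdns[-len(base):] == base


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29")
                 .replace("\x00", "\\00"))


def build_member_filter(user_dn: str) -> str:
    """group-search-filter (member={0}) with the user's DN substituted."""
    return f"(member={escape_filter_value(user_dn)})"


def find_groups(search_base: str, user_dn: str) -> List[str]:
    """Groups under search_base whose 'member' lists user_dn (sorted DNs)."""
    base = resolve_base(search_base)
    user = parse_dn(user_dn)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if "group" not in attrs.get("objectClass", []) or not in_subtree(dn, base):
            continue
        if any(parse_dn(m) == user for m in attrs.get("member", [])):
            hits.append(dn)
    return sorted(hits)


if __name__ == "__main__":
    alice = "CN=Alice,OU=ORGANIGRAMA,DC=company,DC=corp"
    bob = "CN=Bob,OU=EQUIPOS,DC=company,DC=corp"
    for base in ["OU=ORGANIGRAMA", "OU=EQUIPOS", "", "OU=ORGANIGRAMA,OU=EQUIPOS",
                 "(|(OU=ORGANIGRAMA)(OU=EQUIPOS))"]:
        try:
            print(f"base {base!r:38} alice={find_groups(base, alice)} bob={find_groups(base, bob)}")
        except ValueError as exc:
            print(f"base {base!r:38} -> {exc}")
    print(build_member_filter("CN=Eve (ops),OU=EQUIPOS,DC=company,DC=corp"))
```

Running it prints, for each search base the post tried, which groups each sample user would get; OU=ORGANIGRAMA,OU=EQUIPOS resolves to a subtree that does not exist and returns nothing, and the filter-shaped bases fail before any search happens. Two things the toy cannot show: on a domain controller (port 389) a subtree search from DC=company,DC=corp also returns referrals for the partitions that DC does not hold, and JNDI reports referrals it did not follow as the PartialResultException in the log, whereas the Global Catalog (3268) holds a read-only partial replica of the whole forest, including the member attribute, and answers without referrals. And ldap:// on 389 or 3268 sends the manager password and every user's password in cleartext, so use ldaps:// on 636 or 3269 (or StartTLS) with the server certificate validated.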