How to set up group-search-base for several OUs in LDAP

  1. When using
  ldap:
    url: ldap://192.168.x.xxx:389/DC=company,DC=corp
    manager-dn: user@company.corp
    manager-password: user_password
    user-search-filter: (sAMAccountName={0})
    group-search-filter: (member={0})
    group-search-base: 

I get this error (it does not go past the login screen), javax.naming.PartialResultException: Unprocessed Continuation Reference(s):

DEBUG 1 --- [XNIO-2 task-11] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: sga 
 INFO 1 --- [XNIO-2 task-11] o.s.s.ldap.SpringSecurityLdapTemplate    : Ignoring PartialResultException
DEBUG 1 --- [XNIO-2 task-11] o.s.s.l.a.BindAuthenticator              : Attempting to bind as cn=John sga. Doe,ou=PERFIL-3.0.0.TECNICO,ou=3.0.0.LEAN,ou=3.0.LEAN,ou=3.LEAN,ou=ORGANIGRAMA,dc=company,dc=corp
DEBUG 1 --- [XNIO-2 task-11] o.s.s.l.a.BindAuthenticator              : Retrieving attributes...
DEBUG 1 --- [XNIO-2 task-11] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=John sga. Doe,ou=PERFIL-3.0.0.TECNICO,ou=3.0.0.LEAN,ou=3.0.LEAN,ou=3.LEAN,ou=ORGANIGRAMA,dc=company,dc=corp
DEBUG 1 --- [XNIO-2 task-11] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user 'sga', DN = 'cn=John sga. doe,ou=PERFIL-3.0.0.TECNICO,ou=3.0.0.LEAN,ou=3.0.LEAN,ou=3.LEAN,ou=ORGANIGRAMA,dc=company,dc=corp', with filter (member={0}) in search base ''
ERROR 1 --- [XNIO-2 task-11] io.undertow.request                      : UT005023: Exception handling request to /login
org.springframework.ldap.PartialResultException: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''

  2. When using
  ldap:
    url: ldap://192.168.x.xxx:389/DC=company,DC=corp
    manager-dn: user@company.corp
    manager-password: user_password
    user-search-filter: (sAMAccountName={0})
    group-search-filter: (&(|(distinguishedName=*ORGANIGRAMA*)(distinguishedName=*EQUIPOS*))(member={0}))
    group-search-base: 

I get the javax.naming.InvalidNameException error:

DEBUG 1 --- [XNIO-2 task-11] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user 'sga', DN = 'cn=John sga. doe,ou=PERFIL-3.0.0.TECNICO,ou=3.0.0.LEAN,ou=3.0.LEAN,ou=3.LEAN,ou=ORGANIGRAMA,dc=company,dc=corp', with filter (member={0}) in search base '(|(OU=ORGANIGRAMA)(OU=EQUIPOS))'
ERROR 1 --- [XNIO-2 task-11] io.undertow.request                      : UT005023: Exception handling request to /login
org.springframework.ldap.InvalidNameException: (|(OU=ORGANIGRAMA)(OU=EQUIPOS)): [LDAP: error code 34 - 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8349, best match of: 
'(|(OU=ORGANIGRAMA)(OU=EQUIPOS)),DC=company,DC=corp'
]; nested exception is javax.naming.InvalidNameException: (|(OU=ORGANIGRAMA)(OU=EQUIPOS)): [LDAP: error code 34 - 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8349, best match of:
'(|(OU=ORGANIGRAMA)(OU=EQUIPOS)),DC=company,DC=corp'
]; remaining name '(|(OU=ORGANIGRAMA)(OU=EQUIPOS))'

  3. When using
  ldap:
    url: ldap://192.168.x.xxx:389/DC=company,DC=corp
    manager-dn: user@company.corp
    manager-password: user_password
    user-search-filter: (sAMAccountName={0})
    group-search-filter: (member={0})
    group-search-base: (|(OU=ORGANIGRAMA)(OU=EQUIPOS))

I get the same error as above, javax.naming.InvalidNameException.

Some time later...

Looking on the internet for the javax.naming.PartialResultException: Unprocessed Continuation Reference(s) error led me to this SO post, which suggested changing LDAP port 389 to 3268, which worked great!! This configuration now works for me:

  ldap:
    url: ldap://192.168.x.xxx:3268/DC=company,DC=corp
    manager-dn: user@company.corp
    manager-password: user_password
    user-search-filter: (sAMAccountName={0})
    group-search-filter: (member={0})
    group-search-base: 

Now I realize that I had read this post, where this feature was added to ShinyProxy 1.1.0. If you look carefully, the OP is using port 3268… /facepalm

@tverbeke @tdekoninck maybe you could add a note about this to the url argument of https://www.shinyproxy.io/documentation/configuration/#ldap ?

PS

I just learned how to look at the logs, so I'll write it here in case someone finds it useful.

It's easy: you just have to run docker ps and get your shinyproxy container name. Then bash into it with docker exec -it your_shinyproxy_container_name /bin/bash; if you ls there you'll see your shinyproxy.log file, and you can then cat shinyproxy.log to read it.

To specifically debug the login process, remember to add this to your application.yml:

logging: 
  level:
    org.springframework.security.ldap.authentication: DEBUG
    org.springframework.security.ldap.userdetails: DEBUG
  file:
    shinyproxy.log
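The two mistakes in the thread above (an LDAP filter used as group-search-base, which AD rejects with error code 34 BAD_NAME, and a domain-root search on port 389, where AD returns referrals that surface as PartialResultException) can be caught before the container starts. The following is an added example, not code from ShinyProxy or from this thread; the config dicts and host name are constructed, and check_ldap_config / is_dn are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical helper (not part of ShinyProxy): lint a ShinyProxy `ldap:` block.
# Catches:
#  1. a search *filter* such as (|(OU=A)(OU=B)) used as group-search-base
#     (a base must be a DN; AD answers "error code 34 ... BAD_NAME");
#  2. an empty base on plain LDAP port 389 with a domain-root URL, where AD
#     returns continuation references and JNDI raises PartialResultException.
#     The Global Catalog port 3268 (3269 over TLS) does not return them.
GLOBAL_CATALOG_PORTS = {3268, 3269}
# One RDN: attribute type, '=', value. Escaped commas (cn=Doe\, John) are not
# handled by this simple check.
RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=[^,]+\s*$")

def is_dn(value):
    """True if value parses as a comma-separated list of attr=value RDNs."""
    return bool(value) and all(RDN.match(rdn) for rdn in value.split(","))

def check_ldap_config(ldap):
    """Return a list of findings (empty list means no problem was detected)."""
    findings = []
    url = urlsplit(ldap.get("url", ""))
    port = url.port or 389
    root_base = unquote(url.path.lstrip("/"))        # DN after the host part
    group_base = (ldap.get("group-search-base") or "").strip()
    if group_base.startswith("("):
        findings.append("group-search-base looks like an LDAP filter; it must be a DN "
                        "relative to the URL base (put OU conditions in group-search-filter)")
    elif group_base and not is_dn(group_base):
        findings.append(f"group-search-base is not a valid DN: {group_base!r}")
    if (not group_base and port not in GLOBAL_CATALOG_PORTS
            and root_base.upper().startswith("DC=")):
        findings.append(f"empty group-search-base on port {port} searches the whole domain "
                        "and will receive referrals (PartialResultException); "
                        "use Global Catalog port 3268 instead")
    return findings

if __name__ == "__main__":
    sample = {"url": "ldap://ldap.example.corp:389/DC=company,DC=corp",   # constructed
              "group-search-base": "(|(OU=ORGANIGRAMA)(OU=EQUIPOS))"}
    for finding in check_ldap_config(sample):
        print("finding:", finding)
```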