fix: LDAP Group filter doesn't work and throws "No Such Object" error on login (#31377)

2 years ago · afd5fdd521
parent dd2967ce04
commit afd5fdd521
3 changed files with 11 additions and 7 deletions
--- a/.changeset/wet-crabs-brush.md
+++ b/.changeset/wet-crabs-brush.md
@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixed LDAP "Group filter" malfunction, which prevented LDAP users from logging in.
--- a/apps/meteor/server/lib/ldap/Connection.ts
+++ b/apps/meteor/server/lib/ldap/Connection.ts
@ -465,9 +465,9 @@ export class LDAPConnection {

 		searchLogger.debug({ msg: 'Group filter LDAP:', filter: searchOptions.filter });

-		const result = await this.searchRaw(this.options.baseDN, searchOptions);
+		const result = await this.searchAndCount(this.options.baseDN, searchOptions);

-		if (!Array.isArray(result) || result.length === 0) {
+		if (result === 0) {
 			return false;
 		}
 		return true;
--- a/apps/meteor/server/lib/ldap/Manager.ts
+++ b/apps/meteor/server/lib/ldap/Manager.ts
@ -200,6 +200,10 @@ export class LDAPManager {
 			}

 			const [ldapUser] = users;
+			if (!(await ldap.isUserAcceptedByGroupFilter(escapedUsername, ldapUser.dn))) {
+				throw new Error('User not found');
+			}
+
 			if (!(await ldap.authenticate(ldapUser.dn, password))) {
 				logger.debug(`Wrong password for ${escapedUsername}`);
 				throw new Error('Invalid user or wrong password');
@ -212,11 +216,6 @@ export class LDAPManager {
 					authLogger.debug(`Bind successful but user ${ldapUser.dn} was not found via search`);
 				}
 			}
-
-			if (!(await ldap.isUserAcceptedByGroupFilter(escapedUsername, ldapUser.dn))) {
-				throw new Error('User not in a valid group');
-			}
-
 			return ldapUser;
 		} catch (error) {
 			logger.error(error);