[#12128] Bad search filter ldap Groups
Summary Bad search filter ldap Groups
Queue Horde Framework Packages
Queue Version Git master
Type Bug
State Resolved
Priority 2. Medium
Owners jan (at) horde (dot) org
Requester samuele.tognini (at) unipi (dot) it
Created 2013-03-19 (2863 days ago)
Updated 2014-06-12 (2413 days ago)
Assigned 2013-08-27 (2702 days ago)
Resolved 2014-06-11 (2414 days ago)
Patch No

2014-06-12 12:32:20 gerard (dot) breiner (at) ias (dot) u-psud (dot) fr Comment #18 Reply to this comment
If it just would have been that easy..
Yes, easy to solve but not so easy to find why it didn't work (for 
me)... imho.

A good things that you eventually corrected the code for the coherence 
of the coming upgrades...


Gérard Breiner

2014-06-11 14:42:43 Jan Schneider Comment #17
State ⇒ Resolved
Reply to this comment
If it just would have been that easy...
2014-06-11 14:18:22 Git Commit Comment #16 Reply to this comment
Changes have been made in Git (master):

commit 8dc055039bddd524b30fdbfbe058a0aba1cd5a0a
Author: Jan Schneider <jan@horde.org>
Date:   Wed Jun 11 16:17:10 2014 +0200

     [jan] Add configuration for searching user DNs in LDAP groups 
(Bug #12128).

  framework/Core/lib/Horde/Config.php |    4 ++++
  framework/Core/package.xml          |    2 ++
  horde/config/conf.xml               |   10 +++++++---
  horde/docs/CHANGES                  |    1 +
  horde/package.xml                   |    6 +++---
  5 files changed, 17 insertions(+), 6 deletions(-)

2014-06-11 14:18:16 Git Commit Comment #15 Reply to this comment
Changes have been made in Git (master):

commit f9058a1289778209190afb7c7bee50065b8c583b
Author: Jan Schneider <jan@horde.org>
Date:   Wed Jun 11 16:13:14 2014 +0200

     Allow to specify base DN for searching user DNs (Bug #12128).

  framework/Core/lib/Horde/Config.php |  169 
  framework/Core/package.xml          |    2 +
  framework/Ldap/lib/Horde/Ldap.php   |    6 +-
  framework/Ldap/package.xml          |   16 ++--
  4 files changed, 114 insertions(+), 79 deletions(-)

2014-06-03 08:20:32 gerard (dot) breiner (at) ias (dot) u-psud (dot) fr Comment #14
New Attachment: conf.xml Download
Reply to this comment
Here is the conf.xml in attachement.


[Show Quoted Text - 21 lines]
2014-06-02 13:36:10 gerard (dot) breiner (at) ias (dot) u-psud (dot) fr Comment #13 Reply to this comment

It looks like the workaround I submitted below has not been noticed 
unless this ticket has been give up. Nevertheless, this issue was IMHO 
very critical for sharing by group when "attrisdn" is checked in 

The solution I propose is to add two parameters (uid and filter) in 

In order to make the update more easier, here is in attachment, the 

Thanks in advance for taking it in account.

Best regards.

Gérard Breiner
Institut d'Astrophysique Spatiale
Université Paris XI
FR-91405 Orsay-ville
2014-05-09 21:42:23 gerard (dot) breiner (at) ias (dot) u-psud (dot) fr Comment #12 Reply to this comment
I forgot to precise that the lines :

<configstring name="uid" desc="User uid field">
<configstring name="filter" desc="User filter">

have to be added into horde/config/conf.xml into <configtab 
name="group"  <configsection name="params". I added them at line 918.

Then go to the interface admin/config--->Groups, you will see these 
two new parameters. You just have to click on the button "generate the 
configuration of horde). That's all.

Best regards.

Gérard Breiner

2014-05-09 13:58:11 gerard (dot) breiner (at) ias (dot) u-psud (dot) fr Comment #11 Reply to this comment
Hello Jan and all,

I come with a solution that seems to solve the issue of bad filter 
(&(objectclass=)(=userid)) error when attrisdn is checked....

  My solution:

I added two parameters into horde/config/conf.xml just before attrisdn.

<configstring name="uid" desc="User uid field">
        <configstring name="filter" desc="User filter">

These params are only available in the user array in findUserDN for 
authentication during the logging.
When we are in kronolith interface, a command ""echo 
$this->_config['user']"" line 879 of Horde/Ldap.php  show us that 
these params  are not longer available. By adding them into conf.xml 
we can see immediately the result.

Here is below my config Horde Group which may be help for setting up 
the others things such as $conf[group][params][basedn]
dc=example,dc=com which is very important cause this is the baseDN 
that is used into findUserDN.

I will be pleased to know if  my little contribution is of any help.

* $conf[group][driver]
 Kolab  LDAP  No Groups  SQL 
What backend should we use for Horde Groups?
* $conf[group][params][driverconfig]
 Horde defaults  Custom parameters 
Driver configuration
* $conf[group][params][hostspec]
LDAP server/hostname

Port on which LDAP is listening, if non-standard

Use TLS to connect to the server?
* $conf[group][params][version]
 2 (deprecated)  3 
LDAP protocol version
* $conf[group][params][bindas]
 Bind anonymously  Bind as the currently logged-in user  Bind with 
administrative/system credentials 
Bind to LDAP as which user?
* $conf[group][params][basedn]
Base DN
* $conf[group][params][scope]
 Subtree search  One level 
Search scope
* $conf[group][params][gid]
The group search key
* $conf[group][params][memberuid]
Group membership field
* $conf[group][params][uid]
User uid field
* $conf[group][params][filter]
User filter

If checked, the user member attributes returned from LDAP are expected 
to be fully qualified DNs
* $conf[group][params][newgroup_objectclass]
posixGroup, hordeGroup
What objectclasses should a new group be member of? These 
objectclasses should cover the mail and gidnumber attributes as well 
as the group search key
DN used to bind for creating and editing LDAP groups.
Password for bind DN.
* $conf[group][params][search][filter_type]
 One or more objectclass filters  A complete LDAP filter expression 
How to specify a filter for the group lists
* $conf[group][params][search][objectclass]
The objectclass filter used to search for groups. Can be a single 
objectclass or a list.


2014-05-06 09:49:33 gerard (dot) breiner (at) ias (dot) u-psud (dot) fr Comment #10 Reply to this comment
I'm wrong... $user =  $this->_ldap->findUserDN($user); is OK.
So, at this stage the only things that seems to be missed and that I 
have added in horde/config/conf.php is :
$conf['group']['params']['uid'] = 'uid';
This time I have no longer the message 'bad filter' but I get the 
error message

DN for user webadm not found
What is a good thing  at less is we know that we are in findUserDN()

2014-05-06 08:55:24 gerard (dot) breiner (at) ias (dot) u-psud (dot) fr Comment #9 Reply to this comment

After having thought  about this issue, I realized that there is 
nothing to change into findUserDN(). This function are not in cause 
and does what she has to do which is to return the DN user.
But when we call from   the Horde group system Horde/Group/Ldap.php via
listGroups() the uid parameter is missed.
So I added the line $conf['group']['params']['uid'] = 'uid'; in 
myhorde/config/conf.php and conf.xml.

This time I have no longer the message 'bad filter' but I get the 
error message

DN for user webadm not found

So I look again at listGroups() in Horde/Group/Ldap.php and try to replace :
$user =  $this->_ldap->findUserDN($user);
$user =  Horde_ldap::findUserDN($user);

This time things are better but there is still something bad with the 
filter, in fact, in the interface kronolith I get the message :
Bad search filter Parameters: Base: dc=ias.u-psud,dc=fr Filter: 
(cn=**) Scope: sub.
Maybe it should be cn=* I suppose.

An idea ? Thanks in advance.

Best regards.

Gérard Breiner

2014-05-05 09:51:09 gerard (dot) breiner (at) ias (dot) u-psud (dot) fr Comment #8 Reply to this comment
I am not sure my previous comment is well readable because of bad 
characters... So I formulate again what I meant.

When we go to the kronolith interface then the function 
listGroups($user) is called. This function is defined in 
Then listGroups($user) call findUserDN($user).
But at this time when we are in findUserDN()  the array 
$this->_config['user']['uid'] doesn't exist because we come from 
Horde_Group_Ldap which has no parameter uid in the group config.
In others words there is not $conf['group']['params']['uid'] = 'uid'; 
in horde/config/conf.php and it is right.
In fact it is  $conf['group']['params']['memberuid'] that should be 
evaluate against $user into findUserDN. But given that findUserDN is 
also used for authentication, I created a new function in 
Horde/Ldap.php that I call findGroupUserDN() and put into her 
memberuid instead uid  and replaced findUserDN by findGroupUserDN into 
This time I have no longer the message 'bad filter' but I get the 
error message :

DN for user webadm not found

  1. Kronolith_Ajax->init() /www/horde5/kronolith/index.php:137
  2. Kronolith_Ajax->_addBaseVars() /www/horde5/kronolith/lib/Ajax.php:32
  3. Kronolith::getDefaultCalendar() /www/horde5/kronolith/lib/Ajax.php:90
  4. Kronolith::listInternalCalendars() 
  5. Horde_Core_Share_Driver->listShares() 
  6. Horde_Core_Share_Driver->__call() 
  7. call_user_func_array() /www/horde5/pear/php/Horde/Core/Share/Driver.php:63
  8. Horde_Share_Sql->listShares()
  9. Horde_Share_Sql->getShareCriteria() 
10. Horde_Share_Sql->_getUserAndGroupCriteria() 
11. Horde_Group_Ldap->listGroups() 
12. Horde_Ldap->findGroupUserDN() 

At this stage I would be pleased to have some help.

Best regards.

Gérard Breiner
2014-05-02 14:42:10 gerard (dot) breiner (at) ias (dot) u-psud (dot) fr Comment #7 Reply to this comment

there is a long time I'm working on this issue because  ?sharing by 
group? is a very important feature for us and we encountered the same 
issue of bad filter.

So, from what I checked :

Function findUserDN is defined  in Horde_Ldap  and required ?uid?,   
and ?filter? or ?objectclass?.

When findUserDN() is called  by listGroups() in Horde_Group_Ldap   
(line 387) there is no ?uid?  in the user array because  there is no 
line :$conf['group']['params']['uid'] = 'uid'; in horde/config/conf.php

$filter = Horde_Ldap_Filter::combine(
Horde_Ldap_Filter::create($this->_config['user']['uid'], 'equals', 
So, no ?uid? is the first cause of this issue (IMHO)...

Anyway, so that to try, I added $conf['group']['params']['uid'] = 
'uid'; in horde/config/conf.php.
This time there is no longer the error ?Bad search filter Parameters: 
Base: dc=ias.u-psud,dc=fr Filter: (&(objectclass=)(=webadm)) Scope: sub?
But I get  the exception  ?DN for user webadm not found?  defined in 
the below code :

if (!$search->count()) {
              throw new Horde_Exception_NotFound('DN for user ' . 
$user . ' not found');

So an issue may hide another  that certainly has to do with.

In fact I suppose  that is memberuid  that should be evaluate against 
$user but given that  findUserDN() is required in other places like 
authentication, it may be needed to create another function.

I'm looking for at this but I need to know your what you think about this.

Best regards.

Gérard Breiner
2014-03-20 21:02:09 nlindq (at) maei (dot) ca Comment #6 Reply to this comment
I'm also having this issue, and in my case I'm wondering whether it's 
related to use of a non-standard UID.

From my horde/config/conf.php:

$conf['auth']['params']['uid'] = 'mail';
$conf['auth']['params']['driverconfig'] = 'horde';
$conf['auth']['driver'] = 'ldap';

From function listUsers in pear/Horde/Group/Ldap.php:

             $users = array();
             foreach ($entry->getValue($attr, 'all') as $user) {
                 $dn = Horde_Ldap_Util::explodeDN($user,
                                                  array('onlyvalues' => true));
                 // Very simplified approach: assume the first element 
of the DN
                 // contains the user ID.
                 $user = $dn[0];
                 // Check for multi-value RDNs.
                 if (is_array($element)) {
                     $user = $element[0];
                 $users[] = $user;
             return $users;

In my case, the dn does not contain the "mail" attribute which I'm for 
authentication to ease virtual domain authentication with IMP/Cyrus 

Groups are properly listed in the Admin interface, but if I expand the 
groups in the interface, members are listed as bare uids rather than 
e-mail addresses.
2014-01-12 06:20:07 mj (at) netauth (dot) com Comment #5 Reply to this comment
This is a quite serious bug because horde doesn't really function at 
all when groups are stored in LDAP.

Which part of the code is it precisely that is forming the invalid 
search filters for the LDAP groups? I can probably fix it myself and 
submit a patch if I just knew where to look.
2013-08-27 10:37:50 Jan Schneider Assigned to Jan Schneider
State ⇒ Assigned
2013-06-19 14:05:06 steffo76 (at) gmx (dot) de Comment #4 Reply to this comment
Same here. Looking at the logs of the ldap server I see

SRCH base="" scope=0 deref=0 filter="(objectClass=*)"

after a normal bind.
2013-03-25 16:37:55 samuele (dot) tognini (at) unipi (dot) it Comment #3 Reply to this comment
$conf['ldap']['hostspec'] = 'ldaps://myserver.example.com';
$conf['ldap']['tls'] = false;
$conf['ldap']['version'] = 3;
$conf['ldap']['binddn'] = 'cn=binduser,ou=ldap,ou=system,dc=example,dc=com';
$conf['ldap']['bindpw'] = 'xxxxxxxxx';
$conf['ldap']['bindas'] = 'admin';
$conf['ldap']['useldap'] = true;


$conf['group']['params']['basedn'] = 'dc=example,dc=com';
$conf['group']['params']['scope'] = 'sub';
$conf['group']['params']['gid'] = 'cn';
$conf['group']['params']['memberuid'] = 'member';
$conf['group']['params']['attrisdn'] = true;
$conf['group']['params']['newgroup_objectclass'] = array('groupOfNames');
$conf['group']['params']['search']['objectclass'] = array('groupOfNames');
$conf['group']['params']['search']['filter_type'] = 'objectclass';
$conf['group']['params']['driverconfig'] = 'horde';
$conf['group']['driver'] = 'Ldap';
2013-03-25 16:01:09 Jan Schneider Comment #2
State ⇒ Feedback
Reply to this comment
Please post the complete 'ldap' and 'group' sections from your 
2013-03-25 11:17:24 Jan Schneider Version ⇒ Git master
Queue ⇒ Horde Framework Packages
2013-03-19 11:07:53 samuele (dot) tognini (at) unipi (dot) it Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ Bad search filter ldap Groups
Queue ⇒ Horde Groupware
Milestone ⇒
Patch ⇒ No
Reply to this comment
I can't get Groups to work with an ldap backend.
Horde is configured to retrieve groups from the OU groups and 
$conf[group][params][attrisdn] is enabled.
Groups and users are correctly displayed in the admin groups page but 
in the user permission shares there is no group the user belongs to.

The bug seems related to the findUserDN function build a wrong search filter:

2013-03-19T10:01:04+00:00 ERR: HORDE [kronolith] Bad search filter
Base: ou=groups,dc=domain,dc=com
Filter: (&(objectclass=)(=u090213))
Scope: sub [pid 4881 on line 395 of "/usr/share/php/Horde/Group/Ldap.php"]
2013-03-19T10:01:04+00:00 DEBUG: HORDE  1. Horde_PageOutput->header() 
  2. Horde_Injector->getInstance() /usr/share/php/Horde/PageOutput.php:810
  3. Horde_Injector->createInstance() /usr/share/php/Horde/Injector.php:247
  4. Horde_Injector_Binder_AnnotatedSetters->create() 
  5. Horde_Injector_Binder_Implementation->create() 
  6. Horde_Injector_Binder_Implementation->_getInstance() 
  7. ReflectionClass->newInstanceArgs() 
  8. Horde_View_Topbar->__construct()
  9. Horde_Core_Topbar->getTree() /var/www/horde/lib/View/Topbar.php:53
10. Horde_Registry->callAppMethod() /usr/share/php/Horde/Core/Topbar.php:184
11. Horde_Registry->pushApp() /usr/share/php/Horde/Registry.php:1149
12. Horde_Registry->callAppMethod() /usr/share/php/Horde/Registry.php:1557
13. call_user_func_array() /usr/share/php/Horde/Registry.php:1152
14. Horde_Registry_Application->init()
15. Kronolith_Application->_init() 
16. Kronolith::initialize() /var/www/horde/kronolith/lib/Application.php:75
17. Kronolith::listInternalCalendars() 
18. Horde_Core_Share_Driver->listShares() 
19. Horde_Core_Share_Driver->__call() 
20. call_user_func_array() /usr/share/php/Horde/Core/Share/Driver.php:61
21. Horde_Share_Sqlng->listShares()
22. Horde_Share_Sqlng->_getUserAndGroupShares() 
23. Horde_Group_Ldap->listGroups() /usr/share/php/Horde/Share/Sqlng.php:343
24. Horde_PageOutput->header() /var/www/horde/admin/config/index.php:359
25. Horde_Injector->getInstance() /usr/share/php/Horde/PageOutput.php:810
26. Horde_Injector->createInstance() /usr/share/php/Horde/Injector.php:247
27. Horde_Injector_Binder_AnnotatedSetters->create() 
28. Horde_Injector_Binder_Implementation->create() 
29. Horde_Injector_Binder_Implementation->_getInstance() 
30. ReflectionClass->newInstanceArgs() 
31. Horde_View_Topbar->__construct()
32. Horde_Core_Topbar->getTree() /var/www/horde/lib/View/Topbar.php:53
33. Horde_Registry->callAppMethod() /usr/share/php/Horde/Core/Topbar.php:184
34. Horde_Registry->pushApp() /usr/share/php/Horde/Registry.php:1149
35. Horde_Registry->callAppMethod() /usr/share/php/Horde/Registry.php:1557
36. call_user_func_array() /usr/share/php/Horde/Registry.php:1152
37. Horde_Registry_Application->init()
38. Kronolith_Application->_init() 
39. Kronolith::initialize() /var/www/horde/kronolith/lib/Application.php:75
40. Kronolith::listInternalCalendars() 
41. Horde_Core_Share_Driver->listShares() 
42. Horde_Core_Share_Driver->__call() 
43. call_user_func_array() /usr/share/php/Horde/Core/Share/Driver.php:61
44. Horde_Share_Sqlng->listShares()
45. Horde_Share_Sqlng->_getUserAndGroupShares() 
46. Horde_Group_Ldap->listGroups() /usr/share/php/Horde/Share/Sqlng.php:343
47. Horde_Ldap->findUserDN() /usr/share/php/Horde/Group/Ldap.php:387
48. Horde_Ldap->search() /usr/share/php/Horde/Ldap.php:871

Saved Queries