LDAP-Backend Multivalue attributes - bug?

Hello forum,

right now, I’m testing PI to replace our current 2FA solution. The basic functionality is working. My problem occurred during the special use cases.
In the LDAP resolver (AD), I try to map “group” : “memberOf” with Multivalue Attributes = [“group”]. During saving there is a message in privacyidea.log:
[WARNING][privacyidea.lib.utils:421] the passed key 'MULTIVALUEATTRIBUTES' is not a parameter for the ldapresolver type ''

The related database entry seems to be incomplete, as type is empty:
+----+-------------+----------------------+-----------+------+-------------+
| id | resolver_id | Key                  | Value     | Type | Description |
+----+-------------+----------------------+-----------+------+-------------+
| 93 |           3 | MULTIVALUEATTRIBUTES | ["group"] |      |             |
+----+-------------+----------------------+-----------+------+-------------+

After enabling the database log, there is this statement during saving:
UPDATE resolverconfig SET Value='["group"]', Type='', Description='' WHERE resolverconfig.resolver_id = 3 AND resolverconfig.Key = 'MULTIVALUEATTRIBUTES'

Here, too, type is empty.

I just did an update from 3.7.4 to 3.9, the behaviour is the same.

To me there seems to be a bug in adding Multivalue Attributes. Or am I missing something?

Thank you for your help.

Hello and welcome to privacyIDEA.

Are you actually experiencing a problem?

Or do you only see the warning in the log file?
And do you expect that there should be an entry in the database column “type”?

Hello cornelinux,

yes, I actually do have a problem. I try to write a policy based on group membership in AD. Since there is no mapping, the policy does not work.

I dug into the code and the database. There I found this (maybe) incomplete entry. I don’t expect any “type” (since I’m not the developer); I just noticed the difference to the other entries. So I mentioned it as a hint.
Here is another one:
In the file “lib/python3.9/site-packages/privacyidea/api/resolver.py” is the function “getResolverClassDescriptor”. I read it as a mapping for “key” to “type” in the table “resolverconfig”. I didn’t check every DB entry for a match, but the ones I checked are correct. And there is no mapping for “MULTIVALUEATTRIBUTES”. Maybe this is the reason.

Thank you for your help.

Hello,

to the issue itself, I finally found the solution. The bind user didn’t have the rights to read group membership. So everything is working now.
But during saving the resolver settings, there is still the message about the MULTIVALUEATTRIBUTES in the log. The error seems to have no impact, but is misleading. Maybe this can be fixed.

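The cause found in the post above, as an added example that is not part of the thread and not privacyIDEA's own code: a simplified model of applying the “group” : “memberOf” mapping to one search result, reporting mapped keys whose LDAP attribute the directory did not return to the bind account. The function name, the sample entries and the rule that a key not marked multivalue keeps only its first value are assumptions of this sketch.

```python
import json

def map_entry(ldap_attrs, userinfo_map, multivalue_json="[]"):
    """Simplified model (assumption, not privacyIDEA's code) of mapping one
    LDAP search result to user attributes.

    Returns (userinfo, missing); `missing` lists mapped keys whose LDAP
    attribute was absent from the result or empty.
    """
    multivalue = set(json.loads(multivalue_json))
    # LDAP attribute names are case-insensitive, so compare lowercased.
    returned = {name.lower(): value for name, value in ldap_attrs.items()}
    userinfo, missing = {}, []
    for key, ldap_name in userinfo_map.items():
        value = returned.get(ldap_name.lower())
        values = value if isinstance(value, list) else ([] if value is None else [value])
        if not values:
            missing.append(key)
        if key in multivalue:
            userinfo[key] = values
        else:
            # Assumed behaviour: a key not marked multivalue keeps one value.
            userinfo[key] = values[0] if values else ""
    return userinfo, missing


# Constructed sample data: the same AD user as two bind accounts see it.
MAPPING = {"username": "sAMAccountName", "group": "memberOf"}
FULL_VIEW = {
    "sAMAccountName": "alice",
    "memberOf": ["CN=vpn-users,OU=Groups,DC=example,DC=com",
                 "CN=staff,OU=Groups,DC=example,DC=com"],
}
# No read right on memberOf: the attribute is left out, no error is raised.
RESTRICTED_VIEW = {"sAMAccountName": "alice"}

if __name__ == "__main__":
    for label, entry in (("full", FULL_VIEW), ("restricted", RESTRICTED_VIEW)):
        info, missing = map_entry(entry, MAPPING, '["group"]')
        print(label, info["group"], "missing:", missing)
    # Without the multivalue setting only the first group survives.
    print(map_entry(FULL_VIEW, MAPPING)[0]["group"])
```

A non-empty `missing` list for “group” while the mapping itself is correct points at the bind account's read permissions rather than at the resolver configuration.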

Look here: