LDAP-Backend Multivalue attributes - bug?

Hello froum,

right now, I’m testing PI to replace our current 2FA solution. The basic functionallity is working. My problem occured during the speical use cases.
In the LDAP resolver (AD), I try to map “group” : “memberOf” with Multivalue Attributes = [“group”]. During saving there is a message in privacyidea.log:
[WARNING][privacyidea.lib.utils:421] the passed key ‘MULTIVALUEATTRIBUTES’ is not a parameter for the ldapresolver type ‘’

The related database entry seems to be incomplete, as type is empty:
| id | resolver_id | Key | Value | Type | Description |
| 93 | 3 | MULTIVALUEATTRIBUTES | [“group”] | | |

After enabeling the database log, there is this statement during saving:
UPDATE resolverconfig SET Value=‘["group"]’, Type=‘’, Description=‘’ WHERE resolverconfig.resolver_id = 3 AND resolverconfig.Key = ‘MULTIVALUEATTRIBUTES’

Here, too, type is empty.

I just did an update fom 3.7.4 to 3.9, the behaviour is the same.

To me there seems a bug in adding Multivalue Attributes. Or do I miss something?

Thank you for your help.

Hello and welcome to privacyIDEA.

Are you actually experiencing a problem?

Or do you only see the warning in the log file.
And do you expect that there should be an entry in the data base column “type”?

Hello cornelinux,

yes, I actually do have a problem. I try to write a policy based on group membership in AD. Since there is no mapping, the policy does not work.

I dug into the code and the database. There I found this (maybe) uncomplete entry. I don’t expect any “type” (since I’m not the developer); I just noticed the difference to the other entries. So I mentioned it as a hint.
Here is another one:
In the file “lib/python3.9/site-packages/privacyidea/api/resolver.py” is the function “getResolverClassDescriptor”. I read it as a mapping for “key” to “type” in the table “resolverconfig” . I didn’t check every DB entry for a match, but the one I checked are correct. And there is no mapping for “MULTIVALUEATTRIBUTES”. Maybe this is the reason.

Thank you for your help.


to the issue itself, I finally found the soulution. The bind user didn’t have the rights to read group membership. So everythins is working now.
But during saving the resolver settings, there is still the message about the MULTIVALUEATTRIBUTES in the log. The error seems to have no impact, but is misleading. Maybe this can be fixed.

1 Like

Look here: