Fix group ldap filters

cs3org · Mar 7, 2023 · 861c31c · 861c31c
1 parent 9d45bd3
commit 861c31c
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/changelog/unreleased/fix-ldap-filter.md b/changelog/unreleased/fix-ldap-filter.md
@@ -1,6 +1,6 @@
-Bugfix: Fix ldap filter when checking for enabled users
+Bugfix: Fix ldap filters when checking for enabled users
 
-This fixes the ldap filter that gets added when configured to filter out disabled users.
+This fixes the ldap filters for checking enabled/disabled users.
 
 
 https://github.com/cs3org/reva/pull/3696
diff --git a/pkg/utils/ldap/identity.go b/pkg/utils/ldap/identity.go
@@ -297,7 +297,7 @@ func (i *Identity) IsLDAPUserInDisabledGroup(log *zerolog.Logger, lc ldap.Client
 		return false
 	}
 
-	filter := fmt.Sprintf("(&(objectClass=groupOfNames)(%s=%s)", i.Group.Schema.Member, userEntry.DN)
+	filter := fmt.Sprintf("(&(objectClass=groupOfNames)(%s=%s))", i.Group.Schema.Member, userEntry.DN)
 	searchRequest := ldap.NewSearchRequest(
 		i.Group.LocalDisabledDN,
 		i.Group.scopeVal,
@@ -310,6 +310,8 @@ func (i *Identity) IsLDAPUserInDisabledGroup(log *zerolog.Logger, lc ldap.Client
 	sr, err := lc.Search(searchRequest)
 	if err != nil {
 		log.Error().Str("backend", "ldap").Err(err).Str("filter", filter).Msg("Error looking up error group")
+		// Err on the side of caution.
+		return true
 	}
 
 	return len(sr.Entries) > 0