Default groupSearch.attributes.groupName to "dn" instead of "cn"

- DNs are more unique than CNs, so it feels like a safer default
2026-04-15 07:06:45 +00:00 · 2021-05-28 13:27:11 -07:00
parent a741041737
commit cedbe82bbb
19 changed files with 81 additions and 45 deletions
--- a/internal/upstreamldap/upstreamldap.go
+++ b/internal/upstreamldap/upstreamldap.go
@@ -31,7 +31,6 @@ import (
 const (
 	ldapsScheme                             = "ldaps"
 	distinguishedNameAttributeName          = "dn"
-	commonNameAttributeName                 = "cn"
 	searchFilterInterpolationLocationMarker = "{}"
 	groupSearchPageSize                     = uint32(250)
 	defaultLDAPPort                         = uint16(389)
@@ -367,7 +366,7 @@ func (p *Provider) searchGroupsForUserDN(conn Conn, userDN string) ([]string, er

 	groupAttributeName := p.c.GroupSearch.GroupNameAttribute
 	if len(groupAttributeName) == 0 {
-		groupAttributeName = commonNameAttributeName
+		groupAttributeName = distinguishedNameAttributeName
 	}

 	groups := []string{}
@@ -493,7 +492,7 @@ func (p *Provider) userSearchRequestedAttributes() []string {
 func (p *Provider) groupSearchRequestedAttributes() []string {
 	switch p.c.GroupSearch.GroupNameAttribute {
 	case "":
-		return []string{commonNameAttributeName}
+		return []string{}
 	case distinguishedNameAttributeName:
 		return []string{}
 	default:
--- a/internal/upstreamldap/upstreamldap_test.go
+++ b/internal/upstreamldap/upstreamldap_test.go
@@ -315,6 +315,29 @@ func TestEndUserAuthentication(t *testing.T) {
 				r.UID = base64.RawURLEncoding.EncodeToString([]byte(testUserSearchResultDNValue))
 			}),
 		},
+		{
+			name:     "when the GroupNameAttribute is empty then it defaults to dn",
+			username: testUpstreamUsername,
+			password: testUpstreamPassword,
+			providerConfig: providerConfig(func(p *ProviderConfig) {
+				p.GroupSearch.GroupNameAttribute = "" // blank means to use dn
+			}),
+			searchMocks: func(conn *mockldapconn.MockConn) {
+				conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
+				conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
+				conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
+					r.Attributes = []string{}
+				}), expectedGroupSearchPageSize).
+					Return(exampleGroupSearchResult, nil).Times(1)
+				conn.EXPECT().Close().Times(1)
+			},
+			bindEndUserMocks: func(conn *mockldapconn.MockConn) {
+				conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
+			},
+			wantAuthResponse: expectedAuthResponse(func(r *user.DefaultInfo) {
+				r.Groups = []string{testGroupSearchResultDNValue1, testGroupSearchResultDNValue2}
+			}),
+		},
 		{
 			name:     "when the GroupNameAttribute is dn",
 			username: testUpstreamUsername,
@@ -339,11 +362,11 @@ func TestEndUserAuthentication(t *testing.T) {
 			}),
 		},
 		{
-			name:     "when the GroupNameAttribute is empty then it defaults to cn",
+			name:     "when the GroupNameAttribute is cn",
 			username: testUpstreamUsername,
 			password: testUpstreamPassword,
 			providerConfig: providerConfig(func(p *ProviderConfig) {
-				p.GroupSearch.GroupNameAttribute = "" // blank means to use cn
+				p.GroupSearch.GroupNameAttribute = "cn"
 			}),
 			searchMocks: func(conn *mockldapconn.MockConn) {
 				conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)