LDAP settings UI does not accept slash in LDAP group

Metabase v0.36.6
OS: Red Hat Enterprise Linux 8
Browser: Firefox 78.3.0

Hi,

when creating an LDAP group mapping, LDAP group names with slashes are not accepted ("… is no valid DN"). Not sure about the LDAP standard, to be honest, but my company uses slashes in their DNs.
When I manually insert the mapping directly into the “setting” DB table, everything works as expected. So it seems that the restriction is only applied by the UI without technical necessity.

Can this behavior be changed in the future?

BR,
Eric

Hi @wolleric
It looks like it’s definitely not recommended to use slashes:
https://ldapwiki.com/wiki/Best%20Practices%20For%20LDAP%20Naming%20Attributes
And the recommendation is to use hex representation instead - so / would be \2F

Hi @flamber,

thanks for your info. Sadly I will have to live with what my employer decided to implement.
In any case, since it actually is working if I manually put the slash into the DB entry, I do not see a reason why Metabase should unnecessarily enforce good LDAP practices here.
Or can there be other cases where this might break something?

@wolleric

Metabase is using another library for validation:
https://github.com/pauldorman/clj-ldap
https://github.com/metabase/metabase/blob/23e577c9053d593bf8785842edab42ad2f05086f/src/metabase/integrations/ldap.clj#L84
https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/DN.html#isValidDN(java.lang.String)

So it would either require that the upstream function accepts slashes (perhaps newer versions do, but I haven’t tested) or we would have to write our own validator.

But if the hex representation works (you didn’t note if you had tested that), then that would be the correct way to write it.
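
The hex-pair rewrite discussed in this thread, as an added example that is not part of any post and is not Metabase or clj-ldap code: it replaces each unescaped `/` in a DN string with `\2F` and decodes RFC 4514 escapes in an attribute value to show both spellings name the same value. The function names and the sample DN are constructed for illustration; whether Metabase's validator accepts the escaped form was not confirmed in the thread.

```python
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def hex_escape_slashes(dn: str) -> str:
    """Rewrite each unescaped '/' in a DN string as the hex pair \\2F."""
    out, i = [], 0
    while i < len(dn):
        if dn[i] == "\\":
            # Already an escape (\XX or \c): copy it through unchanged.
            width = 3 if HEX_PAIR.fullmatch(dn, i + 1, i + 3) else 2
            out.append(dn[i:i + width])
            i += width
        else:
            out.append("\\2F" if dn[i] == "/" else dn[i])
            i += 1
    return "".join(out)

def unescape_value(value: str) -> str:
    """Decode RFC 4514 escapes in one attribute value (hex pairs are UTF-8 octets)."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and HEX_PAIR.fullmatch(value, i + 1, i + 3):
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            if value[i] == "\\" and i + 1 < len(value):
                i += 1  # \c form: keep the character after the backslash
            raw += value[i].encode("utf-8")
            i += 1
    return raw.decode("utf-8")

# Constructed sample group DN, not taken from the thread.
SAMPLE_DN = "cn=Dev/Ops,ou=Groups,dc=example,dc=com"

if __name__ == "__main__":
    escaped = hex_escape_slashes(SAMPLE_DN)
    print(escaped)
    print(unescape_value("Dev\\2FOps"))
```

The rewrite is idempotent, so running it on a DN that already contains `\2F` leaves it unchanged.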