Fixes zammad#3634 - LDAP role assignment fails when more than 1500 us…

…ers are part of an active directory group.

Co-authored-by: Martin Edenhofer <[email protected]>

lib/ldap/group.rb

@@ -127,10 +127,14 @@ def handle_config(config)
 
       @uid_attribute = config[:uid_attribute]
       @filter        = config[:filter]
+      @user_filter   = config[:user_filter]
     end
 
     def group_user_dns(entry)
       return entry[:member] if entry[:member].present?
+      # workaround for windows ad's with more than 1500 group users
+      # https://metacpan.org/dist/perl-ldap/view/lib/Net/LDAP/FAQ.pod#How-do-I-search-for-all-members-of-a-large-group-in-AD
+      return group_user_memberof(entry) if entry.to_h.keys.any? { |key| key.to_s.include?('member;range') }
       return group_user_dns_memberuid(entry) if entry[:memberuid].present?
 
       entry[:uniquemember].presence
@@ -139,11 +143,19 @@ def group_user_dns(entry)
     def group_user_dns_memberuid(entry)
       entry[:memberuid].filter_map do |uid|
         dn = nil
-        @ldap.search("(&(uid=#{uid})#{Import::Ldap.config[:user_filter]})", attributes: %w[dn]) do |user|
+        @ldap.search("(&(uid=#{uid})#{@user_filter})", attributes: %w[dn]) do |user|
           dn = user.dn
         end
         dn
       end
     end
+
+    def group_user_memberof(entry)
+      result = []
+      @ldap.search("(&(memberOf=#{entry.dn})#{@user_filter})", attributes: %w[dn]) do |user|
+        result << user.dn
+      end
+      result
+    end
   end
 end

lib/sequencer/unit/import/ldap/users/user_roles.rb

@@ -9,7 +9,8 @@ def process
     state.provide(:dn_roles) do
 
       group_config = {
-        filter: ldap_config[:group_filter]
+        filter:      ldap_config[:group_filter],
+        user_filter: ldap_config[:user_filter],
       }
 
       ldap_group = ::Ldap::Group.new(group_config, ldap: ldap_connection)