From 600d002a35f454b1cbd31460d0bf40d3555ac287 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Wed, 31 May 2023 11:17:40 -0700 Subject: [PATCH] Use groupSearch.userAttributeForFilter during ActiveDirectory group searches - Load the setting in the controller. - The LDAP auth code is shared between AD and LDAP, so no new changes there in this commit. --- .../active_directory_upstream_watcher.go | 11 +- .../active_directory_upstream_watcher_test.go | 213 ++++++++++-------- 2 files changed, 123 insertions(+), 101 deletions(-) diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go index 38a677f0..9cb773b5 100644 --- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go +++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go @@ -204,7 +204,7 @@ func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) Filter() string { } func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) UserAttributeForFilter() string { - return "" + return g.groupSearch.UserAttributeForFilter } func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) GroupNameAttribute() string { @@ -333,10 +333,11 @@ func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context, UIDAttribute: adUpstreamImpl.Spec().UserSearch().UIDAttribute(), }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: spec.GroupSearch.Base, - Filter: adUpstreamImpl.Spec().GroupSearch().Filter(), - GroupNameAttribute: adUpstreamImpl.Spec().GroupSearch().GroupNameAttribute(), - SkipGroupRefresh: spec.GroupSearch.SkipGroupRefresh, + Base: spec.GroupSearch.Base, + Filter: adUpstreamImpl.Spec().GroupSearch().Filter(), + UserAttributeForFilter: adUpstreamImpl.Spec().GroupSearch().UserAttributeForFilter(), + GroupNameAttribute: adUpstreamImpl.Spec().GroupSearch().GroupNameAttribute(), + SkipGroupRefresh: spec.GroupSearch.SkipGroupRefresh, }, Dialer: c.ldapDialer, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){ diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go index dc5fa693..9d8d8840 100644 --- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go +++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package activedirectoryupstreamwatcher @@ -149,20 +149,25 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { now := metav1.NewTime(time.Now().UTC()) const ( - testNamespace = "test-namespace" - testName = "test-name" - testResourceUID = "test-uid" - testSecretName = "test-bind-secret" - testBindUsername = "test-bind-username" - testBindPassword = "test-bind-password" - testHost = "ldap.example.com:123" - testUserSearchBase = "test-user-search-base" - testUserSearchFilter = "test-user-search-filter" - testGroupSearchBase = "test-group-search-base" - testGroupSearchFilter = "test-group-search-filter" - testUsernameAttrName = "test-username-attr" - testGroupNameAttrName = "test-group-name-attr" - testUIDAttrName = "test-uid-attr" + testNamespace = "test-namespace" + testName = "test-name" + testResourceUID = "test-uid" + + testHost = "ldap.example.com:123" + + testBindSecretName = "test-bind-secret" + testBindUsername = "test-bind-username" + testBindPassword = "test-bind-password" + + testUserSearchBase = "test-user-search-base" + testUserSearchFilter = "test-user-search-filter" + testUserSearchUsernameAttrName = "test-username-attr" + testUserSearchUIDAttrName = "test-uid-attr" + + testGroupSearchBase = "test-group-search-base" + testGroupSearchFilter = "test-group-search-filter" + testGroupSearchUserAttributeForFilter = "test-group-search-filter-user-attr-for-filter" + testGroupSearchNameAttrName = "test-group-name-attr" ) testValidSecretData := map[string][]byte{"username": []byte(testBindUsername), "password": []byte(testBindPassword)} @@ -177,20 +182,21 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { Spec: v1alpha1.ActiveDirectoryIdentityProviderSpec{ Host: testHost, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testCABundleBase64Encoded}, - Bind: v1alpha1.ActiveDirectoryIdentityProviderBind{SecretName: testSecretName}, + Bind: v1alpha1.ActiveDirectoryIdentityProviderBind{SecretName: testBindSecretName}, UserSearch: v1alpha1.ActiveDirectoryIdentityProviderUserSearch{ Base: testUserSearchBase, Filter: testUserSearchFilter, Attributes: v1alpha1.ActiveDirectoryIdentityProviderUserSearchAttributes{ - Username: testUsernameAttrName, - UID: testUIDAttrName, + Username: testUserSearchUsernameAttrName, + UID: testUserSearchUIDAttrName, }, }, GroupSearch: v1alpha1.ActiveDirectoryIdentityProviderGroupSearch{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, Attributes: v1alpha1.ActiveDirectoryIdentityProviderGroupSearchAttributes{ - GroupName: testGroupNameAttrName, + GroupName: testGroupSearchNameAttrName, }, SkipGroupRefresh: false, }, @@ -213,13 +219,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UserSearch: upstreamldap.UserSearchConfig{ Base: testUserSearchBase, Filter: testUserSearchFilter, - UsernameAttribute: testUsernameAttrName, - UIDAttribute: testUIDAttrName, + UsernameAttribute: testUserSearchUsernameAttrName, + UIDAttribute: testUserSearchUIDAttrName, }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -252,7 +259,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { Reason: "Success", Message: fmt.Sprintf( `successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`, - testHost, testBindUsername, testSecretName, secretVersion), + testHost, testBindUsername, testBindSecretName, secretVersion), ObservedGeneration: gen, } } @@ -324,7 +331,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { validBindUserSecret := func(secretVersion string) *corev1.Secret { return &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{Name: testSecretName, Namespace: testNamespace, ResourceVersion: secretVersion}, + ObjectMeta: metav1.ObjectMeta{Name: testBindSecretName, Namespace: testNamespace, ResourceVersion: secretVersion}, Type: corev1.SecretTypeBasicAuth, Data: testValidSecretData, } @@ -417,7 +424,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { Status: "False", LastTransitionTime: now, Reason: "SecretNotFound", - Message: fmt.Sprintf(`secret "%s" not found`, testSecretName), + Message: fmt.Sprintf(`secret "%s" not found`, testBindSecretName), ObservedGeneration: 1234, }, tlsConfigurationValidLoadedTrueCondition(1234), @@ -429,7 +436,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { name: "secret has wrong type", inputUpstreams: []runtime.Object{validUpstream}, inputSecrets: []runtime.Object{&corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{Name: testSecretName, Namespace: testNamespace}, + ObjectMeta: metav1.ObjectMeta{Name: testBindSecretName, Namespace: testNamespace}, Type: "some-other-type", Data: testValidSecretData, }}, @@ -445,7 +452,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { Status: "False", LastTransitionTime: now, Reason: "SecretWrongType", - Message: fmt.Sprintf(`referenced Secret "%s" has wrong type "some-other-type" (should be "kubernetes.io/basic-auth")`, testSecretName), + Message: fmt.Sprintf(`referenced Secret "%s" has wrong type "some-other-type" (should be "kubernetes.io/basic-auth")`, testBindSecretName), ObservedGeneration: 1234, }, tlsConfigurationValidLoadedTrueCondition(1234), @@ -457,7 +464,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { name: "secret is missing key", inputUpstreams: []runtime.Object{validUpstream}, inputSecrets: []runtime.Object{&corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{Name: testSecretName, Namespace: testNamespace}, + ObjectMeta: metav1.ObjectMeta{Name: testBindSecretName, Namespace: testNamespace}, Type: corev1.SecretTypeBasicAuth, }}, wantErr: controllerlib.ErrSyntheticRequeue.Error(), @@ -472,7 +479,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { Status: "False", LastTransitionTime: now, Reason: "SecretMissingKeys", - Message: fmt.Sprintf(`referenced Secret "%s" is missing required keys ["username" "password"]`, testSecretName), + Message: fmt.Sprintf(`referenced Secret "%s" is missing required keys ["username" "password"]`, testBindSecretName), ObservedGeneration: 1234, }, tlsConfigurationValidLoadedTrueCondition(1234), @@ -555,13 +562,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UserSearch: upstreamldap.UserSearchConfig{ Base: testUserSearchBase, Filter: testUserSearchFilter, - UsernameAttribute: testUsernameAttrName, - UIDAttribute: testUIDAttrName, + UsernameAttribute: testUserSearchUsernameAttrName, + UIDAttribute: testUserSearchUIDAttrName, }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -624,13 +632,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UserSearch: upstreamldap.UserSearchConfig{ Base: testUserSearchBase, Filter: testUserSearchFilter, - UsernameAttribute: testUsernameAttrName, - UIDAttribute: testUIDAttrName, + UsernameAttribute: testUserSearchUsernameAttrName, + UIDAttribute: testUserSearchUIDAttrName, }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, - GroupNameAttribute: "sAMAccountName", + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: "sAMAccountName", }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -696,13 +705,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UserSearch: upstreamldap.UserSearchConfig{ Base: testUserSearchBase, Filter: testUserSearchFilter, - UsernameAttribute: testUsernameAttrName, - UIDAttribute: testUIDAttrName, + UsernameAttribute: testUserSearchUsernameAttrName, + UIDAttribute: testUserSearchUIDAttrName, }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -725,7 +735,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { Reason: "Success", Message: fmt.Sprintf( `successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`, - "ldap.example.com", testBindUsername, testSecretName, "4242"), + "ldap.example.com", testBindUsername, testBindSecretName, "4242"), ObservedGeneration: 1234, }, searchBaseFoundInConfigCondition(1234), @@ -745,7 +755,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { Reason: "Success", Message: fmt.Sprintf( `successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`, - "ldap.example.com", testBindUsername, testSecretName, "4242"), + "ldap.example.com", testBindUsername, testBindSecretName, "4242"), }, SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))), }}, @@ -775,13 +785,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UserSearch: upstreamldap.UserSearchConfig{ Base: testUserSearchBase, Filter: testUserSearchFilter, - UsernameAttribute: testUsernameAttrName, - UIDAttribute: testUIDAttrName, + UsernameAttribute: testUserSearchUsernameAttrName, + UIDAttribute: testUserSearchUIDAttrName, }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -838,13 +849,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UserSearch: upstreamldap.UserSearchConfig{ Base: testUserSearchBase, Filter: testUserSearchFilter, - UsernameAttribute: testUsernameAttrName, - UIDAttribute: testUIDAttrName, + UsernameAttribute: testUserSearchUsernameAttrName, + UIDAttribute: testUserSearchUIDAttrName, }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -988,13 +1000,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UserSearch: upstreamldap.UserSearchConfig{ Base: exampleDefaultNamingContext, Filter: testUserSearchFilter, - UsernameAttribute: testUsernameAttrName, - UIDAttribute: testUIDAttrName, + UsernameAttribute: testUserSearchUsernameAttrName, + UIDAttribute: testUserSearchUIDAttrName, }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -1137,13 +1150,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UserSearch: upstreamldap.UserSearchConfig{ Base: exampleDefaultNamingContext, Filter: testUserSearchFilter, - UsernameAttribute: testUsernameAttrName, - UIDAttribute: testUIDAttrName, + UsernameAttribute: testUserSearchUsernameAttrName, + UIDAttribute: testUserSearchUIDAttrName, }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -1208,13 +1222,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UserSearch: upstreamldap.UserSearchConfig{ Base: exampleDefaultNamingContext, Filter: testUserSearchFilter, - UsernameAttribute: testUsernameAttrName, - UIDAttribute: testUIDAttrName, + UsernameAttribute: testUserSearchUsernameAttrName, + UIDAttribute: testUserSearchUIDAttrName, }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -1477,9 +1492,10 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UIDAttribute: "objectGUID", }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))", - GroupNameAttribute: "sAMAccountName", + Base: testGroupSearchBase, + Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))", + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: "sAMAccountName", }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, GroupAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"sAMAccountName": groupSAMAccountNameWithDomainSuffix}, @@ -1537,9 +1553,10 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UIDAttribute: "objectGUID", }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: exampleDefaultNamingContext, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: exampleDefaultNamingContext, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -1600,9 +1617,10 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UIDAttribute: "objectGUID", }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -1663,9 +1681,10 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UIDAttribute: "objectGUID", }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: exampleDefaultNamingContext, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: exampleDefaultNamingContext, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -1874,9 +1893,10 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UIDAttribute: "objectGUID", }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: exampleDefaultNamingContext, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, + Base: exampleDefaultNamingContext, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{ @@ -1931,14 +1951,15 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) { UserSearch: upstreamldap.UserSearchConfig{ Base: testUserSearchBase, Filter: testUserSearchFilter, - UsernameAttribute: testUsernameAttrName, - UIDAttribute: testUIDAttrName, + UsernameAttribute: testUserSearchUsernameAttrName, + UIDAttribute: testUserSearchUIDAttrName, }, GroupSearch: upstreamldap.GroupSearchConfig{ - Base: testGroupSearchBase, - Filter: testGroupSearchFilter, - GroupNameAttribute: testGroupNameAttrName, - SkipGroupRefresh: true, + Base: testGroupSearchBase, + Filter: testGroupSearchFilter, + UserAttributeForFilter: testGroupSearchUserAttributeForFilter, + GroupNameAttribute: testGroupSearchNameAttrName, + SkipGroupRefresh: true, }, UIDAttributeParsingOverrides: map[string]func(*ldap.Entry) (string, error){"objectGUID": microsoftUUIDFromBinaryAttr("objectGUID")}, RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.RefreshAttributes) error{