From 494721cc90c9d6dfc7ed136939a1bc562b08a09c Mon Sep 17 00:00:00 2001 From: Giteabot Date: Wed, 29 Mar 2023 15:00:12 -0400 Subject: [PATCH] Don't apply the group filter when listing LDAP group membership if it is empty (#23745) (#23788) Backport #23745 by @zeripath When running listLdapGroupMemberships check if the groupFilter is empty before using it to list memberships. Fix #23615 Signed-off-by: Andrew Thornton Co-authored-by: zeripath --- services/auth/source/ldap/source_search.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go index 5a2d25b0c4..2a61386ae1 100644 --- a/services/auth/source/ldap/source_search.go +++ b/services/auth/source/ldap/source_search.go @@ -208,7 +208,7 @@ func (source *Source) listLdapGroupMemberships(l *ldap.Conn, uid string, applyGr } var searchFilter string - if applyGroupFilter { + if applyGroupFilter && groupFilter != "" { searchFilter = fmt.Sprintf("(&(%s)(%s=%s))", groupFilter, source.GroupMemberUID, ldap.EscapeFilter(uid)) } else { searchFilter = fmt.Sprintf("(%s=%s)", source.GroupMemberUID, ldap.EscapeFilter(uid))