diff --git a/cmd/iam.go b/cmd/iam.go
index 525242131..f5e12a1d0 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1606,7 +1606,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
 	}
 	sys.store.unlock()
-	expiredUsers, err := globalLDAPConfig.GetNonExistentUserDistNames(parentUsers)
+	expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(parentUsers)
 	if err != nil {
 		// Log and return on error - perhaps it'll work the next time.
 		logger.LogIf(GlobalContext, err)
diff --git a/internal/config/identity/ldap/config.go b/internal/config/identity/ldap/config.go
index d974077e3..7ebb8b791 100644
--- a/internal/config/identity/ldap/config.go
+++ b/internal/config/identity/ldap/config.go
@@ -478,9 +478,9 @@ func (l Config) IsLDAPUserDN(user string) bool {
 	return strings.HasSuffix(user, ","+l.UserDNSearchBaseDN)
 }
 
-// GetNonExistentUserDistNames - find user accounts (DNs) that are no longer
-// present in the LDAP server.
-func (l *Config) GetNonExistentUserDistNames(userDistNames []string) ([]string, error) {
+// GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer
+// present in the LDAP server or do not meet filter criteria anymore
+func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error) {
 	if !l.isUsingLookupBind {
 		return nil, errors.New("current LDAP configuration does not permit looking for expired user accounts")
 	}
@@ -496,12 +496,15 @@ func (l *Config) GetNonExistentUserDistNames(userDistNames []string) ([]string,
 		return nil, err
 	}
 
+	// Evaluate the filter again with generic wildcard instead of specific values
+	filter := strings.Replace(l.UserDNSearchFilter, "%s", "*", -1)
+
 	nonExistentUsers := []string{}
 	for _, dn := range userDistNames {
 		searchRequest := ldap.NewSearchRequest(
 			dn, ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
-			"(objectclass=*)",
+			filter,
 			[]string{}, // only need DN, so no pass no attributes here
 			nil,
 		)
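Review bot: The call site in purgeExpiredCredentialsForLDAP keeps the name expiredUsers, but the renamed GetNonEligibleUserDistNames now (per its new doc comment in internal/config/identity/ldap/config.go) also returns DNs of users that still exist in LDAP yet no longer match the configured search filter, so a narrowed or mistyped filter revokes credentials of live users on the next purge cycle. That broadened blast radius is not visible from this line; a one-line comment above the call would make it explicit for whoever next touches the filter handling: `// Includes users that still exist in LDAP but no longer match the configured user DN search filter; their credentials are purged too.` The body of purgeExpiredCredentialsForLDAP starts and ends outside the hunk.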
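Review bot: The new doc comment on GetNonEligibleUserDistNames leaves "filter criteria" undefined and drops the terminal period Go doc comments use. Because the returned list drives credential removal in cmd/iam.go, the comment should name which filter is re-evaluated and how; suggested wording: `// GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer` / `// present in the LDAP server, or that no longer match the configured user DN` / `// search filter (re-evaluated per DN with its %s placeholders replaced by *).` The unchanged guard below still reports "looking for expired user accounts", which now reads narrower than the function's name and is worth aligning in a follow-up. The function's body continues past this hunk.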