LDAP Authentication "Bad Search Filter"

Hey All!

Running into a fun problem setting up Icinga Web using the Setup Module. I am trying to set the Authentication Backend to be LDAP w/ Windows Active Directory. Setting the resource worked with no problems.

Here’s what I’ve got right now as my config.

  • Backend Type ActiveDirectory
  • Backend Name icingaweb2
  • LDAP Connection icingaweb_ldap
  • LDAP User Object Class user
  • LDAP Filter MemberOf:1.2.840.113556.1.4.1941:=CN=#GroupName,OU=Users,OU=Office,OU=GB,DC=domain,DC=segment,DC=company,DC=com
  • LDAP User Name Attribute sAMAccountName
  • LDAP Base DN OU=Users,OU=Office,OU=GB,DC=domain,DC=segment,DC=company,DC=com

And here's the validation log

Connect without encryption
LDAP bind (domain\AdminUser / ***) to ldap://domain.segment.company.com:123 ldap://:123 successful
Microsoft Active Directory
Windows Server 2012 (or newer)
Supports STARTTLS: True
Default naming context: DC=domain,DC=segment,DC=company,DC=com
LDAP query “(&(memberOf:1.2.840.113556.1.4.1941:=CN=#GroupName,OU=Users,OU=Office,OU=GB,DC=domain,DC=segment,DC=company,DC=com)(objectClass=user))” (base OU=Users,OU=Office,OU=GB,DC=domain,DC=segment,DC=company,DC=com) failed.
Error: Bad search filter

However, if I perform the exact same LDAP query in PowerShell it works and lists the users in that group.

Get-ADUser -LDAPFilter "(&(memberOf:1.2.840.113556.1.4.1941:=CN=#GroupName,OU=Users,OU=Office,OU=GB,DC=domain,DC=segment,DC=company,DC=com)(objectClass=user))"

If I remove the filter entirely it says 1000 users found (also wrong, as the entire domain contains a lot more than that), but it at least doesn't fail.

Additionally, if I try using "(sAMAccountName=KnownUserName)" I always get "1 Users Found in backend" each time I test a known username, so I know that it is able to read the Active Directory but just doesn't appear to like the "MemberOf" filter.

Any suggestions from the geniuses in the community? :smiley:
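"Bad search filter" is the LDAP client library or server rejecting the filter string on syntax (unbalanced parentheses, a bad operator, an unescaped special character in a value), before the directory is ever searched. A small offline RFC 4515 syntax checker lets you test a filter before pasting it into a backend form or a PowerShell one-liner. The code below is an added example and is not part of the original post or of Icinga Web; the `compose_icinga_filter` helper only reproduces the `(&<filter>(objectClass=user))` wrapping that is visible in the validation log above and is an assumption about how the form builds its query, and the group DN `CN=Monitoring,OU=Groups,DC=example,DC=com` is constructed sample data. Note that the PowerShell filter as it appears in the post is missing the `(` before `memberOf`, which this checker flags.

```python
"""Offline RFC 4515 LDAP search-filter syntax checker (added example, not Icinga Web code)."""
import re


class FilterError(ValueError):
    """Raised when a filter string is not valid RFC 4515 syntax."""


# attribute description or numeric OID, optional ":dn", optional ":<rule>", then the operator
_ITEM = re.compile(
    r'(?P<attr>[A-Za-z][A-Za-z0-9.;-]*|[0-9]+(?:\.[0-9]+)*)?'
    r'(?P<dn>:dn)?'
    r'(?::(?P<rule>[A-Za-z][A-Za-z0-9.-]*|[0-9]+(?:\.[0-9]+)*))?'
    r'(?P<op>:=|~=|>=|<=|=)'
)
# assertion value: anything except NUL, parentheses and backslash, unless written as a "\xx" hex escape
_VALUE = re.compile(r'(?:[^\x00()\\]|\\[0-9A-Fa-f]{2})*')


class _Parser:
    """Recursive-descent parser for: filter = "(" ( "&"/"|" filter+ | "!" filter | item ) ")"."""

    def __init__(self, text):
        self.s = text
        self.i = 0

    def _peek(self):
        return self.s[self.i] if self.i < len(self.s) else ''

    def _expect(self, ch):
        if self._peek() != ch:
            raise FilterError(f"expected {ch!r} at offset {self.i}, got {self._peek()!r}")
        self.i += 1

    def parse(self):
        if not self.s:
            raise FilterError("empty filter")
        node = self._filter()
        if self.i != len(self.s):
            raise FilterError(f"trailing characters at offset {self.i}: {self.s[self.i:]!r}")
        return node

    def _filter(self):
        self._expect('(')
        c = self._peek()
        if c in ('&', '|'):
            self.i += 1
            kids = []
            while self._peek() == '(':          # every sub-filter needs its own parentheses
                kids.append(self._filter())
            if not kids:
                raise FilterError(f"{c!r} at offset {self.i - 1} must be followed by '('")
            node = (c, kids)
        elif c == '!':
            self.i += 1
            node = ('!', [self._filter()])
        else:
            node = self._item()
        self._expect(')')
        return node

    def _item(self):
        m = _ITEM.match(self.s, self.i)
        if not m:
            raise FilterError(f"expected attribute and operator at offset {self.i}")
        attr, dn, rule, op = m.group('attr'), bool(m.group('dn')), m.group('rule'), m.group('op')
        if (dn or rule) and op != ':=':
            raise FilterError(f"extensible match at offset {self.i} must use ':='")
        if op == ':=' and not (attr or rule):
            raise FilterError(f"extensible match at offset {self.i} needs an attribute or a matching rule")
        if op != ':=' and not attr:
            raise FilterError(f"missing attribute at offset {self.i}")
        self.i = m.end()
        v = _VALUE.match(self.s, self.i)
        value = v.group(0)
        self.i = v.end()
        if op != '=' and '*' in value:           # wildcards only make sense for equality/substring
            raise FilterError(f"'*' not allowed with {op!r} at offset {self.i}")
        return ('item', attr, dn, rule, op, value)


def parse_filter(text):
    """Return a tuple tree for a valid filter, or raise FilterError."""
    return _Parser(text).parse()


def validate_filter(text):
    """Return None if the filter parses, otherwise the error message."""
    try:
        parse_filter(text)
        return None
    except FilterError as exc:
        return str(exc)


def escape_value(value):
    """Escape an assertion value per RFC 4515 section 3 (e.g. a group name containing parentheses)."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def compose_icinga_filter(user_filter, object_class='user'):
    """Assumption: wrap a bare filter the way the validation log shows, (&<filter>(objectClass=<class>))."""
    f = user_filter.strip()
    if not f.startswith('('):
        f = '(' + f + ')'
    return f'(&{f}(objectClass={object_class}))'


if __name__ == '__main__':
    # constructed sample group DN, not the poster's real directory
    group = 'CN=Monitoring,OU=Groups,DC=example,DC=com'
    for candidate in (
        compose_icinga_filter(f'memberOf:1.2.840.113556.1.4.1941:={group}'),
        f'(& memberOf:1.2.840.113556.1.4.1941:={group})(objectClass=user))',  # as typed in the post
        '(cn=Ops (UK))',
        '(cn=' + escape_value('Ops (UK)') + ')',
    ):
        print(f'{validate_filter(candidate) or "OK":<60} {candidate}')
```

Run it as a script to see each candidate filter with its verdict; the unescaped `(cn=Ops (UK))` and the unbalanced PowerShell form are rejected, while the wrapped `memberOf` filter with the LDAP_MATCHING_RULE_IN_CHAIN OID parses cleanly, so a "Bad search filter" on a string this checker accepts points at the value itself (what a placeholder such as `#GroupName` expands to) rather than at the operator syntax.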