Filter bug for session ldap with lemonldap ng

[swapon666]

Hi,

i use lemonldap with the fabulous docker image of Clement OUDOT ( coudot/lemonldap-ng:2.16.2). My session and my OIDC session are stored in openldap and that works, session are created with object class ApplicationProcess with cn and description.
But when i want used purgeCentralCache in order to delete old sessions, the script return always 0 sessions deleted. After reading code ( like saint thomas i trust only what i saw) , the problem is in /usr/share/perl5/Apache/Session/Browseable/LDAP.pm in get_key_from_all_sessions and his filter. This code use the following filter : (&(objectClass=applicationProcess)(ou=))
So it's always return 0 because session create by lemonldap doesn't have ou attribute (it's not mandatory in https://datatracker.ietf.org/doc/html/rfc4519#page-21 ). I modify the filter with th cn despite of ou (&(objectClass=applicationProcess)(cn=)) because when we use & operator in filter we must be sure that attribute is present, and after purge is working.

before submit PR i want to discuss we you on this defect because it's perhaps an invalid configuration on my image.

Best regards,

Pascal PEJAC

[coudot]

Hello Pascal,

with Apache::Session::Browseable::LDAP, you need to configure Index parameter: https://lemonldap-ng.org/documentation/latest/browseablesessionbackend.html#fieldstoindex

The Index values are stored in ou attribute, and so sessions should be seen by the purge script

What we could do is not to put ou attribute in filter if no Index is defined, but anyway it is not the way it should work

[swapon666]

Hello Clement,

yes it working if i use ldapAttributeIndex with "cn" in value. With "ou" in ldapAttributeIndex sessions are created without ou value. So it's appear very strange to change ldapAttributeIndex with default value to "ou" because sessions are created without this attribute.
I closed this issue

Thx very much Clement

best regards

[coudot]

That was not my suggestion. Keep ldapAttributeIndex to "ou", but configure Index with the list documented here: https://lemonldap-ng.org/documentation/latest/browseablesessionbackend.html#fieldstoindex

[swapon666]

yes i just try with index and now it's create muliple "ou" attribute with index values. So i can remove ldapAttributeIndex . By defaut we must configure an index, perhaps a defautlt value with _"session_kind _utime" can be set in order to work out of the box ?

[coudot]

Sorry for the late reply.

We could indeed set a default index but we must find one that would be common to all session type. So _session_kind could be a good candidate.

I keep this issue open to address it later.