LDAP information parsing error

We encountered with some technical problems which we believe is a bug in the latest mattermost docker version 5.7.1. After configuring the LDAP parameters we are getting this error:

error retrieving ldap groups — LDAP Result Code 201 “Filter Compile Error”: ldap: filter does not start with an ‘(’

The server logs says the following:
{“level”:“error”,“ts”:1599739178.383662,“caller”:“mlog/log.go:190”,“msg”:“Failed job”,“workername”:“EnterpriseLdapSync”,“error”:“LdapSession.getAllGroups: error retrieving ldap groups, LDAP Result Code 201 “Filter Compile Error”: ldap: filter does not start with an ‘(’”,“job_id”:“yeg1sbbe77rgzpcna67cpf8fhy”}​

Our LDAP server is sending all the user details, it seems the client (mattermost) not able to parse the information. Here is what is being sent from the LDAP server to the mattermost client:

Bind request

Transmission Control Protocol, Src Port: 38798 (38798), Dst Port: ldap (389), Seq: 1, Ack: 1, Len: 94
Lightweight Directory Access Protocol
LDAPMessage bindRequest(1) “uid=radiusbind,cn=users,cn=accounts,dc=as15932,dc=net” simple
messageID: 1
protocolOp: bindRequest (0)
bindRequest
version: 3
name: uid=radiusbind,cn=users,cn=accounts,dc=as15932,dc=net
authentication: simple (0)
simple: 31556a4639756e414f614f4734485651305466386732454c…
Transmission Control Protocol, Src Port: ldap (389), Dst Port: 38798 (38798), Seq: 1, Ack: 95, Len: 14
Lightweight Directory Access Protocol
LDAPMessage bindResponse(1) success
messageID: 1
protocolOp: bindResponse (1)
bindResponse
resultCode: success (0)
matchedDN:
errorMessage:
[Response To: 1764]
[Time: 0.002684212 seconds]

Search for users

Lightweight Directory Access Protocol
LDAPMessage searchRequest(2) “dc=as15932,dc=net” wholeSubtree
messageID: 2
protocolOp: searchRequest (3)
searchRequest
baseObject: dc=as15932,dc=net
scope: wholeSubtree (2)
derefAliases: derefAlways (3)
sizeLimit: 0
timeLimit: 25
typesOnly: False
Filter: (uid=*)
filter: present (7)
present: uid
attributes: 5 items
AttributeDescription: uid
AttributeDescription: givenName
AttributeDescription: sn
AttributeDescription: mail
AttributeDescription: uid

User information

Lightweight Directory Access Protocol
LDAPMessage searchResEntry(2) “uid=t777693,cn=users,cn=compat,dc=as15932,dc=net” [1 result]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: uid=t777693,cn=users,cn=compat,dc=as15932,dc=net
attributes: 1 item
PartialAttributeList item uid
type: uid
vals: 1 item
AttributeValue: t777693
[Response To: 1768]
[Time: 0.024322130 seconds]
Lightweight Directory Access Protocol
LDAPMessage searchResEntry(2) “uid=testosix,cn=users,cn=compat,dc=as15932,dc=net” [2 results]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: uid=testosix,cn=users,cn=compat,dc=as15932,dc=net
attributes: 1 item
PartialAttributeList item uid
type: uid
vals: 1 item
AttributeValue: testosix
[Response To: 1768]
[Time: 0.024322130 seconds]

    ​.... ....and it lists all our users using the same format

v5.7.1 is an unsupported version. Would you be open to upgrading to a more recent version such as v5.26? https://github.com/mattermost/mattermost-docker/releases

Thank you for the suggestion.
I installed a brand new Mattermost Version: 5.26.1 (not upgraded) and configured the LDAP, unfortunately we are experiencing the same issue.

Here is the server log:
{“level”:“info”,“ts”:1599745576.6959515,“caller”:“mlog/log.go:176”,“msg”:“LDAP Sync Phase”,“workername”:“EnterpriseLdapSync”,“current_phase”:“github .com/mattermost/mattermost-server/v5/enterprise/ldap.(*LdapSyncWorker).phase1GetLdapUsers-fm”}
{“level”:“info”,“ts”:1599745576.6998627,“caller”:“mlog/log.go:176”,“msg”:“Found users with LDAP configured”,“workername”:“EnterpriseLdapSync”,“num_ldap_users”:0}
{“level”:“info”,“ts”:1599745576.80187,“caller”:“mlog/log.go:176”,“msg”:“LDAP Sync Phase”,“workername”:“EnterpriseLdapSync”,“current_phase”:“github .com/mattermost/mattermost-server/v5/enterprise/ldap.(*LdapSyncWorker).phase2GetSamlUsers-fm”}
{“level”:“info”,“ts”:1599745576.9043784,“caller”:“mlog/log.go:176”,“msg”:“LDAP Sync Phase”,“workername”:“EnterpriseLdapSync”,“current_phase”:“github .com/mattermost/mattermost-server/v5/enterprise/ldap.(*LdapSyncWorker).phase3GetLdapUsersFromLdap-fm”}
{“level”:“info”,“ts”:1599745577.2734756,“caller”:“mlog/log.go:176”,“msg”:“LDAP Sync Phase”,“workername”:“EnterpriseLdapSync”,“current_phase”:“github .com/mattermost/mattermost-server/v5/enterprise/ldap.(*LdapSyncWorker).phase4SyncLdapUsers-fm”}
{“level”:“info”,“ts”:1599745577.3757,“caller”:“mlog/log.go:176”,“msg”:“LDAP Sync Phase”,“workername”:“EnterpriseLdapSync”,“current_phase”:“github .com/mattermost/mattermost-server/v5/enterprise/ldap.(*LdapSyncWorker).phase5SyncSamlUsers-fm”}
{“level”:“info”,“ts”:1599745577.478183,“caller”:“mlog/log.go:176”,“msg”:“LDAP Sync Phase”,“workername”:“EnterpriseLdapSync”,“current_phase”:“github .com/mattermost/mattermost-server/v5/enterprise/ldap.(*LdapSyncWorker).phase6GetGroups-fm”}
{“level”:“info”,“ts”:1599745577.5827017,“caller”:“mlog/log.go:176”,“msg”:“LDAP Sync Phase”,“workername”:“EnterpriseLdapSync”,“current_phase”:“github .com/mattermost/mattermost-server/v5/enterprise/ldap.(*LdapSyncWorker).phase7GetLdapGroups-fm”}
{“level”:“error”,“ts”:1599745577.5880783,“caller”:“mlog/log.go:190”,“msg”:“Failed job”,“workername”:“EnterpriseLdapSync”,“error”:“LdapSession.getAllGroups: error retrieving ldap groups, LDAP Result Code 201 “Filter Compile Error”: ldap: filter does not start with an ‘(’”,“job_id”:“xf85zmirqpytjjzcys7azcffjw”}

What are your config settings set to (settings related to LDAP)?

Here it is, from the config.json:

“LdapSettings”: {
“Enable”: true,
“EnableSync”: true,
“LdapServer”: “dns1.as15932.net”,
“LdapPort”: 389,
“ConnectionSecurity”: “”,
“BaseDN”: “dc=as15932,dc=net”,
“BindUsername”: “uid=radiusbind,cn=users,cn=accounts,dc=as15932,dc=net”,
“BindPassword”: “safepassword”,
“UserFilter”: “”,
“GroupFilter”: “”(objectClass=posixGroup)"",
“GuestFilter”: “”,
“EnableAdminFilter”: false,
“AdminFilter”: “”,
“GroupDisplayNameAttribute”: “cn”,
“GroupIdAttribute”: “”,
“FirstNameAttribute”: “givenName”,
“LastNameAttribute”: “sn”,
“EmailAttribute”: “mail”,
“UsernameAttribute”: “uid”,
“NicknameAttribute”: “”,
“IdAttribute”: “uid”,
“PositionAttribute”: “”,
“LoginIdAttribute”: “uid”,
“PictureAttribute”: “”,
“SyncIntervalMinutes”: 60,
“SkipCertificateVerification”: false,
“QueryTimeout”: 60,
“MaxPageSize”: 0,
“LoginFieldName”: “”,
“LoginButtonColor”: “#0000”,
“LoginButtonBorderColor”: “#2389D7”,
“LoginButtonTextColor”: “#2389D7”,
“Trace”: false
},

We get the same error with anonymous bind (without providing username and password). Connection test is ok, all the user information is being sent to mattermost we saw it on the wireshark capture

Hi, @Yoso89

Chiming in a little bit here based on the error that we are seeing here:

{“level”:“error”,“ts”:1599745577.5880783,“caller”:“mlog/log.go:190”,“msg”:“Failed job”,“workername”:“EnterpriseLdapSync”,“error”:“LdapSession.getAllGroups: error retrieving ldap groups, LDAP Result Code 201 “Filter Compile Error”: ldap: filter does not start with an ‘(’”,“job_id”:“xf85zmirqpytjjzcys7azcffjw”}

Since the error suggests that there is an issue with the LDAP filter, can you please check on the following?

“GroupFilter”: “”(objectClass=posixGroup)"",

If you have access to the front end, can you change it to (objectClass=posixGroup) only? For example:

image1824×256 41.8 KB

Click Save and see if the same issue continues to persist?

Thank you for your help! It works now