Default groupSearch.attributes.groupName to "dn" instead of "cn"

- DNs are more unique than CNs, so it feels like a safer default
2026-01-11 00:10:44 +00:00 · 2021-05-28 13:27:11 -07:00
parent a741041737
commit cedbe82bbb
19 changed files with 81 additions and 45 deletions
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@@ -278,7 +278,7 @@ func TestE2EFullIntegration(t *testing.T) {
 	// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands.
 	t.Run("with Supervisor LDAP upstream IDP", func(t *testing.T) {
 		expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
-		expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsCNs
+		expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs

 		// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
 		library.CreateTestClusterRoleBinding(t,
@@ -321,7 +321,7 @@ func TestE2EFullIntegration(t *testing.T) {
 				Base:   env.SupervisorUpstreamLDAP.GroupSearchBase,
 				Filter: "", // use the default value of "member={}"
 				Attributes: idpv1alpha1.LDAPIdentityProviderGroupSearchAttributes{
-					GroupName: "", // use the default value of "cn"
+					GroupName: "", // use the default value of "dn"
 				},
 			},
 		}, idpv1alpha1.LDAPPhaseReady)
--- a/test/integration/ldap_client_test.go
+++ b/test/integration/ldap_client_test.go
@@ -243,6 +243,20 @@ func TestLDAPSearch(t *testing.T) {
 				}},
 			},
 		},
+		{
+			name:     "using the default group name attribute, which is dn",
+			username: "pinny",
+			password: pinnyPassword,
+			provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+				p.GroupSearch.GroupNameAttribute = ""
+			})),
+			wantAuthResponse: &authenticator.Response{
+				User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{
+					"cn=ball-game-players,ou=beach-groups,ou=groups,dc=pinniped,dc=dev",
+					"cn=seals,ou=groups,dc=pinniped,dc=dev",
+				}},
+			},
+		},
 		{
 			name:     "using some other custom group name attribute",
 			username: "pinny",
@@ -675,8 +689,8 @@ func defaultProviderConfig(env *library.TestEnv, port string) *upstreamldap.Prov
 		},
 		GroupSearch: upstreamldap.GroupSearchConfig{
 			Base:               "ou=groups,dc=pinniped,dc=dev",
-			Filter:             "", // defaults to member={}
-			GroupNameAttribute: "", // defaults to cn
+			Filter:             "",   // defaults to member={}
+			GroupNameAttribute: "cn", // defaults to dn, but here we set it to cn
 		},
 	}
 }