Hi @"Igor Solodovnikov"
So I think I have things configured correctly, but I can't get this to work. I think it may be due to the comma in the DN that needs to be escaped but it may not be happening.
```
security:
  authorization: enabled
  ldap:
    transportSecurity: none
    servers: ldap.internal.domain.com
    bind:
      queryUser: "CN=SVC_LDAP_RO,OU=General,OU=Service,OU=Accounts,DC=internal,DC=domain,DC=com"
      queryPassword: "password"
    userToDNMapping: >-
      [
        {
          match: "(.+)",
          ldapQuery: "dc=internal,dc=domain,dc=com??sub?(&(objectClass=person)(sAMAccountName={0}))"
        }
      ]
    authz:
      # queryTemplate: "dc=internal,dc=domain,dc=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"
      queryTemplate: "{USER},memberOf,base"
```

No matter what I do, it doesn't seem to work.

With either queryTemplate, I get: "QUERY [js] Error: LDAP search failed with error: Operations error".

When I query from the console using ldapsearch, both of these return proper groups:

```
ldapsearch -LLL -h ldap.internal.domain.com -x -D "CN=SVC_LDAP_RO,OU=General,OU=Service,OU=Accounts,DC=internal,DC=domain,DC=com" -w password -b "DC=internal,DC=domain,DC=com" "(&(objectClass=person)(distinguishedName=CN=LName\5C, FName,OU=HQ,OU=Users,OU=Accounts,DC=internal,DC=domain,DC=com))" memberOf
```

```
ldapsearch -LLL -h ldap.internal.domain.com -x -D "CN=SVC_LDAP_RO,OU=General,OU=Service,OU=Accounts,DC=internal,DC=domain,DC=com" -w password -b "DC=internal,DC=domain,DC=com" "(&(objectClass=Group)(member:1.2.840.113556.1.4.1941:=CN=LName\\\\, FName,OU=HQ,OU=Users,OU=Accounts,DC=internal,DC=domain,DC=com))"
```

In both these queries, you have to escape using either 4 backslashes or \5C before the comma in the CN. I have a feeling that it's passing LName\, FName into the group query and not escaping it properly.

Is there a way to actually get this to work that you've used?
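The two escaping layers the post runs into (RFC 4514 for the comma inside the DN, RFC 4515 for the backslash once that DN becomes a filter value), shown as an added example that is not part of the original post. The function names and the sample name are constructed for illustration, and the code says nothing about how any particular server performs the substitution.

```python
import re

# RFC 4514: characters that must be backslash-escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)  # leading space/'#' and trailing space
        else:
            out.append(ch)
    return "".join(out)

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a string (here, a whole DN) for use as an LDAP filter value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# A backslash not followed by two hex digits is not an RFC 4515 escape.
_NON_HEX_ESCAPE = re.compile(r"\\(?![0-9A-Fa-f]{2})")

def has_non_rfc4515_escape(filter_value: str) -> bool:
    """True when a filter value still carries a DN-style escape such as '\\,'."""
    return bool(_NON_HEX_ESCAPE.search(filter_value))

def group_filter_for(cn: str, base_dn: str):
    """Build the user DN, then the nested-group filter that embeds it."""
    user_dn = f"CN={escape_rdn_value(cn)},{base_dn}"
    flt = ("(&(objectClass=group)(member:1.2.840.113556.1.4.1941:="
           f"{escape_filter_value(user_dn)}))")
    return user_dn, flt

if __name__ == "__main__":
    # Constructed sample, mirroring the placeholder names used in the post.
    dn, flt = group_filter_for(
        "LName, FName", "OU=HQ,OU=Users,OU=Accounts,DC=internal,DC=domain,DC=com")
    print(dn)
    print(flt)
    print("raw DN usable as filter value:", not has_non_rfc4515_escape(dn))
```
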