LDAP Login in Active Directory Environments with Multiple Subfolders

[valentin2105]

Describe the bug

The LDAP connection works as expected in a typical LDAP setup when all users are located within the same Organizational Unit (OU).

However, in an Active Directory environment with multiple subfolders, users are required to provide the full distinguished name (DN) for login. For example:

CN=Valentin Ouvrard,OU=Users,OU=DSI,OU=Bureau1,OU=SITES,DC=place-holder,DC=prod

Even though the base DN is configured correctly (e.g., DC=place-holder,DC=prod), the LDAP login is unable to traverse or search through subfolders to find users in different OUs.

Steps to Reproduce

Set up LDAP in CloudBeaver with an Active Directory that has users organized in multiple sub-OUs.

Attempt to log in with a user account that is located in a subfolder (OU).

Example structure:

OU=Users
  OU=DSI
    OU=Bureau1
      OU=SITES

You will encounter the following error:

Caused by: org.jkiss.dbeaver.DBException: LDAP user access validation by filter failed: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=place-holder,DC=prod'
]

Expected Behavior
The LDAP login should be able to search through all subfolders under the configured base DN without requiring the user to provide the full DN path.

[EvgeniaBzzz]

Hi @valentin2105
Thank you for your report!
It is expected behavior for now. We'll improve it in one of the future releases.