Closed
Hi,
First, thanks for this great tool; I had been looking for something like it for a long time. I was using pg_ldap_sync before, which was acceptable, but I'm not so much for Ruby.
Now I'm trying to move to ldap2pg 5.9 and have this problem:
when searching for the sAMAccountName of group members, the sub-query executed for each member doesn't find anything.
ldap2pg -v gives this output:
```text
2025-03-12 10:59:30,456 INFO: ldap2pg.manager: Query LDAP for users.
2025-03-12 10:59:30,456 INFO: ldap2pg.manager: Querying LDAP DC=example,DC=com... (cn=DB-*...
2025-03-12 10:59:30,456 DEBUG: ldap2pg.ldap: Doing: ldapsearch -x -D 'CN=ldapqueryuser,OU=Users,DC=example,DC=com' -W -b DC=example,DC=com -s sub '(cn=DB-*)' member
2025-03-12 10:59:30,459 DEBUG: ldap2pg.manager: Got 4 entries from LDAP.
2025-03-12 10:59:30,459 DEBUG: ldap2pg.manager: Discarding ref: ['ldaps://DomainDnsZones.example.com/D.
2025-03-12 10:59:30,459 INFO: ldap2pg.manager: Sub-querying LDAP CN=User Name,OU=U...
2025-03-12 10:59:30,459 DEBUG: ldap2pg.ldap: Doing: ldapsearch -x -D 'CN=ldapqueryuser,OU=Users,DC=example,DC=com' -W -b CN=User Name,OU=Users,DC=example,DC=com -s sub '(objectClass=*)' sAMAccountName
```
Output of the ldapsearch command from the DEBUG line:
```console
$ ldapsearch -H ldaps://example.com -w $LDAPPASSWORD -x -D 'CN=ldapqueryuser,OU=Users,DC=example,DC=com' -b CN=User Name,OU=Users,DC=example,DC=com -s sub '(objectClass=*)' sAMAccountName
# extended LDIF
#
# LDAPv3
# base <CN=User> with scope subtree
# filter: Name,OU=Us
# requesting: User,OU=Users,DC=example,DC=com (objectClass=*) sAMAccountName
#
ldap_search_ext: Bad search filter (-7)
```
It's clear that the base was cut off at the first space, and all following parameters were shifted left.
When I quote the base, the search is correct and I get the desired output:
```console
$ ldapsearch -H ldaps://example.com -w $LDAPPASSWORD -x -D 'CN=ldapqueryuser,OU=Users,DC=example,DC=com' -b 'CN=User Name,OU=Users,DC=example,DC=com' -s sub '(objectClass=*)' sAMAccountName
# extended LDIF
#
# LDAPv3
# base <CN=User Name,OU=Users,DC=example,DC=com> with scope subtree
# filter: (objectClass=*)
# requesting: sAMAccountName
#
```
The corresponding sync_map part of ldap2pg.yml:
```yaml
- description: "Query LDAP for users."
  ldapsearch:
    base: DC=example,DC=com
    filter: "(cn=CN=DB-*)"
  role:
    name: '"{member.sAMAccountName}"'
    options: LOGIN
    parent:
      - ad_users
```
Just asking if you can fix it :)
Greetings,
Hubert
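As an added illustration (this is not ldap2pg's own code; the function names shellQuote, renderLDAPSearch, shellSplit and optionValue are my own), here is a small Go program that renders the debug command line with POSIX single-quote quoting for every argument that is not a plain word, then splits it back the way a shell would. It shows that a base DN containing a space, like the `CN=User Name,...` one in the report, survives the round trip, while naive whitespace splitting of the unquoted line truncates the base to `CN=User` and shifts every later parameter left, exactly as the ldapsearch output above shows. Quoting every argument (not just the ones that happen to contain a space today) also keeps DN characters such as parentheses, `*` and `'` from being interpreted by a shell if someone copies the line and runs it.

```go
package main

import (
	"fmt"
	"strings"
)

// isSafe reports whether s can be printed bare on a command line: only
// letters, digits, '-' and '_' (so flags like -b and words like sub stay readable).
func isSafe(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '-', r == '_':
		default:
			return false
		}
	}
	return true
}

// shellQuote wraps s in POSIX single quotes so a shell sees it as exactly one
// argument, whatever spaces, parentheses or wildcards it contains. A literal
// single quote inside s becomes '\'' (close quote, escaped quote, reopen quote).
func shellQuote(s string) string {
	if isSafe(s) {
		return s
	}
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// renderLDAPSearch builds the ldapsearch line shown in ldap2pg's debug log,
// quoting each argument individually instead of joining raw strings.
func renderLDAPSearch(bindDN, base, scope, filter string, attrs []string) string {
	args := []string{"ldapsearch", "-x", "-D", bindDN, "-W", "-b", base, "-s", scope, filter}
	args = append(args, attrs...)
	quoted := make([]string, 0, len(args))
	for _, a := range args {
		quoted = append(quoted, shellQuote(a))
	}
	return strings.Join(quoted, " ")
}

// shellSplit splits a command line the way a POSIX shell would for the subset
// of quoting shellQuote emits: single quotes, and backslash escapes outside them.
func shellSplit(line string) []string {
	var words []string
	var cur strings.Builder
	inWord, inQuote := false, false
	for i := 0; i < len(line); i++ {
		c := line[i]
		switch {
		case inQuote:
			if c == '\'' {
				inQuote = false
			} else {
				cur.WriteByte(c)
			}
		case c == '\'':
			inQuote, inWord = true, true
		case c == '\\' && i+1 < len(line):
			i++
			cur.WriteByte(line[i])
			inWord = true
		case c == ' ' || c == '\t':
			if inWord {
				words = append(words, cur.String())
				cur.Reset()
				inWord = false
			}
		default:
			cur.WriteByte(c)
			inWord = true
		}
	}
	if inWord {
		words = append(words, cur.String())
	}
	return words
}

// optionValue returns the argument that follows flag in argv ("" if absent);
// it is how the checks below pick the -b base out of a split command line.
func optionValue(argv []string, flag string) string {
	for i := 0; i+1 < len(argv); i++ {
		if argv[i] == flag {
			return argv[i+1]
		}
	}
	return ""
}

func main() {
	// Constructed values taken from the report above (example.com is a placeholder domain).
	base := "CN=User Name,OU=Users,DC=example,DC=com"
	line := renderLDAPSearch("CN=ldapqueryuser,OU=Users,DC=example,DC=com", base, "sub", "(objectClass=*)", []string{"sAMAccountName"})
	fmt.Println(line)
	fmt.Println("quoted round trip base:", optionValue(shellSplit(line), "-b"))
	fmt.Println("naive split base:      ", optionValue(strings.Fields("ldapsearch -b "+base), "-b"))
}
```

Running it prints the corrected command line from the report (`-b 'CN=User Name,OU=Users,DC=example,DC=com'`), recovers the full base from the quoted line, and recovers only `CN=User` from the unquoted one.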