From ed5e7d03c6c44666c6fe97a15e8ce33d223c4466 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Wed, 29 Mar 2023 10:54:36 +0100
Subject: [PATCH] Don't apply the group filter when listing LDAP group
 membership if it is empty (#23745)

When running listLdapGroupMemberships check if the groupFilter is empty
before using it to list memberships.

Fix #23615

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 services/auth/source/ldap/source_search.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go
index 5a2d25b0c4..2a61386ae1 100644
--- a/services/auth/source/ldap/source_search.go
+++ b/services/auth/source/ldap/source_search.go
@@ -208,7 +208,7 @@ func (source *Source) listLdapGroupMemberships(l *ldap.Conn, uid string, applyGr
 	}
 
 	var searchFilter string
-	if applyGroupFilter {
+	if applyGroupFilter && groupFilter != "" {
 		searchFilter = fmt.Sprintf("(&(%s)(%s=%s))", groupFilter, source.GroupMemberUID, ldap.EscapeFilter(uid))
 	} else {
 		searchFilter = fmt.Sprintf("(%s=%s)", source.GroupMemberUID, ldap.EscapeFilter(uid))