LDAP group sync does not work with several LDAP Group mapping #20954


Closed
gd197 opened this issue Aug 25, 2022 · 4 comments
Labels
issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea

Comments

@gd197

gd197 commented Aug 25, 2022

Description

With a valid, working LDAP authentication source configured for AD.
By checking 'Enable LDAP Groups', filling in the group search base, group attribute and user attribute in the configuration form, and checking 'remove users from synchronized teams...'.
Adding one mapping in the JSON form:
{"CN=MY-Team-Usr,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp":{"TOOLS":["developers"]}}
works fine; users are added or removed according to their membership of the LDAP group.
But if we add a second mapping in the form:
{"CN=MY-Team-Usr,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp":{"TOOLS":["developers"]},"CN=p-AppGit-Usr,OU=GIT,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp":{"PROD": ["developers"]} }
the second mapping systematically removes users if they were manually added to the second team, and they are not added at login despite their membership of the LDAP group p-AppGit-Usr.
Please note that a restart of Gitea is required each time the LDAP auth source is changed/updated for the changes to be taken into account.
Please note the 2 teams have the same name in different organizations.
Note also that the logs are unclear, as they mention adding the user to the organisation name instead of the ORG/Team name:
2022/08/25 11:43:20 ...source_group_sync.go:46:SyncLdapGroupsToTeams() [T] [63074437] LDAP group sync: adding user [axxxxxx] to team [TOOLS] <= that is the org name not the team name
Logs filtered on the expression 'ldap' at trace level do not show any significant information other than "adding user to team" or "removing user from team".
Also no log errors about not finding teams or orgs.

Gitea Version

1.17.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.27.0

Operating System

RHEL 8

How are you running Gitea?

From Github release executable

Database

MySQL

@gd197 gd197 added the type/bug label Aug 25, 2022
@gd197
Author

gd197 commented Aug 25, 2022

After further testing, the second mapping in the example above does not work even alone.
There is anyway an issue with the logs and an issue with that group, but I wonder what, and no logs are available.
As the user is removed from the team in Gitea, the issue seems to come from the retrieval of the members of the LDAP group. Member DNs contain escaped ',' characters ('\,') and non-escaped parentheses '(' and ')'.
Here is the output of the ldapsearch command for the group:

dn: CN=p-AppGit-Usr,OU=FunctionalProfiles,OU=GIT,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp
objectClass: top
objectClass: group
cn: p-AppGit-c
member: CN=NAME1\, Surname,OU=MA,OU=Internal,OU=People,DC=my,DC=company,DC=corp
member: CN=NAME-2\, Surname2 (Additional info there),OU=MA,OU=External,OU=People,DC=my,DC=company,DC=corp
member: CN=NAME3\, Surname3 (Additional info there),OU=ED,OU=External,OU=People,DC=my,DC=company,DC=corp
distinguishedName: CN=p-AppGit-Usr,OU=FunctionalProfiles,OU=GIT,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp
instanceType: 4
...

@gd197
Author

gd197 commented Aug 25, 2022

Finally, the only difference between working LDAP groups and non-working LDAP groups in my case looks to be the parentheses in the user DN for the member attribute inside a group object.
If that is confirmed, that means that the membership retrieval fails with some specific characters in the user DN field.

@gd197
Author

gd197 commented Aug 26, 2022

My bad, I found the issue: I had wrongly typed the DN path in the mapping configuration entry.
Note that having a non-existent LDAP group in the config leads to removal of users from the team without an error log.
Maybe that is expected; in this case I can close the issue.
Note also that the logs are anyway confusing, as mentioned in the original post.
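The root cause reported above (a mistyped group DN in the mapping, which Gitea syncs as an empty group and so removes every team member without logging an error) can be caught before it reaches the auth source. The checker below is an added example written for this thread, not Gitea's own code: it parses a group-team mapping in the same JSON shape as the first post ({group DN: {org: [teams]}}), resolves each group DN against an LDIF export such as the ldapsearch output quoted above, and reports any DN that does not exist. The mapping and LDIF it uses are constructed sample data modelled on the issue (the second mapping key deliberately omits the OU=FunctionalProfiles component, exactly the kind of typo that caused the problem). DN comparison follows RFC 4514 (unescaped commas separate RDNs, attribute types and values compare case-insensitively), so a member such as `CN=NAME1\, Surname,OU=...` is handled as one RDN. It also shows, as an aside to the parentheses theory in the second comment, that `(` and `)` are legal unescaped in a DN but must be escaped (RFC 4515) when a DN is placed inside a search filter.

```python
import json

# Constructed sample mapping in the issue's JSON shape: {group DN: {org: [teams]}}.
# The second key is missing "OU=FunctionalProfiles" on purpose (a typo of the kind
# that caused the reported behaviour), so the check below flags it.
MAPPING_JSON = """{
 "CN=MY-Team-Usr,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp": {"TOOLS": ["developers"]},
 "CN=p-AppGit-Usr,OU=GIT,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp": {"PROD": ["developers"]}
}"""

# Constructed LDIF excerpt in the style of the ldapsearch output quoted in the issue.
LDIF = """dn: CN=MY-Team-Usr,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp
objectClass: group
member: CN=NAME0\\, Surname0,OU=MA,OU=Internal,OU=People,DC=my,DC=company,DC=corp

dn: CN=p-AppGit-Usr,OU=FunctionalProfiles,OU=GIT,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp
objectClass: group
member: CN=NAME1\\, Surname,OU=MA,OU=Internal,OU=People,DC=my,DC=company,DC=corp
member: CN=NAME-2\\, Surname2 (Additional info there),OU=MA,OU=External,OU=People,DC=my,DC=company,DC=corp
"""


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings on unescaped commas (RFC 4514).
    A backslash escapes the following character, so 'CN=NAME1\\, Surname' stays one RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: lower-cased attribute types and values,
    no whitespace around '=' or ','. AD/LDAP DN matching is case-insensitive."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def parse_ldif(text: str) -> dict:
    """Minimal LDIF parser: returns {normalized dn: {attr: [values]}}.
    Folded lines (leading space) are joined; base64 ('::') values are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:  # sentinel blank line closes the last entry
        if not line.strip():
            if current is not None:
                entries[normalize_dn(current["dn"])] = current
                current = None
            continue
        attr, sep, value = line.partition(": ")
        if not sep or attr.endswith(":"):
            continue  # comment, malformed or base64 line: ignored by this minimal parser
        if attr == "dn":
            current = {"dn": value}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def check_mapping(mapping_json: str, ldif: str) -> dict:
    """Resolve every group DN in a Gitea-style group-team mapping against the export.
    A key listed under 'missing' would be synchronized as a group with no members."""
    mapping = json.loads(mapping_json)
    directory = parse_ldif(ldif)
    found, missing = {}, []
    for group_dn, org_teams in mapping.items():
        entry = directory.get(normalize_dn(group_dn))
        if entry is None:
            missing.append(group_dn)
        else:
            found[group_dn] = {"teams": org_teams, "members": entry.get("member", [])}
    return {"found": found, "missing": missing}


# RFC 4515: characters that must be escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value (e.g. a member DN) for use inside an LDAP search filter.
    Parentheses are fine unescaped in a DN but not inside '(member=...)'."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


if __name__ == "__main__":
    result = check_mapping(MAPPING_JSON, LDIF)
    for dn, info in result["found"].items():
        print(f"OK      {dn} -> {info['teams']} ({len(info['members'])} members)")
    for dn in result["missing"]:
        print(f"MISSING {dn}  (not in directory: its teams would be emptied on sync)")
```

Run it against a real export by replacing the two constants with the mapping JSON from the auth source form and the output of `ldapsearch -LLL` over the group search base; any MISSING line is a DN to correct before enabling "remove users from synchronized teams".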

@drequivalent

drequivalent commented Sep 13, 2022

Having the same issue with FreeIPA. But this time, nothing works. Settings are as follows:
[Screenshot from 2022-09-13 18-45-01]

{"cn=developers,cn=groups,cn=accounts,dc=autogramma,dc=lan":{"Autogramma":["Developers"]},"cn=engineers,cn=groups,cn=accounts,dc=autogramma,dc=lan":{"Autogramma":["Engineers"]}}

Any help?

@go-gitea go-gitea locked as resolved and limited conversation to collaborators Sep 13, 2022
@delvh delvh added issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea and removed reviewed/invalid labels Oct 7, 2023