Closed
etecs-ru/glauth
#3
Regression 2.0.0 -> 2.1.0-rc1
The dn reported by a search query contains 2 ou= thingies, both for the primary group and another group called "users". Like this: cn=hellerbarde,ou=superheros,ou=users,dc=example,dc=com
This dn is then used as a binddn, which gets rejected by glauth. See this log excerpt:
12:59:22.641675 Bind ▶ DEBU 009 "level"=6 "msg"="Bind request" "basedn"="dc=example,dc=com" "binddn"="cn=hellerbarde,ou=superheros,ou=users,dc=example,dc=com" "src"={"IP":"127.0.0.1","Port":40340,"Zone":""}
12:59:22.641726 findUser ▶ WARN 00a "level"=2 "msg"="BindDN should have only one or two parts" "binddn"="cn=hellerbarde,ou=superheros,ou=users,dc=example,dc=com" "numparts"=3
I had this problem with both gitbucket and dex.
I don't know enough LDAP-lingo to properly explain what's happening, but I'm assuming that the "users" group is implicit to all users?
In any case, I tried to find the code that returns the dn attribute but I couldn't figure it out. 😄
I also mentioned this in the matrix channel, but I figured a proper bug report couldn't hurt.
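The mismatch reported above can be caught with a round-trip check: every dn a directory returns from a search should pass that directory's own bind DN validation. The following is an added example, not glauth's code. It models only the rule quoted in the warning ("BindDN should have only one or two parts") and assumes simple DNs without escaped commas; the function names and the second sample dn are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// relativeParts strips baseDN from dn and returns the remaining components.
// Assumption: no escaped commas, as in the DNs shown in the issue's log.
func relativeParts(dn, baseDN string) ([]string, error) {
	dn = strings.ToLower(strings.TrimSpace(dn))
	suffix := "," + strings.ToLower(strings.TrimSpace(baseDN))
	if !strings.HasSuffix(dn, suffix) {
		return nil, fmt.Errorf("dn %q is not under base %q", dn, baseDN)
	}
	return strings.Split(strings.TrimSuffix(dn, suffix), ","), nil
}

// acceptsBindDN models the rule from the warning: one or two parts only.
func acceptsBindDN(dn, baseDN string) (bool, int) {
	parts, err := relativeParts(dn, baseDN)
	if err != nil {
		return false, 0
	}
	return len(parts) == 1 || len(parts) == 2, len(parts)
}

// roundTripFailures lists search-result DNs that the bind rule would reject.
func roundTripFailures(searchDNs []string, baseDN string) []string {
	var bad []string
	for _, dn := range searchDNs {
		if ok, _ := acceptsBindDN(dn, baseDN); !ok {
			bad = append(bad, dn)
		}
	}
	return bad
}

func main() {
	base := "dc=example,dc=com"
	dns := []string{
		"cn=hellerbarde,ou=superheros,ou=users,dc=example,dc=com", // dn from the issue
		"cn=hellerbarde,ou=superheros,dc=example,dc=com",          // constructed sample
	}
	for _, dn := range dns {
		ok, n := acceptsBindDN(dn, base)
		fmt.Printf("numparts=%d accepted=%v dn=%s\n", n, ok, dn)
	}
	fmt.Println("round-trip failures:", roundTripFailures(dns, base))
}
```

Run against the DNs a server actually returns, a non-empty failure list means clients that search first and then bind with the returned dn (the pattern described for gitbucket and dex) will be rejected.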