Fix OpenLDAP custom queries to use search_scope parameter

[puretension]

What does this PR do?

Fixes the OpenLDAP integration to properly use the search_scope parameter in custom queries. The parameter was documented in the configuration but was being ignored during LDAP search operations.

Motivation

Users reported in #20685 that the search_scope parameter in OpenLDAP custom queries was not working as expected. The parameter is documented in conf.yaml.example but the actual search implementation was not using this parameter, making it impossible to control LDAP search scope (base, level, or subtree).

Review checklist (to be filled by reviewers)

• Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
• Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
• If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.00%. Comparing base (9063f29) to head (039403f).
⚠️ Report is 21 commits behind head on master.

Additional details and impacted files

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[AAraKKe]

Thanks a lot for the PR @puretension ! I just left a couple of small requests, once they are handled I am happy to go ahead with the merge.

My Feedback Legend

Here's a quick guide to the prefixes I use in my comments:

praise: no action needed, just celebrate!
question: I need clarification or I'm seeking to understand your approach.
suggestion: I'm proposing an improvement. This is optional but recommended.
nit: A minor, non-blocking issue (e.g., style, typo). Feel free to ignore.
request: A change I believe is necessary before this can be merged.

The only blocking comments are request, any other type of comment can be applied at discretion of the developer.

[AAraKKe]

request: thanks for defining the default in our side! Since the documentation clearly states the default it is good that we are not allowing this default to be chosen by the library implementation.

Can you please keep this default as an ldap3 constant as a class constant instead of hidden here? Something like DEFAULT_SEARCH_SCOPE = ldqp3.SUBREE would be great.

[puretension]

Hi @AAraKKe,

Thank you for the detailed feedback! I've addressed all your requests in the latest commit. I added the DEFAULT_SEARCH_SCOPE class constant using ldap3.SUBTREE instead of the hardcoded string, implemented the SEARCH_SCOPE_MAPPING dictionary for efficient lookups, and changed the error handling to skip invalid queries with proper logging instead of silently falling back to defaults.
For the tests, I created comprehensive parameterized tests covering all valid values in both cases, added a test for default behavior when the option is not supplied, and included a test that verifies invalid values log errors and skip the search entirely.
I noticed your suggested code used DEFAULT_SEARCH_SCOPE as the default value, but since it's an ldap3 constant, I kept the string subtree as the default to avoid issues with the .lower() call. Please let me know if there's anything else you'd like me to adjust!

[AAraKKe]

Thanks a lot for the follow up @puretension !! I just have a question and a very small request on the updated tests. Would you mind clarifying why the constant is not used? The intention of defining it is to use it there but I am not seeing why the lower method would be an issue.

Once clarified I am happy to merge it.

Thanks!!

My Feedback Legend

Here's a quick guide to the prefixes I use in my comments:

praise: no action needed, just celebrate!
note: just a comment/information, no need to take any action.
question: I need clarification or I'm seeking to understand your approach.
nit: A minor, non-blocking issue (e.g., style, typo). Feel free to ignore.
suggestion: I'm proposing an improvement. This is optional but recommended.
request: A change I believe is necessary before this can be merged.

The only blocking comments are request, any other type of comment can be applied at discretion of the developer.

[github-actions]

⚠️ The qa/skip-qa label has been added with shippable changes

The following files, which will be shipped with the agent, were modified in this PR and
the qa/skip-qa label has been added.

You can ignore this if you are sure the changes in this PR do not require QA. Otherwise, consider removing the label.

List of modified files that will be shipped with the agent

openldap/changelog.d/21385.fixed
openldap/datadog_checks/openldap/openldap.py

[puretension]

@AAraKKe Thanks for catching that! You're absolutely right! I missed using the constant even though it was already defined.

I've updated both the main code and tests to use DEFAULT_SEARCH_SCOPE instead of hardcoded values. Changed query.get("search_scope", "subtree") to query.get("search_scope", self.DEFAULT_SEARCH_SCOPE) in the main code and replaced all ldap3.SUBTREE with DEFAULT_SEARCH_SCOPE in the test assertions.

As you mentioned, ldap3.SUBTREE is indeed a string so .lower() works perfectly fine. The constant is now centralized and easily recognizable as intended. Thanks for the guidance!

[AAraKKe]

Thanks for the update @puretension! I left a small nit, will leave to you to decide if you want to change it but it is approved. Will check later and merge if nothing else has changed.

Review from AAraKKe is dismissed. Related teams and files:

• agent-integrations
  • openldap/tests/test_unit.py

[AAraKKe]

@puretension I was about to merge and noticed that there is a linting error, can you fix it? I cannot update the branch through the gh cli for some reason.

[AAraKKe]

Can you please make sure to update your branch with the latest in master to make sure you have the latest version to run the tests? It seems that you fix the issue and force push after I have updated it from the PR which downgrades it again.

• Upgrade your branch with the latest from master
• Run ddev test --fmt openldap
• Commit the current state and push

Thanks!

[puretension]

Hi @AAraKKe,

Thank you for your patience! I've completed all the requested steps.
I updated the branch with the latest master, ran ddev test --fmt openldap (after fixing the ddev configuration),
and pushed the changes.
The linting issues have been resolved and the PR should be ready for merge now.

I really appreciate you teaching me about the ddev test --fmt command. I wasn't familiar with it before.
Sorry for the multiple failed attempts, and thanks for your guidance throughout this process! 🙏

[AAraKKe]

Thanks @puretension ! All good from my side 🚀