From 39b46e99a9b930ea39cf640c3080530cfff5be6e Mon Sep 17 00:00:00 2001
From: Kyle Mendell
Date: Sun, 16 Feb 2025 11:27:07 -0600
Subject: [PATCH] feat: add LDAP group membership attribute (#236)
Co-authored-by: Elias Schneider
---
 backend/internal/dto/app_config_dto.go | 1 +
 backend/internal/model/app_config.go | 1 +
 backend/internal/service/app_config_service.go | 5 +++++
 backend/internal/service/ldap_service.go | 5 +++--
 frontend/src/lib/types/application-configuration.ts | 1 +
 .../forms/app-config-ldap-form.svelte | 11 ++++++++++-
 6 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/backend/internal/dto/app_config_dto.go b/backend/internal/dto/app_config_dto.go
index f0646ad..c0cbc9a 100644
--- a/backend/internal/dto/app_config_dto.go
+++ b/backend/internal/dto/app_config_dto.go
@@ -36,6 +36,7 @@ type AppConfigUpdateDto struct {
 LdapAttributeUserEmail string `json:"ldapAttributeUserEmail"`
 LdapAttributeUserFirstName string `json:"ldapAttributeUserFirstName"`
 LdapAttributeUserLastName string `json:"ldapAttributeUserLastName"`
+ LdapAttributeGroupMember string `json:"ldapAttributeGroupMember"`
 LdapAttributeGroupUniqueIdentifier string `json:"ldapAttributeGroupUniqueIdentifier"`
 LdapAttributeGroupName string `json:"ldapAttributeGroupName"`
 LdapAttributeAdminGroup string `json:"ldapAttributeAdminGroup"`
diff --git a/backend/internal/model/app_config.go b/backend/internal/model/app_config.go
index 5da49b5..7a834f8 100644
--- a/backend/internal/model/app_config.go
+++ b/backend/internal/model/app_config.go
@@ -43,6 +43,7 @@ type AppConfig struct {
 LdapAttributeUserEmail AppConfigVariable
 LdapAttributeUserFirstName AppConfigVariable
 LdapAttributeUserLastName AppConfigVariable
+ LdapAttributeGroupMember AppConfigVariable
 LdapAttributeGroupUniqueIdentifier AppConfigVariable
 LdapAttributeGroupName AppConfigVariable
 LdapAttributeAdminGroup AppConfigVariable
diff --git a/backend/internal/service/app_config_service.go b/backend/internal/service/app_config_service.go
index c5e3471..b566749 100644
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -173,6 +173,11 @@ var defaultDbConfig = model.AppConfig{
 Key: "ldapAttributeUserLastName",
 Type: "string",
 },
+ LdapAttributeGroupMember: model.AppConfigVariable{
+ Key: "ldapAttributeGroupMember",
+ Type: "string",
+ DefaultValue: "member",
+ },
 LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{
 Key: "ldapAttributeGroupUniqueIdentifier",
 Type: "string",
diff --git a/backend/internal/service/ldap_service.go b/backend/internal/service/ldap_service.go
index e0afe7f..a8b652d 100644
--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -70,12 +70,13 @@ func (s *LdapService) SyncGroups() error {
 baseDN := s.appConfigService.DbConfig.LdapBase.Value
 nameAttribute := s.appConfigService.DbConfig.LdapAttributeGroupName.Value
 uniqueIdentifierAttribute := s.appConfigService.DbConfig.LdapAttributeGroupUniqueIdentifier.Value
+ groupMemberOfAttribute := s.appConfigService.DbConfig.LdapAttributeGroupMember.Value
 filter := s.appConfigService.DbConfig.LdapUserGroupSearchFilter.Value
 searchAttrs := []string{
 nameAttribute,
 uniqueIdentifierAttribute,
- "member",
+ groupMemberOfAttribute,
 }
 searchReq := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, searchAttrs, []ldap.Control{})
@@ -99,7 +100,7 @@ func (s *LdapService) SyncGroups() error {
 s.db.Where("ldap_id = ?", ldapId).First(&databaseGroup)
 // Get group members and add to the correct Group
- groupMembers := value.GetAttributeValues("member")
+ groupMembers := value.GetAttributeValues(groupMemberOfAttribute)
 for _, member := range groupMembers {
 // Normal output of this would be CN=username,ou=people,dc=example,dc=com
 // Splitting at the "=" and "," then just grabbing the username for that string
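Review bot: `groupMemberOfAttribute` is read from configuration in SyncGroups and passed straight into `searchAttrs` and `GetAttributeValues` with no check for an empty value. The form schema later in this patch declares `ldapAttributeGroupMember: z.string()` without the `.min(1)` its neighbours carry, and the DTO field has only a `json` tag, so a blank attribute can apparently be saved. Unless `.Value` falls back to the `"member"` default somewhere not shown, the sync would then read no members for any group and membership-derived access would change silently. I would guard at the point of use with `if groupMemberOfAttribute == "" { groupMemberOfAttribute = "member" }` and tighten the schema to `z.string().min(1)`. The local name also reads like the user-side `memberOf` attribute, so `groupMemberAttribute` would match the config key better; SyncGroups begins and ends outside this hunk.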
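Review bot: Making the attribute configurable at `value.GetAttributeValues(groupMemberOfAttribute)` leaves the following comments, and presumably the parsing they describe, assuming every value is a DN such as `CN=username,ou=people,dc=example,dc=com`. Attributes like `memberUid` carry bare usernames, so splitting at "=" and "," could map a member to the wrong user or, if the code indexes the split result, fail on a value with no "="; the parsing itself lies outside this hunk, so this is inferred from the comments. Because group membership feeds authorization decisions, values that do not parse as a DN should be skipped and logged rather than guessed at, for instance by checking `ldap.ParseDN(member)` first if the `ldap` package here is go-ldap. The constraint also deserves a comment beside the setting, such as `// Values must be DNs; the first RDN value is taken as the username`.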
diff --git a/frontend/src/lib/types/application-configuration.ts b/frontend/src/lib/types/application-configuration.ts
index fc5976a..4cac776 100644
--- a/frontend/src/lib/types/application-configuration.ts
+++ b/frontend/src/lib/types/application-configuration.ts
@@ -31,6 +31,7 @@ export type AllAppConfig = AppConfig & {
 ldapAttributeUserEmail: string;
 ldapAttributeUserFirstName: string;
 ldapAttributeUserLastName: string;
+ ldapAttributeGroupMember: string;
 ldapAttributeGroupUniqueIdentifier: string;
 ldapAttributeGroupName: string;
 ldapAttributeAdminGroup: string;
diff --git a/frontend/src/routes/settings/admin/application-configuration/forms/app-config-ldap-form.svelte b/frontend/src/routes/settings/admin/application-configuration/forms/app-config-ldap-form.svelte
index ff7a6de..79772a3 100644
--- a/frontend/src/routes/settings/admin/application-configuration/forms/app-config-ldap-form.svelte
+++ b/frontend/src/routes/settings/admin/application-configuration/forms/app-config-ldap-form.svelte
@@ -38,6 +38,7 @@
 ldapAttributeUserEmail: appConfig.ldapAttributeUserEmail,
 ldapAttributeUserFirstName: appConfig.ldapAttributeUserFirstName,
 ldapAttributeUserLastName: appConfig.ldapAttributeUserLastName,
+ ldapAttributeGroupMember: appConfig.ldapAttributeGroupMember,
 ldapAttributeGroupUniqueIdentifier: appConfig.ldapAttributeGroupUniqueIdentifier,
 ldapAttributeGroupName: appConfig.ldapAttributeGroupName,
 ldapAttributeAdminGroup: appConfig.ldapAttributeAdminGroup
@@ -56,6 +57,7 @@
 ldapAttributeUserEmail: z.string().min(1),
 ldapAttributeUserFirstName: z.string().min(1),
 ldapAttributeUserLastName: z.string().min(1),
+ ldapAttributeGroupMember: z.string(),
 ldapAttributeGroupUniqueIdentifier: z.string().min(1),
 ldapAttributeGroupName: z.string().min(1),
 ldapAttributeAdminGroup: z.string()
@@ -98,8 +100,8 @@
+

Client Configuration

-

Client Configuration

+
+
{#if ldapEnabled}