From 626f87d59211f4129098b91dc1d020edb4aca692 Mon Sep 17 00:00:00 2001
From: Kyle Mendell
Date: Sat, 8 Feb 2025 11:16:57 -0600
Subject: [PATCH] feat: add custom ldap search filters (#216)
---
 backend/internal/dto/app_config_dto.go | 2 ++
 backend/internal/model/app_config.go | 2 ++
 backend/internal/service/app_config_service.go | 10 ++++++++++
 backend/internal/service/ldap_service.go | 5 ++---
 .../src/lib/types/application-configuration.ts | 2 ++
 .../forms/app-config-ldap-form.svelte | 16 ++++++++++++++++
 frontend/tests/application-configuration.spec.ts | 4 ++++
 7 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/backend/internal/dto/app_config_dto.go b/backend/internal/dto/app_config_dto.go
index 6694662..f0646ad 100644
--- a/backend/internal/dto/app_config_dto.go
+++ b/backend/internal/dto/app_config_dto.go
@@ -28,6 +28,8 @@ type AppConfigUpdateDto struct {
 LdapBindDn string `json:"ldapBindDn"`
 LdapBindPassword string `json:"ldapBindPassword"`
 LdapBase string `json:"ldapBase"`
+ LdapUserSearchFilter string `json:"ldapUserSearchFilter"`
+ LdapUserGroupSearchFilter string `json:"ldapUserGroupSearchFilter"`
 LdapSkipCertVerify string `json:"ldapSkipCertVerify"`
 LdapAttributeUserUniqueIdentifier string `json:"ldapAttributeUserUniqueIdentifier"`
 LdapAttributeUserUsername string `json:"ldapAttributeUserUsername"`
diff --git a/backend/internal/model/app_config.go b/backend/internal/model/app_config.go
index 46ede47..5da49b5 100644
--- a/backend/internal/model/app_config.go
+++ b/backend/internal/model/app_config.go
@@ -35,6 +35,8 @@ type AppConfig struct {
 LdapBindDn AppConfigVariable
 LdapBindPassword AppConfigVariable
 LdapBase AppConfigVariable
+ LdapUserSearchFilter AppConfigVariable
+ LdapUserGroupSearchFilter AppConfigVariable
 LdapSkipCertVerify AppConfigVariable
 LdapAttributeUserUniqueIdentifier AppConfigVariable
 LdapAttributeUserUsername AppConfigVariable
diff --git a/backend/internal/service/app_config_service.go b/backend/internal/service/app_config_service.go
index 5fc92c4..dfd748d 100644
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -138,6 +138,16 @@ var defaultDbConfig = model.AppConfig{
 Key: "ldapBase",
 Type: "string",
 },
+ LdapUserSearchFilter: model.AppConfigVariable{
+ Key: "ldapUserSearchFilter",
+ Type: "string",
+ DefaultValue: "(objectClass=person)",
+ },
+ LdapUserGroupSearchFilter: model.AppConfigVariable{
+ Key: "ldapUserGroupSearchFilter",
+ Type: "string",
+ DefaultValue: "(objectClass=groupOfNames)",
+ },
 LdapSkipCertVerify: model.AppConfigVariable{
 Key: "ldapSkipCertVerify",
 Type: "bool",
diff --git a/backend/internal/service/ldap_service.go b/backend/internal/service/ldap_service.go
index 8417e89..7bde5bc 100644
--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -70,7 +70,7 @@ func (s *LdapService) SyncGroups() error {
 baseDN := s.appConfigService.DbConfig.LdapBase.Value
 nameAttribute := s.appConfigService.DbConfig.LdapAttributeGroupName.Value
 uniqueIdentifierAttribute := s.appConfigService.DbConfig.LdapAttributeGroupUniqueIdentifier.Value
- filter := "(objectClass=groupOfUniqueNames)"
+ filter := s.appConfigService.DbConfig.LdapUserGroupSearchFilter.Value

 searchAttrs := []string{
 nameAttribute,
@@ -176,8 +176,7 @@ func (s *LdapService) SyncUsers() error {
 firstNameAttribute := s.appConfigService.DbConfig.LdapAttributeUserFirstName.Value
 lastNameAttribute := s.appConfigService.DbConfig.LdapAttributeUserLastName.Value
 adminGroupAttribute := s.appConfigService.DbConfig.LdapAttributeAdminGroup.Value
-
- filter := "(objectClass=person)"
+ filter := s.appConfigService.DbConfig.LdapUserSearchFilter.Value

 searchAttrs := []string{
 "memberOf",
diff --git a/frontend/src/lib/types/application-configuration.ts b/frontend/src/lib/types/application-configuration.ts
index ea8f08a..fc5976a 100644
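Review bot: The new `DefaultValue: "(objectClass=groupOfNames)"` for `ldapUserGroupSearchFilter` does not match the hard-coded filter this commit removes from `SyncGroups` in ldap_service.go, which was `"(objectClass=groupOfUniqueNames)"`, so a deployment that never touches the new setting will silently sync a different set of groups after upgrading (the spec file added in this commit still fills the field with `groupOfUniqueNames`). Unless the switch of object class is intentional, preserve the old behaviour as the default: `DefaultValue: "(objectClass=groupOfUniqueNames)",`. Whether an existing database picks up `DefaultValue` for a newly added key depends on how `defaultDbConfig` is merged at startup, which is outside this hunk; if it does not, the filter read by `SyncGroups` will be the empty string. The `defaultDbConfig` literal starts before and ends after this hunk.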
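Review bot: `filter := s.appConfigService.DbConfig.LdapUserGroupSearchFilter.Value` is passed on without checking that the configured value is non-empty or a well-formed LDAP filter; the only validation in this commit is the `z.string().min(1)` in the Svelte form, which does not constrain the backend API, so an empty or malformed value is only discovered when the directory search fails during sync. Fail early with a clear message, e.g. `if filter == "" { return errors.New("ldap group search filter is not configured") }`, and the same applies to the `LdapUserSearchFilter.Value` line in the `SyncUsers` hunk below. If the service builds its searches with go-ldap, `ldap.CompileFilter(filter)` can additionally reject syntactically invalid filters at save time rather than at sync time. Both `SyncGroups` and `SyncUsers` continue outside their hunks.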
--- a/frontend/src/lib/types/application-configuration.ts
+++ b/frontend/src/lib/types/application-configuration.ts
@@ -23,6 +23,8 @@ export type AllAppConfig = AppConfig & {
 ldapBindDn: string;
 ldapBindPassword: string;
 ldapBase: string;
+ ldapUserSearchFilter: string;
+ ldapUserGroupSearchFilter: string;
 ldapSkipCertVerify: boolean;
 ldapAttributeUserUniqueIdentifier: string;
 ldapAttributeUserUsername: string;
diff --git a/frontend/src/routes/settings/admin/application-configuration/forms/app-config-ldap-form.svelte b/frontend/src/routes/settings/admin/application-configuration/forms/app-config-ldap-form.svelte
index c630eeb..4a76967 100644
--- a/frontend/src/routes/settings/admin/application-configuration/forms/app-config-ldap-form.svelte
+++ b/frontend/src/routes/settings/admin/application-configuration/forms/app-config-ldap-form.svelte
@@ -28,6 +28,8 @@
 ldapBindDn: appConfig.ldapBindDn,
 ldapBindPassword: appConfig.ldapBindPassword,
 ldapBase: appConfig.ldapBase,
+ ldapUserSearchFilter: appConfig.ldapUserSearchFilter,
+ ldapUserGroupSearchFilter: appConfig.ldapUserGroupSearchFilter,
 ldapSkipCertVerify: appConfig.ldapSkipCertVerify,
 ldapAttributeUserUniqueIdentifier: appConfig.ldapAttributeUserUniqueIdentifier,
 ldapAttributeUserUsername: appConfig.ldapAttributeUserUsername,
@@ -44,6 +46,8 @@
 ldapBindDn: z.string().min(1),
 ldapBindPassword: z.string().min(1),
 ldapBase: z.string().min(1),
+ ldapUserSearchFilter: z.string().min(1),
+ ldapUserGroupSearchFilter: z.string().min(1),
 ldapSkipCertVerify: z.boolean(),
 ldapAttributeUserUniqueIdentifier: z.string().min(1),
 ldapAttributeUserUsername: z.string().min(1),
@@ -102,6 +106,18 @@ /> + + {
 await page.getByLabel('LDAP Bind DN').fill('cn=admin,dc=example,dc=com');
 await page.getByLabel('LDAP Bind Password').fill('password');
 await page.getByLabel('LDAP Base DN').fill('dc=example,dc=com');
+ await page.getByLabel('User Search Filter').fill('(objectClass=person)');
+ await page.getByLabel('Groups Search Filter').fill('(objectClass=groupOfUniqueNames)');
 await page.getByLabel('User Unique Identifier Attribute').fill('uuid');
 await page.getByLabel('Username Attribute').fill('uid');
 await page.getByLabel('User Mail Attribute').fill('mail');
@@ -78,6 +80,8 @@ test('Update LDAP configuration', async ({ page }) => {
 await expect(page.getByLabel('LDAP Bind DN')).toHaveValue('cn=admin,dc=example,dc=com');
 await expect(page.getByLabel('LDAP Bind Password')).toHaveValue('password');
 await expect(page.getByLabel('LDAP Base DN')).toHaveValue('dc=example,dc=com');
+ await page.getByLabel('User Search Filter').fill('(objectClass=person)');
+ await page.getByLabel('Groups Search Filter').fill('(objectClass=groupOfUniqueNames)');
 await expect(page.getByLabel('User Unique Identifier Attribute')).toHaveValue('uuid');
 await expect(page.getByLabel('Username Attribute')).toHaveValue('uid');
 await expect(page.getByLabel('User Mail Attribute')).toHaveValue('mail');
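Review bot: In the `@@ -78,6 +80,8 @@` hunk the two added lines call `.fill(...)` although every surrounding line in that block is an `await expect(...).toHaveValue(...)` assertion, so the new fields are re-typed instead of being verified after the save and the test still passes if the filters were never persisted. Change them to `await expect(page.getByLabel('User Search Filter')).toHaveValue('(objectClass=person)');` and `await expect(page.getByLabel('Groups Search Filter')).toHaveValue('(objectClass=groupOfUniqueNames)');`. The enclosing test function starts outside the hunk.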