fix: ldap username attibrute filter and filters extra args

SeDemal · Apr 22, 2024 · 420a46e · 420a46e
1 parent 39f416c
commit 420a46e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/src/env.js b/src/env.js
@@ -77,9 +77,11 @@ const env = createEnv({
           AUTH_LDAP_BASE: z.string(),
           AUTH_LDAP_SEARCH_SCOPE: z.enum(['base', 'one', 'sub']).default('base'),
           AUTH_LDAP_USERNAME_ATTRIBUTE: z.string().default('uid'),
+          AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG: z.string().optional(),
           AUTH_LDAP_GROUP_CLASS: z.string().default('groupOfUniqueNames'),
           AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: z.string().default('member'),
           AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: z.string().default('dn'),
+          AUTH_LDAP_GROUP_FILTER_EXTRA_ARG: z.string().optional(),
           AUTH_LDAP_ADMIN_GROUP: z.string().default('admin'),
           AUTH_LDAP_OWNER_GROUP: z.string().default('admin'),
         }
@@ -142,9 +144,11 @@ const env = createEnv({
     AUTH_LDAP_BASE: process.env.AUTH_LDAP_BASE,
     AUTH_LDAP_SEARCH_SCOPE: process.env.AUTH_LDAP_SEARCH_SCOPE?.toLowerCase(),
     AUTH_LDAP_USERNAME_ATTRIBUTE: process.env.AUTH_LDAP_USERNAME_ATTRIBUTE,
+    AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG: process.env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG,
     AUTH_LDAP_GROUP_CLASS: process.env.AUTH_LDAP_GROUP_CLASS,
     AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: process.env.AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE,
     AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: process.env.AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE,
+    AUTH_LDAP_GROUP_FILTER_EXTRA_ARG: process.env.AUTH_LDAP_GROUP_FILTER_EXTRA_ARG,
     AUTH_LDAP_ADMIN_GROUP: process.env.AUTH_LDAP_ADMIN_GROUP,
     AUTH_LDAP_OWNER_GROUP: process.env.AUTH_LDAP_OWNER_GROUP,
     AUTH_OIDC_CLIENT_ID: process.env.AUTH_OIDC_CLIENT_ID,

diff --git a/src/utils/auth/ldap.ts b/src/utils/auth/ldap.ts
@@ -100,7 +100,7 @@ export default Credentials({
 
       const ldapUser = (
         await ldapSearch(client, env.AUTH_LDAP_BASE, {
-          filter: `(uid=${data.name})`,
+          filter: env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG ? `(&(${env.AUTH_LDAP_USERNAME_ATTRIBUTE}=${data.name})${env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG})` : `(${env.AUTH_LDAP_USERNAME_ATTRIBUTE}=${data.name})`,
           scope: env.AUTH_LDAP_SEARCH_SCOPE,
           // as const for inference
           attributes: ['uid', 'mail'] as const,
@@ -115,7 +115,7 @@ export default Credentials({
         await ldapSearch(client, env.AUTH_LDAP_BASE, {
           filter: `(&(objectclass=${env.AUTH_LDAP_GROUP_CLASS})(${
             env.AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE
-          }=${ldapUser[env.AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE as 'dn' | 'uid']}))`,
+          }=${ldapUser[env.AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE as 'dn' | 'uid']})${env.AUTH_LDAP_GROUP_FILTER_EXTRA_ARG ?? ''})`,
           scope: env.AUTH_LDAP_SEARCH_SCOPE,
           // as const for inference
           attributes: 'cn',