feat: ldap provider login (#5448)

Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2025-08-11 21:37:32 +00:00 · 2023-03-24 16:18:56 +01:00
parent a8bfcc166e
commit 41ff0bbc63
40 changed files with 2240 additions and 1142 deletions
--- a/internal/query/idp_template.go
+++ b/internal/query/idp_template.go
@@ -128,15 +128,16 @@ type GoogleIDPTemplate struct {
 }

 type LDAPIDPTemplate struct {
-	IDPID               string
-	Host                string
-	Port                string
-	TLS                 bool
-	BaseDN              string
-	UserObjectClass     string
-	UserUniqueAttribute string
-	Admin               string
-	Password            *crypto.CryptoValue
+	IDPID             string
+	Servers           []string
+	StartTLS          bool
+	BaseDN            string
+	BindDN            string
+	BindPassword      *crypto.CryptoValue
+	UserBase          string
+	UserObjectClasses []string
+	UserFilters       []string
+	Timeout           time.Duration
 	idp.LDAPAttributes
 }

@@ -515,36 +516,40 @@ var (
 		name:  projection.LDAPInstanceIDCol,
 		table: ldapIdpTemplateTable,
 	}
-	LDAPHostCol = Column{
-		name:  projection.LDAPHostCol,
+	LDAPServersCol = Column{
+		name:  projection.LDAPServersCol,
 		table: ldapIdpTemplateTable,
 	}
-	LDAPPortCol = Column{
-		name:  projection.LDAPPortCol,
-		table: ldapIdpTemplateTable,
-	}
-	LDAPTlsCol = Column{
-		name:  projection.LDAPTlsCol,
+	LDAPStartTLSCol = Column{
+		name:  projection.LDAPStartTLSCol,
 		table: ldapIdpTemplateTable,
 	}
 	LDAPBaseDNCol = Column{
 		name:  projection.LDAPBaseDNCol,
 		table: ldapIdpTemplateTable,
 	}
-	LDAPUserObjectClassCol = Column{
-		name:  projection.LDAPUserObjectClassCol,
+	LDAPBindDNCol = Column{
+		name:  projection.LDAPBindDNCol,
 		table: ldapIdpTemplateTable,
 	}
-	LDAPUserUniqueAttributeCol = Column{
-		name:  projection.LDAPUserUniqueAttributeCol,
+	LDAPBindPasswordCol = Column{
+		name:  projection.LDAPBindPasswordCol,
 		table: ldapIdpTemplateTable,
 	}
-	LDAPAdminCol = Column{
-		name:  projection.LDAPAdminCol,
+	LDAPUserBaseCol = Column{
+		name:  projection.LDAPUserBaseCol,
 		table: ldapIdpTemplateTable,
 	}
-	LDAPPasswordCol = Column{
-		name:  projection.LDAPPasswordCol,
+	LDAPUserObjectClassesCol = Column{
+		name:  projection.LDAPUserObjectClassesCol,
+		table: ldapIdpTemplateTable,
+	}
+	LDAPUserFiltersCol = Column{
+		name:  projection.LDAPUserFiltersCol,
+		table: ldapIdpTemplateTable,
+	}
+	LDAPTimeoutCol = Column{
+		name:  projection.LDAPTimeoutCol,
 		table: ldapIdpTemplateTable,
 	}
 	LDAPIDAttributeCol = Column{
@@ -772,14 +777,15 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			GoogleScopesCol.identifier(),
 			// ldap
 			LDAPIDCol.identifier(),
-			LDAPHostCol.identifier(),
-			LDAPPortCol.identifier(),
-			LDAPTlsCol.identifier(),
+			LDAPServersCol.identifier(),
+			LDAPStartTLSCol.identifier(),
 			LDAPBaseDNCol.identifier(),
-			LDAPUserObjectClassCol.identifier(),
-			LDAPUserUniqueAttributeCol.identifier(),
-			LDAPAdminCol.identifier(),
-			LDAPPasswordCol.identifier(),
+			LDAPBindDNCol.identifier(),
+			LDAPBindPasswordCol.identifier(),
+			LDAPUserBaseCol.identifier(),
+			LDAPUserObjectClassesCol.identifier(),
+			LDAPUserFiltersCol.identifier(),
+			LDAPTimeoutCol.identifier(),
 			LDAPIDAttributeCol.identifier(),
 			LDAPFirstNameAttributeCol.identifier(),
 			LDAPLastNameAttributeCol.identifier(),
@@ -869,14 +875,15 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			googleScopes := database.StringArray{}

 			ldapID := sql.NullString{}
-			ldapHost := sql.NullString{}
-			ldapPort := sql.NullString{}
-			ldapTls := sql.NullBool{}
+			ldapServers := database.StringArray{}
+			ldapStartTls := sql.NullBool{}
 			ldapBaseDN := sql.NullString{}
-			ldapUserObjectClass := sql.NullString{}
-			ldapUserUniqueAttribute := sql.NullString{}
-			ldapAdmin := sql.NullString{}
-			ldapPassword := new(crypto.CryptoValue)
+			ldapBindDN := sql.NullString{}
+			ldapBindPassword := new(crypto.CryptoValue)
+			ldapUserBase := sql.NullString{}
+			ldapUserObjectClasses := database.StringArray{}
+			ldapUserFilters := database.StringArray{}
+			ldapTimeout := sql.NullInt64{}
 			ldapIDAttribute := sql.NullString{}
 			ldapFirstNameAttribute := sql.NullString{}
 			ldapLastNameAttribute := sql.NullString{}
@@ -965,14 +972,15 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 				&googleScopes,
 				// ldap
 				&ldapID,
-				&ldapHost,
-				&ldapPort,
-				&ldapTls,
+				&ldapServers,
+				&ldapStartTls,
 				&ldapBaseDN,
-				&ldapUserObjectClass,
-				&ldapUserUniqueAttribute,
-				&ldapAdmin,
-				&ldapPassword,
+				&ldapBindDN,
+				&ldapBindPassword,
+				&ldapUserBase,
+				&ldapUserObjectClasses,
+				&ldapUserFilters,
+				&ldapTimeout,
 				&ldapIDAttribute,
 				&ldapFirstNameAttribute,
 				&ldapLastNameAttribute,
@@ -1083,15 +1091,16 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			}
 			if ldapID.Valid {
 				idpTemplate.LDAPIDPTemplate = &LDAPIDPTemplate{
-					IDPID:               ldapID.String,
-					Host:                ldapHost.String,
-					Port:                ldapPort.String,
-					TLS:                 ldapTls.Bool,
-					BaseDN:              ldapBaseDN.String,
-					UserObjectClass:     ldapUserObjectClass.String,
-					UserUniqueAttribute: ldapUserUniqueAttribute.String,
-					Admin:               ldapAdmin.String,
-					Password:            ldapPassword,
+					IDPID:             ldapID.String,
+					Servers:           ldapServers,
+					StartTLS:          ldapStartTls.Bool,
+					BaseDN:            ldapBaseDN.String,
+					BindDN:            ldapBindDN.String,
+					BindPassword:      ldapBindPassword,
+					UserBase:          ldapUserBase.String,
+					UserObjectClasses: ldapUserObjectClasses,
+					UserFilters:       ldapUserFilters,
+					Timeout:           time.Duration(ldapTimeout.Int64),
 					LDAPAttributes: idp.LDAPAttributes{
 						IDAttribute:                ldapIDAttribute.String,
 						FirstNameAttribute:         ldapFirstNameAttribute.String,
@@ -1189,14 +1198,15 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 			GoogleScopesCol.identifier(),
 			// ldap
 			LDAPIDCol.identifier(),
-			LDAPHostCol.identifier(),
-			LDAPPortCol.identifier(),
-			LDAPTlsCol.identifier(),
+			LDAPServersCol.identifier(),
+			LDAPStartTLSCol.identifier(),
 			LDAPBaseDNCol.identifier(),
-			LDAPUserObjectClassCol.identifier(),
-			LDAPUserUniqueAttributeCol.identifier(),
-			LDAPAdminCol.identifier(),
-			LDAPPasswordCol.identifier(),
+			LDAPBindDNCol.identifier(),
+			LDAPBindPasswordCol.identifier(),
+			LDAPUserBaseCol.identifier(),
+			LDAPUserObjectClassesCol.identifier(),
+			LDAPUserFiltersCol.identifier(),
+			LDAPTimeoutCol.identifier(),
 			LDAPIDAttributeCol.identifier(),
 			LDAPFirstNameAttributeCol.identifier(),
 			LDAPLastNameAttributeCol.identifier(),
@@ -1290,14 +1300,15 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 				googleScopes := database.StringArray{}

 				ldapID := sql.NullString{}
-				ldapHost := sql.NullString{}
-				ldapPort := sql.NullString{}
-				ldapTls := sql.NullBool{}
+				ldapServers := database.StringArray{}
+				ldapStartTls := sql.NullBool{}
 				ldapBaseDN := sql.NullString{}
-				ldapUserObjectClass := sql.NullString{}
-				ldapUserUniqueAttribute := sql.NullString{}
-				ldapAdmin := sql.NullString{}
-				ldapPassword := new(crypto.CryptoValue)
+				ldapBindDN := sql.NullString{}
+				ldapBindPassword := new(crypto.CryptoValue)
+				ldapUserBase := sql.NullString{}
+				ldapUserObjectClasses := database.StringArray{}
+				ldapUserFilters := database.StringArray{}
+				ldapTimeout := sql.NullInt64{}
 				ldapIDAttribute := sql.NullString{}
 				ldapFirstNameAttribute := sql.NullString{}
 				ldapLastNameAttribute := sql.NullString{}
@@ -1386,14 +1397,15 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 					&googleScopes,
 					// ldap
 					&ldapID,
-					&ldapHost,
-					&ldapPort,
-					&ldapTls,
+					&ldapServers,
+					&ldapStartTls,
 					&ldapBaseDN,
-					&ldapUserObjectClass,
-					&ldapUserUniqueAttribute,
-					&ldapAdmin,
-					&ldapPassword,
+					&ldapBindDN,
+					&ldapBindPassword,
+					&ldapUserBase,
+					&ldapUserObjectClasses,
+					&ldapUserFilters,
+					&ldapTimeout,
 					&ldapIDAttribute,
 					&ldapFirstNameAttribute,
 					&ldapLastNameAttribute,
@@ -1503,15 +1515,16 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 				}
 				if ldapID.Valid {
 					idpTemplate.LDAPIDPTemplate = &LDAPIDPTemplate{
-						IDPID:               ldapID.String,
-						Host:                ldapHost.String,
-						Port:                ldapPort.String,
-						TLS:                 ldapTls.Bool,
-						BaseDN:              ldapBaseDN.String,
-						UserObjectClass:     ldapUserObjectClass.String,
-						UserUniqueAttribute: ldapUserUniqueAttribute.String,
-						Admin:               ldapAdmin.String,
-						Password:            ldapPassword,
+						IDPID:             ldapID.String,
+						Servers:           ldapServers,
+						StartTLS:          ldapStartTls.Bool,
+						BaseDN:            ldapBaseDN.String,
+						BindDN:            ldapBindDN.String,
+						BindPassword:      ldapBindPassword,
+						UserBase:          ldapUserBase.String,
+						UserObjectClasses: ldapUserObjectClasses,
+						UserFilters:       ldapUserFilters,
+						Timeout:           time.Duration(ldapTimeout.Int64),
 						LDAPAttributes: idp.LDAPAttributes{
 							IDAttribute:                ldapIDAttribute.String,
 							FirstNameAttribute:         ldapFirstNameAttribute.String,