feat: ldap group acls (#590)

* wip * refactor: remove useless session struct abstraction * feat: retrieve and store groups from ldap provider * chore: fix merge issue * refactor: rework ldap group fetching logic * feat: store ldap group results in cache * fix: review nitpicks * fix: review feedback
2026-01-23 07:42:28 +00:00 · 2026-01-17 20:03:29 +02:00
parent c0dd432029
commit 4926e53409
18 changed files with 280 additions and 90 deletions
--- a/internal/service/ldap_service.go
+++ b/internal/service/ldap_service.go
@@ -116,7 +116,7 @@ func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
 	return ldap.conn, nil
 }

-func (ldap *LdapService) Search(username string) (string, error) {
+func (ldap *LdapService) GetUserDN(username string) (string, error) {
 	// Escape the username to prevent LDAP injection
 	escapedUsername := ldapgo.EscapeFilter(username)
 	filter := fmt.Sprintf(ldap.config.SearchFilter, escapedUsername)
@@ -145,6 +145,48 @@ func (ldap *LdapService) Search(username string) (string, error) {
 	return userDN, nil
 }

+func (ldap *LdapService) GetUserGroups(userDN string) ([]string, error) {
+	escapedUserDN := ldapgo.EscapeFilter(userDN)
+
+	searchRequest := ldapgo.NewSearchRequest(
+		ldap.config.BaseDN,
+		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf("(&(objectclass=groupOfUniqueNames)(uniquemember=%s))", escapedUserDN),
+		[]string{"dn"},
+		nil,
+	)
+
+	ldap.mutex.Lock()
+	defer ldap.mutex.Unlock()
+
+	searchResult, err := ldap.conn.Search(searchRequest)
+	if err != nil {
+		return []string{}, err
+	}
+
+	groupDNs := []string{}
+
+	for _, entry := range searchResult.Entries {
+		groupDNs = append(groupDNs, entry.DN)
+	}
+
+	groups := []string{}
+
+	// I guess it should work for most ldap providers
+	for _, dn := range groupDNs {
+		rdnParts, err := ldapgo.ParseDN(dn)
+		if err != nil {
+			return []string{}, err
+		}
+		if len(rdnParts.RDNs) == 0 || len(rdnParts.RDNs[0].Attributes) == 0 {
+			return []string{}, fmt.Errorf("invalid DN format: %s", dn)
+		}
+		groups = append(groups, rdnParts.RDNs[0].Attributes[0].Value)
+	}
+
+	return groups, nil
+}
+
 func (ldap *LdapService) BindService(rebind bool) error {
 	// Locks must not be used for initial binding attempt
 	if rebind {