Add cli flags LDAP group configuration

cmd/admin_auth_ldap.go

@@ -127,6 +127,34 @@ var (
 &cli.UintFlag{
 Name: "page-size",
 Usage: "Search page size.",
+},
+&cli.BoolFlag{
+Name: "enable-groups",
+Usage: "Enable LDAP groups",
+},
+&cli.StringFlag{
+Name: "group-search-base",
+Usage: "The LDAP base at which group accounts will be searched for.",
+},
+&cli.StringFlag{
+Name: "group-member-uid",
+Usage: "Group attribute containing list of users",
+},
+&cli.StringFlag{
+Name: "group-user-attribute",
+Usage: "User attribute listed in group",
+},
+&cli.StringFlag{
+Name: "group-filter",
+Usage: "Verify group membership in LDAP",
+},
+&cli.StringFlag{
+Name: "group-team-map",
+Usage: "Map LDAP groups to Organization teams",
+},
+&cli.BoolFlag{
+Name: "group-users-remove",
+Usage: "Remove users from synchronized teams if user does not belong to corresponding LDAP group",
 })
 
 ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,
@@ -273,6 +301,27 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 if c.IsSet("skip-local-2fa") {
 config.SkipLocalTwoFA = c.Bool("skip-local-2fa")
 }
+if c.IsSet("enable-groups") {
+config.GroupsEnabled = c.Bool("enable-groups")
+}
+if c.IsSet("group-search-base") {
+config.GroupDN = c.String("group-search-base")
+}
+if c.IsSet("group-member-uid") {
+config.GroupMemberUID = c.String("group-member-uid")
+}
+if c.IsSet("group-user-attribute") {
+config.UserUID = c.String("group-user-attribute")
+}
+if c.IsSet("group-filter") {
+config.GroupFilter = c.String("group-filter")
+}
+if c.IsSet("group-team-map") {
+config.GroupTeamMap = c.String("group-team-map")
+}
+if c.IsSet("group-users-remove") {
+config.GroupTeamMapRemoval = c.Bool("group-users-remove")
+}
 return nil
 }
 

cmd/admin_auth_ldap_test.go

@@ -51,6 +51,13 @@ func TestAddLdapBindDn(t *testing.T) {
 "--attributes-in-bind",
 "--synchronize-users",
 "--page-size", "99",
+"--enable-groups",
+"--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
+"--group-member-uid", "memberUid",
+"--group-user-attribute", "uid",
+"--group-filter", "(|(cn=gitea_users)(cn=admins))",
+"--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+"--group-users-remove",
 },
 source: &auth.Source{
 Type: auth.LDAP,
@@ -78,6 +85,13 @@ func TestAddLdapBindDn(t *testing.T) {
 AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
 RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",
 Enabled: true,
+GroupsEnabled: true,
+GroupDN: "ou=group,dc=full-domain-bind,dc=org",
+GroupMemberUID: "memberUid",
+UserUID: "uid",
+GroupFilter: "(|(cn=gitea_users)(cn=admins))",
+GroupTeamMap: `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+GroupTeamMapRemoval: true,
 },
 },
 },
@@ -510,6 +524,13 @@ func TestUpdateLdapBindDn(t *testing.T) {
 "--bind-password", "secret-bind-full",
 "--synchronize-users",
 "--page-size", "99",
+"--enable-groups",
+"--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
+"--group-member-uid", "memberUid",
+"--group-user-attribute", "uid",
+"--group-filter", "(|(cn=gitea_users)(cn=admins))",
+"--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+"--group-users-remove",
 },
 id: 23,
 existingAuthSource: &auth.Source{
@@ -545,6 +566,13 @@ func TestUpdateLdapBindDn(t *testing.T) {
 AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
 RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",
 Enabled: true,
+GroupsEnabled: true,
+GroupDN: "ou=group,dc=full-domain-bind,dc=org",
+GroupMemberUID: "memberUid",
+UserUID: "uid",
+GroupFilter: "(|(cn=gitea_users)(cn=admins))",
+GroupTeamMap: `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+GroupTeamMapRemoval: true,
 },
 },
 },