Add search bind support, fix group_identifier typo, fix empty gidNumber query

- Add search_bind_enabled/search_bind_dn/search_bind_password to allow using a dedicated LDAP account for user and group searches. This is needed when regular LDAP users lack search permissions (common with restrictive ACLs on OpenLDAP). - Support both group_indentifier (original) and group_identifier config keys, falling back to 'cn' if neither is set. - Skip the gidNumber-based primary group query when the attribute is empty, avoiding broken LDAP filters on non-posixAccount setups.
2026-02-24 22:29:04 +01:00
parent 403350df9b
commit 6155c1fad2
4 changed files with 74 additions and 11 deletions
--- a/blueprints.yaml
+++ b/blueprints.yaml
@@ -108,6 +108,38 @@ form:
                  validate:
                      type: bool

+            search_bind_section:
+              type: section
+              title: PLUGIN_LOGIN_LDAP.SEARCH_BIND_CONFIGURATION
+              underline: true
+
+              fields:
+
+                search_bind_enabled:
+                  type: toggle
+                  label: PLUGIN_LOGIN_LDAP.SEARCH_BIND_ENABLE
+                  help: PLUGIN_LOGIN_LDAP.SEARCH_BIND_ENABLE_DESC
+                  default: 0
+                  highlight: 0
+                  options:
+                    1: Enabled
+                    0: Disabled
+                  validate:
+                    type: bool
+
+                search_bind_dn:
+                  type: text
+                  label: PLUGIN_LOGIN_LDAP.SEARCH_BIND_DN
+                  size: large
+                  placeholder: cn=readonly,dc=company,dc=com
+                  help: PLUGIN_LOGIN_LDAP.SEARCH_BIND_DN_DESC
+
+                search_bind_password:
+                  type: password
+                  label: PLUGIN_LOGIN_LDAP.SEARCH_BIND_PASSWORD
+                  size: large
+                  help: PLUGIN_LOGIN_LDAP.SEARCH_BIND_PASSWORD_DESC
+
            config_section:
              type: section
              title: LDAP Configuration