LDAP: improve POSIX support (#18235)

* LDAP: improve POSIX support

* Correctly abtain DN attributes result

* Allow more flexibility with comparison mapping between POSIX group & user

* Add devenv for POSIX LDAP server

* Correct the docs

Fixes #18140

pkg/services/ldap/helpers.go

@@ -29,6 +29,10 @@ func appendIfNotEmpty(slice []string, values ...string) []string {
 }
 
 func getAttribute(name string, entry *ldap.Entry) string {
+	if strings.ToLower(name) == "dn" {
+		return entry.DN
+	}
+
 	for _, attr := range entry.Attributes {
 		if attr.Name == name {
 			if len(attr.Values) > 0 {
@@ -40,6 +44,10 @@ func getAttribute(name string, entry *ldap.Entry) string {
 }
 
 func getArrayAttribute(name string, entry *ldap.Entry) []string {
+	if strings.ToLower(name) == "dn" {
+		return []string{entry.DN}
+	}
+
 	for _, attr := range entry.Attributes {
 		if attr.Name == name && len(attr.Values) > 0 {
 			return attr.Values

pkg/services/ldap/ldap.go

@@ -266,7 +266,9 @@ func (server *Server) Users(logins []string) (
 		return nil, err
 	}
 
-	server.log.Debug("LDAP users found", "users", spew.Sdump(serializedUsers))
+	server.log.Debug(
+		"LDAP users found", "users", spew.Sdump(serializedUsers),
+	)
 
 	return serializedUsers, nil
 }
@@ -327,6 +329,9 @@ func (server *Server) getSearchRequest(
 		inputs.Email,
 		inputs.Name,
 		inputs.MemberOf,
+
+		// In case for the POSIX LDAP schema server
+		server.Config.GroupSearchFilterUserAttribute,
 	)
 
 	search := ""
@@ -489,6 +494,7 @@ func (server *Server) requestMemberOf(entry *ldap.Entry) ([]string, error) {
 
 		if len(groupSearchResult.Entries) > 0 {
 			for _, group := range groupSearchResult.Entries {
+
 				memberOf = append(
 					memberOf,
 					getAttribute(groupIDAttribute, group),

pkg/services/ldap/ldap_helpers_test.go

@@ -105,6 +105,16 @@ func TestLDAPHelpers(t *testing.T) {
 	})
 
 	Convey("getAttribute()", t, func() {
+		Convey("Should get DN", func() {
+			entry := &ldap.Entry{
+				DN: "test",
+			}
+
+			result := getAttribute("dn", entry)
+
+			So(result, ShouldEqual, "test")
+		})
+
 		Convey("Should get username", func() {
 			value := []string{"roelgerrits"}
 			entry := &ldap.Entry{
@@ -137,6 +147,16 @@ func TestLDAPHelpers(t *testing.T) {
 	})
 
 	Convey("getArrayAttribute()", t, func() {
+		Convey("Should get DN", func() {
+			entry := &ldap.Entry{
+				DN: "test",
+			}
+
+			result := getArrayAttribute("dn", entry)
+
+			So(result, ShouldResemble, []string{"test"})
+		})
+
 		Convey("Should get username", func() {
 			value := []string{"roelgerrits"}
 			entry := &ldap.Entry{

pkg/services/ldap/ldap_private_test.go

@@ -11,6 +11,44 @@ import (
 )
 
 func TestLDAPPrivateMethods(t *testing.T) {
+	Convey("getSearchRequest()", t, func() {
+		Convey("with enabled GroupSearchFilterUserAttribute setting", func() {
+			server := &Server{
+				Config: &ServerConfig{
+					Attr: AttributeMap{
+						Username: "username",
+						Name:     "name",
+						MemberOf: "memberof",
+						Email:    "email",
+					},
+					GroupSearchFilterUserAttribute: "gansta",
+					SearchBaseDNs:                  []string{"BaseDNHere"},
+				},
+				log: log.New("test-logger"),
+			}
+
+			result := server.getSearchRequest("killa", []string{"gorilla"})
+
+			So(result, ShouldResemble, &ldap.SearchRequest{
+				BaseDN:       "killa",
+				Scope:        2,
+				DerefAliases: 0,
+				SizeLimit:    0,
+				TimeLimit:    0,
+				TypesOnly:    false,
+				Filter:       "(|)",
+				Attributes: []string{
+					"username",
+					"email",
+					"name",
+					"memberof",
+					"gansta",
+				},
+				Controls: nil,
+			})
+		})
+	})
+
 	Convey("serializeUsers()", t, func() {
 		Convey("simple case", func() {
 			server := &Server{