feat: add generic LDAP authentication strategy using ldapts

config.schema.json

@@ -529,6 +529,106 @@
             }
           },
           "required": ["type", "enabled", "jwtConfig"]
+        },
+        {
+          "title": "LDAP Auth Config",
+          "description": "Configuration for generic LDAP authentication using ldapts.",
+          "properties": {
+            "type": { "type": "string", "const": "ldap" },
+            "enabled": { "type": "boolean" },
+            "ldapConfig": {
+              "type": "object",
+              "description": "LDAP connection and search configuration.",
+              "properties": {
+                "url": {
+                  "type": "string",
+                  "description": "LDAP server URL, e.g. `ldap://ldap.example.com` or `ldaps://ldap.example.com`."
+                },
+                "bindDN": {
+                  "type": "string",
+                  "description": "DN of the service account used to search for users, e.g. `cn=admin,dc=example,dc=com`."
+                },
+                "bindPassword": {
+                  "type": "string",
+                  "description": "Password for the service account."
+                },
+                "searchBase": {
+                  "type": "string",
+                  "description": "Base DN for user searches, e.g. `ou=people,dc=example,dc=com`."
+                },
+                "searchFilter": {
+                  "type": "string",
+                  "description": "LDAP search filter template. Use `{{username}}` as a placeholder for the login username. e.g. `(uid={{username}})`."
+                },
+                "userGroupDN": {
+                  "type": "string",
+                  "description": "DN of the group a user must belong to in order to log in."
+                },
+                "adminGroupDN": {
+                  "type": "string",
+                  "description": "DN of the admin group. Members of this group are granted admin privileges."
+                },
+                "groupSearchBase": {
+                  "type": "string",
+                  "description": "Base DN for group membership searches. If omitted, each group's own DN (`userGroupDN` or `adminGroupDN`) is used as the search base."
+                },
+                "groupSearchFilter": {
+                  "type": "string",
+                  "description": "LDAP filter for group membership checks. Use `{{dn}}` as a placeholder for the user's DN and `{{username}}` as a placeholder for the login username. Defaults to `(member={{dn}})`."
+                },
+                "usernameAttribute": {
+                  "type": "string",
+                  "description": "LDAP attribute to use as the username. Defaults to `uid`."
+                },
+                "emailAttribute": {
+                  "type": "string",
+                  "description": "LDAP attribute for the user's email. Defaults to `mail`."
+                },
+                "displayNameAttribute": {
+                  "type": "string",
+                  "description": "LDAP attribute for the user's display name. Defaults to `cn`."
+                },
+                "titleAttribute": {
+                  "type": "string",
+                  "description": "LDAP attribute for the user's title. Defaults to `title`."
+                },
+                "starttls": {
+                  "type": "boolean",
+                  "description": "Use STARTTLS to upgrade an ldap:// connection to TLS. Defaults to false."
+                },
+                "tlsOptions": {
+                  "type": "object",
+                  "description": "Node.js TLS options passed to the ldapts client (e.g. `rejectUnauthorized`, `ca`)."
+                },
+                "timeout": {
+                  "type": "number",
+                  "description": "LDAP client operation timeout in milliseconds."
+                },
+                "connectTimeout": {
+                  "type": "number",
+                  "description": "LDAP client connection timeout in milliseconds."
+                },
+                "searchTimeLimit": {
+                  "type": "number",
+                  "description": "LDAP search time limit in seconds."
+                },
+                "searchSizeLimit": {
+                  "type": "number",
+                  "description": "Maximum number of LDAP search entries to return."
+                }
+              },
+              "required": [
+                "url",
+                "bindDN",
+                "bindPassword",
+                "searchBase",
+                "searchFilter",
+                "userGroupDN",
+                "adminGroupDN"
+              ]
+            }
+          },
+          "required": ["type", "enabled", "ldapConfig"]
         }
       ]
     },

package.json

@@ -119,6 +119,7 @@
     "history": "5.3.0",
     "isomorphic-git": "^1.36.3",
     "jsonwebtoken": "^9.0.3",
+    "ldapts": "^8.1.7",
     "load-plugin": "^6.0.3",
     "lodash": "^4.17.23",
     "lusca": "^1.7.0",
@@ -129,6 +130,7 @@
     "parse-diff": "^0.11.1",
     "passport": "^0.7.0",
     "passport-activedirectory": "^1.4.0",
+    "passport-custom": "^1.1.1",
     "passport-local": "^1.0.0",
     "perfect-scrollbar": "^1.5.6",
     "react": "^16.14.0",

packages/git-proxy-cli/index.ts

@@ -604,7 +604,7 @@ yargs(hideBin(process.argv)) // eslint-disable-line @typescript-eslint/no-unused
   })
   .command({
     command: 'create-user',
-    describe: 'Create a new user',
+    describe: 'Create a new local database user',
     builder: {
       username: {
         describe: 'Username for the new user',

proxy.config.json

@@ -52,6 +52,31 @@
         "password": ""
       }
     },
+    {
+      "type": "ldap",
+      "enabled": false,
+      "ldapConfig": {
+        "url": "",
+        "bindDN": "",
+        "bindPassword": "",
+        "searchBase": "",
+        "searchFilter": "",
+        "userGroupDN": "",
+        "adminGroupDN": "",
+        "groupSearchBase": "",
+        "groupSearchFilter": "(member={{dn}})",
+        "usernameAttribute": "uid",
+        "emailAttribute": "mail",
+        "displayNameAttribute": "cn",
+        "titleAttribute": "title",
+        "starttls": false,
+        "tlsOptions": {},
+        "timeout": 5000,
+        "connectTimeout": 5000,
+        "searchTimeLimit": 5,
+        "searchSizeLimit": 10
+      }
+    },
     {
       "type": "openidconnect",
       "enabled": false,

src/config/generated/config.ts

@@ -190,6 +190,10 @@ export interface AuthenticationElement {
    * Additional JWT configuration.
    */
   jwtConfig?: JwtConfig;
+  /**
+   * LDAP connection and search configuration.
+   */
+  ldapConfig?: LDAPConfig;
   [property: string]: any;
 }
 
@@ -241,6 +245,92 @@ export interface RoleMapping {
   [property: string]: any;
 }
 
+/**
+ * LDAP connection and search configuration.
+ */
+export interface LDAPConfig {
+  /**
+   * DN of the admin group. Members of this group are granted admin privileges.
+   */
+  adminGroupDN: string;
+  /**
+   * DN of the service account used to search for users, e.g. `cn=admin,dc=example,dc=com`.
+   */
+  bindDN: string;
+  /**
+   * Password for the service account.
+   */
+  bindPassword: string;
+  /**
+   * LDAP client connection timeout in milliseconds.
+   */
+  connectTimeout?: number;
+  /**
+   * LDAP attribute for the user's display name. Defaults to `cn`.
+   */
+  displayNameAttribute?: string;
+  /**
+   * LDAP attribute for the user's email. Defaults to `mail`.
+   */
+  emailAttribute?: string;
+  /**
+   * Base DN for group membership searches. If omitted, each group's own DN (`userGroupDN` or
+   * `adminGroupDN`) is used as the search base.
+   */
+  groupSearchBase?: string;
+  /**
+   * LDAP filter for group membership checks. Use `{{dn}}` as a placeholder for the user's DN
+   * and `{{username}}` as a placeholder for the login username. Defaults to `(member={{dn}})`.
+   */
+  groupSearchFilter?: string;
+  /**
+   * Base DN for user searches, e.g. `ou=people,dc=example,dc=com`.
+   */
+  searchBase: string;
+  /**
+   * LDAP search filter template. Use `{{username}}` as a placeholder for the login username.
+   * e.g. `(uid={{username}})`.
+   */
+  searchFilter: string;
+  /**
+   * Maximum number of LDAP search entries to return.
+   */
+  searchSizeLimit?: number;
+  /**
+   * LDAP search time limit in seconds.
+   */
+  searchTimeLimit?: number;
+  /**
+   * Use STARTTLS to upgrade an ldap:// connection to TLS. Defaults to false.
+   */
+  starttls?: boolean;
+  /**
+   * LDAP client operation timeout in milliseconds.
+   */
+  timeout?: number;
+  /**
+   * LDAP attribute for the user's title. Defaults to `title`.
+   */
+  titleAttribute?: string;
+  /**
+   * Node.js TLS options passed to the ldapts client (e.g. `rejectUnauthorized`, `ca`).
+   */
+  tlsOptions?: { [key: string]: any };
+  /**
+   * LDAP server URL, e.g. `ldap://ldap.example.com` or `ldaps://ldap.example.com`.
+   */
+  url: string;
+  /**
+   * DN of the group a user must belong to in order to log in.
+   */
+  userGroupDN: string;
+  /**
+   * LDAP attribute to use as the username. Defaults to `uid`.
+   */
+  usernameAttribute?: string;
+  [property: string]: any;
+}
+
 /**
  * Additional OIDC configuration.
  */
@@ -256,6 +346,7 @@ export interface OidcConfig {
 export enum AuthenticationElementType {
   ActiveDirectory = 'ActiveDirectory',
   Jwt = 'jwt',
+  LDAP = 'ldap',
   Local = 'local',
   Openidconnect = 'openidconnect',
 }
@@ -811,6 +902,7 @@ const typeMap: any = {
       { json: 'userGroup', js: 'userGroup', typ: u(undefined, '') },
       { json: 'oidcConfig', js: 'oidcConfig', typ: u(undefined, r('OidcConfig')) },
       { json: 'jwtConfig', js: 'jwtConfig', typ: u(undefined, r('JwtConfig')) },
+      { json: 'ldapConfig', js: 'ldapConfig', typ: u(undefined, r('LDAPConfig')) },
     ],
     'any',
   ),
@@ -834,6 +926,30 @@ const typeMap: any = {
     'any',
   ),
   RoleMapping: o([{ json: 'admin', js: 'admin', typ: u(undefined, m('any')) }], 'any'),
+  LDAPConfig: o(
+    [
+      { json: 'adminGroupDN', js: 'adminGroupDN', typ: '' },
+      { json: 'bindDN', js: 'bindDN', typ: '' },
+      { json: 'bindPassword', js: 'bindPassword', typ: '' },
+      { json: 'connectTimeout', js: 'connectTimeout', typ: u(undefined, 3.14) },
+      { json: 'displayNameAttribute', js: 'displayNameAttribute', typ: u(undefined, '') },
+      { json: 'emailAttribute', js: 'emailAttribute', typ: u(undefined, '') },
+      { json: 'groupSearchBase', js: 'groupSearchBase', typ: u(undefined, '') },
+      { json: 'groupSearchFilter', js: 'groupSearchFilter', typ: u(undefined, '') },
+      { json: 'searchBase', js: 'searchBase', typ: '' },
+      { json: 'searchFilter', js: 'searchFilter', typ: '' },
+      { json: 'searchSizeLimit', js: 'searchSizeLimit', typ: u(undefined, 3.14) },
+      { json: 'searchTimeLimit', js: 'searchTimeLimit', typ: u(undefined, 3.14) },
+      { json: 'starttls', js: 'starttls', typ: u(undefined, true) },
+      { json: 'timeout', js: 'timeout', typ: u(undefined, 3.14) },
+      { json: 'titleAttribute', js: 'titleAttribute', typ: u(undefined, '') },
+      { json: 'tlsOptions', js: 'tlsOptions', typ: u(undefined, m('any')) },
+      { json: 'url', js: 'url', typ: '' },
+      { json: 'userGroupDN', js: 'userGroupDN', typ: '' },
+      { json: 'usernameAttribute', js: 'usernameAttribute', typ: u(undefined, '') },
+    ],
+    'any',
+  ),
   OidcConfig: o(
     [
       { json: 'callbackURL', js: 'callbackURL', typ: '' },
@@ -981,6 +1097,6 @@ const typeMap: any = {
     ],
     'any',
   ),
-  AuthenticationElementType: ['ActiveDirectory', 'jwt', 'local', 'openidconnect'],
+  AuthenticationElementType: ['ActiveDirectory', 'jwt', 'ldap', 'local', 'openidconnect'],
   DatabaseType: ['fs', 'mongo'],
 };