feat: add admin support for LDAP login

2025-05-06 21:38:51 +02:00
parent 824b962b60
commit 71ebf1e71a
4 changed files with 136 additions and 18 deletions
--- a/tuwunel-example.toml
+++ b/tuwunel-example.toml
@@ -1651,7 +1651,8 @@
 # You can use the variable `{username}` that will be replaced by the
 # entered username. In such case, the password used to bind will be the
 # one provided for the login and not the one given by
-# `bind_password_file`.
+# `bind_password_file`. Beware: automatically granting admin rights will
+# not work if you use this direct bind instead of a LDAP search.
 #
 # example: "cn=ldap-reader,dc=example,dc=org" or
 # "cn={username},ou=users,dc=example,dc=org"
@@ -1667,6 +1668,9 @@

 # Search filter to limit user searches.
 #
+# You can use the variable `{username}` that will be replaced by the
+# entered username for more complex filters.
+#
 # example: "(&(objectClass=person)(memberOf=matrix))"
 #
 #filter = "(objectClass=*)"
@@ -1688,3 +1692,23 @@
 # example: "givenName" or "sn"
 #
 #name_attribute = "givenName"
+
+# Root of the searches for admin users.
+#
+# Defaults to `base_dn` if empty.
+#
+# example: "ou=admins,dc=example,dc=org"
+#
+#admin_base_dn = false
+
+# The LDAP search filter to find administrative users for tuwunel.
+#
+# If left blank, administrative state must be configured manually for each
+# user.
+#
+# You can use the variable `{username}` that will be replaced by the
+# entered username for more complex filters.
+#
+# example: "(objectClass=tuwunelAdmin)" or "(uid={username})"
+#
+#admin_filter = false