From 76c09851ea07a0045c9436790dead8bba4fcedee Mon Sep 17 00:00:00 2001
From: KuhnChris <761911+kuhnchris@users.noreply.github.com>
Date: Thu, 8 Jan 2026 23:09:18 +0100
Subject: [PATCH] Guard admin assignment/removal against empty filter

---
 src/api/client/session/ldap.rs | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/src/api/client/session/ldap.rs b/src/api/client/session/ldap.rs
index 68953ec1..85dd001a 100644
--- a/src/api/client/session/ldap.rs
+++ b/src/api/client/session/ldap.rs
@@ -60,22 +60,25 @@ pub(super) async fn ldap_login(
 			.await?;
 	}
 
-	let is_tuwunel_admin = services
-		.admin
-		.user_is_admin(lowercased_user_id)
-		.await;
+	// only perform admin add/remove check if admin_filter is set
+	if !services.config.ldap.admin_filter.is_empty() {
+		let is_tuwunel_admin = services
+			.admin
+			.user_is_admin(lowercased_user_id)
+			.await;
 
-	if is_ldap_admin && !is_tuwunel_admin {
-		services
-			.admin
-			.make_user_admin(lowercased_user_id)
-			.boxed()
-			.await?;
-	} else if !is_ldap_admin && is_tuwunel_admin {
-		services
-			.admin
-			.revoke_admin(lowercased_user_id)
-			.await?;
+		if is_ldap_admin && !is_tuwunel_admin {
+			services
+				.admin
+				.make_user_admin(lowercased_user_id)
+				.boxed()
+				.await?;
+		} else if !is_ldap_admin && is_tuwunel_admin {
+			services
+				.admin
+				.revoke_admin(lowercased_user_id)
+				.await?;
+		}
 	}
 
 	Ok(user_id)