Merge pull request #536 from dbarzin/dev

dbarzin · web-flow · commit 091f2fab124d · 2025-10-03T14:39:24.000+02:00
add group match
diff --git a/.env.example b/.env.example
@@ -72,6 +72,9 @@ LDAP_TLS=false
 # OpenLDAP: uid, cn, mail ; AD: sAMAccountName, userPrincipalName, mail
 LDAP_LOGIN_ATTRIBUTES="uid,cn,mail,sAMAccountName,userPrincipalName"
 
+# Match user group or null for any group
+LDAP_GROUP=
+
 ##################################################
 # Socialite
 ##################################################
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
@@ -48,6 +48,12 @@ protected function ldapBindAndGetUser(string $appUsername, string $password): ?L
                 $query->in($base);
             }
 
+            // Optionel : resteindre à un group si configuré
+            $group = trim((string) config('app.ldap_group'));
+            if ($group !== '') {
+                $query->where('memberOf', $group);
+            }
+
             // Attributs de login à tester côté LDAP (uid, sAMAccountName, etc.)
             $attrs = array_values(array_filter(array_map('trim', explode(',', (string) config('app.ldap_login_attributes')))));
             if (empty($attrs)) {
diff --git a/config/app.php b/config/app.php
@@ -149,6 +149,7 @@
     'ldap_auto_provision' => (bool) env('LDAP_AUTO_PROVISION', false),
     'ldap_login_attributes' => env('LDAP_LOGIN_ATTRIBUTES', 'uid,cn,mail,sAMAccountName,userPrincipalName'),
     'ldap_users_base_dn' => env('LDAP_USERS_BASE_DN'),
+    'ldap_group' => env('LDAP_GROUP'),
 
     /*
     |--------------------------------------------------------------------------
