feat: add ldap authentication type to config schema

1saac-k · 1saac-k · commit 4ec870713e15 · 2026-04-08T22:54:36.000+09:00
Add LDAP auth type definition to config.schema.json and
generated TypeScript types with LdapConfig interface.

Signed-off-by: Kwangjin Ko &lt;kyet@me.com&gt;
diff --git a/config.schema.json b/config.schema.json
@@ -505,6 +505,90 @@
           },
           "required": ["type", "enabled", "oidcConfig"]
         },
+        {
+          "title": "LDAP Auth Config",
+          "description": "Configuration for generic LDAP authentication using ldapts.",
+          "properties": {
+            "type": { "type": "string", "const": "ldap" },
+            "enabled": { "type": "boolean" },
+            "ldapConfig": {
+              "type": "object",
+              "description": "LDAP connection and search configuration.",
+              "properties": {
+                "url": {
+                  "type": "string",
+                  "description": "LDAP server URL, e.g. `ldap://ldap.example.com` or `ldaps://ldap.example.com`."
+                },
+                "bindDN": {
+                  "type": "string",
+                  "description": "DN of the service account used to search for users, e.g. `cn=admin,dc=example,dc=com`."
+                },
+                "bindPassword": {
+                  "type": "string",
+                  "description": "Password for the service account."
+                },
+                "searchBase": {
+                  "type": "string",
+                  "description": "Base DN for user searches, e.g. `ou=people,dc=example,dc=com`."
+                },
+                "searchFilter": {
+                  "type": "string",
+                  "description": "LDAP search filter template. Use `{{username}}` as a placeholder for the login username. e.g. `(uid={{username}})`."
+                },
+                "userGroupDN": {
+                  "type": "string",
+                  "description": "DN of the group a user must belong to in order to log in."
+                },
+                "adminGroupDN": {
+                  "type": "string",
+                  "description": "DN of the admin group. Members of this group are granted admin privileges."
+                },
+                "groupSearchBase": {
+                  "type": "string",
+                  "description": "Base DN for group membership searches. If omitted, each group's own DN (`userGroupDN` or `adminGroupDN`) is used as the search base."
+                },
+                "groupSearchFilter": {
+                  "type": "string",
+                  "description": "LDAP filter for group membership checks. Use `{{dn}}` as a placeholder for the user's DN. Defaults to `(member={{dn}})`."
+                },
+                "usernameAttribute": {
+                  "type": "string",
+                  "description": "LDAP attribute to use as the username. Defaults to `uid`."
+                },
+                "emailAttribute": {
+                  "type": "string",
+                  "description": "LDAP attribute for the user's email. Defaults to `mail`."
+                },
+                "displayNameAttribute": {
+                  "type": "string",
+                  "description": "LDAP attribute for the user's display name. Defaults to `cn`."
+                },
+                "titleAttribute": {
+                  "type": "string",
+                  "description": "LDAP attribute for the user's title. Defaults to `title`."
+                },
+                "starttls": {
+                  "type": "boolean",
+                  "description": "Use STARTTLS to upgrade an ldap:// connection to TLS. Defaults to false."
+                },
+                "tlsOptions": {
+                  "type": "object",
+                  "description": "Node.js TLS options passed to the ldapts client (e.g. `rejectUnauthorized`, `ca`)."
+                }
+              },
+              "required": [
+                "url",
+                "bindDN",
+                "bindPassword",
+                "searchBase",
+                "searchFilter",
+                "userGroupDN",
+                "adminGroupDN"
+              ]
+            }
+          },
+          "required": ["type", "enabled", "ldapConfig"]
+        },
         {
           "title": "JWT Auth Config",
           "description": "Configuration for JWT authentication.",
diff --git a/src/config/generated/config.ts b/src/config/generated/config.ts
@@ -190,6 +190,10 @@ export interface AuthenticationElement {
    * Additional JWT configuration.
    */
   jwtConfig?: JwtConfig;
+  /**
+   * LDAP connection and search configuration.
+   */
+  ldapConfig?: LdapConfig;
   [property: string]: any;
 }
 
@@ -253,9 +257,32 @@ export interface OidcConfig {
   [property: string]: any;
 }
 
+/**
+ * LDAP connection and search configuration.
+ */
+export interface LdapConfig {
+  url: string;
+  bindDN: string;
+  bindPassword: string;
+  searchBase: string;
+  searchFilter: string;
+  userGroupDN: string;
+  adminGroupDN: string;
+  groupSearchBase?: string;
+  groupSearchFilter?: string;
+  usernameAttribute?: string;
+  emailAttribute?: string;
+  displayNameAttribute?: string;
+  titleAttribute?: string;
+  starttls?: boolean;
+  tlsOptions?: { [key: string]: any };
+  [property: string]: any;
+}
+
 export enum AuthenticationElementType {
   ActiveDirectory = 'ActiveDirectory',
   Jwt = 'jwt',
+  Ldap = 'ldap',
   Local = 'local',
   Openidconnect = 'openidconnect',
 }
@@ -811,6 +838,7 @@ const typeMap: any = {
       { json: 'userGroup', js: 'userGroup', typ: u(undefined, '') },
       { json: 'oidcConfig', js: 'oidcConfig', typ: u(undefined, r('OidcConfig')) },
       { json: 'jwtConfig', js: 'jwtConfig', typ: u(undefined, r('JwtConfig')) },
+      { json: 'ldapConfig', js: 'ldapConfig', typ: u(undefined, r('LdapConfig')) },
     ],
     'any',
   ),
@@ -844,6 +872,26 @@ const typeMap: any = {
     ],
     'any',
   ),
+  LdapConfig: o(
+    [
+      { json: 'url', js: 'url', typ: '' },
+      { json: 'bindDN', js: 'bindDN', typ: '' },
+      { json: 'bindPassword', js: 'bindPassword', typ: '' },
+      { json: 'searchBase', js: 'searchBase', typ: '' },
+      { json: 'searchFilter', js: 'searchFilter', typ: '' },
+      { json: 'userGroupDN', js: 'userGroupDN', typ: '' },
+      { json: 'adminGroupDN', js: 'adminGroupDN', typ: '' },
+      { json: 'groupSearchBase', js: 'groupSearchBase', typ: u(undefined, '') },
+      { json: 'groupSearchFilter', js: 'groupSearchFilter', typ: u(undefined, '') },
+      { json: 'usernameAttribute', js: 'usernameAttribute', typ: u(undefined, '') },
+      { json: 'emailAttribute', js: 'emailAttribute', typ: u(undefined, '') },
+      { json: 'displayNameAttribute', js: 'displayNameAttribute', typ: u(undefined, '') },
+      { json: 'titleAttribute', js: 'titleAttribute', typ: u(undefined, '') },
+      { json: 'starttls', js: 'starttls', typ: u(undefined, true) },
+      { json: 'tlsOptions', js: 'tlsOptions', typ: u(undefined, m('any')) },
+    ],
+    'any',
+  ),
   AttestationConfig: o(
     [{ json: 'questions', js: 'questions', typ: u(undefined, a(r('Question'))) }],
     false,
@@ -981,6 +1029,6 @@ const typeMap: any = {
     ],
     'any',
   ),
-  AuthenticationElementType: ['ActiveDirectory', 'jwt', 'local', 'openidconnect'],
+  AuthenticationElementType: ['ActiveDirectory', 'jwt', 'ldap', 'local', 'openidconnect'],
   DatabaseType: ['fs', 'mongo'],
 };
