danny-avila / LibreChat

Enhanced ChatGPT Clone: Features Anthropic, AWS, OpenAI, Assistants API, Azure, Groq, o1, GPT-4o, Mistral, OpenRouter, Vertex AI, Gemini, Artifacts, AI model switching, message search, langchain, DALL-E-3, ChatGPT Plugins, OpenAI Functions, Secure Multi-User System, Presets, completely open-source for self-hosting. Actively in public development.
https://librechat.ai/
MIT License
17.56k stars 2.91k forks

Enhancement: LDAP Authorization via security group #3955

Open dirkpetersen opened 1 week ago

dirkpetersen commented 1 week ago

What features would you like to see added?

Many organizations would like to start slowly with giving their users access to LLMs and govern access with Active Directory authorization (membership in a security group). Currently one can use LDAP_SEARCH_FILTER as a workaround; however, the user gets a confusing error message: "Unable to login with the information provided. Please check your credentials and try again." This is because the filter prevents the user from being found: { title: '(requireLdapAuth) Error: No user' }

More details

This is my LDAP config :

LDAP_URL=ldaps://ldap.domain.edu:636
LDAP_USER_SEARCH_BASE=OU=User Accounts,dc=domain,dc=edu
LDAP_BIND_DN=CN=ldapuser,OU=User Accounts,DC=domain,DC=edu
LDAP_BIND_CREDENTIALS=1233456
LDAP_SEARCH_FILTER=(&(mail={{username}})(memberOf=CN=LLM-Chat-Users,OU=Groups,DC=domain,DC=edu))
LDAP_FULL_NAME=displayName

A super simple solution would be a code change that checks for the string memberOf= in LDAP_SEARCH_FILTER and displays a different error message to the end user, e.g. "You are currently not authorized to login, please contact the Administrator of this application for access".

Which components are impacted by your request?

General

Pictures

No response

Code of Conduct

dirkpetersen commented 1 week ago

Of course, login with username instead of email also works:

LDAP_URL=ldaps://ldap.domain.edu:636
LDAP_USER_SEARCH_BASE=OU=User Accounts,dc=domain,dc=edu
LDAP_BIND_DN=CN=ldapuser,OU=User Accounts,DC=domain,DC=edu
LDAP_BIND_CREDENTIALS=1233456
LDAP_LOGIN_USES_USERNAME=true
LDAP_SEARCH_FILTER=(&(sAMAccountName={{username}})(memberOf=CN=LLM-Chat-Users,OU=Groups,DC=domain,DC=edu))
LDAP_FULL_NAME=displayName
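One way to give the end user a distinct "not authorized" message for both of the filters above, as an added example that is not LibreChat's code and not anything the maintainers have implemented: instead of only grepping the configured filter for memberOf=, split the filter into its identity clause and its memberOf clause, find the user with the identity clause first, and only then test group membership. That yields three outcomes (no such user, user found but not in the group, user found and authorized) rather than one undifferentiated "No user". Everything here is hypothetical: the function names, the in-memory directory entries (Alice and Bob with constructed DNs), and the tiny RFC 4515 filter evaluator, which only exists so the example runs offline; a deployment would send the two searches to the LDAP server instead. The {{username}} placeholder and the two filter strings are the ones from the configs posted above.

```javascript
// Added example, not LibreChat code: two-step LDAP lookup that separates
// "user not found" from "user found but not in the required group".

// Constructed sample directory (hypothetical users and DNs); stands in for the
// LDAP server so the example runs offline.
const SAMPLE_DIRECTORY = [
  { dn: 'CN=alice,OU=User Accounts,DC=domain,DC=edu', mail: 'alice@domain.edu',
    sAMAccountName: 'alice', displayName: 'Alice Example',
    memberOf: ['CN=LLM-Chat-Users,OU=Groups,DC=domain,DC=edu'] },
  { dn: 'CN=bob,OU=User Accounts,DC=domain,DC=edu', mail: 'bob@domain.edu',
    sAMAccountName: 'bob', displayName: 'Bob Example',
    memberOf: ['CN=Staff,OU=Groups,DC=domain,DC=edu'] },
];

// The two filters from the issue, with the {{username}} placeholder.
const MAIL_FILTER = '(&(mail={{username}})(memberOf=CN=LLM-Chat-Users,OU=Groups,DC=domain,DC=edu))';
const SAM_FILTER = '(&(sAMAccountName={{username}})(memberOf=CN=LLM-Chat-Users,OU=Groups,DC=domain,DC=edu))';

// Messages the end user sees; the second one is the wording proposed in the issue.
const MESSAGES = {
  NO_USER: 'Unable to login with the information provided. Please check your credentials and try again.',
  NOT_AUTHORIZED: 'You are currently not authorized to login, please contact the Administrator of this application for access',
};

// RFC 4515 escaping for a value substituted into a filter, so a login name such as
// "a)(objectClass=*" cannot rewrite the filter (LDAP filter injection).
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}
function unescapeFilterValue(value) {
  return value.replace(/\\([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Parses the subset of RFC 4515 needed here: (&...), (|...), (!...) and (attr=value).
function parseFilter(text) {
  let pos = 0;
  const expect = (ch) => {
    if (text[pos] !== ch) throw new Error(`expected '${ch}' at offset ${pos} in ${text}`);
    pos += 1;
  };
  function node() {
    expect('(');
    const op = text[pos];
    if (op === '&' || op === '|' || op === '!') {
      pos += 1;
      const children = [];
      while (text[pos] === '(') children.push(node());
      expect(')');
      if (op === '!' && children.length !== 1) throw new Error('(!) takes exactly one operand');
      return { op, children };
    }
    const end = text.indexOf(')', pos);
    const eq = text.indexOf('=', pos);
    if (end < 0 || eq < 0 || eq > end) throw new Error(`malformed filter item at offset ${pos}`);
    const leaf = { op: '=', attr: text.slice(pos, eq), value: unescapeFilterValue(text.slice(eq + 1, end)) };
    pos = end + 1;
    return leaf;
  }
  const ast = node();
  if (pos !== text.length) throw new Error('trailing characters after filter');
  return ast;
}

// LDAP attribute names are case-insensitive; values are compared case-insensitively here
// (adequate for mail, sAMAccountName and DN-valued memberOf in this demo).
function attrValues(entry, attr) {
  const key = Object.keys(entry).find((k) => k.toLowerCase() === attr.toLowerCase());
  return key === undefined ? [] : [].concat(entry[key]);
}
function matches(node, entry) {
  if (node.op === '&') return node.children.every((c) => matches(c, entry));
  if (node.op === '|') return node.children.some((c) => matches(c, entry));
  if (node.op === '!') return !matches(node.children[0], entry);
  const values = attrValues(entry, node.attr);
  if (node.value === '*') return values.length > 0;
  return values.some((v) => String(v).toLowerCase() === node.value.toLowerCase());
}

// Splits a top-level AND into the clauses that identify the user and the clauses that
// authorize them: any child that tests memberOf (including a nested OR of groups).
const mentionsMemberOf = (n) =>
  n.op === '=' ? n.attr.toLowerCase() === 'memberof' : n.children.some(mentionsMemberOf);
function splitFilter(ast) {
  if (ast.op !== '&') return { identity: ast, authz: null };
  const authz = ast.children.filter(mentionsMemberOf);
  const identity = ast.children.filter((c) => !mentionsMemberOf(c));
  if (authz.length === 0 || identity.length === 0) return { identity: ast, authz: null };
  const wrap = (list) => (list.length === 1 ? list[0] : { op: '&', children: list });
  return { identity: wrap(identity), authz: wrap(authz) };
}

// Two-step lookup. NO_USER keeps the generic credential message; NOT_AUTHORIZED is the
// distinct outcome the issue asks for, and is worth logging server-side with the DN.
function lookupUser(filterTemplate, login, entries) {
  const filter = filterTemplate.split('{{username}}').join(escapeFilterValue(login));
  const { identity, authz } = splitFilter(parseFilter(filter));
  const found = entries.filter((e) => matches(identity, e));
  if (found.length !== 1) return { status: 'NO_USER', user: null };
  const user = found[0];
  if (authz && !matches(authz, user)) return { status: 'NOT_AUTHORIZED', user };
  return { status: 'OK', user };
}

for (const [tpl, login] of [[MAIL_FILTER, 'alice@domain.edu'], [MAIL_FILTER, 'bob@domain.edu'],
                            [SAM_FILTER, 'mallory'], [SAM_FILTER, 'a)(objectClass=*']]) {
  const r = lookupUser(tpl, login, SAMPLE_DIRECTORY);
  console.log(login, '->', r.status, r.status === 'OK' ? r.user.dn : MESSAGES[r.status]);
}
```

Two caveats a practitioner should weigh before shipping this. First, telling an unauthorized user apart from an unknown one confirms that the account exists; for an internal directory behind LDAPS that is usually acceptable, but the distinct reason should in any case be logged on the server, where it matters for admins, rather than relied upon only in the browser. Second, on Active Directory memberOf tests direct membership only; users who qualify through a nested group need the LDAP_MATCHING_RULE_IN_CHAIN extensible match (memberOf:1.2.840.113556.1.4.1941:=CN=...), which the real server evaluates but the toy evaluator above does not, so with nested groups point the second search at the directory rather than at this in-memory matcher.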