LDAP: Limit auth to groups

[AlexSSP]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running master-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

Hello everyone!
How can I use SPRING_LDAP_USERFILTER_SEARCHFILTER for Active Directory authentication.
My env docker-compose.yml:
AUTH_TYPE: "LDAP"
SPRING_LDAP_URLS: "ldap://xxx:389"
SPRING_LDAP_USERFILTER_SEARCHBASE: "dc=dcname,dc=local"
SPRING_LDAP_USERFILTER_SEARCHFILTER: "(&(uid={0})(memberOf=cn=kafka_users,ou=Groups,dc=dcname,dc=local))"
SPRING_LDAP_ADMINUSER: "CN=ldap,DC=dcname,DC=local"
SPRING_LDAP_ADMINPASSWORD: "Password"
OAUTH2.LDAP.ACTIVEDIRECTORY: "true"
OAUTH2.LDAP.AСTIVEDIRECTORY.DOMAIN: "dcname.local"

With this configuration, authorization is successful for any users of Active Directory, not only for members of group kafka_users

Expected behavior

No response

Your installation details

v0.6.2

Steps to reproduce

SPRING_LDAP_USERFILTER_SEARCHFILTER not work for my config

Screenshots

No response

Logs

No response

Additional context

No response

[github-actions]

Hello there AlexSSP! 👋

Thank you and congratulations 🎉 for opening your very first issue in this project! 💖

In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀

[AlexSSP]

v0.7. problem persists

[sm-shevchenko]

v0.7. problem persists

I found than in version 0.7.0 (or before, but did not see this in previously used version 0.6.2) was changed , but not documented in the release-notes, some of LDAP parameters:
SPRING_LDAP_USERFILTER_SEARCHBASE -> SPRING_LDAP_USER_FILTER_SEARCH_BASE
SPRING_LDAP_USERFILTER_SEARCHFILTER -> SPRING_LDAP_USER_FILTER_SEARCH_FILTER
SPRING_LDAP_ADMINUSER -> SPRING_LDAP_ADMIN_USER
SPRING_LDAP_ADMINPASSWORD -> SPRING_LDAP_ADMIN_PASSWORD

and maybe some other...

[Haarolean]

@sm-shevchenko That's an unexpected side-effect, seems like spring's relaxed binding stopped working here.

This is why we recommend not using env properties mostly.

[Haarolean]

@AlexSSP I can confirm adding memberOf filter within user-filter-search-filter doesn't provide the result you're expecting, since the search is not performed (since BindAuthenticator does the binding successfully, thus, no search is being performed).
At this point, as a workaround, you could use RBAC with LDAP.
We'll take a look into this.