Enable account on explicit LDAP group match#636
Merged
adubovikov merged 2 commits intoJun 12, 2026
Conversation
When an LDAP user authenticates and explicitly matches the configured admin or user group, userData.Enabled was never set, leaving it at its zero value of false. The login controller then rejects the request with a 401 (controller/v1/user.go: `if !userData.Enabled`) despite a fully successful authentication and group match. The fallback branch (login permitted via UserMode/AdminMode with no group match) already sets Enabled = true, so the looser path worked while the stricter, explicit group-match path silently failed. Set userData.Enabled = true in both group-match branches to match the existing fallback behaviour. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
|
Member
|
thank you |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When an LDAP user authenticates and explicitly matches the configured admin group or user group, login still fails with a
401 Unauthorized, even though authentication and the group check both succeed.The cause is in
data/service/user.go(LoginUser). In the two explicit group-match branches,userData.IsAdminis set butuserData.Enabledis never set, so it keeps its zero value offalse. The login controller then rejects the request:Notably, the fallback branch — where login is permitted via
UserMode/AdminModewith no group match — already setsuserData.Enabled = true. So the looser path worked while the stricter, explicit group-match path silently failed.Fix
Set
userData.Enabled = truein both group-match branches, consistent with the existing fallback behaviour.Testing
Built from this branch and deployed in a container against a live LDAP/AD directory. Users matching the configured admin and user groups can now log in successfully; behaviour of the
UserMode/AdminModefallback paths is unchanged.🤖 Generated with Claude Code