Skip to content

fix(ldap): use DN instead of uid in basicAuth GetLDAPUser call#1015

Open
tsushanth wants to merge 1 commit into
tinyauthapp:mainfrom
tsushanth:fix/ldap-basic-auth-use-dn-not-uid
Open

fix(ldap): use DN instead of uid in basicAuth GetLDAPUser call#1015
tsushanth wants to merge 1 commit into
tinyauthapp:mainfrom
tsushanth:fix/ldap-basic-auth-use-dn-not-uid

Conversation

@tsushanth

@tsushanth tsushanth commented Jul 16, 2026

Copy link
Copy Markdown

Problem

basicAuth and cookieAuth both call SearchUser to resolve an incoming username, then call GetLDAPUser with the result — but they pass different arguments:

Function Argument passed to GetLDAPUser
cookieAuth (LDAP branch, line 197) search.Username (the DN returned by SearchUser)
basicAuth (LDAP branch, line 285) username (the raw uid from the HTTP Authorization header)

GetLDAPUser builds a group-membership query using uniquemember=<value>. LDAP uniquemember attributes store full Distinguished Names (e.g. uid=alice,ou=users,dc=example,dc=com), not bare uids. Passing a raw uid produces zero matches, so user.Groups is always empty for any LDAP user authenticating via Basic Auth. All group-based ACL rules are silently bypassed or denied depending on policy.

cookieAuth has the correct pattern: it uses search.Username, which is the DN that SearchUser returns. basicAuth should do the same.

Fix

One-line change in internal/middleware/context_middleware.go, basicAuth LDAP case:

// before
user, err := m.auth.GetLDAPUser(username)

// after
user, err := m.auth.GetLDAPUser(search.Username)

search is already in scope — it is the *model.UserSearch returned by the SearchUser call earlier in the same function.

Closes #848

Summary by CodeRabbit

  • Bug Fixes
    • Improved LDAP authentication by consistently using the authenticated username when retrieving user details.
    • Helps ensure the correct LDAP user context is created during login.

@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jul 16, 2026
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 12a6bf09-0ad0-48ce-96b7-eee77c321f31

📥 Commits

Reviewing files that changed from the base of the PR and between 04a06ec and e04f7b8.

📒 Files selected for processing (1)
  • internal/middleware/context_middleware.go

📝 Walkthrough

Walkthrough

The LDAP BasicAuth path now retrieves user details using the username returned by the LDAP search.

Changes

LDAP authentication

Layer / File(s) Summary
Use searched LDAP username
internal/middleware/context_middleware.go
The LDAP user lookup now passes search.Username to GetLDAPUser instead of the incoming BasicAuth username.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested reviewers: steveiliop56

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The change only swaps the LDAP identifier and does not address the TinyAuth proxying, injected credentials, or error-handling requirements in #848. Implement the full TinyAuth/Dispatcharr basic-auth flow, including credential injection, internal auth support, and explicit failure handling.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the LDAP BasicAuth change from uid to DN in GetLDAPUser.
Out of Scope Changes check ✅ Passed The one-line LDAP identifier change is directly related to the stated objective and introduces no unrelated code.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:XS This PR changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Dispatcharr basic auth via tinyauth.

1 participant