From 2fb3d5ad7200a1094998c60e5c3e108a2a25361d Mon Sep 17 00:00:00 2001
From: Sven Haardiek <sven.haardiek@uni-muenster.de>
Date: Sat, 11 Dec 2021 15:56:53 +0100
Subject: [PATCH 1/2] Add option search_filter to ldap

This patch adds an option to override the search filter that is otherwise
constructed from ldap_identifier_attribute with a custom, more complex filter,
because a single attribute equality match is sometimes not sufficient.
---
 .../microservices/ldap_attribute_store.yaml.example       | 5 +++++
 src/satosa/micro_services/ldap_attribute_store.py         | 8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/example/plugins/microservices/ldap_attribute_store.yaml.example b/example/plugins/microservices/ldap_attribute_store.yaml.example
index 4efe85072..77be74e44 100644
--- a/example/plugins/microservices/ldap_attribute_store.yaml.example
+++ b/example/plugins/microservices/ldap_attribute_store.yaml.example
@@ -84,6 +84,11 @@ config:
 
       ldap_identifier_attribute: uid
 
+      # Override the contructed search_filter with ldap_identifier_attribute
+      # with an own filter. This allows more komplex queries.
+      # {0} will be injected with the ordered_identifier_candidates.
+      search_filter: None
+
       # Whether to clear values for attributes incoming
       # to this microservice. Default is no or false.
       clear_input_attributes: no
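Review bot: `search_filter: None` in the added example does not disable the override: YAML has no `None` literal, so the value loads as the string "None", which is truthy in the `if config["search_filter"]:` check on the Python side and would make every LDAP query run with the filter `None`. Use `search_filter: null` (or `~`), or leave the key commented out as in `# search_filter: "(&(uid={0})(isMemberOf=authorized))"`. The comment above it also says `{0}` is injected with the `ordered_identifier_candidates`; from the loop in `process` it receives one candidate value per query, so `# {0} is replaced with each identifier candidate in turn` describes it more accurately.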
diff --git a/src/satosa/micro_services/ldap_attribute_store.py b/src/satosa/micro_services/ldap_attribute_store.py
index 6d61559b1..d5c1f05eb 100644
--- a/src/satosa/micro_services/ldap_attribute_store.py
+++ b/src/satosa/micro_services/ldap_attribute_store.py
@@ -46,6 +46,7 @@ class LdapAttributeStore(ResponseMicroService):
         "clear_input_attributes": False,
         "ignore": False,
         "ldap_identifier_attribute": None,
+        "search_filter": None,
         "ldap_url": None,
         "ldap_to_internal_map": None,
         "on_ldap_search_result_empty": None,
@@ -473,8 +474,11 @@ def process(self, context, data):
         logger.debug(logline)
 
         for filter_val in filter_values:
-            ldap_ident_attr = config["ldap_identifier_attribute"]
-            search_filter = "({0}={1})".format(ldap_ident_attr, filter_val)
+            if config["search_filter"]:
+                search_filter = config["search_filter"].format(filter_val)
+            else:
+                ldap_ident_attr = config["ldap_identifier_attribute"]
+                search_filter = "({0}={1})".format(ldap_ident_attr, filter_val)
             msg = {
                 "message": "LDAP query with constructed search filter",
                 "search filter": search_filter,
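Review bot: The new branch passes `filter_val` straight into `str.format` on an operator-supplied template, so the value lands inside the LDAP filter unescaped; unless `filter_val` is already run through `ldap3.utils.conv.escape_filter_chars` earlier in `process` (outside this hunk, and the existing `(attr=value)` branch has the same property), a candidate containing `*`, `(`, `)` or `\` can change the meaning of the filter, which matters more here because the override is meant to express conditions such as `isMemberOf`. If escaping is not done upstream, `search_filter = config["search_filter"].format(escape_filter_chars(filter_val))` closes that, with the corresponding import at the top of the file. Separately, `str.format` treats every `{`/`}` in the template as a replacement field, so a template with a literal brace fails with `ValueError`/`KeyError` at request time rather than at startup; either document that braces must be doubled or substitute with `config["search_filter"].replace("{0}", filter_val)`. The `process` method starts before this hunk.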

From 52dce96454fd83f359ad8524c524e5d261e44dca Mon Sep 17 00:00:00 2001
From: Sven Haardiek <sven.haardiek@uni-muenster.de>
Date: Tue, 22 Feb 2022 16:14:14 +0100
Subject: [PATCH 2/2] Update example like suggested in the Pull Request

---
 .../plugins/microservices/ldap_attribute_store.yaml.example   | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/example/plugins/microservices/ldap_attribute_store.yaml.example b/example/plugins/microservices/ldap_attribute_store.yaml.example
index 77be74e44..033737924 100644
--- a/example/plugins/microservices/ldap_attribute_store.yaml.example
+++ b/example/plugins/microservices/ldap_attribute_store.yaml.example
@@ -85,8 +85,10 @@ config:
       ldap_identifier_attribute: uid
 
       # Override the contructed search_filter with ldap_identifier_attribute
-      # with an own filter. This allows more komplex queries.
+      # with an own filter. This allows more complex queries.
       # {0} will be injected with the ordered_identifier_candidates.
+      # For example:
+      # search_filter: "(&(uid={0})(isMemberOf=authorized))"
       search_filter: None
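Review bot: The explanatory comment around the new example should state how the template is expanded, since the code uses Python `str.format`: something like `# The filter is a Python format string: {0} is replaced with each identifier candidate in turn; any literal { or } must be written as {{ or }}.` would spare operators a request-time formatting error. The `contructed` typo on the first context line could be fixed in the same pass. The trailing `search_filter: None` remains a YAML string rather than a null and is better written as `search_filter: null` or left commented out.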
 
       # Whether to clear values for attributes incoming