Capture LDAP configuration

domain/auth/ldap/ad_test.go

@@ -31,8 +31,8 @@ var testConfigPublicAD = lm.LDAPConfig{
 	BaseDN:                   "DC=mycompany,DC=local",
 	BindDN:                   "CN=ad-admin,CN=Users,DC=mycompany,DC=local",
 	BindPassword:             "8B5tNRLvbk8K",
-	UserFilter:               "",
+	UserFilter:               "(|(objectCategory=person)(objectClass=user)(objectClass=inetOrgPerson))",
-	GroupFilter:              "",
+	GroupFilter:              "(|(cn=Accounting)(cn=IT))",
 	AttributeUserRDN:         "sAMAccountName",
 	AttributeUserFirstname:   "givenName",
 	AttributeUserLastname:    "sn",
@@ -43,8 +43,6 @@ var testConfigPublicAD = lm.LDAPConfig{
 }
 
 func TestUserFilter_PublicAD(t *testing.T) {
-	testConfigPublicAD.UserFilter = "(|(objectCategory=person)(objectClass=user)(objectClass=inetOrgPerson))"
-
 	e, err := executeUserFilter(testConfigPublicAD)
 	if err != nil {
 		t.Error("unable to exeucte user filter", err.Error())
@@ -64,8 +62,6 @@ func TestUserFilter_PublicAD(t *testing.T) {
 }
 
 func TestGroupFilter_PublicAD(t *testing.T) {
-	testConfigPublicAD.GroupFilter = "(|(cn=Accounting)(cn=IT))"
-
 	e, err := executeGroupFilter(testConfigPublicAD)
 	if err != nil {
 		t.Error("unable to exeucte group filter", err.Error())

domain/auth/ldap/endpoint.go

@@ -14,9 +14,9 @@ package ldap
 import (
 	"crypto/tls"
 	// "database/sql"
-	// "encoding/json"
+	"encoding/json"
 	"fmt"
-	// "io/ioutil"
+	"io/ioutil"
 	"net/http"
 	// "sort"
 	// "strings"
@@ -24,15 +24,15 @@ import (
 	"github.com/documize/community/core/env"
 	"github.com/documize/community/core/response"
 	// "github.com/documize/community/core/secrets"
-	// "github.com/documize/community/core/streamutil"
+	"github.com/documize/community/core/streamutil"
 	// "github.com/documize/community/core/stringutil"
 	"github.com/documize/community/domain"
 	// "github.com/documize/community/domain/auth"
 	// usr "github.com/documize/community/domain/user"
 	ath "github.com/documize/community/model/auth"
 	lm "github.com/documize/community/model/auth"
+	"github.com/documize/community/model/user"
 	ld "gopkg.in/ldap.v2"
-	// "github.com/documize/community/model/user"
 )
 
 // Handler contains the runtime information such as logging and database.
@@ -41,6 +41,70 @@ type Handler struct {
 	Store   *domain.Store
 }
 
+// Preview connects to LDAP using paylaod and returns
+// first 100 users for.
+// and marks Keycloak disabled users as inactive.
+func (h *Handler) Preview(w http.ResponseWriter, r *http.Request) {
+	h.Runtime.Log.Info("Sync'ing with LDAP")
+
+	ctx := domain.GetRequestContext(r)
+	if !ctx.Administrator {
+		response.WriteForbiddenError(w)
+		return
+	}
+
+	var result struct {
+		Message string      `json:"message"`
+		IsError bool        `json:"isError"`
+		Users   []user.User `json:"users"`
+	}
+
+	// Read the request.
+	defer streamutil.Close(r.Body)
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		result.Message = "Error: unable read request body"
+		result.IsError = true
+		response.WriteJSON(w, result)
+		h.Runtime.Log.Error(result.Message, err)
+		return
+	}
+
+	// Decode LDAP config.
+	c := lm.LDAPConfig{}
+	err = json.Unmarshal(body, &c)
+	if err != nil {
+		result.Message = "Error: unable read LDAP configuration payload"
+		result.IsError = true
+		response.WriteJSON(w, result)
+		h.Runtime.Log.Error(result.Message, err)
+		return
+	}
+
+	h.Runtime.Log.Info("Fetching LDAP users")
+
+	users, err := fetchUsers(c)
+	if err != nil {
+		result.Message = "Error: unable fetch users from LDAP"
+		result.IsError = true
+		response.WriteJSON(w, result)
+		h.Runtime.Log.Error(result.Message, err)
+		return
+	}
+
+	result.IsError = false
+	result.Message = fmt.Sprintf("Sync'ed with LDAP, found %d users", len(users))
+	if len(users) > 100 {
+		result.Users = users[:100]
+	} else {
+		result.Users = users
+	}
+
+	h.Runtime.Log.Info(result.Message)
+
+	response.WriteJSON(w, result)
+}
+
 // Sync gets list of Keycloak users and inserts new users into Documize
 // and marks Keycloak disabled users as inactive.
 func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
@@ -233,145 +297,145 @@ func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
 }
 
 // Authenticate checks Keycloak authentication credentials.
-// func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
+func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
-// 	method := "authenticate"
+	// 	method := "authenticate"
-// 	ctx := domain.GetRequestContext(r)
+	// 	ctx := domain.GetRequestContext(r)
 
-// 	defer streamutil.Close(r.Body)
+	// 	defer streamutil.Close(r.Body)
-// 	body, err := ioutil.ReadAll(r.Body)
+	// 	body, err := ioutil.ReadAll(r.Body)
-// 	if err != nil {
+	// 	if err != nil {
-// 		response.WriteBadRequestError(w, method, "Bad payload")
+	// 		response.WriteBadRequestError(w, method, "Bad payload")
-// 		h.Runtime.Log.Error(method, err)
+	// 		h.Runtime.Log.Error(method, err)
-// 		return
+	// 		return
-// 	}
+	// 	}
 
-// 	a := ath.KeycloakAuthRequest{}
+	// 	a := ath.KeycloakAuthRequest{}
-// 	err = json.Unmarshal(body, &a)
+	// 	err = json.Unmarshal(body, &a)
-// 	if err != nil {
+	// 	if err != nil {
-// 		response.WriteBadRequestError(w, method, err.Error())
+	// 		response.WriteBadRequestError(w, method, err.Error())
-// 		h.Runtime.Log.Error(method, err)
+	// 		h.Runtime.Log.Error(method, err)
-// 		return
+	// 		return
-// 	}
+	// 	}
 
-// 	a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
+	// 	a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
-// 	a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains
+	// 	a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains
-// 	a.Email = strings.TrimSpace(strings.ToLower(a.Email))
+	// 	a.Email = strings.TrimSpace(strings.ToLower(a.Email))
 
-// 	// Check for required fields.
+	// 	// Check for required fields.
-// 	if len(a.Email) == 0 {
+	// 	if len(a.Email) == 0 {
-// 		response.WriteUnauthorizedError(w)
+	// 		response.WriteUnauthorizedError(w)
-// 		return
+	// 		return
-// 	}
+	// 	}
 
-// 	org, err := h.Store.Organization.GetOrganizationByDomain(a.Domain)
+	// 	org, err := h.Store.Organization.GetOrganizationByDomain(a.Domain)
-// 	if err != nil {
+	// 	if err != nil {
-// 		response.WriteUnauthorizedError(w)
+	// 		response.WriteUnauthorizedError(w)
-// 		h.Runtime.Log.Error(method, err)
+	// 		h.Runtime.Log.Error(method, err)
-// 		return
+	// 		return
-// 	}
+	// 	}
 
-// 	ctx.OrgID = org.RefID
+	// 	ctx.OrgID = org.RefID
 
-// 	// Fetch Keycloak auth provider config
+	// 	// Fetch Keycloak auth provider config
-// 	ac := ath.KeycloakConfig{}
+	// 	ac := ath.KeycloakConfig{}
-// 	err = json.Unmarshal([]byte(org.AuthConfig), &ac)
+	// 	err = json.Unmarshal([]byte(org.AuthConfig), &ac)
-// 	if err != nil {
+	// 	if err != nil {
-// 		response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key")
+	// 		response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key")
-// 		h.Runtime.Log.Error(method, err)
+	// 		h.Runtime.Log.Error(method, err)
-// 		return
+	// 		return
-// 	}
+	// 	}
 
-// 	// Decode and prepare RSA Public Key used by keycloak to sign JWT.
+	// 	// Decode and prepare RSA Public Key used by keycloak to sign JWT.
-// 	pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey))
+	// 	pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey))
-// 	if err != nil {
+	// 	if err != nil {
-// 		response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key")
+	// 		response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key")
-// 		h.Runtime.Log.Error(method, err)
+	// 		h.Runtime.Log.Error(method, err)
-// 		return
+	// 		return
-// 	}
+	// 	}
-// 	pk := string(pkb)
+	// 	pk := string(pkb)
-// 	pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk)
+	// 	pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk)
 
-// 	// Decode and verify Keycloak JWT
+	// 	// Decode and verify Keycloak JWT
-// 	claims, err := auth.DecodeKeycloakJWT(a.Token, pk)
+	// 	claims, err := auth.DecodeKeycloakJWT(a.Token, pk)
-// 	if err != nil {
+	// 	if err != nil {
-// 		response.WriteBadRequestError(w, method, err.Error())
+	// 		response.WriteBadRequestError(w, method, err.Error())
-// 		h.Runtime.Log.Info("decodeKeycloakJWT failed")
+	// 		h.Runtime.Log.Info("decodeKeycloakJWT failed")
-// 		return
+	// 		return
-// 	}
+	// 	}
 
-// 	// Compare the contents from JWT with what we have.
+	// 	// Compare the contents from JWT with what we have.
-// 	// Guards against MITM token tampering.
+	// 	// Guards against MITM token tampering.
-// 	if a.Email != claims["email"].(string) {
+	// 	if a.Email != claims["email"].(string) {
-// 		response.WriteUnauthorizedError(w)
+	// 		response.WriteUnauthorizedError(w)
-// 		h.Runtime.Log.Info(">> Start Keycloak debug")
+	// 		h.Runtime.Log.Info(">> Start Keycloak debug")
-// 		h.Runtime.Log.Info(a.Email)
+	// 		h.Runtime.Log.Info(a.Email)
-// 		h.Runtime.Log.Info(claims["email"].(string))
+	// 		h.Runtime.Log.Info(claims["email"].(string))
-// 		h.Runtime.Log.Info(">> End Keycloak debug")
+	// 		h.Runtime.Log.Info(">> End Keycloak debug")
-// 		return
+	// 		return
-// 	}
+	// 	}
 
-// 	h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)
+	// 	h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)
 
-// 	u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email)
+	// 	u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email)
-// 	if err != nil && err != sql.ErrNoRows {
+	// 	if err != nil && err != sql.ErrNoRows {
-// 		response.WriteServerError(w, method, err)
+	// 		response.WriteServerError(w, method, err)
-// 		h.Runtime.Log.Error(method, err)
+	// 		h.Runtime.Log.Error(method, err)
-// 		return
+	// 		return
-// 	}
+	// 	}
 
-// 	// Create user account if not found
+	// 	// Create user account if not found
-// 	if err == sql.ErrNoRows {
+	// 	if err == sql.ErrNoRows {
-// 		h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain)
+	// 		h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain)
 
-// 		u = user.User{}
+	// 		u = user.User{}
-// 		u.Firstname = a.Firstname
+	// 		u.Firstname = a.Firstname
-// 		u.Lastname = a.Lastname
+	// 		u.Lastname = a.Lastname
-// 		u.Email = a.Email
+	// 		u.Email = a.Email
-// 		u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
+	// 		u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
-// 		u.Salt = secrets.GenerateSalt()
+	// 		u.Salt = secrets.GenerateSalt()
-// 		u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
+	// 		u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
 
-// 		err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
+	// 		err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
-// 		if err != nil {
+	// 		if err != nil {
-// 			response.WriteServerError(w, method, err)
+	// 			response.WriteServerError(w, method, err)
-// 			h.Runtime.Log.Error(method, err)
+	// 			h.Runtime.Log.Error(method, err)
-// 			return
+	// 			return
-// 		}
+	// 		}
-// 	}
+	// 	}
 
-// 	// Password correct and active user
+	// 	// Password correct and active user
-// 	if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) {
+	// 	if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) {
-// 		response.WriteUnauthorizedError(w)
+	// 		response.WriteUnauthorizedError(w)
-// 		return
+	// 		return
-// 	}
+	// 	}
 
-// 	// Attach user accounts and work out permissions.
+	// 	// Attach user accounts and work out permissions.
-// 	usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
+	// 	usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
 
-// 	// No accounts signals data integrity problem
+	// 	// No accounts signals data integrity problem
-// 	// so we reject login request.
+	// 	// so we reject login request.
-// 	if len(u.Accounts) == 0 {
+	// 	if len(u.Accounts) == 0 {
-// 		response.WriteUnauthorizedError(w)
+	// 		response.WriteUnauthorizedError(w)
-// 		h.Runtime.Log.Error(method, err)
+	// 		h.Runtime.Log.Error(method, err)
-// 		return
+	// 		return
-// 	}
+	// 	}
 
-// 	// Abort login request if account is disabled.
+	// 	// Abort login request if account is disabled.
-// 	for _, ac := range u.Accounts {
+	// 	for _, ac := range u.Accounts {
-// 		if ac.OrgID == org.RefID {
+	// 		if ac.OrgID == org.RefID {
-// 			if ac.Active == false {
+	// 			if ac.Active == false {
-// 				response.WriteUnauthorizedError(w)
+	// 				response.WriteUnauthorizedError(w)
-// 				h.Runtime.Log.Error(method, err)
+	// 				h.Runtime.Log.Error(method, err)
-// 				return
+	// 				return
-// 			}
+	// 			}
-// 			break
+	// 			break
-// 		}
+	// 		}
-// 	}
+	// 	}
 
-// 	// Generate JWT token
+	// 	// Generate JWT token
-// 	authModel := ath.AuthenticationModel{}
+	// 	authModel := ath.AuthenticationModel{}
-// 	authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain)
+	// 	authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain)
-// 	authModel.User = u
+	// 	authModel.User = u
 
-// 	response.WriteJSON(w, authModel)
+	// 	response.WriteJSON(w, authModel)
-// }
+}

domain/auth/ldap/ldap.go

@@ -16,8 +16,9 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/documize/community/core/stringutil"
 	lm "github.com/documize/community/model/auth"
-	// "github.com/documize/community/model/user"
+	"github.com/documize/community/model/user"
 	"github.com/pkg/errors"
 	ld "gopkg.in/ldap.v2"
 )
@@ -201,9 +202,79 @@ func executeGroupFilter(c lm.LDAPConfig) (u []lm.LDAPUser, err error) {
 func extractUser(c lm.LDAPConfig, e *ld.Entry) (u lm.LDAPUser) {
 	u.Firstname = e.GetAttributeValue(c.AttributeUserFirstname)
 	u.Lastname = e.GetAttributeValue(c.AttributeUserLastname)
-	u.Email = e.GetAttributeValue(c.AttributeUserEmail)
+	u.Email = strings.ToLower(e.GetAttributeValue(c.AttributeUserEmail))
 	u.RemoteID = e.GetAttributeValue(c.AttributeUserRDN)
 	u.CN = e.GetAttributeValue("cn")
 
+	// Make name elements from DisplayName if we can.
+	if (len(u.Firstname) == 0 || len(u.Firstname) == 0) &&
+		len(e.GetAttributeValue(c.AttributeUserDisplayName)) > 0 {
+	}
+
+	if len(u.Firstname) == 0 {
+		u.Firstname = "Empty"
+	}
+	if len(u.Lastname) == 0 {
+		u.Lastname = "Empty"
+	}
+
+	return
+}
+
+// ConvertUsers creates a unique list of users using email as primary key.
+// The result is a collection of Documize user objects.
+func convertUsers(c lm.LDAPConfig, lu []lm.LDAPUser) (du []user.User) {
+	for _, i := range lu {
+		add := true
+		for _, j := range du {
+			if len(j.Email) > 0 && i.Email == j.Email {
+				add = false
+				break
+			}
+		}
+		// skip if empty email address
+		add = len(i.Email) > 0
+		if add {
+			nu := user.User{}
+			nu.Editor = c.DefaultPermissionAddSpace
+			nu.Active = true
+			nu.Email = i.Email
+			nu.ViewUsers = false
+			nu.Analytics = false
+			nu.Admin = false
+			nu.Global = false
+			nu.Firstname = i.Firstname
+			nu.Lastname = i.Lastname
+			nu.Initials = stringutil.MakeInitials(i.Firstname, i.Lastname)
+
+			du = append(du, nu)
+		}
+	}
+
+	return
+}
+
+// FetchUsers from LDAP server using both User and Group filters.
+func fetchUsers(c lm.LDAPConfig) (du []user.User, err error) {
+	du = []user.User{}
+
+	e1, err := executeUserFilter(c)
+	if err != nil {
+		err = errors.Wrap(err, "unable to execute user filter")
+		return
+	}
+
+	e2, err := executeGroupFilter(c)
+	if err != nil {
+		err = errors.Wrap(err, "unable to execute group filter")
+		return
+	}
+
+	// convert users from LDAP format to Documize format.
+	e3 := []lm.LDAPUser{}
+	e3 = append(e3, e1...)
+	e3 = append(e3, e2...)
+	du = convertUsers(c, e3)
+
 	return
 }

domain/auth/ldap/local_test.go

@@ -60,6 +60,32 @@ func TestUserFilter_LocalLDAP(t *testing.T) {
 	}
 }
 
+func TestDualFilters_LocalLDAP(t *testing.T) {
+	testConfigLocalLDAP.UserFilter = "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
+	e1, err := executeUserFilter(testConfigLocalLDAP)
+	if err != nil {
+		t.Error("unable to exeucte user filter", err.Error())
+		return
+	}
+
+	testConfigLocalLDAP.GroupFilter = "(&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff)))"
+	e2, err := executeGroupFilter(testConfigLocalLDAP)
+	if err != nil {
+		t.Error("unable to exeucte group filter", err.Error())
+		return
+	}
+
+	e3 := []lm.LDAPUser{}
+	e3 = append(e3, e1...)
+	e3 = append(e3, e2...)
+	users := convertUsers(testConfigLocalLDAP, e3)
+
+	for _, u := range users {
+		t.Logf("(%s %s) @ %s\n",
+			u.Firstname, u.Lastname, u.Email)
+	}
+}
+
 func TestGroupFilter_LocalLDAP(t *testing.T) {
 	testConfigLocalLDAP.GroupFilter = "(&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff)))"
 
@@ -74,11 +100,6 @@ func TestGroupFilter_LocalLDAP(t *testing.T) {
 	}
 
 	t.Logf("LDAP group search entries found: %d", len(e))
-
-	for _, u := range e {
-		t.Logf("[%s] %s (%s %s) @ %s\n",
-			u.RemoteID, u.CN, u.Firstname, u.Lastname, u.Email)
-	}
 }
 
 func TestAuthenticate_LocalLDAP(t *testing.T) {

gui/app/components/customize/auth-settings.js

@@ -20,12 +20,17 @@ import Component from '@ember/component';
 
 export default Component.extend(Notifier, {
 	appMeta: service(),
+
 	isDocumizeProvider: computed('authProvider', function() {
 		return this.get('authProvider') === this.get('constants').AuthProvider.Documize;
 	}),
 	isKeycloakProvider: computed('authProvider', function() {
 		return this.get('authProvider') === this.get('constants').AuthProvider.Keycloak;
 	}),
+	isLDAPProvider: computed('authProvider', function() {
+		return this.get('authProvider') === this.get('constants').AuthProvider.LDAP;
+	}),
+
 	KeycloakUrlError: empty('keycloakConfig.url'),
 	KeycloakRealmError: empty('keycloakConfig.realm'),
 	KeycloakClientIdError: empty('keycloakConfig.clientId'),
@@ -34,9 +39,28 @@ export default Component.extend(Notifier, {
 	KeycloakAdminPasswordError: empty('keycloakConfig.adminPassword'),
 	keycloakFailure: '',
 
+	ldapErrorServerHost: empty('ldapConfig.serverHost'),
+	ldapErrorServerPort: computed('ldapConfig.serverPort', function() {
+		return is.empty(this.get('ldapConfig.serverPort')) || is.not.number(parseInt(this.get('ldapConfig.serverPort')));
+	}),
+	ldapErrorBindDN: empty('ldapConfig.bindDN'),
+	ldapErrorBindPassword: empty('ldapConfig.bindPassword'),
+	ldapErrorNoFilter: computed('ldapConfig.{userFilter,groupFilter}', function() {
+		return is.empty(this.get('ldapConfig.userFilter')) && is.empty(this.get('ldapConfig.groupFilter'));
+	}),
+	ldapErrorAttributeUserRDN: empty('ldapConfig.attributeUserRDN'),
+	ldapErrorAttributeUserFirstname: empty('ldapConfig.attributeUserFirstname'),
+	ldapErrorAttributeUserLastname: empty('ldapConfig.attributeUserLastname'),
+	ldapErrorAttributeUserEmail: empty('ldapConfig.attributeUserEmail'),
+	ldapErrorAttributeGroupMember: computed('ldapConfig.{groupFilter,attributeGroupMember}', function() {
+		return is.not.empty(this.get('ldapConfig.groupFilter')) && is.empty(this.get('ldapConfig.attributeGroupMember'));
+	}),
+
 	init() {
 		this._super(...arguments);
 
+		let constants = this.get('constants');
+
 		this.keycloakConfig = {
 			url: '',
 			realm: '',
@@ -48,6 +72,27 @@ export default Component.extend(Notifier, {
 			disableLogout: false,
 			defaultPermissionAddSpace: false
 		};
+
+		this.ldapConfig =  {
+			serverType:               constants.AuthProvider.ServerTypeLDAP,
+			serverHost:               '',
+			serverPort:               389,
+			encryptionType:           constants.AuthProvider.EncryptionTypeStartTLS,
+			baseDN:                   "",
+			bindDN:                   "cn=admin,dc=planetexpress,dc=com",
+			bindPassword:             "GoodNewsEveryone",
+			userFilter:               "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))",
+			groupFilter:              "(&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff)))",
+			attributeUserRDN:         "uid",
+			attributeUserFirstname:   "givenName",
+			attributeUserLastname:    "sn",
+			attributeUserEmail:       "mail",
+			attributeUserDisplayName: "",
+			attributeUserGroupName:   "",
+			attributeGroupMember:     "member",
+			disableLogout: false,
+			defaultPermissionAddSpace: false
+		};
 	},
 
 	didReceiveAttrs() {
@@ -60,6 +105,7 @@ export default Component.extend(Notifier, {
 			case constants.AuthProvider.Documize:
 				// nothing to do
 				break;
+
 			case constants.AuthProvider.Keycloak: // eslint-disable-line no-case-declarations
 				let config = this.get('authConfig');
 
@@ -74,6 +120,19 @@ export default Component.extend(Notifier, {
 
 				this.set('keycloakConfig', config);
 				break;
+
+			case constants.AuthProvider.LDAP: // eslint-disable-line no-case-declarations
+				let ldapConfig = this.get('authConfig');
+
+				if (is.undefined(ldapConfig) || is.null(ldapConfig) || is.empty(ldapConfig) ) {
+					ldapConfig = {};
+				} else {
+					ldapConfig.defaultPermissionAddSpace = ldapConfig.hasOwnProperty('defaultPermissionAddSpace') ? ldapConfig.defaultPermissionAddSpace : false;
+					ldapConfig.disableLogout = ldapConfig.hasOwnProperty('disableLogout') ? ldapConfig.disableLogout : true;
+				}
+
+				this.set('ldapConfig', ldapConfig);
+				break;
 		}
 	},
 
@@ -88,6 +147,15 @@ export default Component.extend(Notifier, {
 			this.set('authProvider', constants.AuthProvider.Keycloak);
 		},
 
+		onLDAP() {
+			let constants = this.get('constants');
+			this.set('authProvider', constants.AuthProvider.LDAP);
+		},
+
+		onLDAPEncryption(e) {
+			this.set('ldapConfig.encryptionType', e);
+		},
+
 		onSave() {
 			let constants = this.get('constants');
 			let provider = this.get('authProvider');
@@ -99,6 +167,7 @@ export default Component.extend(Notifier, {
 				case constants.AuthProvider.Documize:
 					config = {};
 					break;
+
 				case constants.AuthProvider.Keycloak:
 					if (this.get('KeycloakUrlError')) {
 						this.$("#keycloak-url").focus();
@@ -142,13 +211,31 @@ export default Component.extend(Notifier, {
 
 					set(config, 'publicKey', encoding.Base64.encode(this.get('keycloakConfig.publicKey')));
 					break;
+
+				case constants.AuthProvider.LDAP:
+					if (this.get('ldapErrorServerHost')) {
+						this.$("#ldap-host").focus();
+						return;
+					}
+					if (this.get('ldapErrorServerPort')) {
+						this.$("#ldap-port").focus();
+						return;
+					}
+
+					config = copy(this.get('ldapConfig'));
+					config.serverHost = config.serverHost.trim();
+					config.serverPort = parseInt(this.get('ldapConfig.serverPort'));
+					break;
 			}
 
+			debugger;
+
 			this.showWait();
 
 			let data = { authProvider: provider, authConfig: JSON.stringify(config) };
 
 			this.get('onSave')(data).then(() => {
+				// Without sync we cannot log in
 				if (data.authProvider === constants.AuthProvider.Keycloak) {
 					this.get('onSync')().then((response) => {
 						if (response.isError) {
@@ -165,6 +252,7 @@ export default Component.extend(Notifier, {
 						}
 					});
 				}
+
 				this.showDone();
 			});
 		}

gui/app/constants/constants.js

@@ -24,7 +24,11 @@ let constants = EmberObject.extend({
     AuthProvider: { // eslint-disable-line ember/avoid-leaking-state-in-ember-objects
         Documize: 'documize',
 		Keycloak: 'keycloak',
-		LDAP: 'ldap'
+		LDAP: 'ldap',
+		ServerTypeLDAP: 'ldap',
+		ServerTypeAD: 'ad',
+		EncryptionTypeNone: 'none',
+		EncryptionTypeStartTLS: 'starttls'
     },
 
 	DocumentActionType: { // eslint-disable-line ember/avoid-leaking-state-in-ember-objects

gui/app/pods/customize/auth/route.js

@@ -26,11 +26,36 @@ export default Route.extend(AuthenticatedRouteMixin, {
 	},
 
 	model() {
+		let constants = this.get('constants');
+
 		let data = {
 			authProvider: this.get('appMeta.authProvider'),
 			authConfig: null,
 		};
 
+		let config = {
+			ServerType:               constants.AuthProvider.ServerTypeLDAP,
+			ServerHost:               "127.0.0.1",
+			ServerPort:               389,
+			EncryptionType:           constants.AuthProvider.EncryptionTypeStartTLS,
+			BaseDN:                   "ou=people,dc=planetexpress,dc=com",
+			BindDN:                   "cn=admin,dc=planetexpress,dc=com",
+			BindPassword:             "GoodNewsEveryone",
+			UserFilter:               "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))",
+			GroupFilter:              "(&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff)))",
+			AttributeUserRDN:         "uid",
+			AttributeUserFirstname:   "givenName",
+			AttributeUserLastname:    "sn",
+			AttributeUserEmail:       "mail",
+			AttributeUserDisplayName: "",
+			AttributeUserGroupName:   "",
+			AttributeGroupMember:     "member",
+		};
+
+		this.get('global').previewLDAP(config).then((r) => {
+			console.log(r);
+		});
+
 		return new EmberPromise((resolve) => {
 			let constants = this.get('constants');
 

gui/app/pods/customize/auth/template.hbs

@@ -1,2 +1,2 @@
-{{customize/auth-settings authProvider=model.authProvider authConfig=model.authConfig 
+{{customize/auth-settings authProvider=model.authProvider authConfig=model.authConfig
     onSave=(action 'onSave') onSync=(action 'onSync') onChange=(action 'onChange')}}

gui/app/services/global.js

@@ -106,6 +106,19 @@ export default Service.extend({
 		}
 	},
 
+	previewLDAP(config) {
+		if(this.get('sessionService.isAdmin')) {
+			return this.get('ajax').request(`global/sync/ldap/preview`, {
+				method: 'POST',
+				data: JSON.stringify(config)
+			}).then((response) => {
+				return response;
+			}).catch((error) => {
+				return error;
+			});
+		}
+	},
+
 	// Returns product license.
 	searchStatus() {
 		if (this.get('sessionService.isGlobalAdmin')) {

gui/app/styles/bootstrap.scss

@@ -80,9 +80,14 @@ $input-btn-focus-color:     rgba($color-primary, .25);
 		font-weight: 500;
 	}
 
-	> small {
+	> small, > div[class*="col"] > small {
 		font-size: 1rem;
 	}
+
+	> small.highlight, > div[class*="col"] > small.highlight {
+		font-size: 1rem;
+		color: $color-orange !important;
+	}
 }
 
 // links

gui/app/styles/color.scss

@@ -39,6 +39,7 @@ $color-red: #9E0D1F;
 $color-green: #348A37;
 $color-blue: #2667af;
 $color-goldy: #FFD700;
+$color-yellow: #fff8dc;
 $color-orange: #FFAD15;
 
 // widgets

gui/app/styles/widget/widget-list-picker.scss

@@ -7,37 +7,79 @@
 		padding: 0;
 
 		> .option {
-			@include ease-in();
+			@include border-radius(3px);
-			margin: 0 0 5px 0;
+			margin: 0 0 15px 0;
 			padding: 10px 15px;
 			color: $color-gray;
 			background-color: $color-off-white;
+			border: 1px solid $color-gray;
 			cursor: pointer;
 			position: relative;
 			list-style-type: none;
 		    line-height: 26px;
 
 			&:hover {
-				color: $color-black;
+				> .text-header, > .text {
-				// background-color: $color-primary-light;
+					color: $color-off-black;
+				}
+			}
+
+			> .text-header {
+				@include ease-in();
+				color: $color-gray;
+				font-size: 1.3rem;
+				font-weight: 600;
+				margin-bottom: 5px;
+				overflow: hidden;
+				text-overflow: ellipsis;
+				white-space: nowrap;
+				width: 80%;
 			}
 
 			> .text {
+				@include ease-in();
+				color: $color-gray;
+				font-size: 1rem;
+				font-weight: 500;
+				overflow: hidden;
+				text-overflow: ellipsis;
+				white-space: nowrap;
 				width: 80%;
-				font-weight: bold;
 			}
 
 			> .material-icons {
 				position: absolute;
 				top: 10px;
 				right: 10px;
-				color: $color-white;
+				color: $color-green;
+				font-weight: 700;
+				font-size: 1.3rem;
 			}
 		}
 
 		> .selected {
-			color: $color-white !important;
+			> .text-header, > .text {
-			background-color: $color-link !important;
+				color: $color-off-black;
+			}
+
+			background-color: $color-yellow !important;
+			border: 1px solid $color-goldy !important;
+		}
+	}
+}
+
+.widget-list-picker-horiz {
+	> .options {
+		> .option {
+			display: inline-block;
+			margin: 15px 15px 0 0;
+			padding: 10px 15px;
+			width: 30%;
+
+			@media only screen and (max-width: 1200px) {
+				display: block;
+				width: 100%;
+			}
 		}
 	}
 }

gui/app/templates/components/customize/auth-settings.hbs

@@ -9,91 +9,213 @@
 
 <div class="view-customize">
 	<form class="mt-5">
-		<div class="form-group row">
+		<div class="widget-list-picker widget-list-picker-horiz mb-5">
-			<label class="col-sm-2 col-form-label">Provider</label>
+			<ul class="options">
-			<div class="col-sm-10">
+				<li class="option {{if isDocumizeProvider 'selected'}}" {{action 'onDocumize'}}>
-				{{#ui/ui-radio selected=isDocumizeProvider onClick=(action 'onDocumize')}} Documize &mdash; email/password{{/ui/ui-radio}}
+					<div class="text-header">Documize</div>
-				{{#ui/ui-radio selected=isKeycloakProvider onClick=(action 'onKeycloak')}} Keycloak &mdash; bring your own authentication server{{/ui/ui-radio}}
+					<div class="text">Built-in email/password</div>
-				<small class="form-text text-muted">
+					{{#if isDocumizeProvider}}
-					External authentication servers, services must be accessible from the server running this Documize instance
+						<i class="material-icons">check</i>
-				</small>
+					{{/if}}
-			</div>
+				</li>
+				<li class="option {{if isKeycloakProvider 'selected'}}" {{action 'onKeycloak'}}>
+					<div class="text-header">Keycloak</div>
+					<div class="text">Via authentication server</div>
+					{{#if isKeycloakProvider}}
+						<i class="material-icons">check</i>
+					{{/if}}
+				</li>
+				<li class="option {{if isLDAPProvider 'selected'}}" {{action 'onLDAP'}}>
+					<div class="text-header">LDAP</div>
+					<div class="text">Connect to LDAP/ Active Directory</div>
+					{{#if isLDAPProvider}}
+						<i class="material-icons">check</i>
+					{{/if}}
+				</li>
+			</ul>
 		</div>
 
 		{{#if isKeycloakProvider}}
 			<div class="form-group row">
-				<label for="keycloak-url" class="col-sm-2 col-form-label">Keycloak Server URL</label>
+				<label for="keycloak-url" class="col-sm-3 col-form-label">Keycloak Server URL</label>
-				<div class="col-sm-10">
+				<div class="col-sm-9">
 					{{focus-input id="keycloak-url" type="text" value=keycloakConfig.url class=(if KeycloakUrlError 'form-control is-invalid' 'form-control')}}
 					<small class="form-text text-muted">e.g. http://localhost:8888/auth</small>
 				</div>
 			</div>
 			<div class="form-group row">
-				<label for="keycloak-realm" class="col-sm-2 col-form-label">Keycloak Realm</label>
+				<label for="keycloak-realm" class="col-sm-3 col-form-label">Keycloak Realm</label>
-				<div class="col-sm-10">
+				<div class="col-sm-9">
 					{{input id="keycloak-realm" type="text" value=keycloakConfig.realm class=(if KeycloakRealmError 'form-control is-invalid' 'form-control')}}
 					<small class="form-text text-muted">e.g. main</small>
 				</div>
 			</div>
 			<div class="form-group row">
-				<label for="keycloak-publicKey" class="col-sm-2 col-form-label">Keycloak Realm Public Key</label>
+				<label for="keycloak-publicKey" class="col-sm-3 col-form-label">Keycloak Realm Public Key</label>
-				<div class="col-sm-10">
+				<div class="col-sm-9">
 					{{textarea id="keycloak-publicKey" type="text" value=keycloakConfig.publicKey rows=7 class=(if KeycloakPublicKeyError 'form-control is-invalid' 'form-control')}}
 					<small class="form-text text-muted">Copy the RSA Public Key from Realm Settings &rarr; Keys</small>
 				</div>
 			</div>
 			<div class="form-group row">
-				<label for="keycloak-clientId" class="col-sm-2 col-form-label">Keycloak OIDC Client ID</label>
+				<label for="keycloak-clientId" class="col-sm-3 col-form-label">Keycloak OIDC Client ID</label>
-				<div class="col-sm-10">
+				<div class="col-sm-9">
 					{{input id="keycloak-clientId" type="text" value=keycloakConfig.clientId class=(if KeycloakClientIdError 'form-control is-invalid' 'form-control')}}
 					<small class="form-text text-muted">e.g. account</small>
 				</div>
 			</div>
 			<div class="form-group row">
-				<label for="keycloak-group" class="col-sm-2 col-form-label">Keycloak Group ID (Optional)</label>
+				<label for="keycloak-group" class="col-sm-3 col-form-label">Keycloak Group ID (Optional)</label>
-				<div class="col-sm-10">
+				<div class="col-sm-9">
 					{{input id="keycloak-group" type="text" value=keycloakConfig.group class="form-control"}}
 					<small class="form-text text-muted">If you want to sync users in a particular Group (e.g. 'Documize Users'), provide the Group ID (e.g. 511d8b61-1ec8-45f6-bc8d-5de64d54c9d2)</small>
 				</div>
 			</div>
 			<div class="form-group row">
-				<label for="keycloak-admin-user" class="col-sm-2 col-form-label">Keycloak Username</label>
+				<label for="keycloak-admin-user" class="col-sm-3 col-form-label">Keycloak Username</label>
-				<div class="col-sm-10">
+				<div class="col-sm-9">
 					{{input id="keycloak-admin-user" type="text" value=keycloakConfig.adminUser class=(if KeycloakAdminUserError 'form-control is-invalid' 'form-control')}}
 					<small class="form-text text-muted">Used to connect with Keycloak and sync users with Documize (create user under Master Realm and assign 'view-users' role
 						against Realm specified above)</small>
 				</div>
 			</div>
 			<div class="form-group row">
-				<label for="keycloak-admin-password" class="col-sm-2 col-form-label">Keycloak Password</label>
+				<label for="keycloak-admin-password" class="col-sm-3 col-form-label">Keycloak Password</label>
-				<div class="col-sm-10">
+				<div class="col-sm-9">
 					{{input id="keycloak-admin-password" type="password" value=keycloakConfig.adminPassword class=(if KeycloakAdminPasswordError 'form-control is-invalid' 'form-control')}}
 					<small class="form-text text-muted">Used to connect with Keycloak and sync users with Documize</small>
 				</div>
 			</div>
 			<div class="form-group row">
-				<label for="keycloak-admin-password" class="col-sm-2 col-form-label">Logout</label>
+				<label class="col-sm-3 col-form-label">Disable Logout</label>
-				<div class="col-sm-10">
+				<div class="col-sm-9">
-					<div class="form-check">
+					{{x-toggle value=keycloakConfig.disableLogout size="medium" theme="light" onToggle=(action (mut keycloakConfig.disableLogout))}}
-						{{input type="checkbox" class="form-check-input" id="keycloak-logout" checked=keycloakConfig.disableLogout}}
-						<label class="form-check-label" for="keycloak-logout">
-							Hide the logout button for Keycloak users
-						</label>
-					</div>
 				</div>
 			</div>
 			<div class="form-group row">
-				<label for="keycloak-admin-password" class="col-sm-2 col-form-label">Space Permission</label>
+				<label for="ldap-defaultPermissionAddSpace" class="col-sm-3 col-form-label">Can Create Spaces</label>
-				<div class="col-sm-10">
+				<div class="col-sm-9">
-					<div class="form-check">
+					{{x-toggle value=keycloakConfig.defaultPermissionAddSpace size="medium" theme="light" onToggle=(action (mut keycloakConfig.defaultPermissionAddSpace))}}
-						{{input type="checkbox" class="form-check-input" id="keycloak-perm" checked=keycloakConfig.defaultPermissionAddSpace}}
-						<label class="form-check-label" for="keycloak-perm">
-							Can add spaces
-						</label>
-					</div>
 				</div>
 			</div>
 		{{/if}}
+
+		{{#if isLDAPProvider}}
+			<div class="form-group row">
+				<label for="ldap-host" class="col-sm-3 col-form-label">LDAP Server</label>
+				<div class="col-sm-9">
+					{{focus-input id="ldap-host" type="text" value=ldapConfig.serverHost class=(if ldapErrorServerHost 'form-control is-invalid' 'form-control')}}
+					<small class="form-text text-muted">IP or host address, e.g. ldap.example.org, 127.0.0.1</small>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-port" class="col-sm-3 col-form-label">LDAP Server Port</label>
+				<div class="col-sm-9">
+					{{input id="ldap-port" type="number" value=ldapConfig.serverPort class=(if ldapErrorServerPort 'form-control is-invalid' 'form-control')}}
+					<small class="form-text text-muted">Port number, e.g. 389</small>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-encryption" class="col-sm-3 col-form-label">Encryption</label>
+				<div class="col-sm-9">
+					<select onchange={{action 'onLDAPEncryption' value="target.value"}} class="form-control">
+						<option value="{{constants.AuthProvider.EncryptionTypeNone}}" selected={{is-equal ldapConfig.encryptionType constants.AuthProvider.EncryptionTypeNone}}>
+							{{constants.AuthProvider.EncryptionTypeNone}}
+						</option>
+						<option value="{{constants.AuthProvider.EncryptionTypeStartTLS}}" selected={{is-equal ldapConfig.encryptionType constants.AuthProvider.EncryptionTypeStartTLS}}>
+							{{constants.AuthProvider.EncryptionTypeStartTLS}}
+						</option>
+					</select>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-baseDN" class="col-sm-3 col-form-label">Base DN</label>
+				<div class="col-sm-9">
+					{{input id="ldap-baseDN" type="number" value=ldapConfig.baseDN class='form-control'}}
+					<small class="form-text text-muted">Starting point for search filters, e.g. ou=users,dc=example,dc=com</small>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-bindDN" class="col-sm-3 col-form-label">Bind DN</label>
+				<div class="col-sm-9">
+					{{input id="ldap-bindDN" type="text" value=ldapConfig.bindDN class=(if ldapErrorBindDN 'form-control is-invalid' 'form-control')}}
+					<small class="form-text text-muted">login credentials for LDAP server</small>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-bindPassword" class="col-sm-3 col-form-label">Bind Password</label>
+				<div class="col-sm-9">
+					{{input id="ldap-bindPassword" type="password" value=ldapConfig.bindPassword class=(if ldapErrorBindPassword 'form-control is-invalid' 'form-control')}}
+					<small class="form-text text-muted">login credentials for LDAP server</small>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-userFilter" class="col-sm-3 col-form-label">User Filter</label>
+				<div class="col-sm-9">
+					{{input id="ldap-userFilter" type="text" value=ldapConfig.userFilter class=(if ldapErrorNoFilter 'form-control is-invalid' 'form-control')}}
+					<small class="form-text text-muted">Search filter for finding users, e.g. (|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))</small>
+					<small class="form-text text-muted highlight">Specify User Filter and/or Group Filter</small>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-groupFilter" class="col-sm-3 col-form-label">Group Filter</label>
+				<div class="col-sm-9">
+					{{input id="ldap-groupFilter" type="text" value=ldapConfig.groupFilter class=(if ldapErrorNoFilter 'form-control is-invalid' 'form-control')}}
+					<small class="form-text text-muted">Search filter for finding users via groups, e.g. (&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff))</small>
+				</div>
+			</div>
+
+			<div class="form-group row">
+				<label for="ldap-attributeUserRDN" class="col-sm-3 col-form-label">User Attribute RDN</label>
+				<div class="col-sm-9">
+					{{input id="ldap-attributeUserRDN" type="text" value=ldapConfig.attributeUserRDN class=(if ldapErrorAttributeUserRDN 'form-control is-invalid' 'form-control')}}
+					<small class="form-text text-muted">Username/login attribute, e.g. uid in LDAP, sAMAccountName in Active Directory</small>
+					<small class="form-text text-muted highlight">User Attributes used to retreive data when using User Filter</small>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-attributeUserFirstname" class="col-sm-3 col-form-label">User Attribute Firstname</label>
+				<div class="col-sm-9">
+					{{input id="ldap-attributeUserFirstname" type="text" value=ldapConfig.attributeUserFirstname class=(if ldapErrorAttributeUserFirstname 'form-control is-invalid' 'form-control')}}
+					<small class="form-text text-muted">Firstname attribute, e.g. givenName</small>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-attributeUserLastname" class="col-sm-3 col-form-label">User Attribute Lastname</label>
+				<div class="col-sm-9">
+					{{input id="ldap-attributeUserLastname" type="text" value=ldapConfig.attributeUserLastname class=(if ldapErrorAttributeUserLastname 'form-control is-invalid' 'form-control')}}
+					<small class="form-text text-muted">Lastname attribute, e.g. sn</small>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-attributeUserEmail" class="col-sm-3 col-form-label">User Attribute Email</label>
+				<div class="col-sm-9">
+					{{input id="ldap-attributeUserEmail" type="text" value=ldapConfig.attributeUserEmail class=(if ldapErrorAttributeUserEmail 'form-control is-invalid' 'form-control')}}
+					<small class="form-text text-muted">Email attribute, e.g. mail</small>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-attributeGroupMember" class="col-sm-3 col-form-label">Group Attribute Member</label>
+				<div class="col-sm-9">
+					{{input id="ldap-attributeGroupMember" type="text" value=ldapConfig.attributeGroupMember class=(if ldapErrorAttributeGroupMember 'form-control is-invalid' 'form-control')}}
+					<small class="form-text text-muted">Attribute that identifies individual group member, e.g. member or uniqueMember</small>
+					<small class="form-text text-muted highlight">Group Attributes used to retreive data when using Group Filter</small>
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-disableLogout" class="col-sm-3 col-form-label">Disable Logout</label>
+				<div class="col-sm-9">
+					{{x-toggle value=ldapConfig.disableLogout size="medium" theme="light" onToggle=(action (mut ldapConfig.disableLogout))}}
+				</div>
+			</div>
+			<div class="form-group row">
+				<label for="ldap-defaultPermissionAddSpace" class="col-sm-3 col-form-label">Can Create Spaces</label>
+				<div class="col-sm-9">
+					{{x-toggle value=ldapConfig.defaultPermissionAddSpace size="medium" theme="light" onToggle=(action (mut ldapConfig.defaultPermissionAddSpace))}}
+				</div>
+			</div>
+		{{/if}}
+
 		<div class="btn btn-success mt-4" {{action 'onSave'}}>Save</div>
 	</form>
 

server/routing/routes.go

@@ -214,7 +214,7 @@ func RegisterEndpoints(rt *env.Runtime, s *domain.Store) {
 	AddPrivate(rt, "global/search/status", []string{"GET", "OPTIONS"}, nil, meta.SearchStatus)
 	AddPrivate(rt, "global/search/reindex", []string{"POST", "OPTIONS"}, nil, meta.Reindex)
 	AddPrivate(rt, "global/sync/keycloak", []string{"GET", "OPTIONS"}, nil, keycloak.Sync)
-	AddPrivate(rt, "global/sync/ldap", []string{"GET", "OPTIONS"}, nil, ldap.Sync)
+	AddPrivate(rt, "global/sync/ldap/preview", []string{"POST", "OPTIONS"}, nil, ldap.Preview)
 
 	Add(rt, RoutePrefixRoot, "robots.txt", []string{"GET", "OPTIONS"}, nil, meta.RobotsTxt)
 	Add(rt, RoutePrefixRoot, "sitemap.xml", []string{"GET", "OPTIONS"}, nil, meta.Sitemap)