feat(authentication): add a setting to toggle automatic user provisioning when u… (#2068)

* feat(api): add a setting to toggle automatic user provisioning when using LDAP authentication * fix(auth): fix an issue with AutoCreateUsers disabled
2025-08-02 20:35:25 +02:00 · 2018-07-24 08:49:17 +02:00 · 2018-07-24 08:49:17 +02:00 · 113da93145
commit 113da93145
parent c7cb515035
10 changed files with 44 additions and 18 deletions
--- a/api/bolt/migrator/migrate_dbversion12.go
+++ b/api/bolt/migrator/migrate_dbversion12.go
@ -8,6 +8,7 @@ func (m *Migrator) updateSettingsToVersion13() error {
 		return err
 	}

+	legacySettings.LDAPSettings.AutoCreateUsers = false
 	legacySettings.LDAPSettings.GroupSearchSettings = []portainer.LDAPGroupSearchSettings{
 		portainer.LDAPGroupSearchSettings{},
 	}
--- a/api/bolt/migrator/migrator.go
+++ b/api/bolt/migrator/migrator.go
@ -170,6 +170,7 @@ func (m *Migrator) Migrate() error {
 		}
 	}

+	// Portainer 1.18.2-dev
 	if m.currentDBVersion < 13 {
 		err := m.updateSettingsToVersion13()
 		if err != nil {
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@ -164,7 +164,8 @@ func initSettings(settingsService portainer.SettingsService, flags *portainer.CL
 			LogoURL:              *flags.Logo,
 			AuthenticationMethod: portainer.AuthenticationInternal,
 			LDAPSettings: portainer.LDAPSettings{
-				TLSConfig: portainer.TLSConfiguration{},
+				AutoCreateUsers: true,
+				TLSConfig:       portainer.TLSConfiguration{},
 				SearchSettings: []portainer.LDAPSearchSettings{
 					portainer.LDAPSearchSettings{},
 				},
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@ -3,6 +3,7 @@ package auth
 import (
 	"log"
 	"net/http"
+	"strings"

 	"github.com/asaskevich/govalidator"
 	"github.com/portainer/portainer"
@ -56,8 +57,10 @@ func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *ht
 	}

 	if settings.AuthenticationMethod == portainer.AuthenticationLDAP {
-		if u == nil {
+		if u == nil && settings.LDAPSettings.AutoCreateUsers {
 			return handler.authenticateLDAPAndCreateUser(w, payload.Username, payload.Password, &settings.LDAPSettings)
+		} else if u == nil && !settings.LDAPSettings.AutoCreateUsers {
+			return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", portainer.ErrUnauthorized}
 		}
 		return handler.authenticateLDAP(w, u, payload.Password, &settings.LDAPSettings)
 	}
@ -167,7 +170,7 @@ func (handler *Handler) addUserIntoTeams(user *portainer.User, settings *portain

 func teamExists(teamName string, ldapGroups []string) bool {
 	for _, group := range ldapGroups {
-		if group == teamName {
+		if strings.ToLower(group) == strings.ToLower(teamName) {
 			return true
 		}
 	}
--- a/api/http/handler/settings/settings_public.go
+++ b/api/http/handler/settings/settings_public.go
@ -13,7 +13,6 @@ type publicSettingsResponse struct {
 	AuthenticationMethod               portainer.AuthenticationMethod `json:"AuthenticationMethod"`
 	AllowBindMountsForRegularUsers     bool                           `json:"AllowBindMountsForRegularUsers"`
 	AllowPrivilegedModeForRegularUsers bool                           `json:"AllowPrivilegedModeForRegularUsers"`
-	SnapshotInterval                   string                         `json:"SnapshotInterval"`
 }

 // GET request on /api/settings/public
@ -28,7 +27,6 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 		AuthenticationMethod:               settings.AuthenticationMethod,
 		AllowBindMountsForRegularUsers:     settings.AllowBindMountsForRegularUsers,
 		AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
-		SnapshotInterval:                   settings.SnapshotInterval,
 	}

 	return response.JSON(w, publicSettings)
--- a/api/portainer.go
+++ b/api/portainer.go
@ -53,6 +53,7 @@ type (
 		StartTLS            bool                      `json:"StartTLS"`
 		SearchSettings      []LDAPSearchSettings      `json:"SearchSettings"`
 		GroupSearchSettings []LDAPGroupSearchSettings `json:"GroupSearchSettings"`
+		AutoCreateUsers     bool                      `json:"AutoCreateUsers"`
 	}

 	// TLSConfiguration represents a TLS configuration.
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@ -2942,6 +2942,10 @@ definitions:
        type: "array"
        items:
          $ref: "#/definitions/LDAPGroupSearchSettings"
+      AutoCreateUsers:
+        type: "boolean"
+        example: "true"
+        description: "Automatically provision users and assign them to matching LDAP group names"

  Settings:
    type: "object"