From 00765288e696479901b00b717913ef5fa69ab432 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Mon, 22 Aug 2022 11:43:45 -0700
Subject: [PATCH] Added LDAP membership user group sync options (#4415)
---
 webserver.js | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/webserver.js b/webserver.js
index f484eddc..0fc04a66 100644
--- a/webserver.js
+++ b/webserver.js
@@ -13,7 +13,7 @@ /*jshint esversion: 6 */
 'use strict';
-// SerialTunnel object is used to embed TLS within another connection.e
+// SerialTunnel object is used to embed TLS within another connection.
 function SerialTunnel(options) {
 var obj = new require('stream').Duplex(options);
 obj.forwardwrite = null;
@@ -486,6 +486,28 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
 if (userMembershipMatch === false) { parent.debug('ldap', 'Denying login to a user that is not a member of a LDAP required group.'); fn('denied'); return; } // If there is no match, deny the login
 }
+ // See if we need to sync LDAP user memberships with user groups
+ if (domain.ldapsyncwithusergroups === true) { domain.ldapsyncwithusergroups = {}; }
+ if (typeof domain.ldapsyncwithusergroups == 'object') {
+ // LDAP user memberships sync is enabled, see if there are any filters to apply
+ if (typeof domain.ldapsyncwithusergroups.filter == 'string') { domain.ldapsyncwithusergroups.filter = [domain.ldapsyncwithusergroups.filter]; }
+ if (Array.isArray(domain.ldapsyncwithusergroups.filter)) {
+ const g = [];
+ for (var i in userMemberships) {
+ var match = false;
+ for (var j in domain.ldapsyncwithusergroups.filter) {
+ if (userMemberships[i].indexOf(domain.ldapsyncwithusergroups.filter[j]) >= 0) { match = true; }
+ }
+ if (match) { g.push(userMemberships[i]); }
+ }
+ console.log(g);
+ userMemberships = g;
+ }
+ } else {
+ // LDAP user memberships sync is disabled, sync the user with empty membership
+ userMemberships = [];
+ }
+ } + // Get the email address for this LDAP user
 var email = null;
 if (domain.ldapuseremail) { email = xxuser[domain.ldapuseremail]; } else if (xxuser['mail']) { email = xxuser['mail']; } // Use given feild name or default
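Review bot: `console.log(g);` is leftover debug output that prints each user's filtered LDAP group list to stdout on every login; either delete it or route it through the logger used on the context line above, e.g. `parent.debug('ldap', 'LDAP membership sync groups: ' + JSON.stringify(g));`. The filter test uses `indexOf(...) >= 0`, so a filter value matches any membership string that merely contains it (a constructed example: `CN=Admins` also matches `CN=Admins-Test`); if the surviving entries are later mapped to user groups outside this hunk, that over-matching deserves at least a comment, or an exact/anchored comparison, which I cannot confirm from here. The membership loop is written with `for...in` over an array and `var` locals; the same result reads more clearly as `const filters = domain.ldapsyncwithusergroups.filter;` followed by `userMemberships = userMemberships.filter((m) => filters.some((f) => m.indexOf(f) >= 0));`. The block also rewrites the `domain.ldapsyncwithusergroups` config object in place on every login (`true` becomes `{}`, a string filter becomes a one-element array); that is idempotent, but a short comment saying the normalisation is intentional would save the next reader a double take. The enclosing CreateWebServer callback starts and ends outside the hunk.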