npm - @sync-in/server - Versions diffs - 1.10.1 → 2.0.0 - Mend

@sync-in/server 1.10.1 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1057) hide show

package/server/authentication/providers/ldap/auth-provider-ldap.service.spec.js ADDED Viewed

@@ -0,0 +1,674 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+const _testing = require("@nestjs/testing");
+const _ldapts = require("ldapts");
+const _appconstants = require("../../../app.constants");
+const _user = require("../../../applications/users/constants/user");
+const _adminusersmanagerservice = require("../../../applications/users/services/admin-users-manager.service");
+const _usersmanagerservice = require("../../../applications/users/services/users-manager.service");
+const _functions = /*#__PURE__*/ _interop_require_wildcard(require("../../../common/functions"));
+const _configenvironment = require("../../../configuration/config.environment");
+const _authldapconstants = require("./auth-ldap.constants");
+const _authproviderldapservice = require("./auth-provider-ldap.service");
+function _getRequireWildcardCache(nodeInterop) {
+    if (typeof WeakMap !== "function") return null;
+    var cacheBabelInterop = new WeakMap();
+    var cacheNodeInterop = new WeakMap();
+    return (_getRequireWildcardCache = function(nodeInterop) {
+        return nodeInterop ? cacheNodeInterop : cacheBabelInterop;
+    })(nodeInterop);
+}
+function _interop_require_wildcard(obj, nodeInterop) {
+    if (!nodeInterop && obj && obj.__esModule) {
+        return obj;
+    }
+    if (obj === null || typeof obj !== "object" && typeof obj !== "function") {
+        return {
+            default: obj
+        };
+    }
+    var cache = _getRequireWildcardCache(nodeInterop);
+    if (cache && cache.has(obj)) {
+        return cache.get(obj);
+    }
+    var newObj = {
+        __proto__: null
+    };
+    var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor;
+    for(var key in obj){
+        if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) {
+            var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null;
+            if (desc && (desc.get || desc.set)) {
+                Object.defineProperty(newObj, key, desc);
+            } else {
+                newObj[key] = obj[key];
+            }
+        }
+    }
+    newObj.default = obj;
+    if (cache) {
+        cache.set(obj, newObj);
+    }
+    return newObj;
+}
+jest.mock('ldapts', ()=>{
+    const actual = jest.requireActual('ldapts');
+    const mockClientInstance = {
+        bind: jest.fn(),
+        search: jest.fn(),
+        unbind: jest.fn()
+    };
+    const Client = jest.fn().mockImplementation(()=>mockClientInstance);
+    return {
+        ...actual,
+        Client
+    };
+});
+const buildUser = (overrides = {})=>({
+        id: 0,
+        login: 'john',
+        email: 'old@example.org',
+        password: 'hashed',
+        role: _user.USER_ROLE.USER,
+        isGuest: false,
+        isActive: true,
+        isAdmin: false,
+        makePaths: jest.fn().mockResolvedValue(undefined),
+        setFullName: jest.fn(),
+        ...overrides
+    });
+const ldapClient = {
+    bind: jest.fn(),
+    search: jest.fn(),
+    unbind: jest.fn()
+};
+_ldapts.Client.mockImplementation(()=>ldapClient);
+describe(_authproviderldapservice.AuthProviderLDAP.name, ()=>{
+    let authProviderLDAP;
+    let usersManager;
+    let adminUsersManager;
+    const setLdapConfig = (overrides = {})=>{
+        const base = {
+            servers: [
+                'ldap://localhost:389'
+            ],
+            attributes: {
+                login: _authldapconstants.LDAP_LOGIN_ATTR.UID,
+                email: _authldapconstants.LDAP_COMMON_ATTR.MAIL
+            },
+            baseDN: 'ou=people,dc=example,dc=org',
+            filter: '',
+            options: {
+                autoCreateUser: true,
+                autoCreatePermissions: [],
+                enablePasswordAuthFallback: true
+            }
+        };
+        const next = {
+            ...base,
+            ...overrides,
+            attributes: {
+                ...base.attributes,
+                ...overrides.attributes || {}
+            },
+            options: {
+                ...base.options,
+                ...overrides.options || {}
+            }
+        };
+        _configenvironment.configuration.auth.ldap = next;
+        authProviderLDAP.ldapConfig = next;
+        authProviderLDAP.isAD = [
+            _authldapconstants.LDAP_LOGIN_ATTR.SAM,
+            _authldapconstants.LDAP_LOGIN_ATTR.UPN
+        ].includes(next.attributes.login);
+        authProviderLDAP.hasServiceBind = Boolean(next.serviceBindDN && next.serviceBindPassword);
+    };
+    const mockBindResolve = ()=>{
+        ldapClient.bind.mockResolvedValue(undefined);
+        ldapClient.unbind.mockResolvedValue(undefined);
+    };
+    const mockBindRejectInvalid = (message = 'invalid')=>{
+        ldapClient.bind.mockRejectedValue(new _ldapts.InvalidCredentialsError(message));
+        ldapClient.unbind.mockResolvedValue(undefined);
+    };
+    const mockSearchEntries = (entries)=>{
+        ldapClient.search.mockResolvedValue({
+            searchEntries: entries
+        });
+    };
+    beforeAll(async ()=>{
+        const module = await _testing.Test.createTestingModule({
+            providers: [
+                _authproviderldapservice.AuthProviderLDAP,
+                {
+                    provide: _usersmanagerservice.UsersManager,
+                    useValue: {
+                        findUser: jest.fn(),
+                        logUser: jest.fn(),
+                        updateAccesses: jest.fn().mockResolvedValue(undefined),
+                        validateAppPassword: jest.fn(),
+                        fromUserId: jest.fn()
+                    }
+                },
+                {
+                    provide: _adminusersmanagerservice.AdminUsersManager,
+                    useValue: {
+                        createUserOrGuest: jest.fn(),
+                        updateUserOrGuest: jest.fn()
+                    }
+                }
+            ]
+        }).compile();
+        module.useLogger([
+            'fatal'
+        ]);
+        authProviderLDAP = module.get(_authproviderldapservice.AuthProviderLDAP);
+        adminUsersManager = module.get(_adminusersmanagerservice.AdminUsersManager);
+        usersManager = module.get(_usersmanagerservice.UsersManager);
+    });
+    beforeEach(()=>{
+        jest.clearAllMocks();
+        setLdapConfig();
+        usersManager.updateAccesses.mockResolvedValue(undefined);
+    });
+    afterEach(()=>{
+        jest.restoreAllMocks();
+    });
+    it('should be defined', ()=>{
+        expect(authProviderLDAP).toBeDefined();
+        expect(usersManager).toBeDefined();
+        expect(adminUsersManager).toBeDefined();
+        expect(ldapClient).toBeDefined();
+    });
+    it('should authenticate a guest user via database and bypass LDAP', async ()=>{
+        const guestUser = {
+            id: 1,
+            login: 'guest1',
+            isGuest: true,
+            isActive: true
+        };
+        usersManager.findUser.mockResolvedValue(guestUser);
+        const dbAuthResult = {
+            ...guestUser,
+            token: 'jwt'
+        };
+        usersManager.logUser.mockResolvedValue(dbAuthResult);
+        const res = await authProviderLDAP.validateUser('guest1', 'pass', '127.0.0.1');
+        expect(res).toEqual(dbAuthResult);
+        expect(usersManager.logUser).toHaveBeenCalledWith(guestUser, 'pass', '127.0.0.1', undefined);
+        expect(_ldapts.Client).not.toHaveBeenCalled();
+    });
+    it('should bypass LDAP when scope is provided', async ()=>{
+        const user = buildUser({
+            id: 12
+        });
+        usersManager.findUser.mockResolvedValue(user);
+        usersManager.logUser.mockResolvedValue(user);
+        const res = await authProviderLDAP.validateUser('john', 'app-password', '10.0.0.2', 'webdav');
+        expect(res).toBe(user);
+        expect(usersManager.logUser).toHaveBeenCalledWith(user, 'app-password', '10.0.0.2', 'webdav');
+        expect(_ldapts.Client).not.toHaveBeenCalled();
+    });
+    it('should throw FORBIDDEN for locked account', async ()=>{
+        usersManager.findUser.mockResolvedValue({
+            login: 'john',
+            isGuest: false,
+            isActive: false
+        });
+        const loggerErrorSpy = jest.spyOn(authProviderLDAP['logger'], 'error').mockImplementation(()=>undefined);
+        await expect(authProviderLDAP.validateUser('john', 'pwd')).rejects.toThrow(/account locked/i);
+        expect(loggerErrorSpy).toHaveBeenCalled();
+    });
+    it('should return null on invalid LDAP credentials without fallback', async ()=>{
+        const existingUser = buildUser({
+            id: 1
+        });
+        usersManager.findUser.mockResolvedValue(existingUser);
+        mockBindRejectInvalid('invalid credentials');
+        const res = await authProviderLDAP.validateUser('john', 'badpwd', '10.0.0.1');
+        expect(res).toBeNull();
+        expect(usersManager.logUser).not.toHaveBeenCalled();
+        expect(usersManager.updateAccesses).not.toHaveBeenCalled();
+    });
+    it('should return null when LDAP search yields no entries or throws', async ()=>{
+        const existingUser = buildUser({
+            id: 10
+        });
+        usersManager.findUser.mockResolvedValue(existingUser);
+        mockBindResolve();
+        mockSearchEntries([]);
+        const resA = await authProviderLDAP.validateUser('john', 'pwd');
+        expect(resA).toBeNull();
+        ldapClient.search.mockRejectedValue(new Error('search failed'));
+        const resB = await authProviderLDAP.validateUser('john', 'pwd');
+        expect(resB).toBeNull();
+        expect(usersManager.updateAccesses).not.toHaveBeenCalled();
+    });
+    it('should fallback to local auth when LDAP is unavailable and fallback is enabled', async ()=>{
+        const existingUser = buildUser({
+            id: 2
+        });
+        usersManager.findUser.mockResolvedValue(existingUser);
+        usersManager.logUser.mockResolvedValue(existingUser);
+        const err = Object.assign(new Error('connect ECONNREFUSED'), {
+            code: Array.from(_appconstants.CONNECT_ERROR_CODE)[0]
+        });
+        ldapClient.bind.mockRejectedValue({
+            errors: [
+                err
+            ]
+        });
+        ldapClient.unbind.mockResolvedValue(undefined);
+        const res = await authProviderLDAP.validateUser('john', 'pwd', '10.0.0.3');
+        expect(res).toBe(existingUser);
+        expect(usersManager.logUser).toHaveBeenCalledWith(existingUser, 'pwd', '10.0.0.3');
+    });
+    it('should throw SERVICE_UNAVAILABLE when LDAP is unavailable and fallback is disabled', async ()=>{
+        setLdapConfig({
+            options: {
+                enablePasswordAuthFallback: false
+            }
+        });
+        const existingUser = buildUser({
+            id: 3
+        });
+        usersManager.findUser.mockResolvedValue(existingUser);
+        const err = Object.assign(new Error('connect ECONNREFUSED'), {
+            code: Array.from(_appconstants.CONNECT_ERROR_CODE)[0]
+        });
+        ldapClient.bind.mockRejectedValue({
+            errors: [
+                err
+            ]
+        });
+        ldapClient.unbind.mockResolvedValue(undefined);
+        await expect(authProviderLDAP.validateUser('john', 'pwd')).rejects.toThrow(/authentication service error/i);
+    });
+    it('should allow admin local fallback when LDAP is unavailable even if fallback is disabled', async ()=>{
+        setLdapConfig({
+            options: {
+                enablePasswordAuthFallback: false
+            }
+        });
+        const existingUser = buildUser({
+            id: 4,
+            isAdmin: true
+        });
+        usersManager.findUser.mockResolvedValue(existingUser);
+        usersManager.logUser.mockResolvedValue(existingUser);
+        const err = Object.assign(new Error('connect ECONNREFUSED'), {
+            code: Array.from(_appconstants.CONNECT_ERROR_CODE)[0]
+        });
+        ldapClient.bind.mockRejectedValue({
+            errors: [
+                err
+            ]
+        });
+        ldapClient.unbind.mockResolvedValue(undefined);
+        const res = await authProviderLDAP.validateUser('john', 'pwd');
+        expect(res).toBe(existingUser);
+        expect(usersManager.logUser).toHaveBeenCalledWith(existingUser, 'pwd', undefined);
+    });
+    it('should return null when LDAP entry lacks required fields', async ()=>{
+        usersManager.findUser.mockResolvedValue(null);
+        mockBindResolve();
+        mockSearchEntries([
+            {
+                uid: 'jane',
+                cn: 'Jane Doe',
+                mail: undefined
+            }
+        ]);
+        const loggerErrorSpy = jest.spyOn(authProviderLDAP['logger'], 'error').mockImplementation(()=>undefined);
+        const res = await authProviderLDAP.validateUser('jane', 'pwd');
+        expect(res).toBeNull();
+        expect(adminUsersManager.createUserOrGuest).not.toHaveBeenCalled();
+        expect(loggerErrorSpy).toHaveBeenCalled();
+    });
+    it('should throw UNAUTHORIZED when autoCreateUser is disabled', async ()=>{
+        setLdapConfig({
+            options: {
+                autoCreateUser: false
+            }
+        });
+        usersManager.findUser.mockResolvedValue(null);
+        const checkAuthSpy = jest.spyOn(authProviderLDAP, 'checkAuth').mockResolvedValue({
+            uid: 'john',
+            mail: 'john@example.org'
+        });
+        await expect(authProviderLDAP.validateUser('john', 'pwd')).rejects.toThrow(/user not found/i);
+        checkAuthSpy.mockRestore();
+    });
+    it('should create a new admin user with permissions and name parsed from LDAP', async ()=>{
+        setLdapConfig({
+            options: {
+                adminGroup: 'Admins',
+                autoCreatePermissions: [
+                    _user.USER_PERMISSION.PERSONAL_SPACE,
+                    _user.USER_PERMISSION.WEBDAV
+                ]
+            }
+        });
+        usersManager.findUser.mockResolvedValue(null);
+        mockBindResolve();
+        mockSearchEntries([
+            {
+                uid: 'john',
+                givenName: 'John',
+                sn: 'Doe',
+                mail: 'john@example.org',
+                memberOf: [
+                    'CN=Admins,OU=Groups,DC=example,DC=org'
+                ]
+            }
+        ]);
+        const createdUser = {
+            id: 2,
+            login: 'john',
+            isGuest: false,
+            isActive: true,
+            makePaths: jest.fn()
+        };
+        adminUsersManager.createUserOrGuest.mockResolvedValue(createdUser);
+        usersManager.fromUserId.mockResolvedValue(createdUser);
+        const res = await authProviderLDAP.validateUser('john', 'pwd', '192.168.1.10');
+        expect(adminUsersManager.createUserOrGuest).toHaveBeenCalledWith({
+            login: 'john',
+            email: 'john@example.org',
+            password: 'pwd',
+            role: _user.USER_ROLE.ADMINISTRATOR,
+            firstName: 'John',
+            lastName: 'Doe',
+            permissions: 'personal_space,webdav_access'
+        }, _user.USER_ROLE.ADMINISTRATOR);
+        expect(res).toBe(createdUser);
+        expect(usersManager.updateAccesses).toHaveBeenCalledWith(createdUser, '192.168.1.10', true);
+    });
+    it('should accept adminGroup as full DN', async ()=>{
+        setLdapConfig({
+            options: {
+                adminGroup: 'CN=Admins,OU=Groups,DC=example,DC=org'
+            }
+        });
+        usersManager.findUser.mockResolvedValue(null);
+        mockBindResolve();
+        mockSearchEntries([
+            {
+                uid: 'john',
+                givenName: 'John',
+                sn: 'Doe',
+                mail: 'john@example.org',
+                memberOf: [
+                    'CN=Admins,OU=Groups,DC=example,DC=org'
+                ]
+            }
+        ]);
+        const createdUser = {
+            id: 9,
+            login: 'john',
+            isGuest: false,
+            isActive: true,
+            makePaths: jest.fn()
+        };
+        adminUsersManager.createUserOrGuest.mockResolvedValue(createdUser);
+        usersManager.fromUserId.mockResolvedValue(createdUser);
+        const res = await authProviderLDAP.validateUser('john', 'pwd');
+        expect(adminUsersManager.createUserOrGuest).toHaveBeenCalledWith(expect.objectContaining({
+            role: _user.USER_ROLE.ADMINISTRATOR
+        }), _user.USER_ROLE.ADMINISTRATOR);
+        expect(res).toBe(createdUser);
+    });
+    it('should use groupOfNames to detect admin membership when memberOf is missing', async ()=>{
+        setLdapConfig({
+            options: {
+                adminGroup: 'Admins'
+            }
+        });
+        usersManager.findUser.mockResolvedValue(null);
+        mockBindResolve();
+        ldapClient.search.mockResolvedValueOnce({
+            searchEntries: [
+                {
+                    uid: 'john',
+                    cn: 'John Doe',
+                    mail: 'john@example.org',
+                    dn: 'uid=john,ou=people,dc=example,dc=org'
+                }
+            ]
+        }).mockResolvedValueOnce({
+            searchEntries: [
+                {
+                    cn: 'Admins'
+                }
+            ]
+        });
+        const createdUser = {
+            id: 3,
+            login: 'john',
+            isGuest: false,
+            isActive: true,
+            makePaths: jest.fn()
+        };
+        adminUsersManager.createUserOrGuest.mockResolvedValue(createdUser);
+        usersManager.fromUserId.mockResolvedValue(createdUser);
+        const res = await authProviderLDAP.validateUser('john', 'pwd');
+        expect(adminUsersManager.createUserOrGuest).toHaveBeenCalledWith(expect.objectContaining({
+            role: _user.USER_ROLE.ADMINISTRATOR
+        }), _user.USER_ROLE.ADMINISTRATOR);
+        expect(res).toBe(createdUser);
+    });
+    it('should use service bind for LDAP searches when configured', async ()=>{
+        setLdapConfig({
+            serviceBindDN: 'cn=svc,dc=example,dc=org',
+            serviceBindPassword: 'secret'
+        });
+        usersManager.findUser.mockResolvedValue(null);
+        mockBindResolve();
+        ldapClient.search.mockResolvedValueOnce({
+            searchEntries: [
+                {
+                    uid: 'john',
+                    cn: 'John Doe',
+                    mail: 'john@example.org',
+                    dn: 'uid=john,ou=people,dc=example,dc=org'
+                }
+            ]
+        });
+        const createdUser = {
+            id: 8,
+            login: 'john',
+            isGuest: false,
+            isActive: true,
+            makePaths: jest.fn()
+        };
+        adminUsersManager.createUserOrGuest.mockResolvedValue(createdUser);
+        usersManager.fromUserId.mockResolvedValue(createdUser);
+        await authProviderLDAP.validateUser('john', 'pwd');
+        expect(ldapClient.bind).toHaveBeenCalledWith('cn=svc,dc=example,dc=org', 'secret');
+        expect(ldapClient.bind).toHaveBeenCalledWith('uid=john,ou=people,dc=example,dc=org', 'pwd');
+    });
+    it('should return null when service bind is set but user DN is not found', async ()=>{
+        setLdapConfig({
+            serviceBindDN: 'cn=svc,dc=example,dc=org',
+            serviceBindPassword: 'secret'
+        });
+        usersManager.findUser.mockResolvedValue(null);
+        mockBindResolve();
+        ldapClient.search.mockResolvedValueOnce({
+            searchEntries: []
+        });
+        const res = await authProviderLDAP.validateUser('john', 'pwd');
+        expect(res).toBeNull();
+        expect(ldapClient.bind).toHaveBeenCalledWith('cn=svc,dc=example,dc=org', 'secret');
+        expect(ldapClient.bind).not.toHaveBeenCalledWith('uid=john,ou=people,dc=example,dc=org', 'pwd');
+    });
+    it('should return null when user bind fails after service bind', async ()=>{
+        setLdapConfig({
+            serviceBindDN: 'cn=svc,dc=example,dc=org',
+            serviceBindPassword: 'secret'
+        });
+        usersManager.findUser.mockResolvedValue(null);
+        ldapClient.unbind.mockResolvedValue(undefined);
+        ldapClient.bind.mockResolvedValueOnce(undefined).mockRejectedValueOnce(new _ldapts.InvalidCredentialsError('invalid credentials'));
+        ldapClient.search.mockResolvedValueOnce({
+            searchEntries: [
+                {
+                    dn: 'uid=john,ou=people,dc=example,dc=org',
+                    cn: 'John Doe'
+                }
+            ]
+        });
+        const res = await authProviderLDAP.validateUser('john', 'pwd');
+        expect(res).toBeNull();
+        expect(ldapClient.bind).toHaveBeenCalledWith('cn=svc,dc=example,dc=org', 'secret');
+        expect(ldapClient.bind).toHaveBeenCalledWith('uid=john,ou=people,dc=example,dc=org', 'pwd');
+    });
+    it('should keep admin role when adminGroup is not configured', async ()=>{
+        setLdapConfig({
+            options: {
+                adminGroup: undefined
+            }
+        });
+        const existingUser = buildUser({
+            id: 5,
+            role: _user.USER_ROLE.ADMINISTRATOR
+        });
+        usersManager.findUser.mockResolvedValue(existingUser);
+        mockBindResolve();
+        mockSearchEntries([
+            {
+                uid: 'john',
+                cn: 'John Doe',
+                mail: 'john@example.org'
+            }
+        ]);
+        jest.spyOn(_functions, 'comparePassword').mockResolvedValue(true);
+        await authProviderLDAP.validateUser('john', 'pwd');
+        expect(adminUsersManager.updateUserOrGuest).toHaveBeenCalled();
+        const updateArgs = adminUsersManager.updateUserOrGuest.mock.calls[0][1];
+        expect(updateArgs).toEqual(expect.objectContaining({
+            email: 'john@example.org'
+        }));
+        expect(updateArgs).toEqual(expect.not.objectContaining({
+            role: expect.anything()
+        }));
+    });
+    it('should update existing user and avoid reassigning password locally', async ()=>{
+        const existingUser = buildUser({
+            id: 6
+        });
+        usersManager.findUser.mockResolvedValue(existingUser);
+        mockBindResolve();
+        mockSearchEntries([
+            {
+                uid: 'john',
+                displayName: 'Jane Doe',
+                mail: 'john@example.org'
+            }
+        ]);
+        const compareSpy = jest.spyOn(_functions, 'comparePassword').mockResolvedValue(false);
+        const splitSpy = jest.spyOn(_functions, 'splitFullName').mockReturnValue({
+            firstName: 'Jane',
+            lastName: 'Doe'
+        });
+        const res = await authProviderLDAP.validateUser('john', 'new-plain-password', '127.0.0.2');
+        expect(adminUsersManager.updateUserOrGuest).toHaveBeenCalledWith(6, expect.objectContaining({
+            email: 'john@example.org',
+            firstName: 'Jane',
+            lastName: 'Doe'
+        }));
+        expect(existingUser.password).toBe('hashed');
+        expect(existingUser).toMatchObject({
+            email: 'john@example.org',
+            firstName: 'Jane',
+            lastName: 'Doe'
+        });
+        expect(existingUser.setFullName).toHaveBeenCalledWith(true);
+        expect(usersManager.updateAccesses).toHaveBeenCalledWith(existingUser, '127.0.0.2', true);
+        expect(res).toBe(existingUser);
+        compareSpy.mockRestore();
+        splitSpy.mockRestore();
+    });
+    it('should throw FORBIDDEN when LDAP login does not match user login', async ()=>{
+        const existingUser = buildUser({
+            id: 7,
+            login: 'john'
+        });
+        usersManager.findUser.mockResolvedValue(existingUser);
+        mockBindResolve();
+        mockSearchEntries([
+            {
+                uid: 'jane',
+                cn: 'Jane Doe',
+                mail: 'jane@example.org'
+            }
+        ]);
+        await expect(authProviderLDAP.validateUser('john', 'pwd')).rejects.toThrow(/account matching error/i);
+    });
+    it('should build LDAP logins and filters for AD and standard LDAP', ()=>{
+        setLdapConfig({
+            attributes: {
+                login: _authldapconstants.LDAP_LOGIN_ATTR.UPN
+            },
+            upnSuffix: 'sync-in.com',
+            filter: '(memberOf=cn=staff)'
+        });
+        const adLogin = authProviderLDAP.buildLdapLogin('john');
+        expect(adLogin).toBe('john@sync-in.com');
+        const adFilter = authProviderLDAP.buildUserFilter('SYNC-IN\\john', '(memberOf=cn=staff)');
+        expect(adFilter).toContain('(sAMAccountName=john)');
+        expect(adFilter).toContain('(userPrincipalName=john)');
+        expect(adFilter).toContain('(mail=john)');
+        expect(adFilter).toContain('(memberOf=cn=staff)');
+        setLdapConfig({
+            attributes: {
+                login: _authldapconstants.LDAP_LOGIN_ATTR.UID
+            },
+            filter: '(department=IT)'
+        });
+        const ldapFilter = authProviderLDAP.buildUserFilter('john', '(department=IT)');
+        expect(ldapFilter).toContain('(uid=john)');
+        expect(ldapFilter).toContain('(cn=john)');
+        expect(ldapFilter).toContain('(mail=john)');
+        expect(ldapFilter).toContain('(department=IT)');
+    });
+    it('should normalize LDAP entries for memberOf and array attributes', ()=>{
+        const entry = {
+            uid: [
+                'john'
+            ],
+            mail: [
+                'john@example.org',
+                'john2@example.org'
+            ],
+            memberOf: [
+                'CN=Admins,OU=Groups,DC=example,DC=org',
+                'CN=Staff,OU=Groups,DC=example,DC=org'
+            ]
+        };
+        const normalized = authProviderLDAP.convertToLdapUserEntry(entry);
+        expect(normalized.uid).toBe('john');
+        expect(normalized.mail).toBe('john@example.org');
+        expect(normalized.memberOf).toEqual([
+            'CN=Admins,OU=Groups,DC=example,DC=org',
+            'Admins',
+            'CN=Staff,OU=Groups,DC=example,DC=org',
+            'Staff'
+        ]);
+    });
+    it('should build LDAP logins for SAM account name when netbiosName is set', ()=>{
+        setLdapConfig({
+            attributes: {
+                login: _authldapconstants.LDAP_LOGIN_ATTR.SAM
+            },
+            netbiosName: 'SYNC'
+        });
+        const samLogin = authProviderLDAP.buildLdapLogin('john');
+        expect(samLogin).toBe('SYNC\\john');
+    });
+});
+//# sourceMappingURL=auth-provider-ldap.service.spec.js.map