scimgateway 4.1.0 → 4.1.1

package/README.md

@@ -1139,28 +1139,42 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.1.1  
+[Added] 
+
+- plugin-ldap support userFilter/groupFilter configuration for restricting scope  
+
+    Configuration example:  
+
+        {
+          ...
+          "userFilter": "(memberOf=CN=grp1,OU=Groups,DC=test,DC=com)(!(memberOf=CN=Domain Admins,CN=Users,DC=test,DC=com))",
+          "groupFilter": "(!(cn=grp2))",
+          ...
+        }
+
 ### v4.1.0  
 [Added] 
 
 - Supporting OAuth Client Credentials authentication
 
-Configuration example:  
+    Configuration example:  
 
-    "bearerOAuth": [
-      {
-        "client_id": "my_client_id",
-        "client_secret": "my_client_secret",
-        "readOnly": false,
-        "baseEntities": []
-      }
-    ]
+        "bearerOAuth": [
+          {
+            "client_id": "my_client_id",
+            "client_secret": "my_client_secret",
+            "readOnly": false,
+            "baseEntities": []
+          }
+        ]
 
 
-In example above, client using SCIM Gateway must have OAuth configuration:  
+    In example above, client using SCIM Gateway must have OAuth configuration:  
 
-    client_id = my_client_id
-    client_secret = my_client_secret
-    token request url = http(s)://<host>:<port>/oauth/token
+        client_id = my_client_id
+        client_secret = my_client_secret
+        token request url = http(s)://<host>:<port>/oauth/token
 
 
 ### v4.0.1  

package/config/plugin-ldap.json

@@ -94,6 +94,8 @@
         "ldap": {
           "userBase": "CN=Users,DC=test,DC=com",
           "groupBase": "OU=Groups,DC=test,DC=com",
+          "userFilter": null,
+          "groupFilter": null,
           "userNamingAttr": "CN",
           "groupNamingAttr": "CN",
           "userObjectClasses": [

package/lib/plugin-ldap.js

@@ -23,6 +23,13 @@
 //              "type": "string"
 //             }
 //
+// Additional user/group filtering for restricting scope may be configured in endpoint.entity.xxx.ldap e.g:
+// {
+//   ...
+//   "userFilter": "(memberOf=CN=grp1,OU=Groups,DC=test,DC=com)(!(memberOf=CN=Domain Admins,CN=Users,DC=test,DC=com))",
+//   "groupFilter": "(!(cn=grp2))",
+//   ...
+//  }
 //
 // Attributes according to map definition in the configuration file plugin-ldap.json:
 //
@@ -190,6 +197,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
             scope: scope,
             attributes: attrs
           }
+          if (config.entity[baseEntity].ldap.userFilter) ldapOptions.filter += config.entity[baseEntity].ldap.userFilter
         }
       }
     } else if (getObj.operator === 'eq' && getObj.attribute === 'group.value') {
@@ -209,6 +217,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
       scope: scope,
       attributes: attrs
     }
+    if (config.entity[baseEntity].ldap.userFilter) ldapOptions.filter += config.entity[baseEntity].ldap.userFilter
   }
   // end mandatory if-else logic
 
@@ -558,6 +567,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
             scope: scope,
             attributes: attrs
           }
+          if (config.entity[baseEntity].ldap.groupFilter) ldapOptions.filter += config.entity[baseEntity].ldap.groupFilter
         }
       }
     } else if (getObj.operator === 'eq' && getObj.attribute === 'members.value') {
@@ -578,6 +588,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
       scope: scope,
       attributes: attrs
     }
+    if (config.entity[baseEntity].ldap.groupFilter) ldapOptions.filter += config.entity[baseEntity].ldap.groupFilter
   }
   // mandatory if-else logic - end
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.1.0",
+  "version": "4.1.1",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",