scimgateway 4.2.2 → 4.2.5

package/lib/plugin-forwardinc.js

@@ -64,7 +64,10 @@ scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no
 
 const wsdlDir = path.join(`${configDir}`, 'wsdls')
 const endpointUsername = config.username
-const endpointPassword = scimgateway.getPassword('endpoint.password', configFile)
+let endpointPassword
+if (!scimgateway.authPassThroughAllowed) { // not using Auth PassThrough
+  endpointPassword = scimgateway.getPassword('endpoint.password', configFile)
+}
 const _serviceClient = {}
 
 // =================================================
@@ -119,7 +122,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
       totalResults: null // not used - paging not supported
     }
 
-    const serviceClient = await getServiceClient(baseEntity, soapAction)
+    const serviceClient = await getServiceClient(baseEntity, soapAction, ctx)
 
     let result = await serviceClient[config[soapAction].method + 'Async'](soapRequest)
     if (!Array.isArray(result) || result.length < 4) {
@@ -221,7 +224,7 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
       }
     }
 
-    const serviceClient = await getServiceClient(baseEntity, action)
+    const serviceClient = await getServiceClient(baseEntity, action, ctx)
 
     let result = await serviceClient[config[action].method + 'Async'](soapRequest)
     if (!Array.isArray(result) || result.length < 4) {
@@ -246,7 +249,7 @@ scimgateway.deleteUser = async (baseEntity, id, ctx) => {
   const action = 'deleteUser'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id}`)
   try {
-    const serviceClient = await getServiceClient(baseEntity, action)
+    const serviceClient = await getServiceClient(baseEntity, action, ctx)
 
     const soapRequest = { userID: id }
 
@@ -311,7 +314,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
       } else userObj[key1] = attrObj[key1] // merge modified attr into userObj
     }
 
-    const serviceClient = await getServiceClient(baseEntity, action)
+    const serviceClient = await getServiceClient(baseEntity, action, ctx)
 
     const soapRequest = {
       user: {
@@ -394,7 +397,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   }
 
   try {
-    const serviceClient = await getServiceClient(baseEntity, soapAction)
+    const serviceClient = await getServiceClient(baseEntity, soapAction, ctx)
 
     let result = await serviceClient[config[soapAction].method + 'Async'](soapRequest)
     if (!Array.isArray(result) || result.length < 4) {
@@ -482,7 +485,7 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   }
 
   try {
-    const serviceClient = await getServiceClient(baseEntity, action)
+    const serviceClient = await getServiceClient(baseEntity, action, ctx)
 
     attrObj.members.forEach(async function (el) {
       if (el.operation && el.operation === 'delete') { // delete member from group
@@ -526,7 +529,7 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
 // helpers
 // =================================================
 
-const getServiceClient = async (baseEntity, action) => {
+const getServiceClient = async (baseEntity, action, ctx) => {
   try {
     const entityService = config[action].service
 
@@ -575,13 +578,19 @@ const getServiceClient = async (baseEntity, action) => {
 
     try {
       const serviceClient = await soap.createClientAsync(urlToWsdl, wsdlOptions)
-      serviceClient.setSecurity(new soap.WSSecurity(endpointUsername, endpointPassword, { passwordType: 'PasswordText', hasTimeStamp: false })) // ForwardInc using WSSecurity
+      if (ctx?.request?.header?.authorization) { // Auth PassThrough
+        const [user, secret] = getCtxAuth(ctx)
+        serviceClient.setSecurity(new soap.WSSecurity(user || endpointUsername, secret, { passwordType: 'PasswordText', hasTimeStamp: false })) // ForwardInc using WSSecurity
+      } else {
+        serviceClient.setSecurity(new soap.WSSecurity(endpointUsername, endpointPassword, { passwordType: 'PasswordText', hasTimeStamp: false })) // ForwardInc using WSSecurity
+      }
       serviceClient.addSoapHeader(customHeader)
       serviceClient.setEndpoint(serviceEndpoint) // https://FQDN/path/to/service (wsdl name without ?wsdl extension)
-
-      if (!_serviceClient[baseEntity]) _serviceClient[baseEntity] = {}
-      _serviceClient[baseEntity][entityService] = serviceClient // serviceClient created
-      return _serviceClient[baseEntity][entityService]
+      if (!ctx?.request?.header?.authorization) { // not using Auth PassThrough, store serviceClient and will be reused on subsequent requests
+        if (!_serviceClient[baseEntity]) _serviceClient[baseEntity] = {}
+        _serviceClient[baseEntity][entityService] = serviceClient // serviceClient created
+      }
+      return serviceClient
     } catch (err) {
       if (err.message) throw new Error(`createClient ${urlToWsdl} errorMessage: ${err.message}`)
       else throw new Error(`createClient ${urlToWsdl} errorMessage: invalid service definition - wsdl maybe not found?`)
@@ -590,7 +599,19 @@ const getServiceClient = async (baseEntity, action) => {
     const newErr = err
     throw newErr
   }
-} // getServiceClient
+}
+
+//
+// getCtxAuth returns username/secret from ctx header when using Auth PassThrough
+//
+const getCtxAuth = (ctx) => {
+  if (!ctx?.request?.header?.authorization) return []
+  const [authType, authToken] = (ctx.request.header.authorization || '').split(' ') // [0] = 'Basic' or 'Bearer'
+  let username, password
+  if (authType === 'Basic') [username, password] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
+  if (username) return [username, password] // basic auth
+  else return [undefined, authToken] // bearer auth
+}
 
 //
 // Cleanup on exit

package/lib/plugin-ldap.js

@@ -225,7 +225,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
   if (!ldapOptions) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
 
   try {
-    const users = await doRequest(baseEntity, method, base, ldapOptions) // ignoring SCIM paging startIndex/count - get all
+    const users = await doRequest(baseEntity, method, base, ldapOptions, ctx) // ignoring SCIM paging startIndex/count - get all
     result.totalResults = users.length
     result.Resources = await Promise.all(users.map(async (user) => { // Promise.all because of async map
       if (user.name) delete user.name // because mapper converts to SCIM name.xxx
@@ -245,13 +245,13 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
           try {
             if (Array.isArray(user.memberOf)) {
               for (let i = 0; i < user.memberOf.length; i++) {
-                const id = await dnToSidGuid(baseEntity, user.memberOf[i])
+                const id = await dnToSidGuid(baseEntity, user.memberOf[i], ctx)
                 if (!id) throw new Error(`dnToGuid did not return any objectGUID value for dn=${user.memberOf[i]}`)
                 arr.push(id)
               }
               user.memberOf = arr
             } else {
-              const id = await dnToSidGuid(baseEntity, user.memberOf)
+              const id = await dnToSidGuid(baseEntity, user.memberOf, ctx)
               if (!id) throw new Error(`dnToGuid did not return any objectGUID value for dn=${user.memberOf}`)
               user.memberOf = [id]
             }
@@ -322,7 +322,7 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
   const ldapOptions = endpointObj
 
   try {
-    await doRequest(baseEntity, method, base, ldapOptions)
+    await doRequest(baseEntity, method, base, ldapOptions, ctx)
     return null
   } catch (err) {
     const newErr = new Error(`${action} error: ${err.message}`)
@@ -351,7 +351,7 @@ scimgateway.deleteUser = async (baseEntity, id, ctx) => {
   const ldapOptions = {}
 
   try {
-    await doRequest(baseEntity, method, base, ldapOptions)
+    await doRequest(baseEntity, method, base, ldapOptions, ctx)
     return null
   } catch (err) {
     throw new Error(`${action} error: ${err.message}`)
@@ -403,14 +403,14 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
           operation: 'add',
           modification: body.add
         }
-        await doRequest(baseEntity, method, base, ldapOptions)
+        await doRequest(baseEntity, method, base, ldapOptions, ctx)
       }
       if (body.remove[groupsAttr].length > 0) {
         const ldapOptions = {
           operation: 'delete',
           modification: body.remove
         }
-        await doRequest(baseEntity, method, base, ldapOptions)
+        await doRequest(baseEntity, method, base, ldapOptions, ctx)
       }
     } catch (err) {
       throw new Error(`${action} error: ${err.message}`)
@@ -442,7 +442,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
       attributes: activeAttr
     }
 
-    const users = await doRequest(baseEntity, method, base, ldapOptions)
+    const users = await doRequest(baseEntity, method, base, ldapOptions, ctx)
     if (users.length === 0) throw new Error(`${action} error: ${id} not found`)
     else if (users.length > 1) throw new Error(`${action} error: ${ldapOptions.filter} returned more than one user for ${id}`)
     const usr = users[0]
@@ -480,7 +480,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   }
 
   try {
-    await doRequest(baseEntity, method, base, ldapOptions)
+    await doRequest(baseEntity, method, base, ldapOptions, ctx)
     return null
   } catch (err) {
     throw new Error(`${action} error: ${err.message}`)
@@ -601,22 +601,22 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   if (!ldapOptions) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
 
   try {
-    if (ldapOptions === 'getMemberOfGroups') result.Resources = await getMemberOfGroups(baseEntity, getObj.value)
+    if (ldapOptions === 'getMemberOfGroups') result.Resources = await getMemberOfGroups(baseEntity, getObj.value, ctx)
     else {
-      const groups = await doRequest(baseEntity, method, base, ldapOptions)
+      const groups = await doRequest(baseEntity, method, base, ldapOptions, ctx)
       result.Resources = await Promise.all(groups.map(async (group) => { // Promise.all because of async map
         if (config.useSID_id || config.useGUID_id) {
           if (group.member) {
             const arr = []
             if (Array.isArray(group.member)) {
               for (let i = 0; i < group.member.length; i++) {
-                const id = await dnToSidGuid(baseEntity, group.member[i])
+                const id = await dnToSidGuid(baseEntity, group.member[i], ctx)
                 if (!id) throw new Error(`dnToSidGuid() did not return any ${config.useSID_id ? 'objectSid' : 'objectGUID'} value for dn=${group.member[i]}`)
                 arr.push(id)
               }
               group.member = arr
             } else {
-              const id = await dnToSidGuid(baseEntity, group.member)
+              const id = await dnToSidGuid(baseEntity, group.member, ctx)
               if (!id) throw new Error(`dnToSidGuid() did not return any ${config.useSID_id ? 'objectSid' : 'objectGUID'} value for ${group.member}`)
               group.member = [id]
             }
@@ -654,7 +654,7 @@ scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
   const ldapOptions = endpointObj
 
   try {
-    await doRequest(baseEntity, method, base, ldapOptions)
+    await doRequest(baseEntity, method, base, ldapOptions, ctx)
     return null
   } catch (err) {
     const newErr = new Error(`${action} error: ${err.message}`)
@@ -684,7 +684,7 @@ scimgateway.deleteGroup = async (baseEntity, id, ctx) => {
   const ldapOptions = {}
 
   try {
-    await doRequest(baseEntity, method, base, ldapOptions)
+    await doRequest(baseEntity, method, base, ldapOptions, ctx)
     return null
   } catch (err) {
     throw new Error(`${action} error: ${err.message}`)
@@ -716,7 +716,7 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   for (let i = 0; i < attrObj.members.length; i++) {
     const el = attrObj.members[i]
     if (config.useSID_id || config.useGUID_id) {
-      const dn = await sidGuidToDn(baseEntity, el.value)
+      const dn = await sidGuidToDn(baseEntity, el.value, ctx)
       if (!dn) throw new Error(`${action} error: sidGuidToDn() did not return any objectGUID value for dn=${el.value}`)
       el.value = dn
     }
@@ -739,14 +739,14 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
         operation: 'add',
         modification: body.add
       }
-      await doRequest(baseEntity, method, base, ldapOptions)
+      await doRequest(baseEntity, method, base, ldapOptions, ctx)
     }
     if (body.remove[memberAttr].length > 0) {
       const ldapOptions = { // using ldap lookup (dn) instead of search
         operation: 'delete',
         modification: body.remove
       }
-      await doRequest(baseEntity, method, base, ldapOptions)
+      await doRequest(baseEntity, method, base, ldapOptions, ctx)
     }
     return null
   } catch (err) {
@@ -781,7 +781,7 @@ const getObjClassFilter = (baseEntity, type) => {
 //
 // dnToSidGuid is used for Active Directory to return objectGUID based on dn
 //
-const dnToSidGuid = async (baseEntity, dn) => {
+const dnToSidGuid = async (baseEntity, dn, ctx) => {
   const method = 'search'
   const ldapOptions = {}
   if (config.useSID_id) ldapOptions.attributes = ['objectSid']
@@ -790,7 +790,7 @@ const dnToSidGuid = async (baseEntity, dn) => {
 
   try {
     const base = dn
-    const objects = await doRequest(baseEntity, method, base, ldapOptions)
+    const objects = await doRequest(baseEntity, method, base, ldapOptions, ctx)
     if (objects.length !== 1) throw new Error(`did not find unique object having dn=${base}`)
     if (config.useSID_id) return objects[0].objectSid
     else return objects[0].objectGUID
@@ -803,7 +803,7 @@ const dnToSidGuid = async (baseEntity, dn) => {
 //
 // guidToDn is used for Active Directory to return dn based on objectGUID
 //
-const sidGuidToDn = async (baseEntity, id) => {
+const sidGuidToDn = async (baseEntity, id, ctx) => {
   const method = 'search'
   const ldapOptions = {
     attributes: ['dn']
@@ -818,7 +818,7 @@ const sidGuidToDn = async (baseEntity, id) => {
       const guid = Buffer.from(id, 'base64').toString('hex')
       base = `<GUID=${guid}>`
     } else throw new Error('invalid call to sidGuidToDn(), configuration not using objectSid or objectGUID')
-    const objects = await doRequest(baseEntity, method, base, ldapOptions)
+    const objects = await doRequest(baseEntity, method, base, ldapOptions, ctx)
     if (objects.length !== 1) throw new Error(`did not find unique object having ${config.useSID_id ? 'objectSid' : 'objectGUID'} =${id}`)
     return objects[0].dn
   } catch (err) {
@@ -900,7 +900,7 @@ const convertStringToSid = (sidStr) => {
 // getMemberOfGroups returns all groups the user is member of
 // [{ id: <id-group>> , displayName: <displayName-group>, members [{value: <id-user>}] }]
 //
-const getMemberOfGroups = async (baseEntity, id) => {
+const getMemberOfGroups = async (baseEntity, id, ctx) => {
   const action = 'getMemberOfGroups'
   if (!config.map.group) throw new Error('missing configuration endpoint.map.group') // not using groups
 
@@ -922,7 +922,7 @@ const getMemberOfGroups = async (baseEntity, id) => {
     }
 
     try {
-      const users = await doRequest(baseEntity, method, base, ldapOptions)
+      const users = await doRequest(baseEntity, method, base, ldapOptions, ctx)
       if (users.length !== 1) throw new Error(`${action} error: did not find unique user having ${config.useSID_id ? 'objectSid' : 'objectGUID'} =${id}`)
       idDn = users[0].dn
     } catch (err) {
@@ -948,7 +948,7 @@ const getMemberOfGroups = async (baseEntity, id) => {
   }
 
   try {
-    const groups = await doRequest(baseEntity, method, base, ldapOptions)
+    const groups = await doRequest(baseEntity, method, base, ldapOptions, ctx)
     return groups.map((grp) => {
       return { // { id: <id-group>> , displayName: <displayName-group>, members [{value: <id-user>}] }
         id: encodeURIComponent(grp[attrs[0]]), // not mandatory, but included anyhow
@@ -962,10 +962,22 @@ const getMemberOfGroups = async (baseEntity, id) => {
   }
 }
 
+//
+// getCtxAuth returns username/secret from ctx header when using Auth PassThrough
+//
+const getCtxAuth = (ctx) => { // eslint-disable-line
+  if (!ctx?.request?.header?.authorization) return []
+  const [authType, authToken] = (ctx.request.header.authorization || '').split(' ') // [0] = 'Basic' or 'Bearer'
+  let username, password
+  if (authType === 'Basic') [username, password] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
+  if (username) return [username, password] // basic auth
+  else return [undefined, authToken] // bearer auth
+}
+
 //
 // getServiceClient returns LDAP client used by doRequest
 //
-const getServiceClient = async (baseEntity) => {
+const getServiceClient = async (baseEntity, ctx) => {
   const action = 'getServiceClient'
   if (!config.entity[baseEntity].passwordDecrypted) config.entity[baseEntity].passwordDecrypted = scimgateway.getPassword(`endpoint.entity.${baseEntity}.password`, configFile)
   if (!config.entity[baseEntity].baseUrl) config.entity[baseEntity].baseUrl = config.entity[baseEntity].baseUrls[0] // failover logic also updates baseUrl
@@ -983,7 +995,11 @@ const getServiceClient = async (baseEntity) => {
         strictDN: false // false => allows none standard ldap base dn e.g. <SID=...> / <GUID=...>  ref. objectSid/objectGUID
       })
       await new Promise((resolve, reject) => {
-        cli.bind(config.entity[baseEntity].username, config.entity[baseEntity].passwordDecrypted, (err, res) => err ? reject(err) : resolve(res))
+        if (ctx?.request?.header?.authorization) { // using ctx authentication PassThrough
+          const [username, password] = getCtxAuth(ctx)
+          if (username) cli.bind(username, password, (err, res) => err ? reject(err) : resolve(res)) // basic auth
+          else cli.bind(config.entity[baseEntity].username, password, (err, res) => err ? reject(err) : resolve(res)) // bearer token, using username from configuration
+        } else cli.bind(config.entity[baseEntity].username, config.entity[baseEntity].passwordDecrypted, (err, res) => err ? reject(err) : resolve(res))
         cli.on('error', (err) => reject(err))
       })
       return cli // client OK
@@ -1013,7 +1029,7 @@ const getServiceClient = async (baseEntity) => {
 //         "attributes": ["sAMAccountName","displayName","mail"]
 //       }
 //
-const doRequest = async (baseEntity, method, base, ldapOptions) => {
+const doRequest = async (baseEntity, method, base, ldapOptions, ctx) => {
   let result = null
   let client = null
 
@@ -1029,7 +1045,7 @@ const doRequest = async (baseEntity, method, base, ldapOptions) => {
   }
 
   try {
-    client = await getServiceClient(baseEntity)
+    client = await getServiceClient(baseEntity, ctx)
     switch (method) {
       case 'search':
         options.paged = { pageSize: 200, pagePause: false } // parse entire directory calling 'page' method for each page

package/lib/plugin-loki.js

@@ -267,27 +267,27 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   const userObj = res[0]
 
   for (const key in attrObj) {
-    if (Array.isArray(attrObj[key])) { // standard, not using type (e.g roles/groups)
-      attrObj[key].forEach(el => {
-        if (el.operation === 'delete') {
-          userObj[key] = userObj[key].filter(e => {
-            if (Object.prototype.hasOwnProperty.call(el, 'value') && el.value !== e.value) return true
-            if (Object.prototype.hasOwnProperty.call(el, 'type') && el.type !== e.type) return true
-            if (Object.prototype.hasOwnProperty.call(el, 'display') && el.display !== e.display) return true
-            if (Object.prototype.hasOwnProperty.call(el, 'primary') && el.primary !== e.primary) return true
-            return false
-          })
-        } else { // add
-          if (!userObj[key]) userObj[key] = []
-          if (Object.prototype.hasOwnProperty.call(el, 'primary')) {
-            if (el.primary === true || (typeof el.primary === 'string' && el.primary.toLowerCase() === 'true')) {
-              // delete any existing primary before adding
-              const index = userObj[key].findIndex(e => e.primary === el.primary)
-              if (index >= 0) userObj[key].splice(index, 1)
+    if (Array.isArray(attrObj[key])) { // standard, not using type (e.g roles/groups) or skipTypeConvert=true
+      const delArr = attrObj[key].filter(el => el.operation === 'delete')
+      const addArr = attrObj[key].filter(el => (!el.operation || el.operation !== 'delete'))
+      if (!userObj[key]) userObj[key] = []
+      // delete
+      userObj[key] = userObj[key].filter(el => {
+        if (delArr.findIndex(e => e.value === el.value) >= 0) return false
+        return true
+      })
+      // add
+      addArr.forEach(el => {
+        if (Object.prototype.hasOwnProperty.call(el, 'primary')) {
+          if (el.primary === true || (typeof el.primary === 'string' && el.primary.toLowerCase() === 'true')) {
+            const index = userObj[key].findIndex(e => e.primary === el.primary)
+            if (index >= 0) {
+              if (key === 'roles') userObj[key].splice(index, 1) // roles, delete existing role having primary attribute true (new role with primary will be added)
+              else userObj[key][index].primary = undefined // remove primary attribute, only one primary
             }
           }
-          userObj[key].push(el)
         }
+        userObj[key].push(el)
       })
     } else if (scimgateway.isMultiValueTypes(key)) { // "type converted object" logic and original blank type having type "undefined"
       if (!attrObj[key]) delete userObj[key] // blank or null
@@ -300,6 +300,15 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
           if (userObj[key].length < 1) delete userObj[key]
         } else { // modify/create multivalue
           if (!userObj[key]) userObj[key] = []
+          if (attrObj[key][el].primary) { // remove any existing primary attribute, should only have one primary set
+            const primVal = attrObj[key][el].primary
+            if (primVal === true || (typeof primVal === 'string' && primVal.toLowerCase() === 'true')) {
+              const index = userObj[key].findIndex(e => e.primary === primVal)
+              if (index >= 0) {
+                userObj[key][index].primary = undefined
+              }
+            }
+          }
           const found = userObj[key].find((e, i) => {
             if (e.type === el || (!e.type && el === 'undefined')) {
               for (const k in attrObj[key][el]) {

package/lib/plugin-mongodb.js

@@ -49,20 +49,34 @@ scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no
 const validFilterOperators = ['eq', 'ne', 'aeq', 'dteq', 'gt', 'gte', 'lt', 'lte', 'between', 'jgt', 'jgte', 'jlt', 'jlte', 'jbetween', 'regex', 'in', 'nin', 'keyin', 'nkeyin', 'definedin', 'undefinedin', 'contains', 'containsAny', 'type', 'finite', 'size', 'len', 'exists']
 
 if (!config.entity) throw new Error('error: configuration entity is missing')
-for (const baseEntity in config.entity) {
-  if (config.entity[baseEntity].baseUrl) { // mongodb://host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]] - e.g: mongodb://localhost:27017/db?tls=true&tlsInsecure=true
-    const arr = config.entity[baseEntity].baseUrl.split('//')
-    if (arr.length !== 2 || arr[0] !== 'mongodb:') throw new Error('error: configuration baseUrls is not using expected format mongodb://hostname:port')
-    const username = config.entity[baseEntity].username
-    const password = scimgateway.getPassword(`endpoint.entity.${baseEntity}.password`, configFile)
-    const dbConn = `${arr[0]}//${encodeURIComponent(username)}:${encodeURIComponent(password)}@${arr[1]}` // percent encoded username/password
-    const client = new MongoClient(dbConn, { useUnifiedTopology: true })
-    loadHandler(baseEntity, client)
+if (!scimgateway.authPassThroughAllowed) { // not using Auth PassThrough, loading db handler at startup using username/password from config
+  for (const baseEntity in config.entity) {
+    loadHandler(baseEntity)
   }
 }
 
-async function loadHandler (baseEntity, client) {
+async function loadHandler (baseEntity, ctx) {
   const action = 'loadHander'
+  if (!config.entity[baseEntity].baseUrl) { // mongodb://host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]] - e.g: mongodb://localhost:27017/db?tls=true&tlsInsecure=true
+    throw new Error(`${action} error: configuration entity.${baseEntity}.baseUrl is missing`)
+  }
+  const arr = config.entity[baseEntity].baseUrl.split('//')
+  if (arr.length !== 2 || arr[0] !== 'mongodb:') throw new Error('error: configuration baseUrls is not using expected format mongodb://hostname:port')
+
+  let username
+  let password
+  if (ctx?.request?.header?.authorization) { // Auth PassThrough
+    const [user, secret] = getCtxAuth(ctx)
+    if (user) username = user
+    else username = config.entity[baseEntity].username // bearer token, using username from configuration
+    password = secret
+  } else {
+    username = config.entity[baseEntity].username
+    password = scimgateway.getPassword(`endpoint.entity.${baseEntity}.password`, configFile)
+  }
+  const dbConn = `${arr[0]}//${encodeURIComponent(username)}:${encodeURIComponent(password)}@${arr[1]}` // percent encoded username/password
+  const client = new MongoClient(dbConn, { useUnifiedTopology: true })
+
   const dbName = config.entity[baseEntity].database ? config.entity[baseEntity].database : 'scim'
   let db
   let users
@@ -72,7 +86,9 @@ async function loadHandler (baseEntity, client) {
     await client.connect()
     db = await client.db(dbName)
 
-    config.entity[baseEntity].client = client
+    const clientIdentifier = getClientIdentifier(ctx)
+    if (!config.entity[baseEntity][clientIdentifier]) config.entity[baseEntity][clientIdentifier] = {}
+    config.entity[baseEntity][clientIdentifier].client = client
     config.entity[baseEntity].db = db
 
     if (await isMongoCollection(baseEntity, 'users')) users = await db.collection('users')
@@ -131,10 +147,11 @@ async function loadHandler (baseEntity, client) {
       }
     }
   }
-
-  config.entity[baseEntity].collection = {}
-  config.entity[baseEntity].collection.users = users
-  config.entity[baseEntity].collection.groups = groups
+  const clientIdentifier = getClientIdentifier(ctx)
+  if (!config.entity[baseEntity][clientIdentifier]) config.entity[baseEntity][clientIdentifier] = {}
+  config.entity[baseEntity][clientIdentifier].collection = {}
+  config.entity[baseEntity][clientIdentifier].collection.users = users
+  config.entity[baseEntity][clientIdentifier].collection.groups = groups
 }
 
 // =================================================
@@ -186,7 +203,11 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
     }
   }
 
-  const users = config.entity[baseEntity].collection.users
+  const clientIdentifier = getClientIdentifier(ctx)
+  if (ctx && !config.entity[baseEntity][clientIdentifier]) { // first (or previous failed) PassThrough attempt - have to load connection
+    await loadHandler(baseEntity, ctx)
+  }
+  const users = config.entity[baseEntity][clientIdentifier].collection.users
   let findObj
 
   // mandatory if-else logic - start
@@ -353,27 +374,27 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   let userObj = decodeDotDate(res[0])
 
   for (const key in attrObj) {
-    if (Array.isArray(attrObj[key])) { // standard, not using type (e.g roles/groups)
-      attrObj[key].forEach(el => {
-        if (el.operation === 'delete') {
-          userObj[key] = userObj[key].filter(e => {
-            if (Object.prototype.hasOwnProperty.call(el, 'value') && el.value !== e.value) return true
-            if (Object.prototype.hasOwnProperty.call(el, 'type') && el.type !== e.type) return true
-            if (Object.prototype.hasOwnProperty.call(el, 'display') && el.display !== e.display) return true
-            if (Object.prototype.hasOwnProperty.call(el, 'primary') && el.primary !== e.primary) return true
-            return false
-          })
-        } else { // add
-          if (!userObj[key]) userObj[key] = []
-          if (Object.prototype.hasOwnProperty.call(el, 'primary')) {
-            if (el.primary === true || (typeof el.primary === 'string' && el.primary.toLowerCase() === 'true')) {
-              // delete any existing primary before adding
-              const index = userObj[key].findIndex(e => e.primary === el.primary)
-              if (index >= 0) userObj[key].splice(index, 1)
+    if (Array.isArray(attrObj[key])) { // standard, not using type (e.g roles/groups) or skipTypeConvert=true
+      const delArr = attrObj[key].filter(el => el.operation === 'delete')
+      const addArr = attrObj[key].filter(el => (!el.operation || el.operation !== 'delete'))
+      if (!userObj[key]) userObj[key] = []
+      // delete
+      userObj[key] = userObj[key].filter(el => {
+        if (delArr.findIndex(e => e.value === el.value) >= 0) return false
+        return true
+      })
+      // add
+      addArr.forEach(el => {
+        if (Object.prototype.hasOwnProperty.call(el, 'primary')) {
+          if (el.primary === true || (typeof el.primary === 'string' && el.primary.toLowerCase() === 'true')) {
+            const index = userObj[key].findIndex(e => e.primary === el.primary)
+            if (index >= 0) {
+              if (key === 'roles') userObj[key].splice(index, 1) // roles, delete existing role having primary attribute true (new role with primary will be added)
+              else userObj[key][index].primary = undefined // remove primary attribute, only one primary
             }
           }
-          userObj[key].push(el)
         }
+        userObj[key].push(el)
       })
     } else if (scimgateway.isMultiValueTypes(key)) { // "type converted object" logic and original blank type having type "undefined"
       if (!attrObj[key]) delete userObj[key] // blank or null
@@ -386,6 +407,15 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
           if (userObj[key].length < 1) delete userObj[key]
         } else { // modify/create multivalue
           if (!userObj[key]) userObj[key] = []
+          if (attrObj[key][el].primary) { // remove any existing primary attribute, should only have one primary set
+            const primVal = attrObj[key][el].primary
+            if (primVal === true || (typeof primVal === 'string' && primVal.toLowerCase() === 'true')) {
+              const index = userObj[key].findIndex(e => e.primary === primVal)
+              if (index >= 0) {
+                userObj[key][index].primary = undefined
+              }
+            }
+          }
           const found = userObj[key].find((e, i) => {
             if (e.type === el || (!e.type && el === 'undefined')) {
               for (const k in attrObj[key][el]) {
@@ -709,11 +739,30 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
 // =================================================
 // helpers
 // =================================================
+
+const getClientIdentifier = (ctx) => {
+  if (!ctx?.request?.header?.authorization) return undefined
+  const [user, secret] = getCtxAuth(ctx)
+  return `${encodeURIComponent(user)}_${encodeURIComponent(secret)}` // user_password or undefined_password
+}
+
+//
+// getCtxAuth returns username/secret from ctx header when using Auth PassThrough
+//
+const getCtxAuth = (ctx) => {
+  if (!ctx?.request?.header?.authorization) return []
+  const [authType, authToken] = (ctx.request.header.authorization || '').split(' ') // [0] = 'Basic' or 'Bearer'
+  let username, password
+  if (authType === 'Basic') [username, password] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
+  if (username) return [username, password] // basic auth
+  else return [undefined, authToken] // bearer auth
+}
+
 const decodeDotDate = (obj) => { // replace dot with unicode
   const retObj = JSON.parse(JSON.stringify(obj)) // new object - don't modify source
   Object.keys(retObj).forEach(function (key) {
     if (key.includes('·')) {
-      retObj[key.replace(/\·/g, '.')] = retObj[key]
+      retObj[key.replace(/\·/g, '.')] = retObj[key] // eslint-disable-line
       delete retObj[key]
     }
   })
@@ -785,12 +834,20 @@ async function dropMongoCollection (baseEntity, collection) {
 process.on('SIGTERM', () => {
   // kill
   for (const baseEntity in config.entity) {
-    if (config.entity[baseEntity].db) config.entity[baseEntity].db.close()
+    for (const key in config.entity[baseEntity]) {
+      if (config.entity[baseEntity][key].client) {
+        config.entity[baseEntity][key].client.close()
+      }
+    }
   }
 })
 process.on('SIGINT', () => {
   // Ctrl+C
   for (const baseEntity in config.entity) {
-    if (config.entity[baseEntity].db) config.entity[baseEntity].db.close()
+    for (const key in config.entity[baseEntity]) {
+      if (config.entity[baseEntity][key].client) {
+        config.entity[baseEntity][key].client.close()
+      }
+    }
   }
 })