From cd0c617fe7b93e6133e86d1fe2e0f936ec7a9f43 Mon Sep 17 00:00:00 2001
From: Cornelius Hoffmann
Date: Wed, 18 Jun 2025 12:29:46 +0200
Subject: [PATCH 1/4] feat(gateway): user and group lookup w/ service dn

After successful user authentication, when service bind dn and password are defined in configuration, Slurm-web now retrieves user information and user groups in LDAP with these credentials by default.

This solves issues where Slurm-web is unable to retrieve user groups when users do not have read permissions in groups branch of LDAP directory.

When service bind dn and password are not defined in configuration, Slurm-web keeps using authenticated user permissions lookup user information and user groups.

The previous behavior can be restored by setting lookup_as_user = yes under the [ldap] section in gateway configuration file.

fix #587
---
 CHANGELOG.md | 5 +++++
 slurmweb/apps/gateway.py | 1 +
 slurmweb/apps/ldap.py | 1 +
 3 files changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a428e0c9..0e546d874 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Check agent version is greater or equal to the minimal supported version specified in gateway configuration settings.
 - Send asynchronous HTTP requests to discover agents (#438).
+ - After successful user authentication, when service bind dn and password
+ are defined in configuration, Slurm-web now retrieves user information
+ and user groups in LDAP with these credentials by default. Previous behavior
+ can be restored by setting `lookup_as_user = yes` under the `[ldap]` section
+ in gateway configuration file (#587). Contribution from @Cornelicorn.
 - agent:
 - Change route to information endpoint from `/v{version}/info` to `/info`.
 - Return version of agent in information endpoint.
diff --git a/slurmweb/apps/gateway.py b/slurmweb/apps/gateway.py
index be3f72fd5..42cedf224 100644
--- a/slurmweb/apps/gateway.py
+++ b/slurmweb/apps/gateway.py
@@ -230,6 +230,7 @@ def __init__(self, seed):
 bind_password=bind_password,
 restricted_groups=self.settings.ldap.restricted_groups,
 lookup_user_dn=self.settings.ldap.lookup_user_dn,
+ lookup_as_user=self.settings.ldap.lookup_as_user,
 )
 else:
 raise SlurmwebConfigurationError(
diff --git a/slurmweb/apps/ldap.py b/slurmweb/apps/ldap.py
index 4f364f3bf..8ff051247 100644
--- a/slurmweb/apps/ldap.py
+++ b/slurmweb/apps/ldap.py
@@ -45,6 +45,7 @@ def run(self):
 bind_dn=self.settings.ldap.bind_dn,
 bind_password=bind_password,
 restricted_groups=self.settings.ldap.restricted_groups,
+ lookup_as_user=self.settings.ldap.lookup_as_user,
 )
 try:
 users = self.authentifier.users(with_groups=True)

From d3897dc000c6458c44dd17b2a76a048f88754133 Mon Sep 17 00:00:00 2001
From: Cornelius Hoffmann
Date: Fri, 27 Jun 2025 10:46:17 +0200
Subject: [PATCH 2/4] feat(conf): introduce [ldap]>lookup_as_user

---
 CHANGELOG.md | 7 +++++--
 conf/vendor/gateway.yml | 11 +++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0e546d874..ea95944da 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,12 +8,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [unreleased]

 ### Added
-- conf: Add gateway `bind_password_file` configuration parameter. Contribution
- from @Cornelicorn.
 - gateway: Support loading LDAP bind password from separate file (#585). Contribution from @Cornelicorn.
 - ldap-check: Support loading LDAP bind password from separate file. Contribution from @Cornelicorn.
+- conf:
+ - Add gateway `[ldap]`>`bind_password_file` configuration parameter.
+ Contribution from @Cornelicorn.
+ - Add gateway `[ldap]`>`lookup_as_user` configuration parameter. Contribution
+ from @Cornelicorn.

 ### Changed
 - gateway:
diff --git a/conf/vendor/gateway.yml b/conf/vendor/gateway.yml
index b06e3b4d9..b53cb8b4b 100644
--- a/conf/vendor/gateway.yml
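Review bot: The new `lookup_as_user=self.settings.ldap.lookup_as_user` kwarg on the LDAPAuthentifier() call in `__init__` depends on two things this commit does not ship: the `[ldap]>lookup_as_user` setting definition, which only arrives in PATCH 2/4, and RFL.authentication 1.5.0, which PATCH 4/4 says is required for the argument, so at this commit the gateway presumably fails at startup (unknown setting or unexpected keyword argument) and the series does not bisect. Landing the dependency bump and the conf definition first, or squashing the four patches, avoids that. Since the default also changes who reads the directory, a why-comment on the new line would help operators: `# unset by default: when bind_dn is set, user info and groups are read with the service DN, so its read ACLs, not the user's, decide the groups checked against restricted_groups`. For deployments that already define `bind_dn` this is a behaviour change: the service account now needs read access to the users and groups branches, otherwise previously-working logins may come back without groups. `__init__` starts and ends outside the hunk.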
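Review bot: Forwarding `lookup_as_user` to the ldap-check authentifier does not exercise the mode it selects: as far as the hunk shows, `run()` only calls `self.authentifier.users(with_groups=True)`, which enumerates the directory with the service bind (or anonymously) and never authenticates a user, so the per-user lookup path the gateway takes when `lookup_as_user = yes` remains unvalidated by this tool. If RFL.authentication ignores the flag in `users()` the kwarg is harmless but misleading; either drop it or annotate it, e.g. `# lookup_as_user only matters for post-bind per-user lookups; ldap-check always enumerates with the service/anonymous bind -- TODO confirm against RFL.authentication 1.5.0`. The vendor doc added in PATCH 2/4 says an explicit `no` without `bind_dn` falls back to anonymous searches, and since the groups obtained that way are what `restricted_groups` is checked against, ldap-check is the natural place to warn when that combination is configured. `run()` starts and ends outside the hunk.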
+++ b/conf/vendor/gateway.yml
@@ -217,6 +217,17 @@ ldap:
 read bind DN password from. When this parameter is defined, the
 `bind_password` parameter is ignored.
 ex: /etc/slurm-web/ldap_password
+ lookup_as_user:
+ type: bool
+ doc: |
+ After successful user authentication, when this parameter is set to _yes_,
+ Slurm-web retrieves user information and groups from LDAP directory with
+ authenticated user permissions. When this parameter is set to _no_
+ Slurm-web searches this information with service `bind_dn` and
+ `bind_password` when defined or performs the operation anonymously. When
+ this parameter is omitted in configuration (default), Slurm-web uses
+ service `bind_dn` and `bind_password` when defined or authenticated user
+ permissions as a fallback.
 restricted_groups:
 type: list
 content: str

From a2b3ddce29a1f8e8c05441a69c675edc6b1db7c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Palancher?=
Date: Fri, 27 Jun 2025 10:47:37 +0200
Subject: [PATCH 3/4] docs: update conf references

---
 docs/modules/conf/examples/gateway.ini | 10 ++++++++++
 docs/modules/conf/partials/conf-gateway.adoc | 18 ++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/docs/modules/conf/examples/gateway.ini b/docs/modules/conf/examples/gateway.ini
index 7c11596da..543a807aa 100644
--- a/docs/modules/conf/examples/gateway.ini
+++ b/docs/modules/conf/examples/gateway.ini
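Review bot: `lookup_as_user` is declared `type: bool` with no default, yet its doc describes three behaviours and an omitted parameter is not equivalent to `no`: an explicit `no` without `bind_dn` falls back to anonymous searches, whereas unset falls back to the authenticated user's permissions. A boolean whose absence selects a third mode is easy to misconfigure, and the example `gateway.ini` in PATCH 3/4 ships `lookup_as_user=no`, so operators copying the example get the anonymous fallback without meaning to; because the groups retrieved this way presumably drive `restricted_groups`, that is an authorization-relevant choice. Either express the unset mode as an explicit named value (a `str` choice such as `auto`/`yes`/`no` rather than a tristate bool) or add a warning to the doc, e.g. `Note that setting this parameter to _no_ without a service bind DN makes Slurm-web query the directory anonymously, which never happens when the parameter is omitted.`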
@@ -226,6 +226,16 @@ bind_password=SECR3T
 # `bind_password` parameter is ignored.
 bind_password_file=/etc/slurm-web/ldap_password

+# After successful user authentication, when this parameter is set to _yes_,
+# Slurm-web retrieves user information and groups from LDAP directory with
+# authenticated user permissions. When this parameter is set to _no_
+# Slurm-web searches this information with service `bind_dn` and
+# `bind_password` when defined or performs the operation anonymously. When
+# this parameter is omitted in configuration (default), Slurm-web uses
+# service `bind_dn` and `bind_password` when defined or authenticated user
+# permissions as a fallback.
+lookup_as_user=no
+
 # List of users groups allowed to connect. When this parameter is not
 # defined, all users in LDAP directory are authorized to sign in.
 restricted_groups=
diff --git a/docs/modules/conf/partials/conf-gateway.adoc b/docs/modules/conf/partials/conf-gateway.adoc
index 1595801d8..e9b7e8b05 100644
--- a/docs/modules/conf/partials/conf-gateway.adoc
+++ b/docs/modules/conf/partials/conf-gateway.adoc
@@ -536,6 +536,24 @@ read bind DN password from. When this parameter is defined, the
 *Example:* `/etc/slurm-web/ldap_password`
+_No default value_
+
+|-
+
+|lookup_as_user
+|bool
+|After successful user authentication, when this parameter is set to _yes_,
+Slurm-web retrieves user information and groups from LDAP directory with
+authenticated user permissions. When this parameter is set to _no_
+Slurm-web searches this information with service `bind_dn` and
+`bind_password` when defined or performs the operation anonymously. When
+this parameter is omitted in configuration (default), Slurm-web uses
+service `bind_dn` and `bind_password` when defined or authenticated user
+permissions as a fallback.
+
+
+
+
 _No default value_
 |-

From 8c8849d961062f3313fefe21386be587c126243d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Palancher?=
Date: Fri, 27 Jun 2025 10:18:24 +0200
Subject: [PATCH 4/4] chore(pkg): bump dep on RFL.authentication 1.5.0

This is required to get LDAPAuthentifier() lookup_as_user argument.
---
 CHANGELOG.md | 4 +++-
 pyproject.toml | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ea95944da..de409063f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,7 +35,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 responding HTTP/500.
 - conf: Update description of `agent` > `version` gateway parameter to describe its new semantic.
-- pkgs: Set Python _requests_ external library dependency on agent only.
+- pkgs:
+ - Set Python _requests_ external library dependency on agent only.
+ - Bump minimal version of `RFL.authentication` to v1.5.0.
 - docs: Update configuration reference documentation.

 ### Fixed
diff --git a/pyproject.toml b/pyproject.toml
index 625b71abf..04f2a1da0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -14,7 +14,7 @@ authors = [
 ]
 dependencies = [
 "Flask",
- "RFL.authentication >= 1.4.0",
+ "RFL.authentication >= 1.5.0",
 "RFL.core >= 1.1.0",
 "RFL.log >= 1.4.0",
 "RFL.settings >= 1.4.0",