rackslab · rezib · Jun 27, 2025 · Jun 18, 2025 · Jun 27, 2025 · Jun 27, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,26 +8,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [unreleased]
 
 ### Added
-- conf: Add gateway `bind_password_file` configuration parameter. Contribution
-  from @Cornelicorn.
 - gateway: Support loading LDAP bind password from separate file (#585).
   Contribution from @Cornelicorn.
 - ldap-check: Support loading LDAP bind password from separate file.
   Contribution from @Cornelicorn.
+- conf:
+  - Add gateway `[ldap]`>`bind_password_file` configuration parameter.
+    Contribution from @Cornelicorn.
+  - Add gateway `[ldap]`>`lookup_as_user` configuration parameter. Contribution
+    from @Cornelicorn.
 
 ### Changed
 - gateway:
   - Check agent version is greater or equal to the minimal supported version
     specified in gateway configuration settings.
   - Send asynchronous HTTP requests to discover agents (#438).
+  - After successful user authentication, when service bind dn and password
+    are defined in configuration, Slurm-web now retrieves user information
+    and user groups in LDAP with these credentials by default. Previous behavior
+    can be restored by setting `lookup_as_user = yes` under the `[ldap]` section
+    in gateway configuration file (#587). Contribution from @Cornelicorn.
 - agent:
  - Change route to information endpoint from `/v{version}/info` to `/info`.
  - Return version of agent in information endpoint.
  - Emit warning log entry when `SlurmwebMetricsDBError` is raised before
    responding HTTP/500.
 - conf: Update description of `agent` > `version` gateway parameter to describe
   its new semantic.
-- pkgs: Set Python _requests_ external library dependency on agent only.
+- pkgs:
+  - Set Python _requests_ external library dependency on agent only.
+  - Bump minimal version of `RFL.authentication` to v1.5.0.
 - docs: Update configuration reference documentation.
 
 ### Fixed

diff --git a/conf/vendor/gateway.yml b/conf/vendor/gateway.yml
@@ -217,6 +217,17 @@ ldap:
       read bind DN password from. When this parameter is defined, the
       `bind_password` parameter is ignored.
     ex: /etc/slurm-web/ldap_password
+  lookup_as_user:
+    type: bool
+    doc: |
+      After successful user authentication, when this parameter is set to _yes_,
+      Slurm-web retrieves user information and groups from LDAP directory with
+      authenticated user permissions. When this parameter is set to _no_
+      Slurm-web searches this information with service `bind_dn` and
+      `bind_password` when defined or performs the operation anonymously. When
+      this parameter is omitted in configuration (default), Slurm-web uses
+      service `bind_dn` and `bind_password` when defined or authenticated user
+      permissions as a fallback.
   restricted_groups:
     type: list
     content: str

diff --git a/docs/modules/conf/examples/gateway.ini b/docs/modules/conf/examples/gateway.ini
@@ -226,6 +226,16 @@ bind_password=SECR3T
 # `bind_password` parameter is ignored.
 bind_password_file=/etc/slurm-web/ldap_password
 
+# After successful user authentication, when this parameter is set to _yes_,
+# Slurm-web retrieves user information and groups from LDAP directory with
+# authenticated user permissions. When this parameter is set to _no_
+# Slurm-web searches this information with service `bind_dn` and
+# `bind_password` when defined or performs the operation anonymously. When
+# this parameter is omitted in configuration (default), Slurm-web uses
+# service `bind_dn` and `bind_password` when defined or authenticated user
+# permissions as a fallback.
+lookup_as_user=no
+
 # List of users groups allowed to connect. When this parameter is not
 # defined, all users in LDAP directory are authorized to sign in.
 restricted_groups=

diff --git a/docs/modules/conf/partials/conf-gateway.adoc b/docs/modules/conf/partials/conf-gateway.adoc
@@ -536,6 +536,24 @@ read bind DN password from. When this parameter is defined, the
 *Example:* `/etc/slurm-web/ldap_password`
 
 
+_No default value_
+
+|-
+
+|lookup_as_user
+|bool
+|After successful user authentication, when this parameter is set to _yes_,
+Slurm-web retrieves user information and groups from LDAP directory with
+authenticated user permissions. When this parameter is set to _no_
+Slurm-web searches this information with service `bind_dn` and
+`bind_password` when defined or performs the operation anonymously. When
+this parameter is omitted in configuration (default), Slurm-web uses
+service `bind_dn` and `bind_password` when defined or authenticated user
+permissions as a fallback.
+
+
+
+
 _No default value_
 
 |-

diff --git a/pyproject.toml b/pyproject.toml
@@ -14,7 +14,7 @@ authors = [
 ]
 dependencies = [
     "Flask",
-    "RFL.authentication >= 1.4.0",
+    "RFL.authentication >= 1.5.0",
     "RFL.core >= 1.1.0",
     "RFL.log >= 1.4.0",
     "RFL.settings >= 1.4.0",

diff --git a/slurmweb/apps/gateway.py b/slurmweb/apps/gateway.py
@@ -230,6 +230,7 @@ def __init__(self, seed):
                     bind_password=bind_password,
                     restricted_groups=self.settings.ldap.restricted_groups,
                     lookup_user_dn=self.settings.ldap.lookup_user_dn,
+                    lookup_as_user=self.settings.ldap.lookup_as_user,
                 )
             else:
                 raise SlurmwebConfigurationError(

diff --git a/slurmweb/apps/ldap.py b/slurmweb/apps/ldap.py
@@ -45,6 +45,7 @@ def run(self):
             bind_dn=self.settings.ldap.bind_dn,
             bind_password=bind_password,
             restricted_groups=self.settings.ldap.restricted_groups,
+            lookup_as_user=self.settings.ldap.lookup_as_user,
         )
         try:
             users = self.authentifier.users(with_groups=True)