authorSteven Waters <steven.waters@trainsense.co.uk>2019-02-21 09:02:47 +0000
committerSteven Waters <steven.waters@trainsense.co.uk>2019-02-21 09:02:47 +0000
commit402d484182bd58e8fb56d847c01fb2ca071310d6 (patch)
tree3890187f2da0f184fcb24eb4f73fee7c71828298
parent4bf0914f1e5943fd10c5318db34e755ce895c4bb (diff)
Added LDAP email environment variables
Support for LDAP matching existing accounts with e-mail address.
-rw-r--r--Dockerfile8
-rw-r--r--docker-compose.yml16
-rw-r--r--[-rwxr-xr-x]releases/virtualbox/start-wekan.sh12
-rw-r--r--[-rwxr-xr-x]snap-src/bin/config18
-rw-r--r--[-rwxr-xr-x]snap-src/bin/wekan-help13
-rw-r--r--start-wekan.bat16
-rw-r--r--[-rwxr-xr-x]start-wekan.sh12
7 files changed, 94 insertions, 1 deletions
diff --git a/Dockerfile b/Dockerfile
index 7957c72c..16ac6913 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -67,6 +67,10 @@ ARG LDAP_UNIQUE_IDENTIFIER_FIELD
ARG LDAP_UTF8_NAMES_SLUGIFY
ARG LDAP_USERNAME_FIELD
ARG LDAP_FULLNAME_FIELD
+ARG LDAP_EMAIL_FIELD
+ARG LDAP_EMAIL_MATCH_ENABLE
+ARG LDAP_EMAIL_MATCH_REQUIRE
+ARG LDAP_EMAIL_MATCH_VERIFIED
ARG LDAP_MERGE_EXISTING_USERS
ARG LDAP_SYNC_USER_DATA
ARG LDAP_SYNC_USER_DATA_FIELDMAP
@@ -149,6 +153,10 @@ ENV BUILD_DEPS="apt-utils bsdtar gnupg gosu wget curl bzip2 build-essential pyth
LDAP_USERNAME_FIELD="" \
LDAP_FULLNAME_FIELD="" \
LDAP_MERGE_EXISTING_USERS=false \
+ LDAP_EMAIL_FIELD="" \
+ LDAP_EMAIL_MATCH_ENABLE=false \
+ LDAP_EMAIL_MATCH_REQUIRE=false \
+ LDAP_EMAIL_MATCH_VERIFIED=false \
LDAP_SYNC_USER_DATA=false \
LDAP_SYNC_USER_DATA_FIELDMAP="" \
LDAP_SYNC_GROUP_ROLES="" \
diff --git a/docker-compose.yml b/docker-compose.yml
index a9f11569..81cafb84 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -469,6 +469,22 @@ services:
# LDAP_MERGE_EXISTING_USERS :
# example : LDAP_MERGE_EXISTING_USERS=true
#- LDAP_MERGE_EXISTING_USERS=false
+ #
+ # LDAP_EMAIL_MATCH_ENABLE : allow existing account matching by e-mail address when username does not match
+ # example: LDAP_EMAIL_MATCH_ENABLE=true
+ #- LDAP_EMAIL_MATCH_ENABLE=false
+ #
+ # LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match
+ # example: LDAP_EMAIL_MATCH_REQUIRE=true
+ #- LDAP_EMAIL_MATCH_REQUIRE=false
+ #
+ # LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching
+ # example: LDAP_EMAIL_MATCH_VERIFIED=true
+ #- LDAP_EMAIL_MATCH_VERIFIED=false
+ #
+ # LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address
+ # example: LDAP_EMAIL_FIELD=mail
+ #- LDAP_EMAIL_FIELD=
#-----------------------------------------------------------------
# LDAP_SYNC_USER_DATA :
# example : LDAP_SYNC_USER_DATA=true
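Review bot: The comments for LDAP_EMAIL_MATCH_ENABLE and LDAP_EMAIL_MATCH_VERIFIED do not tell the operator that matching by e-mail binds an LDAP login to an existing local account, so with `LDAP_EMAIL_MATCH_ENABLE=true` and `LDAP_EMAIL_MATCH_VERIFIED=false` the match would rest on an address nobody has confirmed. The matching code is not part of this diff, so this is inferred from the descriptions; if it holds, the text should recommend setting both together, e.g. `# Security: when enabling LDAP_EMAIL_MATCH_ENABLE also set LDAP_EMAIL_MATCH_VERIFIED=true, so that only accounts with a verified address are matched`. It is also worth stating that the attribute named in LDAP_EMAIL_FIELD should be one that users cannot edit themselves in the directory. The same wording is added in releases/virtualbox/start-wekan.sh, start-wekan.bat and start-wekan.sh and would need the same line.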
diff --git a/releases/virtualbox/start-wekan.sh b/releases/virtualbox/start-wekan.sh
index d8ac716e..2f2e9ea3 100755..100644
--- a/releases/virtualbox/start-wekan.sh
+++ b/releases/virtualbox/start-wekan.sh
@@ -227,6 +227,18 @@
# LDAP_MERGE_EXISTING_USERS :
# example : export LDAP_MERGE_EXISTING_USERS=true
#export LDAP_MERGE_EXISTING_USERS=false
+ # LDAP_EMAIL_MATCH_ENABLE : allow existing account matching by e-mail address when username does not match
+ # example: LDAP_EMAIL_MATCH_ENABLE=true
+ #export LDAP_EMAIL_MATCH_ENABLE=false
+ # LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match
+ # example: LDAP_EMAIL_MATCH_REQUIRE=true
+ #export LDAP_EMAIL_MATCH_REQUIRE=false
+ # LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching
+ # example: LDAP_EMAIL_MATCH_VERIFIED=true
+ #export LDAP_EMAIL_MATCH_VERIFIED=false
+ # LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address
+ # example: LDAP_EMAIL_FIELD=mail
+ #export LDAP_EMAIL_FIELD=
# LDAP_SYNC_USER_DATA :
# example : export LDAP_SYNC_USER_DATA=true
#export LDAP_SYNC_USER_DATA=false
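Review bot: The file header records a mode change `100755..100644`, so this commit removes the executable bit from releases/virtualbox/start-wekan.sh although the hunk only adds comment lines; the same mode change appears on snap-src/bin/config, snap-src/bin/wekan-help and start-wekan.sh. This looks unintended (the diffstat shows `[-rwxr-xr-x]` for all four) and would stop the scripts from being run directly; restoring the mode with `git update-index --chmod=+x <path>` before merging avoids that. Separately, the new example lines omit `export` where the neighbouring entries write `# example : export LDAP_MERGE_EXISTING_USERS=true`; `# example : export LDAP_EMAIL_MATCH_ENABLE=true` would keep them consistent.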
diff --git a/snap-src/bin/config b/snap-src/bin/config
index e674afa0..c961c3d4 100755..100644
--- a/snap-src/bin/config
+++ b/snap-src/bin/config
@@ -3,7 +3,7 @@
# All supported keys are defined here together with descriptions and default values
# list of supported keys
-keys="DEBUG MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API CORS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_EMAIL_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_REQUEST_PERMISSIONS LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD"
+keys="DEBUG MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API CORS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_EMAIL_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_REQUEST_PERMISSIONS LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD"
# default values
DESCRIPTION_DEBUG="Debug OIDC OAuth2 etc. Example: sudo snap set wekan debug='true'"
@@ -290,6 +290,22 @@ DESCRIPTION_LDAP_MERGE_EXISTING_USERS="ldap-merge-existing-users . Default: fals
DEFAULT_LDAP_MERGE_EXISTING_USERS="false"
KEY_LDAP_MERGE_EXISTING_USERS="ldap-merge-existing-users"
+DESCRIPTION_LDAP_EMAIL_MATCH_ENABLE="ldap-email-match-enable . Default: false"
+DEFAULT_LDAP_EMAIL_MATCH_ENABLE="false"
+KEY_LDAP_EMAIL_MATCH_ENABLE="ldap-email-match-enable"
+
+DESCRIPTION_LDAP_EMAIL_MATCH_REQUIRE="ldap-email-match-require . Default: false"
+DEFAULT_LDAP_EMAIL_MATCH_REQUIRE="false"
+KEY_LDAP_EMAIL_MATCH_REQUIRE="ldap-email-match-require"
+
+DESCRIPTION_LDAP_EMAIL_MATCH_VERIFIED="ldap-email-match-verified . Default: false"
+DEFAULT_LDAP_EMAIL_MATCH_VERIFIED="false"
+KEY_LDAP_EMAIL_MATCH_VERIFIED="ldap-email-match-verified"
+
+DESCRIPTION_LDAP_EMAIL_FIELD="Which field contains the ldap e-mail address"
+DEFAULT_LDAP_EMAIL_FIELD=""
+KEY_LDAP_EMAIL_FIELD="ldap-email-field"
+
DESCRIPTION_LDAP_SYNC_USER_DATA="ldap-sync-user-data . Default: false"
DEFAULT_LDAP_SYNC_USER_DATA="false"
KEY_LDAP_SYNC_USER_DATA="ldap-sync-user-data"
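Review bot: The three new DESCRIPTION_ strings for the match options only repeat the key name, so wherever these descriptions are shown the operator learns nothing about what is matched or when. The docker-compose.yml comments in this same commit already carry the wording; reusing it here would read `DESCRIPTION_LDAP_EMAIL_MATCH_ENABLE="Allow existing account matching by e-mail address when username does not match. Default: false"`, and likewise for LDAP_EMAIL_MATCH_REQUIRE and LDAP_EMAIL_MATCH_VERIFIED.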
diff --git a/snap-src/bin/wekan-help b/snap-src/bin/wekan-help
index 80cbc7ad..48c24633 100755..100644
--- a/snap-src/bin/wekan-help
+++ b/snap-src/bin/wekan-help
@@ -276,6 +276,19 @@ echo -e "\n"
echo -e "Ldap Merge Existing Users."
echo -e "\t$ snap set $SNAP_NAME ldap-merge-existing-users='true'"
echo -e "\n"
+echo -e "Ldap Email Match Enable."
+echo -e "\t$ snap set $SNAP_NAME ldap-email-match-enable='true'"
+echo -e "\n"
+echo -e "Ldap Email Match Require."
+echo -e "\t$ snap set $SNAP_NAME ldap-email-match-require='true'"
+echo -e "\n"
+echo -e "Ldap Email Match Verified."
+echo -e "\t$ snap set $SNAP_NAME ldap-email-match-verfied='false'"
+echo -e "\n"
+echo -e "Ldap Fullname Field."
+echo -e "Which field contains the ldap email address:"
+echo -e "\t$ snap set $SNAP_NAME ldap-fullname-field='fullname'"
+echo -e "\n"
echo -e "Ldap Sync User Data."
echo -e "Enable synchronization of user data:"
echo -e "\t$ snap set $SNAP_NAME ldap-sync-user-data='true'"
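Review bot: Two of the added help entries print settings that do not match the keys defined in snap-src/bin/config. The Verified entry spells the key `ldap-email-match-verfied`, which differs from `KEY_LDAP_EMAIL_MATCH_VERIFIED="ldap-email-match-verified"`, so a user copying the line sets a key the config list does not contain and the verification requirement would presumably stay off; it should be `echo -e "\t$ snap set $SNAP_NAME ldap-email-match-verified='true'"`. The last entry is headed "Ldap Fullname Field." and prints `ldap-fullname-field='fullname'` although its description talks about the e-mail address; it should read `echo -e "Ldap Email Field."` and `echo -e "\t$ snap set $SNAP_NAME ldap-email-field='mail'"`.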
diff --git a/start-wekan.bat b/start-wekan.bat
index 9d6305b6..7ccf0c0e 100644
--- a/start-wekan.bat
+++ b/start-wekan.bat
@@ -221,6 +221,22 @@ REM # LDAP_MERGE_EXISTING_USERS :
REM # example : LDAP_MERGE_EXISTING_USERS=true
REM SET LDAP_MERGE_EXISTING_USERS=false
+REM # LDAP_EMAIL_MATCH_ENABLE : allow existing account matching by e-mail address when username does not match
+REM # example: LDAP_EMAIL_MATCH_ENABLE=true
+REM SET LDAP_EMAIL_MATCH_ENABLE=false
+
+REM # LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match
+REM # example: LDAP_EMAIL_MATCH_REQUIRE=true
+REM SET LDAP_EMAIL_MATCH_REQUIRE=false
+
+REM # LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching
+REM # example: LDAP_EMAIL_MATCH_VERIFIED=true
+REM SET LDAP_EMAIL_MATCH_VERIFIED=false
+
+REM # LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address
+REM # example: LDAP_EMAIL_FIELD=mail
+REM SET LDAP_EMAIL_FIELD=
+
REM # LDAP_SYNC_USER_DATA :
REM # example : LDAP_SYNC_USER_DATA=true
REM SET LDAP_SYNC_USER_DATA=false
diff --git a/start-wekan.sh b/start-wekan.sh
index bbfbff2b..c9745af9 100755..100644
--- a/start-wekan.sh
+++ b/start-wekan.sh
@@ -245,6 +245,18 @@ function wekan_repo_check(){
# LDAP_MERGE_EXISTING_USERS :
# example : export LDAP_MERGE_EXISTING_USERS=true
#export LDAP_MERGE_EXISTING_USERS=false
+ # LDAP_EMAIL_MATCH_ENABLE : allow existing account matching by e-mail address when username does not match
+ # example: LDAP_EMAIL_MATCH_ENABLE=true
+ #export LDAP_EMAIL_MATCH_ENABLE=false
+ # LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match
+ # example: LDAP_EMAIL_MATCH_REQUIRE=true
+ #export LDAP_EMAIL_MATCH_REQUIRE=false
+ # LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching
+ # example: LDAP_EMAIL_MATCH_VERIFIED=true
+ #export LDAP_EMAIL_MATCH_VERIFIED=false
+ # LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address
+ # example: LDAP_EMAIL_FIELD=mail
+ #export LDAP_EMAIL_FIELD=
# LDAP_SYNC_USER_DATA :
# example : export LDAP_SYNC_USER_DATA=true
#export LDAP_SYNC_USER_DATA=false