refactor: ldap filter (#4329)

docs/content/en/configuration/first-factor/ldap.md

@@ -97,12 +97,12 @@ authentication_backend:
         DO NOT USE==
         -----END RSA PRIVATE KEY-----
     base_dn: DC=example,DC=com
-    additional_users_dn: ou=users
+    additional_users_dn: OU=users
     users_filter: (&({username_attribute}={input})(objectClass=person))
     username_attribute: uid
     mail_attribute: mail
     display_name_attribute: displayName
-    additional_groups_dn: ou=groups
+    additional_groups_dn: OU=groups
     groups_filter: (&(member={dn})(objectClass=groupOfNames))
     group_name_attribute: cn
     permit_referrals: false

docs/content/en/integration/ldap/introduction.md

@@ -37,8 +37,8 @@ In your Authelia configuration you will need to enter and update the following v
 * url `ldap://OpenLDAP:1389` - servers dns name & port.
   *tip: if you have Authelia on a container network that is routable, you can just use the container name*
 * server_name `ldap01.example.com` - servers name
-* base_dn `dc=example,dc=com` - common name of domain root.
+* base_dn `DC=example,DC=com` - common name of domain root.
-* groups_filter `dc=example,dc=com` - replace relevant section with your own domain in common name format, same as base_dn.
+* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
 * user `authelia` - username for Authelia service account
 * password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
 
@@ -52,16 +52,16 @@ In your Authelia configuration you will need to enter and update the following v
       server_name: ldap01.example.com
       skip_verify: true
       minimum_version: TLS1.2
-    base_dn: dc=example,dc=com
+    base_dn: DC=example,DC=com
-    additional_users_dn: ou=users
+    additional_users_dn: OU=users
     users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
     username_attribute: uid
     mail_attribute: mail
     display_name_attribute: displayName
-    additional_groups_dn: ou=groups
+    additional_groups_dn: OU=groups
-    groups_filter: (&(member=uid={input},ou=users,dc=example,dc=com)(objectclass=groupofnames))
+    groups_filter: (&(member=UID={input},OU=users,DC=example,DC=com)(objectClass=groupOfNames))
     group_name_attribute: cn
-    user: uid=authelia,ou=service accounts,dc=example,dc=com
+    user: UID=authelia,OU=service accounts,DC=example,DC=com
     password: "SUPER_COMPLEX_PASSWORD"
 ```
 Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
@@ -84,8 +84,8 @@ login, and reference it within the filters below.
 In your Authelia configuration you will need to enter and update the following variables -
 * url `ldap://ldap` - servers dns name. Port will assume 389 as standard. Specify custom port with `:port` if needed.
 * server_name `ldap01.example.com` - servers name
-* base_dn `dc=example,dc=com` - common name of domain root.
+* base_dn `DC=example,DC=com` - common name of domain root.
-* groups_filter `dc=example,dc=com` - replace relevant section with your own domain in common name format, same as base_dn.
+* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
 * user `authelia` - username for Authelia service account
 * password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
 
@@ -99,16 +99,16 @@ In your Authelia configuration you will need to enter and update the following v
       server_name: ldap.example.com
       skip_verify: true
       minimum_version: TLS1.2
-    base_dn: dc=example,dc=com
+    base_dn: dc=example,DC=com
     username_attribute: uid
-    additional_users_dn: cn=users,cn=accounts
+    additional_users_dn: CN=users,CN=accounts
     users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
-    additional_groups_dn: ou=groups
+    additional_groups_dn: OU=groups
-    groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=example,dc=com)(objectclass=groupofnames))
+    groups_filter: (&(member=UID={input},CN=users,CN=accounts,DC=example,DC=com)(objectClass=groupOfNames))
     group_name_attribute: cn
     mail_attribute: mail
     display_name_attribute: displayName
-    user: uid=authelia,cn=users,cn=accounts,dc=example,dc=com
+    user: UID=authelia,CN=users,CN=accounts,DC=example,DC=com
     password: "SUPER_COMPLEX_PASSWORD"
 ```
 Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
@@ -128,7 +128,7 @@ within the filters below.
 In your Authelia configuration you will need to enter and update the following variables -
 * url `ldap://OpenLDAP:1389` - servers dns name & port.
   *tip: if you have Authelia on a container network that is routable, you can just use the container name*
-* base_dn `dc=example,dc=com` - common name of domain root.
+* base_dn `DC=example,DC=com` - common name of domain root.
 * user `authelia` - username for Authelia service account.
 * password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account,
 
@@ -138,19 +138,19 @@ ldap:
     url: ldap://lldap:3890
     timeout: 5s
     start_tls: false
-    base_dn: dc=example,dc=com
+    base_dn: dc=example,DC=com
     username_attribute: uid
-    additional_users_dn: ou=people
+    additional_users_dn: OU=people
     # To allow sign in both with username and email, one can use a filter like
     # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
     users_filter: (&({username_attribute}={input})(objectClass=person))
-    additional_groups_dn: ou=groups
+    additional_groups_dn: OU=groups
     groups_filter: (member={dn})
     group_name_attribute: cn
     mail_attribute: mail
     display_name_attribute: displayName
     # The username and password of the admin or service user.
-    user: uid=authelia,ou=people,dc=example,dc=com
+    user: UID=authelia,OU=people,DC=example,DC=com
     password: "SUPER_COMPLEX_PASSWORD"
 ```
 Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with

docs/content/en/reference/guides/ldap.md

@@ -94,11 +94,18 @@ accounts. The active directory example has two attribute filters that accomplish
 be appreciated). The userAccountControl filter checks that the account is not disabled and the pwdLastSet makes sure that
 value is not 0 which means the password requires changing at the next login.
 
-| Implementation  |                                                                          Users Filter                                                                           |                       Groups Filter                       |
+| Implementation  |                                                                          Users Filter                                                                           |                         Groups Filter                         |
-|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------------------------------:|
+|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------:|
-|     custom      |                                                                               N/A                                                                               |                            N/A                            |
+|     custom      |                                                                               N/A                                                                               |                              N/A                              |
-| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(objectClass=group)(objectCategory=group)) |
+| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(objectClass=group)(sAMAccountType=268435456)) |
 
-*__Note:__* The Active Directory filter `(sAMAccountType=805306368)` is exactly the same as
+##### Microsoft Active Directory sAMAccountType
-`(&(objectCategory=person)(objectClass=user))` except that the former is more performant, you can read more about this
+
-and other Active Directory filters on the [TechNet wiki](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx).
+| Account Type Value |        Description         |               Equivalent Filter                |
+|:------------------:|:--------------------------:|:----------------------------------------------:|
+|     268435456      |    Normal Group Objects    |                      N/A                       |
+|     805306368      |    Normal User Accounts    | `(&(objectCategory=person)(objectClass=user))` |
+
+*__References:__*
+- Account Type Values: [Microsoft Learn](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e742be45-665d-4576-b872-0bc99d1e1fbe).
+- LDAP Syntax Filters: [Microsoft TechNet Wiki](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)

internal/configuration/schema/authentication.go

@@ -191,7 +191,7 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory =
 	UsernameAttribute:    "sAMAccountName",
 	MailAttribute:        "mail",
 	DisplayNameAttribute: "displayName",
-	GroupsFilter:         "(&(member={dn})(objectClass=group))",
+	GroupsFilter:         "(&(member={dn})(sAMAccountType=268435456))",
 	GroupNameAttribute:   "cn",
 	Timeout:              time.Second * 5,
 	TLS: &TLSConfig{