Change from basic auth to header authentication

Add option to ban user by ip instead of username
Implement gRPC endpoint for envoy
2023-06-24 14:08:18 +02:00 · 2023-06-23 22:07:23 +02:00 · 2023-06-23 21:21:40 +02:00 · 2023-06-24 02:07:13 +10:00 · 2023-06-22 23:17:19 +10:00 · 2023-06-22 21:41:41 +10:00
71 changed files with 5022 additions and 2122 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -7,3 +7,4 @@
 !entrypoint.sh
 !healthcheck.sh
 !.healthcheck.env
+!dist/public_html/
--- a/MyNotes.md
+++ b/MyNotes.md
@ -0,0 +1,95 @@
+# Ausführen
+
+Um die Anwendung lokal auszuführen, können die folgenden Befehle verwendet werden.
+
+```
+export GOPATH=/tmp
+source bootstrap.sh
+authelia-scripts suites setup Standalone
+```
+
+Nun sollte der "Haupt-Enpunkt" unter `https://home.example.com:8080` und die API unter `https://authelia.example.com:9091` erreichbar sein. Achtung: es wird ein selbstsigniertes Zertifikat verwendet!
+Mithilfe der Hot-Reload kann jetzt gecoded werden.
+
+---
+
+Nach der Entwicklung kann die Testumgebung durch den folgenden Befehl wieder zurückgesetzt werden. 
+
+```
+go run ./cmd/authelia-scripts/ suites teardown Standalone
+```
+
+## Benutzerdefinierte Zertifikate
+
+Um ein benutzerdefiniertes Zertifikat für die Ausführung zu verwenden, muss die Datai `public.backend.crt` und `private.bakend.pem` unter [diesem](/internal/suites/common/pki/) Verzeichnis abgeändert werden. 
+Um die Gültigkeit zu testen, kann der folgendende Befehl ausgeführt werden.
+
+```
+curl https://auth.rpjosh.de:9091 --connect-to 'auth.rpjosh.de:9091:authelia.example.com:9091'
+```
+
+## Externe erreichbarkeit
+
+Im aktuellen Zustand sind die Endpunkte nur unter den Docker internen IP-Adressen erreichbar. Daher muss noch ein NAT Regel angelegt werden.
+
+```
+ip=$(ping -c 1 authelia.example.com | gawk -F'[()]' '/PING/{print $2}')
+sudo iptables -t nat -A PREROUTING -p tcp --dport 9091 -d 192.168.0.15 -j DNAT --to-destination 192.168.240.50:9091 -m comment --comment "Authelia-Test"
+sudo iptables -t nat -A PREROUTING -p tcp --dport 9092 -d 192.168.0.15 -j DNAT --to-destination 192.168.240.50:9092 -m comment --comment "Authelia-Test"
+sudo iptables -t nat -I OUTPUT -p tcp -o lo --dport 9091 -j DNAT --to-destination 192.168.240.50:9091
+```
+
+# Customizations
+
+Für das Starten des *gRPC* Servers müssen die folgenden Abhängigkeiten installiert werden.
+
+```
+go get github.com/envoyproxy/go-control-plane
+go get github.com/envoyproxy/go-control-plane/envoy/config/core/v3
+go get github.com/gogo/googleapis/google/rpc
+go get google.golang.org/grpc
+```
+
+## Konfiguration ändern
+
+Wenn die Konfiguration geändert wurde, müssen die Keys zur Validierung wieder erneut gebaut werden.
+
+```
+go run ./cmd/authelia-gen code keys
+```
+
+## Mocks abgeändert
+
+Wenn interfaces von den Mocks geändert werden, muss folgendes wieder ausgeführt werden:
+
+```
+export PATH=$PATH:$(go env GOPATH)/bin
+go generate ./...
+```
+
+## Bauen
+
+Um ein Docker Image für authelia zu bauen, müssen die folgenden Befehle ausgeführt werden.
+
+```sh
+# Dieser Befehle funktionieren aktuell nicht 
+authelia-scripts docker build
+authelia-scripts build
+
+# => Manuell bauen
+export CC=musl-gcc
+
+authelia-scripts build
+cp -r dist/public_html internal/server/
+go build -buildmode=pie -ldflags "-linkmode=external -s -w" -trimpath -buildmode=pie -o authelia ./cmd/authelia
+mv authelia authelia-linux-amd64-musl
+# Build docker image
+docker build --tag git.rpjosh.de/rpjosh/authelia/authelia:4.38.0-dev .
+docker push git.rpjosh.de/rpjosh/authelia/authelia:4.38.0-dev
+# Cleanup
+rm -rf internal/server/public_html/ ./authelia-linux-amd64-musl
+```
+
+# gRCP
+
+Um einen gRCP Endpunkt nutzen zu können, brauch mein eine *.proto* Datei. Für Envoy sieht diese wie in [dieser Datei](/ext-auth.proto) folgendermaßen aus.
--- a/cmd/authelia-scripts/cmd/gen.go
+++ b/cmd/authelia-scripts/cmd/gen.go
@ -7,5 +7,5 @@
 package cmd

 const (
-	versionSwaggerUI = "4.19.0"
+	versionSwaggerUI = "5.0.0"
 )
--- a/config.template.yml
+++ b/config.template.yml
@ -62,6 +62,10 @@ server:
  ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
  disable_healthcheck: false

+  ## If a request over the insecure http protocol is received from authelias gRPC endpoint (only for envoy),
+  ## the request is by default redirected to the matching https URL (301)
+  disable_autho_https_redirect: false
+
  ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
  tls:
    ## The path to the DER base64/PEM format private key.
@ -73,6 +77,17 @@ server:
    ## The list of certificates for client authentication.
    client_certificates: []

+  ## Enable the support for gRPC ext authentication for envoy. If TLS is enabled in the above section,
+  ## the defined certificates will also be used for the gRPC endpoint
+  grpc:
+    address: 'tcp://:9092'
+
+    # Even if TLS is configured in the server setting (under server.tls), the grcp server won't use TLS
+    disableTLS: false
+
+  # By default the ban is issued for the user. With this options the IP instead of the user will be banned
+  use_ip_for_ban: true
+
  ## Server headers configuration/customization.
  headers:

@ -315,7 +330,7 @@ authentication_backend:
  ## because it allows Authelia to offload the stateful operations
  ## onto the LDAP service.
  # ldap:
-    ## The address of the LDAP server to connect to in the address common syntax.
+    ## The address of the directory server to connect to in the address common syntax.
    ## Format: [<scheme>://]<hostname>[:<port>].
    ## Square brackets indicate optional portions of the format. Scheme must be 'ldap', 'ldaps', or 'ldapi`.
    ## The default scheme is 'ldapi' if the address is an absolute path otherwise it's 'ldaps'.
@ -401,16 +416,6 @@ authentication_backend:
    ## See also: additional_users_dn, additional_groups_dn.
    # base_dn: 'dc=example,dc=com'

-    ## The attribute holding the username of the user. This attribute is used to populate the username in the session
-    ## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually
-    ## uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and the
-    ## configuration stored in database. Therefore only single value attributes are allowed and the value must never be
-    ## changed once attributed to a user otherwise it would break the configuration for that user. Technically,
-    ## non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead advise to use
-    ## a filter to perform alternative lookups and the attributes mentioned above (sAMAccountName and uid) to
-    ## follow https://datatracker.ietf.org/doc/html/rfc2307.
-    # username_attribute: 'uid'
-
    ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
    ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
    # additional_users_dn: 'ou=users'
@ -441,15 +446,9 @@ authentication_backend:
    ##    (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
    # groups_filter: '(&(member={dn})(objectClass=groupOfNames))'

-    ## The attribute holding the name of the group.
-    # group_name_attribute: 'cn'
-
-    ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
-    ## first one returned by the LDAP server is used.
-    # mail_attribute: 'mail'
-
-    ## The attribute holding the display name of the user. This will be used to greet an authenticated user.
-    # display_name_attribute: 'displayName'
+    ## The group search mode to use. Options are 'filter' or 'memberof'. It's essential to read the docs if you wish to
+    ## use 'memberof'. Also 'filter' is the best choice for most use cases.
+    # group_search_mode: 'filter'

    ## Follow referrals returned by the server.
    ## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
@ -460,6 +459,37 @@ authentication_backend:
    ## Password can also be set using a secret: https://www.authelia.com/c/secrets
    # password: 'password'

+    ## The attributes for users and objects from the directory server.
+    # attributes:
+
+      ## The distinguished name attribute if your directory server supports it. Users should read the docs before
+      ## configuring. Only used for the 'memberof' group search mode.
+      # distinguished_name: ''
+
+      ## The attribute holding the username of the user. This attribute is used to populate the username in the session
+      ## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP
+      ## usually uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and
+      ## the configuration stored in database; therefore only single value attributes are allowed and the value must
+      ## never be changed once attributed to a user otherwise it would break the configuration for that user.
+      ## Technically non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead
+      ## advise to use a filter to perform alternative lookups and the attributes mentioned above
+      ## (sAMAccountName and uid) to follow https://datatracker.ietf.org/doc/html/rfc2307.
+      # username: 'uid'
+
+      ## The attribute holding the display name of the user. This will be used to greet an authenticated user.
+      # display_name: 'displayName'
+
+      ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only
+      ## the first one returned by the directory server is used.
+      # mail: 'mail'
+
+      ## The attribute which provides distinguished names of groups an object is a member of.
+      ## Only used for the 'memberof' group search mode.
+      # member_of: 'memberOf'
+
+      ## The attribute holding the name of the group.
+      # group_name: 'cn'
+
  ##
  ## File (Authentication Provider)
  ##
--- a/docs/content/en/configuration/first-factor/ldap.md
+++ b/docs/content/en/configuration/first-factor/ldap.md
@ -101,16 +101,20 @@ authentication_backend:
    base_dn: 'DC=example,DC=com'
    additional_users_dn: 'OU=users'
    users_filter: '(&({username_attribute}={input})(objectClass=person))'
-    username_attribute: 'uid'
-    mail_attribute: 'mail'
-    display_name_attribute: 'displayName'
    additional_groups_dn: 'OU=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
-    group_name_attribute: 'cn'
+    group_search_mode: 'filter'
    permit_referrals: false
    permit_unauthenticated_bind: false
    user: 'CN=admin,DC=example,DC=com'
    password: 'password'
+    attributes:
+      distinguished_name: 'distinguishedName'
+      username: 'uid'
+      display_name: 'displayName'
+      mail: 'mail'
+      member_of: 'memberOf'
+      group_name: 'cn'
 ```

 ## Options
@ -209,66 +213,33 @@ The LDAP filter to narrow down which users are valid. This is important to set c
 The default value is dependent on the [implementation](#implementation), refer to the
 [attribute defaults](../../reference/guides/ldap.md#attribute-defaults) for more information.

-### username_attribute
-
-{{< confkey type="string" required="situational" >}}
-
-*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
-default negating this requirement. Refer to the [attribute defaults](../../reference/guides/ldap.md#attribute-defaults)
-for more information.*
-
-The LDAP attribute that maps to the username in *Authelia*. This must contain the `{username_attribute}`
-[placeholder](../../reference/guides/ldap.md#users-filter-replacements).
-
-### mail_attribute
-
-{{< confkey type="string" required="situational" >}}
-
-*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
-default negating this requirement. Refer to the [attribute defaults](../../reference/guides/ldap.md#attribute-defaults)
-for more information.*
-
-The attribute to retrieve which contains the users email addresses. This is important for the device registration and
-password reset processes. The user must have an email address in order for Authelia to perform identity verification
-when a user attempts to reset their password or register a second factor device.
-
-### display_name_attribute
-
-{{< confkey type="string" required="situational" >}}
-
-*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
-default negating this requirement. Refer to the [attribute defaults](#attribute-defaults) for more information.*
-
-The attribute to retrieve which is shown on the Web UI to the user when they log in.
-
 ### additional_groups_dn

 {{< confkey type="string" required="no" >}}

-Similar to [additional_users_dn](#additional_users_dn) but it applies to group searches.
+Similar to [additional_users_dn](#additionalusersdn) but it applies to group searches.

 ### groups_filter

 {{< confkey type="string" required="situational" >}}

 *__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
-default negating this requirement. Refer to the [filter defaults](#filter-defaults) for more information.*
+default negating this requirement. Refer to the [filter defaults](../../reference/guides/ldap.md#filter-defaults) for
+more information.*

-Similar to [users_filter](#users_filter) but it applies to group searches. In order to include groups the member is not
+Similar to [users_filter](#usersfilter) but it applies to group searches. In order to include groups the member is not
 a direct member of, but is a member of another group that is a member of those (i.e. recursive groups), you may try
 using the following filter which is currently only tested against Microsoft Active Directory:

 `(&(member:1.2.840.113556.1.4.1941:={dn})(objectClass=group)(objectCategory=group))`

-### group_name_attribute
+### group_search_mode

-{{< confkey type="string" required="situational" >}}
+{{< confkey type="string" default="filter" required="no" >}}

-*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
-default negating this requirement. Refer to the [attribute defaults](#attribute-defaults) for more
-information.*
-
-The LDAP attribute that is used by Authelia to determine the group name.
+The group search mode controls how user groups are discovered. The default of `filter` directly uses the filter to
+determine the result. The `memberof` experimental mode does another special filtered search. See the
+[Reference Documentation](../../reference/guides/ldap.md#group-search-modes) for more information.

 ### permit_referrals

@ -313,6 +284,71 @@ It's __strongly recommended__ this is a
 [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
 characters and the user password is changed to this value.

+### attributes
+
+The following options configure The directory server attribute mappings.
+
+#### distinguished_name
+
+{{< confkey type="string" required="situational" >}}
+
+*__Note:__ This option is technically not required however it is required when using the group search mode
+`memberof` replacement `{memberof:dn}`.*
+
+The directory server attribute which contains the distinguished name, primarily used to perform filtered searches. There
+is a clear distinction between the actual distinguished name and a distinguished name attribute, all directories have
+distinguished names for objects, but not all have an attribute representing this that can be searched on.
+
+The only known support at this time is with Active Directory.
+
+#### username
+
+{{< confkey type="string" required="situational" >}}
+
+*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
+default negating this requirement. Refer to the [attribute defaults] for more information.*
+
+The directory server attribute that maps to the username in *Authelia*. This must contain the `{username_attribute}` [placeholder].
+
+#### display_name
+
+{{< confkey type="string" required="situational" >}}
+
+*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
+default negating this requirement. Refer to the [attribute defaults] for more information.*
+
+The directory server attribute to retrieve which is shown on the Web UI to the user when they log in.
+
+#### mail
+
+{{< confkey type="string" required="situational" >}}
+
+*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
+default negating this requirement. Refer to the [attribute defaults] for more information.*
+
+The directory server attribute to retrieve which contains the users email addresses. This is important for the device
+registration and password reset processes. The user must have an email address in order for Authelia to perform
+identity verification when a user attempts to reset their password or register a second factor device.
+
+#### member_of
+
+{{< confkey type="string" required="situational" >}}
+
+*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
+default negating this requirement. Refer to the [attribute defaults] for more information.*
+
+The directory server attribute which contains the groups a user is a member of. This is currently only used for the
+`memberof` group search mode.
+
+#### group_name
+
+{{< confkey type="string" required="situational" >}}
+
+*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
+default negating this requirement. Refer to the [attribute defaults] for more information.*
+
+The directory server attribute that is used by Authelia to determine the group name.
+
 ## Refresh Interval

 It's recommended you either use the default [refresh interval](introduction.md#refreshinterval) or configure this to
@ -332,6 +368,8 @@ for your users.

 - [LDAP Reference Guide](../../reference/guides/ldap.md)

-[username attribute]: #usernameattribute
+[username attribute]: #username
 [TechNet wiki]: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
 [RFC2307]: https://datatracker.ietf.org/doc/html/rfc2307
+[attribute defaults]: ../../reference/guides/ldap.md#attribute-defaults
+[placeholder]: ../../reference/guides/ldap.md#users-filter-replacements
--- a/docs/content/en/integration/deployment/docker.md
+++ b/docs/content/en/integration/deployment/docker.md
@ -92,35 +92,35 @@ Use this [Standalone Example](#standalone-example) if you want to use
 version: "3.8"
 secrets:
  JWT_SECRET:
-    file: ${PWD}/data/authelia/secrets/JWT_SECRET
+    file: '${PWD}/data/authelia/secrets/JWT_SECRET'
  SESSION_SECRET:
-    file: ${PWD}/data/authelia/secrets/SESSION_SECRET
+    file: '${PWD}/data/authelia/secrets/SESSION_SECRET'
  STORAGE_PASSWORD:
-    file: ${PWD}/data/authelia/secrets/STORAGE_PASSWORD
+    file: '${PWD}/data/authelia/secrets/STORAGE_PASSWORD'
  STORAGE_ENCRYPTION_KEY:
-    file: ${PWD}/data/authelia/secrets/STORAGE_ENCRYPTION_KEY
+    file: '${PWD}/data/authelia/secrets/STORAGE_ENCRYPTION_KEY'
 services:
  authelia:
-    container_name: authelia
-    image: docker.io/authelia/authelia:latest
-    restart: unless-stopped
+    container_name: 'authelia'
+    image: 'docker.io/authelia/authelia:latest'
+    restart: 'unless-stopped'
    networks:
      net:
        aliases: []
    expose:
      - 9091
-    secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
+    secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_PASSWORD', 'STORAGE_ENCRYPTION_KEY']
    environment:
-      AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
-      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
-      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
-      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
+      AUTHELIA_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
+      AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
+      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: '/run/secrets/STORAGE_PASSWORD'
+      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
    volumes:
-      - ${PWD}/data/authelia/config:/config
+      - '${PWD}/data/authelia/config:/config'
 networks:
  net:
    external: true
-    name: net
+    name: 'net'
 ...
 ```
 {{< /details >}}
@ -136,26 +136,26 @@ Use this [Standalone Example](#standalone-example) if you want to use a standard
 version: "3.8"
 services:
  authelia:
-    container_name: authelia
-    image: docker.io/authelia/authelia:latest
-    restart: unless-stopped
+    container_name: 'authelia'
+    image: 'docker.io/authelia/authelia:latest'
+    restart: 'unless-stopped'
    networks:
      net:
        aliases: []
    expose:
      - 9091
    environment:
-      AUTHELIA_JWT_SECRET_FILE: /secrets/JWT_SECRET
-      AUTHELIA_SESSION_SECRET_FILE: /secrets/SESSION_SECRET
-      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /secrets/STORAGE_PASSWORD
-      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /secrets/STORAGE_ENCRYPTION_KEY
+      AUTHELIA_JWT_SECRET_FILE: '/secrets/JWT_SECRET'
+      AUTHELIA_SESSION_SECRET_FILE: '/secrets/SESSION_SECRET'
+      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: '/secrets/STORAGE_PASSWORD'
+      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/secrets/STORAGE_ENCRYPTION_KEY'
    volumes:
-      - ${PWD}/data/authelia/config:/config
-      - ${PWD}/data/authelia/secrets:/secrets
+      - '${PWD}/data/authelia/config:/config'
+      - '${PWD}/data/authelia/secrets:/secrets'
 networks:
  net:
    external: true
-    name: net
+    name: 'net'
 ```
 ...
 {{< /details >}}
--- a/docs/content/en/integration/ldap/introduction.md
+++ b/docs/content/en/integration/ldap/introduction.md
@ -55,14 +55,16 @@ In your Authelia configuration you will need to enter and update the following v
    base_dn: DC=example,DC=com
    additional_users_dn: OU=users
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
-    username_attribute: uid
-    mail_attribute: mail
-    display_name_attribute: displayName
    additional_groups_dn: OU=groups
    groups_filter: (&(member=UID={input},OU=users,DC=example,DC=com)(objectClass=groupOfNames))
-    group_name_attribute: cn
    user: UID=authelia,OU=service accounts,DC=example,DC=com
    password: "SUPER_COMPLEX_PASSWORD"
+    attributes:
+      distinguished_name: 'distinguishedName'
+      username: 'uid'
+      mail: 'mail'
+      member_of: 'memberOf'
+      group_name: 'cn'
 ```
 Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
 Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.
@ -100,16 +102,18 @@ In your Authelia configuration you will need to enter and update the following v
      skip_verify: true
      minimum_version: TLS1.2
    base_dn: dc=example,DC=com
-    username_attribute: uid
    additional_users_dn: CN=users,CN=accounts
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    additional_groups_dn: OU=groups
    groups_filter: (&(member=UID={input},CN=users,CN=accounts,DC=example,DC=com)(objectClass=groupOfNames))
-    group_name_attribute: cn
-    mail_attribute: mail
-    display_name_attribute: displayName
    user: UID=authelia,CN=users,CN=accounts,DC=example,DC=com
    password: "SUPER_COMPLEX_PASSWORD"
+    attributes:
+      distinguished_name: 'distinguishedName'
+      username: 'uid'
+      mail: 'mail'
+      member_of: 'memberOf'
+      group_name: 'cn'
 ```
 Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
 Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.
@ -139,19 +143,21 @@ ldap:
    timeout: 5s
    start_tls: false
    base_dn: dc=example,DC=com
-    username_attribute: uid
    additional_users_dn: OU=people
    # To allow sign in both with username and email, one can use a filter like
    # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    users_filter: (&({username_attribute}={input})(objectClass=person))
    additional_groups_dn: OU=groups
    groups_filter: (member={dn})
-    group_name_attribute: cn
-    mail_attribute: mail
-    display_name_attribute: displayName
    # The username and password of the admin or service user.
    user: UID=authelia,OU=people,DC=example,DC=com
    password: "SUPER_COMPLEX_PASSWORD"
+    attributes:
+      distinguished_name: 'distinguishedName'
+      username: 'uid'
+      mail: 'mail'
+      member_of: 'memberOf'
+      group_name: 'cn'
 ```
 Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with
 Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.
--- a/docs/content/en/reference/guides/ldap.md
+++ b/docs/content/en/reference/guides/ldap.md
@ -75,6 +75,32 @@ The following implementations exist:
 [GLAuth]: https://glauth.github.io/
 [RFC2307bis]: https://datatracker.ietf.org/doc/html/draft-howard-rfc2307bis-02

+### Group Search Modes
+
+There are currently two group search modes that exist.
+
+#### Search Mode: filter
+
+The `filter` search mode is the default search mode. Generally this is recommended.
+
+#### Search Mode: memberof
+
+The `memberof` search mode is a special search mode. Generally this is discouraged and is currently experimental.
+
+Some systems provide a `memberOf` attribute which may include additional groups that the user is a member of. This
+search mode allows using this attribute as a method to determine their groups. How it works is the search is performed
+against the base with the subtree scope and the groups filter must include one of the `{memberof:*}` replacements, and
+the distinguished names of the results from the search are compared (case-insensitive) against the users `memberOf`
+attribute to determine if they are members.
+
+This means:
+
+1. The groups still must be in the search base that you have configured.
+2. The `memberOf` attribute *__MUST__* include the distinguished name of the group.
+3. If the `{memberof:dn}` replacement is used:
+   1. The distinguished name *__MUST__* be searchable by your directory server.
+3. The first relative distinguished name of the distinguished name *__MUST__* be search
+
 ### Filter replacements

 Various replacements occur in the user and groups filter. The replacements either occur at startup or upon an LDAP
@ -85,25 +111,65 @@ is ever established. In addition to this, during the startup phase we purposeful
 phase replacements exist so we only have to check if the replacement is necessary once, and we don't needlessly perform
 every possible replacement on every search regardless of if it's needed or not.

+#### General filter replacements
+
+|          Placeholder           |  Phase  |                 Replacement                 |
+|:------------------------------:|:-------:|:-------------------------------------------:|
+| {distinguished_name_attribute} | startup | The configured distinguished name attribute |
+|      {username_attribute}      | startup |      The configured username attribute      |
+|        {mail_attribute}        | startup |        The configured mail attribute        |
+|    {display_name_attribute}    | startup |    The configured display name attribute    |
+|     {member_of_attribute}      | startup |     The configured member of attribute      |
+|            {input}             | search  |      The input into the username field      |
+
 #### Users filter replacements

-|       Placeholder        |  Phase  |                                                   Replacement                                                    |
-|:------------------------:|:-------:|:----------------------------------------------------------------------------------------------------------------:|
-|   {username_attribute}   | startup |                                        The configured username attribute                                         |
-|     {mail_attribute}     | startup |                                          The configured mail attribute                                           |
-| {display_name_attribute} | startup |                                      The configured display name attribute                                       |
-|         {input}          | search  |                                        The input into the username field                                         |
-| {date-time:generalized}  | search  |          The current UTC time formatted as a LDAP generalized time in the format of `20060102150405.0Z`          |
-|     {date-time:unix}     | search  |                                    The current time formatted as a Unix epoch                                    |
-| {date-time:microsoft-nt} | search  | The current time formatted as a Microsoft NT epoch which is used by some Microsoft [Active Directory] attributes |
+|          Placeholder           |  Phase  |                                                   Replacement                                                    |
+|:------------------------------:|:-------:|:----------------------------------------------------------------------------------------------------------------:|
+|    {date-time:generalized}     | search  |          The current UTC time formatted as a LDAP generalized time in the format of `20060102150405.0Z`          |
+|        {date-time:unix}        | search  |                                    The current time formatted as a Unix epoch                                    |
+|    {date-time:microsoft-nt}    | search  | The current time formatted as a Microsoft NT epoch which is used by some Microsoft [Active Directory] attributes |

 #### Groups filter replacements

-| Placeholder | Phase  |                                Replacement                                |
-|:-----------:|:------:|:-------------------------------------------------------------------------:|
-|   {input}   | search |                     The input into the username field                     |
-| {username}  | search | The username from the profile lookup obtained from the username attribute |
-|    {dn}     | search |              The distinguished name from the profile lookup               |
+|  Placeholder   | Phase  |                                                                     Replacement                                                                      |
+|:--------------:|:------:|:----------------------------------------------------------------------------------------------------------------------------------------------------:|
+|   {username}   | search |                                      The username from the profile lookup obtained from the username attribute                                       |
+|      {dn}      | search |                                                    The distinguished name from the profile lookup                                                    |
+| {memberof:dn}  | search |                                                            See the detailed section below                                                            |
+| {memberof:rdn} | search | Only allowed with the `memberof` search method and contains the first relative distinguished name of every `memberOf` entry a use has in parenthesis |
+
+##### memberof:dn
+
+Requirements:
+
+1. Must be using the `memberof` search mode.
+2. Must have the distinguished name attribute configured in Authelia.
+3. Directory server must support searching by the distinguished name attribute (many directory services *__DO NOT__*
+   have a distinguished name attribute).
+
+##### memberof:rdn
+
+Requirements:
+
+1. Must be using the `memberof` search mode.
+2. Directory server must support searching by the first relative distinguished name as an attribute.
+
+Splits every `memberOf` value to obtain th e first relative distinguished name and joins all of those after surrounding
+them in parenthesis. This makes the general suggested filter pattern for this particular replacement
+`(|{memberof:rdn})`. The format of this value is as follows:
+
+```text
+(<RDN>)
+```
+
+For example if the user has the following distinguished names in their object:
+
+- CN=abc,OU=groups,DC=example,DC=com
+- CN=xyz,OU=groups,DC=example,DC=com
+
+The value will be replaced with `(CN=abc)(CN=xyz)` which using the suggested pattern for the filter becomes
+`(|(CN=abc)(CN=xyz))` which will then return any user that as a `CN` of `abc` or `xyz`.

 ### Defaults

@ -122,14 +188,14 @@ The following set defaults for the `additional_users_dn` and `additional_groups_
 This table describes the attribute defaults for each implementation. i.e. the username_attribute is described by the
 Username column.

-| Implementation  |    Username    | Display Name | Mail | Group Name |
-|:---------------:|:--------------:|:------------:|:----:|:----------:|
-|     custom      |      N/A       | displayName  | mail |     cn     |
-| activedirectory | sAMAccountName | displayName  | mail |     cn     |
-|   rfc2307bis    |      uid       | displayName  | mail |     cn     |
-|     freeipa     |      uid       | displayName  | mail |     cn     |
-|      lldap      |      uid       |      cn      | mail |     cn     |
-|     glauth      |       cn       | description  | mail |     cn     |
+| Implementation  |    Username    | Display Name | Mail | Group Name | Distinguished Name | Member Of |
+|:---------------:|:--------------:|:------------:|:----:|:----------:|:------------------:|:---------:|
+|     custom      |      N/A       | displayName  | mail |     cn     |        N/A         |    N/A    |
+| activedirectory | sAMAccountName | displayName  | mail |     cn     | distinguishedName  | memberOf  |
+|   rfc2307bis    |      uid       | displayName  | mail |     cn     |        N/A         | memberOf  |
+|     freeipa     |      uid       | displayName  | mail |     cn     |        N/A         | memberOf  |
+|      lldap      |      uid       |      cn      | mail |     cn     |        N/A         | memberOf  |
+|     glauth      |       cn       | description  | mail |     cn     |        N/A         | memberOf  |

 #### Filter defaults

@ -146,8 +212,8 @@ the following conditions:
 - Their password is expired:
  - The [Active Directory] implementation achieves this via the `(!(pwdLastSet=0))` filter.
  - The [FreeIPA] implementation achieves this via the `(krbPasswordExpiration>={date-time:generalized})` filter.
+  - The [RFC2307bis] implementation achieves this via the `(!(pwdReset=TRUE))` filter.
  - The following implementations have no suitable attribute for this as far as we're aware:
-    - [RFC2307bis]
    - [GLAuth]
    - [lldap]
 - Their account is expired:
@ -162,7 +228,7 @@ the following conditions:
 |:---------------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-----------------------------------------------------------------------------------------------------------------------------------------:|
 |     custom      |                                                                                                                           N/A                                                                                                                            |                                                                    N/A                                                                    |
 | activedirectory | (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(&#124;(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt}))) |                               (&(member={dn})(&#124;(sAMAccountType=268435456)(sAMAccountType=536870912)))                                |
-|   rfc2307bis    |                                                         (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(&#124;(objectClass=inetOrgPerson)(objectClass=organizationalPerson)))                                                         | (&(&#124;(member={dn})(uniqueMember={dn}))(&#124;(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=groupOfMembers))) |
+|   rfc2307bis    |                                                (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(&#124;(objectClass=inetOrgPerson)(objectClass=organizationalPerson))(!(pwdReset=TRUE)))                                                | (&(&#124;(member={dn})(uniqueMember={dn}))(&#124;(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=groupOfMembers))) |
 |     freeipa     |   (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(!(nsAccountLock=TRUE))(krbPasswordExpiration>={date-time:generalized})(&#124;(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized})))   |                                                (&(member={dn})(objectClass=groupOfNames))                                                 |
 |      lldap      |                                                                                 (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))                                                                                  |                                                (&(member={dn})(objectClass=groupOfNames))                                                 |
 |     glauth      |                                                                 (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(objectClass=posixAccount)(!(accountStatus=inactive)))                                                                 |                                              (&(uniqueMember={dn})(objectClass=posixGroup))                                               |
--- a/docs/data/configkeys.json
+++ b/docs/data/configkeys.json
--- a/envoy-proto/ext-auth.proto
+++ b/envoy-proto/ext-auth.proto
@ -0,0 +1,144 @@
+syntax = "proto3";
+
+package envoy.service.auth.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/service/auth/v3/attribute_context.proto";
+import "envoy/type/v3/http_status.proto";
+
+import "google/protobuf/struct.proto";
+import "google/rpc/status.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+
+option java_package = "io.envoyproxy.envoy.service.auth.v3";
+option java_outer_classname = "ExternalAuthProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3;authv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Authorization service]
+
+// The authorization service request messages used by external authorization :ref:`network filter
+// <config_network_filters_ext_authz>` and :ref:`HTTP filter <config_http_filters_ext_authz>`.
+
+// A generic interface for performing authorization check on incoming
+// requests to a networked service.
+service Authorization {
+  // Performs authorization check based on the attributes associated with the
+  // incoming request, and returns status `OK` or not `OK`.
+  rpc Check(CheckRequest) returns (CheckResponse) {
+  }
+}
+
+message CheckRequest {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.CheckRequest";
+
+  // The request attributes.
+  AttributeContext attributes = 1;
+}
+
+// HTTP attributes for a denied response.
+message DeniedHttpResponse {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.service.auth.v2.DeniedHttpResponse";
+
+  // This field allows the authorization service to send an HTTP response status code to the
+  // downstream client. If not set, Envoy sends ``403 Forbidden`` HTTP status code by default.
+  type.v3.HttpStatus status = 1;
+
+  // This field allows the authorization service to send HTTP response headers
+  // to the downstream client. Note that the :ref:`append field in HeaderValueOption <envoy_v3_api_field_config.core.v3.HeaderValueOption.append>` defaults to
+  // false when used in this message.
+  repeated config.core.v3.HeaderValueOption headers = 2;
+
+  // This field allows the authorization service to send a response body data
+  // to the downstream client.
+  string body = 3;
+}
+
+// HTTP attributes for an OK response.
+// [#next-free-field: 9]
+message OkHttpResponse {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.service.auth.v2.OkHttpResponse";
+
+  // HTTP entity headers in addition to the original request headers. This allows the authorization
+  // service to append, to add or to override headers from the original request before
+  // dispatching it to the upstream. Note that the :ref:`append field in HeaderValueOption <envoy_v3_api_field_config.core.v3.HeaderValueOption.append>` defaults to
+  // false when used in this message. By setting the ``append`` field to ``true``,
+  // the filter will append the correspondent header value to the matched request header.
+  // By leaving ``append`` as false, the filter will either add a new header, or override an existing
+  // one if there is a match.
+  repeated config.core.v3.HeaderValueOption headers = 2;
+
+  // HTTP entity headers to remove from the original request before dispatching
+  // it to the upstream. This allows the authorization service to act on auth
+  // related headers (like ``Authorization``), process them, and consume them.
+  // Under this model, the upstream will either receive the request (if it's
+  // authorized) or not receive it (if it's not), but will not see headers
+  // containing authorization credentials.
+  //
+  // Pseudo headers (such as ``:authority``, ``:method``, ``:path`` etc), as well as
+  // the header ``Host``, may not be removed as that would make the request
+  // malformed. If mentioned in ``headers_to_remove`` these special headers will
+  // be ignored.
+  //
+  // When using the HTTP service this must instead be set by the HTTP
+  // authorization service as a comma separated list like so:
+  // ``x-envoy-auth-headers-to-remove: one-auth-header, another-auth-header``.
+  repeated string headers_to_remove = 5;
+
+  // This field has been deprecated in favor of :ref:`CheckResponse.dynamic_metadata
+  // <envoy_v3_api_field_service.auth.v3.CheckResponse.dynamic_metadata>`. Until it is removed,
+  // setting this field overrides :ref:`CheckResponse.dynamic_metadata
+  // <envoy_v3_api_field_service.auth.v3.CheckResponse.dynamic_metadata>`.
+  google.protobuf.Struct dynamic_metadata = 3
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+  // This field allows the authorization service to send HTTP response headers
+  // to the downstream client on success. Note that the :ref:`append field in HeaderValueOption <envoy_v3_api_field_config.core.v3.HeaderValueOption.append>`
+  // defaults to false when used in this message.
+  repeated config.core.v3.HeaderValueOption response_headers_to_add = 6;
+
+  // This field allows the authorization service to set (and overwrite) query
+  // string parameters on the original request before it is sent upstream.
+  repeated config.core.v3.QueryParameter query_parameters_to_set = 7;
+
+  // This field allows the authorization service to specify which query parameters
+  // should be removed from the original request before it is sent upstream. Each
+  // element in this list is a case-sensitive query parameter name to be removed.
+  repeated string query_parameters_to_remove = 8;
+}
+
+// Intended for gRPC and Network Authorization servers ``only``.
+message CheckResponse {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.service.auth.v2.CheckResponse";
+
+  // Status ``OK`` allows the request. Any other status indicates the request should be denied, and
+  // for HTTP filter, if not overridden by :ref:`denied HTTP response status <envoy_v3_api_field_service.auth.v3.DeniedHttpResponse.status>`
+  // Envoy sends ``403 Forbidden`` HTTP status code by default.
+  google.rpc.Status status = 1;
+
+  // An message that contains HTTP response attributes. This message is
+  // used when the authorization service needs to send custom responses to the
+  // downstream client or, to modify/add request headers being dispatched to the upstream.
+  oneof http_response {
+    // Supplies http attributes for a denied response.
+    DeniedHttpResponse denied_response = 2;
+
+    // Supplies http attributes for an ok response.
+    OkHttpResponse ok_response = 3;
+  }
+
+  // Optional response metadata that will be emitted as dynamic metadata to be consumed by the next
+  // filter. This metadata lives in a namespace specified by the canonical name of extension filter
+  // that requires it:
+  //
+  // - :ref:`envoy.filters.http.ext_authz <config_http_filters_ext_authz_dynamic_metadata>` for HTTP filter.
+  // - :ref:`envoy.filters.network.ext_authz <config_network_filters_ext_authz_dynamic_metadata>` for network filter.
+  google.protobuf.Struct dynamic_metadata = 4;
+}
--- a/examples/compose/lite/docker-compose.yml
+++ b/examples/compose/lite/docker-compose.yml
@ -45,7 +45,7 @@ services:
      - TZ=Australia/Melbourne

  traefik:
-    image: traefik:v2.10.1
+    image: traefik:v2.10.3
    container_name: traefik
    volumes:
      - ./traefik:/etc/traefik
--- a/examples/compose/local/docker-compose.yml
+++ b/examples/compose/local/docker-compose.yml
@ -32,7 +32,7 @@ services:
      - TZ=Australia/Melbourne

  traefik:
-    image: traefik:v2.10.1
+    image: traefik:v2.10.3
    container_name: traefik
    volumes:
      - ./traefik:/etc/traefik
--- a/go.mod
+++ b/go.mod
@ -20,7 +20,7 @@ require (
 	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-retryablehttp v0.7.4
-	github.com/jackc/pgx/v5 v5.4.0
+	github.com/jackc/pgx/v5 v5.4.1
 	github.com/jmoiron/sqlx v1.3.5
 	github.com/knadh/koanf/parsers/yaml v0.1.0
 	github.com/knadh/koanf/providers/confmap v0.1.0
@ -33,8 +33,8 @@ require (
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
 	github.com/ory/fosite v0.44.0
 	github.com/ory/herodot v0.10.2
-	github.com/ory/x v0.0.561
-	github.com/otiai10/copy v1.11.0
+	github.com/ory/x v0.0.563
+	github.com/otiai10/copy v1.12.0
 	github.com/pkg/errors v0.9.1
 	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.16.0
@ -43,7 +43,7 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
 	github.com/trustelem/zxcvbn v1.0.1
-	github.com/valyala/fasthttp v1.47.0
+	github.com/valyala/fasthttp v1.48.0
 	github.com/wneessen/go-mail v0.3.9
 	golang.org/x/net v0.11.0
 	golang.org/x/sync v0.3.0
@ -59,6 +59,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/cristalhq/jwt/v4 v4.0.2 // indirect
 	github.com/dave/jennifer v1.6.0 // indirect
@ -68,12 +69,16 @@ require (
 	github.com/dlclark/regexp2 v1.4.0 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
 	github.com/ecordell/optgen v0.0.6 // indirect
+	github.com/envoyproxy/go-control-plane v0.11.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.0.1 // indirect
 	github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-crypt/x v0.2.1 // indirect
 	github.com/go-redis/redis/v8 v8.11.5 // indirect
 	github.com/go-webauthn/revoke v0.1.9 // indirect
-	github.com/golang/glog v1.0.0 // indirect
+	github.com/gogo/googleapis v1.4.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/glog v1.1.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-tpm v0.3.3 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
@ -97,7 +102,7 @@ require (
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/philhofer/fwd v1.1.2 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
 	github.com/prometheus/common v0.42.0 // indirect
 	github.com/prometheus/procfs v0.10.1 // indirect
 	github.com/redis/go-redis/v9 v9.0.4 // indirect
@ -119,12 +124,13 @@ require (
 	github.com/ysmood/leakless v0.8.0 // indirect
 	golang.org/x/crypto v0.10.0 // indirect
 	golang.org/x/mod v0.10.0 // indirect
-	golang.org/x/oauth2 v0.5.0 // indirect
+	golang.org/x/oauth2 v0.7.0 // indirect
 	golang.org/x/sys v0.9.0 // indirect
-	golang.org/x/tools v0.7.0 // indirect
+	golang.org/x/tools v0.8.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd // indirect
-	google.golang.org/grpc v1.54.0 // indirect
+	google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e // indirect
+	google.golang.org/grpc v1.56.0 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -72,6 +72,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k=
+github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
@ -113,7 +115,11 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.11.1 h1:wSUXTlLfiAQRWs2F+p+EKOY9rUyis1MyGqJ2DIk5HpM=
+github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/envoyproxy/protoc-gen-validate v1.0.1 h1:kt9FtLiooDc0vbwTLhdg3dyNX1K9Qwa1EK9LcD4jVUQ=
+github.com/envoyproxy/protoc-gen-validate v1.0.1/go.mod h1:0vj8bNkYbSTNS2PIyH87KZaeN4x9zpL9Qt8fQC7d+vs=
 github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 h1:JWuenKqqX8nojtoVVWjGfOF9635RETekkoH6Cc9SX0A=
 github.com/facebookgo/stack v0.0.0-20160209184415-751773369052/go.mod h1:UbMTZqLaRiH3MsBH8va0n7s1pQYcu3uTb8G4tygF4Zg=
 github.com/fasthttp/router v1.4.19 h1:RLE539IU/S4kfb4MP56zgP0TIBU9kEg0ID9GpWO0vqk=
@ -154,13 +160,19 @@ github.com/go-webauthn/revoke v0.1.9 h1:gSJ1ckA9VaKA2GN4Ukp+kiGTk1/EXtaDb1YE8Rkn
 github.com/go-webauthn/revoke v0.1.9/go.mod h1:j6WKPnv0HovtEs++paan9g3ar46gm1NarktkXBaPR+w=
 github.com/go-webauthn/webauthn v0.5.0 h1:Tbmp37AGIhYbQmcy2hEffo3U3cgPClqvxJ7cLUnF7Rc=
 github.com/go-webauthn/webauthn v0.5.0/go.mod h1:0CBq/jNfPS9l033j4AxMk8K8MluiMsde9uGNSPFLEVE=
+github.com/gogo/googleapis v1.4.1 h1:1Yx4Myt7BxzvUr5ldGSbwYiZG6t9wGBZ+8/fX3Wvtq0=
+github.com/gogo/googleapis v1.4.1/go.mod h1:2lpHqI5OcWCtVElxXnPt+s8oJvMpySlOyM6xDCrzib4=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
 github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
+github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE=
+github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@ -256,8 +268,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
 github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.4.0 h1:BSr+GCm4N6QcgIwv0DyTFHK9ugfEFF9DzSbbzxOiXU0=
-github.com/jackc/pgx/v5 v5.4.0/go.mod h1:q6iHT8uDNXWiFNOlRqJzBTaSH3+2xCXkokxHZC5qWFY=
+github.com/jackc/pgx/v5 v5.4.1 h1:oKfB/FhuVtit1bBM3zNRRsZ925ZkMN3HXL+LgLUM9lE=
+github.com/jackc/pgx/v5 v5.4.1/go.mod h1:q6iHT8uDNXWiFNOlRqJzBTaSH3+2xCXkokxHZC5qWFY=
 github.com/jandelgado/gcov2lcov v1.0.5 h1:rkBt40h0CVK4oCb8Dps950gvfd1rYvQ8+cWa346lVU0=
 github.com/jandelgado/gcov2lcov v1.0.5/go.mod h1:NnSxK6TMlg1oGDBfGelGbjgorT5/L3cchlbtgFYZSss=
 github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=
@ -267,6 +279,7 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
 github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
@ -331,10 +344,10 @@ github.com/ory/go-convenience v0.1.0 h1:zouLKfF2GoSGnJwGq+PE/nJAE6dj2Zj5QlTgmMTs
 github.com/ory/go-convenience v0.1.0/go.mod h1:uEY/a60PL5c12nYz4V5cHY03IBmwIAEm8TWB0yn9KNs=
 github.com/ory/herodot v0.10.2 h1:gGvNMHgAwWzdP/eo+roSiT5CGssygHSjDU7MSQNlJ4E=
 github.com/ory/herodot v0.10.2/go.mod h1:MMNmY6MG1uB6fnXYFaHoqdV23DTWctlPsmRCeq/2+wc=
-github.com/ory/x v0.0.561 h1:SvNDGd6OhvAFl4XiPnYJuLCtR6iLxZJcF1Vzlo1IFTM=
-github.com/ory/x v0.0.561/go.mod h1:kup4ebSC4SzwU6KPZJ4G60UR3EEsHxJ0apQVflVw5yQ=
-github.com/otiai10/copy v1.11.0 h1:OKBD80J/mLBrwnzXqGtFCzprFSGioo30JcmR4APsNwc=
-github.com/otiai10/copy v1.11.0/go.mod h1:rSaLseMUsZFFbsFGc7wCJnnkTAvdc5L6VWxPE4308Ww=
+github.com/ory/x v0.0.563 h1:T77Bjt6ALMZmUJIsQ5UEkzDBCD+8vxfQlBCU1Y39uDk=
+github.com/ory/x v0.0.563/go.mod h1:kup4ebSC4SzwU6KPZJ4G60UR3EEsHxJ0apQVflVw5yQ=
+github.com/otiai10/copy v1.12.0 h1:cLMgSQnXBs1eehF0Wy/FAGsgDTDmAqFR7rQylBb1nDY=
+github.com/otiai10/copy v1.12.0/go.mod h1:rSaLseMUsZFFbsFGc7wCJnnkTAvdc5L6VWxPE4308Ww=
 github.com/otiai10/mint v1.5.1 h1:XaPLeE+9vGbuyEHem1JNk3bYc7KKqyI/na0/mLd/Kks=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
 github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
@ -363,6 +376,8 @@ github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
 github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
+github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
+github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
@ -436,8 +451,8 @@ github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGr
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.47.0 h1:y7moDoxYzMooFpT5aHgNgVOQDrS3qlkfiP9mDtGGK9c=
-github.com/valyala/fasthttp v1.47.0/go.mod h1:k2zXd82h/7UZc3VOdJ2WaUqt1uZ/XpXAfE9i+HBC3lA=
+github.com/valyala/fasthttp v1.48.0 h1:oJWvHb9BIZToTQS3MuQ2R3bJZiNSa2KiNdeI8A+79Tc=
+github.com/valyala/fasthttp v1.48.0/go.mod h1:k2zXd82h/7UZc3VOdJ2WaUqt1uZ/XpXAfE9i+HBC3lA=
 github.com/wneessen/go-mail v0.3.9 h1:Q4DbCk3htT5DtDWKeMgNXCiHc4bBY/vv/XQPT6XDXzc=
 github.com/wneessen/go-mail v0.3.9/go.mod h1:zxOlafWCP/r6FEhAaRgH4IC1vg2YXxO0Nar9u0IScZ8=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@ -579,6 +594,10 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s=
 golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
+golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw=
+golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
+golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
+golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -707,6 +726,7 @@ golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200717024301-6ddee64345a6/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
@ -716,6 +736,7 @@ golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
@ -724,6 +745,7 @@ golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
 golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
+golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -793,6 +815,10 @@ google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd h1:sLpv7bNL1AsX3fdnWh9WVh7ejIzXdOc1RRHGeAmeStU=
 google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
+google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e h1:Ao9GzfUMPH3zjVfzXG5rlWlk+Q8MXWKwWpwVQE1MXfw=
+google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e h1:NumxXLPfHSndr3wBBdeKiVHjGVFzi9RX2HwwQke94iY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@ -812,6 +838,10 @@ google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA5
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag=
 google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
+google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag=
+google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8=
+google.golang.org/grpc v1.56.0 h1:+y7Bs8rtMd07LeXmL3NxcTLn7mUkbKZqEpPhMNkwJEE=
+google.golang.org/grpc v1.56.0/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
 google.golang.org/grpc/examples v0.0.0-20210304020650-930c79186c99 h1:qA8rMbz1wQ4DOFfM2ouD29DG9aHWBm6ZOy9BGxiUMmY=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
--- a/internal/authentication/const.go
+++ b/internal/authentication/const.go
@ -60,12 +60,19 @@ const (
 )

 const (
-	ldapPlaceholderInput                        = "{input}"
-	ldapPlaceholderDistinguishedName            = "{dn}"
-	ldapPlaceholderUsername                     = "{username}"
-	ldapPlaceholderDateTimeGeneralized          = "{date-time:generalized}"
-	ldapPlaceholderDateTimeMicrosoftNTTimeEpoch = "{date-time:microsoft-nt}"
-	ldapPlaceholderDateTimeUnixEpoch            = "{date-time:unix}"
+	ldapPlaceholderInput                             = "{input}"
+	ldapPlaceholderDistinguishedName                 = "{dn}"
+	ldapPlaceholderMemberOfDistinguishedName         = "{memberof:dn}"
+	ldapPlaceholderMemberOfRelativeDistinguishedName = "{memberof:rdn}"
+	ldapPlaceholderUsername                          = "{username}"
+	ldapPlaceholderDateTimeGeneralized               = "{date-time:generalized}"
+	ldapPlaceholderDateTimeMicrosoftNTTimeEpoch      = "{date-time:microsoft-nt}"
+	ldapPlaceholderDateTimeUnixEpoch                 = "{date-time:unix}"
+	ldapPlaceholderDistinguishedNameAttribute        = "{distinguished_name_attribute}"
+	ldapPlaceholderUsernameAttribute                 = "{username_attribute}"
+	ldapPlaceholderDisplayNameAttribute              = "{display_name_attribute}"
+	ldapPlaceholderMailAttribute                     = "{mail_attribute}"
+	ldapPlaceholderMemberOfAttribute                 = "{member_of_attribute}"
 )

 const (
--- a/internal/authentication/gen.go
+++ b/internal/authentication/gen.go
@ -3,7 +3,7 @@ package authentication
 // This file is used to generate mocks. You can generate all mocks using the
 // command `go generate github.com/authelia/authelia/v4/internal/authentication`.

-//go:generate mockgen -package authentication -destination ldap_client_mock.go -mock_names LDAPClient=MockLDAPClient github.com/authelia/authelia/v4/internal/authentication LDAPClient
-//go:generate mockgen -package authentication -destination ldap_client_factory_mock.go -mock_names LDAPClientFactory=MockLDAPClientFactory github.com/authelia/authelia/v4/internal/authentication LDAPClientFactory
+//go:generate mockgen -package authentication -destination ldap_client_mock_test.go -mock_names LDAPClient=MockLDAPClient github.com/authelia/authelia/v4/internal/authentication LDAPClient
+//go:generate mockgen -package authentication -destination ldap_client_factory_mock_test.go -mock_names LDAPClientFactory=MockLDAPClientFactory github.com/authelia/authelia/v4/internal/authentication LDAPClientFactory
 //go:generate mockgen -package authentication -destination file_user_provider_database_mock_test.go -mock_names FileUserDatabase=MockFileUserDatabase github.com/authelia/authelia/v4/internal/authentication FileUserDatabase
 //go:generate mockgen -package authentication -destination file_user_provider_hash_mock_test.go -mock_names Hash=MockHash github.com/go-crypt/crypt/algorithm Hash
--- a/internal/authentication/ldap_client_factory_mock_test.go
+++ b/internal/authentication/ldap_client_factory_mock_test.go
--- a/internal/authentication/ldap_client_mock_test.go
+++ b/internal/authentication/ldap_client_mock_test.go
--- a/internal/authentication/ldap_control_types_test.go
+++ b/internal/authentication/ldap_control_types_test.go
@ -0,0 +1,17 @@
+package authentication
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestControlMsftServerPolicyHints(t *testing.T) {
+	ct := &controlMsftServerPolicyHints{
+		oid: ldapOIDControlMsftServerPolicyHints,
+	}
+
+	assert.Equal(t, ldapOIDControlMsftServerPolicyHints, ct.GetControlType())
+	assert.Equal(t, "Enforce the password history length constraint (MS-SAMR section 3.1.1.7.1) during password set: 1.2.840.113556.1.4.2239", ct.String())
+	assert.NotNil(t, ct.Encode())
+}
--- a/internal/authentication/ldap_user_provider.go
+++ b/internal/authentication/ldap_user_provider.go
@ -8,7 +8,7 @@ import (
 	"strconv"
 	"strings"

-	"github.com/go-ldap/ldap/v3"
+	ldap "github.com/go-ldap/ldap/v3"
 	"github.com/sirupsen/logrus"

 	"github.com/authelia/authelia/v4/internal/configuration/schema"
@ -40,11 +40,13 @@ type LDAPUserProvider struct {
 	usersFilterReplacementDateTimeMicrosoftNTTimeEpoch bool

 	// Dynamically generated groups values.
-	groupsBaseDN                    string
-	groupsAttributes                []string
-	groupsFilterReplacementInput    bool
-	groupsFilterReplacementUsername bool
-	groupsFilterReplacementDN       bool
+	groupsBaseDN                        string
+	groupsAttributes                    []string
+	groupsFilterReplacementInput        bool
+	groupsFilterReplacementUsername     bool
+	groupsFilterReplacementDN           bool
+	groupsFilterReplacementsMemberOfDN  bool
+	groupsFilterReplacementsMemberOfRDN bool
 }

 // NewLDAPUserProvider creates a new instance of LDAPUserProvider with the ProductionLDAPClientFactory.
@ -86,6 +88,7 @@ func NewLDAPUserProviderWithFactory(config schema.LDAPAuthenticationBackend, dis

 	provider.parseDynamicUsersConfiguration()
 	provider.parseDynamicGroupsConfiguration()
+	provider.parseDynamicConfiguration()

 	return provider
 }
@ -134,38 +137,11 @@ func (p *LDAPUserProvider) GetDetails(username string) (details *UserDetails, er
 	}

 	var (
-		request *ldap.SearchRequest
-		result  *ldap.SearchResult
+		groups []string
 	)

-	// Search for the users groups.
-	request = ldap.NewSearchRequest(
-		p.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
-		0, 0, false, p.resolveGroupsFilter(username, profile), p.groupsAttributes, nil,
-	)
-
-	p.log.
-		WithField("base_dn", request.BaseDN).
-		WithField("filter", request.Filter).
-		WithField("attr", request.Attributes).
-		WithField("scope", request.Scope).
-		WithField("deref", request.DerefAliases).
-		Trace("Performing group search")
-
-	if result, err = p.search(client, request); err != nil {
-		return nil, fmt.Errorf("unable to retrieve groups of user '%s'. Cause: %w", username, err)
-	}
-
-	groups := make([]string, 0)
-
-	for _, res := range result.Entries {
-		if len(res.Attributes) == 0 {
-			p.log.Warningf("No groups retrieved from LDAP for user %s", username)
-			break
-		}
-
-		// Append all values of the document. Normally there should be only one per document.
-		groups = append(groups, res.Attributes[0].Values...)
+	if groups, err = p.getUserGroups(client, username, profile); err != nil {
+		return nil, err
 	}

 	return &UserDetails{
@ -275,14 +251,12 @@ func (p *LDAPUserProvider) search(client LDAPClient, request *ldap.SearchRequest
 			} else {
 				result.Referrals = append(result.Referrals, referral)
 			}
+		} else {
+			return nil, err
 		}
 	}

 	if !p.config.PermitReferrals || len(result.Referrals) == 0 {
-		if err != nil {
-			return nil, err
-		}
-
 		return result, nil
 	}

@ -357,6 +331,11 @@ func (p *LDAPUserProvider) getUserProfile(client LDAPClient, username string) (p
 		return nil, fmt.Errorf("there were %d users found when searching for '%s' but there should only be 1", len(result.Entries), username)
 	}

+	return p.getUserProfileResultToProfile(username, result)
+}
+
+//nolint:gocyclo // Not overly complex.
+func (p *LDAPUserProvider) getUserProfileResultToProfile(username string, result *ldap.SearchResult) (profile *ldapUserProfile, err error) {
 	userProfile := ldapUserProfile{
 		DN: result.Entries[0].DN,
 	}
@ -364,35 +343,50 @@ func (p *LDAPUserProvider) getUserProfile(client LDAPClient, username string) (p
 	for _, attr := range result.Entries[0].Attributes {
 		attrs := len(attr.Values)

-		if attr.Name == p.config.UsernameAttribute {
+		switch attr.Name {
+		case p.config.Attributes.Username:
 			switch attrs {
 			case 1:
 				userProfile.Username = attr.Values[0]
+
+				if attr.Name == p.config.Attributes.DisplayName && userProfile.DisplayName == "" {
+					userProfile.DisplayName = attr.Values[0]
+				}
+
+				if attr.Name == p.config.Attributes.Mail && len(userProfile.Emails) == 0 {
+					userProfile.Emails = []string{attr.Values[0]}
+				}
 			case 0:
 				return nil, fmt.Errorf("user '%s' must have value for attribute '%s'",
-					username, p.config.UsernameAttribute)
+					username, p.config.Attributes.Username)
 			default:
 				return nil, fmt.Errorf("user '%s' has %d values for for attribute '%s' but the attribute must be a single value attribute",
-					username, attrs, p.config.UsernameAttribute)
+					username, attrs, p.config.Attributes.Username)
+			}
+		case p.config.Attributes.Mail:
+			if attrs == 0 {
+				continue
 			}
-		}

-		if attrs == 0 {
-			continue
-		}
-
-		if attr.Name == p.config.MailAttribute {
 			userProfile.Emails = attr.Values
-		}
+		case p.config.Attributes.DisplayName:
+			if attrs == 0 {
+				continue
+			}

-		if attr.Name == p.config.DisplayNameAttribute {
 			userProfile.DisplayName = attr.Values[0]
+		case p.config.Attributes.MemberOf:
+			if attrs == 0 {
+				continue
+			}
+
+			userProfile.MemberOf = attr.Values
 		}
 	}

 	if userProfile.Username == "" {
 		return nil, fmt.Errorf("user '%s' must have value for attribute '%s'",
-			username, p.config.UsernameAttribute)
+			username, p.config.Attributes.Username)
 	}

 	if userProfile.DN == "" {
@ -402,6 +396,118 @@ func (p *LDAPUserProvider) getUserProfile(client LDAPClient, username string) (p
 	return &userProfile, nil
 }

+func (p *LDAPUserProvider) getUserGroups(client LDAPClient, username string, profile *ldapUserProfile) (groups []string, err error) {
+	request := ldap.NewSearchRequest(
+		p.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
+		0, 0, false, p.resolveGroupsFilter(username, profile), p.groupsAttributes, nil,
+	)
+
+	p.log.
+		WithField("base_dn", request.BaseDN).
+		WithField("filter", request.Filter).
+		WithField("attributes", request.Attributes).
+		WithField("scope", request.Scope).
+		WithField("deref", request.DerefAliases).
+		WithField("mode", p.config.GroupSearchMode).
+		Trace("Performing group search")
+
+	switch p.config.GroupSearchMode {
+	case "", "filter":
+		return p.getUserGroupsRequestFilter(client, username, profile, request)
+	case "memberof":
+		return p.getUserGroupsRequestMemberOf(client, username, profile, request)
+	default:
+		return nil, fmt.Errorf("could not perform group search with mode '%s' as it's unknown", p.config.GroupSearchMode)
+	}
+}
+
+func (p *LDAPUserProvider) getUserGroupsRequestFilter(client LDAPClient, username string, _ *ldapUserProfile, request *ldap.SearchRequest) (groups []string, err error) {
+	var result *ldap.SearchResult
+
+	if result, err = p.search(client, request); err != nil {
+		return nil, fmt.Errorf("unable to retrieve groups of user '%s'. Cause: %w", username, err)
+	}
+
+	for _, entry := range result.Entries {
+		if group := p.getUserGroupFromEntry(entry); len(group) != 0 {
+			groups = append(groups, group)
+		}
+	}
+
+	return groups, nil
+}
+
+func (p *LDAPUserProvider) getUserGroupsRequestMemberOf(client LDAPClient, username string, profile *ldapUserProfile, request *ldap.SearchRequest) (groups []string, err error) {
+	var result *ldap.SearchResult
+
+	if result, err = p.search(client, request); err != nil {
+		return nil, fmt.Errorf("unable to retrieve groups of user '%s'. Cause: %w", username, err)
+	}
+
+	for _, entry := range result.Entries {
+		if len(entry.Attributes) == 0 {
+			p.log.
+				WithField("dn", entry.DN).
+				WithField("attributes", request.Attributes).
+				WithField("mode", "memberof").
+				Trace("Skipping Group as the server did not return any requested attributes")
+
+			continue
+		}
+
+		if !utils.IsStringInSliceFold(entry.DN, profile.MemberOf) {
+			p.log.
+				WithField("dn", entry.DN).
+				WithField("mode", "memberof").
+				Trace("Skipping Group as it doesn't match the users memberof entries")
+
+			continue
+		}
+
+		if group := p.getUserGroupFromEntry(entry); len(group) != 0 {
+			groups = append(groups, group)
+		}
+	}
+
+	return groups, nil
+}
+
+func (p *LDAPUserProvider) getUserGroupFromEntry(entry *ldap.Entry) string {
+attributes:
+	for _, attr := range entry.Attributes {
+		switch attr.Name {
+		case p.config.Attributes.GroupName:
+			switch len(attr.Values) {
+			case 0:
+				p.log.
+					WithField("dn", entry.DN).
+					WithField("attribute", attr.Name).
+					Trace("Group skipped as the server returned a null attribute")
+			case 1:
+				switch len(attr.Values[0]) {
+				case 0:
+					p.log.
+						WithField("dn", entry.DN).
+						WithField("attribute", attr.Name).
+						Trace("Skipping group as the configured group name attribute had no value")
+
+				default:
+					return attr.Values[0]
+				}
+			default:
+				p.log.
+					WithField("dn", entry.DN).
+					WithField("attribute", attr.Name).
+					Trace("Group skipped as the server returned a multi-valued attribute but it should be a single-valued attribute")
+			}
+
+			break attributes
+		}
+	}
+
+	return ""
+}
+
 func (p *LDAPUserProvider) resolveUsersFilter(input string) (filter string) {
 	filter = p.config.UsersFilter

@ -445,6 +551,27 @@ func (p *LDAPUserProvider) resolveGroupsFilter(input string, profile *ldapUserPr
 		}
 	}

+	if p.groupsFilterReplacementsMemberOfDN {
+		sep := fmt.Sprintf(")(%s=", p.config.Attributes.DistinguishedName)
+		values := make([]string, len(profile.MemberOf))
+
+		for i, memberof := range profile.MemberOf {
+			values[i] = ldap.EscapeFilter(memberof)
+		}
+
+		filter = strings.ReplaceAll(filter, ldapPlaceholderMemberOfDistinguishedName, fmt.Sprintf("(%s=%s)", p.config.Attributes.DistinguishedName, strings.Join(values, sep)))
+	}
+
+	if p.groupsFilterReplacementsMemberOfRDN {
+		values := make([]string, len(profile.MemberOf))
+
+		for i, memberof := range profile.MemberOf {
+			values[i] = ldap.EscapeFilter(strings.SplitN(memberof, ",", 2)[0])
+		}
+
+		filter = strings.ReplaceAll(filter, ldapPlaceholderMemberOfRelativeDistinguishedName, fmt.Sprintf("(%s)", strings.Join(values, ")(")))
+	}
+
 	p.log.Tracef("Computed groups filter is %s", filter)

 	return filter
--- a/internal/authentication/ldap_user_provider_startup.go
+++ b/internal/authentication/ldap_user_provider_startup.go
@ -37,11 +37,6 @@ func (p *LDAPUserProvider) StartupCheck() (err error) {
 			"LDAP Server.")
 	}

-	if !p.features.Extensions.TLS && p.config.StartTLS {
-		p.log.Info("Your LDAP Server does not appear to support TLS but you enabled StartTLS which may result " +
-			"in an error.")
-	}
-
 	return nil
 }

@ -90,22 +85,24 @@ func (p *LDAPUserProvider) getServerSupportedFeatures(client LDAPClient) (featur
 }

 func (p *LDAPUserProvider) parseDynamicUsersConfiguration() {
-	p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{username_attribute}", p.config.UsernameAttribute)
-	p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{mail_attribute}", p.config.MailAttribute)
-	p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{display_name_attribute}", p.config.DisplayNameAttribute)
+	p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, ldapPlaceholderDistinguishedNameAttribute, p.config.Attributes.DistinguishedName)
+	p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, ldapPlaceholderUsernameAttribute, p.config.Attributes.Username)
+	p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, ldapPlaceholderDisplayNameAttribute, p.config.Attributes.DisplayName)
+	p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, ldapPlaceholderMailAttribute, p.config.Attributes.Mail)
+	p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, ldapPlaceholderMemberOfAttribute, p.config.Attributes.MemberOf)

 	p.log.Tracef("Dynamically generated users filter is %s", p.config.UsersFilter)

-	if !utils.IsStringInSlice(p.config.UsernameAttribute, p.usersAttributes) {
-		p.usersAttributes = append(p.usersAttributes, p.config.UsernameAttribute)
+	if len(p.config.Attributes.Username) != 0 && !utils.IsStringInSlice(p.config.Attributes.Username, p.usersAttributes) {
+		p.usersAttributes = append(p.usersAttributes, p.config.Attributes.Username)
 	}

-	if !utils.IsStringInSlice(p.config.MailAttribute, p.usersAttributes) {
-		p.usersAttributes = append(p.usersAttributes, p.config.MailAttribute)
+	if len(p.config.Attributes.Mail) != 0 && !utils.IsStringInSlice(p.config.Attributes.Mail, p.usersAttributes) {
+		p.usersAttributes = append(p.usersAttributes, p.config.Attributes.Mail)
 	}

-	if !utils.IsStringInSlice(p.config.DisplayNameAttribute, p.usersAttributes) {
-		p.usersAttributes = append(p.usersAttributes, p.config.DisplayNameAttribute)
+	if len(p.config.Attributes.DisplayName) != 0 && !utils.IsStringInSlice(p.config.Attributes.DisplayName, p.usersAttributes) {
+		p.usersAttributes = append(p.usersAttributes, p.config.Attributes.DisplayName)
 	}

 	if p.config.AdditionalUsersDN != "" {
@ -137,8 +134,14 @@ func (p *LDAPUserProvider) parseDynamicUsersConfiguration() {
 }

 func (p *LDAPUserProvider) parseDynamicGroupsConfiguration() {
-	p.groupsAttributes = []string{
-		p.config.GroupNameAttribute,
+	p.config.GroupsFilter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderDistinguishedNameAttribute, p.config.Attributes.DistinguishedName)
+	p.config.GroupsFilter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderUsernameAttribute, p.config.Attributes.Username)
+	p.config.GroupsFilter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderDisplayNameAttribute, p.config.Attributes.DisplayName)
+	p.config.GroupsFilter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderMailAttribute, p.config.Attributes.Mail)
+	p.config.GroupsFilter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderMemberOfAttribute, p.config.Attributes.MemberOf)
+
+	if len(p.config.Attributes.GroupName) != 0 && !utils.IsStringInSlice(p.config.Attributes.GroupName, p.groupsAttributes) {
+		p.groupsAttributes = append(p.groupsAttributes, p.config.Attributes.GroupName)
 	}

 	if p.config.AdditionalGroupsDN != "" {
@ -161,5 +164,25 @@ func (p *LDAPUserProvider) parseDynamicGroupsConfiguration() {
 		p.groupsFilterReplacementDN = true
 	}

+	if strings.Contains(p.config.GroupsFilter, ldapPlaceholderMemberOfDistinguishedName) {
+		p.groupsFilterReplacementsMemberOfDN = true
+	}
+
+	if strings.Contains(p.config.GroupsFilter, ldapPlaceholderMemberOfRelativeDistinguishedName) {
+		p.groupsFilterReplacementsMemberOfRDN = true
+	}
+
 	p.log.Tracef("Detected group filter replacements that need to be resolved per lookup are: input=%v, username=%v, dn=%v", p.groupsFilterReplacementInput, p.groupsFilterReplacementUsername, p.groupsFilterReplacementDN)
 }
+
+func (p *LDAPUserProvider) parseDynamicConfiguration() {
+	if len(p.config.Attributes.MemberOf) != 0 {
+		if !utils.IsStringInSlice(p.config.Attributes.MemberOf, p.usersAttributes) {
+			p.usersAttributes = append(p.usersAttributes, p.config.Attributes.MemberOf)
+		}
+
+		if !utils.IsStringInSlice(p.config.Attributes.MemberOf, p.groupsAttributes) {
+			p.groupsAttributes = append(p.groupsAttributes, p.config.Attributes.MemberOf)
+		}
+	}
+}
--- a/internal/authentication/ldap_user_provider_test.go
+++ b/internal/authentication/ldap_user_provider_test.go
--- a/internal/authentication/ldap_util.go
+++ b/internal/authentication/ldap_util.go
@ -5,7 +5,7 @@ import (
 	"strings"

 	ber "github.com/go-asn1-ber/asn1-ber"
-	"github.com/go-ldap/ldap/v3"
+	ldap "github.com/go-ldap/ldap/v3"
 )

 func ldapEntriesContainsEntry(needle *ldap.Entry, haystack []*ldap.Entry) bool {
@ -67,12 +67,12 @@ func ldapEscape(inputUsername string) string {
 }

 func ldapGetReferral(err error) (referral string, ok bool) {
-	if !ldap.IsErrorWithCode(err, ldap.LDAPResultReferral) {
-		return "", false
-	}
-
 	switch e := err.(type) {
 	case *ldap.Error:
+		if e.ResultCode != ldap.LDAPResultReferral {
+			return "", false
+		}
+
 		if e.Packet == nil {
 			return "", false
 		}
--- a/internal/authentication/ldap_util_test.go
+++ b/internal/authentication/ldap_util_test.go
@ -193,6 +193,12 @@ func TestLDAPGetReferral(t *testing.T) {
 			expectedReferral: "",
 			expectedOK:       false,
 		},
+		{
+			description:      "ShouldNotGetInvalidErrType",
+			have:             errors.New("not an err"),
+			expectedReferral: "",
+			expectedOK:       false,
+		},
 	}

 	for _, tc := range testCases {
--- a/internal/authentication/types.go
+++ b/internal/authentication/types.go
@ -82,6 +82,7 @@ type ldapUserProfile struct {
 	Emails      []string
 	DisplayName string
 	Username    string
+	MemberOf    []string
 }

 // LDAPSupportedFeatures represents features which a server may support which are implemented in code.
--- a/internal/commands/services.go
+++ b/internal/commands/services.go
@ -16,6 +16,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/valyala/fasthttp"
 	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"

 	"github.com/authelia/authelia/v4/internal/authentication"
 	"github.com/authelia/authelia/v4/internal/server"
@ -33,6 +34,17 @@ func NewServerService(name string, server *fasthttp.Server, listener net.Listene
 	}
 }

+// NewGRCPServerService creates a new ServerService with the appropriate logger etc.
+func NewGRCPServerService(name string, server *grpc.Server, listener net.Listener, isTLS bool, log *logrus.Logger) (service *GRCPServerService) {
+	return &GRCPServerService{
+		name:     name,
+		server:   server,
+		listener: listener,
+		isTLS:    isTLS,
+		log:      log.WithFields(map[string]any{logFieldService: serviceTypeServer, serviceTypeServer: name}),
+	}
+}
+
 // NewFileWatcherService creates a new FileWatcherService with the appropriate logger etc.
 func NewFileWatcherService(name, path string, reload ProviderReload, log *logrus.Logger) (service *FileWatcherService, err error) {
 	if path == "" {
@ -161,6 +173,54 @@ func (service *ServerService) Log() *logrus.Entry {
 	return service.log
 }

+// GRCPServerService is a Service which runs a gRCP server.
+type GRCPServerService struct {
+	name     string
+	server   *grpc.Server
+	isTLS    bool
+	listener net.Listener
+	log      *logrus.Entry
+}
+
+// ServiceType returns the service type for this service, which is always 'server'.
+func (service *GRCPServerService) ServiceType() string {
+	return serviceTypeServer
+}
+
+// ServiceName returns the individual name for this service.
+func (service *GRCPServerService) ServiceName() string {
+	return service.name
+}
+
+// Run the ServerService.
+func (service *GRCPServerService) Run() (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			service.log.WithError(recoverErr(r)).Error("Critical error caught (recovered)")
+		}
+	}()
+
+	service.log.Infof(fmtLogServerListening, connectionType(service.isTLS), service.listener.Addr().String())
+
+	if err = service.server.Serve(service.listener); err != nil {
+		service.log.WithError(err).Error("Error returned attempting to serve requests")
+
+		return err
+	}
+
+	return nil
+}
+
+// Shutdown the ServerService.
+func (service *GRCPServerService) Shutdown() {
+	service.server.Stop()
+}
+
+// Log returns the *logrus.Entry of the ServerService.
+func (service *GRCPServerService) Log() *logrus.Entry {
+	return service.log
+}
+
 // FileWatcherService is a Service that watches files for changes.
 type FileWatcherService struct {
 	name string
@ -272,6 +332,19 @@ func svcSvrMetricsFunc(ctx *CmdCtx) (service Service) {
 	return service
 }

+func svcSvrGRPCFunc(ctx *CmdCtx) (service Service) {
+	switch svr, listener, isTLS, err := server.CreateGRPCServer(ctx.config, ctx.providers); {
+	case err != nil:
+		ctx.log.WithError(err).Fatal("Create Server Service (gRPC) returned error")
+	case svr != nil && listener != nil:
+		service = NewGRCPServerService("gRCP", svr, listener, isTLS, ctx.log)
+	default:
+		ctx.log.Debug("Create Server Service (gRPC) skipped")
+	}
+
+	return service
+}
+
 func svcWatcherUsersFunc(ctx *CmdCtx) (service Service) {
 	var err error

@ -312,7 +385,7 @@ func servicesRun(ctx *CmdCtx) {
 	)

 	for _, serviceFunc := range []func(ctx *CmdCtx) Service{
-		svcSvrMainFunc, svcSvrMetricsFunc,
+		svcSvrMainFunc, svcSvrGRPCFunc, svcSvrMetricsFunc,
 		svcWatcherUsersFunc,
 	} {
 		if service := serviceFunc(ctx); service != nil {
--- a/internal/configuration/config.template.yml
+++ b/internal/configuration/config.template.yml
@ -315,7 +315,7 @@ authentication_backend:
  ## because it allows Authelia to offload the stateful operations
  ## onto the LDAP service.
  # ldap:
-    ## The address of the LDAP server to connect to in the address common syntax.
+    ## The address of the directory server to connect to in the address common syntax.
    ## Format: [<scheme>://]<hostname>[:<port>].
    ## Square brackets indicate optional portions of the format. Scheme must be 'ldap', 'ldaps', or 'ldapi`.
    ## The default scheme is 'ldapi' if the address is an absolute path otherwise it's 'ldaps'.
@ -401,16 +401,6 @@ authentication_backend:
    ## See also: additional_users_dn, additional_groups_dn.
    # base_dn: 'dc=example,dc=com'

-    ## The attribute holding the username of the user. This attribute is used to populate the username in the session
-    ## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually
-    ## uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and the
-    ## configuration stored in database. Therefore only single value attributes are allowed and the value must never be
-    ## changed once attributed to a user otherwise it would break the configuration for that user. Technically,
-    ## non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead advise to use
-    ## a filter to perform alternative lookups and the attributes mentioned above (sAMAccountName and uid) to
-    ## follow https://datatracker.ietf.org/doc/html/rfc2307.
-    # username_attribute: 'uid'
-
    ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
    ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
    # additional_users_dn: 'ou=users'
@ -441,15 +431,9 @@ authentication_backend:
    ##    (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
    # groups_filter: '(&(member={dn})(objectClass=groupOfNames))'

-    ## The attribute holding the name of the group.
-    # group_name_attribute: 'cn'
-
-    ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
-    ## first one returned by the LDAP server is used.
-    # mail_attribute: 'mail'
-
-    ## The attribute holding the display name of the user. This will be used to greet an authenticated user.
-    # display_name_attribute: 'displayName'
+    ## The group search mode to use. Options are 'filter' or 'memberof'. It's essential to read the docs if you wish to
+    ## use 'memberof'. Also 'filter' is the best choice for most use cases.
+    # group_search_mode: 'filter'

    ## Follow referrals returned by the server.
    ## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
@ -460,6 +444,37 @@ authentication_backend:
    ## Password can also be set using a secret: https://www.authelia.com/c/secrets
    # password: 'password'

+    ## The attributes for users and objects from the directory server.
+    # attributes:
+
+      ## The distinguished name attribute if your directory server supports it. Users should read the docs before
+      ## configuring. Only used for the 'memberof' group search mode.
+      # distinguished_name: ''
+
+      ## The attribute holding the username of the user. This attribute is used to populate the username in the session
+      ## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP
+      ## usually uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and
+      ## the configuration stored in database; therefore only single value attributes are allowed and the value must
+      ## never be changed once attributed to a user otherwise it would break the configuration for that user.
+      ## Technically non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead
+      ## advise to use a filter to perform alternative lookups and the attributes mentioned above
+      ## (sAMAccountName and uid) to follow https://datatracker.ietf.org/doc/html/rfc2307.
+      # username: 'uid'
+
+      ## The attribute holding the display name of the user. This will be used to greet an authenticated user.
+      # display_name: 'displayName'
+
+      ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only
+      ## the first one returned by the directory server is used.
+      # mail: 'mail'
+
+      ## The attribute which provides distinguished names of groups an object is a member of.
+      ## Only used for the 'memberof' group search mode.
+      # member_of: 'memberOf'
+
+      ## The attribute holding the name of the group.
+      # group_name: 'cn'
+
  ##
  ## File (Authentication Provider)
  ##
--- a/internal/configuration/deprecation.go
+++ b/internal/configuration/deprecation.go
@ -294,4 +294,36 @@ var deprecations = map[string]Deprecation{
 		MapFunc: nil,
 		ErrFunc: nil,
 	},
+	"authentication_backend.ldap.username_attribute": {
+		Version: model.SemanticVersion{Major: 4, Minor: 38},
+		Key:     "authentication_backend.ldap.username_attribute",
+		NewKey:  "authentication_backend.ldap.attributes.username",
+		AutoMap: true,
+		MapFunc: nil,
+		ErrFunc: nil,
+	},
+	"authentication_backend.ldap.mail_attribute": {
+		Version: model.SemanticVersion{Major: 4, Minor: 38},
+		Key:     "authentication_backend.ldap.mail_attribute",
+		NewKey:  "authentication_backend.ldap.attributes.mail",
+		AutoMap: true,
+		MapFunc: nil,
+		ErrFunc: nil,
+	},
+	"authentication_backend.ldap.display_name_attribute": {
+		Version: model.SemanticVersion{Major: 4, Minor: 38},
+		Key:     "authentication_backend.ldap.display_name_attribute",
+		NewKey:  "authentication_backend.ldap.attributes.display_name",
+		AutoMap: true,
+		MapFunc: nil,
+		ErrFunc: nil,
+	},
+	"authentication_backend.ldap.group_name_attribute": {
+		Version: model.SemanticVersion{Major: 4, Minor: 38},
+		Key:     "authentication_backend.ldap.group_name_attribute",
+		NewKey:  "authentication_backend.ldap.attributes.group_name",
+		AutoMap: true,
+		MapFunc: nil,
+		ErrFunc: nil,
+	},
 }
--- a/internal/configuration/provider_test.go
+++ b/internal/configuration/provider_test.go
@ -245,6 +245,28 @@ func TestShouldLoadURLList(t *testing.T) {
 	assert.Equal(t, "https://example.com", config.IdentityProviders.OIDC.CORS.AllowedOrigins[1].String())
 }

+func TestShouldDisableOIDCEntropy(t *testing.T) {
+	val := schema.NewStructValidator()
+	keys, config, err := Load(val, NewDefaultSources([]string{"./test_resources/config_oidc_disable_entropy.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
+
+	assert.NoError(t, err)
+
+	validator.ValidateKeys(keys, DefaultEnvPrefix, val)
+
+	assert.Len(t, val.Errors(), 0)
+	assert.Len(t, val.Warnings(), 0)
+
+	assert.Equal(t, -1, config.IdentityProviders.OIDC.MinimumParameterEntropy)
+
+	validator.ValidateIdentityProviders(&config.IdentityProviders, val)
+
+	assert.Len(t, val.Errors(), 1)
+	require.Len(t, val.Warnings(), 2)
+
+	assert.EqualError(t, val.Warnings()[0], "identity_providers: oidc: option 'minimum_parameter_entropy' is disabled which is considered unsafe and insecure")
+	assert.Equal(t, -1, config.IdentityProviders.OIDC.MinimumParameterEntropy)
+}
+
 func TestShouldConfigureConsent(t *testing.T) {
 	val := schema.NewStructValidator()
 	keys, config, err := Load(val, NewDefaultSources([]string{"./test_resources/config_oidc.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
--- a/internal/configuration/schema/authentication.go
+++ b/internal/configuration/schema/authentication.go
@ -108,11 +108,9 @@ type LDAPAuthenticationBackend struct {

 	AdditionalGroupsDN string `koanf:"additional_groups_dn"`
 	GroupsFilter       string `koanf:"groups_filter"`
+	GroupSearchMode    string `koanf:"group_search_mode"`

-	GroupNameAttribute   string `koanf:"group_name_attribute"`
-	UsernameAttribute    string `koanf:"username_attribute"`
-	MailAttribute        string `koanf:"mail_attribute"`
-	DisplayNameAttribute string `koanf:"display_name_attribute"`
+	Attributes LDAPAuthenticationAttributes `koanf:"attributes"`

 	PermitReferrals               bool `koanf:"permit_referrals"`
 	PermitUnauthenticatedBind     bool `koanf:"permit_unauthenticated_bind"`
@ -122,6 +120,16 @@ type LDAPAuthenticationBackend struct {
 	Password string `koanf:"password"`
 }

+// LDAPAuthenticationAttributes represents the configuration related to LDAP server attributes.
+type LDAPAuthenticationAttributes struct {
+	DistinguishedName string `koanf:"distinguished_name"`
+	Username          string `koanf:"username"`
+	DisplayName       string `koanf:"display_name"`
+	Mail              string `koanf:"mail"`
+	MemberOf          string `koanf:"member_of"`
+	GroupName         string `koanf:"group_name"`
+}
+
 // DefaultPasswordConfig represents the default configuration related to Argon2id hashing.
 var DefaultPasswordConfig = Password{
 	Algorithm: argon2,
@ -175,11 +183,14 @@ var DefaultCIPasswordConfig = Password{

 // DefaultLDAPAuthenticationBackendConfigurationImplementationCustom represents the default LDAP config.
 var DefaultLDAPAuthenticationBackendConfigurationImplementationCustom = LDAPAuthenticationBackend{
-	UsernameAttribute:    ldapAttrUserID,
-	MailAttribute:        ldapAttrMail,
-	DisplayNameAttribute: ldapAttrDisplayName,
-	GroupNameAttribute:   ldapAttrCommonName,
-	Timeout:              time.Second * 5,
+	GroupSearchMode: ldapGroupSearchModeFilter,
+	Attributes: LDAPAuthenticationAttributes{
+		Username:    ldapAttrUserID,
+		DisplayName: ldapAttrDisplayName,
+		Mail:        ldapAttrMail,
+		GroupName:   ldapAttrCommonName,
+	},
+	Timeout: time.Second * 5,
 	TLS: &TLSConfig{
 		MinimumVersion: TLSVersion{tls.VersionTLS12},
 	},
@ -187,13 +198,18 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationCustom = LDAPAuth

 // DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory represents the default LDAP config for the LDAPImplementationActiveDirectory Implementation.
 var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory = LDAPAuthenticationBackend{
-	UsersFilter:          "(&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(|(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt})))",
-	UsernameAttribute:    "sAMAccountName",
-	MailAttribute:        ldapAttrMail,
-	DisplayNameAttribute: ldapAttrDisplayName,
-	GroupsFilter:         "(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))",
-	GroupNameAttribute:   ldapAttrCommonName,
-	Timeout:              time.Second * 5,
+	UsersFilter:     "(&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(|(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt})))",
+	GroupsFilter:    "(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))",
+	GroupSearchMode: ldapGroupSearchModeFilter,
+	Attributes: LDAPAuthenticationAttributes{
+		DistinguishedName: ldapAttrDistinguishedName,
+		Username:          ldapAttrSAMAccountName,
+		DisplayName:       ldapAttrDisplayName,
+		Mail:              ldapAttrMail,
+		MemberOf:          ldapAttrMemberOf,
+		GroupName:         ldapAttrCommonName,
+	},
+	Timeout: time.Second * 5,
 	TLS: &TLSConfig{
 		MinimumVersion: TLSVersion{tls.VersionTLS12},
 	},
@ -201,13 +217,17 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory =

 // DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis represents the default LDAP config for the LDAPImplementationRFC2307bis Implementation.
 var DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis = LDAPAuthenticationBackend{
-	UsersFilter:          "(&(|({username_attribute}={input})({mail_attribute}={input}))(|(objectClass=inetOrgPerson)(objectClass=organizationalPerson)))",
-	UsernameAttribute:    ldapAttrUserID,
-	MailAttribute:        ldapAttrMail,
-	DisplayNameAttribute: ldapAttrDisplayName,
-	GroupsFilter:         "(&(|(member={dn})(uniqueMember={dn}))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=groupOfMembers)))",
-	GroupNameAttribute:   ldapAttrCommonName,
-	Timeout:              time.Second * 5,
+	UsersFilter:     "(&(|({username_attribute}={input})({mail_attribute}={input}))(|(objectClass=inetOrgPerson)(objectClass=organizationalPerson)))",
+	GroupsFilter:    "(&(|(member={dn})(uniqueMember={dn}))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=groupOfMembers))(!(pwdReset=TRUE)))",
+	GroupSearchMode: ldapGroupSearchModeFilter,
+	Attributes: LDAPAuthenticationAttributes{
+		Username:    ldapAttrUserID,
+		DisplayName: ldapAttrDisplayName,
+		Mail:        ldapAttrMail,
+		MemberOf:    ldapAttrMemberOf,
+		GroupName:   ldapAttrCommonName,
+	},
+	Timeout: time.Second * 5,
 	TLS: &TLSConfig{
 		MinimumVersion: TLSVersion{tls.VersionTLS12},
 	},
@ -215,13 +235,17 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis = LDAP

 // DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA represents the default LDAP config for the LDAPImplementationFreeIPA Implementation.
 var DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA = LDAPAuthenticationBackend{
-	UsersFilter:          "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(!(nsAccountLock=TRUE))(krbPasswordExpiration>={date-time:generalized})(|(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized})))",
-	UsernameAttribute:    ldapAttrUserID,
-	MailAttribute:        ldapAttrMail,
-	DisplayNameAttribute: ldapAttrDisplayName,
-	GroupsFilter:         "(&(member={dn})(objectClass=groupOfNames))",
-	GroupNameAttribute:   ldapAttrCommonName,
-	Timeout:              time.Second * 5,
+	UsersFilter:     "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(!(nsAccountLock=TRUE))(krbPasswordExpiration>={date-time:generalized})(|(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized})))",
+	GroupsFilter:    "(&(member={dn})(objectClass=groupOfNames))",
+	GroupSearchMode: ldapGroupSearchModeFilter,
+	Attributes: LDAPAuthenticationAttributes{
+		Username:    ldapAttrUserID,
+		DisplayName: ldapAttrDisplayName,
+		Mail:        ldapAttrMail,
+		MemberOf:    ldapAttrMemberOf,
+		GroupName:   ldapAttrCommonName,
+	},
+	Timeout: time.Second * 5,
 	TLS: &TLSConfig{
 		MinimumVersion: TLSVersion{tls.VersionTLS12},
 	},
@ -229,15 +253,19 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA = LDAPAut

 // DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP represents the default LDAP config for the LDAPImplementationLLDAP Implementation.
 var DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP = LDAPAuthenticationBackend{
-	AdditionalUsersDN:    "OU=people",
-	AdditionalGroupsDN:   "OU=groups",
-	UsersFilter:          "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))",
-	UsernameAttribute:    ldapAttrUserID,
-	MailAttribute:        ldapAttrMail,
-	DisplayNameAttribute: ldapAttrCommonName,
-	GroupsFilter:         "(&(member={dn})(objectClass=groupOfUniqueNames))",
-	GroupNameAttribute:   ldapAttrCommonName,
-	Timeout:              time.Second * 5,
+	AdditionalUsersDN:  "OU=people",
+	AdditionalGroupsDN: "OU=groups",
+	UsersFilter:        "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))",
+	GroupsFilter:       "(&(member={dn})(objectClass=groupOfUniqueNames))",
+	GroupSearchMode:    ldapGroupSearchModeFilter,
+	Attributes: LDAPAuthenticationAttributes{
+		Username:    ldapAttrUserID,
+		DisplayName: ldapAttrCommonName,
+		Mail:        ldapAttrMail,
+		MemberOf:    ldapAttrMemberOf,
+		GroupName:   ldapAttrCommonName,
+	},
+	Timeout: time.Second * 5,
 	TLS: &TLSConfig{
 		MinimumVersion: TLSVersion{tls.VersionTLS12},
 	},
@ -245,13 +273,17 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP = LDAPAuthe

 // DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth represents the default LDAP config for the LDAPImplementationGLAuth Implementation.
 var DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth = LDAPAuthenticationBackend{
-	UsersFilter:          "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=posixAccount)(!(accountStatus=inactive)))",
-	UsernameAttribute:    ldapAttrCommonName,
-	MailAttribute:        ldapAttrMail,
-	DisplayNameAttribute: ldapAttrDescription,
-	GroupsFilter:         "(&(uniqueMember={dn})(objectClass=posixGroup))",
-	GroupNameAttribute:   ldapAttrCommonName,
-	Timeout:              time.Second * 5,
+	UsersFilter:     "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=posixAccount)(!(accountStatus=inactive)))",
+	GroupsFilter:    "(&(uniqueMember={dn})(objectClass=posixGroup))",
+	GroupSearchMode: ldapGroupSearchModeFilter,
+	Attributes: LDAPAuthenticationAttributes{
+		Username:    ldapAttrCommonName,
+		DisplayName: ldapAttrDescription,
+		Mail:        ldapAttrMail,
+		MemberOf:    ldapAttrMemberOf,
+		GroupName:   ldapAttrCommonName,
+	},
+	Timeout: time.Second * 5,
 	TLS: &TLSConfig{
 		MinimumVersion: TLSVersion{tls.VersionTLS12},
 	},
--- a/internal/configuration/schema/const.go
+++ b/internal/configuration/schema/const.go
@ -78,6 +78,14 @@ const (
 	LDAPImplementationGLAuth = "glauth"
 )

+const (
+	// LDAPGroupSearchModeFilter is the string for the filter group search mode.
+	LDAPGroupSearchModeFilter = "filter"
+
+	// LDAPGroupSearchModeMemberOf is the string for the memberOf group search mode.
+	LDAPGroupSearchModeMemberOf = "memberof"
+)
+
 // TOTP Algorithm.
 const (
 	TOTPAlgorithmSHA1   = "SHA1"
@ -121,11 +129,18 @@ const (
 )

 const (
-	ldapAttrMail        = "mail"
-	ldapAttrUserID      = "uid"
-	ldapAttrDisplayName = "displayName"
-	ldapAttrDescription = "description"
-	ldapAttrCommonName  = "cn"
+	ldapGroupSearchModeFilter = "filter"
+)
+
+const (
+	ldapAttrDistinguishedName = "distinguishedName"
+	ldapAttrMail              = "mail"
+	ldapAttrUserID            = "uid"
+	ldapAttrSAMAccountName    = "sAMAccountName"
+	ldapAttrDisplayName       = "displayName"
+	ldapAttrDescription       = "description"
+	ldapAttrCommonName        = "cn"
+	ldapAttrMemberOf          = "memberOf"
 )

 // Address Schemes.
--- a/internal/configuration/schema/keys.go
+++ b/internal/configuration/schema/keys.go
@ -120,10 +120,13 @@ var Keys = []string{
 	"authentication_backend.ldap.users_filter",
 	"authentication_backend.ldap.additional_groups_dn",
 	"authentication_backend.ldap.groups_filter",
-	"authentication_backend.ldap.group_name_attribute",
-	"authentication_backend.ldap.username_attribute",
-	"authentication_backend.ldap.mail_attribute",
-	"authentication_backend.ldap.display_name_attribute",
+	"authentication_backend.ldap.group_search_mode",
+	"authentication_backend.ldap.attributes.distinguished_name",
+	"authentication_backend.ldap.attributes.username",
+	"authentication_backend.ldap.attributes.display_name",
+	"authentication_backend.ldap.attributes.mail",
+	"authentication_backend.ldap.attributes.member_of",
+	"authentication_backend.ldap.attributes.group_name",
 	"authentication_backend.ldap.permit_referrals",
 	"authentication_backend.ldap.permit_unauthenticated_bind",
 	"authentication_backend.ldap.permit_feature_detection_failure",
@ -261,6 +264,8 @@ var Keys = []string{
 	"server.address",
 	"server.asset_path",
 	"server.disable_healthcheck",
+	"server.disable_autho_https_redirect",
+	"server.use_ip_for_ban",
 	"server.tls.certificate",
 	"server.tls.key",
 	"server.tls.client_certificates",
@ -271,6 +276,8 @@ var Keys = []string{
 	"server.endpoints.authz.*.implementation",
 	"server.endpoints.authz.*.authn_strategies",
 	"server.endpoints.authz.*.authn_strategies[].name",
+	"server.grpc.address",
+	"server.grpc.disableTLS",
 	"server.buffers.read",
 	"server.buffers.write",
 	"server.timeouts.read",
--- a/internal/configuration/schema/server.go
+++ b/internal/configuration/schema/server.go
@ -7,13 +7,16 @@ import (

 // ServerConfiguration represents the configuration of the http server.
 type ServerConfiguration struct {
-	Address            *AddressTCP `koanf:"address"`
-	AssetPath          string      `koanf:"asset_path"`
-	DisableHealthcheck bool        `koanf:"disable_healthcheck"`
+	Address                  *AddressTCP `koanf:"address"`
+	AssetPath                string      `koanf:"asset_path"`
+	DisableHealthcheck       bool        `koanf:"disable_healthcheck"`
+	DisableAutoHttpsRedirect bool        `koanf:"disable_autho_https_redirect"`
+	UseIPInsteadOfUserForBan bool        `koanf:"use_ip_for_ban"`

 	TLS       ServerTLS       `koanf:"tls"`
 	Headers   ServerHeaders   `koanf:"headers"`
 	Endpoints ServerEndpoints `koanf:"endpoints"`
+	GRPC      ServerGRPC      `koanf:"grpc"`

 	Buffers  ServerBuffers  `koanf:"buffers"`
 	Timeouts ServerTimeouts `koanf:"timeouts"`
@ -60,6 +63,15 @@ type ServerHeaders struct {
 	CSPTemplate string `koanf:"csp_template"`
 }

+// ServerGRCP contains configuration options for the gRCP server.
+type ServerGRPC struct {
+	// Address with port to listen on. If this field is empty, no grcp server
+	// will be spawned.
+	Address *AddressTCP `koanf:"address"`
+
+	DisableTLS bool `koanf:"disableTLS"`
+}
+
 // DefaultServerConfiguration represents the default values of the ServerConfiguration.
 var DefaultServerConfiguration = ServerConfiguration{
 	Address: &AddressTCP{Address{true, false, -1, 9091, &url.URL{Scheme: AddressSchemeTCP, Host: ":9091", Path: "/"}}},
--- a/internal/configuration/test_resources/config.durations.yml
+++ b/internal/configuration/test_resources/config.durations.yml
@ -66,14 +66,15 @@ authentication_backend:
        1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
        -----END RSA PRIVATE KEY-----
    base_dn: 'dc=example,dc=com'
-    username_attribute: 'uid'
    additional_users_dn: 'ou=users'
    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
-    group_name_attribute: 'cn'
-    mail_attribute: 'mail'
    user: 'cn=admin,dc=example,dc=com'
+    attributes:
+      username: 'uid'
+      group_name: 'cn'
+      mail: 'mail'

 access_control:
  default_policy: 'deny'
--- a/internal/configuration/test_resources/config.filtered.yml
+++ b/internal/configuration/test_resources/config.filtered.yml
@ -47,14 +47,15 @@ authentication_backend:
        1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
        -----END RSA PRIVATE KEY-----
    base_dn: dc=example,dc=com
-    username_attribute: uid
    additional_users_dn: ou=users
    users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
    additional_groups_dn: ou=groups
    groups_filter: (&(member={dn})(objectClass=groupOfNames))
-    group_name_attribute: cn
-    mail_attribute: mail
    user: cn=admin,dc=example,dc=com
+    attributes:
+      username: 'uid'
+      group_name: 'cn'
+      mail: 'mail'

 access_control:
  default_policy: deny
--- a/internal/configuration/test_resources/config.yml
+++ b/internal/configuration/test_resources/config.yml
@ -66,14 +66,15 @@ authentication_backend:
        1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
        -----END RSA PRIVATE KEY-----
    base_dn: 'dc=example,dc=com'
-    username_attribute: 'uid'
    additional_users_dn: 'ou=users'
    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
-    group_name_attribute: 'cn'
-    mail_attribute: 'mail'
    user: 'cn=admin,dc=example,dc=com'
+    attributes:
+      username: 'uid'
+      group_name: 'cn'
+      mail: 'mail'

 access_control:
  default_policy: 'deny'
--- a/internal/configuration/test_resources/config_alt.yml
+++ b/internal/configuration/test_resources/config_alt.yml
@ -18,14 +18,16 @@ authentication_backend:
  ldap:
    address: 'ldap://127.0.0.1'
    base_dn: 'dc=example,dc=com'
-    username_attribute: 'uid'
    additional_users_dn: 'ou=users'
    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
-    group_name_attribute: 'cn'
-    mail_attribute: 'mail'
+
    user: 'cn=admin,dc=example,dc=com'
+    attributes:
+      mail: 'mail'
+      group_name: 'cn'
+      username: 'uid'

 access_control:
  default_policy: 'deny'
--- a/internal/configuration/test_resources/config_bad_keys.yml
+++ b/internal/configuration/test_resources/config_bad_keys.yml
@ -19,14 +19,15 @@ authentication_backend:
  ldap:
    address: 'ldap://127.0.0.1'
    base_dn: 'dc=example,dc=com'
-    username_attribute: 'uid'
    additional_users_dn: 'ou=users'
    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
-    group_name_attribute: 'cn'
-    mail_attribute: 'mail'
    user: 'cn=admin,dc=example,dc=com'
+    attributes:
+      username: 'uid'
+      group_name: 'cn'
+      mail: 'mail'

 access_control:
  default_policy: 'deny'
--- a/internal/configuration/test_resources/config_domain_bad_regex.yml
+++ b/internal/configuration/test_resources/config_domain_bad_regex.yml
@ -18,14 +18,15 @@ authentication_backend:
  ldap:
    address: 'ldap://127.0.0.1'
    base_dn: 'dc=example,dc=com'
-    username_attribute: 'uid'
    additional_users_dn: 'ou=users'
    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
-    group_name_attribute: 'cn'
-    mail_attribute: 'mail'
    user: 'cn=admin,dc=example,dc=com'
+    attributes:
+      username: 'uid'
+      group_name: 'cn'
+      mail: 'mail'

 access_control:
  default_policy: 'deny'
--- a/internal/configuration/test_resources/config_domain_regex.yml
+++ b/internal/configuration/test_resources/config_domain_regex.yml
@ -18,13 +18,15 @@ authentication_backend:
  ldap:
    address: 'ldap://127.0.0.1'
    base_dn: 'dc=example,dc=com'
-    username_attribute: 'uid'
    additional_users_dn: 'ou=users'
    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
-    group_name_attribute: 'cn'
-    mail_attribute: 'mail'
+    attributes:
+      group_name: 'cn'
+      mail: 'mail'
+      username: 'uid'
+
    user: 'cn=admin,dc=example,dc=com'

 access_control:
--- a/internal/configuration/test_resources/config_oidc.yml
+++ b/internal/configuration/test_resources/config_oidc.yml
@ -18,14 +18,15 @@ authentication_backend:
  ldap:
    address: 'ldap://127.0.0.1'
    base_dn: 'dc=example,dc=com'
-    username_attribute: 'uid'
    additional_users_dn: 'ou=users'
    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
-    group_name_attribute: 'cn'
-    mail_attribute: 'mail'
    user: 'cn=admin,dc=example,dc=com'
+    attributes:
+      username: 'uid'
+      group_name: 'cn'
+      mail: 'mail'

 access_control:
  default_policy: 'deny'
--- a/internal/configuration/test_resources/config_oidc_disable_entropy.yml
+++ b/internal/configuration/test_resources/config_oidc_disable_entropy.yml
@ -0,0 +1,137 @@
+---
+default_redirection_url: 'https://home.example.com:8080/'
+
+server:
+  address: 'tcp://127.0.0.1:9091'
+
+log:
+  level: 'debug'
+
+totp:
+  issuer: 'authelia.com'
+
+duo_api:
+  hostname: 'api-123456789.example.com'
+  integration_key: 'ABCDEF'
+
+authentication_backend:
+  ldap:
+    address: 'ldap://127.0.0.1'
+    base_dn: 'dc=example,dc=com'
+    additional_users_dn: 'ou=users'
+    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
+    additional_groups_dn: 'ou=groups'
+    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
+    user: 'cn=admin,dc=example,dc=com'
+    attributes:
+      username: 'uid'
+      group_name: 'cn'
+      mail: 'mail'
+
+access_control:
+  default_policy: 'deny'
+
+  rules:
+    # Rules applied to everyone
+    - domain: 'public.example.com'
+      policy: 'bypass'
+
+    - domain: 'secure.example.com'
+      policy: 'one_factor'
+      # Network based rule, if not provided any network matches.
+      networks:
+        - '192.168.1.0/24'
+    - domain: 'secure.example.com'
+      policy: 'two_factor'
+
+    - domain: ['singlefactor.example.com', 'onefactor.example.com']
+      policy: 'one_factor'
+
+    # Rules applied to 'admins' group
+    - domain: 'mx2.mail.example.com'
+      subject: 'group:admins'
+      policy: 'deny'
+    - domain: '*.example.com'
+      subject: 'group:admins'
+      policy: 'two_factor'
+
+    # Rules applied to 'dev' group
+    - domain: 'dev.example.com'
+      resources:
+        - '^/groups/dev/.*$'
+      subject: 'group:dev'
+      policy: 'two_factor'
+
+    # Rules applied to user 'john'
+    - domain: 'dev.example.com'
+      resources:
+        - '^/users/john/.*$'
+      subject: 'user:john'
+      policy: 'two_factor'
+
+    # Rules applied to 'dev' group and user 'john'
+    - domain: 'dev.example.com'
+      resources:
+        - '^/deny-all.*$'
+      subject: ['group:dev', 'user:john']
+      policy: 'deny'
+
+    # Rules applied to user 'harry'
+    - domain: 'dev.example.com'
+      resources:
+        - '^/users/harry/.*$'
+      subject: 'user:harry'
+      policy: 'two_factor'
+
+    # Rules applied to user 'bob'
+    - domain: '*.mail.example.com'
+      subject: 'user:bob'
+      policy: 'two_factor'
+    - domain: 'dev.example.com'
+      resources:
+        - '^/users/bob/.*$'
+      subject: 'user:bob'
+      policy: 'two_factor'
+
+session:
+  name: 'authelia_session'
+  expiration: '1h'  # 1 hour
+  inactivity: '5m'  # 5 minutes
+  domain: 'example.com'
+  redis:
+    host: '127.0.0.1'
+    port: 6379
+    high_availability:
+      sentinel_name: 'test'
+
+regulation:
+  max_retries: 3
+  find_time: '2m'
+  ban_time: '5m'
+
+storage:
+  mysql:
+    address: 'tcp://127.0.0.1:3306'
+    database: 'authelia'
+    username: 'authelia'
+
+notifier:
+  smtp:
+    address: 'smtp://127.0.0.1:1025'
+    username: 'test'
+    sender: 'admin@example.com'
+    disable_require_tls: true
+
+identity_providers:
+  oidc:
+    cors:
+      allowed_origins:
+        - 'https://google.com'
+        - 'https://example.com'
+    minimum_parameter_entropy: -1
+    clients:
+      - id: 'abc'
+        secret: '123'
+        consent_mode: 'explicit'
+        userinfo_signing_alg: 'none'
+...
--- a/internal/configuration/test_resources/config_oidc_modern.yml
+++ b/internal/configuration/test_resources/config_oidc_modern.yml
@ -1,108 +1,111 @@
 ---
-default_redirection_url: https://home.example.com:8080/
+default_redirection_url: 'https://home.example.com:8080/'

 server:
  host: 127.0.0.1
  port: 9091

 log:
-  level: debug
+  level: 'debug'

 totp:
-  issuer: authelia.com
+  issuer: 'authelia.com'

 duo_api:
-  hostname: api-123456789.example.com
-  integration_key: ABCDEF
+  hostname: 'api-123456789.example.com'
+  integration_key: 'ABCDEF'

 authentication_backend:
  ldap:
-    url: ldap://127.0.0.1
-    base_dn: dc=example,dc=com
-    username_attribute: uid
-    additional_users_dn: ou=users
-    users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
-    additional_groups_dn: ou=groups
-    groups_filter: (&(member={dn})(objectClass=groupOfNames))
-    group_name_attribute: cn
-    mail_attribute: mail
-    user: cn=admin,dc=example,dc=com
+    url: 'ldap://127.0.0.1'
+    base_dn: 'dc=example,dc=com'
+    additional_users_dn: 'ou=users'
+    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
+    additional_groups_dn: 'ou=groups'
+    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
+    user: 'cn=admin,dc=example,dc=com'
+    attributes:
+      mail: 'mail'
+      username: 'uid'
+      group_name: 'cn'

 access_control:
-  default_policy: deny
+  default_policy: 'deny'

  rules:
    # Rules applied to everyone
-    - domain: public.example.com
-      policy: bypass
+    - domain: 'public.example.com'
+      policy: 'bypass'

-    - domain: secure.example.com
-      policy: one_factor
+    - domain: 'secure.example.com'
+      policy: 'one_factor'
      # Network based rule, if not provided any network matches.
      networks:
-        - 192.168.1.0/24
-    - domain: secure.example.com
-      policy: two_factor
+        - '192.168.1.0/24'
+    - domain: 'secure.example.com'
+      policy: 'two_factor'

-    - domain: [singlefactor.example.com, onefactor.example.com]
-      policy: one_factor
+    - domain:
+        - 'singlefactor.example.com'
+        - 'onefactor.example.com'
+      policy: 'one_factor'

    # Rules applied to 'admins' group
-    - domain: "mx2.mail.example.com"
-      subject: "group:admins"
-      policy: deny
-    - domain: "*.example.com"
-      subject: "group:admins"
-      policy: two_factor
+    - domain: 'mx2.mail.example.com'
+      subject: 'group:admins'
+      policy: 'deny'
+    - domain: '*.example.com'
+      subject: 'group:admins'
+      policy: 'two_factor'

    # Rules applied to 'dev' group
-    - domain: dev.example.com
+    - domain: 'dev.example.com'
      resources:
-        - "^/groups/dev/.*$"
-      subject: "group:dev"
-      policy: two_factor
+        - '^/groups/dev/.*$'
+      subject: 'group:dev'
+      policy: 'two_factor'

    # Rules applied to user 'john'
-    - domain: dev.example.com
+    - domain: 'dev.example.com'
      resources:
-        - "^/users/john/.*$"
-      subject: "user:john"
-      policy: two_factor
+        - '^/users/john/.*$'
+      subject: 'user:john'
+      policy: 'two_factor'

    # Rules applied to 'dev' group and user 'john'
-    - domain: dev.example.com
+    - domain: 'dev.example.com'
      resources:
-        - "^/deny-all.*$"
-      subject: ["group:dev", "user:john"]
-      policy: deny
+        - '^/deny-all.*$'
+      subject: ['group:dev', 'user:john']
+      policy: 'deny'

    # Rules applied to user 'harry'
-    - domain: dev.example.com
+    - domain: 'dev.example.com'
      resources:
-        - "^/users/harry/.*$"
-      subject: "user:harry"
-      policy: two_factor
+        - '^/users/harry/.*$'
+      subject: 'user:harry'
+      policy: 'two_factor'

    # Rules applied to user 'bob'
-    - domain: "*.mail.example.com"
-      subject: "user:bob"
-      policy: two_factor
-    - domain: "dev.example.com"
+    - domain: '*.mail.example.com'
+      subject: 'user:bob'
+      policy: 'two_factor'
+    - domain: 'dev.example.com'
      resources:
-        - "^/users/bob/.*$"
-      subject: "user:bob"
-      policy: two_factor
+        - '^/users/bob/.*$'
+      subject: 'user:bob'
+      policy: 'two_factor'

 session:
-  name: authelia_session
+  name: 'authelia_session'
  expiration: 3600000  # 1 hour
  inactivity: 300000  # 5 minutes
-  domain: example.com
+  domain: 'example.com'
  redis:
    host: 127.0.0.1
    port: 6379
    high_availability:
-      sentinel_name: test
+      sentinel_name: 'test'

 regulation:
  max_retries: 3
@ -113,12 +116,12 @@ storage:
  mysql:
    host: 127.0.0.1
    port: 3306
-    database: authelia
-    username: authelia
+    database: 'authelia'
+    username: 'authelia'

 notifier:
  smtp:
-    username: test
+    username: 'test'
    host: 127.0.0.1
    port: 1025
    sender: admin@example.com
@ -126,7 +129,7 @@ notifier:

 identity_providers:
  oidc:
-    hmac_secret: 1nb2j3kh1b23kjh1b23jh1b23j1h2b3
+    hmac_secret: '1nb2j3kh1b23kjh1b23jh1b23j1h2b3'
    issuer_private_keys:
      keys:
        keya:
@ -202,10 +205,10 @@ identity_providers:
            -----END CERTIFICATE-----
    cors:
      allowed_origins:
-        - https://google.com
-        - https://example.com
+        - 'https://google.com'
+        - 'https://example.com'
    clients:
-      - id: abc
+      - id: 'abc'
        secret: '123'
-        consent_mode: explicit
+        consent_mode: 'explicit'
 ...
--- a/internal/configuration/test_resources/config_smtp_sender_blank.yml
+++ b/internal/configuration/test_resources/config_smtp_sender_blank.yml
@ -18,14 +18,15 @@ authentication_backend:
  ldap:
    address: 'ldap://127.0.0.1'
    base_dn: 'dc=example,dc=com'
-    username_attribute: 'uid'
    additional_users_dn: 'ou=users'
    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
-    group_name_attribute: 'cn'
-    mail_attribute: 'mail'
    user: 'cn=admin,dc=example,dc=com'
+    attributes:
+      username: 'uid'
+      group_name: 'cn'
+      mail: 'mail'

 access_control:
  default_policy: 'deny'
--- a/internal/configuration/test_resources/config_smtp_sender_invalid.yml
+++ b/internal/configuration/test_resources/config_smtp_sender_invalid.yml
@ -18,14 +18,15 @@ authentication_backend:
  ldap:
    address: 'ldap://127.0.0.1'
    base_dn: 'dc=example,dc=com'
-    username_attribute: 'uid'
    additional_users_dn: 'ou=users'
    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
-    group_name_attribute: 'cn'
-    mail_attribute: 'mail'
    user: 'cn=admin,dc=example,dc=com'
+    attributes:
+      username: 'uid'
+      group_name: 'cn'
+      mail: 'mail'

 access_control:
  default_policy: 'deny'
--- a/internal/configuration/test_resources/config_with_secret.yml
+++ b/internal/configuration/test_resources/config_with_secret.yml
@ -20,14 +20,16 @@ authentication_backend:
  ldap:
    address: 'ldap://127.0.0.1'
    base_dn: 'dc=example,dc=com'
-    username_attribute: 'uid'
    additional_users_dn: 'ou=users'
    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
-    group_name_attribute: 'cn'
-    mail_attribute: 'mail'
    user: 'cn=admin,dc=example,dc=com'
+    attributes:
+      username: 'uid'
+      group_name: 'cn'
+      mail: 'mail'
+

 access_control:
  default_policy: 'deny'
--- a/internal/configuration/validator/authentication.go
+++ b/internal/configuration/validator/authentication.go
@ -364,7 +364,7 @@ func validateLDAPAuthenticationBackendImplementation(config *schema.Authenticati
 	case schema.LDAPImplementationGLAuth:
 		implementation = &schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth
 	default:
-		validator.Push(fmt.Errorf(errFmtLDAPAuthBackendImplementation, strJoinOr(validLDAPImplementations), config.LDAP.Implementation))
+		validator.Push(fmt.Errorf(errFmtLDAPAuthBackendOptionMustBeOneOf, "implementation", strJoinOr(validLDAPImplementations), config.LDAP.Implementation))
 	}

 	tlsconfig := &schema.TLSConfig{}
@ -394,32 +394,44 @@ func setDefaultImplementationLDAPAuthenticationBackendProfileAttributes(config *
 		config.AdditionalUsersDN = implementation.AdditionalUsersDN
 	}

-	if ldapImplementationShouldSetStr(config.AdditionalGroupsDN, implementation.AdditionalGroupsDN) {
-		config.AdditionalGroupsDN = implementation.AdditionalGroupsDN
-	}
-
 	if ldapImplementationShouldSetStr(config.UsersFilter, implementation.UsersFilter) {
 		config.UsersFilter = implementation.UsersFilter
 	}

-	if ldapImplementationShouldSetStr(config.UsernameAttribute, implementation.UsernameAttribute) {
-		config.UsernameAttribute = implementation.UsernameAttribute
-	}
-
-	if ldapImplementationShouldSetStr(config.DisplayNameAttribute, implementation.DisplayNameAttribute) {
-		config.DisplayNameAttribute = implementation.DisplayNameAttribute
-	}
-
-	if ldapImplementationShouldSetStr(config.MailAttribute, implementation.MailAttribute) {
-		config.MailAttribute = implementation.MailAttribute
+	if ldapImplementationShouldSetStr(config.AdditionalGroupsDN, implementation.AdditionalGroupsDN) {
+		config.AdditionalGroupsDN = implementation.AdditionalGroupsDN
 	}

 	if ldapImplementationShouldSetStr(config.GroupsFilter, implementation.GroupsFilter) {
 		config.GroupsFilter = implementation.GroupsFilter
 	}

-	if ldapImplementationShouldSetStr(config.GroupNameAttribute, implementation.GroupNameAttribute) {
-		config.GroupNameAttribute = implementation.GroupNameAttribute
+	if ldapImplementationShouldSetStr(config.GroupSearchMode, implementation.GroupSearchMode) {
+		config.GroupSearchMode = implementation.GroupSearchMode
+	}
+
+	if ldapImplementationShouldSetStr(config.Attributes.DistinguishedName, implementation.Attributes.DistinguishedName) {
+		config.Attributes.DistinguishedName = implementation.Attributes.DistinguishedName
+	}
+
+	if ldapImplementationShouldSetStr(config.Attributes.Username, implementation.Attributes.Username) {
+		config.Attributes.Username = implementation.Attributes.Username
+	}
+
+	if ldapImplementationShouldSetStr(config.Attributes.DisplayName, implementation.Attributes.DisplayName) {
+		config.Attributes.DisplayName = implementation.Attributes.DisplayName
+	}
+
+	if ldapImplementationShouldSetStr(config.Attributes.Mail, implementation.Attributes.Mail) {
+		config.Attributes.Mail = implementation.Attributes.Mail
+	}
+
+	if ldapImplementationShouldSetStr(config.Attributes.MemberOf, implementation.Attributes.MemberOf) {
+		config.Attributes.MemberOf = implementation.Attributes.MemberOf
+	}
+
+	if ldapImplementationShouldSetStr(config.Attributes.GroupName, implementation.Attributes.GroupName) {
+		config.Attributes.GroupName = implementation.Attributes.GroupName
 	}
 }

@ -486,4 +498,32 @@ func validateLDAPRequiredParameters(config *schema.AuthenticationBackend, valida
 	} else if !strings.HasPrefix(config.LDAP.GroupsFilter, "(") || !strings.HasSuffix(config.LDAP.GroupsFilter, ")") {
 		validator.Push(fmt.Errorf(errFmtLDAPAuthBackendFilterEnclosingParenthesis, "groups_filter", config.LDAP.GroupsFilter, config.LDAP.GroupsFilter))
 	}
+
+	validateLDAPGroupFilter(config, validator)
+}
+
+func validateLDAPGroupFilter(config *schema.AuthenticationBackend, validator *schema.StructValidator) {
+	if config.LDAP.GroupSearchMode == "" {
+		config.LDAP.GroupSearchMode = schema.LDAPGroupSearchModeFilter
+	}
+
+	if !utils.IsStringInSlice(config.LDAP.GroupSearchMode, validLDAPGroupSearchModes) {
+		validator.Push(fmt.Errorf(errFmtLDAPAuthBackendOptionMustBeOneOf, "group_search_mode", strJoinOr(validLDAPGroupSearchModes), config.LDAP.GroupSearchMode))
+	}
+
+	pMemberOfDN, pMemberOfRDN := strings.Contains(config.LDAP.GroupsFilter, "{memberof:dn}"), strings.Contains(config.LDAP.GroupsFilter, "{memberof:rdn}")
+
+	if config.LDAP.GroupSearchMode == schema.LDAPGroupSearchModeMemberOf {
+		if !pMemberOfDN && !pMemberOfRDN {
+			validator.Push(fmt.Errorf(errFmtLDAPAuthBackendFilterMissingPlaceholderGroupSearchMode, "groups_filter", strJoinOr([]string{"{memberof:rdn}", "{memberof:dn}"}), config.LDAP.GroupSearchMode))
+		}
+	}
+
+	if pMemberOfDN && config.LDAP.Attributes.DistinguishedName == "" {
+		validator.Push(fmt.Errorf(errFmtLDAPAuthBackendFilterMissingAttribute, "distinguished_name", strJoinOr([]string{"{memberof:dn}"})))
+	}
+
+	if (pMemberOfDN || pMemberOfRDN) && config.LDAP.Attributes.MemberOf == "" {
+		validator.Push(fmt.Errorf(errFmtLDAPAuthBackendFilterMissingAttribute, "member_of", strJoinOr([]string{"{memberof:rdn}", "{memberof:dn}"})))
+	}
 }
--- a/internal/configuration/validator/authentication_test.go
+++ b/internal/configuration/validator/authentication_test.go
@ -577,7 +577,7 @@ func (suite *LDAPAuthenticationBackendSuite) SetupTest() {
 	suite.config.LDAP.User = testLDAPUser
 	suite.config.LDAP.Password = testLDAPPassword
 	suite.config.LDAP.BaseDN = testLDAPBaseDN
-	suite.config.LDAP.UsernameAttribute = "uid"
+	suite.config.LDAP.Attributes.Username = "uid"
 	suite.config.LDAP.UsersFilter = "({username_attribute}={input})"
 	suite.config.LDAP.GroupsFilter = "(cn={input})"
 }
@ -591,12 +591,12 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateCompleteConfigura

 func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateDefaultImplementationAndUsernameAttribute() {
 	suite.config.LDAP.Implementation = ""
-	suite.config.LDAP.UsernameAttribute = ""
+	suite.config.LDAP.Attributes.Username = ""
 	ValidateAuthenticationBackend(&suite.config, suite.validator)

 	suite.Equal(schema.LDAPImplementationCustom, suite.config.LDAP.Implementation)

-	suite.Equal(suite.config.LDAP.UsernameAttribute, schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.UsernameAttribute)
+	suite.Equal(suite.config.LDAP.Attributes.Username, schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Attributes.Username)
 	suite.Len(suite.validator.Warnings(), 0)
 	suite.Len(suite.validator.Errors(), 0)
 }
@ -743,7 +743,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseOnEmptyUsersFilter()
 }

 func (suite *LDAPAuthenticationBackendSuite) TestShouldNotRaiseOnEmptyUsernameAttribute() {
-	suite.config.LDAP.UsernameAttribute = ""
+	suite.config.LDAP.Attributes.Username = ""

 	ValidateAuthenticationBackend(&suite.config, suite.validator)

@ -793,7 +793,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultGroupNameAttrib
 	suite.Len(suite.validator.Warnings(), 0)
 	suite.Len(suite.validator.Errors(), 0)

-	suite.Equal("cn", suite.config.LDAP.GroupNameAttribute)
+	suite.Equal("cn", suite.config.LDAP.Attributes.GroupName)
 }

 func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute() {
@ -802,7 +802,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute()
 	suite.Len(suite.validator.Warnings(), 0)
 	suite.Len(suite.validator.Errors(), 0)

-	suite.Equal("mail", suite.config.LDAP.MailAttribute)
+	suite.Equal("mail", suite.config.LDAP.Attributes.Mail)
 }

 func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultDisplayNameAttribute() {
@ -811,7 +811,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultDisplayNameAttr
 	suite.Len(suite.validator.Warnings(), 0)
 	suite.Len(suite.validator.Errors(), 0)

-	suite.Equal("displayName", suite.config.LDAP.DisplayNameAttribute)
+	suite.Equal("displayName", suite.config.LDAP.Attributes.DisplayName)
 }

 func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultRefreshInterval() {
@ -890,6 +890,64 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldNotAllowSSL30() {
 	suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: tls: option 'minimum_version' is invalid: minimum version is TLS1.0 but SSL3.0 was configured")
 }

+func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnBadSearchMode() {
+	suite.config.LDAP.GroupSearchMode = "memberOF"
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 1)
+
+	suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'group_search_mode' must be one of 'filter' or 'memberof' but it's configured as 'memberOF'")
+}
+
+func (suite *LDAPAuthenticationBackendSuite) TestShouldNoErrorOnPlaceholderSearchMode() {
+	suite.config.LDAP.GroupSearchMode = memberof
+	suite.config.LDAP.GroupsFilter = filterMemberOfRDN
+	suite.config.LDAP.Attributes.MemberOf = memberOf
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Len(suite.validator.Warnings(), 0)
+	suite.Len(suite.validator.Errors(), 0)
+}
+
+func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingPlaceholderSearchMode() {
+	suite.config.LDAP.GroupSearchMode = memberof
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 1)
+
+	suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'groups_filter' must contain one of the '{memberof:rdn}' or '{memberof:dn}' placeholders when using a group_search_mode of 'memberof' but they're absent")
+}
+
+func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingDistinguishedNameDN() {
+	suite.config.LDAP.Attributes.DistinguishedName = ""
+	suite.config.LDAP.GroupsFilter = "(|({memberof:dn}))"
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 2)
+
+	suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: attributes: option 'distinguished_name' must be provided when using the '{memberof:dn}' placeholder but it's absent")
+	suite.EqualError(suite.validator.Errors()[1], "authentication_backend: ldap: attributes: option 'member_of' must be provided when using the '{memberof:rdn}' or '{memberof:dn}' placeholder but it's absent")
+}
+
+func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingMemberOfRDN() {
+	suite.config.LDAP.Attributes.DistinguishedName = ""
+	suite.config.LDAP.GroupsFilter = filterMemberOfRDN
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 1)
+
+	suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: attributes: option 'member_of' must be provided when using the '{memberof:rdn}' or '{memberof:dn}' placeholder but it's absent")
+}
+
 func (suite *LDAPAuthenticationBackendSuite) TestShouldNotAllowTLSVerMinGreaterThanVerMax() {
 	suite.config.LDAP.TLS = &schema.TLSConfig{
 		MinimumVersion: schema.TLSVersion{Value: tls.VersionTLS13},
@ -909,9 +967,7 @@ func TestLDAPAuthenticationBackend(t *testing.T) {
 }

 type ActiveDirectoryAuthenticationBackendSuite struct {
-	suite.Suite
-	config    schema.AuthenticationBackend
-	validator *schema.StructValidator
+	LDAPImplementationSuite
 }

 func (suite *ActiveDirectoryAuthenticationBackendSuite) SetupTest() {
@ -932,81 +988,30 @@ func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldSetActiveDirec
 	suite.Len(suite.validator.Warnings(), 0)
 	suite.Len(suite.validator.Errors(), 0)

-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalUsersDN,
-		suite.config.LDAP.AdditionalUsersDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalGroupsDN,
-		suite.config.LDAP.AdditionalGroupsDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalUsersDN,
-		suite.config.LDAP.AdditionalUsersDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalGroupsDN,
-		suite.config.LDAP.AdditionalGroupsDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsersFilter,
-		suite.config.LDAP.UsersFilter)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsernameAttribute,
-		suite.config.LDAP.UsernameAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.DisplayNameAttribute,
-		suite.config.LDAP.DisplayNameAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.MailAttribute,
-		suite.config.LDAP.MailAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupsFilter,
-		suite.config.LDAP.GroupsFilter)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupNameAttribute,
-		suite.config.LDAP.GroupNameAttribute)
+	suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory)
 }

 func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
 	suite.config.LDAP.Timeout = time.Second * 2
 	suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
-	suite.config.LDAP.UsernameAttribute = "cn"
-	suite.config.LDAP.MailAttribute = "userPrincipalName"
-	suite.config.LDAP.DisplayNameAttribute = "name"
+	suite.config.LDAP.Attributes.Username = "cn"
+	suite.config.LDAP.Attributes.Mail = "userPrincipalName"
+	suite.config.LDAP.Attributes.DisplayName = "name"
 	suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=group)(objectCategory=group))"
-	suite.config.LDAP.GroupNameAttribute = "distinguishedName"
+	suite.config.LDAP.Attributes.GroupName = "distinguishedName"
 	suite.config.LDAP.AdditionalUsersDN = "OU=test"
 	suite.config.LDAP.AdditionalGroupsDN = "OU=grps"
+	suite.config.LDAP.Attributes.MemberOf = member
+	suite.config.LDAP.GroupSearchMode = memberof
+	suite.config.LDAP.Attributes.DistinguishedName = "objectGUID"

 	ValidateAuthenticationBackend(&suite.config, suite.validator)

-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalUsersDN,
-		suite.config.LDAP.AdditionalUsersDN)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalGroupsDN,
-		suite.config.LDAP.AdditionalGroupsDN)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsersFilter,
-		suite.config.LDAP.UsersFilter)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsernameAttribute,
-		suite.config.LDAP.UsernameAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.DisplayNameAttribute,
-		suite.config.LDAP.DisplayNameAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.MailAttribute,
-		suite.config.LDAP.MailAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupsFilter,
-		suite.config.LDAP.GroupsFilter)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupNameAttribute,
-		suite.config.LDAP.GroupNameAttribute)
+	suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory)
+
+	suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
+	suite.Equal("objectGUID", suite.config.LDAP.Attributes.DistinguishedName)
+	suite.Equal(memberof, suite.config.LDAP.GroupSearchMode)
 }

 func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldRaiseErrorOnInvalidURLWithHTTP() {
@ -1023,9 +1028,7 @@ func TestActiveDirectoryAuthenticationBackend(t *testing.T) {
 }

 type RFC2307bisAuthenticationBackendSuite struct {
-	suite.Suite
-	config    schema.AuthenticationBackend
-	validator *schema.StructValidator
+	LDAPImplementationSuite
 }

 func (suite *RFC2307bisAuthenticationBackendSuite) SetupTest() {
@ -1046,78 +1049,29 @@ func (suite *RFC2307bisAuthenticationBackendSuite) TestShouldSetDefaults() {
 	suite.Len(suite.validator.Warnings(), 0)
 	suite.Len(suite.validator.Errors(), 0)

-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalUsersDN,
-		suite.config.LDAP.AdditionalUsersDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalGroupsDN,
-		suite.config.LDAP.AdditionalGroupsDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.UsersFilter,
-		suite.config.LDAP.UsersFilter)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.UsernameAttribute,
-		suite.config.LDAP.UsernameAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.DisplayNameAttribute,
-		suite.config.LDAP.DisplayNameAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.MailAttribute,
-		suite.config.LDAP.MailAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.GroupsFilter,
-		suite.config.LDAP.GroupsFilter)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.GroupNameAttribute,
-		suite.config.LDAP.GroupNameAttribute)
+	suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis)
 }

 func (suite *RFC2307bisAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
 	suite.config.LDAP.Timeout = time.Second * 2
 	suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=Person))"
-	suite.config.LDAP.UsernameAttribute = "o"
-	suite.config.LDAP.MailAttribute = "Email"
-	suite.config.LDAP.DisplayNameAttribute = "Given"
+	suite.config.LDAP.Attributes.Username = "o"
+	suite.config.LDAP.Attributes.Mail = "Email"
+	suite.config.LDAP.Attributes.DisplayName = "Given"
 	suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=posixGroup)(objectClass=top))"
-	suite.config.LDAP.GroupNameAttribute = "gid"
+	suite.config.LDAP.Attributes.GroupName = "gid"
+	suite.config.LDAP.Attributes.MemberOf = member
 	suite.config.LDAP.AdditionalUsersDN = "OU=users,OU=OpenLDAP"
 	suite.config.LDAP.AdditionalGroupsDN = "OU=groups,OU=OpenLDAP"
+	suite.config.LDAP.GroupSearchMode = memberof

 	ValidateAuthenticationBackend(&suite.config, suite.validator)

-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalUsersDN,
-		suite.config.LDAP.AdditionalUsersDN)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalGroupsDN,
-		suite.config.LDAP.AdditionalGroupsDN)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.UsersFilter,
-		suite.config.LDAP.UsersFilter)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.UsernameAttribute,
-		suite.config.LDAP.UsernameAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.DisplayNameAttribute,
-		suite.config.LDAP.DisplayNameAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.MailAttribute,
-		suite.config.LDAP.MailAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.GroupsFilter,
-		suite.config.LDAP.GroupsFilter)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.GroupNameAttribute,
-		suite.config.LDAP.GroupNameAttribute)
+	suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis)
+
+	suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
+	suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
+	suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
 }

 func TestRFC2307bisAuthenticationBackend(t *testing.T) {
@ -1125,9 +1079,7 @@ func TestRFC2307bisAuthenticationBackend(t *testing.T) {
 }

 type FreeIPAAuthenticationBackendSuite struct {
-	suite.Suite
-	config    schema.AuthenticationBackend
-	validator *schema.StructValidator
+	LDAPImplementationSuite
 }

 func (suite *FreeIPAAuthenticationBackendSuite) SetupTest() {
@ -1148,75 +1100,29 @@ func (suite *FreeIPAAuthenticationBackendSuite) TestShouldSetDefaults() {
 	suite.Len(suite.validator.Warnings(), 0)
 	suite.Len(suite.validator.Errors(), 0)

-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalUsersDN,
-		suite.config.LDAP.AdditionalUsersDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalGroupsDN,
-		suite.config.LDAP.AdditionalGroupsDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.UsersFilter,
-		suite.config.LDAP.UsersFilter)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.UsernameAttribute,
-		suite.config.LDAP.UsernameAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.DisplayNameAttribute,
-		suite.config.LDAP.DisplayNameAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.MailAttribute,
-		suite.config.LDAP.MailAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.GroupsFilter,
-		suite.config.LDAP.GroupsFilter)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.GroupNameAttribute,
-		suite.config.LDAP.GroupNameAttribute)
+	suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA)
 }

 func (suite *FreeIPAAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
 	suite.config.LDAP.Timeout = time.Second * 2
 	suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=person)(!(nsAccountLock=TRUE)))"
-	suite.config.LDAP.UsernameAttribute = "dn"
-	suite.config.LDAP.MailAttribute = "email"
-	suite.config.LDAP.DisplayNameAttribute = "gecos"
+	suite.config.LDAP.Attributes.Username = "dn"
+	suite.config.LDAP.Attributes.Mail = "email"
+	suite.config.LDAP.Attributes.DisplayName = "gecos"
 	suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=posixgroup))"
-	suite.config.LDAP.GroupNameAttribute = "groupName"
+	suite.config.LDAP.GroupSearchMode = schema.LDAPGroupSearchModeMemberOf
+	suite.config.LDAP.Attributes.GroupName = "groupName"
+	suite.config.LDAP.Attributes.MemberOf = member
 	suite.config.LDAP.AdditionalUsersDN = "OU=people"
 	suite.config.LDAP.AdditionalGroupsDN = "OU=grp"

 	ValidateAuthenticationBackend(&suite.config, suite.validator)

-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalUsersDN,
-		suite.config.LDAP.AdditionalUsersDN)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalGroupsDN,
-		suite.config.LDAP.AdditionalGroupsDN)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.UsersFilter,
-		suite.config.LDAP.UsersFilter)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.UsernameAttribute,
-		suite.config.LDAP.UsernameAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.DisplayNameAttribute,
-		suite.config.LDAP.DisplayNameAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.MailAttribute,
-		suite.config.LDAP.MailAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.GroupsFilter,
-		suite.config.LDAP.GroupsFilter)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.GroupNameAttribute,
-		suite.config.LDAP.GroupNameAttribute)
+	suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA)
+
+	suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
+	suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
+	suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
 }

 func TestFreeIPAAuthenticationBackend(t *testing.T) {
@ -1224,9 +1130,7 @@ func TestFreeIPAAuthenticationBackend(t *testing.T) {
 }

 type LLDAPAuthenticationBackendSuite struct {
-	suite.Suite
-	config    schema.AuthenticationBackend
-	validator *schema.StructValidator
+	LDAPImplementationSuite
 }

 func (suite *LLDAPAuthenticationBackendSuite) SetupTest() {
@ -1247,78 +1151,29 @@ func (suite *LLDAPAuthenticationBackendSuite) TestShouldSetDefaults() {
 	suite.Len(suite.validator.Warnings(), 0)
 	suite.Len(suite.validator.Errors(), 0)

-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalUsersDN,
-		suite.config.LDAP.AdditionalUsersDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalGroupsDN,
-		suite.config.LDAP.AdditionalGroupsDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.UsersFilter,
-		suite.config.LDAP.UsersFilter)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.UsernameAttribute,
-		suite.config.LDAP.UsernameAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.DisplayNameAttribute,
-		suite.config.LDAP.DisplayNameAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.MailAttribute,
-		suite.config.LDAP.MailAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.GroupsFilter,
-		suite.config.LDAP.GroupsFilter)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.GroupNameAttribute,
-		suite.config.LDAP.GroupNameAttribute)
+	suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP)
 }

 func (suite *LLDAPAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
 	suite.config.LDAP.Timeout = time.Second * 2
 	suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=Person)(!(nsAccountLock=TRUE)))"
-	suite.config.LDAP.UsernameAttribute = "username"
-	suite.config.LDAP.MailAttribute = "m"
-	suite.config.LDAP.DisplayNameAttribute = "fn"
+	suite.config.LDAP.Attributes.Username = "username"
+	suite.config.LDAP.Attributes.Mail = "m"
+	suite.config.LDAP.Attributes.DisplayName = "fn"
+	suite.config.LDAP.Attributes.MemberOf = member
 	suite.config.LDAP.GroupsFilter = "(&(member={dn})(!(objectClass=posixGroup)))"
-	suite.config.LDAP.GroupNameAttribute = "grpz"
+	suite.config.LDAP.Attributes.GroupName = "grpz"
 	suite.config.LDAP.AdditionalUsersDN = "OU=no"
 	suite.config.LDAP.AdditionalGroupsDN = "OU=yes"
+	suite.config.LDAP.GroupSearchMode = memberof

 	ValidateAuthenticationBackend(&suite.config, suite.validator)

-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalUsersDN,
-		suite.config.LDAP.AdditionalUsersDN)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalGroupsDN,
-		suite.config.LDAP.AdditionalGroupsDN)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.UsersFilter,
-		suite.config.LDAP.UsersFilter)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.UsernameAttribute,
-		suite.config.LDAP.UsernameAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.DisplayNameAttribute,
-		suite.config.LDAP.DisplayNameAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.MailAttribute,
-		suite.config.LDAP.MailAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.GroupsFilter,
-		suite.config.LDAP.GroupsFilter)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.GroupNameAttribute,
-		suite.config.LDAP.GroupNameAttribute)
+	suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP)
+
+	suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
+	suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
+	suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
 }

 func TestLLDAPAuthenticationBackend(t *testing.T) {
@ -1326,9 +1181,7 @@ func TestLLDAPAuthenticationBackend(t *testing.T) {
 }

 type GLAuthAuthenticationBackendSuite struct {
-	suite.Suite
-	config    schema.AuthenticationBackend
-	validator *schema.StructValidator
+	LDAPImplementationSuite
 }

 func (suite *GLAuthAuthenticationBackendSuite) SetupTest() {
@ -1349,80 +1202,80 @@ func (suite *GLAuthAuthenticationBackendSuite) TestShouldSetDefaults() {
 	suite.Len(suite.validator.Warnings(), 0)
 	suite.Len(suite.validator.Errors(), 0)

-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalUsersDN,
-		suite.config.LDAP.AdditionalUsersDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalGroupsDN,
-		suite.config.LDAP.AdditionalGroupsDN)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.UsersFilter,
-		suite.config.LDAP.UsersFilter)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.UsernameAttribute,
-		suite.config.LDAP.UsernameAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.DisplayNameAttribute,
-		suite.config.LDAP.DisplayNameAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.MailAttribute,
-		suite.config.LDAP.MailAttribute)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.GroupsFilter,
-		suite.config.LDAP.GroupsFilter)
-	suite.Equal(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.GroupNameAttribute,
-		suite.config.LDAP.GroupNameAttribute)
+	suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth)
 }

 func (suite *GLAuthAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
 	suite.config.LDAP.Timeout = time.Second * 2
 	suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=Person)(!(accountStatus=inactive)))"
-	suite.config.LDAP.UsernameAttribute = "description"
-	suite.config.LDAP.MailAttribute = "sender"
-	suite.config.LDAP.DisplayNameAttribute = "given"
+	suite.config.LDAP.Attributes.Username = "description"
+	suite.config.LDAP.Attributes.Mail = "sender"
+	suite.config.LDAP.Attributes.DisplayName = "given"
 	suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=posixGroup))"
-	suite.config.LDAP.GroupNameAttribute = "grp"
+	suite.config.LDAP.Attributes.GroupName = "grp"
 	suite.config.LDAP.AdditionalUsersDN = "OU=users,OU=GlAuth"
 	suite.config.LDAP.AdditionalGroupsDN = "OU=groups,OU=GLAuth"
+	suite.config.LDAP.Attributes.MemberOf = member
+	suite.config.LDAP.GroupSearchMode = memberof

 	ValidateAuthenticationBackend(&suite.config, suite.validator)

-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalUsersDN,
-		suite.config.LDAP.AdditionalUsersDN)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalGroupsDN,
-		suite.config.LDAP.AdditionalGroupsDN)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Timeout,
-		suite.config.LDAP.Timeout)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.UsersFilter,
-		suite.config.LDAP.UsersFilter)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.UsernameAttribute,
-		suite.config.LDAP.UsernameAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.DisplayNameAttribute,
-		suite.config.LDAP.DisplayNameAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.MailAttribute,
-		suite.config.LDAP.MailAttribute)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.GroupsFilter,
-		suite.config.LDAP.GroupsFilter)
-	suite.NotEqual(
-		schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.GroupNameAttribute,
-		suite.config.LDAP.GroupNameAttribute)
+	suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth)
+
+	suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
+	suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
+	suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
 }

 func TestGLAuthAuthenticationBackend(t *testing.T) {
 	suite.Run(t, new(GLAuthAuthenticationBackendSuite))
 }
+
+type LDAPImplementationSuite struct {
+	suite.Suite
+	config    schema.AuthenticationBackend
+	validator *schema.StructValidator
+}
+
+func (suite *LDAPImplementationSuite) EqualImplementationDefaults(expected schema.LDAPAuthenticationBackend) {
+	suite.Equal(expected.Timeout, suite.config.LDAP.Timeout)
+	suite.Equal(expected.AdditionalUsersDN, suite.config.LDAP.AdditionalUsersDN)
+	suite.Equal(expected.AdditionalGroupsDN, suite.config.LDAP.AdditionalGroupsDN)
+	suite.Equal(expected.UsersFilter, suite.config.LDAP.UsersFilter)
+	suite.Equal(expected.GroupsFilter, suite.config.LDAP.GroupsFilter)
+	suite.Equal(expected.GroupSearchMode, suite.config.LDAP.GroupSearchMode)
+
+	suite.Equal(expected.Attributes.DistinguishedName, suite.config.LDAP.Attributes.DistinguishedName)
+	suite.Equal(expected.Attributes.Username, suite.config.LDAP.Attributes.Username)
+	suite.Equal(expected.Attributes.DisplayName, suite.config.LDAP.Attributes.DisplayName)
+	suite.Equal(expected.Attributes.Mail, suite.config.LDAP.Attributes.Mail)
+	suite.Equal(expected.Attributes.MemberOf, suite.config.LDAP.Attributes.MemberOf)
+	suite.Equal(expected.Attributes.GroupName, suite.config.LDAP.Attributes.GroupName)
+}
+
+func (suite *LDAPImplementationSuite) NotEqualImplementationDefaults(expected schema.LDAPAuthenticationBackend) {
+	suite.NotEqual(expected.Timeout, suite.config.LDAP.Timeout)
+	suite.NotEqual(expected.UsersFilter, suite.config.LDAP.UsersFilter)
+	suite.NotEqual(expected.GroupsFilter, suite.config.LDAP.GroupsFilter)
+	suite.NotEqual(expected.GroupSearchMode, suite.config.LDAP.GroupSearchMode)
+	suite.NotEqual(expected.Attributes.Username, suite.config.LDAP.Attributes.Username)
+	suite.NotEqual(expected.Attributes.DisplayName, suite.config.LDAP.Attributes.DisplayName)
+	suite.NotEqual(expected.Attributes.Mail, suite.config.LDAP.Attributes.Mail)
+	suite.NotEqual(expected.Attributes.GroupName, suite.config.LDAP.Attributes.GroupName)
+
+	if expected.Attributes.DistinguishedName != "" {
+		suite.NotEqual(expected.Attributes.DistinguishedName, suite.config.LDAP.Attributes.DistinguishedName)
+	}
+
+	if expected.AdditionalUsersDN != "" {
+		suite.NotEqual(expected.AdditionalUsersDN, suite.config.LDAP.AdditionalUsersDN)
+	}
+
+	if expected.AdditionalGroupsDN != "" {
+		suite.NotEqual(expected.AdditionalGroupsDN, suite.config.LDAP.AdditionalGroupsDN)
+	}
+
+	if expected.Attributes.MemberOf != "" {
+		suite.NotEqual(expected.Attributes.MemberOf, suite.config.LDAP.Attributes.MemberOf)
+	}
+}
--- a/internal/configuration/validator/const.go
+++ b/internal/configuration/validator/const.go
@ -98,9 +98,9 @@ const (
 	errFmtLDAPAuthBackendUnauthenticatedBindWithPassword     = "authentication_backend: ldap: option 'permit_unauthenticated_bind' can't be enabled when a password is specified"
 	errFmtLDAPAuthBackendUnauthenticatedBindWithResetEnabled = "authentication_backend: ldap: option 'permit_unauthenticated_bind' can't be enabled when password reset is enabled"

-	errFmtLDAPAuthBackendMissingOption    = "authentication_backend: ldap: option '%s' is required"
-	errFmtLDAPAuthBackendTLSConfigInvalid = "authentication_backend: ldap: tls: %w"
-	errFmtLDAPAuthBackendImplementation   = "authentication_backend: ldap: option 'implementation' " +
+	errFmtLDAPAuthBackendMissingOption     = "authentication_backend: ldap: option '%s' is required"
+	errFmtLDAPAuthBackendTLSConfigInvalid  = "authentication_backend: ldap: tls: %w"
+	errFmtLDAPAuthBackendOptionMustBeOneOf = "authentication_backend: ldap: option '%s' " +
 		errSuffixMustBeOneOf
 	errFmtLDAPAuthBackendFilterReplacedPlaceholders = "authentication_backend: ldap: option " +
 		"'%s' has an invalid placeholder: '%s' has been removed, please use '%s' instead"
@ -109,6 +109,10 @@ const (
 		"'%s' must contain enclosing parenthesis: '%s' should probably be '(%s)'"
 	errFmtLDAPAuthBackendFilterMissingPlaceholder = "authentication_backend: ldap: option " +
 		"'%s' must contain the placeholder '{%s}' but it's absent"
+	errFmtLDAPAuthBackendFilterMissingPlaceholderGroupSearchMode = "authentication_backend: ldap: option " +
+		"'%s' must contain one of the %s placeholders when using a group_search_mode of '%s' but they're absent"
+	errFmtLDAPAuthBackendFilterMissingAttribute = "authentication_backend: ldap: attributes: option " +
+		"'%s' must be provided when using the %s placeholder but it's absent"
 )

 // TOTP Error constants.
@ -374,17 +378,6 @@ const (
 	operatorNotPattern = "not pattern"
 )

-var (
-	validLDAPImplementations = []string{
-		schema.LDAPImplementationCustom,
-		schema.LDAPImplementationActiveDirectory,
-		schema.LDAPImplementationRFC2307bis,
-		schema.LDAPImplementationFreeIPA,
-		schema.LDAPImplementationLLDAP,
-		schema.LDAPImplementationGLAuth,
-	}
-)
-
 const (
 	legacy                      = "legacy"
 	authzImplementationLegacy   = "Legacy"
@ -400,6 +393,22 @@ var (
 	validAuthzAuthnStrategies = []string{"CookieSession", "HeaderAuthorization", "HeaderProxyAuthorization", "HeaderAuthRequestProxyAuthorization", "HeaderLegacy"}
 )

+var (
+	validLDAPImplementations = []string{
+		schema.LDAPImplementationCustom,
+		schema.LDAPImplementationActiveDirectory,
+		schema.LDAPImplementationRFC2307bis,
+		schema.LDAPImplementationFreeIPA,
+		schema.LDAPImplementationLLDAP,
+		schema.LDAPImplementationGLAuth,
+	}
+
+	validLDAPGroupSearchModes = []string{
+		schema.LDAPGroupSearchModeFilter,
+		schema.LDAPGroupSearchModeMemberOf,
+	}
+)
+
 var (
 	validArgon2Variants    = []string{"argon2id", "id", "argon2i", "i", "argon2d", "d"}
 	validSHA2CryptVariants = []string{digestSHA256, digestSHA512}
--- a/internal/configuration/validator/const_test.go
+++ b/internal/configuration/validator/const_test.go
@ -13,6 +13,11 @@ const (
 	testLDAPURL       = "ldap://ldap"
 	testLDAPUser      = "user"
 	testEncryptionKey = "a_not_so_secure_encryption_key"
+
+	member            = "member"
+	memberof          = "memberof"
+	memberOf          = "memberOf"
+	filterMemberOfRDN = "(|({memberof:rdn}))"
 )

 const (
--- a/internal/handlers/handler_authz_grpc.go
+++ b/internal/handlers/handler_authz_grpc.go
@ -0,0 +1,410 @@
+package handlers
+
+import (
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/url"
+	"strings"
+
+	"github.com/authelia/authelia/v4/internal/authorization"
+	"github.com/authelia/authelia/v4/internal/configuration/schema"
+	"github.com/authelia/authelia/v4/internal/middlewares"
+	"github.com/authelia/authelia/v4/internal/session"
+	"github.com/authelia/authelia/v4/internal/utils"
+	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	autha "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	envoy_type "github.com/envoyproxy/go-control-plane/envoy/type/v3"
+	"github.com/gogo/googleapis/google/rpc"
+	"github.com/valyala/fasthttp"
+	rpcstatus "google.golang.org/genproto/googleapis/rpc/status"
+	"google.golang.org/grpc/codes"
+	healthpb "google.golang.org/grpc/health/grpc_health_v1"
+	"google.golang.org/grpc/status"
+
+	"context"
+)
+
+type AuthzGRCP struct {
+	Config         *schema.Configuration
+	Providers      middlewares.Providers
+	AuthStrategies []AuthnStrategy
+	Authz          Authz
+}
+
+func NewAuthzGRCP(config *schema.Configuration, providers middlewares.Providers) *AuthzGRCP {
+
+	// Determine the refresh interval
+	authBuilder := NewAuthzBuilder().WithConfig(config)
+
+	// Only the following strategies are supported. These are hardcoded at the moment and won't be taken from the configuration
+	strategies := []AuthnStrategy{NewHeaderProxyAuthorizationAuthnStrategy() /* NewHeaderAuthorizationAuthnStrategy(), */, NewCookieSessionAuthnStrategy(authBuilder.config.RefreshInterval)}
+
+	return &AuthzGRCP{
+		Config:         config,
+		Providers:      providers,
+		AuthStrategies: strategies,
+		Authz:          Authz{strategies: strategies},
+	}
+}
+
+type GRCPRequestData struct {
+	RemoteHost  string
+	Domain      string
+	Method      string
+	Protocol    string
+	Path        string
+	AutheliaURL string
+}
+
+func (data *GRCPRequestData) String() string {
+	return fmt.Sprintf(
+		`Extracted data from headers:
+Remote Host = %s
+Domain      = %s
+Method      = %s
+Protocol    = %s
+Path        = %s
+AutheliaURL = %s
+`, data.RemoteHost, data.Domain, data.Method, data.Protocol, data.Path, data.AutheliaURL)
+}
+
+// GetRequestURI returns a request URI from the provided Data inside this struct.
+// It returns an error if values are missing
+func (data *GRCPRequestData) GetRequestURI() (*url.URL, error) {
+	if len(data.Protocol) == 0 || len(data.Domain) == 0 || len(data.Path) == 0 || len(data.Method) == 0 {
+		return nil, fmt.Errorf("missing required values for URI. One of 'Protocol', 'Domain', 'Path' or 'Method' was not found")
+	}
+
+	return url.ParseRequestURI(fmt.Sprintf("%s://%s%s", data.Protocol, data.Domain, data.Path))
+}
+
+// GetAutheliaURI returns a URI for the authelia protal from the provided Data inside this struct.
+func (data *GRCPRequestData) GetAutheliaURI(provider *session.Session) (*url.URL, error) {
+	if len(data.AutheliaURL) == 0 {
+		return nil, fmt.Errorf("missing required 'AutheliaURL' for request")
+	}
+
+	// Parse the URL
+	uri, err := url.ParseRequestURI(data.AutheliaURL)
+	if err != nil {
+		return nil, err
+	}
+
+	// Validate URL
+	if !utils.HasURIDomainSuffix(uri, provider.Config.Domain) {
+		return nil, fmt.Errorf("authelia url '%s' is not valid for detected domain '%s' as the url does not have the domain as a suffix", data.AutheliaURL, provider.Config.Domain)
+	}
+
+	return uri, nil
+}
+
+// HandleGRPC is the authentication handler for envoy proxies via the gRPC protocoll.
+// It is oriented on handler_authz.go
+func (authz *AuthzGRCP) Check(goCtx context.Context, req *autha.CheckRequest) (*autha.CheckResponse, error) {
+	request, data := authz.GetHttpCtxFromGRPC(req)
+	ctx := middlewares.NewAutheliaCtx(request, *authz.Config, authz.Providers)
+
+	// Log the parsed data and the inbound headers
+	ctx.Logger.Debug(data)
+	b, err := json.MarshalIndent(req.Attributes.Request.Http.Headers, "", "  ")
+	if err == nil {
+		ctx.Logger.Trace("Inbound Headers: ")
+		ctx.Logger.Trace((string(b)))
+	}
+
+	// Get request URI
+	uri, err := data.GetRequestURI()
+	if err != nil {
+		ctx.Logger.WithError(err).Error("Error getting Target URL and Request Method")
+		return authz.ErrAuthResponse(envoy_type.StatusCode_BadRequest, "Bad authentication request"), nil
+	}
+
+	// Get authentication object
+	object := authorization.NewObject(uri, data.Method)
+	if !utils.IsURISecure(object.URL) {
+		// Check for redirect
+		if !ctx.Configuration.Server.DisableAutoHttpsRedirect {
+			// Redirect to https
+			return authz.AuthResponseHeader(envoy_type.StatusCode_PermanentRedirect, "", []*core.HeaderValueOption{
+				{
+					Header: &core.HeaderValue{
+						Key:   "Location",
+						Value: fmt.Sprintf("https://%s%s", data.Domain, data.Path),
+					},
+				},
+			}), nil
+		}
+		ctx.Logger.Errorf("Target URL '%s' has an insecure scheme '%s', only the 'https' and 'wss' schemes are supported so session cookies can be transmitted securely", object.URL.String(), object.URL.Scheme)
+		return authz.ErrAuthResponse(envoy_type.StatusCode_BadRequest, "Bad protocol for authentication request"), nil
+	}
+
+	// Get provider
+	provider, err := ctx.GetSessionProviderByTargetURL(object.URL)
+	if err != nil {
+		ctx.Logger.WithError(err).WithField("target_url", object.URL.String()).Error("Target URL does not appear to have a relevant session cookies configuration")
+		return authz.ErrAuthResponse(envoy_type.StatusCode_BadRequest, "Bad domain for authentication request"), nil
+	}
+
+	// Get authelia url
+	if len(data.AutheliaURL) == 0 {
+		ctx.Logger.Info("Received no authelia URL from headers. Using the default of https://auth.rpjosh.de")
+		data.AutheliaURL = "https://auth.rpjosh.de"
+	}
+	autheliaURI, err := data.GetAutheliaURI(provider)
+	if err != nil {
+		ctx.Logger.WithError(err).WithField("target_url", object.URL.String()).Error("Error occurred trying to determine the external Authelia URL for Target URL")
+		return authz.ErrAuthResponse(envoy_type.StatusCode_BadRequest, "Bad authentication request"), nil
+	}
+	ctx.Logger.Trace("Using authelia URL " + autheliaURI.String())
+
+	var (
+		authn    Authn
+		strategy AuthnStrategy
+	)
+
+	// Get strategie
+	if authn, strategy, err = authz.Authz.authn(ctx, provider); err != nil {
+		authn.Object = object
+
+		ctx.Logger.WithError(err).Error("Error occurred while attempting to authenticate a request")
+
+		switch strategy {
+		case nil:
+			ctx.Logger.Trace("Received no strategy to use")
+			return authz.ErrAuthResponse(envoy_type.StatusCode_Unauthorized, "Unauthorized"), nil
+		default:
+			// Because the response is modified directly, we have to catch this and rewrite this function
+			if s, ok := strategy.(*HeaderAuthnStrategy); ok {
+				ctx.Logger.Trace("Rewriting HeaderAuthnStrategy")
+				ctx.Logger.Debugf("Responding %d %s", s.authn, autheliaURI)
+
+				headers := make([]*core.HeaderValueOption, 0)
+				if s.headerAuthenticate != nil {
+					headers = append(headers, &core.HeaderValueOption{
+						Header: &core.HeaderValue{
+							Key:   string(s.headerAuthenticate),
+							Value: string(headerValueAuthenticateBasic),
+						},
+					})
+				}
+
+				return authz.AuthResponseHeader(envoy_type.StatusCode(s.statusAuthenticate), "", headers), nil
+			} else if _, ok := strategy.(*CookieSessionAuthnStrategy); ok {
+				ctx.Logger.Trace("Rewriting CookieSessionAuthnStrategy")
+
+			}
+
+			ctx.Logger.Error("Received unsupported auth strategy for gRPC server")
+			// strategy.HandleUnauthorized(ctx, &authn, authz.Authz.getRedirectionURL(&object, autheliaURI))
+		}
+
+		return authz.ErrAuthResponse(envoy_type.StatusCode_Unauthorized, "Unauthorized"), nil
+	}
+
+	authn.Object = object
+	authn.Method = friendlyMethod(authn.Object.Method)
+
+	ruleHasSubject, required := ctx.Providers.Authorizer.GetRequiredLevel(
+		authorization.Subject{
+			Username: authn.Details.Username,
+			Groups:   authn.Details.Groups,
+			IP:       net.ParseIP(data.RemoteHost),
+		},
+		object,
+	)
+
+	switch isAuthzResult(authn.Level, required, ruleHasSubject) {
+	case AuthzResultForbidden:
+		ctx.Logger.Infof("Access to '%s' is forbidden to user '%s'", object.URL.String(), authn.Username)
+		return authz.ErrAuthResponse(envoy_type.StatusCode_Forbidden, "Forbidden"), nil
+	case AuthzResultUnauthorized:
+		if strategy != nil {
+			ctx.Logger.Error("Handling not supported handler")
+			//strategy.HandleUnauthorized(ctx, &authn, authz.Authz.getRedirectionURL(&object, autheliaURI))
+		} else {
+			ctx.Logger.Debugf("Redirecting user")
+			return authz.HandleUnauthorizedRedirect(ctx, &authn, authz.Authz.getRedirectionURL(&object, autheliaURI)), nil
+		}
+	case AuthzResultAuthorized:
+		ctx.Logger.Debugf("Authorized request")
+		return authz.HandleAuthorized(ctx, &authn), nil
+		//authz.Authz.handleAuthorized(ctx, &authn)
+	}
+
+	ctx.Logger.Info("Handling default redirection")
+	return authz.HandleUnauthorizedRedirect(ctx, &authn, authz.Authz.getRedirectionURL(&object, autheliaURI)), nil
+}
+
+// GetHttpCtxFromGRPC is an Adapter that converts common fields between a grpc request
+// a "normal" http request.
+// It also returns the
+func (authz *AuthzGRCP) GetHttpCtxFromGRPC(req *autha.CheckRequest) (*fasthttp.RequestCtx, *GRCPRequestData) {
+
+	// Extract headers
+	headers := req.Attributes.Request.Http.Headers
+
+	// Parse the header data
+	data := &GRCPRequestData{
+		RemoteHost:  headers["x-forwarded-for"],
+		Domain:      headers[":authority"],
+		Method:      headers[":method"],
+		Protocol:    headers["x-forwarded-proto"],
+		Path:        headers[":path"],
+		AutheliaURL: headers[""],
+	}
+
+	// Build fasthttp request with common types
+	rtc := &fasthttp.RequestCtx{}
+
+	// General headers
+	rtc.Request.Header.Set(fasthttp.HeaderXForwardedFor, data.RemoteHost)
+
+	// Needed for NewHeaderProxyAuthorizationAuthnStrategy and NewHeaderAuthorizationAuthnStrategy
+	authz.setHeaderIfSet(fasthttp.HeaderAuthorization, rtc, &headers)
+	authz.setHeaderIfSet(fasthttp.HeaderProxyAuthorization, rtc, &headers)
+	authz.setHeaderIfSet(fasthttp.HeaderWWWAuthenticate, rtc, &headers)
+	authz.setHeaderIfSet(fasthttp.HeaderProxyAuthenticate, rtc, &headers)
+
+	// Needed for CookieSesseionauthnStrategy
+	rtc.Request.Header.Set("cookie", headers["cookie"])
+
+	return rtc, data
+}
+
+// setHeaderIfSet sets the header in the given fastHttp request if the header from the envoy authentication
+// request was also set
+func (authz *AuthzGRCP) setHeaderIfSet(headerKeyFast string, rtc *fasthttp.RequestCtx, envoyHeaders *map[string]string) {
+	// Envoys provided header keys are always lower case
+	envoyHeaderKey := strings.ToLower(headerKeyFast)
+
+	if val, isSet := (*envoyHeaders)[envoyHeaderKey]; isSet {
+		rtc.Request.Header.Set(headerKeyFast, val)
+	}
+}
+
+// ErrAuthResponse returns an authentication error for envoy with the given status code
+// and the given text body
+func (authz *AuthzGRCP) ErrAuthResponse(statuscode envoy_type.StatusCode, body string) *autha.CheckResponse {
+	return &autha.CheckResponse{
+		Status: &rpcstatus.Status{
+			Code: int32(rpc.UNAUTHENTICATED),
+		},
+		HttpResponse: &autha.CheckResponse_DeniedResponse{
+			DeniedResponse: &autha.DeniedHttpResponse{
+				Status: &envoy_type.HttpStatus{
+					Code: statuscode,
+				},
+				Body: body,
+			},
+		},
+	}
+}
+
+// ErrAuthResponse returns an authentication error for envoy with the given status code
+// and the given text body
+func (authz *AuthzGRCP) AuthResponseHeader(statuscode envoy_type.StatusCode, body string, headers []*core.HeaderValueOption) *autha.CheckResponse {
+	return &autha.CheckResponse{
+		Status: &rpcstatus.Status{
+			Code: int32(rpc.UNAUTHENTICATED),
+		},
+		HttpResponse: &autha.CheckResponse_DeniedResponse{
+			DeniedResponse: &autha.DeniedHttpResponse{
+				Status: &envoy_type.HttpStatus{
+					Code: statuscode,
+				},
+				Body:    body,
+				Headers: headers,
+			},
+		},
+	}
+}
+
+func (authz *AuthzGRCP) HandleAuthorized(ctx *middlewares.AutheliaCtx, authn *Authn) *autha.CheckResponse {
+	return &autha.CheckResponse{
+		Status: &rpcstatus.Status{
+			Code: int32(rpc.OK),
+		},
+		HttpResponse: &autha.CheckResponse_OkResponse{
+			OkResponse: &autha.OkHttpResponse{
+				Headers: []*core.HeaderValueOption{
+					{
+						Header: &core.HeaderValue{
+							Key:   "Auth-Handler",
+							Value: getAuthType(authn.Type),
+						},
+					},
+					{
+						Header: &core.HeaderValue{
+							Key:   "Auth-Username",
+							Value: authn.Username,
+						},
+					},
+					{
+						Header: &core.HeaderValue{
+							Key:   "Auth-Username-Display",
+							Value: authn.Details.DisplayName,
+						},
+					},
+					{
+						Header: &core.HeaderValue{
+							Key:   "Auth-Realm",
+							Value: authn.Object.Domain,
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func (authz *AuthzGRCP) HandleUnauthorizedRedirect(ctx *middlewares.AutheliaCtx, authn *Authn, redirectionURL *url.URL) *autha.CheckResponse {
+	return &autha.CheckResponse{
+		Status: &rpcstatus.Status{
+			Code: int32(rpc.UNAUTHENTICATED),
+		},
+		HttpResponse: &autha.CheckResponse_DeniedResponse{
+			DeniedResponse: &autha.DeniedHttpResponse{
+				Status: &envoy_type.HttpStatus{
+					Code: 302,
+				},
+				Headers: []*core.HeaderValueOption{
+					{
+						Header: &core.HeaderValue{
+							Key:   "Location",
+							Value: redirectionURL.String(),
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func getAuthType(t AuthnType) string {
+
+	switch t {
+	case AuthnTypeNone:
+		return "none"
+	case AuthnTypeCookie:
+		return "cookie"
+	case AuthnTypeProxyAuthorization:
+		return "proxy"
+	case AuthnTypeAuthorization:
+		return "header"
+	default:
+		return "unknown"
+	}
+}
+
+// HealthEndpoint implements a health function to check if the appliction is
+// still alive
+type HealthEndpoint struct{}
+
+func (s *HealthEndpoint) Check(ctx context.Context, in *healthpb.HealthCheckRequest) (*healthpb.HealthCheckResponse, error) {
+	return &healthpb.HealthCheckResponse{Status: healthpb.HealthCheckResponse_SERVING}, nil
+}
+
+func (s *HealthEndpoint) Watch(in *healthpb.HealthCheckRequest, srv healthpb.Health_WatchServer) error {
+	return status.Error(codes.Unimplemented, "Watch is not implemented")
+}
--- a/internal/handlers/handler_firstfactor.go
+++ b/internal/handlers/handler_firstfactor.go
@ -33,7 +33,7 @@ func FirstFactorPOST(delayFunc middlewares.TimingAttackDelayFunc) middlewares.Re
 			return
 		}

-		if bannedUntil, err := ctx.Providers.Regulator.Regulate(ctx, bodyJSON.Username); err != nil {
+		if bannedUntil, err := ctx.Providers.Regulator.Regulate(ctx, bodyJSON.Username, ctx.RemoteIP().String()); err != nil {
 			if errors.Is(err, regulation.ErrUserIsBanned) {
 				_ = markAuthenticationAttempt(ctx, false, &bannedUntil, bodyJSON.Username, regulation.AuthType1FA, nil)

--- a/internal/handlers/response.go
+++ b/internal/handlers/response.go
@ -277,13 +277,18 @@ func markAuthenticationAttempt(ctx *middlewares.AutheliaCtx, successful bool, ba
 	if successful {
 		ctx.Logger.Debugf("Successful %s authentication attempt made by user '%s'", authType, username)
 	} else {
+		reasonPhrase := "by user '" + username + "'"
+		if ctx.Configuration.Server.UseIPInsteadOfUserForBan {
+			reasonPhrase = fmt.Sprintf("by ip %q (user %q)", ctx.RemoteIP().String(), username)
+		}
+
 		switch {
 		case errAuth != nil:
-			ctx.Logger.Errorf("Unsuccessful %s authentication attempt by user '%s': %+v", authType, username, errAuth)
+			ctx.Logger.Errorf("Unsuccessful %s authentication attempt %s: %+v", authType, reasonPhrase, errAuth)
 		case bannedUntil != nil:
-			ctx.Logger.Errorf("Unsuccessful %s authentication attempt by user '%s' and they are banned until %s", authType, username, bannedUntil)
+			ctx.Logger.Errorf("Unsuccessful %s authentication attempt %s and they are banned until %s", authType, reasonPhrase, bannedUntil)
 		default:
-			ctx.Logger.Errorf("Unsuccessful %s authentication attempt by user '%s'", authType, username)
+			ctx.Logger.Errorf("Unsuccessful %s authentication attempt %s", authType, reasonPhrase)
 		}
 	}

--- a/internal/mocks/storage.go
+++ b/internal/mocks/storage.go
@ -210,18 +210,18 @@ func (mr *MockStorageMockRecorder) FindIdentityVerification(arg0, arg1 interface
 }

 // LoadAuthenticationLogs mocks base method.
-func (m *MockStorage) LoadAuthenticationLogs(arg0 context.Context, arg1 string, arg2 time.Time, arg3, arg4 int) ([]model.AuthenticationAttempt, error) {
+func (m *MockStorage) LoadAuthenticationLogs(arg0 context.Context, arg1, arg2 string, arg3 time.Time, arg4, arg5 int) ([]model.AuthenticationAttempt, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "LoadAuthenticationLogs", arg0, arg1, arg2, arg3, arg4)
+	ret := m.ctrl.Call(m, "LoadAuthenticationLogs", arg0, arg1, arg2, arg3, arg4, arg5)
 	ret0, _ := ret[0].([]model.AuthenticationAttempt)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }

 // LoadAuthenticationLogs indicates an expected call of LoadAuthenticationLogs.
-func (mr *MockStorageMockRecorder) LoadAuthenticationLogs(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call {
+func (mr *MockStorageMockRecorder) LoadAuthenticationLogs(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LoadAuthenticationLogs", reflect.TypeOf((*MockStorage)(nil).LoadAuthenticationLogs), arg0, arg1, arg2, arg3, arg4)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LoadAuthenticationLogs", reflect.TypeOf((*MockStorage)(nil).LoadAuthenticationLogs), arg0, arg1, arg2, arg3, arg4, arg5)
 }

 // LoadOAuth2BlacklistedJTI mocks base method.
--- a/internal/regulation/regulator.go
+++ b/internal/regulation/regulator.go
@ -40,13 +40,13 @@ func (r *Regulator) Mark(ctx Context, successful, banned bool, username, request

 // Regulate the authentication attempts for a given user.
 // This method returns ErrUserIsBanned if the user is banned along with the time until when the user is banned.
-func (r *Regulator) Regulate(ctx context.Context, username string) (time.Time, error) {
+func (r *Regulator) Regulate(ctx context.Context, username string, remoteIp string) (time.Time, error) {
 	// If there is regulation configuration, no regulation applies.
 	if !r.enabled {
 		return time.Time{}, nil
 	}

-	attempts, err := r.store.LoadAuthenticationLogs(ctx, username, r.clock.Now().Add(-r.config.BanTime), 10, 0)
+	attempts, err := r.store.LoadAuthenticationLogs(ctx, username, remoteIp, r.clock.Now().Add(-r.config.BanTime), 10, 0)
 	if err != nil {
 		return time.Time{}, nil
 	}
--- a/internal/regulation/regulator_test.go
+++ b/internal/regulation/regulator_test.go
@ -23,6 +23,8 @@ type RegulatorSuite struct {
 	mock *mocks.MockAutheliaCtx
 }

+// @TODO
+// Extend this test for IP ban :)
 func (s *RegulatorSuite) SetupTest() {
 	s.mock = mocks.NewMockAutheliaCtx(s.T())
 	s.mock.Ctx.Configuration.Regulation = schema.RegulationConfiguration{
@ -58,9 +60,9 @@ func (s *RegulatorSuite) TestShouldMark() {
 func (s *RegulatorSuite) TestShouldHandleRegulateError() {
 	regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)

-	s.mock.StorageMock.EXPECT().LoadAuthenticationLogs(s.mock.Ctx, "john", s.mock.Clock.Now().Add(-s.mock.Ctx.Configuration.Regulation.BanTime), 10, 0).Return(nil, fmt.Errorf("failed"))
+	s.mock.StorageMock.EXPECT().LoadAuthenticationLogs(s.mock.Ctx, "john", "127.0.0.1", s.mock.Clock.Now().Add(-s.mock.Ctx.Configuration.Regulation.BanTime), 10, 0).Return(nil, fmt.Errorf("failed"))

-	until, err := regulator.Regulate(s.mock.Ctx, "john")
+	until, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")

 	s.NoError(err)
 	s.Equal(time.Time{}, until)
@ -76,12 +78,12 @@ func (s *RegulatorSuite) TestShouldNotThrowWhenUserIsLegitimate() {
 	}

 	s.mock.StorageMock.EXPECT().
-		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
+		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
 		Return(attemptsInDB, nil)

 	regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)

-	_, err := regulator.Regulate(s.mock.Ctx, "john")
+	_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
 	assert.NoError(s.T(), err)
 }

@ -107,12 +109,12 @@ func (s *RegulatorSuite) TestShouldNotThrowWhenFailedAuthenticationNotInFindTime
 	}

 	s.mock.StorageMock.EXPECT().
-		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
+		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
 		Return(attemptsInDB, nil)

 	regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)

-	_, err := regulator.Regulate(s.mock.Ctx, "john")
+	_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
 	assert.NoError(s.T(), err)
 }

@ -143,12 +145,12 @@ func (s *RegulatorSuite) TestShouldBanUserIfLatestAttemptsAreWithinFinTime() {
 	}

 	s.mock.StorageMock.EXPECT().
-		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
+		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
 		Return(attemptsInDB, nil)

 	regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)

-	_, err := regulator.Regulate(s.mock.Ctx, "john")
+	_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
 	assert.Equal(s.T(), regulation.ErrUserIsBanned, err)
 }

@ -176,12 +178,12 @@ func (s *RegulatorSuite) TestShouldCheckUserIsStillBanned() {
 	}

 	s.mock.StorageMock.EXPECT().
-		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
+		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
 		Return(attemptsInDB, nil)

 	regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)

-	_, err := regulator.Regulate(s.mock.Ctx, "john")
+	_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
 	assert.Equal(s.T(), regulation.ErrUserIsBanned, err)
 }

@ -200,12 +202,12 @@ func (s *RegulatorSuite) TestShouldCheckUserIsNotYetBanned() {
 	}

 	s.mock.StorageMock.EXPECT().
-		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
+		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
 		Return(attemptsInDB, nil)

 	regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)

-	_, err := regulator.Regulate(s.mock.Ctx, "john")
+	_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
 	assert.NoError(s.T(), err)
 }

@ -232,12 +234,12 @@ func (s *RegulatorSuite) TestShouldCheckUserWasAboutToBeBanned() {
 	}

 	s.mock.StorageMock.EXPECT().
-		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
+		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
 		Return(attemptsInDB, nil)

 	regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)

-	_, err := regulator.Regulate(s.mock.Ctx, "john")
+	_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
 	assert.NoError(s.T(), err)
 }

@ -268,12 +270,12 @@ func (s *RegulatorSuite) TestShouldCheckRegulationHasBeenResetOnSuccessfulAttemp
 	}

 	s.mock.StorageMock.EXPECT().
-		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
+		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
 		Return(attemptsInDB, nil)

 	regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)

-	_, err := regulator.Regulate(s.mock.Ctx, "john")
+	_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
 	assert.NoError(s.T(), err)
 }

@ -303,7 +305,7 @@ func (s *RegulatorSuite) TestShouldHaveRegulatorDisabled() {
 	}

 	s.mock.StorageMock.EXPECT().
-		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
+		LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
 		Return(attemptsInDB, nil)

 	// Check Disabled Functionality.
@ -314,7 +316,7 @@ func (s *RegulatorSuite) TestShouldHaveRegulatorDisabled() {
 	}

 	regulator := regulation.NewRegulator(config, s.mock.StorageMock, &s.mock.Clock)
-	_, err := regulator.Regulate(s.mock.Ctx, "john")
+	_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
 	assert.NoError(s.T(), err)

 	// Check Enabled Functionality.
@ -325,6 +327,6 @@ func (s *RegulatorSuite) TestShouldHaveRegulatorDisabled() {
 	}

 	regulator = regulation.NewRegulator(config, s.mock.StorageMock, &s.mock.Clock)
-	_, err = regulator.Regulate(s.mock.Ctx, "john")
+	_, err = regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
 	assert.Equal(s.T(), regulation.ErrUserIsBanned, err)
 }
--- a/internal/server/handlers.go
+++ b/internal/server/handlers.go
@ -9,6 +9,7 @@ import (
 	"time"

 	duoapi "github.com/duosecurity/duo_api_golang"
+	autha "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	"github.com/fasthttp/router"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/sirupsen/logrus"
@ -16,6 +17,8 @@ import (
 	"github.com/valyala/fasthttp/expvarhandler"
 	"github.com/valyala/fasthttp/fasthttpadaptor"
 	"github.com/valyala/fasthttp/pprofhandler"
+	"google.golang.org/grpc"
+	healthpb "google.golang.org/grpc/health/grpc_health_v1"

 	"github.com/authelia/authelia/v4/internal/configuration/schema"
 	"github.com/authelia/authelia/v4/internal/duo"
@ -189,7 +192,7 @@ func handleRouter(config *schema.Configuration, providers middlewares.Providers)
 		uri := path.Join(pathAuthz, name)

 		authz := handlers.NewAuthzBuilder().WithConfig(config).WithEndpointConfig(endpoint).Build()
-
+		// @HERE
 		handler := middlewares.Wrap(metricsVRMW, bridge(authz.Handler))

 		switch name {
@ -404,6 +407,12 @@ func handleRouter(config *schema.Configuration, providers middlewares.Providers)
 	return handler
 }

+func handleGRCP(server *grpc.Server, config *schema.Configuration, providers middlewares.Providers) {
+	// Register endpoints
+	healthpb.RegisterHealthServer(server, &handlers.HealthEndpoint{})
+	autha.RegisterAuthorizationServer(server, handlers.NewAuthzGRCP(config, providers))
+}
+
 func handleMetrics(path string) fasthttp.RequestHandler {
 	r := router.New()

--- a/internal/server/server.go
+++ b/internal/server/server.go
@ -9,6 +9,8 @@ import (

 	"github.com/sirupsen/logrus"
 	"github.com/valyala/fasthttp"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"

 	"github.com/authelia/authelia/v4/internal/configuration/schema"
 	"github.com/authelia/authelia/v4/internal/logging"
@ -44,30 +46,13 @@ func CreateDefaultServer(config *schema.Configuration, providers middlewares.Pro
 	if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" {
 		isTLS, connectionScheme = true, schemeHTTPS

-		if err = server.AppendCert(config.Server.TLS.Certificate, config.Server.TLS.Key); err != nil {
-			return nil, nil, nil, false, fmt.Errorf("unable to load tls server certificate '%s' or private key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)
+		tlsConfig, err := loadTLSCertificates(config)
+		if err != nil {
+			return nil, nil, nil, false, fmt.Errorf("HTTP server: %w", err)
 		}

-		if len(config.Server.TLS.ClientCertificates) > 0 {
-			caCertPool := x509.NewCertPool()
-
-			var cert []byte
-
-			for _, path := range config.Server.TLS.ClientCertificates {
-				if cert, err = os.ReadFile(path); err != nil {
-					return nil, nil, nil, false, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)
-				}
-
-				caCertPool.AppendCertsFromPEM(cert)
-			}
-
-			// ClientCAs should never be nil, otherwise the system cert pool is used for client authentication
-			// but we don't want everybody on the Internet to be able to authenticate.
-			server.TLSConfig.ClientCAs = caCertPool
-			server.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
-		}
-
-		listener = tls.NewListener(listener, server.TLSConfig.Clone())
+		// Apply configuration
+		listener = tls.NewListener(listener, tlsConfig.Clone())
 	}

 	if err = writeHealthCheckEnv(config.Server.DisableHealthcheck, connectionScheme, config.Server.Address.Hostname(),
@ -108,3 +93,72 @@ func CreateMetricsServer(config *schema.Configuration, providers middlewares.Pro

 	return server, listener, []string{config.Telemetry.Metrics.Address.Path()}, false, nil
 }
+
+// CreateGRPCServer creates a server for handling gRPC authentication requests from an envoy proxy.
+func CreateGRPCServer(config *schema.Configuration, providers middlewares.Providers) (server *grpc.Server, listener net.Listener, tls bool, err error) {
+	if config.Server.GRPC.Address == nil {
+		return nil, nil, false, nil
+	}
+
+	// Initialize gPRC server
+	lis, err := config.Server.GRPC.Address.Listener()
+	if err != nil {
+		return nil, nil, false, fmt.Errorf("error occurred while attempting to initialize grcp server listener for address '%s': %w", config.Server.GRPC.Address, err)
+	}
+
+	opts := []grpc.ServerOption{grpc.MaxConcurrentStreams(10)}
+
+	if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" && !config.Server.GRPC.DisableTLS {
+		tlsConfig, err := loadTLSCertificates(config)
+		if err != nil {
+			return nil, nil, false, fmt.Errorf("gRPC server: %w", err)
+		}
+
+		opts = append(opts, grpc.Creds(credentials.NewTLS(tlsConfig)))
+		tls = true
+	}
+
+	s := grpc.NewServer(opts...)
+	handleGRCP(s, config, providers)
+
+	return s, lis, tls, nil
+}
+
+// loadTLSCertificates loads the server and client certificates from the files and returns a
+// tls.Config object for the server
+func loadTLSCertificates(config *schema.Configuration) (*tls.Config, error) {
+
+	// Load the server certificates
+	serverCert, err := tls.LoadX509KeyPair(config.Server.TLS.Certificate, config.Server.TLS.Key)
+	if err != nil {
+		return nil, fmt.Errorf("unable to load server certificate '%s' or key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)
+	}
+
+	// Create the tls configuration
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{serverCert},
+		ClientAuth:   tls.NoClientCert,
+	}
+
+	// Load client certificates
+	if len(config.Server.TLS.ClientCertificates) > 0 {
+		caCertPool := x509.NewCertPool()
+
+		var cert []byte
+
+		for _, path := range config.Server.TLS.ClientCertificates {
+			if cert, err = os.ReadFile(path); err != nil {
+				return nil, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)
+			}
+
+			caCertPool.AppendCertsFromPEM(cert)
+		}
+
+		// ClientCAs should never be nil, otherwise the system cert pool is used for client authentication,
+		// but we don't want everybody on the Internet to be able to authenticate.
+		tlsConfig.ClientCAs = caCertPool
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+
+	return tlsConfig, nil
+}
--- a/internal/storage/provider.go
+++ b/internal/storage/provider.go
@ -90,5 +90,5 @@ type Provider interface {
 // RegulatorProvider is an interface providing storage capabilities for persisting any kind of data related to the regulator.
 type RegulatorProvider interface {
 	AppendAuthenticationLog(ctx context.Context, attempt model.AuthenticationAttempt) (err error)
-	LoadAuthenticationLogs(ctx context.Context, username string, fromDate time.Time, limit, page int) (attempts []model.AuthenticationAttempt, err error)
+	LoadAuthenticationLogs(ctx context.Context, username string, ip string, fromDate time.Time, limit, page int) (attempts []model.AuthenticationAttempt, err error)
 }
--- a/internal/storage/sql_provider.go
+++ b/internal/storage/sql_provider.go
@ -33,6 +33,7 @@ func NewSQLProvider(config *schema.Configuration, name, driverName, dataSourceNa

 		sqlInsertAuthenticationAttempt:            fmt.Sprintf(queryFmtInsertAuthenticationLogEntry, tableAuthenticationLogs),
 		sqlSelectAuthenticationAttemptsByUsername: fmt.Sprintf(queryFmtSelect1FAAuthenticationLogEntryByUsername, tableAuthenticationLogs),
+		sqlSelectAuthenticationAttemptyByIP:       fmt.Sprintf(queryFmtSelect1FAAuthenticationLogEntryByIP, tableAuthenticationLogs),

 		sqlInsertIdentityVerification:  fmt.Sprintf(queryFmtInsertIdentityVerification, tableIdentityVerification),
 		sqlConsumeIdentityVerification: fmt.Sprintf(queryFmtConsumeIdentityVerification, tableIdentityVerification),
@ -149,6 +150,7 @@ type SQLProvider struct {
 	// Table: authentication_logs.
 	sqlInsertAuthenticationAttempt            string
 	sqlSelectAuthenticationAttemptsByUsername string
+	sqlSelectAuthenticationAttemptyByIP       string

 	// Table: identity_verification.
 	sqlInsertIdentityVerification  string
@ -1021,10 +1023,18 @@ func (p *SQLProvider) AppendAuthenticationLog(ctx context.Context, attempt model
 }

 // LoadAuthenticationLogs retrieve the latest failed authentications from the authentication log.
-func (p *SQLProvider) LoadAuthenticationLogs(ctx context.Context, username string, fromDate time.Time, limit, page int) (attempts []model.AuthenticationAttempt, err error) {
+func (p *SQLProvider) LoadAuthenticationLogs(ctx context.Context, username string, ip string, fromDate time.Time, limit, page int) (attempts []model.AuthenticationAttempt, err error) {
 	attempts = make([]model.AuthenticationAttempt, 0, limit)

-	if err = p.db.SelectContext(ctx, &attempts, p.sqlSelectAuthenticationAttemptsByUsername, fromDate, username, limit, limit*page); err != nil {
+	// Dynmaic values based on ip / username ban
+	query := p.sqlSelectAuthenticationAttemptsByUsername
+	placeholder := username
+	if p.config.Server.UseIPInsteadOfUserForBan {
+		query = p.sqlSelectAuthenticationAttemptyByIP
+		placeholder = ip
+	}
+
+	if err = p.db.SelectContext(ctx, &attempts, query, fromDate, placeholder, limit, limit*page); err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, ErrNoAuthenticationLogs
 		}
@ -1033,4 +1043,5 @@ func (p *SQLProvider) LoadAuthenticationLogs(ctx context.Context, username strin
 	}

 	return attempts, nil
+
 }
--- a/internal/storage/sql_provider_backend_postgres.go
+++ b/internal/storage/sql_provider_backend_postgres.go
@ -71,6 +71,7 @@ func NewPostgreSQLProvider(config *schema.Configuration, caCertPool *x509.CertPo

 	provider.sqlInsertAuthenticationAttempt = provider.db.Rebind(provider.sqlInsertAuthenticationAttempt)
 	provider.sqlSelectAuthenticationAttemptsByUsername = provider.db.Rebind(provider.sqlSelectAuthenticationAttemptsByUsername)
+	provider.sqlSelectAuthenticationAttemptyByIP = provider.db.Rebind(provider.sqlSelectAuthenticationAttemptyByIP)

 	provider.sqlInsertMigration = provider.db.Rebind(provider.sqlInsertMigration)
 	provider.sqlSelectMigrations = provider.db.Rebind(provider.sqlSelectMigrations)
--- a/internal/storage/sql_provider_queries.go
+++ b/internal/storage/sql_provider_queries.go
@ -211,6 +211,14 @@ const (
 		ORDER BY time DESC
 		LIMIT ?
 		OFFSET ?;`
+
+	queryFmtSelect1FAAuthenticationLogEntryByIP = `
+		SELECT time, successful, username
+		FROM %s
+		WHERE time > ? AND remote_ip = ? AND auth_type = '1FA' AND banned = FALSE
+		ORDER BY time DESC
+		LIMIT ?
+		OFFSET ?;`
 )

 const (
--- a/internal/suites/HighAvailability/configuration.yml
+++ b/internal/suites/HighAvailability/configuration.yml
@ -21,16 +21,19 @@ authentication_backend:
  ldap:
    address: 'ldap://openldap'
    base_dn: dc=example,dc=com
-    username_attribute: uid
    additional_users_dn: ou=users
    users_filter: (&({username_attribute}={input})(objectClass=person))
    additional_groups_dn: ou=groups
    groups_filter: (&(member={dn})(objectClass=groupOfNames))
-    group_name_attribute: cn
-    mail_attribute: mail
-    display_name_attribute: displayName
    user: cn=admin,dc=example,dc=com
    password: password
+    attributes:
+      distinguished_name: 'distinguishedName'
+      username: 'uid'
+      display_name: 'displayName'
+      mail: 'mail'
+      member_of: 'memberOf'
+      group_name: 'cn'

 access_control:
  default_policy: deny
--- a/internal/suites/LDAP/configuration.yml
+++ b/internal/suites/LDAP/configuration.yml
@ -22,16 +22,19 @@ authentication_backend:
    tls:
      skip_verify: true
    base_dn: dc=example,dc=com
-    username_attribute: uid
    additional_users_dn: ou=users
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=inetOrgPerson))  # yamllint disable-line rule:line-length
    additional_groups_dn: ou=groups
    groups_filter: (&(member={dn})(objectClass=groupOfNames))
-    group_name_attribute: cn
-    mail_attribute: mail
-    display_name_attribute: displayName
    user: cn=pwmanager,dc=example,dc=com
    password: password
+    attributes:
+      distinguished_name: ''
+      username: 'uid'
+      display_name: 'displayName'
+      mail: 'mail'
+      member_of: 'memberOf'
+      group_name: 'cn'

 session:
  secret: unsecure_session_secret
--- a/internal/suites/Standalone/configuration.yml
+++ b/internal/suites/Standalone/configuration.yml
@ -10,6 +10,9 @@ server:
  tls:
    certificate: /pki/public.backend.crt
    key: /pki/private.backend.pem
+  grpc:
+    address: 'tcp://0.0.0.0:9092'
+    disableTLS: false

 telemetry:
  metrics:
@ -17,7 +20,7 @@ telemetry:
    address: tcp://0.0.0.0:9959

 log:
-  level: debug
+  level: trace

 authentication_backend:
  file:
@ -30,6 +33,8 @@ session:
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://login.example.com:8080'
+    - domain: 'rpjosh.de'
+      authelia_url: 'https://ubuntugui.rpjosh.de:9091'

 storage:
  encryption_key: a_not_so_secure_encryption_key
@ -83,6 +88,18 @@ access_control:
      subject: "user:bob"
      policy: two_factor

+    - domain: auth.rpjosh.de
+      policy: bypass
+
+    - domain: datenbank.rpjosh.de
+      resources:
+        - "^/$"
+      policy: bypass
+    - domain: datenbank.rpjosh.de
+      resources:
+        - "^/hi.*$"
+      policy: one_factor
+

 regulation:
  # Set it to 0 to disable max_retries.
--- a/internal/suites/example/compose/authelia/Dockerfile.backend
+++ b/internal/suites/example/compose/authelia/Dockerfile.backend
@ -17,3 +17,4 @@ ENV PATH="/app:${PATH}" \
 VOLUME /config

 EXPOSE 9091
+EXPOSE 9092
--- a/internal/suites/example/compose/authelia/resources/entrypoint-frontend.sh
+++ b/internal/suites/example/compose/authelia/resources/entrypoint-frontend.sh
@ -2,4 +2,4 @@

 set -x

-pnpm install --frozen-lockfile && pnpm start
+pnpm start
--- a/internal/suites/example/compose/traefik2/docker-compose.yml
+++ b/internal/suites/example/compose/traefik2/docker-compose.yml
@ -2,7 +2,7 @@
 version: '3'
 services:
  traefik:
-    image: traefik:v2.10.1
+    image: traefik:v2.10.3
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
    labels:
--- a/internal/suites/example/kube/authelia/configs/configuration.yml
+++ b/internal/suites/example/kube/authelia/configs/configuration.yml
@ -20,15 +20,18 @@ authentication_backend:
    tls:
      skip_verify: true
    base_dn: dc=example,dc=com
-    username_attribute: uid
    additional_users_dn: ou=users
    users_filter: (&({username_attribute}={input})(objectClass=person))
    additional_groups_dn: ou=groups
    groups_filter: (&(member={dn})(objectClass=groupOfNames))
-    group_name_attribute: cn
-    mail_attribute: mail
-    display_name_attribute: displayName
    user: cn=admin,dc=example,dc=com
+    attributes:
+      distinguished_name: ''
+      username: 'uid'
+      display_name: 'displayName'
+      mail: 'mail'
+      member_of: 'memberOf'
+      group_name: 'cn'

 access_control:
  default_policy: deny
--- a/web/package.json
+++ b/web/package.json
@ -19,18 +19,18 @@
    "@fortawesome/free-solid-svg-icons": "6.4.0",
    "@fortawesome/react-fontawesome": "0.2.0",
    "@mui/icons-material": "5.11.16",
-    "@mui/material": "5.13.5",
+    "@mui/material": "5.13.6",
    "@mui/styles": "5.13.2",
    "axios": "1.4.0",
    "broadcast-channel": "5.1.0",
    "classnames": "2.3.2",
-    "i18next": "22.5.1",
+    "i18next": "23.2.3",
    "i18next-browser-languagedetector": "7.0.2",
    "i18next-http-backend": "2.2.1",
    "qrcode.react": "3.1.0",
    "react": "18.2.0",
    "react-dom": "18.2.0",
-    "react-i18next": "12.3.1",
+    "react-i18next": "13.0.1",
    "react-loading": "2.0.3",
    "react-router-dom": "6.13.0",
    "react18-input-otp": "1.1.3",
@ -72,15 +72,15 @@
    "@testing-library/jest-dom": "5.16.5",
    "@testing-library/react": "14.0.0",
    "@types/node": "20.3.1",
-    "@types/react": "18.2.12",
-    "@types/react-dom": "18.2.5",
+    "@types/react": "18.2.13",
+    "@types/react-dom": "18.2.6",
    "@types/testing-library__jest-dom": "5.14.6",
    "@types/zxcvbn": "4.4.1",
-    "@typescript-eslint/eslint-plugin": "5.59.11",
-    "@typescript-eslint/parser": "5.59.11",
-    "@vitejs/plugin-react": "4.0.0",
+    "@typescript-eslint/eslint-plugin": "5.60.0",
+    "@typescript-eslint/parser": "5.60.0",
+    "@vitejs/plugin-react": "4.0.1",
    "@vitest/coverage-istanbul": "0.32.2",
-    "esbuild": "0.18.4",
+    "esbuild": "0.18.6",
    "eslint": "8.43.0",
    "eslint-config-prettier": "8.8.0",
    "eslint-config-react-app": "7.0.1",
--- a/web/pnpm-lock.yaml
+++ b/web/pnpm-lock.yaml
Author	SHA1	Message	Date
Jonas Letzbor	dd673e0e82	Change from basic auth to header authentication	2023-06-24 14:08:18 +02:00
Jonas Letzbor	e9a383be0c	Add option to ban user by ip instead of username	2023-06-23 22:07:23 +02:00
Jonas Letzbor	c13e0e12ea	Implement gRPC endpoint for envoy	2023-06-23 21:21:40 +02:00
renovate[bot]	2128969afc	build(deps): update dependency @mui/material to v5.13.6 (#5598 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-24 02:07:13 +10:00
renovate[bot]	bb1e853b9f	build(deps): update module github.com/ory/x to v0.0.563 (#5596 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-22 23:17:19 +10:00
renovate[bot]	0a92f13f15	build(deps): update dependency i18next to v23.2.3 (#5594 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-22 21:41:41 +10:00
renovate[bot]	6af53a66dd	build(deps): update dependency react-i18next to v13.0.1 (#5595 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-22 16:38:41 +10:00
renovate[bot]	fb68177b23	build(deps): update traefik docker tag to v2.10.3 (#5591 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-22 00:00:54 +10:00
renovate[bot]	035070414b	build(deps): update dependency i18next to v23.2.2 (#5593 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-21 20:54:45 +10:00
renovate[bot]	2671151cae	build(deps): update dependency esbuild to v0.18.6 (#5590 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-21 10:02:07 +10:00
renovate[bot]	41e9c51245	build(deps): update dependency i18next to v23.2.1 (#5572 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-20 16:34:06 +00:00
renovate[bot]	360b672387	build(deps): update module github.com/valyala/fasthttp to v1.48.0 (#5589 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-20 21:18:05 +10:00
renovate[bot]	0f9a8994c2	build(deps): update dependency esbuild to v0.18.5 (#5588 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-20 15:48:56 +10:00
renovate[bot]	231c34ae08	build(deps): update dependency @vitejs/plugin-react to v4.0.1 (#5587 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-20 10:57:11 +10:00
renovate[bot]	977d490d5e	build(deps): update typescript-eslint monorepo to v5.60.0 (#5586 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-20 05:33:00 +10:00
renovate[bot]	38723ec5c4	build(deps): update react monorepo (#5584 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-20 02:32:58 +10:00
James Elliott	4c328e237d	build(deps): update dependency i18next to v23 (#5580 ) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>	2023-06-19 12:01:30 +10:00
renovate[bot]	aca740fdb7	build(deps): update module github.com/otiai10/copy to v1.12.0 (#5583 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-19 11:04:58 +10:00
renovate[bot]	0f5fae8646	build(deps): update module github.com/jackc/pgx/v5 to v5.4.1 (#5581 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-06-19 00:17:25 +10:00
James Elliott	f79db588be	feat(authentication): ldap memberof group search (#5418 ) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>	2023-06-18 14:40:38 +10:00
James Elliott	68ac62acab	build: update to swagger v5 (#5552 ) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>	2023-06-18 14:11:36 +10:00