From 6a2d6d6989c092615f6773c78ee219a5ec9234b1 Mon Sep 17 00:00:00 2001
From: TheFox0x7 <thefox0x7@gmail.com>
Date: Tue, 18 Mar 2025 22:46:26 +0100
Subject: [PATCH 1/6] add flags for managing ldap groups

---
 cmd/admin_auth_ldap.go | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index aff2a1285541c..dc3589701f7d4 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -127,6 +127,30 @@ var (
 		&cli.UintFlag{
 			Name:  "page-size",
 			Usage: "Search page size.",
+		},
+		&cli.BoolFlag{
+			Name:  "enable-groups",
+			Usage: "Enable LDAP groups",
+		},
+		&cli.StringFlag{
+			Name:  "group-search-base",
+			Usage: "The LDAP base at which group accounts will be searched for.",
+		},
+		&cli.StringFlag{
+			Name:  "group-member-uid",
+			Usage: "Group attribte containing list of users",
+		},
+		&cli.StringFlag{
+			Name:  "group-user-attribute",
+			Usage: "User attribte listed in group",
+		},
+		&cli.StringFlag{
+			Name:  "group-filter",
+			Usage: "Verify group membership in LDAP",
+		},
+		&cli.StringFlag{
+			Name:  "group-team-map",
+			Usage: "Map LDAP groups to Organization teams",
 		})
 
 	ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,
@@ -273,6 +297,24 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("skip-local-2fa") {
 		config.SkipLocalTwoFA = c.Bool("skip-local-2fa")
 	}
+	if c.IsSet("enable-groups") {
+		config.GroupsEnabled = c.Bool("enable-groups")
+	}
+	if c.IsSet("group-search-base") {
+		config.GroupDN = c.String("group-search-base")
+	}
+	if c.IsSet("group-member-uid") {
+		config.GroupMemberUID = c.String("group-member-uid")
+	}
+	if c.IsSet("group-user-attribute") {
+		config.UserUID = c.String("group-user-attribute")
+	}
+	if c.IsSet("group-filter") {
+		config.GroupFilter = c.String("group-filter")
+	}
+	if c.IsSet("group-team-map") {
+		config.GroupTeamMap = c.String("group-team-map")
+	}
 	return nil
 }
 

From 2c5d99079418d07d0c3083e614351797c8e9a9f1 Mon Sep 17 00:00:00 2001
From: TheFox0x7 <thefox0x7@gmail.com>
Date: Tue, 18 Mar 2025 22:57:28 +0100
Subject: [PATCH 2/6] add removal flag

---
 cmd/admin_auth_ldap.go      |  7 +++++++
 cmd/admin_auth_ldap_test.go | 14 ++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index dc3589701f7d4..7cfd4f14f62ba 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -151,6 +151,10 @@ var (
 		&cli.StringFlag{
 			Name:  "group-team-map",
 			Usage: "Map LDAP groups to Organization teams",
+		},
+		&cli.BoolFlag{
+			Name:  "group-users-remove",
+			Usage: "Remove users from synchronized teams if user does not belong to corresponding LDAP group",
 		})
 
 	ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,
@@ -315,6 +319,9 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("group-team-map") {
 		config.GroupTeamMap = c.String("group-team-map")
 	}
+	if c.IsSet("group-users-remove") {
+		config.GroupTeamMapRemoval = c.Bool("group-users-remove")
+	}
 	return nil
 }
 
diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go
index 7791f3a9cc14b..b4bdc56e3d24e 100644
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@@ -51,6 +51,13 @@ func TestAddLdapBindDn(t *testing.T) {
 				"--attributes-in-bind",
 				"--synchronize-users",
 				"--page-size", "99",
+				"--enable-groups", "true",
+				"--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
+				"--group-member-uid", "memberUid",
+				"--group-user-attribute", "uid",
+				"--group-filter", "(|(cn=gitea_user)(cn=admins))",
+				"--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+				"--group-users-remove", "true",
 			},
 			source: &auth.Source{
 				Type:          auth.LDAP,
@@ -78,6 +85,13 @@ func TestAddLdapBindDn(t *testing.T) {
 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
 					RestrictedFilter:      "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",
 					Enabled:               true,
+					GroupsEnabled:         true,
+					GroupDN:               "ou=group,dc=full-domain-bind,dc=org",
+					GroupMemberUID:        "memberUid",
+					UserUID:               "uid",
+					GroupFilter:           "(|(cn=gitea_users)(cn=admins))",
+					GroupTeamMap:          `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+					GroupTeamMapRemoval:   true,
 				},
 			},
 		},

From 51c45c0989b763625ecd621dca269c05adfc3b2b Mon Sep 17 00:00:00 2001
From: TheFox0x7 <thefox0x7@gmail.com>
Date: Tue, 18 Mar 2025 23:39:38 +0100
Subject: [PATCH 3/6] fix tests and typo

---
 cmd/admin_auth_ldap.go      |  4 ++--
 cmd/admin_auth_ldap_test.go | 18 ++++++++++++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index 7cfd4f14f62ba..ec86ab0c201db 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -138,11 +138,11 @@ var (
 		},
 		&cli.StringFlag{
 			Name:  "group-member-uid",
-			Usage: "Group attribte containing list of users",
+			Usage: "Group attribute containing list of users",
 		},
 		&cli.StringFlag{
 			Name:  "group-user-attribute",
-			Usage: "User attribte listed in group",
+			Usage: "User attribute listed in group",
 		},
 		&cli.StringFlag{
 			Name:  "group-filter",
diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go
index b4bdc56e3d24e..49ff4b27c6b6b 100644
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@@ -51,11 +51,11 @@ func TestAddLdapBindDn(t *testing.T) {
 				"--attributes-in-bind",
 				"--synchronize-users",
 				"--page-size", "99",
-				"--enable-groups", "true",
+				"--enable-groups",
 				"--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
 				"--group-member-uid", "memberUid",
 				"--group-user-attribute", "uid",
-				"--group-filter", "(|(cn=gitea_user)(cn=admins))",
+				"--group-filter", "(|(cn=gitea_users)(cn=admins))",
 				"--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
 				"--group-users-remove", "true",
 			},
@@ -524,6 +524,13 @@ func TestUpdateLdapBindDn(t *testing.T) {
 				"--bind-password", "secret-bind-full",
 				"--synchronize-users",
 				"--page-size", "99",
+				"--enable-groups",
+				"--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
+				"--group-member-uid", "memberUid",
+				"--group-user-attribute", "uid",
+				"--group-filter", "(|(cn=gitea_users)(cn=admins))",
+				"--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+				"--group-users-remove", "true",
 			},
 			id: 23,
 			existingAuthSource: &auth.Source{
@@ -559,6 +566,13 @@ func TestUpdateLdapBindDn(t *testing.T) {
 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
 					RestrictedFilter:      "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",
 					Enabled:               true,
+					GroupsEnabled:         true,
+					GroupDN:               "ou=group,dc=full-domain-bind,dc=org",
+					GroupMemberUID:        "memberUid",
+					UserUID:               "uid",
+					GroupFilter:           "(|(cn=gitea_users)(cn=admins))",
+					GroupTeamMap:          `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+					GroupTeamMapRemoval:   true,
 				},
 			},
 		},

From 53bd12b19eade84e3bfe4ede27f41a4e3f348e01 Mon Sep 17 00:00:00 2001
From: TheFox0x7 <thefox0x7@gmail.com>
Date: Wed, 19 Mar 2025 09:09:24 +0100
Subject: [PATCH 4/6] fix flag usage

---
 cmd/admin_auth_ldap_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go
index 49ff4b27c6b6b..5ff0df2338113 100644
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@@ -57,7 +57,7 @@ func TestAddLdapBindDn(t *testing.T) {
 				"--group-user-attribute", "uid",
 				"--group-filter", "(|(cn=gitea_users)(cn=admins))",
 				"--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
-				"--group-users-remove", "true",
+				"--group-users-remove",
 			},
 			source: &auth.Source{
 				Type:          auth.LDAP,
@@ -530,7 +530,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 				"--group-user-attribute", "uid",
 				"--group-filter", "(|(cn=gitea_users)(cn=admins))",
 				"--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
-				"--group-users-remove", "true",
+				"--group-users-remove",
 			},
 			id: 23,
 			existingAuthSource: &auth.Source{

From ed251bfffbdda7b9fc3149d48bbff11e3243aecd Mon Sep 17 00:00:00 2001
From: TheFox0x7 <thefox0x7@gmail.com>
Date: Wed, 19 Mar 2025 17:35:35 +0100
Subject: [PATCH 5/6] improve consistency

---
 cmd/admin_auth_ldap.go      | 16 ++++++++--------
 cmd/admin_auth_ldap_test.go | 12 ++++++------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index ec86ab0c201db..388af551e81f8 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -133,11 +133,11 @@ var (
 			Usage: "Enable LDAP groups",
 		},
 		&cli.StringFlag{
-			Name:  "group-search-base",
-			Usage: "The LDAP base at which group accounts will be searched for.",
+			Name:  "group-search-base-dn",
+			Usage: "The LDAP base DN at which group accounts will be searched for",
 		},
 		&cli.StringFlag{
-			Name:  "group-member-uid",
+			Name:  "group-member-attribute",
 			Usage: "Group attribute containing list of users",
 		},
 		&cli.StringFlag{
@@ -153,7 +153,7 @@ var (
 			Usage: "Map LDAP groups to Organization teams",
 		},
 		&cli.BoolFlag{
-			Name:  "group-users-remove",
+			Name:  "group-team-map-removal",
 			Usage: "Remove users from synchronized teams if user does not belong to corresponding LDAP group",
 		})
 
@@ -304,8 +304,8 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("enable-groups") {
 		config.GroupsEnabled = c.Bool("enable-groups")
 	}
-	if c.IsSet("group-search-base") {
-		config.GroupDN = c.String("group-search-base")
+	if c.IsSet("group-search-base-dn") {
+		config.GroupDN = c.String("group-search-base-dn")
 	}
 	if c.IsSet("group-member-uid") {
 		config.GroupMemberUID = c.String("group-member-uid")
@@ -319,8 +319,8 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("group-team-map") {
 		config.GroupTeamMap = c.String("group-team-map")
 	}
-	if c.IsSet("group-users-remove") {
-		config.GroupTeamMapRemoval = c.Bool("group-users-remove")
+	if c.IsSet("group-team-map-removal") {
+		config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
 	}
 	return nil
 }
diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go
index 5ff0df2338113..bab42226ae9c0 100644
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@@ -52,12 +52,12 @@ func TestAddLdapBindDn(t *testing.T) {
 				"--synchronize-users",
 				"--page-size", "99",
 				"--enable-groups",
-				"--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
-				"--group-member-uid", "memberUid",
+				"--group-search-base-dn", "ou=group,dc=full-domain-bind,dc=org",
+				"--group-member-attribute", "memberUid",
 				"--group-user-attribute", "uid",
 				"--group-filter", "(|(cn=gitea_users)(cn=admins))",
 				"--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
-				"--group-users-remove",
+				"--group-team-map-removal",
 			},
 			source: &auth.Source{
 				Type:          auth.LDAP,
@@ -525,12 +525,12 @@ func TestUpdateLdapBindDn(t *testing.T) {
 				"--synchronize-users",
 				"--page-size", "99",
 				"--enable-groups",
-				"--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
-				"--group-member-uid", "memberUid",
+				"--group-search-base-dn", "ou=group,dc=full-domain-bind,dc=org",
+				"--group-member-attribute", "memberUid",
 				"--group-user-attribute", "uid",
 				"--group-filter", "(|(cn=gitea_users)(cn=admins))",
 				"--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
-				"--group-users-remove",
+				"--group-team-map-removal",
 			},
 			id: 23,
 			existingAuthSource: &auth.Source{

From cc72d7a9c034b373594f9faf8e0783223a75a8ec Mon Sep 17 00:00:00 2001
From: TheFox0x7 <thefox0x7@gmail.com>
Date: Wed, 19 Mar 2025 18:00:57 +0100
Subject: [PATCH 6/6] fix missed rename

---
 cmd/admin_auth_ldap.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index 388af551e81f8..274ec181d14cf 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -307,8 +307,8 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("group-search-base-dn") {
 		config.GroupDN = c.String("group-search-base-dn")
 	}
-	if c.IsSet("group-member-uid") {
-		config.GroupMemberUID = c.String("group-member-uid")
+	if c.IsSet("group-member-attribute") {
+		config.GroupMemberUID = c.String("group-member-attribute")
 	}
 	if c.IsSet("group-user-attribute") {
 		config.UserUID = c.String("group-user-attribute")