From d714ec9de183dc87df02c67cd7b6febcf3cfb972 Mon Sep 17 00:00:00 2001
From: eisin
Date: Fri, 20 Sep 2019 20:59:07 +0900
Subject: [PATCH 1/3] Make it possible to customize LDAP filter (UserFilter, GroupFilter)
---
 ldap_proxy.go | 4 ++--
 main.go | 2 ++
 options.go | 4 ++++
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/ldap_proxy.go b/ldap_proxy.go
index 6ba3ac7..50d15d0 100644
--- a/ldap_proxy.go
+++ b/ldap_proxy.go
@@ -140,8 +140,8 @@ func NewLdapProxy(opts *Options, validator func(string) bool) *LdapProxy {
 InsecureSkipVerify: true,
 BindDN: opts.LdapBindDn,
 BindPassword: opts.LdapBindDnPassword,
- UserFilter: "(&(objectClass=User)(uid=%s))",
- GroupFilter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))",
+ UserFilter: opts.LdapUserFilter,
+ GroupFilter: opts.LdapGroupFilter,
 Attributes: []string{"mail", "cn"},
 }
diff --git a/main.go b/main.go
index ebf6d67..7dd0bcf 100644
--- a/main.go
+++ b/main.go
@@ -75,6 +75,8 @@ func main() {
 flagSet.String("ldap-bind-dn", "", "Bind DN for LDAP bind")
 flagSet.String("ldap-bind-dn-password", "", "Bind DN password for LDAP bind")
 flagSet.Var(&ldapGroups, "ldap-groups", "Groups a user must be in")
+ flagSet.String("ldap-user-filter", "(&(objectClass=User)(uid=%s))", "Search filter for user")
+ flagSet.String("ldap-group-filter", "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))", "Search filter for group")
 flagSet.Parse(os.Args[1:])
diff --git a/options.go b/options.go
index 18e85be..e7ce0ff 100644
--- a/options.go
+++ b/options.go
@@ -64,6 +64,8 @@ type Options struct {
 LdapBindDn string `flag:"ldap-bind-dn" cfg:"ldap_bind_dn"`
 LdapBindDnPassword string `flag:"ldap-bind-dn-password" cfg:"ldap_bind_dn_password"`
 LdapGroups []string `flag:"ldap-groups" cfg:"ldap_groups"`
+ LdapUserFilter string `flag:"ldap-user-filter" cfg:"ldap_user_filter"`
+ LdapGroupFilter string `flag:"ldap-group-filter" cfg:"ldap_group_filter"`
 // internal values that are set after config validation
 proxyURLs []*url.URL
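Review bot: The UserFilter and GroupFilter values wired in at the two `+` lines of the ldap_proxy.go hunk are now operator input, but nothing in this series checks that each one still carries exactly one `%s` placeholder; a filter with zero or two placeholders only fails later, at search time, as a malformed LDAP filter rather than at startup. The options validation step (outside this diff) could reject it early with a check such as `strings.Count(opts.LdapUserFilter, "%s") != 1` and the same for `opts.LdapGroupFilter`. Whether the value substituted for `%s` is escaped per RFC 4515 is decided inside the LDAP client, not in this hunk, so making the filter configurable neither adds nor removes that protection, but it is worth confirming since the filter text is now outside the code's control. The same check covers the options.go struct hunk and the NewOptions default hunk that follows.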
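Review bot: The two default filter literals on the new flagSet.String lines in the main.go hunk are repeated verbatim in the NewOptions hunk of options.go, so the flag default and the struct default can drift apart silently; a single package-level pair such as `const defaultLdapUserFilter = "(&(objectClass=User)(uid=%s))"` and `const defaultLdapGroupFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))"` referenced from both places would keep them in one spot. The help strings "Search filter for user" and "Search filter for group" also do not say that the value is a format string; `"Search filter for user (must contain exactly one %s placeholder)"` tells an operator what shape the value has to take. main's body continues outside the hunk.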
@@ -94,6 +96,8 @@ func NewOptions() *Options {
 PassUserHeaders: true,
 PassHostHeader: true,
 RequestLogging: true,
+ LdapUserFilter: "(&(objectClass=User)(uid=%s))",
+ LdapGroupFilter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))",
 }
 }
From cdf4c9e7087b708b110857f0f676666dd5f518ba Mon Sep 17 00:00:00 2001
From: eisin
Date: Tue, 24 Sep 2019 11:50:42 +0900
Subject: [PATCH 2/3] Cut 0.4.1
---
 CHANGELOG.md | 4 ++++
 version.go | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8cc5a72..3014b4b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+0.4.1 (2019-09-24)
+==================
+* Make it possible to customize LDAP filter (UserFilter, GroupFilter)
+
 0.4.0 (2018-11-23)
 ==================
 * URGENT SECURITY FIX: authentication bypass via LDAP passwordless auth LDAP permits passwordless Bind operations by clients - this application verified authentication without checking specifically for an empty password, thus allowing authentication as any valid user by leaving the password field blank. This issue has been present since the first release of this application.
diff --git a/version.go b/version.go
index 4972ad9..802e2cb 100644
--- a/version.go
+++ b/version.go
@@ -1,4 +1,4 @@
 package main
 // VERSION released
-const VERSION = "0.4.0"
+const VERSION = "0.4.1"
From dd78facd3052e8cde3c451ca2c5bd451b8515f51 Mon Sep 17 00:00:00 2001
From: eisin
Date: Tue, 24 Sep 2019 15:39:17 +0900
Subject: [PATCH 3/3] Make it possible to customize redirect path when sign-in success
---
 CHANGELOG.md | 1 +
 ldap_proxy.go | 24 +++++++++++++-----------
 main.go | 1 +
 options.go | 1 +
 4 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3014b4b..28f06a3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 0.4.1 (2019-09-24)
 ==================
 * Make it possible to customize LDAP filter (UserFilter, GroupFilter)
+* Make it possible to customize redirect path when sign-in success
 0.4.0 (2018-11-23)
 ==================
diff --git a/ldap_proxy.go b/ldap_proxy.go
index 50d15d0..88a7ae2 100644
--- a/ldap_proxy.go
+++ b/ldap_proxy.go
@@ -51,12 +51,13 @@ type LdapProxy struct {
 SignOutPath string
 AuthOnlyPath string
- ProxyPrefix string
- SignInMessage string
- HtpasswdFile *HtpasswdFile
- serveMux http.Handler
- SetXAuthRequest bool
- PassBasicAuth bool
+ ProxyPrefix string
+ SignInMessage string
+ HtpasswdFile *HtpasswdFile
+ serveMux http.Handler
+ SetXAuthRequest bool
+ PassBasicAuth bool
+ RedirectDefaultPath string
 PassUserHeaders bool
 BasicAuthPassword string
@@ -162,10 +163,11 @@ func NewLdapProxy(opts *Options, validator func(string) bool) *LdapProxy {
 SignOutPath: fmt.Sprintf("%s/sign_out", opts.ProxyPrefix),
 AuthOnlyPath: fmt.Sprintf("%s/auth", opts.ProxyPrefix),
- ProxyPrefix: opts.ProxyPrefix,
- serveMux: serveMux,
- SetXAuthRequest: opts.SetXAuthRequest,
- PassBasicAuth: opts.PassBasicAuth,
+ ProxyPrefix: opts.ProxyPrefix,
+ serveMux: serveMux,
+ SetXAuthRequest: opts.SetXAuthRequest,
+ PassBasicAuth: opts.PassBasicAuth,
+ RedirectDefaultPath: opts.RedirectDefaultPath,
 PassUserHeaders: opts.PassUserHeaders,
 BasicAuthPassword: opts.BasicAuthPassword,
@@ -255,7 +257,7 @@ func (p *LdapProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code i
 redirectURL = req.Header.Get("X-Auth-Request-Redirect")
 }
 if redirectURL == p.SignInPath {
- redirectURL = "/"
+ redirectURL = p.RedirectDefaultPath
 }
 t := struct {
diff --git a/main.go b/main.go
index 7dd0bcf..898f9b1 100644
--- a/main.go
+++ b/main.go
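Review bot: An empty RedirectDefaultPath now produces an empty redirectURL on the replaced line of the SignInPage hunk, where the old code always fell back to "/"; in this series only the flag default supplies "/", NewOptions does not set the field, so an Options value built without going through the flag defaults (a config file missing the key, or direct construction) hands the template an empty target. Keeping the old fallback local to this spot preserves behaviour for that case: `redirectURL = p.RedirectDefaultPath` followed by `if redirectURL == "" { redirectURL = "/" }`. Since the value is an operator-supplied redirect target, the options validation step could also confirm it parses as a URL before it reaches the sign-in page. SignInPage starts and ends outside the hunk.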
@@ -44,6 +44,7 @@ func main() {
 flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
 flagSet.String("real-ip-header", "X-Real-IP", "The header which specifies the real IP of the request. Caution: This header may allow a malicious actor to spoof an internal IP, bypassing whitelists. Set to the empty string to ignore")
 flagSet.String("proxy-ip-header", "X-Forwarded-For", "The header which specifies the real IP of the proxied request. Caution: This header may allow a malicious actor to spoof an internal IP, bypassing whitelists. Set to the empty string to ignore")
+ flagSet.String("redirect-default-path", "/", "Default redirect path when sign-in success")
 flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
 flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
diff --git a/options.go b/options.go
index e7ce0ff..cb5af65 100644
--- a/options.go
+++ b/options.go
@@ -51,6 +51,7 @@ type Options struct {
 SkipAuthPreflight bool `flag:"skip-auth-preflight" cfg:"skip_auth_preflight"`
 RealIPHeader string `flag:"real-ip-header" cfg:"real_ip_header"`
 ProxyIPHeader string `flag:"proxy-ip-header" cfg:"proxy_ip_header"`
+ RedirectDefaultPath string `flag:"redirect-default-path" cfg:"redirect_default_path"`
 RequestLogging bool `flag:"request-logging" cfg:"request_logging"`