✨ Support custom ldap attributes mapping

Author: jirutka

README.md

@@ -69,6 +69,11 @@ use OmniAuth::Strategies::LDAP,
   tls_options: {
     ssl_version: "TLSv1_2",
     ciphers: ["AES-128-CBC", "AES-128-CBC-HMAC-SHA1", "AES-128-CBC-HMAC-SHA256"],
+  },
+  mapping: {
+    'name' => 'cn;lang-en',
+    'email' => ['preferredEmail', 'mail'],
+    'nickname' => ['uid', 'userid', 'sAMAccountName']
   }
 # Or, alternatively:
 # use OmniAuth::Strategies::LDAP, filter: '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
@@ -199,6 +204,7 @@ The following options are available for configuring the OmniAuth LDAP strategy:
   - `adaptor.last_password_policy_response` — the matching password policy response control (implementation-specific object). This can indicate conditions such as password expired, account locked, reset required, or grace logins remaining (per the draft RFC).
 - `:connect_timeout` - Maximum time in seconds to wait when establishing the TCP connection to the LDAP server. Forwarded to `Net::LDAP`.
 - `:read_timeout` - Maximum time in seconds to wait for reads during LDAP operations (search/bind). Forwarded to `Net::LDAP`.
+- `:mapping` - allows you to customize mapping of LDAP attributes to the returned user info hash. The default mappings are defined in [ldap.rb](lib/omniauth/strategies/ldap.rb#L7), it will be merged with yours.
 
 Example enabling password policy:
 

lib/omniauth/strategies/ldap.rb

@@ -9,7 +9,7 @@ class LDAP
 
       InvalidCredentialsError = Class.new(StandardError)
 
-      CONFIG = {
+      option :mapping, {
         "name" => "cn",
         "first_name" => "givenName",
         "last_name" => "sn",
@@ -23,7 +23,7 @@ class LDAP
         "url" => ["wwwhomepage"],
         "image" => "jpegPhoto",
         "description" => "description",
-      }.freeze
+      }
       option :title, "LDAP Authentication" # default title for authentication form
       # For OmniAuth >= 2.0 the default allowed request method is POST only.
       # Ensure the strategy follows that default so GET /auth/:provider returns 404 as expected in tests.
@@ -91,7 +91,7 @@ def callback_phase
               return fail!(:invalid_credentials, InvalidCredentialsError.new("User not found for header #{hu}"))
             end
             @ldap_user_info = entry
-            @user_info = self.class.map_user(CONFIG, @ldap_user_info)
+            @user_info = self.class.map_user(@options[:mapping], @ldap_user_info)
             return super
           rescue => e
             return fail!(:ldap_error, e)
@@ -111,7 +111,7 @@ def callback_phase
           # Optionally attach policy info even on success (e.g., timeBeforeExpiration)
           attach_password_policy_env(@adaptor)
 
-          @user_info = self.class.map_user(CONFIG, @ldap_user_info)
+          @user_info = self.class.map_user(@options[:mapping], @ldap_user_info)
           super
         rescue => e
           fail!(:ldap_error, e)
@@ -205,7 +205,7 @@ def directory_lookup(adaptor, username)
         search_filter = filter(adaptor, username)
         adaptor.connection.open do |conn|
           rs = conn.search(filter: search_filter, size: 1)
-          entry = rs && rs.first
+          entry = rs&.first
         end
         entry
       end

spec/omniauth/strategies/ldap_spec.rb

@@ -432,6 +432,22 @@ def make_env(path = "/auth/ldap", props = {})
         expect(info.image).to eq "http://www.intridea.com/ping.jpg"
         expect(info.description).to eq "omniauth-ldap"
       end
+
+      context 'and mapping is set' do
+        let(:app) do
+          Rack::Builder.new {
+            use OmniAuth::Test::PhonySession
+            use MyLdapProvider, :name => 'ldap', :host => '192.168.1.145', :base => 'dc=score, dc=local', :mapping => { 'phone' => 'mobile' }
+            run lambda { |env| [404, {'Content-Type' => 'text/plain'}, [env.key?('omniauth.auth').to_s]] }
+          }.to_app
+        end
+
+        it 'should map user info according to customized mapping' do
+          post('/auth/ldap/callback', {:username => 'ping', :password => 'password'})
+          auth_hash.info.phone.should == '444-444-4444'
+          auth_hash.info.mobile.should == '444-444-4444'
+        end
+      end
     end
   end