fix: make Admin LDAP sign-in work against GLAuth

Three bugs blocked sign-in entirely:

- Login.razor is static-SSR but its form model lacked
  [SupplyParameterFromForm], so the posted username/password never
  bound — SignInAsync saw empty fields and bailed before LDAP was
  contacted. Annotate the model; seed it in OnInitialized since BL0008
  forbids an initializer on a [SupplyParameterFromForm] property.
- appsettings.json ServiceAccountDn used ou=svcaccts, which GLAuth reads
  as a (non-existent) group — the service-account bind failed with
  "Group not found". Use cn=serviceaccount,dc=lmxopcua,dc=local.
- LdapAuthService resolved the user DN by searching (uid=...), but
  GLAuth keys users by cn. Add an LdapOptions.UserNameAttribute knob
  (default cn for GLAuth; set sAMAccountName for Active Directory) and
  use it for the search filter.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -29,6 +29,13 @@ public sealed class LdapOptions
|
||||
public string DisplayNameAttribute { get; set; } = "cn";
|
||||
public string GroupAttribute { get; set; } = "memberOf";
|
||||
|
||||
/// <summary>
|
||||
/// Attribute the service-account search matches the login name against to resolve the
|
||||
/// user's DN. <c>cn</c> for GLAuth (the dev default); set <c>sAMAccountName</c> for
|
||||
/// Active Directory.
|
||||
/// </summary>
|
||||
public string UserNameAttribute { get; set; } = "cn";
|
||||
|
||||
/// <summary>
|
||||
/// Maps LDAP group name → Admin role. Group match is case-insensitive. A user gets every
|
||||
/// role whose source group is in their membership list. Example dev mapping:
|
||||
|
||||
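Review bot: the doc comment on UserNameAttribute should say that the chosen attribute must identify exactly one entry, because the new default "cn" also serves as DisplayNameAttribute on the line above and a display name is not guaranteed to be unique in every directory. Suggest adding that requirement to the summary and having the DN lookup reject a search that returns more than one entry rather than binding as the first match. The summary also calls "cn" "the dev default", so a deployment against Active Directory that forgets to set sAMAccountName will silently search on cn; consider noting in the comment that production configs must set this explicitly. The search-filter change described in the commit message is not in this hunk, so please confirm in LdapAuthService that the login name is escaped for LDAP filter syntax (RFC 4515) before it is combined with this attribute name.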