Skip to content

Add LDAP BindPasswordFile#929

Open
Rycochet wants to merge 2 commits into
mainfrom
feat/ldap-bind-password-file
Open

Add LDAP BindPasswordFile#929
Rycochet wants to merge 2 commits into
mainfrom
feat/ldap-bind-password-file

Conversation

@Rycochet
Copy link
Copy Markdown
Collaborator

@Rycochet Rycochet commented Jun 8, 2026
edited by coderabbitai Bot
Loading

Fixes #927

Summary by CodeRabbit

  • New Features
    • LDAP bind password can now be supplied via a file path as an alternative to in-config passwords.
  • Bug Fixes / Behavior
    • When a file path is used, the service reads the password before performing the bind so credential sourcing works reliably at runtime.

@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Jun 8, 2026
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Jun 8, 2026
edited
Loading

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 20b3fa04-bfb8-4566-bb6d-715e47288d3a

📥 Commits

Reviewing files that changed from the base of the PR and between 3d28c6e and b90f95a.

📒 Files selected for processing (1)
  • internal/service/ldap_service.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • internal/service/ldap_service.go
📝 Walkthrough

Walkthrough

Adds LDAP bind password file support: configuration gains BindPasswordFile, and the bind path resolves file-based secrets via utils.GetSecret and uses the resolved password for the LDAP bind.

Changes

LDAP bind password file support

Layer / File(s) Summary
LDAP bind password file configuration
internal/model/config.go		 LDAPConfig struct adds BindPasswordFile field (YAML tag bindPasswordFile) to accept a file path for the LDAP bind password.
LDAP password secret resolution
internal/service/ldap_service.go		 Adds internal/utils import; BindService resolves the bind password via utils.GetSecret(...), stores it in LDAP.BindPassword, clears LDAP.BindPasswordFile, then performs the LDAP bind with the resolved secret.

Sequence Diagram

sequenceDiagram
  participant LDAPService
  participant utils
  participant LDAPConn
  LDAPService->>utils: GetSecret(BindPasswordFile or BindPassword)
  utils-->>LDAPService: resolved password
  LDAPService->>LDAPService: set LDAP.Config.LDAP.BindPassword
  LDAPService->>LDAPService: clear LDAP.Config.LDAP.BindPasswordFile
  LDAPService->>LDAPConn: Bind(bindDN, resolved password)
  LDAPConn-->>LDAPService: bind result
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nosed the file where secrets sleep,

A quiet path — no env var peep,
BindPasswordFile spilled its tea,
Resolved, cleared, and bound with glee,
TinyAuth hops safe and neat.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly and accurately describes the main change: adding LDAP BindPasswordFile support as a new configuration option.
Linked Issues check ✅ Passed The PR implements the requested feature: adds BindPasswordFile field to LDAPConfig and integrates file-based password resolution via utils.GetSecret() in BindService, matching issue #927 requirements.
Out of Scope Changes check ✅ Passed All changes are within scope: BindPasswordFile field addition and integration with password resolution logic directly implement the requested Docker secrets support feature.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/ldap-bind-password-file

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@dosubot
Copy link
Copy Markdown

dosubot Bot commented Jun 8, 2026

Related Knowledge

1 document with suggested updates is ready for review.

Tinyauth's Space

In TinyAuth v5, how can you restrict OIDC client access to only users belonging to a specific LDAP group (e.g., "family"), and is there a way to apply this restriction directly on the OIDC client rather than on app-level forward auth?
View Suggested Changes 
@@ -23,6 +23,7 @@
 TINYAUTH_LDAP_ADDRESS=ldap://lldap:3890
 TINYAUTH_LDAP_BINDDN=uid=tinyauth,ou=people,dc=example,dc=com
 TINYAUTH_LDAP_BINDPASSWORD=<password>
+# Alternatively, use TINYAUTH_LDAP_BINDPASSWORDFILE=/path/to/password/file for more secure credential management
 TINYAUTH_LDAP_BASEDN=dc=example,dc=com
 TINYAUTH_LDAP_SEARCHFILTER=(uid=%s)
 TINYAUTH_LDAP_GROUPCACHETTL=900

[Accept] [Edit] [Decline]

How did I do? Any feedback?  Join Discord

coderabbitai[bot]
coderabbitai Bot reviewed Jun 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/service/ldap_service.go`:
- Around line 215-217: The build fails because utils.GetSecret used in
ldap_service.go (the lines assigning ldap.config.LDAP.BindPassword and clearing
BindPasswordFile) is undefined; add the package import
"github.com/tinyauthapp/tinyauth/internal/utils" to the imports in that file so
GetSecret can be referenced (ensure the import is added alongside other imports
and no alias conflicts exist).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 53335dbc-3ea6-46ef-a483-071b5519141b

📥 Commits

Reviewing files that changed from the base of the PR and between 426eac2 and 3d28c6e.

📒 Files selected for processing (2)
  • internal/model/config.go
  • internal/service/ldap_service.go

Comment thread internal/service/ldap_service.go
@codecov
Copy link
Copy Markdown

codecov Bot commented Jun 8, 2026

Codecov Report

❌ Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
internal/service/ldap_service.go 0.00% 3 Missing ⚠️

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size:S This PR changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[FEATURE] Add support for docker secrets for ldap - TINYAUTH_LDAP_BINDPASSWORDFILE

1 participant

@Rycochet