From 686f0eda5e200a0fa5288b17c5f8e2d4c6e246e0 Mon Sep 17 00:00:00 2001
From: mizzoumatt <69531325+mizzoumatt@users.noreply.github.com>
Date: Mon, 5 May 2025 13:07:35 -0500
Subject: [PATCH] Update ldapauthenticator.py

The code doesn't provide for a search filter when doing get_user_attributes. With more complicated LDAP/Active Directory setups like at a major university this can create a major issue as (objectClass=*) will create problems by resolving multiple entries when the entry tied to objectClass=person would suffice. Changes allow for override of this field.
---
 ldapauthenticator/ldapauthenticator.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
index 78dc628..73b46f4 100644
--- a/ldapauthenticator/ldapauthenticator.py
+++ b/ldapauthenticator/ldapauthenticator.py
@@ -385,6 +385,18 @@ def _observe_escape_userdn(self, change):
 """,
 )
 
+ attributes_search_filter = Unicode(
+ config=True,
+ default_value="(objectClass=*)",
+ allow_none=True,
+ help="""
+ Filter for querying user attributes lookup.
+
+ Default value `'(objectClass=*)'` should be good enough for most
+ use cases.
+ """,
+ )
+
 auth_state_attributes = List(
 config=True,
 help="""
@@ -564,7 +576,7 @@ def get_user_attributes(self, conn, userdn):
 conn.search(
 search_base=userdn,
 search_scope=ldap3.SUBTREE,
- search_filter="(objectClass=*)",
+ search_filter=self.attributes_search_filter,
 attributes=self.auth_state_attributes,
 )
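Review bot: `allow_none=True` on `attributes_search_filter` lets a deployment set the trait to `None`, and the second hunk passes the value unchanged to `conn.search(search_filter=...)`, so a `None` setting would probably fail inside the attribute lookup at login time rather than at config load (how ldap3 treats a `None` filter should be confirmed). Since a default exists and `None` has no documented meaning, drop the `allow_none=True,` line. The help text would also be more useful if it said the filter is used verbatim against `search_base=userdn` to populate `auth_state_attributes` and must be a complete parenthesised filter, e.g. `(objectClass=person)`.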
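Review bot: The lookup in `get_user_attributes` keeps `search_scope=ldap3.SUBTREE` with `search_base=userdn`, so the configured filter only narrows which entries at or below the user's DN match; a filter that still matches more than one entry brings back the multiple-entry case the commit message describes. How the response is reduced to one entry is outside this hunk, so it is worth confirming that code rejects ambiguous results, because these attributes end up in `auth_state` and may drive authorization decisions. A comment above the call such as `# filter comes from admin config only; never interpolate the username here without escape_filter_chars` would record the trust assumption. If only the user's own entry is wanted, `search_scope=ldap3.BASE` may be the more direct fix, though that is a behaviour change to discuss separately.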