From 445cc34fb22183f0212ff7e406ce430f97308f30 Mon Sep 17 00:00:00 2001
From: kwagga <janroot@gmail.com>
Date: Fri, 6 Dec 2024 13:25:47 +0100
Subject: [PATCH 1/3] Adds an option to enable sAMAccountname logins when
 upndomain is set

---
 ldap/client.go | 9 +++++++--
 ldap/config.go | 3 +++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ldap/client.go b/ldap/client.go
index 1c131a6..0c1ffd3 100644
--- a/ldap/client.go
+++ b/ldap/client.go
@@ -719,8 +719,13 @@ func (c *Client) getUserDN(bindDN, username string) (string, error) {
 	}
 	var userDN string
 	if c.conf.UPNDomain != "" {
-		// Find the distinguished name for the user if userPrincipalName used for login
-		filter := fmt.Sprintf("(userPrincipalName=%s@%s)", escapeValue(username), c.conf.UPNDomain)
+		// Find the distinguished name for the user if userPrincipalName used for login, or sAMAccountName if enabled.
+		var filter string
+		if c.conf.EnableSamaccountnameLogin {
+			filter = fmt.Sprintf("(|(userPrincipalName=%s@%s)(sAMAccountName=%s))", escapeValue(username), c.conf.UPNDomain, escapeValue(username))
+		} else {
+			filter = fmt.Sprintf("(userPrincipalName=%s@%s)", escapeValue(username), c.conf.UPNDomain)
+		}
 		result, err := c.conn.Search(&ldap.SearchRequest{
 			BaseDN:       c.conf.UserDN,
 			Scope:        ldap.ScopeWholeSubtree,
diff --git a/ldap/config.go b/ldap/config.go
index 6340799..8f05d51 100644
--- a/ldap/config.go
+++ b/ldap/config.go
@@ -230,6 +230,9 @@ type ClientConfig struct {
 	// the pre 1.1.1 Vault behavior.
 	// see: https://www.vaultproject.io/docs/upgrading/upgrade-to-1.1.1
 	DeprecatedVaultPre111GroupCNBehavior *bool `json:"use_pre111_group_cn_behavior"`
+
+	// EnableSamaccountnameLogin enables login with sAMAccountName in addition to UserPrincipalName when upndomain is set.
+	EnableSamaccountnameLogin bool `json:"enable_samaccountname_login"`
 }
 
 func (c *ClientConfig) clone() (*ClientConfig, error) {

From 921b2afd89c2f7bdbe1564d90ccb1a15c3d3b9a1 Mon Sep 17 00:00:00 2001
From: kwagga <janroot@gmail.com>
Date: Fri, 6 Dec 2024 16:31:09 +0100
Subject: [PATCH 2/3] added changelog entry

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0559dbc..122e997 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ Canonical reference for changes, improvements, and bugfixes for cap.
 ## Next
 
 * feat (oidc): add WithVerifier ([PR #141](https://github.com/hashicorp/cap/pull/141))
+* feat (ldap): add an option to enable sAMAccountname logins when upndomain is set ([PR #146](https://github.com/hashicorp/cap/pull/146))
 
 ## 0.7.0
 

From 96d4d16b5df8caabaa27cbd1e817e3165bd46d22 Mon Sep 17 00:00:00 2001
From: kwagga <janroot@gmail.com>
Date: Fri, 13 Dec 2024 17:05:37 +0100
Subject: [PATCH 3/3] Added unit tests for EnableSamaccountnameLogin

---
 ldap/client_exported_test.go | 51 ++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/ldap/client_exported_test.go b/ldap/client_exported_test.go
index 7c7983c..d795f52 100644
--- a/ldap/client_exported_test.go
+++ b/ldap/client_exported_test.go
@@ -458,6 +458,57 @@ func TestClient_Authenticate(t *testing.T) {
 			opts:       []ldap.Option{ldap.WithGroups()},
 			wantGroups: []string{groups[0].DN},
 		},
+		{
+			name:     "success-with-anon-bind-upn-domain-samaccountname",
+			username: "eve",
+			password: "password",
+			clientConfig: &ldap.ClientConfig{
+				URLs:                      []string{fmt.Sprintf("ldaps://127.0.0.1:%d", td.Port())},
+				Certificates:              []string{td.Cert()},
+				DiscoverDN:                true,
+				UserDN:                    testdirectory.DefaultUserDN,
+				GroupDN:                   testdirectory.DefaultGroupDN,
+				UPNDomain:                 "example.com",
+				EnableSamaccountnameLogin: true,
+			},
+			opts:       []ldap.Option{ldap.WithGroups()},
+			wantGroups: []string{groups[0].DN},
+		},
+		{
+			name:     "success-with-anon-bind-upn-domain-empty-userdn-samaccountname",
+			username: "eve",
+			password: "password",
+			clientConfig: &ldap.ClientConfig{
+				URLs:                           []string{fmt.Sprintf("ldaps://127.0.0.1:%d", td.Port())},
+				Certificates:                   []string{td.Cert()},
+				DiscoverDN:                     true,
+				UserDN:                         testdirectory.DefaultUserDN,
+				GroupDN:                        testdirectory.DefaultGroupDN,
+				UPNDomain:                      "example.com",
+				AnonymousGroupSearch:           true,
+				AllowEmptyAnonymousGroupSearch: true,
+				EnableSamaccountnameLogin:      true,
+			},
+			opts:       []ldap.Option{ldap.WithGroups()},
+			wantGroups: []string{groups[0].DN},
+		},
+		{
+			name:     "success-with-anon-bind-upn-domain-empty-userdn-opt-samaccountname",
+			username: "eve",
+			password: "password",
+			clientConfig: &ldap.ClientConfig{
+				URLs:                      []string{fmt.Sprintf("ldaps://127.0.0.1:%d", td.Port())},
+				Certificates:              []string{td.Cert()},
+				DiscoverDN:                true,
+				UserDN:                    testdirectory.DefaultUserDN,
+				GroupDN:                   testdirectory.DefaultGroupDN,
+				UPNDomain:                 "example.com",
+				AnonymousGroupSearch:      true,
+				EnableSamaccountnameLogin: true,
+			},
+			opts:       []ldap.Option{ldap.WithGroups(), ldap.WithEmptyAnonymousGroupSearch()},
+			wantGroups: []string{groups[0].DN},
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {