
Merge pull request #7162 from morgan55555/dev

LDAP auth fixes: do not store LDAP password, use default user role on first auth, allow ldap only form.
Timothy Jaeryang Baek 5 months ago
parent
commit
1fcde2272b
2 changed files with 21 additions and 8 deletions
  1. 14 4
      backend/open_webui/apps/webui/routers/auths.py
  2. 7 4
      src/routes/auth/+page.svelte

+ 14 - 4
backend/open_webui/apps/webui/routers/auths.py

@@ -238,10 +238,20 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
 
             user = Users.get_user_by_email(mail)
             if not user:
-
                 try:
-                    hashed = get_password_hash(form_data.password)
-                    user = Auths.insert_new_auth(mail, hashed, cn)
+                    role = (
+                        "admin"
+                        if Users.get_num_users() == 0
+                        else request.app.state.config.DEFAULT_USER_ROLE
+                    )
+
+                    user = Auths.insert_new_auth(
+                        mail,
+                        str(uuid.uuid4()),
+                        cn,
+                        None,
+                        role,
+                    )
 
                     if not user:
                         raise HTTPException(
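Review bot: The placeholder passed to `Auths.insert_new_auth` is the raw `str(uuid.uuid4())`, so the password column now holds an unhashed value where the removed code stored the output of `get_password_hash(...)`. If the local sign-in path (not visible here) verifies against that column, its behaviour on a non-hash value depends on the verifier; storing `get_password_hash(str(uuid.uuid4()))` would keep the column format uniform and the account unusable for password login. Separately, `Users.get_num_users() == 0` followed by the insert is not atomic, so two concurrent first LDAP logins could presumably both receive `"admin"`; a comment such as `# first account on an empty instance becomes admin, same as local signup` would at least make the intent explicit. The new code also relies on `uuid` being imported at the top of the file, which is outside the hunk. The `try` block continues past the end of the hunk.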
@@ -253,7 +263,7 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
                 except Exception as err:
                     raise HTTPException(500, detail=ERROR_MESSAGES.DEFAULT(err))
 
-            user = Auths.authenticate_user(mail, password=str(form_data.password))
+            user = Auths.authenticate_user_by_trusted_header(mail)
 
             if user:
                 token = create_token(
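Review bot: `Auths.authenticate_user_by_trusted_header(mail)` issues a session for whatever account matches `mail` without checking any local credential, so the only gates are the LDAP bind and the origin of `mail`, both of which sit above this hunk. Because `Users.get_user_by_email(mail)` in the previous hunk also matches accounts that were not created through LDAP, a directory entry whose mail attribute equals an existing local account's address would presumably now be signed in as that account, whereas the removed password check made this fail unless the passwords matched. Consider recording the auth source on the account and refusing the link for non-LDAP accounts, or at least documenting the assumption with a comment such as `# mail comes from the directory entry after a successful bind; the mail attribute must not be user-editable`. The function body continues outside the hunk.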

+ 7 - 4
src/routes/auth/+page.svelte

@@ -203,7 +203,7 @@
 								{/if}
 							</div>
 
-							{#if $config?.features.enable_login_form}
+							{#if $config?.features.enable_login_form || $config?.features.enable_ldap}
 								<div class="flex flex-col mt-4">
 									{#if mode === 'signup'}
 										<div class="mb-2">
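Review bot: With `enable_login_form` off and `enable_ldap` on, the new condition `{#if $config?.features.enable_login_form || $config?.features.enable_ldap}` renders the credential fields, but the last hunk hides the mode toggle behind `enable_ldap && enable_login_form`, and none of the hunks changes how `mode` is initialised. If `mode` still starts in the local sign-in mode (its declaration is outside the diff), an LDAP-only deployment would show the e-mail form and submit to the local sign-in handler with no way to switch to `'ldap'`. Initialising `mode` to `'ldap'` when only LDAP is enabled would close that gap. These flags only hide UI, so the backend sign-in route should itself reject local password logins when the login form is disabled.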
@@ -227,6 +227,7 @@
 												type="text"
 												class="my-0.5 w-full text-sm outline-none bg-transparent"
 												autocomplete="username"
+												name="username"
 												placeholder={$i18n.t('Enter Your Username')}
 												required
 											/>
@@ -239,6 +240,7 @@
 												type="email"
 												class="my-0.5 w-full text-sm outline-none bg-transparent"
 												autocomplete="email"
+												name="email"
 												placeholder={$i18n.t('Enter Your Email')}
 												required
 											/>
@@ -254,13 +256,14 @@
 											class="my-0.5 w-full text-sm outline-none bg-transparent"
 											placeholder={$i18n.t('Enter Your Password')}
 											autocomplete="current-password"
+											name="current-password"
 											required
 										/>
 									</div>
 								</div>
 							{/if}
 							<div class="mt-5">
-								{#if $config?.features.enable_login_form}
+								{#if $config?.features.enable_login_form || $config?.features.enable_ldap}
 									{#if mode === 'ldap'}
 										<button
 											class="bg-gray-700/5 hover:bg-gray-700/10 dark:bg-gray-100/5 dark:hover:bg-gray-100/10 dark:text-gray-300 dark:hover:text-white transition w-full rounded-full font-medium text-sm py-2.5"
@@ -309,7 +312,7 @@
 						{#if Object.keys($config?.oauth?.providers ?? {}).length > 0}
 							<div class="inline-flex items-center justify-center w-full">
 								<hr class="w-32 h-px my-4 border-0 dark:bg-gray-100/10 bg-gray-700/10" />
-								{#if $config?.features.enable_login_form}
+								{#if $config?.features.enable_login_form || $config?.features.enable_ldap}
 									<span
 										class="px-3 text-sm font-medium text-gray-900 dark:text-white bg-transparent"
 										>{$i18n.t('or')}</span
@@ -401,7 +404,7 @@
 							</div>
 						{/if}
 
-						{#if $config?.features.enable_ldap}
+						{#if $config?.features.enable_ldap && $config?.features.enable_login_form}
 							<div class="mt-2">
 								<button
 									class="flex justify-center items-center text-xs w-full text-center underline"