release: 0.6.1

Neither supports limits, but we can delete all the duplicate memberships and re-insert a single one

.devcontainer/Dockerfile

@@ -1,7 +1,9 @@
-FROM rust:1.66
+FROM rust:1.74
 
 ARG USERNAME=lldapdev
-ARG USER_UID=1000
+# We need to keep the user as 1001 to match the GitHub runner's UID.
+# See https://github.com/actions/checkout/issues/956.
+ARG USER_UID=1001
 ARG USER_GID=$USER_UID
 
 # Create the user
@@ -21,4 +23,4 @@ RUN RUSTFLAGS=-Ctarget-feature=-crt-static cargo install wasm-pack \
 
 USER $USERNAME
 ENV CARGO_HOME=/home/$USERNAME/.cargo
-ENV SHELL=/bin/bash
+ENV SHELL=/bin/bash

.dockerignore

@@ -2,6 +2,7 @@
 .git/*
 .github/*
 .gitignore
+.gitattributes
 
 # Don't track cargo generated files
 target/*
@@ -17,6 +18,7 @@ Dockerfile
 *.md
 LICENSE
 CHANGELOG.md
+README.md
 docs/*
 example_configs/*
 
@@ -32,12 +34,20 @@ package.json
 .vscode
 .devcontainer
 
+# Created databases
+*.db
+*.db-shm
+*.db-wal
+
+# These are backup files generated by rustfmt
+**/*.rs.bk
+
 # Various config files that shouldn't be tracked
 .env
 lldap_config.toml
 server_key
-users.db*
 screenshot.png
 recipe.json
+lldap_config.toml
 cert.pem
 key.pem

.gitattributes

@@ -0,0 +1,10 @@
+example_configs/** linguist-documentation
+docs/** linguist-documentation
+*.md linguist-documentation
+lldap_config.docker_template.toml linguist-documentation
+
+schema.graphql linguist-generated
+
+.github/**  -linguist-detectable
+.devcontainer/**  -linguist-detectable
+.config/**  -linguist-detectable

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @nitnelave

.github/FUNDING.yml

@@ -0,0 +1,5 @@
+# These are supported funding model platforms
+
+github: [lldap]
+
+custom: ['https://bmc.link/nitnelave']

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,29 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Logs**
+If applicable, add logs to explain the problem.
+LLDAP should be started in verbose mode (`LLDAP_VERBOSE=true` env variable, or `verbose = true` in the config). Include the logs in triple-backtick "```"
+If integrating with another service, please add its configuration (paste it or screenshot it) as well as any useful logs or screenshots (showing the error, for instance).
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[FEATURE REQUEST]"
+labels: enhancement
+assignees: ''
+
+---
+
+**Motivation**
+Why do you want the feature? What problem do you have, what use cases would it enable?
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered. You can include workarounds that are currently possible.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/integration-request.md

@@ -0,0 +1,25 @@
+---
+name: Integration request
+about: Request for integration with a service
+title: "[INTEGRATION]"
+labels: integration
+assignees: ''
+
+---
+
+**Checklist**
+- [ ] Check if there is already an [example config](https://github.com/lldap/lldap/tree/main/example_configs) for it.
+- [ ] Try to figure out the configuration values for the new service yourself.
+  - You can use other example configs for inspiration.
+  - If you're having trouble, you can ask on [Discord](https://discord.gg/h5PEdRMNyP) or create an issue.
+  - If you succeed, make sure to contribute an example configuration, or a configuration guide.
+- If you hit a block because of an unimplemented feature, create an issue.
+
+**Description of the service**
+Quick summary of what the service is and how it's using LDAP. Link to the service's documentation on configuring LDAP.
+
+**What you've tried**
+A sample configuration that you've tried.
+
+**What's not working**
+Error logs, error screenshots, features that are not working, missing features.

.github/codecov.yml

@@ -1,12 +1,23 @@
 codecov:
   require_ci_to_pass: yes
 comment:
-  layout: "diff,flags"
+  layout: "header,diff,files"
   require_changes: true
   require_base: true
   require_head: true
+coverage:
+  status:
+    project:
+      default:
+        target: "75%"
+        threshold: "0.1%"
+        removed_code_behavior: adjust_base
+github_checks:
+  annotations: true
 ignore:
   - "app"
   - "docs"
   - "example_configs"
   - "migration-tool"
+  - "scripts"
+  - "set-password"

.github/workflows/Dockerfile.ci.alpine

@@ -1,72 +1,6 @@
-FROM debian:bullseye AS lldap
-ARG DEBIAN_FRONTEND=noninteractive
-ARG TARGETPLATFORM
-RUN apt update && apt install -y wget
-WORKDIR /dim
-COPY bin/ bin/
-COPY web/ web/
-
-RUN mkdir -p target/
-RUN mkdir -p /lldap/app
-
-RUN if [ "${TARGETPLATFORM}" = "linux/amd64" ]; then \
-    mv bin/x86_64-unknown-linux-musl-lldap-bin/lldap target/lldap && \
-    mv bin/x86_64-unknown-linux-musl-migration-tool-bin/migration-tool target/migration-tool && \
-    mv bin/x86_64-unknown-linux-musl-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
-    chmod +x target/lldap && \
-    chmod +x target/migration-tool && \
-    chmod +x target/lldap_set_password && \
-    ls -la target/ . && \
-    pwd \
-    ; fi
-
-RUN if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
-    mv bin/aarch64-unknown-linux-musl-lldap-bin/lldap target/lldap && \
-    mv bin/aarch64-unknown-linux-musl-migration-tool-bin/migration-tool target/migration-tool && \
-    mv bin/aarch64-unknown-linux-musl-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
-    chmod +x target/lldap && \
-    chmod +x target/migration-tool && \
-    chmod +x target/lldap_set_password && \
-    ls -la target/ . && \
-    pwd \
-    ; fi
-
-RUN if [ "${TARGETPLATFORM}" = "linux/arm/v7" ]; then \
-    mv bin/armv7-unknown-linux-gnueabihf-lldap-bin/lldap target/lldap && \
-    mv bin/armv7-unknown-linux-gnueabihf-migration-tool-bin/migration-tool target/migration-tool && \
-    mv bin/armv7-unknown-linux-gnueabihf-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
-    chmod +x target/lldap && \
-    chmod +x target/migration-tool && \
-    chmod +x target/lldap_set_password && \
-    ls -la target/ . && \
-    pwd \
-    ; fi
-
-# Web and App dir
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-COPY lldap_config.docker_template.toml /lldap/
-COPY web/index_local.html web/index.html
-RUN cp target/lldap /lldap/ && \
-    cp target/migration-tool /lldap/ && \
-    cp target/lldap_set_password /lldap/ && \
-    cp -R web/index.html \
-          web/pkg \
-          web/static \
-          /lldap/app/
-
-WORKDIR /lldap
-RUN set -x \
-    && for file in $(cat /lldap/app/static/libraries.txt); do wget -P app/static "$file"; done \
-    && for file in $(cat /lldap/app/static/fonts/fonts.txt); do wget -P app/static/fonts "$file"; done \
-    && chmod a+r -R .
-
-FROM alpine:3.16
-WORKDIR /app
-ENV UID=1000
-ENV GID=1000
-ENV USER=lldap
-ENV GOSU_VERSION 1.14
-# Fetch gosu from git
+FROM localhost:5000/lldap/lldap:alpine-base
+# Taken directly from https://github.com/tianon/gosu/blob/master/INSTALL.md
+ENV GOSU_VERSION 1.17
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -83,7 +17,7 @@ RUN set -eux; \
 	export GNUPGHOME="$(mktemp -d)"; \
 	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
 	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-	command -v gpgconf && gpgconf --kill all || :; \
+	gpgconf --kill all; \
 	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
 	\
 # clean up fetch dependencies
@@ -93,22 +27,4 @@ RUN set -eux; \
 # verify that the binary works
 	gosu --version; \
 	gosu nobody true
-RUN apk add --no-cache tini ca-certificates bash tzdata && \
-    addgroup -g $GID $USER && \
-    adduser \
-    --disabled-password \
-    --gecos "" \
-    --home "$(pwd)" \
-    --ingroup "$USER" \
-    --no-create-home \
-    --uid "$UID" \
-    "$USER" && \
-    mkdir -p /data && \
-    chown $USER:$USER /data
-COPY --from=lldap --chown=$USER:$USER /lldap /app
-COPY --from=lldap --chown=$USER:$USER /docker-entrypoint.sh /docker-entrypoint.sh
-VOLUME ["/data"]
-WORKDIR /app
-ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]
-CMD ["run", "--config-file", "/data/lldap_config.toml"]
-HEALTHCHECK CMD ["/app/lldap", "healthcheck", "--config-file", "/data/lldap_config.toml"]
+COPY --chown=$USER:$USER docker-entrypoint.sh /docker-entrypoint.sh

.github/workflows/Dockerfile.ci.alpine-base

@@ -0,0 +1,85 @@
+FROM debian:bullseye AS lldap
+ARG DEBIAN_FRONTEND=noninteractive
+ARG TARGETPLATFORM
+RUN apt update && apt install -y wget
+WORKDIR /dim
+COPY bin/ bin/
+COPY web/ web/
+
+RUN mkdir -p target/
+RUN mkdir -p /lldap/app
+
+RUN if [ "${TARGETPLATFORM}" = "linux/amd64" ]; then \
+    mv bin/x86_64-unknown-linux-musl-lldap-bin/lldap target/lldap && \
+    mv bin/x86_64-unknown-linux-musl-lldap_migration_tool-bin/lldap_migration_tool target/lldap_migration_tool && \
+    mv bin/x86_64-unknown-linux-musl-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
+    chmod +x target/lldap && \
+    chmod +x target/lldap_migration_tool && \
+    chmod +x target/lldap_set_password && \
+    ls -la target/ . && \
+    pwd \
+    ; fi
+
+RUN if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
+    mv bin/aarch64-unknown-linux-musl-lldap-bin/lldap target/lldap && \
+    mv bin/aarch64-unknown-linux-musl-lldap_migration_tool-bin/lldap_migration_tool target/lldap_migration_tool && \
+    mv bin/aarch64-unknown-linux-musl-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
+    chmod +x target/lldap && \
+    chmod +x target/lldap_migration_tool && \
+    chmod +x target/lldap_set_password && \
+    ls -la target/ . && \
+    pwd \
+    ; fi
+
+RUN if [ "${TARGETPLATFORM}" = "linux/arm/v7" ]; then \
+    mv bin/armv7-unknown-linux-musleabihf-lldap-bin/lldap target/lldap && \
+    mv bin/armv7-unknown-linux-musleabihf-lldap_migration_tool-bin/lldap_migration_tool target/lldap_migration_tool && \
+    mv bin/armv7-unknown-linux-musleabihf-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
+    chmod +x target/lldap && \
+    chmod +x target/lldap_migration_tool && \
+    chmod +x target/lldap_set_password && \
+    ls -la target/ . && \
+    pwd \
+    ; fi
+
+# Web and App dir
+COPY lldap_config.docker_template.toml /lldap/
+COPY web/index_local.html web/index.html
+RUN cp target/lldap /lldap/ && \
+    cp target/lldap_migration_tool /lldap/ && \
+    cp target/lldap_set_password /lldap/ && \
+    cp -R web/index.html \
+          web/pkg \
+          web/static \
+          /lldap/app/
+
+WORKDIR /lldap
+RUN set -x \
+    && for file in $(cat /lldap/app/static/libraries.txt); do wget -P app/static "$file"; done \
+    && for file in $(cat /lldap/app/static/fonts/fonts.txt); do wget -P app/static/fonts "$file"; done \
+    && chmod a+r -R .
+
+FROM alpine:3.19
+WORKDIR /app
+ENV UID=1000
+ENV GID=1000
+ENV USER=lldap
+RUN apk add --no-cache tini ca-certificates bash tzdata jq curl jo && \
+    addgroup -g $GID $USER && \
+    adduser \
+    --disabled-password \
+    --gecos "" \
+    --home "$(pwd)" \
+    --ingroup "$USER" \
+    --no-create-home \
+    --uid "$UID" \
+    "$USER" && \
+    mkdir -p /data && \
+    chown $USER:$USER /data
+COPY --from=lldap --chown=$USER:$USER /lldap /app
+VOLUME ["/data"]
+HEALTHCHECK CMD ["/app/lldap", "healthcheck", "--config-file", "/data/lldap_config.toml"]
+WORKDIR /app
+COPY scripts/bootstrap.sh ./
+ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]
+CMD ["run", "--config-file", "/data/lldap_config.toml"]

.github/workflows/Dockerfile.ci.alpine-rootless

@@ -0,0 +1,3 @@
+FROM localhost:5000/lldap/lldap:alpine-base
+COPY --chown=$USER:$USER docker-entrypoint-rootless.sh /docker-entrypoint.sh
+USER $USER

.github/workflows/Dockerfile.ci.debian

@@ -1,79 +1,31 @@
-FROM debian:bullseye AS lldap
-ARG DEBIAN_FRONTEND=noninteractive
-ARG TARGETPLATFORM
-RUN apt update && apt install -y wget
-WORKDIR /dim
-COPY bin/ bin/
-COPY web/ web/
-
-RUN mkdir -p target/
-RUN mkdir -p /lldap/app
-
-RUN if [ "${TARGETPLATFORM}" = "linux/amd64" ]; then \
-    mv bin/x86_64-unknown-linux-musl-lldap-bin/lldap target/lldap && \
-    mv bin/x86_64-unknown-linux-musl-migration-tool-bin/migration-tool target/migration-tool && \
-    mv bin/x86_64-unknown-linux-musl-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
-    chmod +x target/lldap && \
-    chmod +x target/migration-tool && \
-    chmod +x target/lldap_set_password && \
-    ls -la target/ . && \
-    pwd \
-    ; fi
-
-RUN if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
-    mv bin/aarch64-unknown-linux-musl-lldap-bin/lldap target/lldap && \
-    mv bin/aarch64-unknown-linux-musl-migration-tool-bin/migration-tool target/migration-tool && \
-    mv bin/aarch64-unknown-linux-musl-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
-    chmod +x target/lldap && \
-    chmod +x target/migration-tool && \
-    chmod +x target/lldap_set_password && \
-    ls -la target/ . && \
-    pwd \
-    ; fi
-
-RUN if [ "${TARGETPLATFORM}" = "linux/arm/v7" ]; then \
-    mv bin/armv7-unknown-linux-gnueabihf-lldap-bin/lldap target/lldap && \
-    mv bin/armv7-unknown-linux-gnueabihf-migration-tool-bin/migration-tool target/migration-tool && \
-    mv bin/armv7-unknown-linux-gnueabihf-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
-    chmod +x target/lldap && \
-    chmod +x target/migration-tool && \
-    chmod +x target/lldap_set_password && \
-    ls -la target/ . && \
-    pwd \
-    ; fi
-
-# Web and App dir
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-COPY lldap_config.docker_template.toml /lldap/
-COPY web/index_local.html web/index.html
-RUN cp target/lldap /lldap/ && \
-    cp target/migration-tool /lldap/ && \
-    cp target/lldap_set_password /lldap/ && \
-    cp -R web/index.html \
-          web/pkg \
-          web/static \
-          /lldap/app/
-
-WORKDIR /lldap
-RUN set -x \
-    && for file in $(cat /lldap/app/static/libraries.txt); do wget -P app/static "$file"; done \
-    && for file in $(cat /lldap/app/static/fonts/fonts.txt); do wget -P app/static/fonts "$file"; done \
-    && chmod a+r -R .
-
-FROM debian:bullseye-slim
-ENV UID=1000
-ENV GID=1000
-ENV USER=lldap
-RUN apt update && \
-    apt install -y --no-install-recommends tini openssl ca-certificates gosu tzdata && \
-    apt clean && \
-    rm -rf /var/lib/apt/lists/* && \
-    groupadd -g $GID $USER && useradd --system -m -g $USER --uid $UID $USER && \
-    mkdir -p /data && chown $USER:$USER /data
-COPY --from=lldap --chown=$USER:$USER /lldap /app
-COPY --from=lldap --chown=$USER:$USER /docker-entrypoint.sh /docker-entrypoint.sh
-VOLUME ["/data"]
-WORKDIR /app
-ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]
-CMD ["run", "--config-file", "/data/lldap_config.toml"]
-HEALTHCHECK CMD ["/app/lldap", "healthcheck", "--config-file", "/data/lldap_config.toml"]
+FROM localhost:5000/lldap/lldap:debian-base
+# Taken directly from https://github.com/tianon/gosu/blob/master/INSTALL.md
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+# save list of currently installed packages for later so we can clean up
+	savedAptMark="$(apt-mark showmanual)"; \
+	apt-get update; \
+	apt-get install -y --no-install-recommends ca-certificates gnupg wget; \
+	rm -rf /var/lib/apt/lists/*; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apt-mark auto '.*' > /dev/null; \
+	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
+	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+COPY --chown=$USER:$USER docker-entrypoint.sh /docker-entrypoint.sh

.github/workflows/Dockerfile.ci.debian-base

@@ -0,0 +1,80 @@
+FROM debian:bullseye AS lldap
+ARG DEBIAN_FRONTEND=noninteractive
+ARG TARGETPLATFORM
+RUN apt update && apt install -y wget
+WORKDIR /dim
+COPY bin/ bin/
+COPY web/ web/
+
+RUN mkdir -p target/
+RUN mkdir -p /lldap/app
+
+RUN if [ "${TARGETPLATFORM}" = "linux/amd64" ]; then \
+    mv bin/x86_64-unknown-linux-musl-lldap-bin/lldap target/lldap && \
+    mv bin/x86_64-unknown-linux-musl-lldap_migration_tool-bin/lldap_migration_tool target/lldap_migration_tool && \
+    mv bin/x86_64-unknown-linux-musl-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
+    chmod +x target/lldap && \
+    chmod +x target/lldap_migration_tool && \
+    chmod +x target/lldap_set_password && \
+    ls -la target/ . && \
+    pwd \
+    ; fi
+
+RUN if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
+    mv bin/aarch64-unknown-linux-musl-lldap-bin/lldap target/lldap && \
+    mv bin/aarch64-unknown-linux-musl-lldap_migration_tool-bin/lldap_migration_tool target/lldap_migration_tool && \
+    mv bin/aarch64-unknown-linux-musl-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
+    chmod +x target/lldap && \
+    chmod +x target/lldap_migration_tool && \
+    chmod +x target/lldap_set_password && \
+    ls -la target/ . && \
+    pwd \
+    ; fi
+
+RUN if [ "${TARGETPLATFORM}" = "linux/arm/v7" ]; then \
+    mv bin/armv7-unknown-linux-musleabihf-lldap-bin/lldap target/lldap && \
+    mv bin/armv7-unknown-linux-musleabihf-lldap_migration_tool-bin/lldap_migration_tool target/lldap_migration_tool && \
+    mv bin/armv7-unknown-linux-musleabihf-lldap_set_password-bin/lldap_set_password target/lldap_set_password && \
+    chmod +x target/lldap && \
+    chmod +x target/lldap_migration_tool && \
+    chmod +x target/lldap_set_password && \
+    ls -la target/ . && \
+    pwd \
+    ; fi
+
+# Web and App dir
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+COPY lldap_config.docker_template.toml /lldap/
+COPY web/index_local.html web/index.html
+RUN cp target/lldap /lldap/ && \
+    cp target/lldap_migration_tool /lldap/ && \
+    cp target/lldap_set_password /lldap/ && \
+    cp -R web/index.html \
+          web/pkg \
+          web/static \
+          /lldap/app/
+
+WORKDIR /lldap
+RUN set -x \
+    && for file in $(cat /lldap/app/static/libraries.txt); do wget -P app/static "$file"; done \
+    && for file in $(cat /lldap/app/static/fonts/fonts.txt); do wget -P app/static/fonts "$file"; done \
+    && chmod a+r -R .
+
+FROM debian:bullseye-slim
+ENV UID=1000
+ENV GID=1000
+ENV USER=lldap
+RUN apt update && \
+    apt install -y --no-install-recommends tini openssl ca-certificates tzdata jq curl jo && \
+    apt clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    groupadd -g $GID $USER && useradd --system -m -g $USER --uid $UID $USER && \
+    mkdir -p /data && chown $USER:$USER /data
+COPY --from=lldap --chown=$USER:$USER /lldap /app
+COPY --from=lldap --chown=$USER:$USER /docker-entrypoint.sh /docker-entrypoint.sh
+VOLUME ["/data"]
+WORKDIR /app
+COPY scripts/bootstrap.sh ./
+ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]
+CMD ["run", "--config-file", "/data/lldap_config.toml"]
+HEALTHCHECK CMD ["/app/lldap", "healthcheck", "--config-file", "/data/lldap_config.toml"]

.github/workflows/Dockerfile.ci.debian-rootless

@@ -0,0 +1,3 @@
+FROM localhost:5000/lldap/lldap:debian-base
+COPY --chown=$USER:$USER docker-entrypoint-rootless.sh /docker-entrypoint.sh
+USER $USER

.github/workflows/Dockerfile.dev

@@ -1,45 +1,41 @@
 # Keep tracking base image
-FROM rust:1.66-slim-bullseye
+FROM rust:1.81-slim-bookworm
 
 # Set needed env path
-ENV PATH="/opt/aarch64-linux-musl-cross/:/opt/aarch64-linux-musl-cross/bin/:/opt/x86_64-linux-musl-cross/:/opt/x86_64-linux-musl-cross/bin/:$PATH"
+ENV PATH="/opt/armv7l-linux-musleabihf-cross/:/opt/armv7l-linux-musleabihf-cross/bin/:/opt/aarch64-linux-musl-cross/:/opt/aarch64-linux-musl-cross/bin/:/opt/x86_64-linux-musl-cross/:/opt/x86_64-linux-musl-cross/bin/:$PATH"
 
-### Install build deps x86_64
+# Set building env
+ENV CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse \
+    CARGO_NET_GIT_FETCH_WITH_CLI=true \
+    CARGO_TARGET_ARMV7_UNKNOWN_LINUX_MUSLEABIHF_LINKER=armv7l-linux-musleabihf-gcc \
+    CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=aarch64-linux-musl-gcc \
+    CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=x86_64-linux-musl-gcc \
+    CC_armv7_unknown_linux_musleabihf=armv7l-linux-musleabihf-gcc \
+    CC_x86_64_unknown_linux_musl=x86_64-linux-musl-gcc \
+    CC_aarch64_unknown_linux_musl=aarch64-linux-musl-gcc
+
+### Install Additional Build Tools
 RUN apt update && \
-    apt install -y --no-install-recommends curl git wget build-essential make perl pkg-config curl tar jq musl-tools gzip && \
-    curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
-    apt update && \
-    apt install -y --no-install-recommends nodejs && \
+    apt install -y --no-install-recommends curl git wget make perl pkg-config tar jq gzip && \
     apt clean && \
     rm -rf /var/lib/apt/lists/*
-
-### Install build deps aarch64 build
-RUN dpkg --add-architecture arm64 && \
-    apt update && \
-    apt install -y gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libc6-arm64-cross libc6-dev-arm64-cross gzip && \
-    apt clean && \
-    rm -rf /var/lib/apt/lists/* && \
-    rustup target add aarch64-unknown-linux-gnu
-
-### armhf deps
-RUN dpkg --add-architecture armhf && \
-    apt update && \
-    apt install -y gcc-arm-linux-gnueabihf g++-arm-linux-gnueabihf libc6-armhf-cross libc6-dev-armhf-cross gzip && \
-    apt clean && \
-    rm -rf /var/lib/apt/lists/* && \
-    rustup target add armv7-unknown-linux-gnueabihf
-
-### Add musl-gcc aarch64 and x86_64
+     
+### Add musl-gcc aarch64, x86_64 and armv7l
 RUN wget -c https://musl.cc/x86_64-linux-musl-cross.tgz && \
     tar zxf ./x86_64-linux-musl-cross.tgz -C /opt && \
     wget -c https://musl.cc/aarch64-linux-musl-cross.tgz && \
     tar zxf ./aarch64-linux-musl-cross.tgz -C /opt && \
+    wget -c http://musl.cc/armv7l-linux-musleabihf-cross.tgz && \
+    tar zxf ./armv7l-linux-musleabihf-cross.tgz -C /opt && \
     rm ./x86_64-linux-musl-cross.tgz && \
-    rm ./aarch64-linux-musl-cross.tgz
+    rm ./aarch64-linux-musl-cross.tgz && \
+    rm ./armv7l-linux-musleabihf-cross.tgz
 
 ### Add musl target
 RUN rustup target add x86_64-unknown-linux-musl && \
-    rustup target add aarch64-unknown-linux-musl
+    rustup target add aarch64-unknown-linux-musl && \
+    rustup target add armv7-unknown-linux-musleabihf && \
+    rustup target add x86_64-unknown-freebsd
 
 
 CMD ["bash"]

.github/workflows/docker-build-static.yml

@@ -4,12 +4,18 @@ on:
   push:
     branches:
       - 'main'
+    paths-ignore:
+      - 'docs/**'
+      - 'example_configs/**'
   release:
     types:
       - 'published'
   pull_request:
     branches:
       - 'main'
+    paths-ignore:
+      - 'docs/**'
+      - 'example_configs/**'
   workflow_dispatch:
     inputs:
       msg:
@@ -24,7 +30,6 @@ env:
 
 # build-ui , create/compile the web
 ### install wasm
-### install rollup
 ### run app/build.sh
 ### upload artifacts
 
@@ -34,10 +39,10 @@ env:
 # GitHub actions randomly timeout when downloading musl-gcc, using custom dev image   #
 # Look into .github/workflows/Dockerfile.dev for development image details            #
 # Using lldap dev image based on https://hub.docker.com/_/rust and musl-gcc bundled   #
+# lldap/rust-dev                                                                      #
 #######################################################################################
-### Cargo build
-### aarch64 and amd64 is musl based
-### armv7 is glibc based, musl had issue with time_t when cross compile https://github.com/rust-lang/libc/issues/1848
+# Cargo build
+### armv7, aarch64 and amd64 is musl based
 
 # build-ui,builds-armhf, build-aarch64, build-amd64 will upload artifacts will be used next job
 
@@ -45,12 +50,11 @@ env:
 ### will run lldap with postgres, mariadb and sqlite backend, do selfcheck command.
 
 # Build docker image
-### Triplet docker image arch with debian base
-### amd64 & aarch64 with alpine base
+### Triplet docker image arch with debian and alpine base
 # build-docker-image job will fetch artifacts and run Dockerfile.ci then push the image.
 ### Look into .github/workflows/Dockerfile.ci.debian or .github/workflowds/Dockerfile.ci.alpine
 
-# create release artifacts
+# Create release artifacts
 ### Fetch artifacts
 ### Clean up web artifact
 ### Setup folder structure
@@ -60,14 +64,31 @@ env:
 # cache based on Cargo.lock per cargo target
 
 jobs:
+  pre_job:
+    continue-on-error: true
+    runs-on: ubuntu-latest
+    outputs:
+      should_skip: ${{ steps.skip_check.outputs.should_skip }}
+    steps:
+      - id: skip_check
+        uses: fkirc/skip-duplicate-actions@master
+        with:
+          concurrent_skipping: 'outdated_runs'
+          skip_after_successful_duplicate: ${{ github.ref != 'refs/heads/main' }}
+          paths_ignore: '["**/*.md", "**/docs/**", "example_configs/**", "*.sh", ".gitignore", "lldap_config.docker_template.toml"]'
+          do_not_skip: '["workflow_dispatch", "schedule"]'
+          cancel_others: true
+
   build-ui:
     runs-on: ubuntu-latest
+    needs: pre_job
+    if: ${{ needs.pre_job.outputs.should_skip != 'true' || github.event_name == 'release' }}
     container:
-      image: nitnelave/rust-dev:latest
+      image: lldap/rust-dev:v81
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3.5.0
-      - uses: actions/cache@v3
+        uses: actions/checkout@v4.2.2
+      - uses: actions/cache@v4
         with:
           path: |
             /usr/local/cargo/bin
@@ -78,8 +99,6 @@ jobs:
           key: lldap-ui-${{ hashFiles('**/Cargo.lock') }}
           restore-keys: |
             lldap-ui-
-      - name: Install rollup (nodejs)
-        run: npm install -g rollup
       - name: Add wasm target (rust)
         run: rustup target add wasm32-unknown-unknown
       - name: Install wasm-pack with cargo
@@ -91,7 +110,7 @@ jobs:
       - name: Check build path
         run: ls -al app/
       - name: Upload ui artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ui
           path: app/
@@ -99,22 +118,22 @@ jobs:
 
   build-bin:
     runs-on: ubuntu-latest
+    needs: pre_job
+    if: ${{ needs.pre_job.outputs.should_skip != 'true' || github.event_name == 'release' }}
     strategy:
+      fail-fast: false
       matrix:
-        target: [armv7-unknown-linux-gnueabihf, aarch64-unknown-linux-musl, x86_64-unknown-linux-musl]
+        target: [armv7-unknown-linux-musleabihf, aarch64-unknown-linux-musl, x86_64-unknown-linux-musl]
     container:
-      image: nitnelave/rust-dev:latest
+      image: lldap/rust-dev:v81
       env:
-        CARGO_TARGET_ARMV7_UNKNOWN_LINUX_GNUEABIHF_LINKER: arm-linux-gnueabihf-gcc
-        CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER: aarch64-linux-musl-gcc
-        CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER: x86_64-linux-musl-gcc
         CARGO_TERM_COLOR: always
         RUSTFLAGS: -Ctarget-feature=+crt-static
         CARGO_HOME: ${GITHUB_WORKSPACE}/.cargo
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3.5.0
-      - uses: actions/cache@v3
+        uses: actions/checkout@v4.2.2
+      - uses: actions/cache@v4
         with:
           path: |
             .cargo/bin
@@ -126,28 +145,28 @@ jobs:
           restore-keys: |
             lldap-bin-${{ matrix.target }}-
       - name: Compile ${{ matrix.target }} lldap and tools
-        run: cargo build --target=${{ matrix.target }} --release -p lldap -p migration-tool -p lldap_set_password
+        run: cargo build --target=${{ matrix.target }} --release -p lldap -p lldap_migration_tool -p lldap_set_password
       - name: Check path
         run: ls -al target/release
       - name: Upload ${{ matrix.target}} lldap artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.target}}-lldap-bin
           path: target/${{ matrix.target }}/release/lldap
       - name: Upload ${{ matrix.target }} migration tool artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: ${{ matrix.target }}-migration-tool-bin
-          path: target/${{ matrix.target }}/release/migration-tool
+          name: ${{ matrix.target }}-lldap_migration_tool-bin
+          path: target/${{ matrix.target }}/release/lldap_migration_tool
       - name: Upload ${{ matrix.target }} password tool artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.target }}-lldap_set_password-bin
           path: target/${{ matrix.target }}/release/lldap_set_password
 
-  lldap-database-integration-test:
+  lldap-database-init-test:
     needs: [build-ui,build-bin]
-    name: LLDAP test
+    name: LLDAP database init test
     runs-on: ubuntu-latest
     services:
         mariadb:
@@ -155,10 +174,13 @@ jobs:
           ports:
             - 3306:3306
           env:
-            MYSQL_USER: lldapuser
-            MYSQL_PASSWORD: lldappass
-            MYSQL_DATABASE: lldap
-            MYSQL_ROOT_PASSWORD: rootpass
+            MARIADB_USER: lldapuser
+            MARIADB_PASSWORD: lldappass
+            MARIADB_DATABASE: lldap
+            MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: 1
+          options: >-
+            --name mariadb
+            --health-cmd="mariadb-admin ping" --health-interval=5s --health-timeout=2s --health-retries=3
 
         postgresql:
            image: postgres:latest
@@ -168,15 +190,20 @@ jobs:
              POSTGRES_USER: lldapuser
              POSTGRES_PASSWORD: lldappass
              POSTGRES_DB: lldap
+           options: >-
+             --health-cmd pg_isready
+             --health-interval 10s
+             --health-timeout 5s
+             --health-retries 5
+             --name postgresql
 
     steps:
        - name: Download artifacts
-         uses: actions/download-artifact@v3
+         uses: actions/download-artifact@v4
          with:
            name: x86_64-unknown-linux-musl-lldap-bin
            path: bin/
-       - name: Where is the bin?
-         run: ls -alR bin
+
        - name: Set executables to LLDAP
          run: chmod +x bin/lldap
 
@@ -212,123 +239,422 @@ jobs:
            LLDAP_ldap_port: 3892
            LLDAP_http_port: 17172
 
+       - name: Check DB container logs
+         run: |
+              docker logs -n 20 mariadb
+              docker logs -n 20 postgresql
 
+  lldap-database-migration-test:
+    needs: [build-ui,build-bin]
+    name: LLDAP database migration test
+    runs-on: ubuntu-latest
+    services:
+        postgresql:
+           image: postgres:latest
+           ports:
+             - 5432:5432
+           env:
+             POSTGRES_USER: lldapuser
+             POSTGRES_PASSWORD: lldappass
+             POSTGRES_DB: lldap
+           options: >-
+             --health-cmd pg_isready
+             --health-interval 10s
+             --health-timeout 5s
+             --health-retries 5
+             --name postgresql
+
+        mariadb:
+          image: mariadb:latest
+          ports:
+            - 3306:3306
+          env:
+            MARIADB_USER: lldapuser
+            MARIADB_PASSWORD: lldappass
+            MARIADB_DATABASE: lldap
+            MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: 1
+          options: >-
+            --name mariadb
+            --health-cmd="mariadb-admin ping" --health-interval=5s --health-timeout=2s --health-retries=3
+
+
+        mysql:
+          image: mysql:latest
+          ports:
+            - 3307:3306
+          env:
+            MYSQL_USER: lldapuser
+            MYSQL_PASSWORD: lldappass
+            MYSQL_DATABASE: lldap
+            MYSQL_ALLOW_EMPTY_PASSWORD: 1
+          options: >-
+            --name mysql
+            --health-cmd="mysqladmin ping" --health-interval=5s --health-timeout=2s --health-retries=3
+
+
+    steps:
+       - name: Checkout scripts
+         uses: actions/checkout@v4.2.2
+         with:
+           sparse-checkout: 'scripts'
+
+       - name: Download LLDAP artifacts
+         uses: actions/download-artifact@v4
+         with:
+           name: x86_64-unknown-linux-musl-lldap-bin
+           path: bin/
+
+       - name: Download LLDAP set password
+         uses: actions/download-artifact@v4
+         with:
+           name: x86_64-unknown-linux-musl-lldap_set_password-bin
+           path: bin/
+
+       - name: Set executables to LLDAP and LLDAP set password
+         run: |
+              chmod +x bin/lldap
+              chmod +x bin/lldap_set_password
+
+       - name: Install sqlite3 and ldap-utils for exporting and searching dummy user
+         run: sudo apt update && sudo apt install -y sqlite3 ldap-utils
+
+       - name: Run lldap with sqlite DB and healthcheck
+         run: |
+              bin/lldap run &
+              sleep 10s
+              bin/lldap healthcheck
+         env:
+           LLDAP_database_url: sqlite://users.db?mode=rwc
+           LLDAP_ldap_port: 3890
+           LLDAP_http_port: 17170
+           LLDAP_LDAP_USER_PASS: ldappass
+           LLDAP_JWT_SECRET: somejwtsecret
+
+       - name: Create dummy user
+         run: |
+              TOKEN=$(curl -X POST -H "Content-Type: application/json" -d '{"username": "admin", "password": "ldappass"}' http://localhost:17170/auth/simple/login | jq -r .token)
+              echo "$TOKEN"
+              curl 'http://localhost:17170/api/graphql' -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN//[$'\t\r\n ']}" --data-binary '{"query":"mutation{\n  createUser(user:\n    {\n      id: \"dummyuser\",\n      email: \"dummyuser@example.com\"\n    }\n  )\n  {\n    id\n    email\n  }\n}\n\n\n"}' --compressed
+              bin/lldap_set_password --base-url http://localhost:17170 --admin-username admin --admin-password ldappass --token $TOKEN --username dummyuser --password dummypassword
+
+       - name: Test Dummy User, This will be checked again after importing
+         run: |
+              ldapsearch -H ldap://localhost:3890 -LLL -D "uid=dummyuser,ou=people,dc=example,dc=com" -w 'dummypassword' -s "One" -b "ou=people,dc=example,dc=com"
+
+       - name: Stop LLDAP sqlite
+         run: pkill lldap
+
+       - name: Export and Converting to Postgress
+         run: |
+              bash ./scripts/sqlite_dump_commands.sh | sqlite3 ./users.db > ./dump.sql
+              sed -i -r -e "s/X'([[:xdigit:]]+'[^'])/'\\\x\\1/g" -e ":a; s/(INSERT INTO (user_attribute_schema|jwt_storage)\(.*\) VALUES\(.*),1([^']*\);)$/\1,true\3/; s/(INSERT INTO (user_attribute_schema|jwt_storage)\(.*\) VALUES\(.*),0([^']*\);)$/\1,false\3/; ta" -e '1s/^/BEGIN;\n/' -e '$aCOMMIT;' ./dump.sql
+
+       - name: Create schema on postgres
+         run: |
+              bin/lldap create_schema -d postgres://lldapuser:lldappass@localhost:5432/lldap
+
+       - name: Copy converted db to postgress and import
+         run: |
+              docker cp ./dump.sql postgresql:/tmp/dump.sql
+              docker exec postgresql bash -c "psql -U lldapuser -d lldap < /tmp/dump.sql" | tee import.log
+              rm ./dump.sql
+              ! grep ERROR import.log > /dev/null
+
+       - name: Export and Converting to mariadb
+         run: |
+              bash ./scripts/sqlite_dump_commands.sh | sqlite3 ./users.db > ./dump.sql
+              cp ./dump.sql ./dump-no-sed.sql
+              sed -i -r -e "s/([^']'[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{9})\+00:00'([^'])/\1'\2/g" \-e 's/^INSERT INTO "?([a-zA-Z0-9_]+)"?/INSERT INTO `\1`/' -e '1s/^/START TRANSACTION;\n/' -e '$aCOMMIT;' ./dump.sql
+              sed  -i '1 i\SET FOREIGN_KEY_CHECKS = 0;' ./dump.sql
+
+       - name: Create schema on mariadb
+         run: bin/lldap create_schema -d mysql://lldapuser:lldappass@localhost:3306/lldap
+
+       - name: Copy converted db to mariadb and import
+         run: |
+              docker cp ./dump.sql mariadb:/tmp/dump.sql
+              docker exec mariadb bash -c "mariadb -ulldapuser -plldappass -f lldap < /tmp/dump.sql" | tee import.log
+              rm ./dump.sql
+              ! grep ERROR import.log > /dev/null
+
+       - name: Export and Converting to mysql
+         run: |
+              bash ./scripts/sqlite_dump_commands.sh | sqlite3 ./users.db > ./dump.sql
+              sed -i -r -e 's/^INSERT INTO "?([a-zA-Z0-9_]+)"?/INSERT INTO `\1`/' -e '1s/^/START TRANSACTION;\n/' -e '$aCOMMIT;' ./dump.sql
+              sed  -i '1 i\SET FOREIGN_KEY_CHECKS = 0;' ./dump.sql
+
+       - name: Create schema on mysql
+         run: bin/lldap create_schema -d mysql://lldapuser:lldappass@localhost:3307/lldap
+
+       - name: Copy converted db to mysql and import
+         run: |
+              docker cp ./dump.sql mysql:/tmp/dump.sql
+              docker exec mysql bash -c "mysql -ulldapuser -plldappass -f lldap < /tmp/dump.sql" | tee import.log
+              rm ./dump.sql
+              ! grep ERROR import.log > /dev/null
+
+       - name: Run lldap with postgres DB and healthcheck again
+         run: |
+              bin/lldap run &
+              sleep 10s
+              bin/lldap healthcheck
+         env:
+           LLDAP_database_url: postgres://lldapuser:lldappass@localhost:5432/lldap
+           LLDAP_ldap_port: 3891
+           LLDAP_http_port: 17171
+           LLDAP_LDAP_USER_PASS: ldappass
+           LLDAP_JWT_SECRET: somejwtsecret
+
+       - name: Run lldap with mariaDB and healthcheck again
+         run: |
+              bin/lldap run &
+              sleep 10s
+              bin/lldap healthcheck
+         env:
+           LLDAP_database_url: mysql://lldapuser:lldappass@localhost:3306/lldap
+           LLDAP_ldap_port: 3892
+           LLDAP_http_port: 17172
+           LLDAP_JWT_SECRET: somejwtsecret
+
+       - name: Run lldap with mysql and healthcheck again
+         run: |
+              bin/lldap run &
+              sleep 10s
+              bin/lldap healthcheck
+         env:
+           LLDAP_database_url: mysql://lldapuser:lldappass@localhost:3307/lldap
+           LLDAP_ldap_port: 3893
+           LLDAP_http_port: 17173
+           LLDAP_JWT_SECRET: somejwtsecret
+
+       - name: Test Dummy User Postgres
+         run: ldapsearch -H ldap://localhost:3891 -LLL -D "uid=dummyuser,ou=people,dc=example,dc=com" -w 'dummypassword' -s "One" -b "ou=people,dc=example,dc=com"
+       - name: Test Dummy User MariaDB
+         run: ldapsearch -H ldap://localhost:3892 -LLL -D "uid=dummyuser,ou=people,dc=example,dc=com" -w 'dummypassword' -s "One" -b "ou=people,dc=example,dc=com"
+       - name: Test Dummy User MySQL
+         run: ldapsearch -H ldap://localhost:3893 -LLL -D "uid=dummyuser,ou=people,dc=example,dc=com" -w 'dummypassword' -s "One" -b "ou=people,dc=example,dc=com"
+
+########################################
+#### BUILD BASE IMAGE ##################
+########################################
   build-docker-image:
     needs: [build-ui, build-bin]
     name: Build Docker image
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        container: ["debian","alpine"]
+        include:
+          - container: alpine
+            platforms: linux/amd64,linux/arm64,linux/arm/v7
+            tags: |
+                  type=ref,event=pr
+                  type=semver,pattern=v{{version}}
+                  type=semver,pattern=v{{major}}
+                  type=semver,pattern=v{{major}}.{{minor}}
+                  type=semver,pattern=v{{version}},suffix=
+                  type=semver,pattern=v{{major}},suffix=
+                  type=semver,pattern=v{{major}}.{{minor}},suffix=
+                  type=raw,value=latest,enable={{ is_default_branch }}
+                  type=raw,value=stable,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+                  type=raw,value=stable,enable=${{ startsWith(github.ref, 'refs/tags/v') }},suffix=
+                  type=raw,value=latest,enable={{ is_default_branch }},suffix=
+                  type=raw,value={{ date 'YYYY-MM-DD' }},enable={{ is_default_branch }}
+                  type=raw,value={{ date 'YYYY-MM-DD' }},enable={{ is_default_branch }},suffix=
+          - container: debian
+            platforms: linux/amd64,linux/arm64,linux/arm/v7
+            tags: |
+                  type=ref,event=pr
+                  type=semver,pattern=v{{version}}
+                  type=semver,pattern=v{{major}}
+                  type=semver,pattern=v{{major}}.{{minor}}
+                  type=raw,value=latest,enable={{ is_default_branch }}
+                  type=raw,value=stable,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+                  type=raw,value={{ date 'YYYY-MM-DD' }},enable={{ is_default_branch }}
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     permissions:
       contents: read
       packages: write
+
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3.5.0
+        uses: actions/checkout@v4.2.2
+
       - name: Download all artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           path: bin
 
       - name: Download llap ui artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: ui
           path: web
 
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v2
-      - uses: docker/setup-buildx-action@v2
+        uses: docker/setup-qemu-action@v3
+      - name: Setup buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver-opts: network=host
 
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v4
+      - name: Docker ${{ matrix.container }} Base meta
+        id: meta-base
+        uses: docker/metadata-action@v5
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            localhost:5000/lldap/lldap
+          tags: ${{ matrix.container }}-base
+
+      - name: Build ${{ matrix.container }} Base Docker Image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          # On PR will fail, force fully uncomment push: true, or docker image will fail for next steps
+          #push: ${{ github.event_name != 'pull_request' }}
+          push: true
+          platforms: ${{ matrix.platforms }}
+          file: ./.github/workflows/Dockerfile.ci.${{ matrix.container }}-base
+          tags: |
+                ${{ steps.meta-base.outputs.tags }}
+          labels: ${{ steps.meta-base.outputs.labels }}
+          cache-from: type=gha,mode=max
+          cache-to: type=gha,mode=max
+
+#####################################
+#### build variants docker image ####
+#####################################
+
+      - name: Docker ${{ matrix.container }}-rootless meta
+        id: meta-rootless
+        uses: docker/metadata-action@v5
         with:
           # list of Docker images to use as base name for tags
           images: |
             nitnelave/lldap
-          # generate Docker tags based on the following events/attributes
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
+            lldap/lldap
+            ghcr.io/lldap/lldap
+          # Wanted Docker tags
+          # vX-alpine
+          # vX.Y-alpine
+          # vX.Y.Z-alpine
+          # latest
+          # latest-alpine
+          # stable
+          # stable-alpine
+          # YYYY-MM-DD
+          # YYYY-MM-DD-alpine
+          #################
+          # vX-debian
+          # vX.Y-debian
+          # vX.Y.Z-debian
+          # latest-debian
+          # stable-debian
+          # YYYY-MM-DD-debian
+          #################
+          # Check matrix for tag list definition
+          flavor: |
+            latest=false
+            suffix=-${{ matrix.container }}-rootless
+          tags: ${{ matrix.tags }}
 
-      - name: parse tag
-        uses: gacts/github-slug@v1
-        id: slug
+      - name: Docker ${{ matrix.container }} meta
+        id: meta-standard
+        uses: docker/metadata-action@v5
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            nitnelave/lldap
+            lldap/lldap
+            ghcr.io/lldap/lldap
+          # Wanted Docker tags
+          # vX-alpine
+          # vX.Y-alpine
+          # vX.Y.Z-alpine
+          # latest
+          # latest-alpine
+          # stable
+          # stable-alpine
+          # YYYY-MM-DD
+          # YYYY-MM-DD-alpine
+          #################
+          # vX-debian
+          # vX.Y-debian
+          # vX.Y.Z-debian
+          # latest-debian
+          # stable-debian
+          # YYYY-MM-DD-debian
+          #################
+          # Check matrix for tag list definition
+          flavor: |
+            latest=false
+            suffix=-${{ matrix.container }}
+          tags: ${{ matrix.tags }}
 
-      - name: Login to Docker Hub
+      # Docker login to nitnelave/lldap and lldap/lldap
+      - name: Login to Nitnelave/LLDAP Docker Hub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-########################################
-#### docker image :latest tag build ####
-########################################
-      - name: Build and push latest alpine
-        if: github.event_name != 'release'
-        uses: docker/build-push-action@v4
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: nitnelave
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build ${{ matrix.container }}-rootless Docker Image
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
-          platforms: linux/amd64,linux/arm64
-          file: ./.github/workflows/Dockerfile.ci.alpine
-          tags: nitnelave/lldap:latest, nitnelave/lldap:latest-alpine
+          platforms: ${{ matrix.platforms  }}
+          file: ./.github/workflows/Dockerfile.ci.${{ matrix.container  }}-rootless
+          tags: |
+                ${{ steps.meta-rootless.outputs.tags }}
+          labels: ${{ steps.meta-rootless.outputs.labels }}
           cache-from: type=gha,mode=max
           cache-to: type=gha,mode=max
 
-      - name: Build and push latest debian
-        if: github.event_name != 'release'
-        uses: docker/build-push-action@v4
+### This docker build always the last, due :latest tag pushed multiple times, for whatever variants may added in future add docker build above this
+      - name: Build ${{ matrix.container }} Docker Image
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
-          platforms: linux/amd64,linux/arm64,linux/arm/v7
-          file: ./.github/workflows/Dockerfile.ci.debian
-          tags: nitnelave/lldap:latest-debian
-          cache-from: type=gha,mode=max
-          cache-to: type=gha,mode=max
-
-########################################
-#### docker image :semver tag build ####
-########################################
-      - name: Build and push release alpine
-        if: github.event_name == 'release'
-        uses: docker/build-push-action@v4
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          # Tag as latest, stable, semver, major, major.minor and major.minor.patch.
-          file: ./.github/workflows/Dockerfile.ci.alpine
-          tags: nitnelave/lldap:stable, nitnelave/lldap:stable-alpine, nitnelave/lldap:v${{ steps.slug.outputs.version-semantic }}, nitnelave/lldap:v${{ steps.slug.outputs.version-major }}, nitnelave/lldap:v${{ steps.slug.outputs.version-major }}.${{ steps.slug.outputs.version-minor }}, nitnelave/lldap:v${{ steps.slug.outputs.version-major }}.${{ steps.slug.outputs.version-minor }}.${{ steps.slug.outputs.version-patch }}, nitnelave/lldap:v${{ steps.slug.outputs.version-semantic }}-alpine, nitnelave/lldap:v${{ steps.slug.outputs.version-major }}-alpine, nitnelave/lldap:v${{ steps.slug.outputs.version-major }}-alpine.${{ steps.slug.outputs.version-minor }}-alpine, nitnelave/lldap:v${{ steps.slug.outputs.version-major }}.${{ steps.slug.outputs.version-minor }}.${{ steps.slug.outputs.version-patch }}-alpine
-          cache-from: type=gha,mode=max
-          cache-to: type=gha,mode=max
-
-      - name: Build and push release debian
-        if: github.event_name == 'release'
-        uses: docker/build-push-action@v4
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64,linux/arm/v7
-          push: true
-          # Tag as latest, stable, semver, major, major.minor and major.minor.patch.
-          file: ./.github/workflows/Dockerfile.ci.debian
-          tags: nitnelave/lldap:stable-debian, nitnelave/lldap:v${{ steps.slug.outputs.version-semantic }}-debian, nitnelave/lldap:v${{ steps.slug.outputs.version-major }}-debian, nitnelave/lldap:v${{ steps.slug.outputs.version-major }}.${{ steps.slug.outputs.version-minor }}-debian, nitnelave/lldap:v${{ steps.slug.outputs.version-major }}.${{ steps.slug.outputs.version-minor }}.${{ steps.slug.outputs.version-patch }}-debian
+          platforms: ${{ matrix.platforms  }}
+          file: ./.github/workflows/Dockerfile.ci.${{ matrix.container  }}
+          tags: |
+                ${{ steps.meta-standard.outputs.tags }}
+          labels: ${{ steps.meta-standard.outputs.labels }}
           cache-from: type=gha,mode=max
           cache-to: type=gha,mode=max
 
       - name: Update repo description
         if: github.event_name != 'pull_request'
-        uses: peter-evans/dockerhub-description@v3
+        uses: peter-evans/dockerhub-description@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
           repository: nitnelave/lldap
 
+      - name: Update lldap repo description
+        if: github.event_name != 'pull_request'
+        uses: peter-evans/dockerhub-description@v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+          repository: lldap/lldap
+
 ###############################################################
 ### Download artifacts, clean up ui, upload to release page ###
 ###############################################################
@@ -337,9 +663,11 @@ jobs:
      name: Create release artifacts
      if: github.event_name == 'release'
      runs-on: ubuntu-latest
+     permissions:
+       contents: write
      steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           path: bin/
       - name: Check file
@@ -348,19 +676,19 @@ jobs:
         run: |
              mv bin/aarch64-unknown-linux-musl-lldap-bin/lldap bin/aarch64-lldap
              mv bin/x86_64-unknown-linux-musl-lldap-bin/lldap bin/amd64-lldap
-             mv bin/armv7-unknown-linux-gnueabihf-lldap-bin/lldap bin/armhf-lldap
-             mv bin/aarch64-unknown-linux-musl-migration-tool-bin/migration-tool bin/aarch64-migration-tool
-             mv bin/x86_64-unknown-linux-musl-migration-tool-bin/migration-tool bin/amd64-migration-tool
-             mv bin/armv7-unknown-linux-gnueabihf-migration-tool-bin/migration-tool bin/armhf-migration-tool
+             mv bin/armv7-unknown-linux-musleabihf-lldap-bin/lldap bin/armhf-lldap
+             mv bin/aarch64-unknown-linux-musl-lldap_migration_tool-bin/lldap_migration_tool bin/aarch64-lldap_migration_tool
+             mv bin/x86_64-unknown-linux-musl-lldap_migration_tool-bin/lldap_migration_tool bin/amd64-lldap_migration_tool
+             mv bin/armv7-unknown-linux-musleabihf-lldap_migration_tool-bin/lldap_migration_tool bin/armhf-lldap_migration_tool
              mv bin/aarch64-unknown-linux-musl-lldap_set_password-bin/lldap_set_password bin/aarch64-lldap_set_password
              mv bin/x86_64-unknown-linux-musl-lldap_set_password-bin/lldap_set_password bin/amd64-lldap_set_password
-             mv bin/armv7-unknown-linux-gnueabihf-lldap_set_password-bin/lldap_set_password bin/armhf-lldap_set_password
+             mv bin/armv7-unknown-linux-musleabihf-lldap_set_password-bin/lldap_set_password bin/armhf-lldap_set_password
              chmod +x bin/*-lldap
-             chmod +x bin/*-migration-tool
+             chmod +x bin/*-lldap_migration_tool
              chmod +x bin/*-lldap_set_password
 
       - name: Download llap ui artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: ui
           path: web
@@ -382,9 +710,9 @@ jobs:
              mv bin/aarch64-lldap aarch64-lldap/lldap
              mv bin/amd64-lldap amd64-lldap/lldap
              mv bin/armhf-lldap armhf-lldap/lldap
-             mv bin/aarch64-migration-tool aarch64-lldap/migration-tool
-             mv bin/amd64-migration-tool amd64-lldap/migration-tool
-             mv bin/armhf-migration-tool armhf-lldap/migration-tool
+             mv bin/aarch64-lldap_migration_tool aarch64-lldap/lldap_migration_tool
+             mv bin/amd64-lldap_migration_tool amd64-lldap/lldap_migration_tool
+             mv bin/armhf-lldap_migration_tool armhf-lldap/lldap_migration_tool
              mv bin/aarch64-lldap_set_password aarch64-lldap/lldap_set_password
              mv bin/amd64-lldap_set_password amd64-lldap/lldap_set_password
              mv bin/armhf-lldap_set_password armhf-lldap/lldap_set_password

.github/workflows/rust.yml

@@ -13,7 +13,6 @@ jobs:
   pre_job:
     continue-on-error: true
     runs-on: ubuntu-latest
-    # Map a step output to a job output
     outputs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
     steps:
@@ -22,7 +21,7 @@ jobs:
         with:
           concurrent_skipping: 'outdated_runs'
           skip_after_successful_duplicate: 'true'
-          paths_ignore: '["**/*.md", "**/docs/**", "example_configs/**", "*.sh"]'
+          paths_ignore: '["**/*.md", "**/docs/**", "example_configs/**", "*.sh", ".dockerignore", ".gitignore", "lldap_config.docker_template.toml", "Dockerfile"]'
           do_not_skip: '["workflow_dispatch", "schedule"]'
           cancel_others: true
 
@@ -34,7 +33,7 @@ jobs:
 
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v3.5.0
+        uses: actions/checkout@v4.2.2
       - uses: Swatinem/rust-cache@v2
       - name: Build
         run: cargo build --verbose --workspace
@@ -53,7 +52,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v3.5.0
+        uses: actions/checkout@v4.2.2
 
       - uses: Swatinem/rust-cache@v2
 
@@ -70,7 +69,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v3.5.0
+        uses: actions/checkout@v4.2.2
 
       - uses: Swatinem/rust-cache@v2
 
@@ -82,12 +81,14 @@ jobs:
 
   coverage:
     name: Code coverage
-    needs: pre_job
+    needs:
+      - pre_job
+      - test
     if: ${{ needs.pre_job.outputs.should_skip != 'true' || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v3.5.0
+        uses: actions/checkout@v4.2.2
 
       - name: Install Rust
         run: rustup toolchain install nightly --component llvm-tools-preview && rustup component add llvm-tools-preview --toolchain stable-x86_64-unknown-linux-gnu
@@ -100,9 +101,10 @@ jobs:
         run: cargo llvm-cov  --workspace --no-report
       - name: Aggregate reports
         run: cargo llvm-cov --no-run --lcov --output-path lcov.info
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3
+      - name: Upload coverage to Codecov (main)
+        uses: codecov/codecov-action@v4
         with:
           files: lcov.info
           fail_ci_if_error: true
+          codecov_yml_path: .github/codecov.yml
           token: ${{ secrets.CODECOV_TOKEN }}

CHANGELOG.md

@@ -5,6 +5,199 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.6.1] 2024-11-22
+
+Small release, mainly to fix a migration issue with Sqlite and Postgresql.
+
+### Added
+
+ - Added a link to a community terraform provider (#1035)
+
+### Changed
+
+ - The opaque dependency now points to the official crate rather than a fork (#1040)
+
+### Fixed
+
+ - Migration of the DB schema from 7 to 8 is now automatic for sqlite, and fixed for postgres (#1045)
+ - The startup warning about `key_seed` applying instead of `key_file` now has instructions on how to silence it (#1032)
+
+### New services
+
+- OneDev
+
+## [0.6.0] 2024-11-09
+
+### Breaking
+
+- The endpoint `/auth/reset/step1` is now `POST` instead of `GET` (#704)
+
+### Added
+
+- Custom attributes are now supported (#67) ! You can add new fields (string, integers, JPEG or dates) to users and query them. That unlocks many integrations with other services, and allows for a deeper/more customized integration. Special thanks to @pixelrazor and @bojidar-bg for their help with the UI.
+- Custom object classes (for all users/groups) can now be added (#833)
+- Barebones support for Paged Results Control (no paging, no respect for windows, but a correct response with all the results) (#698)
+- A daily docker image is tagged and released. (#613)
+- A bootstrap script allows reading the list of users/groups from a file and making sure the server contains exactly the same thing. (#654)
+- Make it possible to serve lldap behind a sub-path in (#752)
+- LLDAP can now be found on a custom package repository for opensuse, fedora, ubuntu, debian and centos ([Repository link](https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP&package=lldap)). Thanks @Masgalor for setting it up and maintaining it.
+- There's now an option to force reset the admin password (#748) optionally on every restart (#959)
+- There's a rootless docker container (#755)
+- entryDN is now supported (#780)
+- Unknown LDAP controls are now detected and ignored (#787, #799)
+- A community-developed CLI for scripting (#793)
+- Added a way to print raw logs to debug long-running sessions (#992)
+
+
+### Changed
+
+- The official docker repository is now `lldap/lldap`
+- Removed password length limitation in lldap_set_password tool
+- Group names and emails are now case insensitive, but keep their casing (#666)
+- Better error messages (and exit code (#745)) when changing the private key (#778, #1008), using the wrong SMTP port (#970), using the wrong env variables (#972)
+- Allow `member=` filters with plain user names (not full DNs) (#949)
+- Correctly detect and refuse anonymous binds (#974)
+- Clearer logging (#971, #981, #982)
+
+### Fixed
+
+- Logging out applies globally, not just in the local browser. (#721)
+- It's no longer possible to create the same user twice (#745)
+- Fix wide substring filters (#738)
+- Don't log the database password if provided in the connection URL (#735)
+- Fix a panic when postgres uses a different collation (#821)
+- The UI now defaults to the user ID for users with no display names (#843)
+- Fix searching for users with more than one `memberOf` filter (#872)
+- Fix compilation on Windows (#932) and Illumos (#964)
+- The UI now correctly detects whether password resets are enabled. (#753)
+- Fix a missing lowercasing of username when changing passwords through LDAP (#1012)
+- Fix SQLite writers erroring when racing (#1021)
+- LDAP sessions no longer buffer their logs until unbind, causing memory leaks (#1025)
+
+### Performance
+
+- Only expand attributes once per query, not per result (#687)
+
+### Security
+
+- When asked to send a password reset to an unknown email, sleep for 3 seconds and don't print the email in the error (#887)
+
+### New services
+
+Linux user accounts can now be managed by LLDAP, using PAM and nslcd.
+
+- Apereo CAS server
+- Carpal
+- Gitlab
+- Grocy
+- Harbor
+- Home Assistant
+- Jenkins
+- Kasm
+- Maddy
+- Mastodon
+- Metabase
+- MegaRAC-BMC
+- Netbox
+- OCIS
+- Prosody
+- Radicale
+- SonarQube
+- Traccar
+- Zitadel
+
+## [0.5.0] 2023-09-14
+
+### Breaking
+
+ - Emails and UUIDs are now enforced to be unique.
+   - If you have several users with the same email, you'll have to disambiguate
+     them. You can do that by either issuing SQL commands directly
+     (`UPDATE users SET email = 'x@x' WHERE user_id = 'bob';`), or by reverting
+     to a 0.4.x version of LLDAP and editing the user through the web UI.
+     An error will prevent LLDAP 0.5+ from starting otherwise.
+   - This was done to prevent account takeover for systems that allow to
+     login via email.
+
+### Added
+
+ - The server private key can be set as a seed from an env variable (#504).
+   - This is especially useful when you have multiple containers, they don't
+     need to share a writeable folder.
+ - Added support for changing the password through a plain LDAP Modify
+   operation (as opposed to an extended operation), to allow Jellyfin
+   to change password (#620).
+ - Allow creating a user with multiple objectClass (#612).
+ - Emails now have a message ID (#608).
+ - Added a warning for browsers that have WASM/JS disabled (#639).
+ - Added support for querying OUs in LDAP (#669).
+ - Added a button to clear the avatar in the UI (#358).
+
+
+### Changed
+
+ - Groups are now sorted by name in the web UI (#623).
+ - ARM build now uses musl (#584).
+ - Improved logging.
+ - Default admin user is only created if there are no admins (#563).
+   - That allows you to remove the default admin, making it harder to
+     bruteforce.
+
+### Fixed
+
+ - Fixed URL parsing with a trailing slash in the password setting utility
+   (#597).
+
+In addition to all that, there was significant progress towards #67,
+user-defined attributes. That complex feature will unblock integration with many
+systems, including PAM authentication.
+
+### New services
+
+ - Ejabberd
+ - Ergo
+ - LibreNMS
+ - Mealie
+ - MinIO
+ - OpnSense
+ - PfSense
+ - PowerDnsAdmin
+ - Proxmox
+ - Squid
+ - Tandoor recipes
+ - TheLounge
+ - Zabbix-web
+ - Zulip
+
+## [0.4.3] 2023-04-11
+
+The repository has changed from `nitnelave/lldap` to `lldap/lldap`, both on GitHub
+and on DockerHub (although we will keep publishing the images to
+`nitnelave/lldap` for the foreseeable future). All data on GitHub has been
+migrated, and the new docker images are available both on DockerHub and on the
+GHCR under `lldap/lldap`.
+
+### Added
+
+ - EC private keys are not supported for LDAPS.
+
+### Changed
+
+ - SMTP user no longer has a default value (and instead defaults to unauthenticated).
+
+### Fixed
+
+ - WASM payload is now delivered uncompressed to Safari due to a Safari bug.
+ - Password reset no longer redirects to login page.
+ - NextCloud config should add the "mail" attribute.
+ - GraphQL parameters are now urldecoded, to support special characters in usernames.
+ - Healthcheck correctly checks the server certificate.
+
+### New services
+
+ - Home Assistant
+ - Shaarli
+
 ## [0.4.2] - 2023-03-27
 
 ### Added

CONTRIBUTING.md

@@ -0,0 +1,97 @@
+# How to contribute to LLDAP
+
+## Did you find a bug?
+
+ - Make sure there isn't already an [issue](https://github.com/lldap/lldap/issues?q=is%3Aissue+is%3Aopen) for it.
+ - Check if the bug still happens with the `latest` docker image, or the `main` branch if you compile it yourself.
+ - [Create an issue](https://github.com/lldap/lldap/issues/new) on GitHub. What makes a great issue:
+   - A quick summary of the bug.
+   - Steps to reproduce.
+   - LLDAP _verbose_ logs when reproducing the bug. Verbose mode can be set through environment variables (`LLDAP_VERBOSE=true`) or in the config (`verbose = true`).
+   - What you expected to happen.
+   - What actually happened.
+   - Other notes (what you tried, why you think it's happening, ...).
+
+## Are you requesting integration with a new service?
+
+ - Check if there is already an [example config](https://github.com/lldap/lldap/tree/main/example_configs) for it.
+ - Try to figure out the configuration values for the new service yourself.
+   - You can use other example configs for inspiration.
+   - If you're having trouble, you can ask on [Discord](https://discord.gg/h5PEdRMNyP)
+   - If you succeed, make sure to contribute an example configuration, or a configuration guide.
+ - If you hit a block because of an unimplemented feature, go to the next section.
+
+## Are you asking for a new feature?
+
+ - Make sure there isn't already an [issue](https://github.com/lldap/lldap/issues?q=is%3Aissue+is%3Aopen) for it.
+ - [Create an issue](https://github.com/lldap/lldap/issues/new) on GitHub. What makes a great feature request:
+   - A quick summary of the feature.
+   - Motivation: what problem does the feature solve?
+   - Workarounds: what are the currently possible solutions to the problem, however bad?
+
+## Do you want to work on a PR?
+
+That's great! There are 2 main ways to contribute to the project: documentation and code.
+
+### Documentation
+
+The simplest way to contribute is to submit a configuration guide for a new
+service: it can be an example configuration file, or a markdown guide
+explaining the steps necessary to configure the service.
+
+We also have some 
+[documentation](https://github.com/lldap/lldap/tree/main/docs) with more
+advanced guides (scripting, migrations, ...) you can contribute to.
+
+### Code
+
+If you don't know what to start with, check out the 
+[good first issues](https://github.com/lldap/lldap/labels/good%20first%20issue). 
+
+Otherwise, if you want to fix a specific bug or implement a feature, make sure
+to start by creating an issue for it (if it doesn't already exist). There, we
+can discuss whether it would be likely to be accepted and consider design
+issues. That will save you from going down a wrong path, creating an entire PR
+before getting told that it doesn't align with the project or the design is 
+flawed!
+
+Once we agree on what to do in the issue, you can start working on the PR. A good quality PR has:
+ - A description of the change.
+   - The format we use for both commit titles and PRs is:
+     `tag: Do the thing`
+     The tag can be: server, app, docker, example_configs, ... It's a broad category.
+     The rest of the title should be an imperative sentence (see for instance [Commit Message
+     Guidelines](https://gist.github.com/robertpainsi/b632364184e70900af4ab688decf6f53)).
+   - The PR should refer to the issue it's addressing (e.g. "Fix #123").
+   - Explain the _why_ of the change.
+   - But also the _how_.
+   - Highlight any potential flaw or limitation.
+ - The code change should be as small as possible while solving the problem.
+   - Don't try to code-golf to change fewer characters, but keep logically separate changes in
+     different PRs.
+ - Add tests if possible.
+   - The tests should highlight the original issue in case of a bug.
+   - Ideally, we can apply the tests without the rest of the change and they would fail. With the
+     change, they pass.
+   - In some areas, there is no test infrastructure in place (e.g. for frontend changes). In that
+     case, do some manual testing and include the results (logs for backend changes, screenshot of a
+     successful service integration, screenshot of the frontend change).
+   - For backend changes, the tests should cover a significant portion of the new code paths, or
+     everything if possible. You can also add more tests to cover existing code.
+ - Of course, make sure all the existing tests pass. This will be checked anyway in the GitHub CI.
+
+### Workflow
+
+We use [GitHub Flow](https://docs.github.com/en/get-started/quickstart/github-flow):
+ - Fork the repository.
+ - (Optional) Create a new branch, or just use `main` in your fork.
+ - Make your change.
+ - Create a PR.
+ - Address the comments by adding more commits to your branch (or to `main`).
+ - The PR gets merged (the commits get squashed to a single one).
+ - (Optional) You can delete your branch/fork.
+
+## Reminder
+
+We're all volunteers, so be kind to each other! And since we're doing that in our free time, some
+things can take a longer than expected.

Cargo.toml

@@ -9,15 +9,13 @@ members = [
 
 default-members = ["server"]
 
+resolver = "2"
+
 [profile.release]
 lto = true
 
 [profile.release.package.lldap_app]
 opt-level = 's'
 
-[patch.crates-io.opaque-ke]
-git = 'https://github.com/nitnelave/opaque-ke/'
-branch = 'zeroize_1.5'
-
 [patch.crates-io.lber]
 git = 'https://github.com/inejge/ldap3/'

Dockerfile

@@ -31,17 +31,17 @@ FROM chef AS builder
 COPY --from=planner /tmp/recipe.json recipe.json
 RUN cargo chef cook --release -p lldap_app --target wasm32-unknown-unknown \
     && cargo chef cook --release -p lldap \
-    && cargo chef cook --release -p migration-tool \
+    && cargo chef cook --release -p lldap_migration_tool \
     && cargo chef cook --release -p lldap_set_password
 
 # Copy the source and build the app and server.
 COPY --chown=app:app . .
-RUN cargo build --release -p lldap -p migration-tool -p lldap_set_password \
+RUN cargo build --release -p lldap -p lldap_migration_tool -p lldap_set_password \
     # Build the frontend.
     && ./app/build.sh
 
 # Final image
-FROM alpine:3.16
+FROM alpine:3.19
 
 ENV GOSU_VERSION 1.14
 # Fetch gosu from git
@@ -78,8 +78,9 @@ WORKDIR /app
 COPY --from=builder /app/app/index_local.html app/index.html
 COPY --from=builder /app/app/static app/static
 COPY --from=builder /app/app/pkg app/pkg
-COPY --from=builder /app/target/release/lldap /app/target/release/migration-tool /app/target/release/lldap_set_password ./
+COPY --from=builder /app/target/release/lldap /app/target/release/lldap_migration_tool /app/target/release/lldap_set_password ./
 COPY docker-entrypoint.sh lldap_config.docker_template.toml ./
+COPY scripts/bootstrap.sh ./
 
 RUN set -x \
     && apk add --no-cache bash tzdata \

README.md

@@ -5,14 +5,15 @@
 </p>
 
 <p align="center">
-  <a href="https://github.com/nitnelave/lldap/actions/workflows/rust.yml?query=branch%3Amain">
+  <a href="https://github.com/lldap/lldap/actions/workflows/rust.yml?query=branch%3Amain">
     <img
-      src="https://github.com/nitnelave/lldap/actions/workflows/rust.yml/badge.svg"
+      src="https://github.com/lldap/lldap/actions/workflows/rust.yml/badge.svg"
       alt="Build"/>
   </a>
   <a href="https://discord.gg/h5PEdRMNyP">
     <img alt="Discord" src="https://img.shields.io/discord/898492935446876200?label=discord&logo=discord" />
   </a>
+
   <a href="https://twitter.com/nitnelave1?ref_src=twsrc%5Etfw">
     <img
       src="https://img.shields.io/twitter/follow/nitnelave1?style=social"
@@ -23,23 +24,38 @@
       src="https://img.shields.io/badge/unsafe-forbidden-success.svg"
       alt="Unsafe forbidden"/>
   </a>
-  <a href="https://app.codecov.io/gh/nitnelave/lldap">
-    <img alt="Codecov" src="https://img.shields.io/codecov/c/github/nitnelave/lldap" />
+  <a href="https://app.codecov.io/gh/lldap/lldap">
+    <img alt="Codecov" src="https://img.shields.io/codecov/c/github/lldap/lldap" />
+  </a>
+  <br/>
+  <a href="https://www.buymeacoffee.com/nitnelave" target="_blank">
+    <img src="https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png" alt="Buy Me A Coffee" style="height: 41px !important;width: 174px !important;box-shadow: 0px 3px 2px 0px rgba(190, 190, 190, 0.5) !important;-webkit-box-shadow: 0px 3px 2px 0px rgba(190, 190, 190, 0.5) !important;" >
   </a>
 </p>
 
 - [About](#about)
 - [Installation](#installation)
   - [With Docker](#with-docker)
+  - [With Kubernetes](#with-kubernetes)
+  - [From a package repository](#from-a-package-repository)
+  - [With FreeBSD](#with-freebsd)
   - [From source](#from-source)
+    - [Backend](#backend)
+    - [Frontend](#frontend)
   - [Cross-compilation](#cross-compilation)
+- [Usage](#usage)
+  - [Recommended architecture](#recommended-architecture)
 - [Client configuration](#client-configuration)
   - [Compatible services](#compatible-services)
   - [General configuration guide](#general-configuration-guide)
+  - [Integration with OS's](#integration-with-oss)
   - [Sample client configurations](#sample-client-configurations)
+  - [Incompatible services](#incompatible-services)
+- [Migrating from SQLite](#migrating-from-sqlite)
 - [Comparisons with other services](#comparisons-with-other-services)
   - [vs OpenLDAP](#vs-openldap)
   - [vs FreeIPA](#vs-freeipa)
+  - [vs Kanidm](#vs-kanidm)
 - [I can't log in!](#i-cant-log-in)
 - [Contributions](#contributions)
 
@@ -51,7 +67,7 @@ many backends, from KeyCloak to Authelia to Nextcloud and
 [more](#compatible-services)!
 
 <img
-  src="https://raw.githubusercontent.com/nitnelave/lldap/master/screenshot.png"
+  src="https://raw.githubusercontent.com/lldap/lldap/master/screenshot.png"
   alt="Screenshot of the user list page"
   width="50%"
   align="right"
@@ -77,13 +93,17 @@ For more features (OAuth/OpenID support, reverse proxy, ...) you can install
 other components (KeyCloak, Authelia, ...) using this server as the source of
 truth for users, via LDAP.
 
+By default, the data is stored in SQLite, but you can swap the backend with
+MySQL/MariaDB or PostgreSQL.
+
 ## Installation
 
 ### With Docker
 
-The image is available at `nitnelave/lldap`. You should persist the `/data`
-folder, which contains your configuration, the database and the private key
-file.
+The image is available at `lldap/lldap`. You should persist the `/data`
+folder, which contains your configuration and the SQLite database (you can
+remove this step if you use a different DB and configure with environment
+variables only).
 
 Configure the server by copying the `lldap_config.docker_template.toml` to
 `/data/lldap_config.toml` and updating the configuration values (especially the
@@ -91,10 +111,12 @@ Configure the server by copying the `lldap_config.docker_template.toml` to
 Environment variables should be prefixed with `LLDAP_` to override the
 configuration.
 
-If the `lldap_config.toml` doesn't exist when starting up, LLDAP will use default one. The default admin password is `password`, you can change the password later using the web interface.
+If the `lldap_config.toml` doesn't exist when starting up, LLDAP will use
+default one. The default admin password is `password`, you can change the
+password later using the web interface.
 
 Secrets can also be set through a file. The filename should be specified by the
-variables `LLDAP_JWT_SECRET_FILE` or `LLDAP_LDAP_USER_PASS_FILE`, and the file
+variables `LLDAP_JWT_SECRET_FILE` or `LLDAP_KEY_SEED_FILE`, and the file
 contents are loaded into the respective configuration parameters. Note that
 `_FILE` variables take precedence.
 
@@ -104,6 +126,7 @@ Example for docker compose:
 - `:latest` tag image contains recently pushed code or feature tests, in which some instability can be expected.
 - If `UID` and `GID` no defined LLDAP will use default `UID` and `GID` number `1000`.
 - If no `TZ` is set, default `UTC` timezone will be used.
+- You can generate the secrets by running `./generate_secrets.sh`
 
 ```yaml
 version: "3"
@@ -114,10 +137,12 @@ volumes:
 
 services:
   lldap:
-    image: nitnelave/lldap:stable
+    image: lldap/lldap:stable
     ports:
-      # For LDAP
-      - "3890:3890"
+      # For LDAP, not recommended to expose, see Usage section.
+      #- "3890:3890"
+      # For LDAPS (LDAP Over SSL), enable port if LLDAP_LDAPS_OPTIONS__ENABLED set true, look env below
+      #- "6360:6360"
       # For the web front-end
       - "17170:17170"
     volumes:
@@ -129,11 +154,24 @@ services:
       - GID=####
       - TZ=####/####
       - LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM
-      - LLDAP_LDAP_USER_PASS=REPLACE_WITH_PASSWORD
+      - LLDAP_KEY_SEED=REPLACE_WITH_RANDOM
       - LLDAP_LDAP_BASE_DN=dc=example,dc=com
+      # If using LDAPS, set enabled true and configure cert and key path
+      # - LLDAP_LDAPS_OPTIONS__ENABLED=true
+      # - LLDAP_LDAPS_OPTIONS__CERT_FILE=/path/to/certfile.crt
+      # - LLDAP_LDAPS_OPTIONS__KEY_FILE=/path/to/keyfile.key
       # You can also set a different database:
       # - LLDAP_DATABASE_URL=mysql://mysql-user:password@mysql-server/my-database
       # - LLDAP_DATABASE_URL=postgres://postgres-user:password@postgres-server/my-database
+      # If using SMTP, set the following variables
+      # - LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=true
+      # - LLDAP_SMTP_OPTIONS__SERVER=smtp.example.com
+      # - LLDAP_SMTP_OPTIONS__PORT=465 # Check your smtp providor's documentation for this setting
+      # - LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=TLS # How the connection is encrypted, either "NONE" (no encryption, port 25), "TLS" (sometimes called SSL, port 465) or "STARTTLS" (sometimes called TLS, port 587).
+      # - LLDAP_SMTP_OPTIONS__USER=no-reply@example.com # The SMTP user, usually your email address
+      # - LLDAP_SMTP_OPTIONS__PASSWORD=PasswordGoesHere # The SMTP password
+      # - LLDAP_SMTP_OPTIONS__FROM=no-reply <no-reply@example.com> # The header field, optional: how the sender appears in the email. The first is a free-form name, followed by an email between <>.
+      # - LLDAP_SMTP_OPTIONS__TO=admin <admin@example.com> # Same for reply-to, optional.
 ```
 
 Then the service will listen on two ports, one for LDAP and one for the web
@@ -143,6 +181,239 @@ front-end.
 
 See https://github.com/Evantage-WS/lldap-kubernetes for a LLDAP deployment for Kubernetes
 
+You can bootstrap your lldap instance (users, groups)
+using [bootstrap.sh](example_configs/bootstrap/bootstrap.md#kubernetes-job).
+It can be run by Argo CD for managing users in git-opt way, or as a one-shot job.
+
+### From a package repository
+
+**Do not open issues in this repository for problems with third-party
+pre-built packages. Report issues downstream.**
+
+Depending on the distribution you use, it might be possible to install lldap
+from a package repository, officially supported by the distribution or
+community contributed.
+
+Each package offers a [systemd service](https://wiki.archlinux.org/title/systemd#Using_units) `lldap.service` to (auto-)start and stop lldap.<br>
+When using the distributed packages, the default login is `admin/password`. You can change that from the web UI after starting the service.
+
+<details>
+<summary><b>Arch</b></summary>
+<br>
+  Arch Linux offers unofficial support through the <a href="https://wiki.archlinux.org/title/Arch_User_Repository">Arch User Repository (AUR)</a>.<br>
+  The package descriptions can be used <a href="https://wiki.archlinux.org/title/Arch_User_Repository#Getting_started">to create and install packages</a>.<br><br>
+  Maintainer: <a href="https://github.com/Zepmann">@Zepmann</a><br>
+  Support: <a href="https://github.com/lldap/lldap/discussions">Discussions</a><br>
+  Package repository: <a href="https://aur.archlinux.org/packages">Arch user repository</a><br>
+<table>
+  <tr>
+    <td>Available packages:</td>
+    <td><a href="https://aur.archlinux.org/packages/lldap">lldap</a></td>
+    <td>Builds the latest stable version.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td><a href="https://aur.archlinux.org/packages/lldap-bin">lldap-bin</a></td>
+    <td>Uses the latest pre-compiled binaries from the <a href="https://aur.archlinux.org/packages/lldap-bin">releases in this repository</a>.<br>
+        This package is recommended if you want to run lldap on a system with limited resources.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td><a href="https://aur.archlinux.org/packages/lldap-git">lldap-git</a></td>
+    <td>Builds the latest main branch code.</td>
+  </tr>
+</table>
+LLDPA configuration file: /etc/lldap.toml<br>
+</details>
+<details>
+<summary><b>Debian</b></summary>
+<br>
+  Unofficial Debian support is offered through the <a href="https://build.opensuse.org/">openSUSE Build Service</a>.<br><br>
+  Maintainer: <a href="https://github.com/Masgalor">@Masgalor</a><br>
+  Support: <a href="https://codeberg.org/Masgalor/LLDAP-Packaging/issues">Codeberg</a>, <a href="https://github.com/lldap/lldap/discussions">Discussions</a><br>
+  Package repository: <a href="https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP&package=lldap">SUSE openBuildService</a><br>
+<table>
+  <tr>
+    <td>Available packages:</td>
+    <td>lldap</td>
+    <td>Light LDAP server for authentication.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-extras</td>
+    <td>Meta-Package for LLDAP and its tools and extensions.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-migration-tool</td>
+    <td>CLI migration tool to go from OpenLDAP to LLDAP.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-set-password</td>
+    <td>CLI tool to set a user password in LLDAP.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-cli</td>
+    <td>LLDAP-CLI is an unofficial command line interface for LLDAP.</td>
+  </tr>
+</table>
+LLDPA configuration file: /etc/lldap/lldap_config.toml<br>
+</details>
+<details>
+<summary><b>CentOS</b></summary>
+<br>
+  Unofficial CentOS support is offered through the <a href="https://build.opensuse.org/">openSUSE Build Service</a>.<br><br>
+  Maintainer: <a href="https://github.com/Masgalor">@Masgalor</a><br>
+  Support: <a href="https://codeberg.org/Masgalor/LLDAP-Packaging/issues">Codeberg</a>, <a href="https://github.com/lldap/lldap/discussions">Discussions</a><br>
+  Package repository: <a href="https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP&package=lldap">SUSE openBuildService</a><br>
+<table>
+  <tr>
+    <td>Available packages:</td>
+    <td>lldap</td>
+    <td>Light LDAP server for authentication.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-extras</td>
+    <td>Meta-Package for LLDAP and its tools and extensions.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-migration-tool</td>
+    <td>CLI migration tool to go from OpenLDAP to LLDAP.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-set-password</td>
+    <td>CLI tool to set a user password in LLDAP.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-cli</td>
+    <td>LLDAP-CLI is an unofficial command line interface for LLDAP.</td>
+  </tr>
+</table>
+LLDPA configuration file: /etc/lldap/lldap_config.toml<br>
+</details>
+<details>
+<summary><b>Fedora</b></summary>
+<br>
+  Unofficial Fedora support is offered through the <a href="https://build.opensuse.org/">openSUSE Build Service</a>.<br><br>
+  Maintainer: <a href="https://github.com/Masgalor">@Masgalor</a><br>
+  Support: <a href="https://codeberg.org/Masgalor/LLDAP-Packaging/issues">Codeberg</a>, <a href="https://github.com/lldap/lldap/discussions">Discussions</a><br>
+  Package repository: <a href="https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP&package=lldap">SUSE openBuildService</a><br>
+<table>
+  <tr>
+    <td>Available packages:</td>
+    <td>lldap</td>
+    <td>Light LDAP server for authentication.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-extras</td>
+    <td>Meta-Package for LLDAP and its tools and extensions.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-migration-tool</td>
+    <td>CLI migration tool to go from OpenLDAP to LLDAP.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-set-password</td>
+    <td>CLI tool to set a user password in LLDAP.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-cli</td>
+    <td>LLDAP-CLI is an unofficial command line interface for LLDAP.</td>
+  </tr>
+</table>
+LLDPA configuration file: /etc/lldap/lldap_config.toml<br>
+</details>
+<details>
+<summary><b>OpenSUSE</b></summary>
+<br>
+  Unofficial OpenSUSE support is offered through the <a href="https://build.opensuse.org/">openSUSE Build Service</a>.<br><br>
+  Maintainer: <a href="https://github.com/Masgalor">@Masgalor</a><br>
+  Support: <a href="https://codeberg.org/Masgalor/LLDAP-Packaging/issues">Codeberg</a>, <a href="https://github.com/lldap/lldap/discussions">Discussions</a><br>
+  Package repository: <a href="https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP&package=lldap">SUSE openBuildService</a><br>
+<table>
+  <tr>
+    <td>Available packages:</td>
+    <td>lldap</td>
+    <td>Light LDAP server for authentication.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-extras</td>
+    <td>Meta-Package for LLDAP and its tools and extensions.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-migration-tool</td>
+    <td>CLI migration tool to go from OpenLDAP to LLDAP.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-set-password</td>
+    <td>CLI tool to set a user password in LLDAP.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-cli</td>
+    <td>LLDAP-CLI is an unofficial command line interface for LLDAP.</td>
+  </tr>
+</table>
+LLDPA configuration file: /etc/lldap/lldap_config.toml<br>
+</details>
+<details>
+<summary><b>Ubuntu</b></summary>
+<br>
+  Unofficial Ubuntu support is offered through the <a href="https://build.opensuse.org/">openSUSE Build Service</a>.<br><br>
+  Maintainer: <a href="https://github.com/Masgalor">@Masgalor</a><br>
+  Support: <a href="https://codeberg.org/Masgalor/LLDAP-Packaging/issues">Codeberg</a>, <a href="https://github.com/lldap/lldap/discussions">Discussions</a><br>
+  Package repository: <a href="https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP&package=lldap">SUSE openBuildService</a><br>
+<table>
+  <tr>
+    <td>Available packages:</td>
+    <td>lldap</td>
+    <td>Light LDAP server for authentication.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-extras</td>
+    <td>Meta-Package for LLDAP and its tools and extensions.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-migration-tool</td>
+    <td>CLI migration tool to go from OpenLDAP to LLDAP.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-set-password</td>
+    <td>CLI tool to set a user password in LLDAP.</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>lldap-cli</td>
+    <td>LLDAP-CLI is an unofficial command line interface for LLDAP.</td>
+  </tr>
+</table>
+LLDPA configuration file: /etc/lldap/lldap_config.toml<br>
+</details>
+
+### With FreeBSD
+
+You can also install it as a rc.d service in FreeBSD, see
+[FreeBSD-install.md](example_configs/freebsd/freebsd-install.md).
+
+The rc.d script file
+[rc.d_lldap](example_configs/freebsd/rc.d_lldap).
+
 ### From source
 
 #### Backend
@@ -155,7 +426,7 @@ To compile the project, you'll need:
 Then you can compile the server (and the migration tool if you want):
 
 ```shell
-cargo build --release -p lldap -p migration-tool
+cargo build --release -p lldap -p lldap_migration_tool
 ```
 
 The resulting binaries will be in `./target/release/`. Alternatively, you can
@@ -164,15 +435,13 @@ just run `cargo run -- run` to run the server.
 #### Frontend
 
 To bring up the server, you'll need to compile the frontend. In addition to
-`cargo`, you'll need:
-
-- WASM-pack: `cargo install wasm-pack`
+`cargo`, you'll need WASM-pack, which can be installed by running `cargo install wasm-pack`.
 
 Then you can build the frontend files with
 
 ```shell
 ./app/build.sh
-````
+```
 
 (you'll need to run this after every front-end change to update the WASM
 package served).
@@ -207,6 +476,53 @@ You can then get the compiled server binary in
 Raspberry Pi (or other target), with the folder structure maintained (`app`
 files in an `app` folder next to the binary).
 
+## Usage
+
+The simplest way to use LLDAP is through the web front-end. There you can
+create users, set passwords, add them to groups and so on. Users can also
+connect to the web UI and change their information, or request a password reset
+link (if you configured the SMTP client).
+
+You can create and manage custom attributes through the Web UI, or through the
+community-contributed CLI frontend (
+[Zepmann/lldap-cli](https://github.com/Zepmann/lldap-cli)). This is necessary
+for some service integrations.
+
+The [bootstrap.sh](scripts/bootstrap.sh) script can enforce a list of
+users/groups/attributes from a given file, reflecting it on the server.
+
+To manage the user, group and membership lifecycle in an infrastructure-as-code
+scenario you can use the unofficial [LLDAP terraform provider in the terraform registry](https://registry.terraform.io/providers/tasansga/lldap/latest).
+
+LLDAP is also very scriptable, through its GraphQL API. See the
+[Scripting](docs/scripting.md) docs for more info.
+
+### Recommended architecture
+
+If you are using containers, a sample architecture could look like this:
+
+- A reverse proxy (e.g. nginx or Traefik)
+- An authentication service (e.g. Authelia, Authentik or KeyCloak) connected to
+  LLDAP to provide authentication for non-authenticated services, or to provide
+  SSO with compatible ones.
+- The LLDAP service, with the web port exposed to Traefik.
+  - The LDAP port doesn't need to be exposed, since only the other containers
+    will access it.
+  - You can also set up LDAPS if you want to expose the LDAP port to the
+    internet (not recommended) or for an extra layer of security in the
+    inter-container communication (though it's very much optional).
+  - The default LLDAP container starts up as root to fix up some files'
+    permissions before downgrading the privilege to the given user. However,
+    you can (should?) use the `*-rootless` version of the images to be able to
+    start directly as that user, once you got the permissions right. Just don't
+    forget to change from the `UID/GID` env vars to the `uid` docker-compose
+    field.
+- Any other service that needs to connect to LLDAP for authentication (e.g.
+  NextCloud) can be added to a shared network with LLDAP. The finest
+  granularity is a network for each pair of LLDAP-service, but there are often
+  coarser granularities that make sense (e.g. a network for the \*arr stack and
+  LLDAP).
+
 ## Client configuration
 
 ### Compatible services
@@ -238,6 +554,13 @@ admin rights in the Web UI. Most LDAP integrations should instead use a user in
 the `lldap_strict_readonly` or `lldap_password_manager` group, to avoid granting full
 administration access to many services.
 
+### Integration with OS's
+
+Integration with Linux accounts is possible, through PAM and nslcd. See [PAM
+configuration guide](example_configs/pam/README.md).
+
+Integration with Windows (e.g. Samba) is WIP.
+
 ### Sample client configurations
 
 Some specific clients have been tested to work and come with sample
@@ -246,35 +569,93 @@ folder for help with:
 
 - [Airsonic Advanced](example_configs/airsonic-advanced.md)
 - [Apache Guacamole](example_configs/apacheguacamole.md)
+- [Apereo CAS Server](example_configs/apereo_cas_server.md)
 - [Authelia](example_configs/authelia_config.yml)
 - [Authentik](example_configs/authentik.md)
 - [Bookstack](example_configs/bookstack.env.example)
 - [Calibre-Web](example_configs/calibre_web.md)
+- [Carpal](example_configs/carpal.md)
 - [Dell iDRAC](example_configs/dell_idrac.md)
 - [Dex](example_configs/dex_config.yml)
 - [Dokuwiki](example_configs/dokuwiki.md)
 - [Dolibarr](example_configs/dolibarr.md)
+- [Ejabberd](example_configs/ejabberd.md)
 - [Emby](example_configs/emby.md)
+- [Ergo IRCd](example_configs/ergo.md)
 - [Gitea](example_configs/gitea.md)
+- [GitLab](example_configs/gitlab.md)
 - [Grafana](example_configs/grafana_ldap_config.toml)
+- [Grocy](example_configs/grocy.md)
+- [Harbor](example_configs/harbor.md)
 - [Hedgedoc](example_configs/hedgedoc.md)
+- [Home Assistant](example_configs/home-assistant.md)
 - [Jellyfin](example_configs/jellyfin.md)
+- [Jenkins](example_configs/jenkins.md)
 - [Jitsi Meet](example_configs/jitsi_meet.conf)
+- [Kasm](example_configs/kasm.md)
 - [KeyCloak](example_configs/keycloak.md)
+- [LibreNMS](example_configs/librenms.md)
+- [Maddy](example_configs/maddy.md)
+- [Mastodon](example_configs/mastodon.env.example)
 - [Matrix](example_configs/matrix_synapse.yml)
+- [Mealie](example_configs/mealie.md)
+- [Metabase](example_configs/metabase.md)
+- [MegaRAC-BMC](example_configs/MegaRAC-SP-X-BMC.md)
+- [MinIO](example_configs/minio.md)
+- [Netbox](example_configs/netbox.md)
 - [Nextcloud](example_configs/nextcloud.md)
 - [Nexus](example_configs/nexus.md)
+- [OCIS (OwnCloud Infinite Scale)](example_configs/ocis.md)
+- [OneDev](example_configs/onedev.md)
 - [Organizr](example_configs/Organizr.md)
 - [Portainer](example_configs/portainer.md)
+- [PowerDNS Admin](example_configs/powerdns_admin.md)
+- [Prosody](example_configs/prosody.md)
+- [Proxmox VE](example_configs/proxmox.md)
+- [Radicale](example_configs/radicale.md)
 - [Rancher](example_configs/rancher.md)
 - [Seafile](example_configs/seafile.md)
+- [Shaarli](example_configs/shaarli.md)
+- [SonarQube](example_configs/sonarqube.md)
+- [Squid](example_configs/squid.md)
 - [Syncthing](example_configs/syncthing.md)
+- [TheLounge](example_configs/thelounge.md)
+- [Traccar](example_configs/traccar.xml)
 - [Vaultwarden](example_configs/vaultwarden.md)
 - [WeKan](example_configs/wekan.md)
 - [WG Portal](example_configs/wg_portal.env.example)
 - [WikiJS](example_configs/wikijs.md)
 - [XBackBone](example_configs/xbackbone_config.php)
 - [Zendto](example_configs/zendto.md)
+- [Zitadel](example_configs/zitadel.md)
+- [Zulip](example_configs/zulip.md)
+
+### Incompatible services
+
+Though we try to be maximally compatible, not every feature is supported; LLDAP
+is not a fully-featured LDAP server, intentionally so.
+
+LDAP browsing tools are generally not supported, though they could be. If you
+need to use one but it behaves weirdly, please file a bug.
+
+Some services use features that are not implemented, or require specific
+attributes. You can try to create those attributes (see custom attributes in
+the [Usage](#usage) section).
+
+Finally, some services require password hashes so they can validate themselves
+the user's password without contacting LLDAP. This is not and will not be
+supported, it's incompatible with our password hashing scheme (a zero-knowledge
+proof). Furthermore, it's generally not recommended in terms of security, since
+it duplicates the places from which a password hash could leak.
+
+In that category, the most prominent is Synology. It is, to date, the only
+service that seems definitely incompatible with LLDAP.
+
+## Migrating from SQLite
+
+If you started with an SQLite database and would like to migrate to
+MySQL/MariaDB or PostgreSQL, check out the [DB
+migration docs](/docs/database_migration.md).
 
 ## Comparisons with other services
 

app/Cargo.toml

@@ -1,8 +1,12 @@
 [package]
-name = "lldap_app"
-version = "0.4.2"
 authors = ["Valentin Tolmer <valentin@tolmer.fr>"]
+description = "Frontend for LLDAP"
 edition = "2021"
+homepage = "https://github.com/lldap/lldap"
+license = "GPL-3.0-only"
+name = "lldap_app"
+repository = "https://github.com/lldap/lldap"
+version = "0.6.1"
 include = ["src/**/*", "queries/**/*", "Cargo.toml", "../schema.graphql"]
 
 [dependencies]
@@ -18,8 +22,8 @@ rand = "0.8"
 serde = "1"
 serde_json = "1"
 url-escape = "0.1.1"
-validator = "=0.14"
-validator_derive = "*"
+validator = "0.14"
+validator_derive = "0.14"
 wasm-bindgen = "0.2"
 wasm-bindgen-futures = "*"
 yew = "0.19.3"
@@ -33,12 +37,16 @@ version = "0.3"
 features = [
   "Document",
   "Element",
+  "Event",
   "FileReader",
+  "FormData",
   "HtmlDocument",
+  "HtmlFormElement",
   "HtmlInputElement",
   "HtmlOptionElement",
   "HtmlOptionsCollection",
   "HtmlSelectElement",
+  "SubmitEvent",
   "console",
 ]
 
@@ -67,3 +75,10 @@ rev = "4b9fabffb63393ec7626a4477fd36de12a07fac9"
 
 [lib]
 crate-type = ["cdylib"]
+
+[package.metadata.wasm-pack.profile.dev]
+wasm-opt = ['--enable-bulk-memory']
+[package.metadata.wasm-pack.profile.profiling]
+wasm-opt = ['--enable-bulk-memory']
+[package.metadata.wasm-pack.profile.release]
+wasm-opt = ['--enable-bulk-memory']

app/build.sh

@@ -14,4 +14,4 @@ fi
 
 wasm-pack build --target web --release
 
-gzip -9 -f pkg/lldap_app_bg.wasm
+gzip -9 -k -f pkg/lldap_app_bg.wasm

app/index.html

@@ -4,7 +4,8 @@
 <head>
     <meta charset="utf-8" />
     <title>LLDAP Administration</title>
-    <script src="/static/main.js" type="module" defer></script>
+    <base href="/">
+    <script src="static/main.js" type="module" defer></script>
     <link
       href="https://cdn.jsdelivr.net/npm/bootstrap-dark-5@1.1.3/dist/css/bootstrap-nightshade.min.css"
       rel="preload stylesheet"
@@ -15,8 +16,8 @@
       src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.1/dist/js/bootstrap.bundle.min.js"
       integrity="sha384-/bQdsTh/da6pkI1MST/rWKFNjaCP5gBSY4sEBT38Q/9RBh9AH40zEOg7Hlq2THRZ"
       crossorigin="anonymous"></script>
-      <script 
-      src="https://cdn.jsdelivr.net/npm/bootstrap-dark-5@1.1.3/dist/js/darkmode.min.js" 
+      <script
+      src="https://cdn.jsdelivr.net/npm/bootstrap-dark-5@1.1.3/dist/js/darkmode.min.js"
       integrity="sha384-A4SLs39X/aUfwRclRaXvNeXNBTLZdnZdHhhteqbYFS2jZTRD79tKeFeBn7SGXNpi"
       crossorigin="anonymous"></script>
     <link
@@ -33,7 +34,7 @@
       href="https://fonts.googleapis.com/css2?family=Bebas+Neue&display=swap" />
     <link
       rel="stylesheet"
-      href="/static/style.css" />
+      href="static/style.css" />
     <script>
       function inDarkMode(){
         return darkmode.inDarkMode;
@@ -43,6 +44,23 @@
 </head>
 
 <body>
+    <noscript>
+        <!-- This will be displayed if the user doesn't have JavaScript enabled. -->
+        LLDAP requires JavaScript, please switch to a compatible browser or
+        enable it.
+    </noscript>
+
+    <script>
+        /* Detect if the user has WASM support. */
+        if (typeof WebAssembly === 'undefined') {
+            const pWASMMsg = document.createElement("p")
+            pWASMMsg.innerHTML = `
+            LLDAP requires WASM and JIT for JavaScript, please switch to a
+            compatible browser or enable it.
+            `
+            document.body.appendChild(pWASMMsg)
+        }
+    </script>
 </body>
 
 </html>

app/index_local.html

@@ -13,8 +13,8 @@
     <script
       src="/static/bootstrap.bundle.min.js"
       integrity="sha384-/bQdsTh/da6pkI1MST/rWKFNjaCP5gBSY4sEBT38Q/9RBh9AH40zEOg7Hlq2THRZ"></script>
-    <script 
-    src="/static/darkmode.min.js" 
+    <script
+    src="/static/darkmode.min.js"
     integrity="sha384-A4SLs39X/aUfwRclRaXvNeXNBTLZdnZdHhhteqbYFS2jZTRD79tKeFeBn7SGXNpi"></script>
     <link
       rel="stylesheet"
@@ -40,6 +40,23 @@
 </head>
 
 <body>
+    <noscript>
+        <!-- This will be displayed if the user doesn't have JavaScript enabled. -->
+        LLDAP requires JavaScript, please switch to a compatible browser or
+        enable it.
+    </noscript>
+
+    <script>
+        /* Detect if the user has WASM support. */
+        if (typeof WebAssembly === 'undefined') {
+            const pWASMMsg = document.createElement("p")
+            pWASMMsg.innerHTML = `
+            LLDAP requires WASM and JIT for JavaScript, please switch to a
+            compatible browser or enable it.
+            `
+            document.body.appendChild(pWASMMsg)
+        }
+    </script>
 </body>
 
 </html>

app/queries/create_group.graphql

@@ -1,5 +1,5 @@
-mutation CreateGroup($name: String!) {
-  createGroup(name: $name) {
+mutation CreateGroup($group: CreateGroupInput!) {
+  createGroupWithDetails(request: $group) {
     id
     displayName
   }

app/queries/create_group_attribute.graphql

@@ -0,0 +1,5 @@
+mutation CreateGroupAttribute($name: String!, $attributeType: AttributeType!, $isList: Boolean!, $isVisible: Boolean!) {
+    addGroupAttribute(name: $name, attributeType: $attributeType, isList: $isList, isVisible: $isVisible, isEditable: false) {
+        ok
+    }
+}

app/queries/create_user_attribute.graphql

@@ -0,0 +1,5 @@
+mutation CreateUserAttribute($name: String!, $attributeType: AttributeType!, $isList: Boolean!, $isVisible: Boolean!, $isEditable: Boolean!) {
+    addUserAttribute(name: $name, attributeType: $attributeType, isList: $isList, isVisible: $isVisible, isEditable: $isEditable) {
+        ok
+    }
+}

app/queries/delete_group_attribute.graphql

@@ -0,0 +1,5 @@
+mutation DeleteGroupAttributeQuery($name: String!) {
+    deleteGroupAttribute(name: $name) {
+        ok
+    }
+}

app/queries/delete_user_attribute.graphql

@@ -0,0 +1,5 @@
+mutation DeleteUserAttributeQuery($name: String!) {
+    deleteUserAttribute(name: $name) {
+        ok
+    }
+}

app/queries/get_group_attributes_schema.graphql

@@ -0,0 +1,14 @@
+query GetGroupAttributesSchema {
+  schema {
+    groupSchema {
+      attributes {
+        name
+        attributeType
+        isList
+        isVisible
+        isHardcoded
+        isReadonly
+      }
+    }
+  }
+}

app/queries/get_group_details.graphql

@@ -8,5 +8,22 @@ query GetGroupDetails($id: Int!) {
       id
       displayName
     }
+    attributes {
+      name
+      value
+    }
+  }
+  schema {
+    groupSchema {
+      attributes {
+        name
+        attributeType
+        isList
+        isVisible
+        isEditable
+        isHardcoded
+        isReadonly
+      }
+    }
   }
 }

app/queries/get_user_attributes_schema.graphql

@@ -0,0 +1,15 @@
+query GetUserAttributesSchema {
+  schema {
+    userSchema {
+      attributes {
+        name
+        attributeType
+        isList
+        isVisible
+        isEditable
+        isHardcoded
+        isReadonly
+      }
+    }
+  }
+}

app/queries/get_user_details.graphql

@@ -2,15 +2,30 @@ query GetUserDetails($id: String!) {
   user(userId: $id) {
     id
     email
-    displayName
-    firstName
-    lastName
     avatar
+    displayName
     creationDate
     uuid
     groups {
       id
       displayName
     }
+    attributes {
+      name
+      value
+    }
+  }
+  schema {
+    userSchema {
+      attributes {
+        name
+        attributeType
+        isList
+        isVisible
+        isEditable
+        isHardcoded
+        isReadonly
+      }
+    }
   }
 }

app/queries/update_group.graphql

@@ -0,0 +1,6 @@
+mutation UpdateGroup($group: UpdateGroupInput!) {
+  updateGroup(group: $group) {
+    ok
+  }
+}
+

app/src/components/add_group_member.rs

@@ -155,8 +155,13 @@ impl Component for AddGroupMemberComponent {
             let to_add_user_list = self.get_selectable_user_list(ctx, user_list);
             #[allow(unused_braces)]
             let make_select_option = |user: User| {
+                let name = if user.display_name.is_empty() {
+                    user.id.clone()
+                } else {
+                    user.display_name.clone()
+                };
                 html_nested! {
-                    <SelectOption value={user.id.clone()} text={user.display_name.clone()} key={user.id} />
+                    <SelectOption value={user.id.clone()} text={name} key={user.id} />
                 }
             };
             html! {

app/src/components/app.rs

@@ -1,23 +1,26 @@
 use crate::{
     components::{
+        banner::Banner,
         change_password::ChangePasswordForm,
         create_group::CreateGroupForm,
+        create_group_attribute::CreateGroupAttributeForm,
         create_user::CreateUserForm,
+        create_user_attribute::CreateUserAttributeForm,
         group_details::GroupDetails,
+        group_schema_table::ListGroupSchema,
         group_table::GroupTable,
         login::LoginForm,
-        logout::LogoutButton,
         reset_password_step1::ResetPasswordStep1Form,
         reset_password_step2::ResetPasswordStep2Form,
         router::{AppRoute, Link, Redirect},
         user_details::UserDetails,
+        user_schema_table::ListUserSchema,
         user_table::UserTable,
     },
     infra::{api::HostService, cookies::get_cookie},
 };
 
 use gloo_console::error;
-use wasm_bindgen::prelude::*;
 use yew::{
     function_component,
     html::Scope,
@@ -30,25 +33,6 @@ use yew_router::{
     BrowserRouter, Switch,
 };
 
-#[wasm_bindgen]
-extern "C" {
-    #[wasm_bindgen(js_namespace = darkmode)]
-    fn toggleDarkMode(doSave: bool);
-
-    #[wasm_bindgen]
-    fn inDarkMode() -> bool;
-}
-
-#[function_component(DarkModeToggle)]
-pub fn dark_mode_toggle() -> Html {
-    html! {
-      <div class="form-check form-switch">
-        <input class="form-check-input" onclick={|_| toggleDarkMode(true)} type="checkbox" id="darkModeToggle" checked={inDarkMode()}/>
-        <label class="form-check-label" for="darkModeToggle">{"Dark mode"}</label>
-      </div>
-    }
-}
-
 #[function_component(AppContainer)]
 pub fn app_container() -> Html {
     html! {
@@ -135,10 +119,11 @@ impl Component for App {
     fn view(&self, ctx: &Context<Self>) -> Html {
         let link = ctx.link().clone();
         let is_admin = self.is_admin();
+        let username = self.user_info.clone().map(|(username, _)| username);
         let password_reset_enabled = self.password_reset_enabled;
         html! {
           <div>
-            {self.view_banner(ctx)}
+            <Banner is_admin={is_admin} username={username} on_logged_out={link.callback(|_| Msg::Logout)} />
             <div class="container py-3 bg-kug">
               <div class="row justify-content-center" style="padding-bottom: 80px;">
                 <main class="py-3" style="max-width: 1000px">
@@ -177,7 +162,13 @@ impl App {
                 Some(AppRoute::StartResetPassword | AppRoute::FinishResetPassword { token: _ }),
                 _,
                 _,
-            ) if self.password_reset_enabled == Some(false) => Some(AppRoute::Login),
+            ) => {
+                if self.password_reset_enabled == Some(false) {
+                    Some(AppRoute::Login)
+                } else {
+                    None
+                }
+            }
             (None, _, _) | (_, None, _) => Some(AppRoute::Login),
             // User is logged in, a URL was given, don't redirect.
             (_, Some(_), Some(_)) => None,
@@ -221,6 +212,12 @@ impl App {
             AppRoute::CreateGroup => html! {
                 <CreateGroupForm/>
             },
+            AppRoute::CreateUserAttribute => html! {
+                <CreateUserAttributeForm/>
+            },
+            AppRoute::CreateGroupAttribute => html! {
+                <CreateGroupAttributeForm/>
+            },
             AppRoute::ListGroups => html! {
                 <div>
                   <GroupTable />
@@ -230,8 +227,14 @@ impl App {
                   </Link>
                 </div>
             },
+            AppRoute::ListUserSchema => html! {
+                <ListUserSchema />
+            },
+            AppRoute::ListGroupSchema => html! {
+                <ListGroupSchema />
+            },
             AppRoute::GroupDetails { group_id } => html! {
-                <GroupDetails group_id={*group_id} />
+                <GroupDetails group_id={*group_id} is_admin={is_admin} />
             },
             AppRoute::UserDetails { user_id } => html! {
                 <UserDetails username={user_id.clone()} is_admin={is_admin} />
@@ -257,91 +260,6 @@ impl App {
         }
     }
 
-    fn view_banner(&self, ctx: &Context<Self>) -> Html {
-        html! {
-          <header class="p-2 mb-3 border-bottom">
-            <div class="container">
-              <div class="d-flex flex-wrap align-items-center justify-content-center justify-content-lg-start">
-                <a href="/" class="d-flex align-items-center mt-2 mb-lg-0 me-md-5 text-decoration-none">
-                  <h2>{"LLDAP"}</h2>
-                </a>
-
-                <ul class="nav col-12 col-lg-auto me-lg-auto mb-2 justify-content-center mb-md-0">
-                  {if self.is_admin() { html! {
-                    <>
-                      <li>
-                        <Link
-                          classes="nav-link px-2 h6"
-                          to={AppRoute::ListUsers}>
-                          <i class="bi-people me-2"></i>
-                          {"Users"}
-                        </Link>
-                      </li>
-                      <li>
-                        <Link
-                          classes="nav-link px-2 h6"
-                          to={AppRoute::ListGroups}>
-                          <i class="bi-collection me-2"></i>
-                          {"Groups"}
-                        </Link>
-                      </li>
-                    </>
-                  } } else { html!{} } }
-                </ul>
-                { self.view_user_menu(ctx) }
-                <DarkModeToggle />
-              </div>
-            </div>
-          </header>
-        }
-    }
-
-    fn view_user_menu(&self, ctx: &Context<Self>) -> Html {
-        if let Some((user_id, _)) = &self.user_info {
-            let link = ctx.link();
-            html! {
-              <div class="dropdown text-end">
-                <a href="#"
-                  class="d-block nav-link text-decoration-none dropdown-toggle"
-                  id="dropdownUser"
-                  data-bs-toggle="dropdown"
-                  aria-expanded="false">
-                  <svg xmlns="http://www.w3.org/2000/svg"
-                    width="32"
-                    height="32"
-                    fill="currentColor"
-                    class="bi bi-person-circle"
-                    viewBox="0 0 16 16">
-                    <path d="M11 6a3 3 0 1 1-6 0 3 3 0 0 1 6 0z"/>
-                    <path fill-rule="evenodd" d="M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8zm8-7a7 7 0 0 0-5.468 11.37C3.242 11.226 4.805 10 8 10s4.757 1.225 5.468 2.37A7 7 0 0 0 8 1z"/>
-                  </svg>
-                  <span class="ms-2">
-                    {user_id}
-                  </span>
-                </a>
-                <ul
-                  class="dropdown-menu text-small dropdown-menu-lg-end"
-                  aria-labelledby="dropdownUser1"
-                  style="">
-                  <li>
-                    <Link
-                      classes="dropdown-item"
-                      to={AppRoute::UserDetails{ user_id: user_id.clone() }}>
-                      {"View details"}
-                    </Link>
-                  </li>
-                  <li><hr class="dropdown-divider" /></li>
-                  <li>
-                    <LogoutButton on_logged_out={link.callback(|_| Msg::Logout)} />
-                  </li>
-                </ul>
-              </div>
-            }
-        } else {
-            html! {}
-        }
-    }
-
     fn view_footer(&self) -> Html {
         html! {
           <footer class="text-center fixed-bottom text-muted bg-light py-2">
@@ -349,7 +267,7 @@ impl App {
               <span>{format!("LLDAP version {}", env!("CARGO_PKG_VERSION"))}</span>
             </div>
             <div>
-              <a href="https://github.com/nitnelave/lldap" class="me-4 text-reset">
+              <a href="https://github.com/lldap/lldap" class="me-4 text-reset">
                 <i class="bi-github"></i>
               </a>
               <a href="https://discord.gg/h5PEdRMNyP" class="me-4 text-reset">
@@ -360,7 +278,7 @@ impl App {
               </a>
             </div>
             <div>
-              <span>{"License "}<a href="https://github.com/nitnelave/lldap/blob/main/LICENSE" class="link-secondary">{"GNU GPL"}</a></span>
+              <span>{"License "}<a href="https://github.com/lldap/lldap/blob/main/LICENSE" class="link-secondary">{"GNU GPL"}</a></span>
             </div>
           </footer>
         }

app/src/components/avatar.rs

@@ -0,0 +1,88 @@
+use crate::infra::functional::{use_graphql_call, LoadableResult};
+use graphql_client::GraphQLQuery;
+use yew::{function_component, html, virtual_dom::AttrValue, Properties};
+
+#[derive(GraphQLQuery)]
+#[graphql(
+    schema_path = "../schema.graphql",
+    query_path = "queries/get_user_details.graphql",
+    variables_derives = "Clone,PartialEq,Eq",
+    response_derives = "Debug, Hash, PartialEq, Eq, Clone",
+    custom_scalars_module = "crate::infra::graphql"
+)]
+pub struct GetUserDetails;
+
+#[derive(Properties, PartialEq)]
+pub struct Props {
+    pub user: AttrValue,
+    #[prop_or(32)]
+    pub width: i32,
+    #[prop_or(32)]
+    pub height: i32,
+}
+
+#[function_component(Avatar)]
+pub fn avatar(props: &Props) -> Html {
+    let user_details = use_graphql_call::<GetUserDetails>(get_user_details::Variables {
+        id: props.user.to_string(),
+    });
+
+    match &(*user_details) {
+        LoadableResult::Loaded(Ok(response)) => {
+            let avatar = response.user.avatar.clone();
+            match &avatar {
+                Some(data) => html! {
+                  <img
+                    id="avatarDisplay"
+                    src={format!("data:image/jpeg;base64, {}", data)}
+                    style={format!("max-height:{}px;max-width:{}px;height:auto;width:auto;", props.height, props.width)}
+                    alt="Avatar" />
+                },
+                None => html! {
+                  <BlankAvatarDisplay
+                    width={props.width}
+                    height={props.height} />
+                },
+            }
+        }
+        LoadableResult::Loaded(Err(error)) => html! {
+          <BlankAvatarDisplay
+            error={error.to_string()}
+            width={props.width}
+            height={props.height} />
+        },
+        LoadableResult::Loading => html! {
+          <BlankAvatarDisplay
+            width={props.width}
+            height={props.height} />
+        },
+    }
+}
+
+#[derive(Properties, PartialEq)]
+struct BlankAvatarDisplayProps {
+    #[prop_or(None)]
+    pub error: Option<AttrValue>,
+    pub width: i32,
+    pub height: i32,
+}
+
+#[function_component(BlankAvatarDisplay)]
+fn blank_avatar_display(props: &BlankAvatarDisplayProps) -> Html {
+    let fill = match &props.error {
+        Some(_) => "red",
+        None => "currentColor",
+    };
+    html! {
+      <svg xmlns="http://www.w3.org/2000/svg"
+        width={props.width.to_string()}
+        height={props.height.to_string()}
+        fill={fill}
+        class="bi bi-person-circle"
+        viewBox="0 0 16 16">
+        <title>{props.error.clone().unwrap_or(AttrValue::Static("Avatar"))}</title>
+        <path d="M11 6a3 3 0 1 1-6 0 3 3 0 0 1 6 0z"/>
+        <path fill-rule="evenodd" d="M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8zm8-7a7 7 0 0 0-5.468 11.37C3.242 11.226 4.805 10 8 10s4.757 1.225 5.468 2.37A7 7 0 0 0 8 1z"/>
+      </svg>
+    }
+}

app/src/components/banner.rs

@@ -0,0 +1,132 @@
+use crate::components::{
+    avatar::Avatar,
+    logout::LogoutButton,
+    router::{AppRoute, Link},
+};
+use wasm_bindgen::prelude::wasm_bindgen;
+use yew::{function_component, html, Callback, Properties};
+
+#[derive(Properties, PartialEq)]
+pub struct Props {
+    pub is_admin: bool,
+    pub username: Option<String>,
+    pub on_logged_out: Callback<()>,
+}
+
+#[function_component(Banner)]
+pub fn banner(props: &Props) -> Html {
+    html! {
+      <header class="p-2 mb-3 border-bottom">
+        <div class="container">
+          <div class="d-flex flex-wrap align-items-center justify-content-center justify-content-lg-start">
+            <a href={yew_router::utils::base_url().unwrap_or("/".to_string())} class="d-flex align-items-center mt-2 mb-lg-0 me-md-5 text-decoration-none">
+              <h2>{"LLDAP"}</h2>
+            </a>
+
+            <ul class="nav col-12 col-lg-auto me-lg-auto mb-2 justify-content-center mb-md-0">
+              {if props.is_admin { html! {
+                <>
+                  <li>
+                    <Link
+                      classes="nav-link px-2 h6"
+                      to={AppRoute::ListUsers}>
+                      <i class="bi-people me-2"></i>
+                      {"Users"}
+                    </Link>
+                  </li>
+                  <li>
+                    <Link
+                      classes="nav-link px-2 h6"
+                      to={AppRoute::ListGroups}>
+                      <i class="bi-collection me-2"></i>
+                      {"Groups"}
+                    </Link>
+                  </li>
+                  <li>
+                    <Link
+                      classes="nav-link px-2 h6"
+                      to={AppRoute::ListUserSchema}>
+                      <i class="bi-list-ul me-2"></i>
+                      {"User schema"}
+                    </Link>
+                  </li>
+                  <li>
+                    <Link
+                      classes="nav-link px-2 h6"
+                      to={AppRoute::ListGroupSchema}>
+                      <i class="bi-list-ul me-2"></i>
+                      {"Group schema"}
+                    </Link>
+                  </li>
+                </>
+              } } else { html!{} } }
+            </ul>
+            <UserMenu username={props.username.clone()} on_logged_out={props.on_logged_out.clone()}/>
+            <DarkModeToggle />
+          </div>
+        </div>
+      </header>
+    }
+}
+
+#[derive(Properties, PartialEq)]
+struct UserMenuProps {
+    pub username: Option<String>,
+    pub on_logged_out: Callback<()>,
+}
+
+#[function_component(UserMenu)]
+fn user_menu(props: &UserMenuProps) -> Html {
+    match &props.username {
+        Some(username) => html! {
+          <div class="dropdown text-end">
+            <a href="#"
+              class="d-block nav-link text-decoration-none dropdown-toggle"
+              id="dropdownUser"
+              data-bs-toggle="dropdown"
+              aria-expanded="false">
+              <Avatar user={username.clone()} />
+              <span class="ms-2">
+                {username}
+              </span>
+            </a>
+            <ul
+              class="dropdown-menu text-small dropdown-menu-lg-end"
+              aria-labelledby="dropdownUser1"
+              style="">
+              <li>
+                <Link
+                  classes="dropdown-item"
+                  to={AppRoute::UserDetails{ user_id: username.to_string() }}>
+                  {"View details"}
+                </Link>
+              </li>
+              <li><hr class="dropdown-divider" /></li>
+              <li>
+                <LogoutButton on_logged_out={props.on_logged_out.clone()} />
+              </li>
+            </ul>
+          </div>
+        },
+        _ => html! {},
+    }
+}
+
+#[wasm_bindgen]
+extern "C" {
+    #[wasm_bindgen(js_namespace = darkmode)]
+    fn toggleDarkMode(doSave: bool);
+
+    #[wasm_bindgen]
+    fn inDarkMode() -> bool;
+}
+
+#[function_component(DarkModeToggle)]
+fn dark_mode_toggle() -> Html {
+    html! {
+      <div class="form-check form-switch">
+        <input class="form-check-input" onclick={|_| toggleDarkMode(true)} type="checkbox" id="darkModeToggle" checked={inDarkMode()}/>
+        <label class="form-check-label" for="darkModeToggle">{"Dark mode"}</label>
+      </div>
+    }
+}

app/src/components/change_password.rs

@@ -1,5 +1,8 @@
 use crate::{
-    components::router::{AppRoute, Link},
+    components::{
+        form::{field::Field, submit::Submit},
+        router::{AppRoute, Link},
+    },
     infra::{
         api::HostService,
         common_component::{CommonComponent, CommonComponentParts},
@@ -97,7 +100,7 @@ impl CommonComponent<ChangePasswordForm> for ChangePasswordForm {
                             .context("Could not initialize login")?;
                     self.opaque_data = OpaqueData::Login(login_start_request.state);
                     let req = login::ClientLoginStartRequest {
-                        username: ctx.props().username.clone(),
+                        username: ctx.props().username.clone().into(),
                         login_start_request: login_start_request.message,
                     };
                     self.common.call_backend(
@@ -128,11 +131,13 @@ impl CommonComponent<ChangePasswordForm> for ChangePasswordForm {
             Msg::SubmitNewPassword => {
                 let mut rng = rand::rngs::OsRng;
                 let new_password = self.form.model().password;
-                let registration_start_request =
-                    opaque::client::registration::start_registration(&new_password, &mut rng)
-                        .context("Could not initiate password change")?;
+                let registration_start_request = opaque::client::registration::start_registration(
+                    new_password.as_bytes(),
+                    &mut rng,
+                )
+                .context("Could not initiate password change")?;
                 let req = registration::ClientRegistrationStartRequest {
-                    username: ctx.props().username.clone(),
+                    username: ctx.props().username.clone().into(),
                     registration_start_request: registration_start_request.message,
                 };
                 self.opaque_data = OpaqueData::Registration(registration_start_request.state);
@@ -205,7 +210,6 @@ impl Component for ChangePasswordForm {
     fn view(&self, ctx: &Context<Self>) -> Html {
         let is_admin = ctx.props().is_admin;
         let link = ctx.link();
-        type Field = yew_form::Field<FormModel>;
         html! {
           <>
             <div class="mb-2 mt-2">
@@ -222,90 +226,44 @@ impl Component for ChangePasswordForm {
                 }
               } else { html! {} }
             }
-            <form
-              class="form">
+            <form class="form">
               {if !is_admin { html! {
-                <div class="form-group row">
-                  <label for="old_password"
-                    class="form-label col-sm-2 col-form-label">
-                    {"Current password*:"}
-                  </label>
-                  <div class="col-sm-10">
-                    <Field
-                      form={&self.form}
-                      field_name="old_password"
-                      input_type="password"
-                      class="form-control"
-                      class_invalid="is-invalid has-error"
-                      class_valid="has-success"
-                      autocomplete="current-password"
-                      oninput={link.callback(|_| Msg::FormUpdate)} />
-                    <div class="invalid-feedback">
-                      {&self.form.field_message("old_password")}
-                    </div>
-                  </div>
-                </div>
+                <Field<FormModel>
+                  form={&self.form}
+                  required=true
+                  label="Current password"
+                  field_name="old_password"
+                  input_type="password"
+                  autocomplete="current-password"
+                  oninput={link.callback(|_| Msg::FormUpdate)} />
               }} else { html! {} }}
-              <div class="form-group row mb-3">
-                <label for="new_password"
-                  class="form-label col-sm-2 col-form-label">
-                   {"New Password"}
-                   <span class="text-danger">{"*"}</span>
-                   {":"}
-                </label>
-                <div class="col-sm-10">
-                  <Field
-                    form={&self.form}
-                    field_name="password"
-                    input_type="password"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    autocomplete="new-password"
-                    oninput={link.callback(|_| Msg::FormUpdate)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("password")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="confirm_password"
-                  class="form-label col-sm-2 col-form-label">
-                  {"Confirm Password"}
-                  <span class="text-danger">{"*"}</span>
-                  {":"}
-                </label>
-                <div class="col-sm-10">
-                  <Field
-                    form={&self.form}
-                    field_name="confirm_password"
-                    input_type="password"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    autocomplete="new-password"
-                    oninput={link.callback(|_| Msg::FormUpdate)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("confirm_password")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row justify-content-center">
-                <button
-                  class="btn btn-primary col-auto col-form-label"
-                  type="submit"
-                  disabled={self.common.is_task_running()}
-                  onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::Submit})}>
-                  <i class="bi-save me-2"></i>
-                  {"Save changes"}
-                </button>
+              <Field<FormModel>
+                form={&self.form}
+                required=true
+                label="New password"
+                field_name="password"
+                input_type="password"
+                autocomplete="new-password"
+                oninput={link.callback(|_| Msg::FormUpdate)} />
+              <Field<FormModel>
+                form={&self.form}
+                required=true
+                label="Confirm password"
+                field_name="confirm_password"
+                input_type="password"
+                autocomplete="new-password"
+                oninput={link.callback(|_| Msg::FormUpdate)} />
+              <Submit
+                disabled={self.common.is_task_running()}
+                onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::Submit})}
+                text="Save changes" >
                 <Link
                   classes="btn btn-secondary ms-2 col-auto col-form-label"
                   to={AppRoute::UserDetails{user_id: ctx.props().username.clone()}}>
                   <i class="bi-arrow-return-left me-2"></i>
                   {"Back"}
                 </Link>
-              </div>
+              </Submit>
             </form>
           </>
         }

app/src/components/create_group.rs

@@ -1,8 +1,23 @@
 use crate::{
-    components::router::AppRoute,
-    infra::common_component::{CommonComponent, CommonComponentParts},
+    components::{
+        form::{
+            attribute_input::{ListAttributeInput, SingleAttributeInput},
+            field::Field,
+            submit::Submit,
+        },
+        router::AppRoute,
+    },
+    convert_attribute_type,
+    infra::{
+        common_component::{CommonComponent, CommonComponentParts},
+        form_utils::{
+            read_all_form_attributes, AttributeValue, EmailIsRequired, GraphQlAttributeSchema,
+            IsAdmin,
+        },
+        schema::AttributeType,
+    },
 };
-use anyhow::{bail, Result};
+use anyhow::{ensure, Result};
 use gloo_console::log;
 use graphql_client::GraphQLQuery;
 use validator_derive::Validate;
@@ -10,6 +25,33 @@ use yew::prelude::*;
 use yew_form_derive::Model;
 use yew_router::{prelude::History, scope_ext::RouterScopeExt};
 
+#[derive(GraphQLQuery)]
+#[graphql(
+    schema_path = "../schema.graphql",
+    query_path = "queries/get_group_attributes_schema.graphql",
+    response_derives = "Debug,Clone,PartialEq,Eq",
+    custom_scalars_module = "crate::infra::graphql"
+)]
+pub struct GetGroupAttributesSchema;
+
+use get_group_attributes_schema::ResponseData;
+
+pub type Attribute =
+    get_group_attributes_schema::GetGroupAttributesSchemaSchemaGroupSchemaAttributes;
+
+convert_attribute_type!(get_group_attributes_schema::AttributeType);
+
+impl From<&Attribute> for GraphQlAttributeSchema {
+    fn from(attr: &Attribute) -> Self {
+        Self {
+            name: attr.name.clone(),
+            is_list: attr.is_list,
+            is_readonly: attr.is_readonly,
+            is_editable: false, // Need to be admin to edit it.
+        }
+    }
+}
+
 #[derive(GraphQLQuery)]
 #[graphql(
     schema_path = "../schema.graphql",
@@ -22,6 +64,8 @@ pub struct CreateGroup;
 pub struct CreateGroupForm {
     common: CommonComponentParts<Self>,
     form: yew_form::Form<CreateGroupModel>,
+    attributes_schema: Option<Vec<Attribute>>,
+    form_ref: NodeRef,
 }
 
 #[derive(Model, Validate, PartialEq, Eq, Clone, Default)]
@@ -32,6 +76,7 @@ pub struct CreateGroupModel {
 
 pub enum Msg {
     Update,
+    ListAttributesResponse(Result<ResponseData>),
     SubmitForm,
     CreateGroupResponse(Result<create_group::ResponseData>),
 }
@@ -45,12 +90,33 @@ impl CommonComponent<CreateGroupForm> for CreateGroupForm {
         match msg {
             Msg::Update => Ok(true),
             Msg::SubmitForm => {
-                if !self.form.validate() {
-                    bail!("Check the form for errors");
-                }
+                ensure!(self.form.validate(), "Check the form for errors");
+
+                let all_values = read_all_form_attributes(
+                    self.attributes_schema.iter().flatten(),
+                    &self.form_ref,
+                    IsAdmin(true),
+                    EmailIsRequired(false),
+                )?;
+                let attributes = Some(
+                    all_values
+                        .into_iter()
+                        .filter(|a| !a.values.is_empty())
+                        .map(
+                            |AttributeValue { name, values }| create_group::AttributeValueInput {
+                                name,
+                                value: values,
+                            },
+                        )
+                        .collect(),
+                );
+
                 let model = self.form.model();
                 let req = create_group::Variables {
-                    name: model.groupname,
+                    group: create_group::CreateGroupInput {
+                        displayName: model.groupname,
+                        attributes,
+                    },
                 };
                 self.common.call_graphql::<CreateGroup, _>(
                     ctx,
@@ -63,11 +129,16 @@ impl CommonComponent<CreateGroupForm> for CreateGroupForm {
             Msg::CreateGroupResponse(response) => {
                 log!(&format!(
                     "Created group '{}'",
-                    &response?.create_group.display_name
+                    &response?.create_group_with_details.display_name
                 ));
                 ctx.link().history().unwrap().push(AppRoute::ListGroups);
                 Ok(true)
             }
+            Msg::ListAttributesResponse(schema) => {
+                self.attributes_schema =
+                    Some(schema?.schema.group_schema.attributes.into_iter().collect());
+                Ok(true)
+            }
         }
     }
 
@@ -80,11 +151,22 @@ impl Component for CreateGroupForm {
     type Message = Msg;
     type Properties = ();
 
-    fn create(_: &Context<Self>) -> Self {
-        Self {
+    fn create(ctx: &Context<Self>) -> Self {
+        let mut component = Self {
             common: CommonComponentParts::<Self>::create(),
             form: yew_form::Form::<CreateGroupModel>::new(CreateGroupModel::default()),
-        }
+            attributes_schema: None,
+            form_ref: NodeRef::default(),
+        };
+        component
+            .common
+            .call_graphql::<GetGroupAttributesSchema, _>(
+                ctx,
+                get_group_attributes_schema::Variables {},
+                Msg::ListAttributesResponse,
+                "Error trying to fetch group schema",
+            );
+        component
     }
 
     fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
@@ -93,44 +175,30 @@ impl Component for CreateGroupForm {
 
     fn view(&self, ctx: &Context<Self>) -> Html {
         let link = ctx.link();
-        type Field = yew_form::Field<CreateGroupModel>;
         html! {
           <div class="row justify-content-center">
-            <form class="form py-3" style="max-width: 636px">
+            <form class="form py-3" style="max-width: 636px"
+              ref={self.form_ref.clone()}>
               <div class="row mb-3">
                 <h5 class="fw-bold">{"Create a group"}</h5>
               </div>
-              <div class="form-group row mb-3">
-                <label for="groupname"
-                  class="form-label col-4 col-form-label">
-                  {"Group name"}
-                  <span class="text-danger">{"*"}</span>
-                  {":"}
-                </label>
-                <div class="col-8">
-                  <Field
-                    form={&self.form}
-                    field_name="groupname"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    autocomplete="groupname"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("groupname")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row justify-content-center">
-                <button
-                  class="btn btn-primary col-auto col-form-label"
-                  type="submit"
-                  disabled={self.common.is_task_running()}
-                  onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::SubmitForm})}>
-                  <i class="bi-save me-2"></i>
-                  {"Submit"}
-                </button>
-              </div>
+              <Field<CreateGroupModel>
+                form={&self.form}
+                required=true
+                label="Group name"
+                field_name="groupname"
+                oninput={link.callback(|_| Msg::Update)} />
+              {
+                  self.attributes_schema
+                      .iter()
+                      .flatten()
+                      .filter(|a| !a.is_readonly && a.name != "display_name")
+                      .map(get_custom_attribute_input)
+                      .collect::<Vec<_>>()
+              }
+              <Submit
+                disabled={self.common.is_task_running()}
+                onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::SubmitForm})} />
             </form>
             { if let Some(e) = &self.common.error {
                 html! {
@@ -144,3 +212,21 @@ impl Component for CreateGroupForm {
         }
     }
 }
+
+fn get_custom_attribute_input(attribute_schema: &Attribute) -> Html {
+    if attribute_schema.is_list {
+        html! {
+            <ListAttributeInput
+                name={attribute_schema.name.clone()}
+                attribute_type={Into::<AttributeType>::into(attribute_schema.attribute_type.clone())}
+            />
+        }
+    } else {
+        html! {
+            <SingleAttributeInput
+                name={attribute_schema.name.clone()}
+                attribute_type={Into::<AttributeType>::into(attribute_schema.attribute_type.clone())}
+            />
+        }
+    }
+}

app/src/components/create_group_attribute.rs

@@ -0,0 +1,168 @@
+use crate::{
+    components::{
+        form::{checkbox::CheckBox, field::Field, select::Select, submit::Submit},
+        router::AppRoute,
+    },
+    convert_attribute_type,
+    infra::{
+        common_component::{CommonComponent, CommonComponentParts},
+        schema::{validate_attribute_type, AttributeType},
+    },
+};
+use anyhow::{bail, Result};
+use gloo_console::log;
+use graphql_client::GraphQLQuery;
+use validator_derive::Validate;
+use yew::prelude::*;
+use yew_form_derive::Model;
+use yew_router::{prelude::History, scope_ext::RouterScopeExt};
+
+#[derive(GraphQLQuery)]
+#[graphql(
+    schema_path = "../schema.graphql",
+    query_path = "queries/create_group_attribute.graphql",
+    response_derives = "Debug",
+    custom_scalars_module = "crate::infra::graphql"
+)]
+pub struct CreateGroupAttribute;
+
+convert_attribute_type!(create_group_attribute::AttributeType);
+
+pub struct CreateGroupAttributeForm {
+    common: CommonComponentParts<Self>,
+    form: yew_form::Form<CreateGroupAttributeModel>,
+}
+
+#[derive(Model, Validate, PartialEq, Eq, Clone, Default, Debug)]
+pub struct CreateGroupAttributeModel {
+    #[validate(length(min = 1, message = "attribute_name is required"))]
+    attribute_name: String,
+    #[validate(custom = "validate_attribute_type")]
+    attribute_type: String,
+    is_list: bool,
+    is_visible: bool, // remove when backend doesn't return group attributes for normal users
+}
+
+pub enum Msg {
+    Update,
+    SubmitForm,
+    CreateGroupAttributeResponse(Result<create_group_attribute::ResponseData>),
+}
+
+impl CommonComponent<CreateGroupAttributeForm> for CreateGroupAttributeForm {
+    fn handle_msg(
+        &mut self,
+        ctx: &Context<Self>,
+        msg: <Self as Component>::Message,
+    ) -> Result<bool> {
+        match msg {
+            Msg::Update => Ok(true),
+            Msg::SubmitForm => {
+                if !self.form.validate() {
+                    bail!("Check the form for errors");
+                }
+                let model = self.form.model();
+                let attribute_type = model.attribute_type.parse::<AttributeType>().unwrap();
+                let req = create_group_attribute::Variables {
+                    name: model.attribute_name,
+                    attribute_type: create_group_attribute::AttributeType::from(attribute_type),
+                    is_list: model.is_list,
+                    is_visible: model.is_visible,
+                };
+                self.common.call_graphql::<CreateGroupAttribute, _>(
+                    ctx,
+                    req,
+                    Msg::CreateGroupAttributeResponse,
+                    "Error trying to create group attribute",
+                );
+                Ok(true)
+            }
+            Msg::CreateGroupAttributeResponse(response) => {
+                response?;
+                let model = self.form.model();
+                log!(&format!(
+                    "Created group attribute '{}'",
+                    model.attribute_name
+                ));
+                ctx.link()
+                    .history()
+                    .unwrap()
+                    .push(AppRoute::ListGroupSchema);
+                Ok(true)
+            }
+        }
+    }
+
+    fn mut_common(&mut self) -> &mut CommonComponentParts<Self> {
+        &mut self.common
+    }
+}
+
+impl Component for CreateGroupAttributeForm {
+    type Message = Msg;
+    type Properties = ();
+
+    fn create(_: &Context<Self>) -> Self {
+        let model = CreateGroupAttributeModel {
+            attribute_type: AttributeType::String.to_string(),
+            ..Default::default()
+        };
+        Self {
+            common: CommonComponentParts::<Self>::create(),
+            form: yew_form::Form::<CreateGroupAttributeModel>::new(model),
+        }
+    }
+
+    fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
+        CommonComponentParts::<Self>::update(self, ctx, msg)
+    }
+
+    fn view(&self, ctx: &Context<Self>) -> Html {
+        let link = ctx.link();
+        html! {
+          <div class="row justify-content-center">
+            <form class="form py-3" style="max-width: 636px">
+              <h5 class="fw-bold">{"Create a group attribute"}</h5>
+              <Field<CreateGroupAttributeModel>
+                label="Name"
+                required={true}
+                form={&self.form}
+                field_name="attribute_name"
+                oninput={link.callback(|_| Msg::Update)} />
+              <Select<CreateGroupAttributeModel>
+                label="Type"
+                required={true}
+                form={&self.form}
+                field_name="attribute_type"
+                oninput={link.callback(|_| Msg::Update)}>
+                <option selected=true value="String">{"String"}</option>
+                <option value="Integer">{"Integer"}</option>
+                <option value="Jpeg">{"Jpeg"}</option>
+                <option value="DateTime">{"DateTime"}</option>
+              </Select<CreateGroupAttributeModel>>
+              <CheckBox<CreateGroupAttributeModel>
+                label="Multiple values"
+                form={&self.form}
+                field_name="is_list"
+                ontoggle={link.callback(|_| Msg::Update)} />
+              <CheckBox<CreateGroupAttributeModel>
+                label="Visible to users"
+                form={&self.form}
+                field_name="is_visible"
+                ontoggle={link.callback(|_| Msg::Update)} />
+              <Submit
+                disabled={self.common.is_task_running()}
+                onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::SubmitForm})}/>
+            </form>
+            { if let Some(e) = &self.common.error {
+                html! {
+                  <div class="alert alert-danger">
+                    {e.to_string() }
+                  </div>
+                }
+              } else { html! {} }
+            }
+          </div>
+        }
+    }
+}

app/src/components/create_user.rs

@@ -1,11 +1,24 @@
 use crate::{
-    components::router::AppRoute,
+    components::{
+        form::{
+            attribute_input::{ListAttributeInput, SingleAttributeInput},
+            field::Field,
+            submit::Submit,
+        },
+        router::AppRoute,
+    },
+    convert_attribute_type,
     infra::{
         api::HostService,
         common_component::{CommonComponent, CommonComponentParts},
+        form_utils::{
+            read_all_form_attributes, AttributeValue, EmailIsRequired, GraphQlAttributeSchema,
+            IsAdmin,
+        },
+        schema::AttributeType,
     },
 };
-use anyhow::{bail, Result};
+use anyhow::{ensure, Result};
 use gloo_console::log;
 use graphql_client::GraphQLQuery;
 use lldap_auth::{opaque, registration};
@@ -14,6 +27,32 @@ use yew::prelude::*;
 use yew_form_derive::Model;
 use yew_router::{prelude::History, scope_ext::RouterScopeExt};
 
+#[derive(GraphQLQuery)]
+#[graphql(
+    schema_path = "../schema.graphql",
+    query_path = "queries/get_user_attributes_schema.graphql",
+    response_derives = "Debug,Clone,PartialEq,Eq",
+    custom_scalars_module = "crate::infra::graphql"
+)]
+pub struct GetUserAttributesSchema;
+
+use get_user_attributes_schema::ResponseData;
+
+pub type Attribute = get_user_attributes_schema::GetUserAttributesSchemaSchemaUserSchemaAttributes;
+
+convert_attribute_type!(get_user_attributes_schema::AttributeType);
+
+impl From<&Attribute> for GraphQlAttributeSchema {
+    fn from(attr: &Attribute) -> Self {
+        Self {
+            name: attr.name.clone(),
+            is_list: attr.is_list,
+            is_readonly: attr.is_readonly,
+            is_editable: attr.is_editable,
+        }
+    }
+}
+
 #[derive(GraphQLQuery)]
 #[graphql(
     schema_path = "../schema.graphql",
@@ -26,17 +65,14 @@ pub struct CreateUser;
 pub struct CreateUserForm {
     common: CommonComponentParts<Self>,
     form: yew_form::Form<CreateUserModel>,
+    attributes_schema: Option<Vec<Attribute>>,
+    form_ref: NodeRef,
 }
 
 #[derive(Model, Validate, PartialEq, Eq, Clone, Default)]
 pub struct CreateUserModel {
     #[validate(length(min = 1, message = "Username is required"))]
     username: String,
-    #[validate(email(message = "A valid email is required"))]
-    email: String,
-    display_name: String,
-    first_name: String,
-    last_name: String,
     #[validate(custom(
         function = "empty_or_long",
         message = "Password should be longer than 8 characters (or left empty)"
@@ -56,6 +92,7 @@ fn empty_or_long(value: &str) -> Result<(), validator::ValidationError> {
 
 pub enum Msg {
     Update,
+    ListAttributesResponse(Result<ResponseData>),
     SubmitForm,
     CreateUserResponse(Result<create_user::ResponseData>),
     SuccessfulCreation,
@@ -76,20 +113,43 @@ impl CommonComponent<CreateUserForm> for CreateUserForm {
     ) -> Result<bool> {
         match msg {
             Msg::Update => Ok(true),
+            Msg::ListAttributesResponse(schema) => {
+                self.attributes_schema =
+                    Some(schema?.schema.user_schema.attributes.into_iter().collect());
+                Ok(true)
+            }
             Msg::SubmitForm => {
-                if !self.form.validate() {
-                    bail!("Check the form for errors");
-                }
+                ensure!(self.form.validate(), "Check the form for errors");
+
+                let all_values = read_all_form_attributes(
+                    self.attributes_schema.iter().flatten(),
+                    &self.form_ref,
+                    IsAdmin(true),
+                    EmailIsRequired(true),
+                )?;
+                let attributes = Some(
+                    all_values
+                        .into_iter()
+                        .filter(|a| !a.values.is_empty())
+                        .map(
+                            |AttributeValue { name, values }| create_user::AttributeValueInput {
+                                name,
+                                value: values,
+                            },
+                        )
+                        .collect(),
+                );
+
                 let model = self.form.model();
-                let to_option = |s: String| if s.is_empty() { None } else { Some(s) };
                 let req = create_user::Variables {
                     user: create_user::CreateUserInput {
                         id: model.username,
-                        email: model.email,
-                        displayName: to_option(model.display_name),
-                        firstName: to_option(model.first_name),
-                        lastName: to_option(model.last_name),
+                        email: None,
+                        displayName: None,
+                        firstName: None,
+                        lastName: None,
                         avatar: None,
+                        attributes,
                     },
                 };
                 self.common.call_graphql::<CreateUser, _>(
@@ -117,9 +177,12 @@ impl CommonComponent<CreateUserForm> for CreateUserForm {
                     let opaque::client::registration::ClientRegistrationStartResult {
                         state,
                         message,
-                    } = opaque::client::registration::start_registration(&password, &mut rng)?;
+                    } = opaque::client::registration::start_registration(
+                        password.as_bytes(),
+                        &mut rng,
+                    )?;
                     let req = registration::ClientRegistrationStartRequest {
-                        username: user_id,
+                        username: user_id.into(),
                         registration_start_request: message,
                     };
                     self.common
@@ -170,11 +233,20 @@ impl Component for CreateUserForm {
     type Message = Msg;
     type Properties = ();
 
-    fn create(_: &Context<Self>) -> Self {
-        Self {
+    fn create(ctx: &Context<Self>) -> Self {
+        let mut component = Self {
             common: CommonComponentParts::<Self>::create(),
             form: yew_form::Form::<CreateUserModel>::new(CreateUserModel::default()),
-        }
+            attributes_schema: None,
+            form_ref: NodeRef::default(),
+        };
+        component.common.call_graphql::<GetUserAttributesSchema, _>(
+            ctx,
+            get_user_attributes_schema::Variables {},
+            Msg::ListAttributesResponse,
+            "Error trying to fetch user schema",
+        );
+        component
     }
 
     fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
@@ -183,163 +255,41 @@ impl Component for CreateUserForm {
 
     fn view(&self, ctx: &Context<Self>) -> Html {
         let link = &ctx.link();
-        type Field = yew_form::Field<CreateUserModel>;
         html! {
           <div class="row justify-content-center">
-            <form class="form py-3" style="max-width: 636px">
-              <div class="row mb-3">
-                <h5 class="fw-bold">{"Create a user"}</h5>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="username"
-                  class="form-label col-4 col-form-label">
-                  {"User name"}
-                  <span class="text-danger">{"*"}</span>
-                  {":"}
-                </label>
-                <div class="col-8">
-                  <Field
-                    form={&self.form}
-                    field_name="username"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    autocomplete="username"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("username")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="email"
-                  class="form-label col-4 col-form-label">
-                  {"Email"}
-                  <span class="text-danger">{"*"}</span>
-                  {":"}
-                </label>
-                <div class="col-8">
-                  <Field
-                    form={&self.form}
-                    input_type="email"
-                    field_name="email"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    autocomplete="email"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("email")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="display-name"
-                  class="form-label col-4 col-form-label">
-                  {"Display name:"}
-                </label>
-                <div class="col-8">
-                  <Field
-                    form={&self.form}
-                    autocomplete="name"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    field_name="display_name"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("display_name")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="first-name"
-                  class="form-label col-4 col-form-label">
-                  {"First name:"}
-                </label>
-                <div class="col-8">
-                  <Field
-                    form={&self.form}
-                    autocomplete="given-name"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    field_name="first_name"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("first_name")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="last-name"
-                  class="form-label col-4 col-form-label">
-                  {"Last name:"}
-                </label>
-                <div class="col-8">
-                  <Field
-                    form={&self.form}
-                    autocomplete="family-name"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    field_name="last_name"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("last_name")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="password"
-                  class="form-label col-4 col-form-label">
-                  {"Password:"}
-                </label>
-                <div class="col-8">
-                  <Field
-                    form={&self.form}
-                    input_type="password"
-                    field_name="password"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    autocomplete="new-password"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("password")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="confirm_password"
-                  class="form-label col-4 col-form-label">
-                  {"Confirm password:"}
-                </label>
-                <div class="col-8">
-                  <Field
-                    form={&self.form}
-                    input_type="password"
-                    field_name="confirm_password"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    autocomplete="new-password"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("confirm_password")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row justify-content-center">
-                <button
-                  class="btn btn-primary col-auto col-form-label mt-4"
-                  disabled={self.common.is_task_running()}
-                  type="submit"
-                  onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::SubmitForm})}>
-                  <i class="bi-save me-2"></i>
-                  {"Submit"}
-                </button>
-              </div>
+            <form class="form py-3"
+              ref={self.form_ref.clone()}>
+              <Field<CreateUserModel>
+                form={&self.form}
+                required=true
+                label="User name"
+                field_name="username"
+                oninput={link.callback(|_| Msg::Update)} />
+              {
+                  self.attributes_schema
+                      .iter()
+                      .flatten()
+                      .filter(|a| !a.is_readonly)
+                      .map(get_custom_attribute_input)
+                      .collect::<Vec<_>>()
+              }
+              <Field<CreateUserModel>
+                form={&self.form}
+                label="Password"
+                field_name="password"
+                input_type="password"
+                autocomplete="new-password"
+                oninput={link.callback(|_| Msg::Update)} />
+              <Field<CreateUserModel>
+                form={&self.form}
+                label="Confirm password"
+                field_name="confirm_password"
+                input_type="password"
+                autocomplete="new-password"
+                oninput={link.callback(|_| Msg::Update)} />
+              <Submit
+                disabled={self.common.is_task_running()}
+                onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::SubmitForm})} />
             </form>
             {
               if let Some(e) = &self.common.error {
@@ -354,3 +304,21 @@ impl Component for CreateUserForm {
         }
     }
 }
+
+fn get_custom_attribute_input(attribute_schema: &Attribute) -> Html {
+    if attribute_schema.is_list {
+        html! {
+            <ListAttributeInput
+                name={attribute_schema.name.clone()}
+                attribute_type={Into::<AttributeType>::into(attribute_schema.attribute_type.clone())}
+            />
+        }
+    } else {
+        html! {
+            <SingleAttributeInput
+                name={attribute_schema.name.clone()}
+                attribute_type={Into::<AttributeType>::into(attribute_schema.attribute_type.clone())}
+            />
+        }
+    }
+}

app/src/components/create_user_attribute.rs

@@ -0,0 +1,175 @@
+use crate::{
+    components::{
+        form::{checkbox::CheckBox, field::Field, select::Select, submit::Submit},
+        router::AppRoute,
+    },
+    convert_attribute_type,
+    infra::{
+        common_component::{CommonComponent, CommonComponentParts},
+        schema::{validate_attribute_type, AttributeType},
+    },
+};
+use anyhow::{bail, Result};
+use gloo_console::log;
+use graphql_client::GraphQLQuery;
+use validator_derive::Validate;
+use yew::prelude::*;
+use yew_form_derive::Model;
+use yew_router::{prelude::History, scope_ext::RouterScopeExt};
+
+#[derive(GraphQLQuery)]
+#[graphql(
+    schema_path = "../schema.graphql",
+    query_path = "queries/create_user_attribute.graphql",
+    response_derives = "Debug",
+    custom_scalars_module = "crate::infra::graphql"
+)]
+pub struct CreateUserAttribute;
+
+convert_attribute_type!(create_user_attribute::AttributeType);
+
+pub struct CreateUserAttributeForm {
+    common: CommonComponentParts<Self>,
+    form: yew_form::Form<CreateUserAttributeModel>,
+}
+
+#[derive(Model, Validate, PartialEq, Eq, Clone, Default, Debug)]
+pub struct CreateUserAttributeModel {
+    #[validate(length(min = 1, message = "attribute_name is required"))]
+    attribute_name: String,
+    #[validate(custom = "validate_attribute_type")]
+    attribute_type: String,
+    is_editable: bool,
+    is_list: bool,
+    is_visible: bool,
+}
+
+pub enum Msg {
+    Update,
+    SubmitForm,
+    CreateUserAttributeResponse(Result<create_user_attribute::ResponseData>),
+}
+
+impl CommonComponent<CreateUserAttributeForm> for CreateUserAttributeForm {
+    fn handle_msg(
+        &mut self,
+        ctx: &Context<Self>,
+        msg: <Self as Component>::Message,
+    ) -> Result<bool> {
+        match msg {
+            Msg::Update => Ok(true),
+            Msg::SubmitForm => {
+                if !self.form.validate() {
+                    bail!("Check the form for errors");
+                }
+                let model = self.form.model();
+                if model.is_editable && !model.is_visible {
+                    bail!("Editable attributes must also be visible");
+                }
+                let attribute_type = model.attribute_type.parse::<AttributeType>().unwrap();
+                let req = create_user_attribute::Variables {
+                    name: model.attribute_name,
+                    attribute_type: create_user_attribute::AttributeType::from(attribute_type),
+                    is_editable: model.is_editable,
+                    is_list: model.is_list,
+                    is_visible: model.is_visible,
+                };
+                self.common.call_graphql::<CreateUserAttribute, _>(
+                    ctx,
+                    req,
+                    Msg::CreateUserAttributeResponse,
+                    "Error trying to create user attribute",
+                );
+                Ok(true)
+            }
+            Msg::CreateUserAttributeResponse(response) => {
+                response?;
+                let model = self.form.model();
+                log!(&format!(
+                    "Created user attribute '{}'",
+                    model.attribute_name
+                ));
+                ctx.link().history().unwrap().push(AppRoute::ListUserSchema);
+                Ok(true)
+            }
+        }
+    }
+
+    fn mut_common(&mut self) -> &mut CommonComponentParts<Self> {
+        &mut self.common
+    }
+}
+
+impl Component for CreateUserAttributeForm {
+    type Message = Msg;
+    type Properties = ();
+
+    fn create(_: &Context<Self>) -> Self {
+        let model = CreateUserAttributeModel {
+            attribute_type: AttributeType::String.to_string(),
+            ..Default::default()
+        };
+        Self {
+            common: CommonComponentParts::<Self>::create(),
+            form: yew_form::Form::<CreateUserAttributeModel>::new(model),
+        }
+    }
+
+    fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
+        CommonComponentParts::<Self>::update(self, ctx, msg)
+    }
+
+    fn view(&self, ctx: &Context<Self>) -> Html {
+        let link = ctx.link();
+        html! {
+          <div class="row justify-content-center">
+            <form class="form py-3" style="max-width: 636px">
+              <h5 class="fw-bold">{"Create a user attribute"}</h5>
+              <Field<CreateUserAttributeModel>
+                label="Name"
+                required={true}
+                form={&self.form}
+                field_name="attribute_name"
+                oninput={link.callback(|_| Msg::Update)} />
+              <Select<CreateUserAttributeModel>
+                label="Type"
+                required={true}
+                form={&self.form}
+                field_name="attribute_type"
+                oninput={link.callback(|_| Msg::Update)}>
+                <option selected=true value="String">{"String"}</option>
+                <option value="Integer">{"Integer"}</option>
+                <option value="Jpeg">{"Jpeg"}</option>
+                <option value="DateTime">{"DateTime"}</option>
+              </Select<CreateUserAttributeModel>>
+              <CheckBox<CreateUserAttributeModel>
+                label="Multiple values"
+                form={&self.form}
+                field_name="is_list"
+                ontoggle={link.callback(|_| Msg::Update)} />
+              <CheckBox<CreateUserAttributeModel>
+                label="Visible to users"
+                form={&self.form}
+                field_name="is_visible"
+                ontoggle={link.callback(|_| Msg::Update)} />
+              <CheckBox<CreateUserAttributeModel>
+                label="Editable by users"
+                form={&self.form}
+                field_name="is_editable"
+                ontoggle={link.callback(|_| Msg::Update)} />
+              <Submit
+                disabled={self.common.is_task_running()}
+                onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::SubmitForm})}/>
+            </form>
+            { if let Some(e) = &self.common.error {
+                html! {
+                  <div class="alert alert-danger">
+                    {e.to_string() }
+                  </div>
+                }
+              } else { html! {} }
+            }
+          </div>
+        }
+    }
+}

app/src/components/delete_group_attribute.rs

@@ -0,0 +1,172 @@
+use crate::infra::{
+    common_component::{CommonComponent, CommonComponentParts},
+    modal::Modal,
+};
+use anyhow::{Error, Result};
+use graphql_client::GraphQLQuery;
+use yew::prelude::*;
+
+#[derive(GraphQLQuery)]
+#[graphql(
+    schema_path = "../schema.graphql",
+    query_path = "queries/delete_group_attribute.graphql",
+    response_derives = "Debug",
+    custom_scalars_module = "crate::infra::graphql"
+)]
+pub struct DeleteGroupAttributeQuery;
+
+pub struct DeleteGroupAttribute {
+    common: CommonComponentParts<Self>,
+    node_ref: NodeRef,
+    modal: Option<Modal>,
+}
+
+#[derive(yew::Properties, Clone, PartialEq, Debug)]
+pub struct DeleteGroupAttributeProps {
+    pub attribute_name: String,
+    pub on_attribute_deleted: Callback<String>,
+    pub on_error: Callback<Error>,
+}
+
+pub enum Msg {
+    ClickedDeleteGroupAttribute,
+    ConfirmDeleteGroupAttribute,
+    DismissModal,
+    DeleteGroupAttributeResponse(Result<delete_group_attribute_query::ResponseData>),
+}
+
+impl CommonComponent<DeleteGroupAttribute> for DeleteGroupAttribute {
+    fn handle_msg(
+        &mut self,
+        ctx: &Context<Self>,
+        msg: <Self as Component>::Message,
+    ) -> Result<bool> {
+        match msg {
+            Msg::ClickedDeleteGroupAttribute => {
+                self.modal.as_ref().expect("modal not initialized").show();
+            }
+            Msg::ConfirmDeleteGroupAttribute => {
+                self.update(ctx, Msg::DismissModal);
+                self.common.call_graphql::<DeleteGroupAttributeQuery, _>(
+                    ctx,
+                    delete_group_attribute_query::Variables {
+                        name: ctx.props().attribute_name.clone(),
+                    },
+                    Msg::DeleteGroupAttributeResponse,
+                    "Error trying to delete group attribute",
+                );
+            }
+            Msg::DismissModal => {
+                self.modal.as_ref().expect("modal not initialized").hide();
+            }
+            Msg::DeleteGroupAttributeResponse(response) => {
+                response?;
+                ctx.props()
+                    .on_attribute_deleted
+                    .emit(ctx.props().attribute_name.clone());
+            }
+        }
+        Ok(true)
+    }
+
+    fn mut_common(&mut self) -> &mut CommonComponentParts<Self> {
+        &mut self.common
+    }
+}
+
+impl Component for DeleteGroupAttribute {
+    type Message = Msg;
+    type Properties = DeleteGroupAttributeProps;
+
+    fn create(_: &Context<Self>) -> Self {
+        Self {
+            common: CommonComponentParts::<Self>::create(),
+            node_ref: NodeRef::default(),
+            modal: None,
+        }
+    }
+
+    fn rendered(&mut self, _: &Context<Self>, first_render: bool) {
+        if first_render {
+            self.modal = Some(Modal::new(
+                self.node_ref
+                    .cast::<web_sys::Element>()
+                    .expect("Modal node is not an element"),
+            ));
+        }
+    }
+
+    fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
+        CommonComponentParts::<Self>::update_and_report_error(
+            self,
+            ctx,
+            msg,
+            ctx.props().on_error.clone(),
+        )
+    }
+
+    fn view(&self, ctx: &Context<Self>) -> Html {
+        let link = &ctx.link();
+        html! {
+          <>
+          <button
+            class="btn btn-danger"
+            disabled={self.common.is_task_running()}
+            onclick={link.callback(|_| Msg::ClickedDeleteGroupAttribute)}>
+            <i class="bi-x-circle-fill" aria-label="Delete attribute" />
+          </button>
+          {self.show_modal(ctx)}
+          </>
+        }
+    }
+}
+
+impl DeleteGroupAttribute {
+    fn show_modal(&self, ctx: &Context<Self>) -> Html {
+        let link = &ctx.link();
+        html! {
+          <div
+            class="modal fade"
+            id={"deleteGroupAttributeModal".to_string() + &ctx.props().attribute_name}
+            tabindex="-1"
+            aria-labelledby="deleteGroupAttributeModalLabel"
+            aria-hidden="true"
+            ref={self.node_ref.clone()}>
+            <div class="modal-dialog">
+              <div class="modal-content">
+                <div class="modal-header">
+                  <h5 class="modal-title" id="deleteGroupAttributeModalLabel">{"Delete group attribute?"}</h5>
+                  <button
+                    type="button"
+                    class="btn-close"
+                    aria-label="Close"
+                    onclick={link.callback(|_| Msg::DismissModal)} />
+                </div>
+                <div class="modal-body">
+                <span>
+                  {"Are you sure you want to delete group attribute "}
+                  <b>{&ctx.props().attribute_name}</b>{"?"}
+                </span>
+                </div>
+                <div class="modal-footer">
+                  <button
+                    type="button"
+                    class="btn btn-secondary"
+                    onclick={link.callback(|_| Msg::DismissModal)}>
+                      <i class="bi-x-circle me-2"></i>
+                      {"Cancel"}
+                  </button>
+                  <button
+                    type="button"
+                    onclick={link.callback(|_| Msg::ConfirmDeleteGroupAttribute)}
+                    class="btn btn-danger">
+                    <i class="bi-check-circle me-2"></i>
+                    {"Yes, I'm sure"}
+                 </button>
+                </div>
+              </div>
+            </div>
+          </div>
+        }
+    }
+}

app/src/components/delete_user_attribute.rs

@@ -0,0 +1,172 @@
+use crate::infra::{
+    common_component::{CommonComponent, CommonComponentParts},
+    modal::Modal,
+};
+use anyhow::{Error, Result};
+use graphql_client::GraphQLQuery;
+use yew::prelude::*;
+
+#[derive(GraphQLQuery)]
+#[graphql(
+    schema_path = "../schema.graphql",
+    query_path = "queries/delete_user_attribute.graphql",
+    response_derives = "Debug",
+    custom_scalars_module = "crate::infra::graphql"
+)]
+pub struct DeleteUserAttributeQuery;
+
+pub struct DeleteUserAttribute {
+    common: CommonComponentParts<Self>,
+    node_ref: NodeRef,
+    modal: Option<Modal>,
+}
+
+#[derive(yew::Properties, Clone, PartialEq, Debug)]
+pub struct DeleteUserAttributeProps {
+    pub attribute_name: String,
+    pub on_attribute_deleted: Callback<String>,
+    pub on_error: Callback<Error>,
+}
+
+pub enum Msg {
+    ClickedDeleteUserAttribute,
+    ConfirmDeleteUserAttribute,
+    DismissModal,
+    DeleteUserAttributeResponse(Result<delete_user_attribute_query::ResponseData>),
+}
+
+impl CommonComponent<DeleteUserAttribute> for DeleteUserAttribute {
+    fn handle_msg(
+        &mut self,
+        ctx: &Context<Self>,
+        msg: <Self as Component>::Message,
+    ) -> Result<bool> {
+        match msg {
+            Msg::ClickedDeleteUserAttribute => {
+                self.modal.as_ref().expect("modal not initialized").show();
+            }
+            Msg::ConfirmDeleteUserAttribute => {
+                self.update(ctx, Msg::DismissModal);
+                self.common.call_graphql::<DeleteUserAttributeQuery, _>(
+                    ctx,
+                    delete_user_attribute_query::Variables {
+                        name: ctx.props().attribute_name.clone(),
+                    },
+                    Msg::DeleteUserAttributeResponse,
+                    "Error trying to delete user attribute",
+                );
+            }
+            Msg::DismissModal => {
+                self.modal.as_ref().expect("modal not initialized").hide();
+            }
+            Msg::DeleteUserAttributeResponse(response) => {
+                response?;
+                ctx.props()
+                    .on_attribute_deleted
+                    .emit(ctx.props().attribute_name.clone());
+            }
+        }
+        Ok(true)
+    }
+
+    fn mut_common(&mut self) -> &mut CommonComponentParts<Self> {
+        &mut self.common
+    }
+}
+
+impl Component for DeleteUserAttribute {
+    type Message = Msg;
+    type Properties = DeleteUserAttributeProps;
+
+    fn create(_: &Context<Self>) -> Self {
+        Self {
+            common: CommonComponentParts::<Self>::create(),
+            node_ref: NodeRef::default(),
+            modal: None,
+        }
+    }
+
+    fn rendered(&mut self, _: &Context<Self>, first_render: bool) {
+        if first_render {
+            self.modal = Some(Modal::new(
+                self.node_ref
+                    .cast::<web_sys::Element>()
+                    .expect("Modal node is not an element"),
+            ));
+        }
+    }
+
+    fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
+        CommonComponentParts::<Self>::update_and_report_error(
+            self,
+            ctx,
+            msg,
+            ctx.props().on_error.clone(),
+        )
+    }
+
+    fn view(&self, ctx: &Context<Self>) -> Html {
+        let link = &ctx.link();
+        html! {
+          <>
+          <button
+            class="btn btn-danger"
+            disabled={self.common.is_task_running()}
+            onclick={link.callback(|_| Msg::ClickedDeleteUserAttribute)}>
+            <i class="bi-x-circle-fill" aria-label="Delete attribute" />
+          </button>
+          {self.show_modal(ctx)}
+          </>
+        }
+    }
+}
+
+impl DeleteUserAttribute {
+    fn show_modal(&self, ctx: &Context<Self>) -> Html {
+        let link = &ctx.link();
+        html! {
+          <div
+            class="modal fade"
+            id={"deleteUserAttributeModal".to_string() + &ctx.props().attribute_name}
+            tabindex="-1"
+            aria-labelledby="deleteUserAttributeModalLabel"
+            aria-hidden="true"
+            ref={self.node_ref.clone()}>
+            <div class="modal-dialog">
+              <div class="modal-content">
+                <div class="modal-header">
+                  <h5 class="modal-title" id="deleteUserAttributeModalLabel">{"Delete user attribute?"}</h5>
+                  <button
+                    type="button"
+                    class="btn-close"
+                    aria-label="Close"
+                    onclick={link.callback(|_| Msg::DismissModal)} />
+                </div>
+                <div class="modal-body">
+                <span>
+                  {"Are you sure you want to delete user attribute "}
+                  <b>{&ctx.props().attribute_name}</b>{"?"}
+                </span>
+                </div>
+                <div class="modal-footer">
+                  <button
+                    type="button"
+                    class="btn btn-secondary"
+                    onclick={link.callback(|_| Msg::DismissModal)}>
+                      <i class="bi-x-circle me-2"></i>
+                      {"Cancel"}
+                  </button>
+                  <button
+                    type="button"
+                    onclick={link.callback(|_| Msg::ConfirmDeleteUserAttribute)}
+                    class="btn btn-danger">
+                    <i class="bi-check-circle me-2"></i>
+                    {"Yes, I'm sure"}
+                 </button>
+                </div>
+              </div>
+            </div>
+          </div>
+        }
+    }
+}

app/src/components/form/attribute_input.rs

@@ -0,0 +1,190 @@
+use crate::{
+    components::form::{date_input::DateTimeInput, file_input::JpegFileInput},
+    infra::{schema::AttributeType, tooltip::Tooltip},
+};
+use web_sys::Element;
+use yew::{
+    function_component, html, use_effect_with_deps, use_node_ref, virtual_dom::AttrValue,
+    Component, Context, Html, Properties,
+};
+
+#[derive(Properties, PartialEq)]
+struct AttributeInputProps {
+    name: AttrValue,
+    attribute_type: AttributeType,
+    #[prop_or(None)]
+    value: Option<String>,
+}
+
+#[function_component(AttributeInput)]
+fn attribute_input(props: &AttributeInputProps) -> Html {
+    let input_type = match props.attribute_type {
+        AttributeType::String => "text",
+        AttributeType::Integer => "number",
+        AttributeType::DateTime => {
+            return html! {
+                <DateTimeInput name={props.name.clone()} value={props.value.clone()} />
+            }
+        }
+        AttributeType::Jpeg => {
+            return html! {
+                <JpegFileInput name={props.name.clone()} value={props.value.clone()} />
+            }
+        }
+    };
+
+    html! {
+        <input
+            type={input_type}
+            name={props.name.clone()}
+            class="form-control"
+            value={props.value.clone()} />
+    }
+}
+
+#[derive(Properties, PartialEq)]
+struct AttributeLabelProps {
+    pub name: String,
+}
+#[function_component(AttributeLabel)]
+fn attribute_label(props: &AttributeLabelProps) -> Html {
+    let tooltip_ref = use_node_ref();
+
+    use_effect_with_deps(
+        move |tooltip_ref| {
+            Tooltip::new(
+                tooltip_ref
+                    .cast::<Element>()
+                    .expect("Tooltip element should exist"),
+            );
+            || {}
+        },
+        tooltip_ref.clone(),
+    );
+
+    html! {
+        <label for={props.name.clone()}
+            class="form-label col-4 col-form-label"
+            >
+            {props.name[0..1].to_uppercase() + &props.name[1..].replace('_', " ")}{":"}
+            <button
+                class="btn btn-sm btn-link"
+                type="button"
+                data-bs-placement="right"
+                title={props.name.clone()}
+                ref={tooltip_ref}>
+                <i class="bi bi-info-circle" aria-label="Info" />
+            </button>
+        </label>
+    }
+}
+
+#[derive(Properties, PartialEq)]
+pub struct SingleAttributeInputProps {
+    pub name: String,
+    pub attribute_type: AttributeType,
+    #[prop_or(None)]
+    pub value: Option<String>,
+}
+
+#[function_component(SingleAttributeInput)]
+pub fn single_attribute_input(props: &SingleAttributeInputProps) -> Html {
+    html! {
+        <div class="row mb-3">
+            <AttributeLabel name={props.name.clone()} />
+            <div class="col-8">
+            <AttributeInput
+                attribute_type={props.attribute_type.clone()}
+                name={props.name.clone()}
+                value={props.value.clone()} />
+            </div>
+        </div>
+    }
+}
+
+#[derive(Properties, PartialEq)]
+pub struct ListAttributeInputProps {
+    pub name: String,
+    pub attribute_type: AttributeType,
+    #[prop_or(vec!())]
+    pub values: Vec<String>,
+}
+
+pub enum ListAttributeInputMsg {
+    Remove(usize),
+    Append,
+}
+
+pub struct ListAttributeInput {
+    indices: Vec<usize>,
+    next_index: usize,
+    values: Vec<String>,
+}
+impl Component for ListAttributeInput {
+    type Message = ListAttributeInputMsg;
+    type Properties = ListAttributeInputProps;
+
+    fn create(ctx: &Context<Self>) -> Self {
+        let values = ctx.props().values.clone();
+        Self {
+            indices: (0..values.len()).collect(),
+            next_index: values.len(),
+            values,
+        }
+    }
+
+    fn update(&mut self, _ctx: &Context<Self>, msg: Self::Message) -> bool {
+        match msg {
+            ListAttributeInputMsg::Remove(removed) => {
+                self.indices.retain_mut(|x| *x != removed);
+            }
+            ListAttributeInputMsg::Append => {
+                self.indices.push(self.next_index);
+                self.next_index += 1;
+            }
+        };
+        true
+    }
+
+    fn changed(&mut self, ctx: &Context<Self>) -> bool {
+        if ctx.props().values != self.values {
+            self.values.clone_from(&ctx.props().values);
+            self.indices = (0..self.values.len()).collect();
+            self.next_index = self.values.len();
+        }
+        true
+    }
+
+    fn view(&self, ctx: &Context<Self>) -> Html {
+        let props = &ctx.props();
+        let link = &ctx.link();
+        html! {
+            <div class="row mb-3">
+                <AttributeLabel name={props.name.clone()} />
+                <div class="col-8">
+                {self.indices.iter().map(|&i| html! {
+                    <div class="input-group mb-2" key={i}>
+                    <AttributeInput
+                        attribute_type={props.attribute_type.clone()}
+                        name={props.name.clone()}
+                        value={props.values.get(i).cloned().unwrap_or_default()} />
+                    <button
+                        class="btn btn-danger"
+                        type="button"
+                        onclick={link.callback(move |_| ListAttributeInputMsg::Remove(i))}>
+                        <i class="bi-x-circle-fill" aria-label="Remove value" />
+                    </button>
+                    </div>
+                }).collect::<Html>()}
+                <button
+                    class="btn btn-secondary"
+                    type="button"
+                    onclick={link.callback(|_| ListAttributeInputMsg::Append)}>
+                    <i class="bi-plus-circle me-2"></i>
+                    {"Add value"}
+                </button>
+                </div>
+            </div>
+        }
+    }
+}

app/src/components/form/checkbox.rs

@@ -0,0 +1,35 @@
+use yew::{function_component, html, virtual_dom::AttrValue, Callback, Properties};
+use yew_form::{Form, Model};
+
+#[derive(Properties, PartialEq)]
+pub struct Props<T: Model> {
+    pub label: AttrValue,
+    pub field_name: String,
+    pub form: Form<T>,
+    #[prop_or(false)]
+    pub required: bool,
+    #[prop_or_else(Callback::noop)]
+    pub ontoggle: Callback<bool>,
+}
+
+#[function_component(CheckBox)]
+pub fn checkbox<T: Model>(props: &Props<T>) -> Html {
+    html! {
+        <div class="form-group row mb-3">
+            <label for={props.field_name.clone()}
+                class="form-label col-4 col-form-label">
+                {&props.label}
+                {if props.required {
+                    html!{<span class="text-danger">{"*"}</span>}
+                } else {html!{}}}
+                {":"}
+            </label>
+            <div class="col-8">
+                <yew_form::CheckBox<T>
+                form={&props.form}
+                field_name={props.field_name.clone()}
+                ontoggle={props.ontoggle.clone()} />
+            </div>
+        </div>
+    }
+}

app/src/components/form/date_input.rs

@@ -0,0 +1,49 @@
+use std::str::FromStr;
+
+use chrono::{DateTime, NaiveDateTime, Utc};
+use wasm_bindgen::JsCast;
+use web_sys::HtmlInputElement;
+use yew::{function_component, html, use_state, virtual_dom::AttrValue, Event, Properties};
+
+#[derive(Properties, PartialEq)]
+pub struct DateTimeInputProps {
+    pub name: AttrValue,
+    pub value: Option<String>,
+}
+
+#[function_component(DateTimeInput)]
+pub fn date_time_input(props: &DateTimeInputProps) -> Html {
+    let value = use_state(|| {
+        props
+            .value
+            .as_ref()
+            .and_then(|x| DateTime::<Utc>::from_str(x).ok())
+    });
+
+    html! {
+        <div class="input-group">
+            <input
+                type="hidden"
+                name={props.name.clone()}
+                value={value.as_ref().map(|v: &DateTime<Utc>| v.to_rfc3339())} />
+            <input
+                type="datetime-local"
+                step="1"
+                class="form-control"
+                value={value.as_ref().map(|v: &DateTime<Utc>| v.naive_utc().to_string())}
+                onchange={move |e: Event| {
+                    let string_val =
+                        e.target()
+                         .expect("Event should have target")
+                         .unchecked_into::<HtmlInputElement>()
+                         .value();
+                    value.set(
+                        NaiveDateTime::from_str(&string_val)
+                            .ok()
+                            .map(|x| DateTime::from_naive_utc_and_offset(x, Utc))
+                    )
+                }} />
+            <span class="input-group-text">{"UTC"}</span>
+        </div>
+    }
+}

app/src/components/form/field.rs

@@ -0,0 +1,48 @@
+use yew::{function_component, html, virtual_dom::AttrValue, Callback, InputEvent, Properties};
+use yew_form::{Form, Model};
+
+#[derive(Properties, PartialEq)]
+pub struct Props<T: Model> {
+    pub label: AttrValue,
+    pub field_name: String,
+    pub form: Form<T>,
+    #[prop_or(false)]
+    pub required: bool,
+    #[prop_or(String::from("text"))]
+    pub input_type: String,
+    // If not present, will default to field_name
+    #[prop_or(None)]
+    pub autocomplete: Option<String>,
+    #[prop_or_else(Callback::noop)]
+    pub oninput: Callback<InputEvent>,
+}
+
+#[function_component(Field)]
+pub fn field<T: Model>(props: &Props<T>) -> Html {
+    html! {
+      <div class="row mb-3">
+        <label for={props.field_name.clone()}
+          class="form-label col-4 col-form-label">
+          {&props.label}
+          {if props.required {
+            html!{<span class="text-danger">{"*"}</span>}
+          } else {html!{}}}
+          {":"}
+        </label>
+        <div class="col-8">
+          <yew_form::Field<T>
+            form={&props.form}
+            field_name={props.field_name.clone()}
+            input_type={props.input_type.clone()}
+            class="form-control"
+            class_invalid="is-invalid has-error"
+            class_valid="has-success"
+            autocomplete={props.autocomplete.clone().unwrap_or(props.field_name.clone())}
+            oninput={&props.oninput} />
+            <div class="invalid-feedback">
+              {&props.form.field_message(&props.field_name)}
+            </div>
+        </div>
+      </div>
+    }
+}

app/src/components/form/file_input.rs

@@ -0,0 +1,238 @@
+use std::{fmt::Display, str::FromStr};
+
+use anyhow::{bail, Error, Ok, Result};
+use gloo_file::{
+    callbacks::{read_as_bytes, FileReader},
+    File,
+};
+use web_sys::{FileList, HtmlInputElement, InputEvent};
+use yew::Properties;
+use yew::{prelude::*, virtual_dom::AttrValue};
+
+#[derive(Default)]
+struct JsFile {
+    file: Option<File>,
+    contents: Option<Vec<u8>>,
+}
+
+impl Display for JsFile {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(
+            f,
+            "{}",
+            self.file.as_ref().map(File::name).unwrap_or_default()
+        )
+    }
+}
+
+impl FromStr for JsFile {
+    type Err = Error;
+
+    fn from_str(s: &str) -> Result<Self> {
+        if s.is_empty() {
+            Ok(JsFile::default())
+        } else {
+            bail!("Building file from non-empty string")
+        }
+    }
+}
+
+fn to_base64(file: &JsFile) -> Result<String> {
+    match file {
+        JsFile {
+            file: None,
+            contents: None,
+        } => Ok(String::new()),
+        JsFile {
+            file: Some(_),
+            contents: None,
+        } => bail!("Image file hasn't finished loading, try again"),
+        JsFile {
+            file: Some(_),
+            contents: Some(data),
+        } => {
+            if !is_valid_jpeg(data.as_slice()) {
+                bail!("Chosen image is not a valid JPEG");
+            }
+            Ok(base64::encode(data))
+        }
+        JsFile {
+            file: None,
+            contents: Some(data),
+        } => Ok(base64::encode(data)),
+    }
+}
+
+/// A [yew::Component] to display the user details, with a form allowing to edit them.
+pub struct JpegFileInput {
+    // None means that the avatar hasn't changed.
+    avatar: Option<JsFile>,
+    reader: Option<FileReader>,
+}
+
+pub enum Msg {
+    Update,
+    /// A new file was selected.
+    FileSelected(File),
+    /// The "Clear" button for the avatar was clicked.
+    ClearClicked,
+    /// A picked file finished loading.
+    FileLoaded(String, Result<Vec<u8>>),
+}
+
+#[derive(Properties, Clone, PartialEq, Eq)]
+pub struct Props {
+    pub name: AttrValue,
+    pub value: Option<String>,
+}
+
+impl Component for JpegFileInput {
+    type Message = Msg;
+    type Properties = Props;
+
+    fn create(ctx: &Context<Self>) -> Self {
+        Self {
+            avatar: Some(JsFile {
+                file: None,
+                contents: ctx
+                    .props()
+                    .value
+                    .as_ref()
+                    .and_then(|x| base64::decode(x).ok()),
+            }),
+            reader: None,
+        }
+    }
+
+    fn changed(&mut self, ctx: &Context<Self>) -> bool {
+        self.avatar = Some(JsFile {
+            file: None,
+            contents: ctx
+                .props()
+                .value
+                .as_ref()
+                .and_then(|x| base64::decode(x).ok()),
+        });
+        self.reader = None;
+        true
+    }
+
+    fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
+        match msg {
+            Msg::Update => true,
+            Msg::FileSelected(new_avatar) => {
+                if self
+                    .avatar
+                    .as_ref()
+                    .and_then(|f| f.file.as_ref().map(|f| f.name()))
+                    != Some(new_avatar.name())
+                {
+                    let file_name = new_avatar.name();
+                    let link = ctx.link().clone();
+                    self.reader = Some(read_as_bytes(&new_avatar, move |res| {
+                        link.send_message(Msg::FileLoaded(
+                            file_name,
+                            res.map_err(|e| anyhow::anyhow!("{:#}", e)),
+                        ))
+                    }));
+                    self.avatar = Some(JsFile {
+                        file: Some(new_avatar),
+                        contents: None,
+                    });
+                }
+                true
+            }
+            Msg::ClearClicked => {
+                self.avatar = Some(JsFile::default());
+                true
+            }
+            Msg::FileLoaded(file_name, data) => {
+                if let Some(avatar) = &mut self.avatar {
+                    if let Some(file) = &avatar.file {
+                        if file.name() == file_name {
+                            if let Result::Ok(data) = data {
+                                if !is_valid_jpeg(data.as_slice()) {
+                                    // Clear the selection.
+                                    self.avatar = Some(JsFile::default());
+                                    // TODO: bail!("Chosen image is not a valid JPEG");
+                                } else {
+                                    avatar.contents = Some(data);
+                                    return true;
+                                }
+                            }
+                        }
+                    }
+                }
+                self.reader = None;
+                true
+            }
+        }
+    }
+
+    fn view(&self, ctx: &Context<Self>) -> Html {
+        let link = &ctx.link();
+
+        let avatar_string = match &self.avatar {
+            Some(avatar) => {
+                let avatar_base64 = to_base64(avatar);
+                avatar_base64.as_deref().unwrap_or("").to_owned()
+            }
+            None => String::new(),
+        };
+        html! {
+            <div class="row align-items-center">
+                <div class="col-5">
+                    <input type="hidden" name={ctx.props().name.clone()} value={avatar_string.clone()} />
+                    <input
+                        class="form-control"
+                        id="avatarInput"
+                        type="file"
+                        accept="image/jpeg"
+                        oninput={link.callback(|e: InputEvent| {
+                            let input: HtmlInputElement = e.target_unchecked_into();
+                            Self::upload_files(input.files())
+                        })} />
+                </div>
+                <div class="col-3">
+                    <button
+                        class="btn btn-secondary col-auto"
+                        id="avatarClear"
+                        type="button"
+                        onclick={link.callback(|_| {Msg::ClearClicked})}>
+                        {"Clear"}
+                        </button>
+                </div>
+                <div class="col-4">
+                {
+                    if !avatar_string.is_empty() {
+                        html!{
+                            <img
+                            id="avatarDisplay"
+                            src={format!("data:image/jpeg;base64, {}", avatar_string)}
+                            style="max-height:128px;max-width:128px;height:auto;width:auto;"
+                            alt="Avatar" />
+                        }
+                    } else { html! {} }
+                }
+                </div>
+            </div>
+        }
+    }
+}
+
+impl JpegFileInput {
+    fn upload_files(files: Option<FileList>) -> Msg {
+        match files {
+            Some(files) if files.length() > 0 => {
+                Msg::FileSelected(File::from(files.item(0).unwrap()))
+            }
+            Some(_) | None => Msg::Update,
+        }
+    }
+}
+
+fn is_valid_jpeg(bytes: &[u8]) -> bool {
+    image::io::Reader::with_format(std::io::Cursor::new(bytes), image::ImageFormat::Jpeg)
+        .decode()
+        .is_ok()
+}

app/src/components/form/mod.rs

@@ -0,0 +1,8 @@
+pub mod attribute_input;
+pub mod checkbox;
+pub mod date_input;
+pub mod field;
+pub mod file_input;
+pub mod select;
+pub mod static_value;
+pub mod submit;

app/src/components/form/select.rs

@@ -0,0 +1,46 @@
+use yew::{
+    function_component, html, virtual_dom::AttrValue, Callback, Children, InputEvent, Properties,
+};
+use yew_form::{Form, Model};
+
+#[derive(Properties, PartialEq)]
+pub struct Props<T: Model> {
+    pub label: AttrValue,
+    pub field_name: String,
+    pub form: Form<T>,
+    #[prop_or(false)]
+    pub required: bool,
+    #[prop_or_else(Callback::noop)]
+    pub oninput: Callback<InputEvent>,
+    pub children: Children,
+}
+
+#[function_component(Select)]
+pub fn select<T: Model>(props: &Props<T>) -> Html {
+    html! {
+        <div class="row mb-3">
+            <label for={props.field_name.clone()}
+                class="form-label col-4 col-form-label">
+                {&props.label}
+                {if props.required {
+                    html!{<span class="text-danger">{"*"}</span>}
+                } else {html!{}}}
+                {":"}
+            </label>
+            <div class="col-8">
+                <yew_form::Select<T>
+                    form={&props.form}
+                    class="form-control"
+                    class_invalid="is-invalid has-error"
+                    class_valid="has-success"
+                    field_name={props.field_name.clone()}
+                    oninput={&props.oninput} >
+                    {for props.children.iter()}
+                </yew_form::Select<T>>
+                <div class="invalid-feedback">
+                    {&props.form.field_message(&props.field_name)}
+                </div>
+            </div>
+        </div>
+    }
+}

app/src/components/form/static_value.rs

@@ -0,0 +1,26 @@
+use yew::{function_component, html, virtual_dom::AttrValue, Children, Properties};
+
+#[derive(Properties, PartialEq)]
+pub struct Props {
+    pub label: AttrValue,
+    pub id: AttrValue,
+    pub children: Children,
+}
+
+#[function_component(StaticValue)]
+pub fn static_value(props: &Props) -> Html {
+    html! {
+      <div class="row mb-3">
+        <label for={props.id.clone()}
+          class="form-label col-4 col-form-label">
+          {&props.label}
+          {":"}
+        </label>
+        <div class="col-8">
+          <span id={props.id.clone()} class="form-control-static">
+            {for props.children.iter()}
+          </span>
+        </div>
+      </div>
+    }
+}

app/src/components/form/submit.rs

@@ -0,0 +1,30 @@
+use web_sys::MouseEvent;
+use yew::{function_component, html, virtual_dom::AttrValue, Callback, Children, Properties};
+
+#[derive(Properties, PartialEq)]
+pub struct Props {
+    pub disabled: bool,
+    pub onclick: Callback<MouseEvent>,
+    // Additional elements to insert after the button, in the same div
+    #[prop_or_default]
+    pub children: Children,
+    #[prop_or(AttrValue::from("Submit"))]
+    pub text: AttrValue,
+}
+
+#[function_component(Submit)]
+pub fn submit(props: &Props) -> Html {
+    html! {
+      <div class="form-group row justify-content-center">
+        <button
+          class="btn btn-primary col-auto col-form-label"
+          type="submit"
+          disabled={props.disabled}
+          onclick={&props.onclick}>
+          <i class="bi-save me-2"></i>
+          {props.text.clone()}
+        </button>
+        {for props.children.iter()}
+      </div>
+    }
+}

app/src/components/group_details.rs

@@ -1,10 +1,15 @@
 use crate::{
     components::{
         add_group_member::{self, AddGroupMemberComponent},
+        group_details_form::GroupDetailsForm,
         remove_user_from_group::RemoveUserFromGroupComponent,
         router::{AppRoute, Link},
     },
-    infra::common_component::{CommonComponent, CommonComponentParts},
+    convert_attribute_type,
+    infra::{
+        common_component::{CommonComponent, CommonComponentParts},
+        form_utils::GraphQlAttributeSchema,
+    },
 };
 use anyhow::{bail, Error, Result};
 use graphql_client::GraphQLQuery;
@@ -22,12 +27,28 @@ pub struct GetGroupDetails;
 pub type Group = get_group_details::GetGroupDetailsGroup;
 pub type User = get_group_details::GetGroupDetailsGroupUsers;
 pub type AddGroupMemberUser = add_group_member::User;
+pub type Attribute = get_group_details::GetGroupDetailsGroupAttributes;
+pub type AttributeSchema = get_group_details::GetGroupDetailsSchemaGroupSchemaAttributes;
+pub type AttributeType = get_group_details::AttributeType;
+
+convert_attribute_type!(AttributeType);
+
+impl From<&AttributeSchema> for GraphQlAttributeSchema {
+    fn from(attr: &AttributeSchema) -> Self {
+        Self {
+            name: attr.name.clone(),
+            is_list: attr.is_list,
+            is_readonly: attr.is_readonly,
+            is_editable: attr.is_editable,
+        }
+    }
+}
 
 pub struct GroupDetails {
     common: CommonComponentParts<Self>,
     /// The group info. If none, the error is in `error`. If `error` is None, then we haven't
     /// received the server response yet.
-    group: Option<Group>,
+    group_and_schema: Option<(Group, Vec<AttributeSchema>)>,
 }
 
 /// State machine describing the possible transitions of the component state.
@@ -38,11 +59,13 @@ pub enum Msg {
     OnError(Error),
     OnUserAddedToGroup(AddGroupMemberUser),
     OnUserRemovedFromGroup((String, i64)),
+    DisplayNameUpdated,
 }
 
 #[derive(yew::Properties, Clone, PartialEq, Eq)]
 pub struct Props {
     pub group_id: i64,
+    pub is_admin: bool,
 }
 
 impl GroupDetails {
@@ -69,41 +92,16 @@ impl GroupDetails {
         }
     }
 
-    fn view_details(&self, g: &Group) -> Html {
+    fn view_details(&self, ctx: &Context<Self>, g: &Group, schema: Vec<AttributeSchema>) -> Html {
         html! {
           <>
             <h3>{g.display_name.to_string()}</h3>
-            <div class="py-3">
-              <form class="form">
-                <div class="form-group row mb-3">
-                  <label for="displayName"
-                    class="form-label col-4 col-form-label">
-                    {"Group: "}
-                  </label>
-                  <div class="col-8">
-                    <span id="groupId" class="form-constrol-static">{g.display_name.to_string()}</span>
-                  </div>
-                </div>
-                <div class="form-group row mb-3">
-                  <label for="creationDate"
-                    class="form-label col-4 col-form-label">
-                    {"Creation date: "}
-                  </label>
-                  <div class="col-8">
-                    <span id="creationDate" class="form-constrol-static">{g.creation_date.naive_local().date()}</span>
-                  </div>
-                </div>
-                <div class="form-group row mb-3">
-                  <label for="uuid"
-                    class="form-label col-4 col-form-label">
-                    {"UUID: "}
-                  </label>
-                  <div class="col-8">
-                    <span id="uuid" class="form-constrol-static">{g.uuid.to_string()}</span>
-                  </div>
-                </div>
-              </form>
-            </div>
+            <GroupDetailsForm
+              group={g.clone()}
+              group_attributes_schema={schema}
+              is_admin={ctx.props().is_admin}
+              on_display_name_updated={ctx.link().callback(|_| Msg::DisplayNameUpdated)}
+            />
           </>
         }
     }
@@ -182,29 +180,38 @@ impl GroupDetails {
 }
 
 impl CommonComponent<GroupDetails> for GroupDetails {
-    fn handle_msg(&mut self, _: &Context<Self>, msg: <Self as Component>::Message) -> Result<bool> {
+    fn handle_msg(
+        &mut self,
+        ctx: &Context<Self>,
+        msg: <Self as Component>::Message,
+    ) -> Result<bool> {
         match msg {
             Msg::GroupDetailsResponse(response) => match response {
-                Ok(group) => self.group = Some(group.group),
+                Ok(group) => {
+                    self.group_and_schema =
+                        Some((group.group, group.schema.group_schema.attributes))
+                }
                 Err(e) => {
-                    self.group = None;
+                    self.group_and_schema = None;
                     bail!("Error getting user details: {}", e);
                 }
             },
             Msg::OnError(e) => return Err(e),
             Msg::OnUserAddedToGroup(user) => {
-                self.group.as_mut().unwrap().users.push(User {
+                self.group_and_schema.as_mut().unwrap().0.users.push(User {
                     id: user.id,
                     display_name: user.display_name,
                 });
             }
             Msg::OnUserRemovedFromGroup((user_id, _)) => {
-                self.group
+                self.group_and_schema
                     .as_mut()
                     .unwrap()
+                    .0
                     .users
                     .retain(|u| u.id != user_id);
             }
+            Msg::DisplayNameUpdated => self.get_group_details(ctx),
         }
         Ok(true)
     }
@@ -221,7 +228,7 @@ impl Component for GroupDetails {
     fn create(ctx: &Context<Self>) -> Self {
         let mut table = Self {
             common: CommonComponentParts::<Self>::create(),
-            group: None,
+            group_and_schema: None,
         };
         table.get_group_details(ctx);
         table
@@ -232,15 +239,15 @@ impl Component for GroupDetails {
     }
 
     fn view(&self, ctx: &Context<Self>) -> Html {
-        match (&self.group, &self.common.error) {
+        match (&self.group_and_schema, &self.common.error) {
             (None, None) => html! {{"Loading..."}},
             (None, Some(e)) => html! {<div>{"Error: "}{e.to_string()}</div>},
-            (Some(u), error) => {
+            (Some((group, schema)), error) => {
                 html! {
                     <div>
-                      {self.view_details(u)}
-                      {self.view_user_list(ctx, u)}
-                      {self.view_add_user_button(ctx, u)}
+                      {self.view_details(ctx, group, schema.clone())}
+                      {self.view_user_list(ctx, group)}
+                      {self.view_add_user_button(ctx, group)}
                       {self.view_messages(error)}
                     </div>
                 }

app/src/components/group_details_form.rs

@@ -0,0 +1,272 @@
+use crate::{
+    components::{
+        form::{
+            attribute_input::{ListAttributeInput, SingleAttributeInput},
+            static_value::StaticValue,
+            submit::Submit,
+        },
+        group_details::{Attribute, AttributeSchema, Group},
+    },
+    infra::{
+        common_component::{CommonComponent, CommonComponentParts},
+        form_utils::{read_all_form_attributes, AttributeValue, EmailIsRequired, IsAdmin},
+        schema::AttributeType,
+    },
+};
+use anyhow::{Ok, Result};
+use graphql_client::GraphQLQuery;
+use yew::prelude::*;
+
+/// The GraphQL query sent to the server to update the group details.
+#[derive(GraphQLQuery)]
+#[graphql(
+    schema_path = "../schema.graphql",
+    query_path = "queries/update_group.graphql",
+    response_derives = "Debug",
+    variables_derives = "Clone,PartialEq,Eq",
+    custom_scalars_module = "crate::infra::graphql"
+)]
+pub struct UpdateGroup;
+
+/// A [yew::Component] to display the group details, with a form allowing to edit them.
+pub struct GroupDetailsForm {
+    common: CommonComponentParts<Self>,
+    /// True if we just successfully updated the group, to display a success message.
+    just_updated: bool,
+    updated_group_name: bool,
+    group: Group,
+    form_ref: NodeRef,
+}
+
+pub enum Msg {
+    /// A form field changed.
+    Update,
+    /// The "Submit" button was clicked.
+    SubmitClicked,
+    /// We got the response from the server about our update message.
+    GroupUpdated(Result<update_group::ResponseData>),
+}
+
+#[derive(yew::Properties, Clone, PartialEq)]
+pub struct Props {
+    /// The current group details.
+    pub group: Group,
+    pub group_attributes_schema: Vec<AttributeSchema>,
+    pub is_admin: bool,
+    pub on_display_name_updated: Callback<()>,
+}
+
+impl CommonComponent<GroupDetailsForm> for GroupDetailsForm {
+    fn handle_msg(
+        &mut self,
+        ctx: &Context<Self>,
+        msg: <Self as Component>::Message,
+    ) -> Result<bool> {
+        match msg {
+            Msg::Update => Ok(true),
+            Msg::SubmitClicked => self.submit_group_update_form(ctx),
+            Msg::GroupUpdated(Err(e)) => Err(e),
+            Msg::GroupUpdated(Result::Ok(_)) => {
+                self.just_updated = true;
+                if self.updated_group_name {
+                    self.updated_group_name = false;
+                    ctx.props().on_display_name_updated.emit(());
+                }
+                Ok(true)
+            }
+        }
+    }
+
+    fn mut_common(&mut self) -> &mut CommonComponentParts<Self> {
+        &mut self.common
+    }
+}
+
+impl Component for GroupDetailsForm {
+    type Message = Msg;
+    type Properties = Props;
+
+    fn create(ctx: &Context<Self>) -> Self {
+        Self {
+            common: CommonComponentParts::<Self>::create(),
+            just_updated: false,
+            updated_group_name: false,
+            group: ctx.props().group.clone(),
+            form_ref: NodeRef::default(),
+        }
+    }
+
+    fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
+        self.just_updated = false;
+        CommonComponentParts::<Self>::update(self, ctx, msg)
+    }
+
+    fn view(&self, ctx: &Context<Self>) -> Html {
+        let link = &ctx.link();
+
+        let can_edit =
+            |a: &AttributeSchema| (ctx.props().is_admin || a.is_editable) && !a.is_readonly;
+        let display_field = |a: &AttributeSchema| {
+            if can_edit(a) {
+                get_custom_attribute_input(a, &self.group.attributes)
+            } else {
+                get_custom_attribute_static(a, &self.group.attributes)
+            }
+        };
+        html! {
+          <div class="py-3">
+            <form
+              class="form"
+              ref={self.form_ref.clone()}>
+              <StaticValue label="Group ID" id="groupId">
+                <i>{&self.group.id}</i>
+              </StaticValue>
+              {
+                  ctx
+                      .props()
+                      .group_attributes_schema
+                      .iter()
+                      .filter(|a| a.is_hardcoded && a.name != "group_id")
+                      .map(display_field)
+                      .collect::<Vec<_>>()
+              }
+              {
+                  ctx
+                      .props()
+                      .group_attributes_schema
+                      .iter()
+                      .filter(|a| !a.is_hardcoded)
+                      .map(display_field)
+                      .collect::<Vec<_>>()
+              }
+              <Submit
+                text="Save changes"
+                disabled={self.common.is_task_running()}
+                onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::SubmitClicked})} />
+            </form>
+            {
+              if let Some(e) = &self.common.error {
+                html! {
+                  <div class="alert alert-danger">
+                    {e.to_string() }
+                  </div>
+                }
+              } else { html! {} }
+            }
+            <div hidden={!self.just_updated}>
+              <div class="alert alert-success mt-4">{"Group successfully updated!"}</div>
+            </div>
+          </div>
+        }
+    }
+}
+
+fn get_custom_attribute_input(
+    attribute_schema: &AttributeSchema,
+    group_attributes: &[Attribute],
+) -> Html {
+    let values = group_attributes
+        .iter()
+        .find(|a| a.name == attribute_schema.name)
+        .map(|attribute| attribute.value.clone())
+        .unwrap_or_default();
+    if attribute_schema.is_list {
+        html! {
+            <ListAttributeInput
+               name={attribute_schema.name.clone()}
+               attribute_type={Into::<AttributeType>::into(attribute_schema.attribute_type.clone())}
+               values={values}
+            />
+        }
+    } else {
+        html! {
+            <SingleAttributeInput
+                name={attribute_schema.name.clone()}
+                attribute_type={Into::<AttributeType>::into(attribute_schema.attribute_type.clone())}
+                value={values.first().cloned().unwrap_or_default()}
+            />
+        }
+    }
+}
+
+fn get_custom_attribute_static(
+    attribute_schema: &AttributeSchema,
+    group_attributes: &[Attribute],
+) -> Html {
+    let values = group_attributes
+        .iter()
+        .find(|a| a.name == attribute_schema.name)
+        .map(|attribute| attribute.value.clone())
+        .unwrap_or_default();
+    html! {
+        <StaticValue label={attribute_schema.name.clone()} id={attribute_schema.name.clone()}>
+            {values.into_iter().map(|x| html!{<div>{x}</div>}).collect::<Vec<_>>()}
+        </StaticValue>
+    }
+}
+
+impl GroupDetailsForm {
+    fn submit_group_update_form(&mut self, ctx: &Context<Self>) -> Result<bool> {
+        let mut all_values = read_all_form_attributes(
+            ctx.props().group_attributes_schema.iter(),
+            &self.form_ref,
+            IsAdmin(ctx.props().is_admin),
+            EmailIsRequired(false),
+        )?;
+        let base_attributes = &self.group.attributes;
+        all_values.retain(|a| {
+            let base_val = base_attributes
+                .iter()
+                .find(|base_val| base_val.name == a.name);
+            base_val
+                .map(|v| v.value != a.values)
+                .unwrap_or(!a.values.is_empty())
+        });
+        if all_values.iter().any(|a| a.name == "display_name") {
+            self.updated_group_name = true;
+        }
+        let remove_attributes: Option<Vec<String>> = if all_values.is_empty() {
+            None
+        } else {
+            Some(all_values.iter().map(|a| a.name.clone()).collect())
+        };
+        let insert_attributes: Option<Vec<update_group::AttributeValueInput>> =
+            if remove_attributes.is_none() {
+                None
+            } else {
+                Some(
+                    all_values
+                        .into_iter()
+                        .filter(|a| !a.values.is_empty())
+                        .map(
+                            |AttributeValue { name, values }| update_group::AttributeValueInput {
+                                name,
+                                value: values,
+                            },
+                        )
+                        .collect(),
+                )
+            };
+        let mut group_input = update_group::UpdateGroupInput {
+            id: self.group.id,
+            displayName: None,
+            removeAttributes: None,
+            insertAttributes: None,
+        };
+        let default_group_input = group_input.clone();
+        group_input.removeAttributes = remove_attributes;
+        group_input.insertAttributes = insert_attributes;
+        // Nothing changed.
+        if group_input == default_group_input {
+            return Ok(false);
+        }
+        let req = update_group::Variables { group: group_input };
+        self.common.call_graphql::<UpdateGroup, _>(
+            ctx,
+            req,
+            Msg::GroupUpdated,
+            "Error trying to update group",
+        );
+        Ok(false)
+    }
+}

app/src/components/group_schema_table.rs

@@ -0,0 +1,198 @@
+use crate::{
+    components::{
+        delete_group_attribute::DeleteGroupAttribute,
+        router::{AppRoute, Link},
+    },
+    convert_attribute_type,
+    infra::{
+        common_component::{CommonComponent, CommonComponentParts},
+        schema::AttributeType,
+    },
+};
+use anyhow::{anyhow, Error, Result};
+use gloo_console::log;
+use graphql_client::GraphQLQuery;
+use yew::prelude::*;
+
+#[derive(GraphQLQuery)]
+#[graphql(
+    schema_path = "../schema.graphql",
+    query_path = "queries/get_group_attributes_schema.graphql",
+    response_derives = "Debug,Clone,PartialEq,Eq",
+    custom_scalars_module = "crate::infra::graphql"
+)]
+pub struct GetGroupAttributesSchema;
+
+use get_group_attributes_schema::ResponseData;
+
+pub type Attribute =
+    get_group_attributes_schema::GetGroupAttributesSchemaSchemaGroupSchemaAttributes;
+
+convert_attribute_type!(get_group_attributes_schema::AttributeType);
+
+#[derive(yew::Properties, Clone, PartialEq, Eq)]
+pub struct Props {
+    pub hardcoded: bool,
+}
+
+pub struct GroupSchemaTable {
+    common: CommonComponentParts<Self>,
+    attributes: Option<Vec<Attribute>>,
+}
+
+pub enum Msg {
+    ListAttributesResponse(Result<ResponseData>),
+    OnAttributeDeleted(String),
+    OnError(Error),
+}
+
+impl CommonComponent<GroupSchemaTable> for GroupSchemaTable {
+    fn handle_msg(&mut self, _: &Context<Self>, msg: <Self as Component>::Message) -> Result<bool> {
+        match msg {
+            Msg::ListAttributesResponse(schema) => {
+                self.attributes =
+                    Some(schema?.schema.group_schema.attributes.into_iter().collect());
+                Ok(true)
+            }
+            Msg::OnError(e) => Err(e),
+            Msg::OnAttributeDeleted(attribute_name) => {
+                match self.attributes {
+                    None => {
+                        log!(format!("Attribute {attribute_name} was  deleted but component has no attributes"));
+                        Err(anyhow!("invalid state"))
+                    }
+                    Some(_) => {
+                        self.attributes
+                            .as_mut()
+                            .unwrap()
+                            .retain(|a| a.name != attribute_name);
+                        Ok(true)
+                    }
+                }
+            }
+        }
+    }
+
+    fn mut_common(&mut self) -> &mut CommonComponentParts<Self> {
+        &mut self.common
+    }
+}
+
+impl Component for GroupSchemaTable {
+    type Message = Msg;
+    type Properties = Props;
+
+    fn create(ctx: &Context<Self>) -> Self {
+        let mut table = GroupSchemaTable {
+            common: CommonComponentParts::<Self>::create(),
+            attributes: None,
+        };
+        table.common.call_graphql::<GetGroupAttributesSchema, _>(
+            ctx,
+            get_group_attributes_schema::Variables {},
+            Msg::ListAttributesResponse,
+            "Error trying to fetch group schema",
+        );
+        table
+    }
+
+    fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
+        CommonComponentParts::<Self>::update(self, ctx, msg)
+    }
+
+    fn view(&self, ctx: &Context<Self>) -> Html {
+        html! {
+            <div>
+              {self.view_attributes(ctx)}
+              {self.view_errors()}
+            </div>
+        }
+    }
+}
+
+impl GroupSchemaTable {
+    fn view_attributes(&self, ctx: &Context<Self>) -> Html {
+        let hardcoded = ctx.props().hardcoded;
+        let make_table = |attributes: &Vec<Attribute>| {
+            html! {
+                <div class="table-responsive">
+                    <h3>{if hardcoded {"Hardcoded"} else {"User-defined"}}{" attributes"}</h3>
+                    <table class="table table-hover">
+                        <thead>
+                            <tr>
+                                <th>{"Attribute name"}</th>
+                                <th>{"Type"}</th>
+                                <th>{"Visible"}</th>
+                                {if hardcoded {html!{}} else {html!{<th>{"Delete"}</th>}}}
+                            </tr>
+                        </thead>
+                        <tbody>
+                            {attributes.iter().map(|u| self.view_attribute(ctx, u)).collect::<Vec<_>>()}
+                        </tbody>
+                    </table>
+                </div>
+            }
+        };
+        match &self.attributes {
+            None => html! {{"Loading..."}},
+            Some(attributes) => {
+                let mut attributes = attributes.clone();
+                attributes.retain(|attribute| attribute.is_hardcoded == ctx.props().hardcoded);
+                make_table(&attributes)
+            }
+        }
+    }
+
+    fn view_attribute(&self, ctx: &Context<Self>, attribute: &Attribute) -> Html {
+        let link = ctx.link();
+        let attribute_type = AttributeType::from(attribute.attribute_type.clone());
+        let checkmark = html! {
+                    <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-check" viewBox="0 0 16 16">
+          <path d="M10.97 4.97a.75.75 0 0 1 1.07 1.05l-3.99 4.99a.75.75 0 0 1-1.08.02L4.324 8.384a.75.75 0 1 1 1.06-1.06l2.094 2.093 3.473-4.425z"></path>
+        </svg>
+                };
+        let hardcoded = ctx.props().hardcoded;
+        html! {
+            <tr key={attribute.name.clone()}>
+                <td>{&attribute.name}</td>
+                <td>{if attribute.is_list { format!("List<{attribute_type}>")} else {attribute_type.to_string()}}</td>
+                <td>{if attribute.is_visible {checkmark.clone()} else {html!{}}}</td>
+                {
+                    if hardcoded {
+                        html!{}
+                    } else {
+                        html!{
+                            <td>
+                                <DeleteGroupAttribute
+                                    attribute_name={attribute.name.clone()}
+                                    on_attribute_deleted={link.callback(Msg::OnAttributeDeleted)}
+                                    on_error={link.callback(Msg::OnError)}/>
+                            </td>
+                        }
+                    }
+                }
+            </tr>
+        }
+    }
+
+    fn view_errors(&self) -> Html {
+        match &self.common.error {
+            None => html! {},
+            Some(e) => html! {<div>{"Error: "}{e.to_string()}</div>},
+        }
+    }
+}
+
+#[function_component(ListGroupSchema)]
+pub fn list_group_schema() -> Html {
+    html! {
+        <div>
+            <GroupSchemaTable hardcoded={true} />
+            <GroupSchemaTable hardcoded={false} />
+            <Link classes="btn btn-primary" to={AppRoute::CreateGroupAttribute}>
+                <i class="bi-plus-circle me-2"></i>
+                {"Create an attribute"}
+            </Link>
+        </div>
+    }
+}

app/src/components/login.rs

@@ -1,5 +1,8 @@
 use crate::{
-    components::router::{AppRoute, Link},
+    components::{
+        form::submit::Submit,
+        router::{AppRoute, Link},
+    },
     infra::{
         api::HostService,
         common_component::{CommonComponent, CommonComponentParts},
@@ -66,7 +69,7 @@ impl CommonComponent<LoginForm> for LoginForm {
                     opaque::client::login::start_login(&password, &mut rng)
                         .context("Could not initialize login")?;
                 let req = login::ClientLoginStartRequest {
-                    username,
+                    username: username.into(),
                     login_start_request: message,
                 };
                 self.common
@@ -155,68 +158,62 @@ impl Component for LoginForm {
             }
         } else {
             html! {
-              <form
-                class="form center-block col-sm-4 col-offset-4">
-                  <div class="input-group">
-                    <div class="input-group-prepend">
-                      <span class="input-group-text">
-                        <i class="bi-person-fill"/>
-                      </span>
-                    </div>
-                    <Field
-                      class="form-control"
-                      class_invalid="is-invalid has-error"
-                      class_valid="has-success"
-                      form={&self.form}
-                      field_name="username"
-                      placeholder="Username"
-                      autocomplete="username"
-                      oninput={link.callback(|_| Msg::Update)} />
+              <form class="form center-block col-sm-4 col-offset-4">
+                <div class="input-group">
+                  <div class="input-group-prepend">
+                    <span class="input-group-text">
+                      <i class="bi-person-fill"/>
+                    </span>
                   </div>
-                  <div class="input-group">
-                    <div class="input-group-prepend">
-                      <span class="input-group-text">
-                        <i class="bi-lock-fill"/>
-                      </span>
-                    </div>
-                    <Field
-                      class="form-control"
-                      class_invalid="is-invalid has-error"
-                      class_valid="has-success"
-                      form={&self.form}
-                      field_name="password"
-                      input_type="password"
-                      placeholder="Password"
-                      autocomplete="current-password" />
-                  </div>
-                  <div class="form-group mt-3">
-                    <button
-                      type="submit"
-                      class="btn btn-primary"
-                      disabled={self.common.is_task_running()}
-                      onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::Submit})}>
-                      <i class="bi-box-arrow-in-right me-2"/>
-                      {"Login"}
-                    </button>
-                    { if password_reset_enabled {
-                      html! {
-                        <Link
-                          classes="btn-link btn"
-                          disabled={self.common.is_task_running()}
-                          to={AppRoute::StartResetPassword}>
-                          {"Forgot your password?"}
-                        </Link>
-                      }
-                    } else {
-                      html!{}
-                    }}
-                  </div>
-                  <div class="form-group">
-                  { if let Some(e) = &self.common.error {
-                      html! { e.to_string() }
-                    } else { html! {} }
-                  }
+                  <Field
+                    class="form-control"
+                    class_invalid="is-invalid has-error"
+                    class_valid="has-success"
+                    form={&self.form}
+                    field_name="username"
+                    placeholder="Username"
+                    autocomplete="username"
+                    oninput={link.callback(|_| Msg::Update)} />
+                </div>
+                <div class="input-group">
+                  <div class="input-group-prepend">
+                    <span class="input-group-text">
+                      <i class="bi-lock-fill"/>
+                    </span>
                   </div>
+                  <Field
+                    class="form-control"
+                    class_invalid="is-invalid has-error"
+                    class_valid="has-success"
+                    form={&self.form}
+                    field_name="password"
+                    input_type="password"
+                    placeholder="Password"
+                    autocomplete="current-password" />
+                </div>
+                <Submit
+                  text="Login"
+                  disabled={self.common.is_task_running()}
+                  onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::Submit})}>
+                  { if password_reset_enabled {
+                    html! {
+                      <Link
+                        classes="btn-link btn"
+                        disabled={self.common.is_task_running()}
+                        to={AppRoute::StartResetPassword}>
+                        {"Forgot your password?"}
+                      </Link>
+                    }
+                  } else {
+                    html!{}
+                  }}
+                </Submit>
+                <div class="form-group">
+                { if let Some(e) = &self.common.error {
+                    html! { e.to_string() }
+                  } else { html! {} }
+                }
+                </div>
               </form>
             }
         }

app/src/components/mod.rs

@@ -1,12 +1,21 @@
 pub mod add_group_member;
 pub mod add_user_to_group;
 pub mod app;
+pub mod avatar;
+pub mod banner;
 pub mod change_password;
 pub mod create_group;
+pub mod create_group_attribute;
 pub mod create_user;
+pub mod create_user_attribute;
 pub mod delete_group;
+pub mod delete_group_attribute;
 pub mod delete_user;
+pub mod delete_user_attribute;
+pub mod form;
 pub mod group_details;
+pub mod group_details_form;
+pub mod group_schema_table;
 pub mod group_table;
 pub mod login;
 pub mod logout;
@@ -17,4 +26,5 @@ pub mod router;
 pub mod select;
 pub mod user_details;
 pub mod user_details_form;
+pub mod user_schema_table;
 pub mod user_table;

app/src/components/reset_password_step1.rs

@@ -104,7 +104,11 @@ impl Component for ResetPasswordStep1Form {
                 </div>
                 { if self.just_succeeded {
                     html! {
-                      {"A reset token has been sent to your email."}
+                      {"If a user with this username or email exists, a password reset email will \
+                          be sent to the associated email address. Please check your email and \
+                          follow the instructions. If you don't receive an email, please check \
+                          your spam folder. If you still don't receive an email, please contact \
+                          your administrator."}
                     }
                 } else {
                     html! {

app/src/components/reset_password_step2.rs

@@ -1,5 +1,8 @@
 use crate::{
-    components::router::{AppRoute, Link},
+    components::{
+        form::{field::Field, submit::Submit},
+        router::{AppRoute, Link},
+    },
     infra::{
         api::HostService,
         common_component::{CommonComponent, CommonComponentParts},
@@ -65,10 +68,10 @@ impl CommonComponent<ResetPasswordStep2Form> for ResetPasswordStep2Form {
                 let mut rng = rand::rngs::OsRng;
                 let new_password = self.form.model().password;
                 let registration_start_request =
-                    opaque_registration::start_registration(&new_password, &mut rng)
+                    opaque_registration::start_registration(new_password.as_bytes(), &mut rng)
                         .context("Could not initiate password change")?;
                 let req = registration::ClientRegistrationStartRequest {
-                    username: self.username.clone().unwrap(),
+                    username: self.username.as_ref().unwrap().into(),
                     registration_start_request: registration_start_request.message,
                 };
                 self.opaque_data = Some(registration_start_request.state);
@@ -164,61 +167,29 @@ impl Component for ResetPasswordStep2Form {
             }
             _ => (),
         };
-        type Field = yew_form::Field<FormModel>;
         html! {
           <>
             <h2>{"Reset your password"}</h2>
-            <form
-              class="form">
-              <div class="form-group row">
-                <label for="new_password"
-                  class="form-label col-sm-2 col-form-label">
-                  {"New password*:"}
-                </label>
-                <div class="col-sm-10">
-                  <Field
-                    form={&self.form}
-                    field_name="password"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    autocomplete="new-password"
-                    input_type="password"
-                    oninput={link.callback(|_| Msg::FormUpdate)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("password")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row">
-                <label for="confirm_password"
-                  class="form-label col-sm-2 col-form-label">
-                  {"Confirm password*:"}
-                </label>
-                <div class="col-sm-10">
-                  <Field
-                    form={&self.form}
-                    field_name="confirm_password"
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    autocomplete="new-password"
-                    input_type="password"
-                    oninput={link.callback(|_| Msg::FormUpdate)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("confirm_password")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row mt-2">
-                <button
-                  class="btn btn-primary col-sm-1 col-form-label"
-                  type="submit"
-                  disabled={self.common.is_task_running()}
-                  onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::Submit})}>
-                  {"Submit"}
-                </button>
-              </div>
+            <form class="form">
+              <Field<FormModel>
+                label="New password"
+                required=true
+                form={&self.form}
+                field_name="password"
+                autocomplete="new-password"
+                input_type="password"
+                oninput={link.callback(|_| Msg::FormUpdate)} />
+              <Field<FormModel>
+                label="Confirm password"
+                required=true
+                form={&self.form}
+                field_name="confirm_password"
+                autocomplete="new-password"
+                input_type="password"
+                oninput={link.callback(|_| Msg::FormUpdate)} />
+              <Submit
+                disabled={self.common.is_task_running()}
+                onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::Submit})} />
             </form>
             { if let Some(e) = &self.common.error {
                 html! {

app/src/components/router.rs

@@ -22,6 +22,14 @@ pub enum AppRoute {
     ListGroups,
     #[at("/group/:group_id")]
     GroupDetails { group_id: i64 },
+    #[at("/user-attributes")]
+    ListUserSchema,
+    #[at("/user-attributes/create")]
+    CreateUserAttribute,
+    #[at("/group-attributes")]
+    ListGroupSchema,
+    #[at("/group-attributes/create")]
+    CreateGroupAttribute,
     #[at("/")]
     Index,
 }

app/src/components/user_details.rs

@@ -5,7 +5,11 @@ use crate::{
         router::{AppRoute, Link},
         user_details_form::UserDetailsForm,
     },
-    infra::common_component::{CommonComponent, CommonComponentParts},
+    convert_attribute_type,
+    infra::{
+        common_component::{CommonComponent, CommonComponentParts},
+        form_utils::GraphQlAttributeSchema,
+    },
 };
 use anyhow::{bail, Error, Result};
 use graphql_client::GraphQLQuery;
@@ -22,12 +26,34 @@ pub struct GetUserDetails;
 
 pub type User = get_user_details::GetUserDetailsUser;
 pub type Group = get_user_details::GetUserDetailsUserGroups;
+pub type Attribute = get_user_details::GetUserDetailsUserAttributes;
+pub type AttributeSchema = get_user_details::GetUserDetailsSchemaUserSchemaAttributes;
+pub type AttributeType = get_user_details::AttributeType;
+
+convert_attribute_type!(AttributeType);
+
+impl From<&AttributeSchema> for GraphQlAttributeSchema {
+    fn from(attr: &AttributeSchema) -> Self {
+        Self {
+            name: attr.name.clone(),
+            is_list: attr.is_list,
+            is_readonly: attr.is_readonly,
+            is_editable: attr.is_editable,
+        }
+    }
+}
 
 pub struct UserDetails {
     common: CommonComponentParts<Self>,
     /// The user info. If none, the error is in `error`. If `error` is None, then we haven't
     /// received the server response yet.
-    user: Option<User>,
+    user_and_schema: Option<(User, Vec<AttributeSchema>)>,
+}
+
+impl UserDetails {
+    fn mut_groups(&mut self) -> &mut Vec<Group> {
+        &mut self.user_and_schema.as_mut().unwrap().0.groups
+    }
 }
 
 /// State machine describing the possible transitions of the component state.
@@ -50,22 +76,20 @@ impl CommonComponent<UserDetails> for UserDetails {
     fn handle_msg(&mut self, _: &Context<Self>, msg: <Self as Component>::Message) -> Result<bool> {
         match msg {
             Msg::UserDetailsResponse(response) => match response {
-                Ok(user) => self.user = Some(user.user),
+                Ok(user) => {
+                    self.user_and_schema = Some((user.user, user.schema.user_schema.attributes))
+                }
                 Err(e) => {
-                    self.user = None;
+                    self.user_and_schema = None;
                     bail!("Error getting user details: {}", e);
                 }
             },
             Msg::OnError(e) => return Err(e),
             Msg::OnUserAddedToGroup(group) => {
-                self.user.as_mut().unwrap().groups.push(group);
+                self.mut_groups().push(group);
             }
             Msg::OnUserRemovedFromGroup((_, group_id)) => {
-                self.user
-                    .as_mut()
-                    .unwrap()
-                    .groups
-                    .retain(|g| g.id != group_id);
+                self.mut_groups().retain(|g| g.id != group_id);
             }
         }
         Ok(true)
@@ -178,7 +202,7 @@ impl Component for UserDetails {
     fn create(ctx: &Context<Self>) -> Self {
         let mut table = Self {
             common: CommonComponentParts::<Self>::create(),
-            user: None,
+            user_and_schema: None,
         };
         table.get_user_details(ctx);
         table
@@ -189,10 +213,8 @@ impl Component for UserDetails {
     }
 
     fn view(&self, ctx: &Context<Self>) -> Html {
-        match (&self.user, &self.common.error) {
-            (None, None) => html! {{"Loading..."}},
-            (None, Some(e)) => html! {<div>{"Error: "}{e.to_string()}</div>},
-            (Some(u), error) => {
+        match (&self.user_and_schema, &self.common.error) {
+            (Some((u, schema)), error) => {
                 html! {
                   <>
                     <h3>{u.id.to_string()}</h3>
@@ -207,13 +229,20 @@ impl Component for UserDetails {
                     <div>
                       <h5 class="row m-3 fw-bold">{"User details"}</h5>
                     </div>
-                    <UserDetailsForm user={u.clone()} />
+                    <UserDetailsForm
+                      user={u.clone()}
+                      user_attributes_schema={schema.clone()}
+                      is_admin={ctx.props().is_admin}
+                      is_edited_user_admin={u.groups.iter().any(|g| g.display_name == "lldap_admin")}
+                    />
                     {self.view_group_memberships(ctx, u)}
                     {self.view_add_group_button(ctx, u)}
                     {self.view_messages(error)}
                   </>
                 }
             }
+            (None, None) => html! {{"Loading..."}},
+            (None, Some(e)) => html! {<div>{"Error: "}{e.to_string()}</div>},
         }
     }
 }

app/src/components/user_details_form.rs

@@ -1,56 +1,21 @@
-use std::str::FromStr;
-
 use crate::{
-    components::user_details::User,
-    infra::common_component::{CommonComponent, CommonComponentParts},
-};
-use anyhow::{bail, Error, Result};
-use gloo_file::{
-    callbacks::{read_as_bytes, FileReader},
-    File,
+    components::{
+        form::{
+            attribute_input::{ListAttributeInput, SingleAttributeInput},
+            static_value::StaticValue,
+            submit::Submit,
+        },
+        user_details::{Attribute, AttributeSchema, User},
+    },
+    infra::{
+        common_component::{CommonComponent, CommonComponentParts},
+        form_utils::{read_all_form_attributes, AttributeValue, EmailIsRequired, IsAdmin},
+        schema::AttributeType,
+    },
 };
+use anyhow::{Ok, Result};
 use graphql_client::GraphQLQuery;
-use validator_derive::Validate;
-use web_sys::{FileList, HtmlInputElement, InputEvent};
 use yew::prelude::*;
-use yew_form_derive::Model;
-
-#[derive(Default)]
-struct JsFile {
-    file: Option<File>,
-    contents: Option<Vec<u8>>,
-}
-
-impl ToString for JsFile {
-    fn to_string(&self) -> String {
-        self.file
-            .as_ref()
-            .map(File::name)
-            .unwrap_or_else(String::new)
-    }
-}
-
-impl FromStr for JsFile {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self> {
-        if s.is_empty() {
-            Ok(JsFile::default())
-        } else {
-            bail!("Building file from non-empty string")
-        }
-    }
-}
-
-/// The fields of the form, with the editable details and the constraints.
-#[derive(Model, Validate, PartialEq, Eq, Clone)]
-pub struct UserModel {
-    #[validate(email)]
-    email: String,
-    display_name: String,
-    first_name: String,
-    last_name: String,
-}
 
 /// The GraphQL query sent to the server to update the user details.
 #[derive(GraphQLQuery)]
@@ -66,23 +31,17 @@ pub struct UpdateUser;
 /// A [yew::Component] to display the user details, with a form allowing to edit them.
 pub struct UserDetailsForm {
     common: CommonComponentParts<Self>,
-    form: yew_form::Form<UserModel>,
-    avatar: JsFile,
-    reader: Option<FileReader>,
     /// True if we just successfully updated the user, to display a success message.
     just_updated: bool,
     user: User,
+    form_ref: NodeRef,
 }
 
 pub enum Msg {
     /// A form field changed.
     Update,
-    /// A new file was selected.
-    FileSelected(File),
     /// The "Submit" button was clicked.
     SubmitClicked,
-    /// A picked file finished loading.
-    FileLoaded(String, Result<Vec<u8>>),
     /// We got the response from the server about our update message.
     UserUpdated(Result<update_user::ResponseData>),
 }
@@ -91,6 +50,9 @@ pub enum Msg {
 pub struct Props {
     /// The current user details.
     pub user: User,
+    pub user_attributes_schema: Vec<AttributeSchema>,
+    pub is_admin: bool,
+    pub is_edited_user_admin: bool,
 }
 
 impl CommonComponent<UserDetailsForm> for UserDetailsForm {
@@ -101,41 +63,11 @@ impl CommonComponent<UserDetailsForm> for UserDetailsForm {
     ) -> Result<bool> {
         match msg {
             Msg::Update => Ok(true),
-            Msg::FileSelected(new_avatar) => {
-                if self.avatar.file.as_ref().map(|f| f.name()) != Some(new_avatar.name()) {
-                    let file_name = new_avatar.name();
-                    let link = ctx.link().clone();
-                    self.reader = Some(read_as_bytes(&new_avatar, move |res| {
-                        link.send_message(Msg::FileLoaded(
-                            file_name,
-                            res.map_err(|e| anyhow::anyhow!("{:#}", e)),
-                        ))
-                    }));
-                    self.avatar = JsFile {
-                        file: Some(new_avatar),
-                        contents: None,
-                    };
-                }
-                Ok(true)
-            }
             Msg::SubmitClicked => self.submit_user_update_form(ctx),
-            Msg::UserUpdated(response) => self.user_update_finished(response),
-            Msg::FileLoaded(file_name, data) => {
-                if let Some(file) = &self.avatar.file {
-                    if file.name() == file_name {
-                        let data = data?;
-                        if !is_valid_jpeg(data.as_slice()) {
-                            // Clear the selection.
-                            self.avatar = JsFile::default();
-                            bail!("Chosen image is not a valid JPEG");
-                        } else {
-                            self.avatar.contents = Some(data);
-                            return Ok(true);
-                        }
-                    }
-                }
-                self.reader = None;
-                Ok(false)
+            Msg::UserUpdated(Err(e)) => Err(e),
+            Msg::UserUpdated(Result::Ok(_)) => {
+                self.just_updated = true;
+                Ok(true)
             }
         }
     }
@@ -150,19 +82,11 @@ impl Component for UserDetailsForm {
     type Properties = Props;
 
     fn create(ctx: &Context<Self>) -> Self {
-        let model = UserModel {
-            email: ctx.props().user.email.clone(),
-            display_name: ctx.props().user.display_name.clone(),
-            first_name: ctx.props().user.first_name.clone(),
-            last_name: ctx.props().user.last_name.clone(),
-        };
         Self {
             common: CommonComponentParts::<Self>::create(),
-            form: yew_form::Form::new(model),
-            avatar: JsFile::default(),
             just_updated: false,
-            reader: None,
             user: ctx.props().user.clone(),
+            form_ref: NodeRef::default(),
         }
     }
 
@@ -172,156 +96,47 @@ impl Component for UserDetailsForm {
     }
 
     fn view(&self, ctx: &Context<Self>) -> Html {
-        type Field = yew_form::Field<UserModel>;
         let link = &ctx.link();
 
-        let avatar_base64 = maybe_to_base64(&self.avatar).unwrap_or_default();
-        let avatar_string = avatar_base64
-            .as_deref()
-            .or(self.user.avatar.as_deref())
-            .unwrap_or("");
+        let can_edit =
+            |a: &AttributeSchema| (ctx.props().is_admin || a.is_editable) && !a.is_readonly;
+        let display_field = |a: &AttributeSchema| {
+            if can_edit(a) {
+                get_custom_attribute_input(a, &self.user.attributes)
+            } else {
+                get_custom_attribute_static(a, &self.user.attributes)
+            }
+        };
         html! {
           <div class="py-3">
-            <form class="form">
-              <div class="form-group row mb-3">
-                <label for="userId"
-                  class="form-label col-4 col-form-label">
-                  {"User ID: "}
-                </label>
-                <div class="col-8">
-                  <span id="userId" class="form-control-static"><i>{&self.user.id}</i></span>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="creationDate"
-                  class="form-label col-4 col-form-label">
-                  {"Creation date: "}
-                </label>
-                <div class="col-8">
-                  <span id="creationDate" class="form-control-static">{&self.user.creation_date.naive_local().date()}</span>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="uuid"
-                  class="form-label col-4 col-form-label">
-                  {"UUID: "}
-                </label>
-                <div class="col-8">
-                  <span id="creationDate" class="form-control-static">{&self.user.uuid}</span>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="email"
-                  class="form-label col-4 col-form-label">
-                  {"Email"}
-                  <span class="text-danger">{"*"}</span>
-                  {":"}
-                </label>
-                <div class="col-8">
-                  <Field
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    form={&self.form}
-                    field_name="email"
-                    autocomplete="email"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("email")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="display_name"
-                  class="form-label col-4 col-form-label">
-                  {"Display Name: "}
-                </label>
-                <div class="col-8">
-                  <Field
-                    class="form-control"
-                    class_invalid="is-invalid has-error"
-                    class_valid="has-success"
-                    form={&self.form}
-                    field_name="display_name"
-                    autocomplete="name"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("display_name")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="first_name"
-                  class="form-label col-4 col-form-label">
-                  {"First Name: "}
-                </label>
-                <div class="col-8">
-                  <Field
-                    class="form-control"
-                    form={&self.form}
-                    field_name="first_name"
-                    autocomplete="given-name"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("first_name")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row mb-3">
-                <label for="last_name"
-                  class="form-label col-4 col-form-label">
-                  {"Last Name: "}
-                </label>
-                <div class="col-8">
-                  <Field
-                    class="form-control"
-                    form={&self.form}
-                    field_name="last_name"
-                    autocomplete="family-name"
-                    oninput={link.callback(|_| Msg::Update)} />
-                  <div class="invalid-feedback">
-                    {&self.form.field_message("last_name")}
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row align-items-center mb-3">
-                <label for="avatar"
-                  class="form-label col-4 col-form-label">
-                  {"Avatar: "}
-                </label>
-                <div class="col-8">
-                  <div class="row align-items-center">
-                    <div class="col-8">
-                      <input
-                        class="form-control"
-                        id="avatarInput"
-                        type="file"
-                        accept="image/jpeg"
-                        oninput={link.callback(|e: InputEvent| {
-                            let input: HtmlInputElement = e.target_unchecked_into();
-                            Self::upload_files(input.files())
-                        })} />
-                    </div>
-                    <div class="col-4">
-                      <img
-                        id="avatarDisplay"
-                        src={format!("data:image/jpeg;base64, {}", avatar_string)}
-                        style="max-height:128px;max-width:128px;height:auto;width:auto;"
-                        alt="Avatar" />
-                    </div>
-                  </div>
-                </div>
-              </div>
-              <div class="form-group row justify-content-center mt-3">
-                <button
-                  type="submit"
-                  class="btn btn-primary col-auto col-form-label"
-                  disabled={self.common.is_task_running()}
-                  onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::SubmitClicked})}>
-                  <i class="bi-save me-2"></i>
-                  {"Save changes"}
-                </button>
-              </div>
+            <form
+              class="form"
+              ref={self.form_ref.clone()}>
+              <StaticValue label="User ID" id="userId">
+                <i>{&self.user.id}</i>
+              </StaticValue>
+              {
+                  ctx
+                      .props()
+                      .user_attributes_schema
+                      .iter()
+                      .filter(|a| a.is_hardcoded && a.name != "user_id")
+                      .map(display_field)
+                      .collect::<Vec<_>>()
+              }
+              {
+                  ctx
+                      .props()
+                      .user_attributes_schema
+                      .iter()
+                      .filter(|a| !a.is_hardcoded)
+                      .map(display_field)
+                      .collect::<Vec<_>>()
+              }
+              <Submit
+                text="Save changes"
+                disabled={self.common.is_task_running()}
+                onclick={link.callback(|e: MouseEvent| {e.prevent_default(); Msg::SubmitClicked})} />
             </form>
             {
               if let Some(e) = &self.common.error {
@@ -340,19 +155,97 @@ impl Component for UserDetailsForm {
     }
 }
 
+fn get_custom_attribute_input(
+    attribute_schema: &AttributeSchema,
+    user_attributes: &[Attribute],
+) -> Html {
+    let values = user_attributes
+        .iter()
+        .find(|a| a.name == attribute_schema.name)
+        .map(|attribute| attribute.value.clone())
+        .unwrap_or_default();
+    if attribute_schema.is_list {
+        html! {
+            <ListAttributeInput
+               name={attribute_schema.name.clone()}
+               attribute_type={Into::<AttributeType>::into(attribute_schema.attribute_type.clone())}
+               values={values}
+            />
+        }
+    } else {
+        html! {
+            <SingleAttributeInput
+                name={attribute_schema.name.clone()}
+                attribute_type={Into::<AttributeType>::into(attribute_schema.attribute_type.clone())}
+                value={values.first().cloned().unwrap_or_default()}
+            />
+        }
+    }
+}
+
+fn get_custom_attribute_static(
+    attribute_schema: &AttributeSchema,
+    user_attributes: &[Attribute],
+) -> Html {
+    let values = user_attributes
+        .iter()
+        .find(|a| a.name == attribute_schema.name)
+        .map(|attribute| attribute.value.clone())
+        .unwrap_or_default();
+    html! {
+        <StaticValue label={attribute_schema.name.clone()} id={attribute_schema.name.clone()}>
+            {values.into_iter().map(|x| html!{<div>{x}</div>}).collect::<Vec<_>>()}
+        </StaticValue>
+    }
+}
+
 impl UserDetailsForm {
     fn submit_user_update_form(&mut self, ctx: &Context<Self>) -> Result<bool> {
-        if !self.form.validate() {
-            bail!("Invalid inputs");
-        }
-        if let JsFile {
-            file: Some(_),
-            contents: None,
-        } = &self.avatar
-        {
-            bail!("Image file hasn't finished loading, try again");
-        }
-        let base_user = &self.user;
+        // TODO: Handle unloaded files.
+        // if let Some(JsFile {
+        //     file: Some(_),
+        //     contents: None,
+        // }) = &self.avatar
+        // {
+        //     bail!("Image file hasn't finished loading, try again");
+        // }
+        let mut all_values = read_all_form_attributes(
+            ctx.props().user_attributes_schema.iter(),
+            &self.form_ref,
+            IsAdmin(ctx.props().is_admin),
+            EmailIsRequired(!ctx.props().is_edited_user_admin),
+        )?;
+        let base_attributes = &self.user.attributes;
+        all_values.retain(|a| {
+            let base_val = base_attributes
+                .iter()
+                .find(|base_val| base_val.name == a.name);
+            base_val
+                .map(|v| v.value != a.values)
+                .unwrap_or(!a.values.is_empty())
+        });
+        let remove_attributes: Option<Vec<String>> = if all_values.is_empty() {
+            None
+        } else {
+            Some(all_values.iter().map(|a| a.name.clone()).collect())
+        };
+        let insert_attributes: Option<Vec<update_user::AttributeValueInput>> =
+            if remove_attributes.is_none() {
+                None
+            } else {
+                Some(
+                    all_values
+                        .into_iter()
+                        .filter(|a| !a.values.is_empty())
+                        .map(
+                            |AttributeValue { name, values }| update_user::AttributeValueInput {
+                                name,
+                                value: values,
+                            },
+                        )
+                        .collect(),
+                )
+            };
         let mut user_input = update_user::UpdateUserInput {
             id: self.user.id.clone(),
             email: None,
@@ -360,23 +253,12 @@ impl UserDetailsForm {
             firstName: None,
             lastName: None,
             avatar: None,
+            removeAttributes: None,
+            insertAttributes: None,
         };
         let default_user_input = user_input.clone();
-        let model = self.form.model();
-        let email = model.email;
-        if base_user.email != email {
-            user_input.email = Some(email);
-        }
-        if base_user.display_name != model.display_name {
-            user_input.displayName = Some(model.display_name);
-        }
-        if base_user.first_name != model.first_name {
-            user_input.firstName = Some(model.first_name);
-        }
-        if base_user.last_name != model.last_name {
-            user_input.lastName = Some(model.last_name);
-        }
-        user_input.avatar = maybe_to_base64(&self.avatar)?;
+        user_input.removeAttributes = remove_attributes;
+        user_input.insertAttributes = insert_attributes;
         // Nothing changed.
         if user_input == default_user_input {
             return Ok(false);
@@ -390,58 +272,4 @@ impl UserDetailsForm {
         );
         Ok(false)
     }
-
-    fn user_update_finished(&mut self, r: Result<update_user::ResponseData>) -> Result<bool> {
-        r?;
-        let model = self.form.model();
-        self.user.email = model.email;
-        self.user.display_name = model.display_name;
-        self.user.first_name = model.first_name;
-        self.user.last_name = model.last_name;
-        if let Some(avatar) = maybe_to_base64(&self.avatar)? {
-            self.user.avatar = Some(avatar);
-        }
-        self.just_updated = true;
-        Ok(true)
-    }
-
-    fn upload_files(files: Option<FileList>) -> Msg {
-        if let Some(files) = files {
-            if files.length() > 0 {
-                Msg::FileSelected(File::from(files.item(0).unwrap()))
-            } else {
-                Msg::Update
-            }
-        } else {
-            Msg::Update
-        }
-    }
-}
-
-fn is_valid_jpeg(bytes: &[u8]) -> bool {
-    image::io::Reader::with_format(std::io::Cursor::new(bytes), image::ImageFormat::Jpeg)
-        .decode()
-        .is_ok()
-}
-
-fn maybe_to_base64(file: &JsFile) -> Result<Option<String>> {
-    match file {
-        JsFile {
-            file: None,
-            contents: _,
-        } => Ok(None),
-        JsFile {
-            file: Some(_),
-            contents: None,
-        } => bail!("Image file hasn't finished loading, try again"),
-        JsFile {
-            file: Some(_),
-            contents: Some(data),
-        } => {
-            if !is_valid_jpeg(data.as_slice()) {
-                bail!("Chosen image is not a valid JPEG");
-            }
-            Ok(Some(base64::encode(data)))
-        }
-    }
 }

app/src/components/user_schema_table.rs

@@ -0,0 +1,198 @@
+use crate::{
+    components::{
+        delete_user_attribute::DeleteUserAttribute,
+        router::{AppRoute, Link},
+    },
+    convert_attribute_type,
+    infra::{
+        common_component::{CommonComponent, CommonComponentParts},
+        schema::AttributeType,
+    },
+};
+use anyhow::{anyhow, Error, Result};
+use gloo_console::log;
+use graphql_client::GraphQLQuery;
+use yew::prelude::*;
+
+#[derive(GraphQLQuery)]
+#[graphql(
+    schema_path = "../schema.graphql",
+    query_path = "queries/get_user_attributes_schema.graphql",
+    response_derives = "Debug,Clone,PartialEq,Eq",
+    custom_scalars_module = "crate::infra::graphql"
+)]
+pub struct GetUserAttributesSchema;
+
+use get_user_attributes_schema::ResponseData;
+
+pub type Attribute = get_user_attributes_schema::GetUserAttributesSchemaSchemaUserSchemaAttributes;
+
+convert_attribute_type!(get_user_attributes_schema::AttributeType);
+
+#[derive(yew::Properties, Clone, PartialEq, Eq)]
+pub struct Props {
+    pub hardcoded: bool,
+}
+
+pub struct UserSchemaTable {
+    common: CommonComponentParts<Self>,
+    attributes: Option<Vec<Attribute>>,
+}
+
+pub enum Msg {
+    ListAttributesResponse(Result<ResponseData>),
+    OnAttributeDeleted(String),
+    OnError(Error),
+}
+
+impl CommonComponent<UserSchemaTable> for UserSchemaTable {
+    fn handle_msg(&mut self, _: &Context<Self>, msg: <Self as Component>::Message) -> Result<bool> {
+        match msg {
+            Msg::ListAttributesResponse(schema) => {
+                self.attributes = Some(schema?.schema.user_schema.attributes.into_iter().collect());
+                Ok(true)
+            }
+            Msg::OnError(e) => Err(e),
+            Msg::OnAttributeDeleted(attribute_name) => {
+                match self.attributes {
+                    None => {
+                        log!(format!("Attribute {attribute_name} was  deleted but component has no attributes"));
+                        Err(anyhow!("invalid state"))
+                    }
+                    Some(_) => {
+                        self.attributes
+                            .as_mut()
+                            .unwrap()
+                            .retain(|a| a.name != attribute_name);
+                        Ok(true)
+                    }
+                }
+            }
+        }
+    }
+
+    fn mut_common(&mut self) -> &mut CommonComponentParts<Self> {
+        &mut self.common
+    }
+}
+
+impl Component for UserSchemaTable {
+    type Message = Msg;
+    type Properties = Props;
+
+    fn create(ctx: &Context<Self>) -> Self {
+        let mut table = UserSchemaTable {
+            common: CommonComponentParts::<Self>::create(),
+            attributes: None,
+        };
+        table.common.call_graphql::<GetUserAttributesSchema, _>(
+            ctx,
+            get_user_attributes_schema::Variables {},
+            Msg::ListAttributesResponse,
+            "Error trying to fetch user schema",
+        );
+        table
+    }
+
+    fn update(&mut self, ctx: &Context<Self>, msg: Self::Message) -> bool {
+        CommonComponentParts::<Self>::update(self, ctx, msg)
+    }
+
+    fn view(&self, ctx: &Context<Self>) -> Html {
+        html! {
+            <div>
+              {self.view_attributes(ctx)}
+              {self.view_errors()}
+            </div>
+        }
+    }
+}
+
+impl UserSchemaTable {
+    fn view_attributes(&self, ctx: &Context<Self>) -> Html {
+        let hardcoded = ctx.props().hardcoded;
+        let make_table = |attributes: &Vec<Attribute>| {
+            html! {
+                <div class="table-responsive">
+                    <h3>{if hardcoded {"Hardcoded"} else {"User-defined"}}{" attributes"}</h3>
+                    <table class="table table-hover">
+                        <thead>
+                            <tr>
+                                <th>{"Attribute name"}</th>
+                                <th>{"Type"}</th>
+                                <th>{"Editable"}</th>
+                                <th>{"Visible"}</th>
+                                {if hardcoded {html!{}} else {html!{<th>{"Delete"}</th>}}}
+                            </tr>
+                        </thead>
+                        <tbody>
+                            {attributes.iter().map(|u| self.view_attribute(ctx, u)).collect::<Vec<_>>()}
+                        </tbody>
+                    </table>
+                </div>
+            }
+        };
+        match &self.attributes {
+            None => html! {{"Loading..."}},
+            Some(attributes) => {
+                let mut attributes = attributes.clone();
+                attributes.retain(|attribute| attribute.is_hardcoded == ctx.props().hardcoded);
+                make_table(&attributes)
+            }
+        }
+    }
+
+    fn view_attribute(&self, ctx: &Context<Self>, attribute: &Attribute) -> Html {
+        let link = ctx.link();
+        let attribute_type = AttributeType::from(attribute.attribute_type.clone());
+        let checkmark = html! {
+                    <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-check" viewBox="0 0 16 16">
+          <path d="M10.97 4.97a.75.75 0 0 1 1.07 1.05l-3.99 4.99a.75.75 0 0 1-1.08.02L4.324 8.384a.75.75 0 1 1 1.06-1.06l2.094 2.093 3.473-4.425z"></path>
+        </svg>
+                };
+        let hardcoded = ctx.props().hardcoded;
+        html! {
+            <tr key={attribute.name.clone()}>
+                <td>{&attribute.name}</td>
+                <td>{if attribute.is_list { format!("List<{attribute_type}>")} else {attribute_type.to_string()}}</td>
+                <td>{if attribute.is_editable {checkmark.clone()} else {html!{}}}</td>
+                <td>{if attribute.is_visible {checkmark.clone()} else {html!{}}}</td>
+                {
+                    if hardcoded {
+                        html!{}
+                    } else {
+                        html!{
+                            <td>
+                                <DeleteUserAttribute
+                                    attribute_name={attribute.name.clone()}
+                                    on_attribute_deleted={link.callback(Msg::OnAttributeDeleted)}
+                                    on_error={link.callback(Msg::OnError)}/>
+                            </td>
+                        }
+                    }
+                }
+            </tr>
+        }
+    }
+
+    fn view_errors(&self) -> Html {
+        match &self.common.error {
+            None => html! {},
+            Some(e) => html! {<div>{"Error: "}{e.to_string()}</div>},
+        }
+    }
+}
+
+#[function_component(ListUserSchema)]
+pub fn list_user_schema() -> Html {
+    html! {
+        <div>
+            <UserSchemaTable hardcoded={true} />
+            <UserSchemaTable hardcoded={false} />
+            <Link classes="btn btn-primary" to={AppRoute::CreateUserAttribute}>
+                <i class="bi-plus-circle me-2"></i>
+                {"Create an attribute"}
+            </Link>
+        </div>
+    }
+}

app/src/infra/api.rs

@@ -1,6 +1,6 @@
 use super::cookies::set_cookie;
 use anyhow::{anyhow, Context, Result};
-use gloo_net::http::{Method, Request};
+use gloo_net::http::{Method, RequestBuilder};
 use graphql_client::GraphQLQuery;
 use lldap_auth::{login, registration, JWTClaims};
 
@@ -16,21 +16,32 @@ fn get_claims_from_jwt(jwt: &str) -> Result<JWTClaims> {
     Ok(token.claims().clone())
 }
 
-const NO_BODY: Option<()> = None;
+enum RequestType<Body: Serialize> {
+    Get,
+    Post(Body),
+}
 
-async fn call_server(
+const GET_REQUEST: RequestType<()> = RequestType::Get;
+
+fn base_url() -> String {
+    yew_router::utils::base_url().unwrap_or_default()
+}
+
+async fn call_server<Body: Serialize>(
     url: &str,
-    body: Option<impl Serialize>,
+    body: RequestType<Body>,
     error_message: &'static str,
 ) -> Result<String> {
-    let mut request = Request::new(url)
+    let request_builder = RequestBuilder::new(url)
         .header("Content-Type", "application/json")
         .credentials(RequestCredentials::SameOrigin);
-    if let Some(b) = body {
-        request = request
-            .body(serde_json::to_string(&b)?)
-            .method(Method::POST);
-    }
+    let request = if let RequestType::Post(b) = body {
+        request_builder
+            .method(Method::POST)
+            .body(serde_json::to_string(&b)?)?
+    } else {
+        request_builder.build()?
+    };
     let response = request.send().await?;
     if response.ok() {
         Ok(response.text().await?)
@@ -47,7 +58,7 @@ async fn call_server(
 
 async fn call_server_json_with_error_message<CallbackResult, Body: Serialize>(
     url: &str,
-    request: Option<Body>,
+    request: RequestType<Body>,
     error_message: &'static str,
 ) -> Result<CallbackResult>
 where
@@ -59,7 +70,7 @@ where
 
 async fn call_server_empty_response_with_error_message<Body: Serialize>(
     url: &str,
-    request: Option<Body>,
+    request: RequestType<Body>,
     error_message: &'static str,
 ) -> Result<()> {
     call_server(url, request, error_message).await.map(|_| ())
@@ -97,8 +108,8 @@ impl HostService {
         };
         let request_body = QueryType::build_query(variables);
         call_server_json_with_error_message::<graphql_client::Response<_>, _>(
-            "/api/graphql",
-            Some(request_body),
+            &(base_url() + "/api/graphql"),
+            RequestType::Post(request_body),
             error_message,
         )
         .await
@@ -109,8 +120,8 @@ impl HostService {
         request: login::ClientLoginStartRequest,
     ) -> Result<Box<login::ServerLoginStartResponse>> {
         call_server_json_with_error_message(
-            "/auth/opaque/login/start",
-            Some(request),
+            &(base_url() + "/auth/opaque/login/start"),
+            RequestType::Post(request),
             "Could not start authentication: ",
         )
         .await
@@ -118,8 +129,8 @@ impl HostService {
 
     pub async fn login_finish(request: login::ClientLoginFinishRequest) -> Result<(String, bool)> {
         call_server_json_with_error_message::<login::ServerLoginResponse, _>(
-            "/auth/opaque/login/finish",
-            Some(request),
+            &(base_url() + "/auth/opaque/login/finish"),
+            RequestType::Post(request),
             "Could not finish authentication",
         )
         .await
@@ -130,8 +141,8 @@ impl HostService {
         request: registration::ClientRegistrationStartRequest,
     ) -> Result<Box<registration::ServerRegistrationStartResponse>> {
         call_server_json_with_error_message(
-            "/auth/opaque/register/start",
-            Some(request),
+            &(base_url() + "/auth/opaque/register/start"),
+            RequestType::Post(request),
             "Could not start registration: ",
         )
         .await
@@ -141,8 +152,8 @@ impl HostService {
         request: registration::ClientRegistrationFinishRequest,
     ) -> Result<()> {
         call_server_empty_response_with_error_message(
-            "/auth/opaque/register/finish",
-            Some(request),
+            &(base_url() + "/auth/opaque/register/finish"),
+            RequestType::Post(request),
             "Could not finish registration",
         )
         .await
@@ -150,8 +161,8 @@ impl HostService {
 
     pub async fn refresh() -> Result<(String, bool)> {
         call_server_json_with_error_message::<login::ServerLoginResponse, _>(
-            "/auth/refresh",
-            NO_BODY,
+            &(base_url() + "/auth/refresh"),
+            GET_REQUEST,
             "Could not start authentication: ",
         )
         .await
@@ -160,14 +171,22 @@ impl HostService {
 
     // The `_request` parameter is to make it the same shape as the other functions.
     pub async fn logout() -> Result<()> {
-        call_server_empty_response_with_error_message("/auth/logout", NO_BODY, "Could not logout")
-            .await
+        call_server_empty_response_with_error_message(
+            &(base_url() + "/auth/logout"),
+            GET_REQUEST,
+            "Could not logout",
+        )
+        .await
     }
 
     pub async fn reset_password_step1(username: String) -> Result<()> {
         call_server_empty_response_with_error_message(
-            &format!("/auth/reset/step1/{}", url_escape::encode_query(&username)),
-            NO_BODY,
+            &format!(
+                "{}/auth/reset/step1/{}",
+                base_url(),
+                url_escape::encode_query(&username)
+            ),
+            RequestType::Post(""),
             "Could not initiate password reset",
         )
         .await
@@ -177,21 +196,21 @@ impl HostService {
         token: String,
     ) -> Result<lldap_auth::password_reset::ServerPasswordResetResponse> {
         call_server_json_with_error_message(
-            &format!("/auth/reset/step2/{}", token),
-            NO_BODY,
+            &format!("{}/auth/reset/step2/{}", base_url(), token),
+            GET_REQUEST,
             "Could not validate token",
         )
         .await
     }
 
     pub async fn probe_password_reset() -> Result<bool> {
-        Ok(
-            gloo_net::http::Request::get("/auth/reset/step1/lldap_unlikely_very_long_user_name")
-                .header("Content-Type", "application/json")
-                .send()
-                .await?
-                .status()
-                != http::StatusCode::NOT_FOUND,
+        Ok(gloo_net::http::Request::post(
+            &(base_url() + "/auth/reset/step1/lldap_unlikely_very_long_user_name"),
         )
+        .header("Content-Type", "application/json")
+        .send()
+        .await?
+        .status()
+            != http::StatusCode::NOT_FOUND)
     }
 }

app/src/infra/cookies.rs

@@ -22,10 +22,11 @@ pub fn set_cookie(cookie_name: &str, value: &str, expiration: &DateTime<Utc>) ->
                 .map_err(|_| anyhow!("Document is not an HTMLDocument"))
         })?;
     let cookie_string = format!(
-        "{}={}; expires={}; sameSite=Strict; path=/",
+        "{}={}; expires={}; sameSite=Strict; path={}/",
         cookie_name,
         value,
-        expiration.to_rfc2822()
+        expiration.to_rfc2822(),
+        yew_router::utils::base_url().unwrap_or_default()
     );
     doc.set_cookie(&cookie_string)
         .map_err(|_| anyhow!("Could not set cookie"))

app/src/infra/form_utils.rs

@@ -0,0 +1,70 @@
+use anyhow::{anyhow, ensure, Result};
+use validator::validate_email;
+use web_sys::{FormData, HtmlFormElement};
+use yew::NodeRef;
+
+#[derive(Debug)]
+pub struct AttributeValue {
+    pub name: String,
+    pub values: Vec<String>,
+}
+
+pub struct GraphQlAttributeSchema {
+    pub name: String,
+    pub is_list: bool,
+    pub is_readonly: bool,
+    pub is_editable: bool,
+}
+
+fn validate_attributes(
+    all_values: &[AttributeValue],
+    email_is_required: EmailIsRequired,
+) -> Result<()> {
+    let maybe_email_values = all_values.iter().find(|a| a.name == "mail");
+    if email_is_required.0 || maybe_email_values.is_some() {
+        let email_values = &maybe_email_values
+            .ok_or_else(|| anyhow!("Email is required"))?
+            .values;
+        ensure!(email_values.len() == 1, "Email is required");
+        ensure!(validate_email(&email_values[0]), "Email is not valid");
+    }
+    Ok(())
+}
+
+pub struct IsAdmin(pub bool);
+pub struct EmailIsRequired(pub bool);
+
+pub fn read_all_form_attributes(
+    schema: impl IntoIterator<Item = impl Into<GraphQlAttributeSchema>>,
+    form_ref: &NodeRef,
+    is_admin: IsAdmin,
+    email_is_required: EmailIsRequired,
+) -> Result<Vec<AttributeValue>> {
+    let form = form_ref.cast::<HtmlFormElement>().unwrap();
+    let form_data = FormData::new_with_form(&form)
+        .map_err(|e| anyhow!("Failed to get FormData: {:#?}", e.as_string()))?;
+    let all_values = schema
+        .into_iter()
+        .map(Into::<GraphQlAttributeSchema>::into)
+        .filter(|attr| !attr.is_readonly && (is_admin.0 || attr.is_editable))
+        .map(|attr| -> Result<AttributeValue> {
+            let val = form_data
+                .get_all(attr.name.as_str())
+                .iter()
+                .map(|js_val| js_val.as_string().unwrap_or_default())
+                .filter(|val| !val.is_empty())
+                .collect::<Vec<String>>();
+            ensure!(
+                val.len() <= 1 || attr.is_list,
+                "Multiple values supplied for non-list attribute {}",
+                attr.name
+            );
+            Ok(AttributeValue {
+                name: attr.name.clone(),
+                values: val,
+            })
+        })
+        .collect::<Result<Vec<_>>>()?;
+    validate_attributes(&all_values, email_is_required)?;
+    Ok(all_values)
+}

app/src/infra/functional.rs

@@ -0,0 +1,59 @@
+use crate::infra::api::HostService;
+use anyhow::Result;
+use graphql_client::GraphQLQuery;
+use wasm_bindgen_futures::spawn_local;
+use yew::{use_effect_with_deps, use_state_eq, UseStateHandle};
+
+// Enum to represent a result that is fetched asynchronously.
+#[derive(Debug)]
+pub enum LoadableResult<T> {
+    // The result is still being fetched
+    Loading,
+    // The async call is completed
+    Loaded(Result<T>),
+}
+
+impl<T: PartialEq> PartialEq for LoadableResult<T> {
+    fn eq(&self, other: &Self) -> bool {
+        match (self, other) {
+            (LoadableResult::Loading, LoadableResult::Loading) => true,
+            (LoadableResult::Loaded(Ok(d1)), LoadableResult::Loaded(Ok(d2))) => d1.eq(d2),
+            (LoadableResult::Loaded(Err(e1)), LoadableResult::Loaded(Err(e2))) => {
+                e1.to_string().eq(&e2.to_string())
+            }
+            _ => false,
+        }
+    }
+}
+
+pub fn use_graphql_call<QueryType>(
+    variables: QueryType::Variables,
+) -> UseStateHandle<LoadableResult<QueryType::ResponseData>>
+where
+    QueryType: GraphQLQuery + 'static,
+    <QueryType as graphql_client::GraphQLQuery>::Variables: std::cmp::PartialEq + Clone,
+    <QueryType as graphql_client::GraphQLQuery>::ResponseData: std::cmp::PartialEq,
+{
+    let loadable_result: UseStateHandle<LoadableResult<QueryType::ResponseData>> =
+        use_state_eq(|| LoadableResult::Loading);
+    {
+        let loadable_result = loadable_result.clone();
+        use_effect_with_deps(
+            move |variables| {
+                let task = HostService::graphql_query::<QueryType>(
+                    variables.clone(),
+                    "Failed graphql query",
+                );
+
+                spawn_local(async move {
+                    let response = task.await;
+                    loadable_result.set(LoadableResult::Loaded(response));
+                });
+
+                || ()
+            },
+            variables,
+        )
+    }
+    loadable_result.clone()
+}

app/src/infra/mod.rs

@@ -1,5 +1,9 @@
 pub mod api;
 pub mod common_component;
 pub mod cookies;
+pub mod form_utils;
+pub mod functional;
 pub mod graphql;
 pub mod modal;
+pub mod schema;
+pub mod tooltip;

app/src/infra/modal.rs

@@ -1,3 +1,5 @@
+#![allow(clippy::empty_docs)]
+
 use wasm_bindgen::prelude::*;
 
 #[wasm_bindgen]

app/src/infra/schema.rs

@@ -0,0 +1,66 @@
+use anyhow::Result;
+use std::{fmt::Display, str::FromStr};
+use validator::ValidationError;
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum AttributeType {
+    String,
+    Integer,
+    DateTime,
+    Jpeg,
+}
+
+impl Display for AttributeType {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "{:?}", self)
+    }
+}
+
+impl FromStr for AttributeType {
+    type Err = ();
+    fn from_str(value: &str) -> Result<Self, Self::Err> {
+        match value {
+            "String" => Ok(AttributeType::String),
+            "Integer" => Ok(AttributeType::Integer),
+            "DateTime" => Ok(AttributeType::DateTime),
+            "Jpeg" => Ok(AttributeType::Jpeg),
+            _ => Err(()),
+        }
+    }
+}
+
+// Macro to generate traits for converting between AttributeType and the
+// graphql generated equivalents.
+#[macro_export]
+macro_rules! convert_attribute_type {
+    ($source_type:ty) => {
+        impl From<$source_type> for $crate::infra::schema::AttributeType {
+            fn from(value: $source_type) -> Self {
+                match value {
+                    <$source_type>::STRING => $crate::infra::schema::AttributeType::String,
+                    <$source_type>::INTEGER => $crate::infra::schema::AttributeType::Integer,
+                    <$source_type>::DATE_TIME => $crate::infra::schema::AttributeType::DateTime,
+                    <$source_type>::JPEG_PHOTO => $crate::infra::schema::AttributeType::Jpeg,
+                    _ => panic!("Unknown attribute type"),
+                }
+            }
+        }
+
+        impl From<$crate::infra::schema::AttributeType> for $source_type {
+            fn from(value: $crate::infra::schema::AttributeType) -> Self {
+                match value {
+                    $crate::infra::schema::AttributeType::String => <$source_type>::STRING,
+                    $crate::infra::schema::AttributeType::Integer => <$source_type>::INTEGER,
+                    $crate::infra::schema::AttributeType::DateTime => <$source_type>::DATE_TIME,
+                    $crate::infra::schema::AttributeType::Jpeg => <$source_type>::JPEG_PHOTO,
+                }
+            }
+        }
+    };
+}
+
+pub fn validate_attribute_type(attribute_type: &str) -> Result<(), ValidationError> {
+    AttributeType::from_str(attribute_type)
+        .map_err(|_| ValidationError::new("Invalid attribute type"))?;
+    Ok(())
+}

app/src/infra/tooltip.rs

@@ -0,0 +1,12 @@
+#![allow(clippy::empty_docs)]
+
+use wasm_bindgen::prelude::*;
+
+#[wasm_bindgen]
+extern "C" {
+    #[wasm_bindgen(js_namespace = bootstrap)]
+    pub type Tooltip;
+
+    #[wasm_bindgen(constructor, js_namespace = bootstrap)]
+    pub fn new(e: web_sys::Element) -> Tooltip;
+}

app/static/main.js

@@ -1,6 +1,10 @@
 import init, { run_app } from '/pkg/lldap_app.js';
 async function main() {
-   await init('/pkg/lldap_app_bg.wasm');
-   run_app();
+  if(navigator.userAgent.indexOf('AppleWebKit') != -1) {
+    await init('/pkg/lldap_app_bg.wasm');
+  } else {
+    await init('/pkg/lldap_app_bg.wasm.gz');
+  }
+  run_app();
 }
 main()

auth/Cargo.toml

@@ -1,36 +1,52 @@
 [package]
-name = "lldap_auth"
-version = "0.3.0"
 authors = ["Valentin Tolmer <valentin@tolmer.fr>"]
+description = "Authentication protocol for LLDAP"
 edition = "2021"
+homepage = "https://github.com/lldap/lldap"
+license = "GPL-3.0-only"
+name = "lldap_auth"
+repository = "https://github.com/lldap/lldap"
+version = "0.6.0"
 
 [features]
 default = ["opaque_server", "opaque_client"]
 opaque_server = []
 opaque_client = []
 js = []
+sea_orm = ["dep:sea-orm"]
 
 [dependencies]
 rust-argon2 = "0.8"
 curve25519-dalek = "3"
 digest = "0.9"
-generic-array = "*"
+generic-array = "0.14"
 rand = "0.8"
 serde = "*"
 sha2 = "0.9"
 thiserror = "*"
 
+[dependencies.derive_more]
+features = ["debug", "display"]
+default-features = false
+version = "1"
+
 [dependencies.opaque-ke]
-version = "0.6"
+version = "0.7"
 
 [dependencies.chrono]
 version = "*"
-features = [ "serde" ]
+features = ["serde"]
+
+[dependencies.sea-orm]
+version = "0.12"
+default-features = false
+features = ["macros"]
+optional = true
 
 # For WASM targets, use the JS getrandom.
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies.getrandom]
 version = "0.2"
-features = ["js"]
 
 [target.'cfg(target_arch = "wasm32")'.dependencies.getrandom]
 version = "0.2"
+features = ["js"]

auth/src/lib.rs

@@ -9,17 +9,17 @@ pub mod opaque;
 
 /// The messages for the 3-step OPAQUE and simple login process.
 pub mod login {
-    use super::*;
+    use super::{types::UserId, *};
 
     #[derive(Serialize, Deserialize, Clone)]
     pub struct ServerData {
-        pub username: String,
+        pub username: UserId,
         pub server_login: opaque::server::login::ServerLogin,
     }
 
     #[derive(Serialize, Deserialize, Clone)]
     pub struct ClientLoginStartRequest {
-        pub username: String,
+        pub username: UserId,
         pub login_start_request: opaque::server::login::CredentialRequest,
     }
 
@@ -39,14 +39,14 @@ pub mod login {
 
     #[derive(Serialize, Deserialize, Clone)]
     pub struct ClientSimpleLoginRequest {
-        pub username: String,
+        pub username: UserId,
         pub password: String,
     }
 
     impl fmt::Debug for ClientSimpleLoginRequest {
         fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
             f.debug_struct("ClientSimpleLoginRequest")
-                .field("username", &self.username)
+                .field("username", &self.username.as_str())
                 .field("password", &"***********")
                 .finish()
         }
@@ -63,16 +63,16 @@ pub mod login {
 /// The messages for the 3-step OPAQUE registration process.
 /// It is used to reset a user's password.
 pub mod registration {
-    use super::*;
+    use super::{types::UserId, *};
 
     #[derive(Serialize, Deserialize, Clone)]
     pub struct ServerData {
-        pub username: String,
+        pub username: UserId,
     }
 
     #[derive(Serialize, Deserialize, Clone)]
     pub struct ClientRegistrationStartRequest {
-        pub username: String,
+        pub username: UserId,
         pub registration_start_request: opaque::server::registration::RegistrationRequest,
     }
 
@@ -104,6 +104,107 @@ pub mod password_reset {
     }
 }
 
+pub mod types {
+    use serde::{Deserialize, Serialize};
+
+    #[cfg(feature = "sea_orm")]
+    use sea_orm::{DbErr, DeriveValueType, TryFromU64, Value};
+
+    #[derive(
+        PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Default, Hash, Serialize, Deserialize,
+    )]
+    #[cfg_attr(feature = "sea_orm", derive(DeriveValueType))]
+    #[serde(from = "String")]
+    pub struct CaseInsensitiveString(String);
+
+    impl CaseInsensitiveString {
+        pub fn new(s: &str) -> Self {
+            Self(s.to_ascii_lowercase())
+        }
+
+        pub fn as_str(&self) -> &str {
+            self.0.as_str()
+        }
+
+        pub fn into_string(self) -> String {
+            self.0
+        }
+    }
+
+    impl From<String> for CaseInsensitiveString {
+        fn from(mut s: String) -> Self {
+            s.make_ascii_lowercase();
+            Self(s)
+        }
+    }
+
+    impl From<&String> for CaseInsensitiveString {
+        fn from(s: &String) -> Self {
+            Self::new(s.as_str())
+        }
+    }
+
+    impl From<&str> for CaseInsensitiveString {
+        fn from(s: &str) -> Self {
+            Self::new(s)
+        }
+    }
+
+    #[derive(
+        PartialEq,
+        Eq,
+        PartialOrd,
+        Ord,
+        Clone,
+        Default,
+        Hash,
+        Serialize,
+        Deserialize,
+        derive_more::Debug,
+        derive_more::Display,
+    )]
+    #[cfg_attr(feature = "sea_orm", derive(DeriveValueType))]
+    #[serde(from = "CaseInsensitiveString")]
+    #[debug(r#""{}""#, _0.as_str())]
+    #[display("{}", _0.as_str())]
+    pub struct UserId(CaseInsensitiveString);
+
+    impl UserId {
+        pub fn new(s: &str) -> Self {
+            s.into()
+        }
+        pub fn as_str(&self) -> &str {
+            self.0.as_str()
+        }
+        pub fn into_string(self) -> String {
+            self.0.into_string()
+        }
+    }
+    impl<T> From<T> for UserId
+    where
+        T: Into<CaseInsensitiveString>,
+    {
+        fn from(s: T) -> Self {
+            Self(s.into())
+        }
+    }
+
+    #[cfg(feature = "sea_orm")]
+    impl From<&UserId> for Value {
+        fn from(user_id: &UserId) -> Self {
+            user_id.as_str().into()
+        }
+    }
+    #[cfg(feature = "sea_orm")]
+    impl TryFromU64 for UserId {
+        fn try_from_u64(_n: u64) -> Result<Self, DbErr> {
+            Err(DbErr::ConvertFromU64(
+                "UserId cannot be constructed from u64",
+            ))
+        }
+    }
+}
+
 #[derive(Clone, Serialize, Deserialize)]
 pub struct JWTClaims {
     pub exp: DateTime<Utc>,

auth/src/opaque.rs

@@ -1,3 +1,4 @@
+use crate::types::UserId;
 use opaque_ke::ciphersuite::CipherSuite;
 use rand::{CryptoRng, RngCore};
 
@@ -77,10 +78,10 @@ pub mod client {
         pub use opaque_ke::ClientRegistrationFinishParameters;
         /// Initiate the registration negotiation.
         pub fn start_registration<R: RngCore + CryptoRng>(
-            password: &str,
+            password: &[u8],
             rng: &mut R,
         ) -> AuthenticationResult<ClientRegistrationStartResult> {
-            Ok(ClientRegistration::start(rng, password.as_bytes())?)
+            Ok(ClientRegistration::start(rng, password)?)
         }
 
         /// Finalize the registration negotiation.
@@ -145,12 +146,12 @@ pub mod server {
         pub fn start_registration(
             server_setup: &ServerSetup,
             registration_request: RegistrationRequest,
-            username: &str,
+            username: &UserId,
         ) -> AuthenticationResult<ServerRegistrationStartResult> {
             Ok(ServerRegistration::start(
                 server_setup,
                 registration_request,
-                username.as_bytes(),
+                username.as_str().as_bytes(),
             )?)
         }
 
@@ -178,14 +179,14 @@ pub mod server {
             server_setup: &ServerSetup,
             password_file: Option<ServerRegistration>,
             credential_request: CredentialRequest,
-            username: &str,
+            username: &UserId,
         ) -> AuthenticationResult<ServerLoginStartResult> {
             Ok(ServerLogin::start(
                 rng,
                 server_setup,
                 password_file,
                 credential_request,
-                username.as_bytes(),
+                username.as_str().as_bytes(),
                 ServerLoginStartParameters::default(),
             )?)
         }

docker-entrypoint-rootless.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+CONFIG_FILE=/data/lldap_config.toml
+
+if [ ! -f "$CONFIG_FILE" ]; then
+  echo "[entrypoint] Copying the default config to $CONFIG_FILE"
+  echo "[entrypoint] Edit this $CONFIG_FILE to configure LLDAP."
+  if cp /app/lldap_config.docker_template.toml $CONFIG_FILE; then
+     echo "Configuration copied successfully."
+  else
+     echo "Fail to copy configuration, check permission on /data or manually create one by copying from LLDAP repository"
+     exit 1
+  fi
+fi
+
+echo "> Starting lldap.."
+echo ""
+exec /app/lldap "$@"
+exec "$@"

docs/architecture.md

@@ -14,21 +14,20 @@ Backend:
     is defined in `schema.graphql`.
   * The static frontend files are served by this port too.
 
-Note that secure protocols (LDAPS, HTTPS) are currently not supported. This can
-be worked around by using a reverse proxy in front of the server (for the HTTP
-API) that wraps/unwraps the HTTPS messages, or only open the service to
-localhost or other trusted docker containers (for the LDAP API).
+Note that HTTPS is currently not supported. This can be worked around by using
+a reverse proxy in front of the server (for the HTTP API) that wraps/unwraps
+the HTTPS messages. LDAPS is supported.
 
 Frontend:
 * User management UI.
 * Written in Rust compiled to WASM as an SPA with the Yew library.
-* Based on components, with a React-like organization.
+* Based on components, with a React-like framework.
 
 Data storage:
 * The data (users, groups, memberships, active JWTs, ...) is stored in SQL.
-* Currently only SQLite is supported (see
-  https://github.com/launchbadge/sqlx/issues/1225 for what blocks us from
-  supporting more SQL backends).
+* The main SQL DBs are supported: SQLite by default, MySQL, MariaDB, PostgreSQL
+  (see [DB Migration](/database_migration.md) for how to migrate off of
+  SQLite).
 
 ### Code organization
 
@@ -50,19 +49,19 @@ Data storage:
 Authentication is done via the OPAQUE protocol, meaning that the passwords are
 never sent to the server, but instead the client proves that they know the
 correct password (zero-knowledge proof). This is likely overkill, especially
-considered that the LDAP interface requires sending the password to the server,
-but it's one less potential flaw (especially since the LDAP interface can be
-restricted to an internal docker-only network while the web app is exposed to
-the Internet).
+considered that the LDAP interface requires sending the password in cleartext
+to the server, but it's one less potential flaw (especially since the LDAP
+interface can be restricted to an internal docker-only network while the web
+app is exposed to the Internet).
 
 OPAQUE's "passwords" (user-specific blobs of data that can only be used in a
 zero-knowledge proof that the password is correct) are hashed using Argon2, the
 state of the art in terms of password storage. They are hashed using a secret
-provided in the configuration (which can be given as environment variable or
-command line argument as well): this should be kept secret and shouldn't change
-(it would invalidate all passwords). Note that even if it was compromised, the
-attacker wouldn't be able to decrypt the passwords without running an expensive
-brute-force search independently for each password.
+provided in the configuration (which can be given as environment variable,
+command line argument or a file as well): this should be kept secret and
+shouldn't change (it would invalidate all passwords). Note that even if it was
+compromised, the attacker wouldn't be able to decrypt the passwords without
+running an expensive brute-force search independently for each password.
 
 ### JWTs and refresh tokens
 

docs/database_migration.md

@@ -20,7 +20,7 @@ LLDAP has a command that will connect to a target database and initialize the
 schema. If running with docker, run the following command to use your active
 instance (this has the benefit of ensuring your container has access):
 
-```
+```sh
 docker exec -it <LLDAP container name> /app/lldap create_schema -d <Target database url>
 ```
 
@@ -34,7 +34,7 @@ databases (SQLite in this example) will give an error if LLDAP is in the middle
 statements. There are various ways to do this, but a simple enough way is filtering a
 whole database dump. This repo contains [a script](/scripts/sqlite_dump_commands.sh) to generate SQLite commands for creating an appropriate dump:
 
-```
+```sh
 ./sqlite_dump_commands.sh | sqlite3 /path/to/lldap/config/users.db > /path/to/dump.sql
 ```
 
@@ -49,23 +49,26 @@ a transaction in case one of the statements fail.
 PostgreSQL uses a different hex string format. The command below should switch SQLite
 format to PostgreSQL format, and wrap it all in a transaction:
 
-```
+```sh
 sed -i -r -e "s/X'([[:xdigit:]]+'[^'])/'\\\x\\1/g" \
+-e ":a; s/(INSERT INTO (user_attribute_schema|jwt_storage)\(.*\) VALUES\(.*),1([^']*\);)$/\1,true\3/; s/(INSERT INTO (user_attribute_schema|jwt_storage)\(.*\) VALUES\(.*),0([^']*\);)$/\1,false\3/; ta" \
 -e '1s/^/BEGIN;\n/' \
+-e '$aSELECT setval(pg_get_serial_sequence('\''groups'\'', '\''group_id'\''), COALESCE((SELECT MAX(group_id) FROM groups), 1));' \
 -e '$aCOMMIT;' /path/to/dump.sql
 ```
 
 ### To MySQL
 
 MySQL mostly cooperates, but it gets some errors if you don't escape the `groups` table. It also uses
-backticks to escape table name instead of quotes.  Run the
+backticks to escape table name instead of quotes. Run the
 following command to wrap all table names in backticks for good measure, and wrap the inserts in
 a transaction:
 
-```
+```sh
 sed -i -r -e 's/^INSERT INTO "?([a-zA-Z0-9_]+)"?/INSERT INTO `\1`/' \
 -e '1s/^/START TRANSACTION;\n/' \
--e '$aCOMMIT;' /path/to/dump.sql
+-e '$aCOMMIT;' \
+-e '1 i\SET FOREIGN_KEY_CHECKS = 0;' /path/to/dump.sql
 ```
 
 ### To MariaDB
@@ -73,11 +76,12 @@ sed -i -r -e 's/^INSERT INTO "?([a-zA-Z0-9_]+)"?/INSERT INTO `\1`/' \
 While MariaDB is supposed to be identical to MySQL, it doesn't support timezone offsets on DATETIME
 strings. Use the following command to remove those and perform the additional MySQL sanitization:
 
-```
+```sh
 sed -i -r -e "s/([^']'[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{9})\+00:00'([^'])/\1'\2/g" \
 -e 's/^INSERT INTO "?([a-zA-Z0-9_]+)"?/INSERT INTO `\1`/' \
 -e '1s/^/START TRANSACTION;\n/' \
--e '$aCOMMIT;' /path/to/dump.sql
+-e '$aCOMMIT;' \
+-e '1 i\SET FOREIGN_KEY_CHECKS = 0;' /path/to/dump.sql
 ```
 
 ## Insert data
@@ -102,4 +106,6 @@ or
 
 Modify your `database_url` in `lldap_config.toml` (or `LLDAP_DATABASE_URL` in the env)
 to point to your new database (the same value used when generating schema). Restart
-LLDAP and check the logs to ensure there were no errors.
+LLDAP and check the logs to ensure there were no errors.
+
+#### More details/examples can be seen in the CI process [here](https://raw.githubusercontent.com/lldap/lldap/main/.github/workflows/docker-build-static.yml), look for the job `lldap-database-migration-test`

docs/migration_guides/v0.5.md

@@ -0,0 +1,58 @@
+# Migration from 0.4 to 0.5
+
+Welcome! If you're here, it's probably that the migration from 0.4.x to 0.5
+didn't go smoothly for you. Don't worry, we can fix that.
+
+## Multiple users with the same email
+
+This is the most common case. You can see in the LLDAP logs that there are
+several users with the same email, and they are listed.
+
+This is not allowed anymore in v0.5, to prevent a user from setting their email
+to someone else's email and gaining access to systems that identify by email.
+
+The problem is that you currently have several users with the same email, so the
+constraint cannot be enforced.
+
+### Step 1: Take a note of the users with duplicate emails
+
+In the LLDAP logs when you tried to start v0.5+, you'll see some warnings with
+the list of users with the same emails. Take note of them.
+
+### Step 2: Downgrade to v0.4.3
+
+If using docker, switch to the `lldap/lldap:v0.4.3` image. Alternatively, grab
+the binaries at https://github.com/lldap/lldap/releases/tag/v0.4.3.
+
+This downgrade is safe and supported.
+
+### Step 3: Remove duplicate emails
+
+Restart LLDAP with the v0.4.3 version, and using your notes from step 1, change
+the email of users with duplicate emails to make sure that each email is unique.
+
+### Step 4: Upgrade again
+
+You can now revert to the initial version.
+
+## Multiple users/groups with the same UUID
+
+This should be extremely rare. In this case, you'll need to find which users
+have the same UUID, revert to v0.4.3 to be able to apply the changes, and delete
+one of the duplicates.
+
+## FAQ
+
+### What if I want several users to be controlled by the same email?
+
+You can use plus codes to set "the same" email to several users, while ensuring
+that they can't identify as each other. For instance:
+
+ - Admin: `admin@example.com`
+ - Read-only admin: `admin+readonly@example.com`
+ - Jellyfin admin: `admin+jellyfin@example.com`
+
+### I'm upgrading to a higher version than v0.5.
+
+This guide is still relevant: you can use whatever later version in place of
+v0.5. You'll still need to revert to v0.4.3 to apply the changes.

docs/scripting.md

@@ -18,6 +18,15 @@ still supports basic RootDSE queries.
 
 Anonymous bind is not supported.
 
+## `lldap-cli`
+
+There is a community-built CLI frontend,
+[Zepmann/lldap-cli](https://github.com/Zepmann/lldap-cli), that supports all
+(as of this writing) the operations possible. Getting information from the
+server, creating users, adding them to groups, creating new custom attributes
+and populating them, all of that is supported. It is currently the easiest way
+to script the interaction with LLDAP.
+
 ## GraphQL
 
 The best way to interact with LLDAP programmatically is via the GraphQL

example_configs/MegaRAC-SP-X-BMC.md

@@ -0,0 +1,48 @@
+# MegaRAC SP-X BMC IPMI LDAP Setup
+
+The MegaRAC SP-X BMC is a service processor firmware stack designed by American Megatrends Inc. (AMI), aimed at providing out-of-band management for servers and computing systems. 
+It's part of the MegaRAC family of management solutions, offering remote server management capabilities, including monitoring, control, and maintenance functionalities, independent of the operating system or system state. 
+This enables administrators to manage systems remotely for tasks such as updates, troubleshooting, and recovery.
+
+## Setting up LLDAP with MegaRAC SP-X BMC IPMI
+
+### Pre-requisites
+- Create and assign the `ipmi` group in LLDAP to a (test) user.
+- Bind User: It is recommended that you create a separate user account (e.g, `bind_user`) instead of admin for sharing Bind credentials with other services. The bind_user should be a member of the lldap_strict_readonly group to limit access to your LDAP configuration in LLDAP.
+- Bind Password: password of the user specified above
+
+### Configuration Steps
+
+1. **Navigate**: Go to `Settings > External User Settings > LDAP/E-Directory Settings > General Settings`.
+
+2. **General LDAP Settings**:
+    - **Encryption Type**: `SSL` (or No Encryption if preferred)
+    - **Common Name Type**: `FQDN` (or IP if you use a plain IP address to connect to lldap)
+    - **Server Address**: `fqdn.lldap.tld`
+    - **Port**: `6360` (default for SSL, adjust if necessary to default non ssl `3890`)
+
+3. **Authentication** (use read-only bind user):
+    - **Bind DN**: `uid=bind_user,ou=people,dc=example,dc=com`
+    - **Password**: `change_bind_user_password`
+
+4. **Search Configuration**:
+    - **Search Base**: `ou=people,dc=example,dc=com`
+    - **Attribute of User Login**: `uid`
+
+![General LDAP Settings](images/megarac_user.png)
+
+5. **Navigate**: Go to `Settings > External User Settings > LDAP/E-Directory Settings > Role groups`.
+
+6. **Click on empty role group in order to assign a new one**
+
+7. **Role Group - Group Details**:
+    - **Group Name**: `ipmi`
+    - **Group Domain**: `cn=ipmi,ou=groups,dc=example,dc=com`
+    - **Group Privilege**: `Administrator`
+
+8. **Group Permissions**:
+    - KVM Access: Enabled (adjust as needed)
+    - VMedia Access: Enabled (adjust as needed)
+
+![Role Groups](images/megarac_group.png)
+

example_configs/apereo_cas_server.md

@@ -0,0 +1,18 @@
+# Configuration for Apereo CAS Server
+
+Replace `dc=example,dc=com` with your LLDAP configured domain, and hostname for your LLDAP server.
+
+The `search-filter` provided here requires users to be members of the `cas_auth` group in LLDAP.
+
+Configuration to use LDAP in e.g. `/etc/cas/config/standalone.yml`
+```
+cas:
+  authn:
+    ldap:
+    - base-dn: dc=example,dc=com
+      bind-credential: password
+      bind-dn: uid=admin,ou=people,dc=example,dc=com
+      ldap-url: ldap://ldap.example.com:3890
+      search-filter: (&(objectClass=person)(memberOf=uid=cas_auth,ou=groups,dc=example,dc=com))
+```
+

example_configs/authelia_config.yml

@@ -15,7 +15,7 @@ authentication_backend:
     implementation: custom
     # Pattern is ldap://HOSTNAME-OR-IP:PORT
     # Normal ldap port is 389, standard in LLDAP is 3890
-    url: ldap://lldap:3890
+    address: ldap://lldap:3890
     # The dial timeout for LDAP.
     timeout: 5s
     # Use StartTLS with the LDAP connection, TLS not supported right now
@@ -25,7 +25,6 @@ authentication_backend:
     #  minimum_version: TLS1.2
     # Set base dn, like dc=google,dc.com
     base_dn: dc=example,dc=com
-    username_attribute: uid
     # You need to set this to ou=people, because all users are stored in this ou!
     additional_users_dn: ou=people
     # To allow sign in both with username and email, one can use a filter like
@@ -33,16 +32,20 @@ authentication_backend:
     users_filter: "(&({username_attribute}={input})(objectClass=person))"
     # Set this to ou=groups, because all groups are stored in this ou
     additional_groups_dn: ou=groups
-    # Only this filter is supported right now
+    # The groups are not displayed in the UI, but this filter works.
     groups_filter: "(member={dn})"
     # The attribute holding the name of the group.
-    group_name_attribute: cn
-    # Email attribute
-    mail_attribute: mail
-    # The attribute holding the display name of the user. This will be used to greet an authenticated user.
-    display_name_attribute: displayName
-    # The username and password of the admin user.
-    # "admin" should be the admin username you set in the LLDAP configuration
-    user: uid=admin,ou=people,dc=example,dc=com
+    attributes:
+      display_name: displayName
+      username: uid
+      group_name: cn
+      mail: mail
+      # distinguished_name: distinguishedName
+      # member_of: memberOf
+
+    # The username and password of the bind user.
+    # "bind_user" should be the username you created for authentication with the "lldap_strict_readonly" permission. It is not recommended to use an actual admin account here.
+    # If you are configuring Authelia to change user passwords, then the account used here needs the "lldap_password_manager" permission instead.
+    user: uid=bind_user,ou=people,dc=example,dc=com
     # Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
     password: 'REPLACE_ME'

example_configs/bootstrap/bootstrap.md

@@ -0,0 +1,314 @@
+# Bootstrapping lldap using [bootstrap.sh](/scripts/bootstrap.sh) script
+
+bootstrap.sh allows managing your lldap in a git-ops, declarative way using JSON config files.
+
+The script can:
+
+* create, update users
+  * set/update all lldap built-in user attributes
+  * add/remove users to/from corresponding groups
+  * set/update user avatar from file, link or from gravatar by user email
+  * set/update user password
+* create groups
+* delete redundant users and groups (when `DO_CLEANUP` env var is true)
+* maintain the desired state described in JSON config files
+* create user/group user-defined attributes
+
+![](bootstrap-example-log-1.jpeg)
+
+## Required packages
+
+> The script will automatically install the required packages for alpine and debian-based distributions
+> when run by root, or you can install them by yourself.
+
+- curl
+- [jq](https://github.com/jqlang/jq)
+- [jo](https://github.com/jpmens/jo)
+
+## Environment variables
+
+- `LLDAP_URL` or `LLDAP_URL_FILE` (default value: `http://localhost:17170`) - URL to your lldap instance or path to file that contains URL
+- `LLDAP_ADMIN_USERNAME` or `LLDAP_ADMIN_USERNAME_FILE` (default value: `admin`) - admin username or path to file that contains username
+- `LLDAP_ADMIN_PASSWORD` or `LLDAP_ADMIN_PASSWORD_FILE` (default value: `password`) - admin password or path to file that contains password
+- `USER_CONFIGS_DIR` (default value: `/bootstrap/user-configs`) - directory where the user JSON configs could be found
+- `GROUP_CONFIGS_DIR` (default value: `/bootstrap/group-configs`) - directory where the group JSON configs could be found
+- `USER_SCHEMAS_DIR` (default value: `/bootstrap/user-schemas`) - directory where the user schema JSON configs could be found
+- `GROUP_SCHEMAS_DIR` (default value: `/bootstrap/group-schemas`) - directory where the group schema JSON configs could be found
+- `LLDAP_SET_PASSWORD_PATH` - path to the `lldap_set_password` utility (default value: `/app/lldap_set_password`)
+- `DO_CLEANUP` (default value: `false`) - delete groups and users not specified in config files, also remove users from groups that they do not belong to
+
+## Config files
+
+There are two types of config files: [group](#group-config-file-example) and [user](#user-config-file-example) configs.
+Each config file can be as one JSON file with nested JSON top-level values as several JSON files.
+
+### Group config file example
+
+Group configs are used to define groups that will be created by the script
+
+Fields description:
+
+* `name`: name of the group (**MANDATORY**)
+
+```json
+{
+  "name": "group-1"
+}
+{
+  "name": "group-2"
+}
+```
+
+### User config file example
+
+User config defines all the lldap user structures,
+if the non-mandatory field is omitted, the script will clean this field in lldap as well.
+
+Fields description:
+
+* `id`: it's just username (**MANDATORY**)
+* `email`: self-explanatory (**MANDATORY**)
+* `password`: would be used to set the password using `lldap_set_password` utility
+* `displayName`: self-explanatory
+* `firstName`: self-explanatory
+* `lastName`: self-explanatory
+* `avatar_file`: must be a valid path to jpeg file (ignored if `avatar_url` specified)
+* `avatar_url`: must be a valid URL to jpeg file (ignored if `gravatar_avatar` specified)
+* `gravatar_avatar` (`false` by default): the script will try to get an avatar from [gravatar](https://gravatar.com/) by previously specified `email` (has the highest priority)
+* `weserv_avatar` (`false` by default): avatar file from `avatar_url` or `gravatar_avatar` would be converted to jpeg using [wsrv.nl](https://wsrv.nl) (useful when your avatar is png)
+* `groups`: an array of groups the user would be a member of (all the groups must be specified in group config files)
+
+```json
+{
+  "id": "username",
+  "email": "username@example.com",
+  "password": "changeme",
+  "displayName": "Display Name",
+  "firstName": "First",
+  "lastName": "Last",
+  "avatar_file": "/path/to/avatar.jpg",
+  "avatar_url": "https://i.imgur.com/nbCxk3z.jpg",
+  "gravatar_avatar": "false",
+  "weserv_avatar": "false",
+  "groups": [
+    "group-1",
+    "group-2"
+  ]
+}
+
+```
+
+### User and group schema config file example
+
+User and group schema have the same structure.
+
+Fields description:
+
+* `name`: name of field, case insensitve - you should use lowercase
+* `attributeType`: `STRING` / `INTEGER` / `JPEG` / `DATE_TIME`
+* `isList`: single on multiple value field
+* `isEditable`: self-explanatory
+* `isVisible`: self-explanatory
+
+```json
+[
+  {
+    "name": "uid",
+    "attributeType": "INTEGER",
+    "isEditable": false,
+    "isList": false,
+    "isVisible": true
+  },
+  {
+    "name": "mailbox",
+    "attributeType": "STRING",
+    "isEditable": false,
+    "isList": false,
+    "isVisible": true
+  },
+  {
+    "name": "mail_alias",
+    "attributeType": "STRING",
+    "isEditable": false,
+    "isList": true,
+    "isVisible": true
+  }
+]
+```
+
+## Usage example
+
+### Manually
+
+The script can be run manually in the terminal for initial bootstrapping of your lldap instance.
+You should make sure that the [required packages](#required-packages) are installed
+and the [environment variables](#environment-variables) are configured properly.
+
+```bash
+export LLDAP_URL=http://localhost:8080
+export LLDAP_ADMIN_USERNAME=admin
+export LLDAP_ADMIN_PASSWORD=changeme
+export USER_CONFIGS_DIR="$(realpath ./configs/user)"
+export GROUP_CONFIGS_DIR="$(realpath ./configs/group)"
+export USER_SCHEMAS_DIR="$(realpath ./configs/user-schema)"
+export GROUP_SCHEMAS_DIR="$(realpath ./configs/group-schema)"
+export LLDAP_SET_PASSWORD_PATH="$(realpath ./lldap_set_password)"
+export DO_CLEANUP=false
+./bootstrap.sh
+```
+
+### Manually from running docker container or service
+
+After setting a docker container you can bootstrap users using:
+
+```
+docker exec -e LLDAP_ADMIN_PASSWORD_FILE=password -v ./bootstrap:/bootstrap -it $(docker ps --filter name=lldap -q) /app/bootstrap.sh
+```
+
+### Docker compose
+
+Let's suppose you have the next file structure:
+
+```text
+./
+├─ docker-compose.yaml
+└─ bootstrap
+   ├─ bootstrap.sh
+   └─ user-configs
+   │  ├─ user-1.json
+   │  ├─ ...
+   │  └─ user-n.json
+   └─ group-configs
+   |  ├─ group-1.json
+   |  ├─ ...
+   |  └─ group-n.json
+   └─ user-schemas
+   |  ├─ user-attrs-1.json
+   |  ├─ ...
+   |  └─ user-attrs-n.json
+   └─ group-schemas
+      ├─ group-attrs-1.json
+      ├─ ...
+      └─ group-attrs-n.json
+```
+
+You should mount `bootstrap` dir to lldap container and set the corresponding `env` variables:
+
+```yaml
+version: "3"
+
+services:
+  lldap:
+    image: lldap/lldap:v0.5.0
+    volumes:
+      - ./bootstrap:/bootstrap
+    ports:
+      - "3890:3890" # For LDAP
+      - "17170:17170" # For the web front-end
+    environment:
+      # envs required for lldap
+      - LLDAP_LDAP_USER_EMAIL=admin@example.com
+      - LLDAP_LDAP_USER_PASS=changeme
+      - LLDAP_LDAP_BASE_DN=dc=example,dc=com
+      
+      # envs required for bootstrap.sh
+      - LLDAP_URL=http://localhost:17170
+      - LLDAP_ADMIN_USERNAME=admin
+      - LLDAP_ADMIN_PASSWORD=changeme # same as LLDAP_LDAP_USER_PASS
+      - USER_CONFIGS_DIR=/bootstrap/user-configs
+      - GROUP_CONFIGS_DIR=/bootstrap/group-configs
+      - USER_SCHEMAS_DIR=/bootstrap/user-schemas
+      - GROUP_SCHEMAS_DIR=/bootstrap/group-schemas
+      - DO_CLEANUP=false
+```
+
+Then, to bootstrap your lldap just run `docker compose exec lldap /bootstrap/bootstrap.sh`.
+If config files were changed, re-run the `bootstrap.sh` with the same command.
+
+### Kubernetes job
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: lldap-bootstrap
+  # Next annotations are required if the job managed by Argo CD,
+  # so Argo CD can relaunch the job on every app sync action
+  annotations: 
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: lldap-bootstrap
+          image: lldap/lldap:v0.5.0
+
+          command:
+            - /bootstrap/bootstrap.sh
+
+          env:
+            - name: LLDAP_URL
+              value: "http://lldap:8080"
+
+            - name: LLDAP_ADMIN_USERNAME
+              valueFrom: { secretKeyRef: { name: lldap-admin-user, key: username } }
+
+            - name: LLDAP_ADMIN_PASSWORD
+              valueFrom: { secretKeyRef: { name: lldap-admin-user, key: password } }
+
+            - name: DO_CLEANUP
+              value: "true"
+
+          volumeMounts:
+            - name: bootstrap
+              mountPath: /bootstrap/bootstrap.sh
+              readOnly: true
+              subPath: bootstrap.sh
+
+            - name: user-configs
+              mountPath: /bootstrap/user-configs
+              readOnly: true
+
+            - name: group-configs
+              mountPath: /bootstrap/group-configs
+              readOnly: true
+
+      volumes:
+        - name: bootstrap
+          configMap:
+            name: bootstrap
+            defaultMode: 0555
+            items:
+              - key: bootstrap.sh
+                path: bootstrap.sh
+
+        - name: user-configs
+          projected:
+            sources:
+              - secret:
+                  name: lldap-admin-user
+                  items:
+                    - key: user-config.json
+                      path: admin-config.json
+              - secret:
+                  name: lldap-password-manager-user
+                  items:
+                    - key: user-config.json
+                      path: password-manager-config.json
+              - secret:
+                  name: lldap-bootstrap-configs
+                  items:
+                    - key: user-configs.json
+                      path: user-configs.json
+
+        - name: group-configs
+          projected:
+            sources:
+              - secret:
+                  name: lldap-bootstrap-configs
+                  items:
+                    - key: group-configs.json
+                      path: group-configs.json
+```

example_configs/carpal.md

@@ -0,0 +1,59 @@
+# Configuration for Carpal
+
+[Carpal](https://github.com/peeley/carpal) is a small, configurable
+[WebFinger](https://webfinger.net) server than can pull resource information
+from LDAP directories.
+
+There are two files used to configure Carpal for LDAP:
+
+- The YAML configuration file for Carpal itself
+- A Go template file for injecting the LDAP data into the WebFinger response
+
+### YAML File
+
+Replace the server URL, admin credentials, and domain for your server:
+
+```yaml
+# /etc/carpal/config.yml
+
+driver: ldap
+ldap:
+  url: ldap://myldapserver
+  bind_user: uid=myadmin,ou=people,dc=foobar,dc=com
+  bind_pass: myadminpassword
+  basedn: ou=people,dc=foobar,dc=com
+  filter: (uid=*)
+  user_attr: uid
+  attributes:
+    - uid
+    - mail
+    - cn
+  template: /etc/carpal/ldap.gotempl
+```
+
+If you have configured any user-defined attributes on your users, you can also
+add those to the `attributes` field.
+
+### Go Template File
+
+This is an example template; the template file is intended to be editable for
+your needs. If your users, for example, don't have Mastodon profiles, you can
+delete the Mastodon alias.
+
+```gotempl
+# /etc/carpal/ldap.gotempl
+
+aliases:
+  - "mailto:{{ index . "mail" }}"
+  - "https://mastodon/{{ index . "uid" }}"
+properties:
+  'http://webfinger.example/ns/name': '{{ index . "cn" }}'
+links:
+  - rel: "http://webfinger.example/rel/profile-page"
+    href: "https://www.example.com/~{{ index . "uid" }}/"
+```
+
+This example also only contains the default attributes present on all LLDAP
+users. If you have added custom user-defined attributes to your users and added
+them to the `attributes` field of the YAML config file, you can use them in
+this template file.

example_configs/dex_config.yml

@@ -10,8 +10,7 @@ connectors:
     id: ldap
     name: LDAP
     config:
-      host: lldap-host # make sure it does not start with `ldap://`
-      port: 3890 # or 6360 if you have ldaps enabled
+      host: lldap-host:3890 # or 6360 if you have ldaps enabled, make sure it does not start with `ldap://`
       insecureNoSSL: true # or false if you have ldaps enabled
       insecureSkipVerify: true # or false if you have ldaps enabled
       bindDN: uid=admin,ou=people,dc=example,dc=com # replace admin with your admin user

example_configs/dokuwiki.md

@@ -6,11 +6,12 @@ LDAP configuration is in ```/dokuwiki/conf/local.protected.php```:
 <?php
 $conf['useacl']         = 1;           //enable ACL
 $conf['authtype']       = 'authldap';  //enable this Auth plugin
+$conf['superuser'] = 'admin';
 $conf['plugin']['authldap']['server']      = 'ldap://lldap_server:3890'; #IP of your lldap
 $conf['plugin']['authldap']['usertree']    = 'ou=people,dc=example,dc=com';
-$conf['plugin']['authldap']['grouptree']   = 'ou=groups, dc=example, dc=com';
+$conf['plugin']['authldap']['grouptree']   = 'ou=groups,dc=example,dc=com';
 $conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=person))';
-$conf['plugin']['authldap']['groupfilter'] = '(objectClass=group)';
+$conf['plugin']['authldap']['groupfilter'] = '(&(member=%{dn})(objectClass=groupOfUniqueNames))';
 $conf['plugin']['authldap']['attributes']  = array('cn', 'displayname', 'mail', 'givenname', 'objectclass', 'sn', 'uid', 'memberof');
 $conf['plugin']['authldap']['version']    = 3;
 $conf['plugin']['authldap']['binddn']     = 'cn=admin,ou=people,dc=example,dc=com';
@@ -23,3 +24,11 @@ All you need to do is to activate the plugin. This can be done on the DokuWiki E
 Once the LDAP settings are defined, proceed to define the default authentication method.
 Navigate to Table of Contents > DokuWiki > Authentication.
 On the Authentication backend, select ```authldap``` and save the changes.
+
+## Internal (or other authentication) fallback
+If you dont want to use LDAP authentication exclusively, you can install the [authchained plugin](https://www.dokuwiki.org/plugin:authchained). It tries multiple auth backends when a user logs in.
+
+```
+$conf['authtype'] = 'authchained';
+$conf['plugin']['authchained']['authtypes'] = 'authldap:authplain';
+```

example_configs/ejabberd.md

@@ -0,0 +1,30 @@
+# Basic LDAP auth for a Ejabberd XMPP server
+
+[Main documentation here.](https://docs.ejabberd.im/admin/configuration/ldap/)
+
+For simple user auth add this to main ejabberd.yml:
+
+```
+host_config:
+  xmpp.example.org:
+    auth_method: [ldap]
+    ldap_servers:
+      - 127.0.0.1 #IP or hostname of LLDAP server
+    ldap_port: 3890
+    ldap_uids:
+      - uid
+    ldap_rootdn: "uid=lldap_readonly,ou=people,dc=example,dc=org"
+    ldap_password: "secret"
+    ldap_base: "ou=people,dc=example,dc=org"
+```
+
+## vCard from LDAP
+Theoretically possible, [see the documentation.](https://docs.ejabberd.im/admin/configuration/ldap/#vcard-in-ldap)
+
+TODO
+
+## Shared roster groups from LDAP
+
+Theoretically possible, [see the documentation.](https://docs.ejabberd.im/admin/configuration/ldap/#shared-roster-in-ldap)
+
+TODO

example_configs/ergo.md

@@ -0,0 +1,22 @@
+# Basic LDAP auth for an Ergo IRC server
+
+[Main documentation here.](https://github.com/ergochat/ergo-ldap)
+
+For simple user auth prepare a ldap-config.yaml with the following settings
+
+```
+host: "127.0.0.1"
+port: 3890
+timeout: 30s
+
+# uncomment for TLS / LDAPS:
+# use-ssl: true
+
+bind-dn: "uid=%s,ou=people,dc=example,dc=org"
+```
+
+Then add the compiled ergo-ldap program to your Ergo folder and make sure it can be executed by the same user your Ergo IRCd runs as.
+
+Follow the instructions in the main Ergo config file's accounts section on how to execute an external auth program.
+
+Make sure SASL auth is enabled and then restart Ergo to enable LDAP linked SASL auth.

example_configs/freebsd/freebsd-install.md

@@ -0,0 +1,18 @@
+Extract lldap's [FreeBSD tar.gz](https://github.com/n-connect/rustd-hbbx/blob/main/x86_64-freebsd_lldap-0.5.1.tar.gz) under /usr/local/:
+
+`tar -xvf x86_64-freebsd_lldap-0.5.1.tar.gz -C /usr/local/`
+
+Move rc.d script into the right place:
+`mv /usr/local/lldap_server/rc.d_lldap /usr/local/etc/rc.d/lldap`
+
+Make your config, if your want to enable LDAPS, copy your server key and certification files, and set the owneship (currently www):
+
+`cp /usr/local/lldap_server/lldap_config.docker_template.toml /usr/local/lldap_server/lldap_config..toml`
+
+Enable lldap service in /etc/rc.conf:
+
+`sysrc lldap_enable="YES"`
+
+Start your service:
+
+`service lldap start`

example_configs/freebsd/rc.d_lldap

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# PROVIDE: lldap
+# REQUIRE: DAEMON NETWORKING
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable lldap:
+# lldap_enable : set to "YES" to enable the daemon, default is "NO"
+
+. /etc/rc.subr
+
+name=lldap
+rcvar=lldap_enable
+
+lldap_chdir="/usr/local/lldap_server"
+
+load_rc_config $name
+
+lldap_enable=${lldap_enable:-"NO"}
+
+logfile="/var/log/${name}.log"
+
+procname=/usr/local/lldap_server/lldap
+command="/usr/sbin/daemon"
+command_args="-u www -o ${logfile} -t ${name} /usr/local/lldap_server/lldap run"
+
+run_rc_command "$1"

example_configs/gitlab.md

@@ -0,0 +1,30 @@
+# GitLab Configuration
+
+Members of the group ``git_user`` will have access to GitLab.
+
+Edit ``/etc/gitlab/gitlab.rb``:
+
+```ruby
+gitlab_rails['ldap_enabled'] = true
+gitlab_rails['ldap_servers'] = {
+  'main' => {
+    'label' => 'LDAP',
+    'host' =>  'ldap.example.com',
+    'port' => 3890,
+    'uid' => 'uid',
+    'base' => 'ou=people,dc=example,dc=com',
+    'encryption' => 'plain',
+    'bind_dn' => 'uid=bind_user,ou=people,dc=example,dc=com',
+    'password' => '<bind user password>',
+    'active_directory' => false,
+    'user_filter' => '(&(objectclass=person)(memberof=cn=git_user,ou=groups,dc=example,dc=com))',
+    'attributes' => {
+      'username' => 'uid',
+      'email' => 'mail',
+      'name' => 'displayName',
+      'first_name' => 'givenName',
+      'last_name' => 'sn'
+    }
+  }
+}
+```

example_configs/grafana_ldap_config.toml

@@ -20,7 +20,7 @@ ssl_skip_verify = false
 # client_key = "/path/to/client.key"
 
 # Search user bind dn
-bind_dn = "uid=<your grafana user>,ou=people,dc=example,dc=org"
+bind_dn = "uid=<your grafana user>,ou=people,dc=example,dc=com"
 # Search user bind password
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
 bind_password = "<grafana user password>"
@@ -31,19 +31,19 @@ search_filter = "(uid=%s)"
 # search_filter = "(&(uid=%s)(memberOf=cn=<your group>,ou=groups,dc=example,dc=org))"
 
 # An array of base dns to search through
-search_base_dns = ["dc=example,dc=org"]
+search_base_dns = ["dc=example,dc=com"]
 
 # Specify names of the LDAP attributes your LDAP uses
 [servers.attributes]
 member_of = "memberOf"
 email = "mail"
-name = "givenName"
+name = "displayName"
 surname = "sn"
 username = "uid"
 
 # If you want to map your ldap groups to grafana's groups, see: https://grafana.com/docs/grafana/latest/auth/ldap/#group-mappings
 # As a quick example, here is how you would map lldap's admin group to grafana's admin
 # [[servers.group_mappings]]
-# group_dn = "uid=lldap_admin,ou=groups,dc=example,dc=org"
+# group_dn = "cn=lldap_admin,ou=groups,dc=example,dc=org"
 # org_role = "Admin"
 # grafana_admin = true