
Conversation

aabharti-visa
Contributor

It was observed that LDAP groups were not being fetched for users via the /login API.

This PR involves changes to the /login API for LDAP authentication. The changes include validating the user's credentials for the /login API via the LDAP provider and then fetching the groups associated with the user, using groupProvider.
After this validation, it provisions the user and the groups and then creates the relationships between the user and the groups.

Sample frontend jaas.conf

WHZ-Authentication {
    security.PropertyFileLoginModule sufficient
        debug="true"
        file="user.props";

    com.sun.security.auth.module.LdapLoginModule sufficient
        userProvider={}
        authIdentity="{USERNAME}@Domain"
        userFilter="(&(userPrincipalName={USERNAME}@Domain)(objectClass=person))"
        groupProvider={}
        groupNameAttribute="cn"
        java.naming.security.authentication="simple"
        debug="true"
        useSSL="true";
};

github-actions bot added the labels product (PR or Issue related to the DataHub UI/UX) and community-contribution (PR or Issue raised by member(s) of DataHub Community) on Oct 3, 2025
datahub-cyborg bot added the label needs-review (Label for PRs that need review from a maintainer) on Oct 3, 2025

codecov bot commented Oct 3, 2025

Bundle Report

Changes will decrease total bundle size by 81 bytes (-0.0%) ⬇️. This is within the configured threshold ✅

Detailed changes

Bundle name            Size     Change
datahub-react-web-esm  28.58MB  -81 bytes (-0.0%) ⬇️

Affected Assets, Files, and Routes (bundle: datahub-react-web-esm)

Assets Changed:

Asset Name         Size Change  Total Size  Change (%)
assets/index-*.js  -81 bytes    18.92MB     -0.0%

@aabharti-visa
Contributor Author

/build

@aabharti-visa
Contributor Author

/build pr

@deepgarg760
Collaborator

datahub-cyborg bot added the label pending-submitter-response (Issue/request has been reviewed but requires a response from the submitter) and removed needs-review (Label for PRs that need review from a maintainer) on Oct 6, 2025
@aabharti-visa aabharti-visa force-pushed the feat(frontend)_fetch_groups_ldap_authentication branch from b975849 to 5233d38 Compare October 6, 2025 06:16
@aabharti-visa aabharti-visa force-pushed the feat(frontend)_fetch_groups_ldap_authentication branch from 5233d38 to f7bd56a Compare October 6, 2025 06:51
@aabharti-visa
Contributor Author

one test failing: https://github.com/datahub-project/datahub/actions/runs/18217782387/job/51870802886?pr=14918

Hi @deepgarg760, the failing test case is not related to the new test cases, which are in AuthenticationManagerTest, but comes from

ApplicationTest STANDARD_OUT
2025-10-06 07:10:16,107 [application-akka.actor.default-dispatcher-6] INFO controllers.SsoCallbackController - Home URL: /
2025-10-06 07:10:16,332 [application-akka.actor.default-dispatcher-9] INFO filters.BasePathRedirectFilter - BasePathRedirectFilter: Base path configured as: '/'
2025-10-06 07:10:16,655 [Test worker] INFO app.ApplicationTest - Shutdown Mock GMS
2025-10-06 07:10:16,664 [Test worker] INFO app.ApplicationTest - Shutdown Play Frontend
2025-10-06 07:10:16,677 [Test worker] INFO p.a.i.l.c.CoordinatedShutdownSupport - Starting synchronous coordinated shutdown with ServerStoppedReason reason and 2147508000 milliseconds timeout
2025-10-06 07:10:16,694 [application-akka.actor.default-dispatcher-6] INFO akka.actor.CoordinatedShutdown - Running CoordinatedShutdown with reason [ServerStoppedReason]
2025-10-06 07:10:16,719 [application-akka.actor.internal-dispatcher-5] INFO play.core.server.AkkaHttpServer - Terminating server binding for /[0:0:0:0:0:0:0:0]:19001
2025-10-06 07:10:16,802 [application-akka.actor.internal-dispatcher-3] INFO play.core.server.AkkaHttpServer - Running provided shutdown stop hooks
2025-10-06 07:10:16,885 [Test worker] INFO app.ApplicationTest - Shutdown MockOAuth2Server
2025-10-06 07:10:16,887 [Test worker] INFO app.ApplicationTest - Shutdown MockOAuth2Server thread
app.ApplicationTest ✘ initializationError

org.awaitility.core.ConditionTimeoutException: Condition with app.ApplicationTest was not fulfilled within 10 seconds.
    at app//app.ApplicationTest.init(ApplicationTest.java:200)
Caused by: java.util.concurrent.TimeoutException
    at app.ApplicationTest.init(ApplicationTest.java:200)

datahub-cyborg bot added the label needs-review (Label for PRs that need review from a maintainer) and removed pending-submitter-response (Issue/request has been reviewed but requires a response from the submitter) on Oct 6, 2025
@deepgarg760 deepgarg760 requested a review from chakru-r October 6, 2025 09:41

codecov bot commented Oct 6, 2025

datahub-cyborg bot added the label pending-submitter-response (Issue/request has been reviewed but requires a response from the submitter) and removed needs-review (Label for PRs that need review from a maintainer) on Oct 7, 2025
public static Hashtable<String, Object> createLdapEnvironment(
@Nonnull Map<String, String> options, @Nonnull String username, @Nonnull String password) {

Hashtable<String, Object> env = new Hashtable<>();
Collaborator

@deepgarg760 deepgarg760 Oct 7, 2025


Any specific reason for using Hashtable instead of HashMap?

Contributor Author


public static DirContext createLdapContext(Hashtable<String, Object> env) throws NamingException {
return new InitialDirContext(env);
}

Java's LDAP API (InitialDirContext) requires a Hashtable for the environment properties, hence I used it instead of HashMap.

@aabharti-visa aabharti-visa force-pushed the feat(frontend)_fetch_groups_ldap_authentication branch from fdc6934 to 6a4cd05 Compare October 7, 2025 12:06
@aabharti-visa aabharti-visa force-pushed the feat(frontend)_fetch_groups_ldap_authentication branch from 6a4cd05 to a5d7bb8 Compare October 7, 2025 12:08
@Test
public void testCreateLdapEnvironmentWithBasicOptions() {
String username = "testuser";
String password = "testpass";

@aikido-pr-checks aikido-pr-checks bot Oct 7, 2025


Exposed secret in datahub-frontend/test/auth/ldap/LdapConnectionUtilTest.java - low severity
Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches.


testUserDN = "CN=TestUser,OU=Users,DC=example,DC=com";
testUsername = "testuser";
testPassword = "testpass";

@aikido-pr-checks aikido-pr-checks bot Oct 7, 2025


Exposed secret in datahub-frontend/test/auth/ldap/LdapUserAttributeExtractorTest.java - low severity
Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches.

new LdapProvisioningLogic(mockSystemEntityClient, mockSystemOperationContext);

testUsername = "testuser";
testPassword = "testpass";

@aikido-pr-checks aikido-pr-checks bot Oct 7, 2025


Exposed secret in datahub-frontend/test/auth/ldap/LdapProvisioningLogicTest.java - low severity
Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches.

@david-leifker
Collaborator

david-leifker commented Oct 7, 2025

I would expect similar configuration options for enabling group provisioning and extraction. Something like this to match the OIDC versions: AUTH_LDAP_JIT_PROVISIONING_ENABLED and AUTH_LDAP_EXTRACT_GROUPS_ENABLED (maybe take a look at the other ones to see if any apply)

@david-leifker
Collaborator

We should also update the documentation around ldap+jaas, maybe adding to this document.

@chakru-r
Collaborator

chakru-r commented Oct 8, 2025

The changes in AuthenticationManager.java are too LDAP-specific, which does not make sense when the specific LDAP configuration you used for testing this is not being used.

This may be better addressed if you reorganise the code into a wrapper custom LoginModule that delegates calls to an LDAPLoginModule and additionally does the group lookup and provisions groups/user membership if needed.
With that approach, the custom LoginModule would be used only when it is explicitly configured.

The LoginModule can receive the additional object references required to create groups/user membership by calling Configuration.setConfiguration (https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html#setConfiguration-javax.security.auth.login.Configuration-); adding SystemEntityClient and OperationContext there gives the login module access to these objects, so the custom login module can create groups.

The custom login module can access these merged configuration options by implementing the initialize method; the last parameter, options, contains the config options from jaas.conf plus the additional objects added (SystemEntityClient and OperationContext). Your login module would then roughly do what OidcCallbackLogic does to create groups and group membership.
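An added worked example of the wrapper approach sketched in the comment above, covering the validate-then-fetch-groups-then-provision flow from the PR description as well. This is illustrative code, not code from this PR or from the DataHub project: a LoginModule that delegates authentication to the JDK's com.sun.security.auth.module.LdapLoginModule, then searches the groupProvider base for the user's groups and hands them to a provisioning callback, with the runtime objects injected by wrapping the Configuration parsed from jaas.conf. The class name, the GroupSink interface (standing in for SystemEntityClient and OperationContext), the groupSink option key and the groupSearchBindDn/groupSearchBindPassword options are assumptions; groupProvider and groupNameAttribute follow the jaas.conf sample in the description.

```java
import com.sun.security.auth.LdapPrincipal;
import com.sun.security.auth.UserPrincipal;
import com.sun.security.auth.module.LdapLoginModule;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical wrapper: authenticates via the JDK LdapLoginModule, then looks up and provisions the user's groups.
public final class GroupSyncLdapLoginModule implements LoginModule {
    // "groupProvider" and "groupNameAttribute" follow the jaas.conf sample in the PR; the other keys are assumed.
    static final String OPT_GROUP_PROVIDER = "groupProvider", OPT_GROUP_NAME_ATTR = "groupNameAttribute";
    static final String OPT_BIND_DN = "groupSearchBindDn", OPT_BIND_PASSWORD = "groupSearchBindPassword";
    // No dot in this key: LdapLoginModule forwards dotted options into the JNDI environment of its own connection.
    public static final String OPT_GROUP_SINK = "groupSink";  // a non-String object, injected at runtime

    // Stand-in for the provisioning code (SystemEntityClient + OperationContext in the real project).
    public interface GroupSink { void provision(String username, List<String> groups); }

    private final LdapLoginModule delegate = new LdapLoginModule();
    private Subject subject;
    private Map<String, ?> options;

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject;
        this.options = options;
        delegate.initialize(subject, handler, shared, options);  // it reads only its own keys (userProvider, useSSL, ...)
    }

    @Override public boolean login() throws LoginException { return delegate.login(); }  // the LDAP bind
    @Override public boolean abort() throws LoginException { return delegate.abort(); }
    @Override public boolean logout() throws LoginException { return delegate.logout(); }

    @Override public boolean commit() throws LoginException {
        if (!delegate.commit()) return false;  // on success the delegate adds UserPrincipal (name) and LdapPrincipal (DN)
        GroupSink sink = (GroupSink) options.get(OPT_GROUP_SINK);
        if (sink == null) return true;  // not wired in: behaves exactly like the plain LdapLoginModule
        String user = subject.getPrincipals(UserPrincipal.class).iterator().next().getName();
        String dn = subject.getPrincipals(LdapPrincipal.class).iterator().next().getName();
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(groupSearchEnv());
            sink.provision(user, searchGroups(ctx, options, dn));
            return true;
        } catch (NamingException e) {
            // Fail closed: do not hand the sink an empty membership list just because the lookup failed.
            throw (LoginException) new LoginException("LDAP group lookup failed: " + e.getMessage()).initCause(e);
        } finally { if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { } }
    }

    // Second connection for the group search, bound as a read-only service account (assumed options above).
    private Hashtable<String, Object> groupSearchEnv() {
        Hashtable<String, Object> env = new Hashtable<>();  // InitialDirContext requires a Hashtable, not a Map
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, String.valueOf(options.get(OPT_GROUP_PROVIDER)));  // ldaps://host/<base DN>
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, String.valueOf(options.get(OPT_BIND_DN)));
        env.put(Context.SECURITY_CREDENTIALS, String.valueOf(options.get(OPT_BIND_PASSWORD)));
        return env;
    }

    // Names of the groups whose member attribute contains the user's DN, searched under the groupProvider base.
    static List<String> searchGroups(DirContext ctx, Map<String, ?> opts, String userDn) throws NamingException {
        String nameAttr = Objects.toString(opts.get(OPT_GROUP_NAME_ATTR), "cn");
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {nameAttr});
        // {0} is filled in by JNDI with RFC 4515 escaping, so a DN containing ( ) * or \ cannot alter the filter.
        NamingEnumeration<SearchResult> results =
            ctx.search("", "(&(objectClass=group)(member={0}))", new Object[] {userDn}, sc);
        List<String> groups = new ArrayList<>();
        try {
            while (results.hasMore()) {
                Attribute a = results.next().getAttributes().get(nameAttr);
                if (a != null && a.get() != null) groups.add(a.get().toString());
            }
        } finally { results.close(); }
        return groups;
    }

    // Wraps the Configuration parsed from jaas.conf so only this module's entry gains the runtime objects.
    public static void installExtraOptions(String appName, Map<String, ?> extra) {
        Configuration base = Configuration.getConfiguration();
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                AppConfigurationEntry[] entries = base.getAppConfigurationEntry(name);
                if (entries == null || !appName.equals(name)) return entries;  // other applications are untouched
                return Arrays.stream(entries).map(e -> {
                    if (!GroupSyncLdapLoginModule.class.getName().equals(e.getLoginModuleName())) return e;
                    Map<String, Object> merged = new HashMap<>(e.getOptions());
                    merged.putAll(extra);  // e.g. OPT_GROUP_SINK -> the provisioning object
                    return new AppConfigurationEntry(e.getLoginModuleName(), e.getControlFlag(), merged);
                }).toArray(AppConfigurationEntry[]::new);
            }
        });
    }
}
```

In jaas.conf the entry would name GroupSyncLdapLoginModule in place of com.sun.security.auth.module.LdapLoginModule with the same options plus the service-account bind options, and the frontend would call installExtraOptions("WHZ-Authentication", Map.of(GroupSyncLdapLoginModule.OPT_GROUP_SINK, sink)) once at startup, before the first LoginContext is created; the PropertyFileLoginModule entry and any other application names pass through unchanged. Two details carry the security weight: the user's DN goes into the group filter as a JNDI filter argument rather than by string concatenation, so a DN containing filter metacharacters cannot widen the search, and a group lookup that fails aborts the login instead of provisioning the user with an empty membership list.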

Collaborator

@chakru-r chakru-r left a comment


See the comment on alternate approach that keeps the LDAP groups sync code separate into a module and used only when this custom module is explicitly configured.

yoonhyejin added the labels hacktoberfest-accepted (Acceptance for hacktoberfest, https://hacktoberfest.com/participation/) and hacktoberfest (Targeted Issues & PRs for Hacktoberfest) on Oct 9, 2025