From f6a3105fa57c86857c1fe317e853af5b4fba78e1 Mon Sep 17 00:00:00 2001
From: Jo Rhett
Date: Sun, 9 Feb 2025 11:40:22 -0800
Subject: [PATCH] Add a test for memberof attribute
---
 authentik/sources/ldap/tests/mock_freeipa.py | 11 +++++++
 authentik/sources/ldap/tests/test_sync.py | 32 ++++++++++++++++++++
 2 files changed, 43 insertions(+)
diff --git a/authentik/sources/ldap/tests/mock_freeipa.py b/authentik/sources/ldap/tests/mock_freeipa.py
index f2bb8bb7ba..e401ad69c5 100644
--- a/authentik/sources/ldap/tests/mock_freeipa.py
+++ b/authentik/sources/ldap/tests/mock_freeipa.py
@@ -96,6 +96,17 @@ def mock_freeipa_connection(password: str) -> Connection:
             "objectClass": "posixAccount",
         },
     )
+    # User with groups in memberOf attribute
+    connection.strategy.add_entry(
+        "cn=user4,ou=users,dc=goauthentik,dc=io",
+        {
+            "name": "user4_sn",
+            "objectClass": "person",
+            "memberOf": [
+                "cn=group1,ou=groups,dc=goauthentik,dc=io",
+            ]
+        },
+    )
     # Locked out user
     connection.strategy.add_entry(
         "cn=user-nsaccountlock,ou=users,dc=goauthentik,dc=io",
diff --git a/authentik/sources/ldap/tests/test_sync.py b/authentik/sources/ldap/tests/test_sync.py
index 42c8bea471..28095132b6 100644
--- a/authentik/sources/ldap/tests/test_sync.py
+++ b/authentik/sources/ldap/tests/test_sync.py
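Review bot: The new user4 entry gives the `memberOf` list no trailing comma before `},` (`]` on its own), unlike every other element in this fixture; black would rewrite it to `],`. The entry also defines no `uid` attribute, while the test that consumes it in this same commit sets `object_uniqueness_field = "uid"` — if the synchronizer keys users on that attribute, user4 could be skipped, so either add `"uid": "user4",` to the entry or key the test on an attribute the entry has; whether the sibling entries define `uid` is outside the hunk. The DN in `memberOf` points at `cn=group1,ou=groups,dc=goauthentik,dc=io`, and the consuming test filters groups with `(objectClass=groupOfNames)`, so the group1 entry in this fixture needs that objectClass for the membership assertion to hold — not visible in this hunk.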
@@ -162,6 +162,38 @@ class LDAPSyncTests(TestCase):
         self.assertFalse(User.objects.filter(username="user1_sn").exists())
         self.assertFalse(User.objects.get(username="user-nsaccountlock").is_active)
 
+    def test_sync_groups_freeipa_memberOf(self):
+        """Test group sync when membership is derived from memberOf user attribute"""
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.lookup_groups_from_user = True
+        self.source.user_property_mappings.set(
+            LDAPSourcePropertyMapping.objects.filter(
+                Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
+            )
+        )
+        self.source.group_property_mappings.set(
+            LDAPSourcePropertyMapping.objects.filter(
+                managed="goauthentik.io/sources/ldap/openldap-cn"
+            )
+        )
+        connection = MagicMock(return_value=mock_freeipa_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            self.source.save()
+            user_sync = UserLDAPSynchronizer(self.source)
+            user_sync.sync_full()
+            group_sync = GroupLDAPSynchronizer(self.source)
+            group_sync.sync_full()
+            membership_sync = MembershipLDAPSynchronizer(self.source)
+            membership_sync.sync_full()
+
+            self.assertTrue(User.objects.filter(username="user4_sn").exists())
+            # Test if membership mapping based on memberOf works.
+            memberof_group = Group.objects.filter(name="group1").first()
+            self.assertTrue(memberof_group.exists())
+            self.assertTrue(memberof_group.users.filter(name="user4_sn").exists())
+
     def test_sync_groups_ad(self):
         """Test group sync"""
         self.source.user_property_mappings.set(
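Review bot: `self.assertTrue(memberof_group.exists())` will raise AttributeError rather than assert anything, because `.first()` on the line above returns a `Group` instance (or `None`), and `exists()` is a QuerySet method, not a model method. Replace the two assertions with `self.assertIsNotNone(memberof_group)` and `self.assertTrue(memberof_group.users.filter(username="user4_sn").exists())` — the second also switches the lookup from `name=` to `username=`, matching the `User.objects.filter(username="user4_sn")` assertion a few lines earlier (the mock entry's `name` attribute is also `user4_sn`, so `name=` might pass by coincidence, but `username` is the identity the test is actually checking). The method name `test_sync_groups_freeipa_memberOf` mixes camelCase into an otherwise snake_case test suite; `test_sync_groups_freeipa_memberof` follows the neighbouring tests. The enclosing class continues outside the hunk.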