From 56b7cbf4dbcc4a1ec201518f291c119470cc4e93 Mon Sep 17 00:00:00 2001 From: wwuck Date: Thu, 26 Oct 2023 23:16:29 +1100 Subject: [PATCH] Return both user and operational LDAP attributes Explicitly request both user and operation attributes for LDAP group search as the default searching does not include operational attributes. This is required to fetch the memberOf attribute when checking LDAP group membership. Fixes #9151 --- .../java/org/dspace/authenticate/LDAPAuthentication.java | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java b/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java index afd82db863ba..4dcba5c1d493 100644 --- a/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java +++ b/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java @@ -494,6 +494,8 @@ protected String getDNOfUser(String adminUser, String adminPassword, Context con try { SearchControls ctrls = new SearchControls(); ctrls.setSearchScope(ldap_search_scope_value); + // Fetch both user attributes '*' (eg. uid, cn) and operational attributes '+' (eg. memberOf) + ctrls.setReturningAttributes(new String[] {"*", "+"}); String searchName; if (useTLS) { @@ -700,13 +702,13 @@ public String getName() { /* * Add authenticated users to the group defined in dspace.cfg by * the authentication-ldap.login.groupmap.* key. - * + * * @param dn * The string containing distinguished name of the user - * + * * @param group * List of strings with LDAP dn of groups - * + * * @param context * DSpace context */
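Review bot: The added `ctrls.setReturningAttributes(new String[] {"*", "+"});` in the first hunk asks the directory for every user and operational attribute of the matched entry, which is far wider than the stated goal of reading memberOf. The search appears to run under the admin bind passed to getDNOfUser, so depending on the server's ACLs the result may now carry operational data (password-policy state, for instance) that this code has no reason to hold. I would request only what the method reads, e.g. `ctrls.setReturningAttributes(wantedAttrs);`, where `wantedAttrs` is a placeholder name for an array built from the configured e-mail, name and group-membership attribute names. "+" is also honoured only by servers that implement RFC 3673, so naming the membership attribute explicitly is more portable as well. The rest of getDNOfUser lies outside the hunk, so the exact list should be checked against the attributes it reads after the search.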