From 85c31a40731652231cf51f6945a699bec04d3571 Mon Sep 17 00:00:00 2001
From: Giuseppe Leo
Date: Thu, 30 Jan 2025 23:19:43 +0100
Subject: [PATCH] Auth Providers: Add search_using_service_account field (#13223)
* Add LPDAP option for search
* Add unit tests for LDAP config
* Add restriction for searchUsingServiceAccount config to specific types
* Use computed over direct check due lack of rendering issues with the prop
* Add tooltip for searchUsingServiceAccount
---
 shell/assets/translations/en-us.yaml | 3 +++
 shell/edit/auth/ldap/__tests__/config.test.ts | 18 ++++++++++++++
 shell/edit/auth/ldap/config.vue | 24 +++++++++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 shell/edit/auth/ldap/__tests__/config.test.ts
diff --git a/shell/assets/translations/en-us.yaml b/shell/assets/translations/en-us.yaml
index c30d687386c..c7d4e68c903 100644
--- a/shell/assets/translations/en-us.yaml
+++ b/shell/assets/translations/en-us.yaml
@@ -517,6 +517,9 @@ authConfig:
 starttls:
 label: Start TLS
 tip: Upgrades non-encrypted connections by wrapping with TLS during the connection process. Can not be used in conjunction with TLS.
+ searchUsingServiceAccount:
+ label: Enable Service Account Search
+ tip: When enabled, Rancher will use the service account instead of the user account to search for users and groups.
 tls: TLS
 userEnabledAttribute: User Enabled Attribute
 userMemberAttribute: User Member Attribute
diff --git a/shell/edit/auth/ldap/__tests__/config.test.ts b/shell/edit/auth/ldap/__tests__/config.test.ts
new file mode 100644
index 00000000000..945a05c82b4
--- /dev/null
+++ b/shell/edit/auth/ldap/__tests__/config.test.ts
@@ -0,0 +1,18 @@
+import { mount } from '@vue/test-utils';
+import LDAPConfig from '@shell/edit/auth/ldap/config.vue';
+
+describe('lDAP config', () => {
+ it.each([
+ 'openldap', 'freeipa'
+ ])('should display searchUsingServiceAccount checkbox if type %p', (type) => {
+ const wrapper = mount(LDAPConfig, {
+ propsData: {
+ value: {},
+ type,
+ }
+ });
+ const checkbox = wrapper.find('[data-testid="searchUsingServiceAccount"]');
+
+ expect(checkbox).toBeDefined();
+ });
+});
diff --git a/shell/edit/auth/ldap/config.vue b/shell/edit/auth/ldap/config.vue
index 7bdf026dc2a..54b49a6664f 100644
--- a/shell/edit/auth/ldap/config.vue
+++ b/shell/edit/auth/ldap/config.vue
@@ -11,6 +11,8 @@ const DEFAULT_TLS_PORT = 636;
 export const SHIBBOLETH = 'shibboleth';
 export const OKTA = 'okta';
+export const OPEN_LDAP = 'openldap';
+export const FREE_IPA = 'freeipa';
 export default {
 emits: ['update:value'],
@@ -64,6 +66,11 @@ export default {
 // Does the auth provider support LDAP for search in addition to SAML?
 isSamlProvider() {
 return this.type === SHIBBOLETH || this.type === OKTA;
+ },
+
+ // Allow to enable user search just for these providers
+ isSearchAllowed() {
+ return this.type === OPEN_LDAP || this.type === FREE_IPA;
 }
 },
@@ -226,6 +233,23 @@ export default { /> + +
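Review bot: The assertion `expect(checkbox).toBeDefined()` in the new test cannot fail, because `wrapper.find()` from @vue/test-utils returns a wrapper object even when nothing matches the selector, so the test passes whether or not the checkbox is rendered. Replace it with `expect(checkbox.exists()).toBe(true);`. The restriction itself is also unpinned: a second `it.each` over a type that should not show the control, asserting `exists()` is `false`, would catch a regression that exposes the service-account search option for other providers.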
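Review bot: The name and comment on the new computed in the `@@ -64,6 +66,11 @@` hunk do not say what it gates: `isSearchAllowed` with `// Allow to enable user search just for these providers` reads as if search were disabled for every other provider, while the commit is about the `searchUsingServiceAccount` option. A comment such as `// searchUsingServiceAccount is only offered for OpenLDAP and FreeIPA` and a name along the lines of `isServiceAccountSearchSupported` would be clearer. Because the option changes which identity performs directory lookups, it is worth confirming outside this hunk that a stored `searchUsingServiceAccount: true` is cleared or ignored when `type` is not one of these two, since hiding the checkbox alone would not reset the value. The `computed` block begins above the hunk, and the template hunk that uses this property is not legible here.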
+
+ +
+
+