</code></pre></div><h4 id=limit-login-to-existing-users>Limit Login to Existing Users</h4><p>You can limit login to existing users only by setting the <code>registration_enabled</code> property to <code>false</code> for OAuth2 or OIDC providers. If registration is enabled, new users will be created in the database when they log in for the first time.</p><h4 id=admin-mapping>Admin Mapping</h4><p>You can map users to admin roles based on their attributes in the OAuth2 or OIDC provider. To do this, set the <code>admin_mapping</code> property for the provider. Administrative access can be mapped either by a specific attribute or by group membership.</p><p><strong>Attribute-specific mapping</strong> can be achieved by setting the <code>admin_value_regex</code> and the <code>is_admin</code> properties. The <code>admin_value_regex</code> property is a regular expression that is matched against the value of the <code>is_admin</code> attribute. The user is granted admin access if the regex matches the attribute value.</p><p>Example: <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
</code></pre></div> The example above will grant admin access to users with the <code>wg_admin_prop</code> attribute set to <code>true</code>.</p><p><strong>Group membership mapping</strong> can be achieved by setting the <code>admin_group_regex</code> and <code>user_groups</code> properties. The <code>admin_group_regex</code> property is a regular expression that is matched against the group names of the user. The user is granted admin access if the regex matches any of the group names.</p><p>Example: <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
</code></pre></div> The example above will grant admin access to users who are members of the <code>the-admin-group</code> group.</p><h2 id=ldap-authentication>LDAP Authentication</h2><p>WireGuard Portal supports LDAP authentication. You can use any LDAP server that supports the LDAP protocol, such as Active Directory or OpenLDAP. Multiple LDAP servers can be configured in the <a href=../../configuration/overview/#auth><code>auth</code></a> section of the configuration file. WireGuard Portal remembers the authentication provider of the user and therefore avoids conflicts between multiple LDAP providers.</p><p>To configure LDAP authentication, create a new <a href=../../configuration/overview/#ldap><code>ldap</code></a> authentication provider in the <a href=../../configuration/overview/#auth><code>auth</code></a> section of the configuration file.</p><h3 id=limiting-login-to-specific-users>Limiting Login to Specific Users</h3><p>You can limit login to specific users by setting the <code>login_filter</code> property for the LDAP provider. This filter uses the LDAP search filter syntax. The username can be inserted into the query by placing the <code>{{login_identifier}}</code> placeholder in the filter. This placeholder will then be replaced with the username entered by the user during login.</p><p>For example, if you want to allow only users with the <code>objectClass</code> attribute set to <code>organizationalPerson</code> to log in, set the property as follows:</p><div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
</code></pre></div><p>The <code>login_filter</code> should always be designed to return at most one user.</p><h3 id=limit-login-to-existing-users_1>Limit Login to Existing Users</h3><p>You can limit login to existing users only by setting the <code>registration_enabled</code> property to <code>false</code> for LDAP providers. If registration is enabled, new users will be created in the database when they log in for the first time.</p><h3 id=admin-mapping_1>Admin Mapping</h3><p>You can map users to admin roles based on their group membership in the LDAP server. To do this, set the <code>admin_group</code> and <code>memberof</code> properties for the provider. The <code>admin_group</code> property defines the distinguished name of the group that is allowed to log in as admin. All groups that are listed in the <code>memberof</code> attribute of the user will be checked against this group. If one of the groups matches, the user is granted admin access.</p><h3 id=interface-specific-provisioning-filters>Interface-specific Provisioning Filters</h3><p>You can restrict which users are allowed to provision peers for specific WireGuard interfaces by setting the <code>interface_filter</code> property. This property is a map where each key corresponds to a WireGuard interface identifier, and the value is an LDAP filter. A user will only be able to see and provision peers for an interface if they match the specified LDAP filter for that interface.</p><p>Example: <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>