feat: Implement LDAP interface-specific provisioning filters (#642)

* Implement LDAP filter-based access control for interface provisioning * test: add unit tests for LDAP interface filtering logic * smaller improvements / cleanup --------- Co-authored-by: jc <37738506+theguy147@users.noreply.github.com> Co-authored-by: Christoph Haas <christoph.h@sprinternet.at>
2026-03-24 00:56:26 +00:00 · 2026-03-19 23:13:19 +01:00
parent f70f60a3f5
commit 402cc1b5f3
16 changed files with 339 additions and 18 deletions
--- a/docs/documentation/usage/user-sync.md
+++ b/docs/documentation/usage/user-sync.md
@@ -43,4 +43,12 @@ If you set the `disable_missing` property to `true`, any user that is not found
 All peers associated with that user will also be disabled.

 If you want a user and its peers to be automatically re-enabled once they are found in LDAP again, set the `auto_re_enable` property to `true`.
-This will only re-enable the user if they were disabled by the synchronization process. Manually disabled users will not be re-enabled.
+This will only re-enable the user if they were disabled by the synchronization process. Manually disabled users will not be re-enabled.
+
+##### Interface-specific Access Materialization
+
+If `interface_filter` is configured in the LDAP provider, the synchronization process will evaluate these filters for each enabled user.
+The results are materialized in the `interfaces` table of the database in a hidden field. 
+This materialized list is used by the backend to quickly determine if a user has permission to provision peers for a specific interface, without having to query the LDAP server for every request.
+The list is refreshed every time the LDAP synchronization runs.
+For more details on how to configure these filters, see the [Authentication](./authentication.md#interface-specific-provisioning-filters) section.